Last updated at Fri, 19 Jan 2024 21:37:37 GMT
Unicode your way to a php payload and three modules to add to your playbook for Ansible
Our own jheysel-r7 added an exploit leveraging the fascinating tool of PHP filter chaining to prepend a payload using encoding conversion characters, and h00die et al. have come through and added 3 new Ansible post modules to gather configuration information, read files, and deploy payloads. While none offer instantaneous answers across the universe, they will certainly help in red team exercises.
New module content (4)
Ansible Agent Payload Deployer (1 of 3 Ansible post modules)
Ansible Config Gather (2 of 3 Ansible post modules)
Ansible Playbook Error Message File Reader (3 of 3 Ansible post modules)
Description: This adds 3 post-exploitation modules for Ansible. The first one gathers information and configuration. The second exploits an arbitrary file read that enables an attacker to read the first line of a file (typically /etc/shadow), when the compromised account is configured with password-less sudo permissions. The last one is an exploit that can deploy a payload to all the nodes in the network.
WordPress Backup Migration Plugin PHP Filter Chain RCE
Description: This adds an exploit module that leverages an unauthenticated RCE in the WordPress plugin Backup Migration versions prior to 1.3.7. This vulnerability is identified as CVE-2023-6553. This also adds a library that implements a technique called PHP Filter Chaining which allows an attacker to prepend bytes to a string by continuously chaining character encoding conversion.
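From the defender's side, the hallmark of the prepend-bytes technique described above is a php://filter wrapper carrying an unusually long run of convert.iconv conversions. The following is an added detection example (not code from the Metasploit module or library) that URL-decodes a request value, pulls apart the filter chain and flags long iconv runs; the sample values and the threshold of 3 are constructed assumptions, not from the page.

```python
import re
from urllib.parse import unquote

# Assumed threshold: legitimate php://filter use rarely chains more than a
# couple of iconv conversions; long runs are characteristic of chaining abuse.
ICONV_CHAIN_THRESHOLD = 3

FILTER_RE = re.compile(r"php://filter/(?P<chain>[^?\s\"']*)", re.IGNORECASE)

# Constructed sample request values (query strings / header values), not real traffic.
SAMPLE_VALUES = [
    "action=heartbeat",
    "php://filter/convert.iconv.UTF8.UTF16|convert.base64-encode|"
    "convert.iconv.UTF16.UTF32|convert.iconv.UTF8.UTF7|convert.iconv.L1.UCS-4"
    "/resource=php://temp",
    "file=php%3A%2F%2Ffilter%2Fread%3Dconvert.base64-encode%2Fresource%3Dindex.php",
]


def analyse_value(value: str) -> dict:
    """Summarise php://filter usage in one request value."""
    decoded = value
    for _ in range(2):  # undo up to two layers of percent-encoding
        new = unquote(decoded)
        if new == decoded:
            break
        decoded = new
    m = FILTER_RE.search(decoded)
    if not m:
        return {"uses_filter": False, "iconv_filters": 0, "suspected_chain": False}
    # Filters precede 'resource=' and are separated by '|' or '/'.
    chain = m.group("chain").split("resource=", 1)[0]
    parts = []
    for p in re.split(r"[|/]", chain):
        if not p:
            continue
        if p.lower().startswith(("read=", "write=")):
            p = p.split("=", 1)[1]
        parts.append(p)
    iconv = sum(1 for p in parts if p.lower().startswith("convert.iconv."))
    return {
        "uses_filter": True,
        "iconv_filters": iconv,
        "filters": parts,
        "suspected_chain": iconv >= ICONV_CHAIN_THRESHOLD,
    }


def scan(values=SAMPLE_VALUES) -> list:
    """Return only the values that look like a filter chain."""
    return [v for v in values if analyse_value(v)["suspected_chain"]]
```

A plain base64-encode read (the third sample) is reported as filter use but not as a chain, so tuning the threshold is what separates routine LFI probing from this technique.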
Enhancements and features (2)
- #18596 from dwelch-r7 - Updates multiple SMB modules to work with the new upcoming SMB session type support. This beta functionality is currently behind a feature flag, and can be enabled with features set smb_session_type true.
- #18682 from adfoster-r7 - Add tests for Msf::Exploit::Local module types to ensure that sysinfo will not break again in the future.
Bugs fixed (2)
- #18655 from adfoster-r7 - Ensures the module will automatically be used when the hierarchical search functionality is enabled and only one module result is found.
- #18710 from adfoster-r7 - Fixes an uninitialized constant Msf::Simple::Exploit::ExploitDriver exception that could sometimes occur when running Metasploit framework's payload modules.
Documentation added (1)
- #18702 from Sh3llSp4wn - Updates the documentation for the private and public fields in lib/metasploit/framework/credential.rb to be correct.
You can always find more documentation on our docsite at docs.metasploit.com.
Missing rn-* label on Github (1)
PLEASE ADD RN-TAGS TO THESE PULL REQUESTS BEFORE RELEASING THE WRAP UP, AND RERUN THE WRAPUP SCRIPT
- #18398 from errorxyz - Fixes deprecation warnings when running the exploits/unix/webapp/vbulletin_vote_sqli_exec exploit module with a database connected.
As always, you can update to the latest Metasploit Framework with
and you can get more details on the changes since the last blog post from
If you are a git user, you can clone the Metasploit Framework repo (master branch) for the latest.
To install fresh without using git, you can use the open-source-only Nightly Installers or the commercial edition Metasploit Pro.