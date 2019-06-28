Log in
Rapid7 : Metasploit Wrap-Up

06/28/2019 | 05:23pm EDT

I am Root

An exploit module for Nagios XI v5.5.6 was added by community contributor yaumn. This module includes two exploits chained together to achieve code execution with root privileges, and it all happens without authentication. A single unsanitized parameter in enables the ability to write arbitrary PHP code to a publicly accessible directory and get code execution. Privilege escalation happens through the combination of a command injection vulnerability in the file and the ability to execute that same file with without supplying a password.

Enumerate all the Things!

Our very own asoto-r7 contributed three modules to enable enumeration of useful Amazon Web Services (AWS) information. With an and a handy, you will be able to find EC2 instance information, IAM user accounts, and S3 bucket info.

SilentCleanup UAC Bypass

Community contributor cbrnrd added a Windows exploit module that returns an elevated session. The task in the Windows Task Scheduler executes a file whose path contains a user-controlled environment variable all while running with elevated privileges. The environment variable can be changed to a new value, thus enabling the execution of arbitrary code with elevated privileges.

A New Diary Entry

Dear diary,
Today I had unauthenticated remote root with a side of Ghidra reversing.

Last quarter we introduced a new series called the Metasploit Development Diaries. Dev diaries shed light on how vulnerabilities and exploitable conditions (whether true bug, feature, or foreverday) turn into full-fledged Metasploit modules. In this quarter's development diary entry, William Vu takes a deep dive into the exploit and underlying vuln for a buffer overflow in the Cisco RV130 VPN router. The write-up even includes some reversing with Ghidra. Earlier this year when this vulnerability was first announced, Rapid7 Labs 's investigated the exposure of affected Cisco devices and found nearly 12,000 affected devices exposed:

Read this quarter's dev diary and more Rapid7 research here.

New modules (5)

Enhancements and features

  • PR #12008 by egypt ignores the response code returned while checking for the vulnerability in the module. This allows for more vulnerable targets to be detected.

Bugs fixed

  • PR #12017 from community contributor aushack fixes an issue in that prevents a error in the case that HTTP headers aren't returned in a response.
  • PR #12013 by wvu-r7 ensures that the SRVHOST option in is a valid callback address.

Get it

As always, you can update to the latest Metasploit Framework with and you can get more details on the changes since the last blog post from GitHub:

We recently announced the release of Metasploit 5. You can get it by cloning the Metasploit Framework repo (master branch). To install fresh without using git, you can use the open-source-only Nightly Installers or the binary installers (which also include the commercial editions).

Disclaimer

Rapid7 Inc. published this content on 28 June 2019 and is solely responsible for the information contained therein. Distributed by Public, unedited and unaltered, on 28 June 2019 21:22:01 UTC
