RCE with a Key

An exploit module for Laravel Framework was submitted by community contributor aushack. The module targets an insecure unserialize call reachable through the X-XSRF-TOKEN HTTP request header, a vulnerability discovered by Ståle Pettersen. Since the exploit requires the Laravel APP_KEY to reach the vulnerable unserialize call, aushack included information leak checks in the module to extract the APP_KEY if necessary. A Google dork, such as the one shown by finnwea, could be used to retrieve the APP_KEY of a misconfigured Laravel server.
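The reason the APP_KEY matters is that Laravel authenticates the X-XSRF-TOKEN payload with an HMAC keyed on that key before anything is decrypted and unserialized, so the key's secrecy is the whole boundary in front of unserialize. The following added example (not Metasploit or Laravel code) shows that server-side check in Python; it assumes the Laravel 5.x payload layout, base64 of JSON {iv, value, mac} with mac = HMAC-SHA256 over the concatenated base64 strings, and an APP_KEY in the "base64:..." form.

```python
"""Verify a Laravel 5.x encrypted payload (as carried in X-XSRF-TOKEN) before
it is handed to decrypt()/unserialize(). Added example, not project code.

Assumed format (Laravel Encrypter, not stated on the page):
  token = base64(JSON{"iv": b64, "value": b64, "mac": hex})
  mac   = HMAC-SHA256(iv_b64 || value_b64, key)
"""
import base64
import hashlib
import hmac
import json


def load_app_key(app_key: str) -> bytes:
    """Decode an APP_KEY given as "base64:<key>" (or a raw string) to bytes."""
    if app_key.startswith("base64:"):
        return base64.b64decode(app_key[len("base64:"):])
    return app_key.encode()


def build_payload(iv: bytes, ciphertext: bytes, key: bytes) -> str:
    """Assemble a payload the way the framework does when it sets the cookie.
    Used here to create test vectors; the ciphertext is opaque to the MAC."""
    iv_b64 = base64.b64encode(iv).decode()
    value_b64 = base64.b64encode(ciphertext).decode()
    mac = hmac.new(key, (iv_b64 + value_b64).encode(), hashlib.sha256).hexdigest()
    body = json.dumps({"iv": iv_b64, "value": value_b64, "mac": mac})
    return base64.b64encode(body.encode()).decode()


def verify_payload(token: str, key: bytes) -> bool:
    """Return True only if the token is well-formed and its MAC matches `key`.
    A token that fails here must never reach unserialize(); one that passes
    proves only that whoever built it held the APP_KEY."""
    try:
        data = json.loads(base64.b64decode(token, validate=True))
    except ValueError:  # covers binascii.Error, JSONDecodeError, bad UTF-8
        return False
    if not isinstance(data, dict):
        return False
    if not all(isinstance(data.get(k), str) for k in ("iv", "value", "mac")):
        return False
    try:
        if len(base64.b64decode(data["iv"], validate=True)) != 16:  # AES block
            return False
    except ValueError:
        return False
    expected = hmac.new(key, (data["iv"] + data["value"]).encode(),
                        hashlib.sha256).hexdigest()
    # Constant-time comparison; a plain == would leak timing on the MAC.
    return hmac.compare_digest(expected.encode(), data["mac"].encode())
```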

AppXSVC

space-r7 submitted a module that combines an AppXSVC DACL permissions overwrite, discovered by Nabeel Ahmed, with DiagHub DLL hijacking, discovered by James Forshaw, to execute code as SYSTEM. AppXSVC on Windows 10 builds prior to 17763 improperly handles hard links, which allows a user to gain full privileges over a SYSTEM-owned file. After gaining control of a SYSTEM file, the module overwrites its contents with a DLL, which is then loaded by the DiagHub service for code execution.

New modules (4)

Enhancements and features

PR #12031 by bcoles adds a method to the mixin, exposing the method from to provide a consistent interface for module developers.

Bugs fixed

PR #12087 by wvu-r7 ensures that shell features like globs and pipes work again when executing passthrough commands.

PR #12086 by aushack fixes and refactors in to perform as intended.

PR #12085 by wvu-r7 fixes by returning for payloads.

