Our own Christophe De La Fuente added a module for CVE-2019-5736, based on the work of Adam Iwaniuk, that breaks out of a Docker container by overwriting the runc binary of an image, which is run in the user context whenever someone outside the container runs docker exec to make a request of the container.
Community contributor Alexandre Zanni sent us a PR that uses native PHP functions to upload a file as an image attachment to WordPress installations running the wpDiscuz plugin, then executes it by requesting the path of the uploaded file.
runc binary in the host and escape from a container.
v7.0.0 and <= v7.0.4 of the WordPress plugin, wpDiscuz. An unauthenticated user has the ability to upload arbitrary files as image attachments through the wpDiscuz plugin due to the PHP functions used to process the attachments. Once uploaded, unauthenticated code execution is achieved by requesting the path of the file uploaded.
auxiliary/scanner/ipmi/ipmi_dumphashes module to have SESSION_RETRY_DELAY and SESSION_MAX_ATTEMPTS options
As always, you can update to the latest Metasploit Framework with msfupdate and you can get more details on the changes since the last blog post from GitHub:
If you are a git user, you can clone the Metasploit Framework repo (master branch) for the latest.
To install fresh without using git, you can use the open-source-only Nightly Installers or the binary installers (which also include the commercial edition).