In a rare double whammy, one of our 2020 Google Summer of Code (GSoC) participants has authored a PR containing both enhancements & a new module! Improvements to our SQL injection library now allow PostgreSQL injection, and this new functionality has been verified with both a test module AND a fully functioning module exploiting CVE-2019-13375, a (Postgre)SQL injection vuln in the D-Link Central WiFi Manager allowing both DB dumping and user insertion in all versions before v1.03R0100_BETA6. Big thanks to red0xff for authoring these changes and showing that students can hack it with the best of them.
For anyone interested in working with Metasploit in this year’s Google Summer of Code, you’ll have to wait until March 9th to find out if we’ve been accepted as mentors. However, you can get a head start by checking out our current project shortlist. Said shortlist is still being worked on, and applicants can suggest their own project ideas, so get looking and see what jumps out at you!
Our copious community contributor bcoles has written a new module exploiting CVE-2020-35729, an unauthenticated command injection vulnerability in KLog (an English translated version of their site can be found here). KLog is a Syslog server providing a time stamp service packaged in a Linux VM, and if Google Translate is to be believed, includes "Kamu SM approved SHA-512 hash algorithm has log signing feature", which is nice. By making a POST request to authenticate.php, the module can perform code execution in the VM via the PHP shell_exec() function. Additionally, the KLog VM configuration allows the apache user to execute sudo without supplying a password, ultimately allowing code execution with root privileges.
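To make the defect concrete, here is an added, hypothetical PHP reconstruction of the pattern described above: it is not KLog's source, and the `id -u` command, the function names and the `user` allow-list are placeholders chosen for illustration. It places the unsanitized handler next to a hardened one.

```php
<?php
// Constructed illustration of "request parameter reaches shell_exec()".
// Not KLog's code; the command being run is a placeholder.

// --- vulnerable pattern --------------------------------------------------
function vulnerable_lookup(array $post): string
{
    $user = $post['user'] ?? '';
    // Untrusted input is interpolated straight into a shell command line,
    // so shell metacharacters (; | & $() backticks) become extra commands.
    return (string) shell_exec("id -u " . $user);
}

// --- hardened pattern ----------------------------------------------------
function hardened_lookup(array $post): string
{
    $user = $post['user'] ?? '';

    // 1. Validate against an allow-list of what a username may contain.
    //    Reject anything else rather than trying to strip "bad" characters.
    if (!preg_match('/^[a-z_][a-z0-9_-]{0,31}$/', $user)) {
        http_response_code(400);
        return 'invalid user';
    }

    // 2. Prefer a library call over spawning a shell at all.
    if (function_exists('posix_getpwnam')) {
        $pw = posix_getpwnam($user);
        return $pw === false ? 'no such user' : (string) $pw['uid'];
    }

    // 3. If a process is unavoidable, quote the value so the shell sees it
    //    as exactly one argument, never as command syntax.
    return trim((string) shell_exec('id -u ' . escapeshellarg($user)));
}
```

The hardened handler only removes the injection; the second finding above, the apache user's passwordless sudo, is a separate privilege boundary that only a sudoers change closes, and it is what turns a web-tier bug into root.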
Wrapping up this wrapup, timwr has fixed an issue with our Java Meterpreter that prevented screenshots from being taken. As an added bonus, it also prevents uploading a screenshot DLL on non-native Windows meterpreter sessions.
...2.4.1 and below. A POST request to authenticate.php can result in code execution on the target due to improper sanitization of the user parameter, which gets passed to the shell_exec() function. Additionally, Klog Server's configuration allows the apache user to execute sudo without supplying a password, so this exploit ultimately achieves code execution with root privileges.

exploit/linux/http/saltstack_salt_api_cmd_exec to correctly show failure messages to the user under error scenarios

Notes metadata

hex_encode_strings

msftidy.rb developer tool whereby a typo was preventing several checks from being run against exploit modules to ensure they conformed to standards. This has now been fixed, along with some grammar issues that were noticed in related modules.

screenshot command. This ensures Java Meterpreter can take screenshots on Windows platforms and prevents unnecessarily uploading the screenshot DLL when using the screenshot command on non-native Windows sessions.

As always, you can update to the latest Metasploit Framework with msfupdate and you can get more details on the changes since the last blog post from GitHub:

If you are a git user, you can clone the Metasploit Framework repo (master branch) for the latest. To install fresh without using git, you can use the open-source-only Nightly Installers or the binary installers (which also include the commercial edition).