This week, community member Nuri Çilengir added an unauthenticated RCE for Roxy-WI. Roxy-WI is an interface for managing HAProxy, Nginx and Keepalived servers. The vulnerability can be triggered by a specially crafted POST request to a Python script where the ipbackend parameter is vulnerable to OS command injection. The result is reliable code execution within the context of the web application user.
Community member bcoles removed multiple Meterpreter scripts which have been deprecated for years. Metasploit’s documentation has omitted details on how to write them since 2014 and removing the existing ones in favor of their new post-module equivalents ensures users are using the most up-to-date code and workflows. Post modules have a number of advantages over Meterpreter scripts and Metasploit has equivalents for each of the Meterpreter scripts that were removed.
Msfconsole will now suggest datastore option names when an invalid option is specified. This should help users understand when they make a mistake and misspell an option name. The original behavior would just set the invalid option which may leave the user confused when they think they set one thing but the option did not actually change.
For example, prior to these changes, setting LHSOT (instead of LHOST) would simply set an option named LHSOT, which effectively did nothing.
msf6 exploit(windows/smb/psexec) > set LHSOT 192.168.169.1
LHSOT => 192.168.169.1
Now the new behavior will identify that LHSOT is not valid in the current context and will suggest setting LHOST instead.
msf6 exploit(windows/smb/psexec) > set LHSOT 192.168.159.1
[-] Unknown datastore option: LHSOT. Did you mean LHOST?
msf6 exploit(windows/smb/psexec) >
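The suggestion logic described above, as an added Ruby example rather than Metasploit's own implementation: an edit-distance lookup over the option names valid in the current context, with the `set` handler refusing to store an unknown option. SAMPLE_OPTIONS is a constructed list of option names standing in for a module's real datastore.

```ruby
# Added example, not Metasploit's own implementation: a "did you mean"
# helper for datastore option names that reproduces the behaviour shown
# above. SAMPLE_OPTIONS is a constructed list of option names.
SAMPLE_OPTIONS = %w[RHOSTS RPORT LHOST LPORT SMBUser SMBPass SMBDomain PAYLOAD].freeze

# Plain Levenshtein edit distance, keeping only two rows of the DP table.
def edit_distance(a, b)
  prev = (0..b.length).to_a
  a.each_char.with_index(1) do |ca, i|
    cur = [i]
    b.each_char.with_index(1) do |cb, j|
      cost = ca == cb ? 0 : 1
      cur << [prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + cost].min
    end
    prev = cur
  end
  prev.last
end

# Closest valid option name to +name+, or nil when nothing is close enough.
# Option names are compared case-insensitively; the threshold grows with the
# typed name so a transposition such as LHSOT/LHOST (distance 2) matches
# while an unrelated name does not.
def suggest_option(name, valid_options)
  needle = name.upcase
  best = valid_options.min_by { |opt| edit_distance(needle, opt.upcase) }
  return nil if best.nil?
  threshold = [1, needle.length / 2].max
  edit_distance(needle, best.upcase) <= threshold ? best : nil
end

# The new `set` behaviour: an unknown option is rejected (the datastore is
# left untouched, whereas the old behaviour stored LHSOT verbatim) and the
# message that msfconsole would print is returned.
def set_option(datastore, name, value, valid_options)
  match = valid_options.find { |opt| opt.casecmp?(name) }
  if match
    datastore[match] = value
    return "#{match} => #{value}"
  end
  hint = suggest_option(name, valid_options)
  msg = "[-] Unknown datastore option: #{name}."
  hint ? "#{msg} Did you mean #{hint}?" : msg
end

if __FILE__ == $PROGRAM_NAME
  ds = {}
  puts set_option(ds, 'LHSOT', '192.168.159.1', SAMPLE_OPTIONS)
end
```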
The set command has been updated so that if an invalid datastore option is provided, a suggestion for a valid datastore option is made where possible. Additionally, the behavior has been changed so that one can no longer set a datastore value that is not valid within the given context.

The scripts/meterpreter/pml_driver_config.rb script has been removed from Metasploit, since Meterpreter scripts have been deprecated for over 5 years now. Please use exploit/windows/local/service_permissions instead, which contains a more modern implementation of the same principle this script utilized.

The scripts/meterpreter/schelevator.rb script has been removed in favor of exploit/windows/local/ms10_092_schelevator. Scripts were deprecated over 5 years ago and should no longer be used.

The scripts/meterpreter/prefetchtool.rb script has been removed and replaced with the post/windows/gather/enum_prefetch.rb post module.

The scripts/meterpreter/getvncpw.rb script has been removed in favor of the post/windows/gather/credentials/vnc post module, which is more modern and has more features.

The scripts/meterpreter/get_env.rb script has been removed in favor of the post/multi/gather/env post module.

Fixes a bug in the pg_ctl.rb helper whereby initializing and starting databases using msfdb init might fail because the helper did not set unix_socket_directories to a path that a non-root user can write to. The code has now been updated so that it sets unix_socket_directories to a path the current user can write to, or errors out if it cannot find a writable directory to use for the socket file.

The host command has been updated to fix a bug whereby the -t flag was not properly accepting the <tag> parameter that it was supposed to accept and process. Additionally, the documentation for this option has been updated to be clearer.

Replaces calls to Msf::Config.get_config_root, which did not properly account for changes the user might make to the configuration path, with calls to Msf::Config.config_directory, which appropriately takes the user's configuration settings into account.

Fixes a bug whereby running the hosts command with the -c flag to filter by columns would result in a stack trace. The command now correctly returns the output with only the columns specified to the -c flag.

Fixes the is_admin? and is_system? post-exploitation methods, which previously incorrectly reported the user as always being an administrator and a system user respectively when run on shell sessions.

As always, you can update to the latest Metasploit Framework with msfupdate and you can get more details on the changes since the last blog post from GitHub:
If you are a git user, you can clone the Metasploit Framework repo (master branch) for the latest.

To install fresh without using git, you can use the open-source-only Nightly Installers or the binary installers (which also include the commercial edition).