What's life without a little WordPress exploitation? Courtesy of Hacker5preme (aka Ron Jost) and h00die, we now have an exploit for CVE-2021-24862, a bug in the RestorationMagic WordPress plugin prior to 5.0.1.6 whereby user input was not properly escaped in the `rm_chronos_ajax` action prior to it being used in an SQL statement.
By utilizing this module, authenticated attackers can grab the usernames and password hashes of users on the affected WordPress site, which could then be cracked using hashcat or John the Ripper to get the plaintext password.
Since users are prone to reusing their passwords across sites, this module could potentially allow attackers who successfully cracked a user's password to log into other sites as well, a practice commonly known as credential stuffing. As a reminder, it is recommended to use unique passwords for each site to mitigate against credential stuffing attacks.
Whilst the risk of this is somewhat mitigated by the fact that valid login credentials are required, keep in mind that RestorationMagic is a user registration form plugin designed to help register users onto your WordPress site, so in most cases all an attacker would have to do is register a user account on the target site to exploit this bug.
It's always good when we get a Cisco module, as these devices are used all over the place. Takeshi Shiomitsu and Rapid7's Jacob Baines certainly delivered on this front with a module for exploiting CVE-2021-1473, which combines an authentication bypass with a command injection vulnerability to execute code as the `www-data` user on vulnerable Cisco RV Series VPNs and Routers running firmware versions 1.0.03.20 and below.
Because of the sensitivity of the data that Cisco routers process, as well as the level of access they often have, Cisco routers have often been a prime target for exploitation in the past. It is likely that in-the-wild exploitation of this vulnerability will occur in the near future, so if you haven't patched it already, it is highly encouraged to do so soon.
- … 1.0.03.20 and below. The module exploits both an auth bypass vulnerability and a command injection vulnerability to achieve unauthenticated code execution as the `www-data` user against vulnerable devices.
- `modules/nop/cmd/generic` has been added, which supports adding NOPs to command-line payloads using spaces for NOP characters.
- … `save`, `/connect`, `/search` and more.
- … `getsystem` command on Windows Meterpreter.
- … `<` and `>` characters to improve compatibility.
- … `msfdb init` on Windows when opting not to initialize web services.
- … `post/windows/gather/enum_domains` when no domains are found.
- … `PayloadGenerator::prepend_nops`, whereby if no NOP modules existed for the target payload architecture, the payload would be vaporized and replaced with an array of NOP modules as a string. This was fixed: now, if no NOP modules exist for the target payload architecture, the raw shellcode is returned unmodified.
- … `modules/auxiliary/dos/http/slowloris.py`.
- … `exploit/linux/http/cisco_ucs_rce` module.

As always, you can update to the latest Metasploit Framework with `msfupdate` and you can get more details on the changes since the last blog post from GitHub:

If you are a `git` user, you can clone the Metasploit Framework repo (master branch) for the latest. To install fresh without using git, you can use the open-source-only Nightly Installers or the binary installers (which also include the commercial edition).
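As an added illustration of the two NOP-related items in the list above (the space-based `modules/nop/cmd/generic` generator and the `PayloadGenerator::prepend_nops` fix), here is a small Ruby model written for this post. It is not Metasploit's own code, and the names `CmdGenericNop`, `X86SimpleNop` and `prepend_nops` are hypothetical stand-ins. It shows the corrected edge case: when no NOP generator matches the payload's architecture, the payload comes back untouched instead of being replaced by something else.

```ruby
# Added example, not Metasploit's code. Class and method names are hypothetical.

# Command-line "NOP" generator: a sled of spaces, which a shell treats as
# insignificant whitespace in front of the command (the idea behind
# modules/nop/cmd/generic).
class CmdGenericNop
  def arch
    'cmd'
  end

  # Returns `length` space characters.
  def generate_sled(length)
    ' ' * length
  end
end

# Native NOP generator for x86: the single-byte 0x90 instruction.
class X86SimpleNop
  def arch
    'x86'
  end

  # Returns `length` 0x90 bytes as a binary string.
  def generate_sled(length)
    "\x90".b * length
  end
end

# Prepends a NOP sled of `sled_length` to `payload`, using the first generator
# whose architecture matches `arch`.
#
# Corrected behaviour modelled here: if no generator exists for the
# architecture (or no sled was requested), the raw payload is returned
# unmodified. The bug described above did the opposite: the payload was lost
# and replaced by the stringified list of generators.
def prepend_nops(payload, arch, sled_length, generators)
  candidates = generators.select { |g| g.arch == arch }
  return payload if candidates.empty? || sled_length <= 0

  candidates.first.generate_sled(sled_length) + payload
end

if __FILE__ == $PROGRAM_NAME
  gens = [CmdGenericNop.new, X86SimpleNop.new]
  p prepend_nops('id', 'cmd', 4, gens)        # "    id"
  p prepend_nops("\xcc".b, 'x86', 3, gens)    # "\x90\x90\x90\xCC"
  p prepend_nops("\xcc".b, 'mips', 8, gens)   # "\xCC" (no MIPS generator: unchanged)
end
```

The third call is the regression case from the list: with no generator registered for the requested architecture, the payload bytes survive exactly as supplied.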