This week’s Metasploit Framework release brings two modules that target Cisco products. The first module, written by our very own jheysel-r7, targets an unauthenticated file upload vulnerability in Cisco HyperFlex HX Data Platform. Vulnerable versions of the Cisco HyperFlex software permit uploading of files through the /upload endpoint due to a missing authentication requirement. The exploit module uploads a JSP web shell and obtains code execution as the Tomcat user.
Community contributor Hakyac wrote the second module that targets Cisco Data Center Network Manager (DCNM). The module, auxiliary/admin/networking/cisco_dcnm_auth_bypass, leverages a static encryption key in the REST API of DCNM to generate a valid session token that is then used to create an administrative account with high privileges and access to sensitive data.
Community contributor Hakyac wrote another exploit module that targets network management software. exploit/linux/http/rconfig_vendors_auth_file_upload_rce uses an authenticated file upload vulnerability to achieve remote code execution against vulnerable rConfig installations, specifically versions 3.9.6 and below. The vendor logo functionality in lib/crud/vendors.crud.php allows an authenticated user to upload images; however, there are no checks on the contents of the uploaded file. Because of this, an authenticated attacker can upload a PHP shell and trigger its execution via a request to the file’s name in the /images/vendor path.
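A detection sketch for the rConfig issue described above, added here as an example and not part of the original post or of Metasploit: it scans web access logs for requests under /images/vendor that name anything other than a plain image file. The combined log format, the image extension allowlist and the sample log lines are assumptions constructed for illustration.

```python
import re
from urllib.parse import unquote, urlsplit

# Extensions a vendor logo may legitimately have (assumption; adjust to site policy).
IMAGE_EXTS = {"png", "jpg", "jpeg", "gif", "svg", "ico"}
LOGO_DIR = "/images/vendor/"  # upload directory named in the write-up

# Apache/nginx "combined" format (assumed): client IP, request line, status code.
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] '
    r'"[A-Z]+ (?P<target>\S+) [^"]*" (?P<status>\d{3}) '
)

SAMPLE_LOG = [  # constructed lines using documentation IP ranges
    '198.51.100.7 - - [10/Jun/2021:10:00:01 +0000] "GET /images/vendor/cisco.png HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '203.0.113.9 - - [10/Jun/2021:10:02:10 +0000] "GET /images/vendor/logo.php HTTP/1.1" 200 12 "-" "curl/7.68.0"',
    '203.0.113.9 - - [10/Jun/2021:10:02:11 +0000] "GET /images/vendor/a.PNG.pHp?x=1 HTTP/1.1" 200 12 "-" "curl/7.68.0"',
    '203.0.113.9 - - [10/Jun/2021:10:02:12 +0000] "GET /images/vendor/b%2Ephp/c.png HTTP/1.1" 404 0 "-" "curl/7.68.0"',
    '198.51.100.7 - - [10/Jun/2021:10:03:00 +0000] "GET /dashboard.php HTTP/1.1" 200 900 "-" "Mozilla/5.0"',
]

def suspicious_logo_requests(lines):
    """Return (ip, decoded_path, status) for non-image requests under LOGO_DIR."""
    hits = []
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # unparseable line: skip rather than guess
        # Drop the query string and decode %xx escapes before inspecting the path.
        path = unquote(urlsplit(m["target"]).path)
        lowered = path.lower()
        if LOGO_DIR not in lowered:
            continue
        rest = lowered.split(LOGO_DIR, 1)[1]
        # Check every segment: "x.php/a.png" can still reach x.php via PATH_INFO.
        for segment in filter(None, rest.split("/")):
            exts = segment.split(".")[1:]
            # Any non-image extension counts, including double extensions.
            if any(e not in IMAGE_EXTS for e in exts):
                hits.append((m["ip"], path, int(m["status"])))
                break
    return hits

if __name__ == "__main__":
    for ip, path, status in suspicious_logo_requests(SAMPLE_LOG):
        print(f"{ip} requested {path} (HTTP {status})")
```

A 200 response on a flagged path means the file exists on disk and warrants immediate review of the upload directory; a 404 still indicates probing.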
3.9.6. An arbitrary file upload vulnerability exists in lib/crud/vendors.crud.php through the vendorLogo parameter. The functionality for uploading vendor logos does not validate the contents of uploaded files, so an authenticated user has the capability of uploading arbitrary PHP code. Once uploaded, code execution on the server can be achieved by requesting the uploaded PHP file in the images/vendor path.
exploit/multi/ssh/sshexec module to now account for cases where the target system does not have the python binary. Using the new binary_exists() class method in lib/msf/base/sessions/command_shell.rb, the module now checks for and uses the valid Python binary found on the target system despite not having a fully-established session.
windows/manage/shellcode_inject module which crashed due to a missing mixin
msfdb init on an already initialised database would generate a new password instead of just starting the database
As always, you can update to the latest Metasploit Framework with msfupdate and you can get more details on the changes since the last blog post from GitHub:
If you are a git user, you can clone the Metasploit Framework repo (master branch) for the latest. To install fresh without using git, you can use the open-source-only Nightly Installers or the binary installers (which also include the commercial edition).