Site icon API Security Blog

Metasploit Wrap-Up

## Nagios modules

![Metasploit Wrap-Up](https://blog.rapid7.com/content/images/2021/04/metasploit-ascii-1-1.png)

Community member Erik Wynter has contributed two more Nagios XI modules this week, on top of the [previous week’s contributions]()! If you’ve noticed Nagios XI 5.6.0 to 5.7.5 running within your target’s infrastructure during a pen test, be sure to check both these new modules out as well as the previous week’s contributions, as they provide both authenticated and unauthenticated remote code injection.

## JSON RPC service improvements

Fresh out of the oven, Metasploit now warms up its JSON RPC service before accepting traffic. This week’s release ensures that Metasploit is now alive, warmed up, and healthy prior to binding the HTTP server to the host machine. If you’re not familiar with this functionality, Metasploit’s Remote Procedure Call (RPC) API allows you to programmatically drive the Metasploit Framework and commercial products using HTTP requests. This allows you to build powerful tools and functionality around Metasploit’s core engine to automate complex workflows without interacting directly with the Metasploit console as a user would. The JSON RPC Service is a more modern alternative to the older MessagePack implementation that is still available for use.

## Command shell session validation

Thanks to the work of our very own Spencer McIntyre in pull request [#15051](), Metasploit will now automatically validate that the session is established and responsive. The intention is to help users by automatically determining sessions are valid before they can be used, to help avoid failed module runs. These new changes work in POSIX shells as well as Windows’ command shell and PowerShell. This validation works by sending an `echo` command and verifying that the response is received back as expected.

## New Module Content (3)

* [Nagios XI 5.6.0-5.7.3 – Mibs.php Authenticated Remote Code Exection]() by Chris Lyne, Erik Wynter, and Matthew Aberegg, which exploits [CVE-2020-5791]() – A new module has been added to exploit CVE-2020-5791, an OS command injection vulnerability in the `admin/mibs.php` page of NagiosXI 5.6.0 to 5.7.3 inclusive. Successful exploitation requires valid credentials for an administrative user and grants RCE as the `apache` or `www-data` user.
* [Nagios XI 5.5.0-5.7.3 – Snmptrap Authenticated Remote Code Exection]() by Chris Lyne and Erik Wynter, which exploits [CVE-2020-5792]() – A new module has been added to exploit CVE-2020-5792, an authenticated command injection vulnerability in the `includes/components/nxti/index.php` page of Nagios XI prior to 5.7.4. Successful exploitation results in RCE as the `apache` user.
* [Cockpit CMS NoSQLi to RCE]() by Nikita Petrov and h00die, which exploits [CVE-2020-35846]() – Adds a new module to exploit CockpitCMS versions 0.10.0 through 0.11.1. This module uses two NoSQL injections to get the user list, and password reset token list, enumerate the tokens to the users, reset a password, login, then a command injection for RCE.

## Enhancements and features

* [#15051]() from [zeroSteiner]() – Verify that shell sessions are established and responsive by sending an `echo` command and verifying that a response is received.
* [#15072]() from [pingport80]() – The `post/linux/gather/hashdump` module has been improved so that instead of checking if the user is `root`, it will now instead check if the user has access to the `/etc/shadow` file prior to attempting to dump the hashes from the shadow file. This allows users to dump password hashes in the case where the permissions of the `/etc/shadow` file may be set up incorrectly, even if they are not the `root` user.

## Bugs Fixed

* [#15022]() from [adfoster-r7]() – Ensures that the Metasploit JSON RPC service is warmed up and healthy before accepting requests
* [#15063]() from [gwillcox-r7]() – The `check` logic of `nagios_xi_plugins_check_ping_authenticated_rce.rb` was updated to fix a bug whereby older versions of Nagios XI may have caused the module to crash instead of correctly reporting a target as being vulnerable or not.
* [#15064]() from [wvu-r7]() – A undefined constant error in `f5_bigip_known_privkey.rb` was fixed by adding a missing import.
* [#15065]() from [pingport80]() – Fix an issue in the post/linux/gather/checkvm module where a physical machine was detected as a virtual machine.
* [#15067]() from [jmartin-r7]() – The `lib/metasploit/framework/login_scanner/ssh.rb` has been improved so that it now correctly handles cases where the connection might be reset by a client and continues scanning instead of throwing a stack trace.

## Get it

As always, you can update to the latest Metasploit Framework with `msfupdate` and you can get more details on the changes since the last blog post from GitHub:

* [Pull Requests 6.0.40…6.0.41]()
* [Full diff 6.0.40…6.0.41]()

If you are a `git` user, you can clone the [Metasploit Framework repo]() (master branch) for the latest. To install fresh without using git, you can use the open-source-only [Nightly Installers]() or the [binary installers]() (which also include the commercial edition).Read More

Exit mobile version