Metasploit Weekly Wrap-Up

## Power[shell]Point

![Metasploit Weekly Wrap-Up](https://blog.rapid7.com/content/images/2023/08/metasploit-ascii-1-2-1.png)

This week’s new features and improvements start with two new exploit modules, leveraging [CVE-2023-34960]() in Chamilo versions 1.11.18 and below and [CVE-2023-26469]() in Jorani 1.0.0. Like [CVE-2023-34960](), I, too, feel attacked by PowerPoint sometimes.
We also have several improvements, including additions to the fetch payloads, PostgreSQL authentication, and documentation.

## New module content (2)

### Chamilo unauthenticated command injection in PowerPoint upload

Authors: Randorisec and h00die-gr3y
Type: Exploit
Pull request: [#18233]() contributed by [h00die-gr3y]()
Path: exploits/linux/http/chamilo_unauth_rce_cve_2023_34960
AttackerKB reference: [CVE-2023-34960]()

Description: This adds an exploit module that leverages an unauthenticated remote command execution vulnerability in Chamilo versions 1.11.18 and below. This vulnerability is identified as CVE-2023-34960. Because of a feature called `Chamilo Rapid`, which converts PowerPoint slides into Chamilo courses, an unauthenticated remote attacker can execute arbitrary commands at the OS level by sending a malicious SOAP request to the vulnerable endpoint `/main/webservices/additional_webservices.php`.

### Jorani unauthenticated Remote Code Execution

Author: RIOUX Guilhem (jrjgjk)
Type: Exploit
Pull request: [#18123]() contributed by [Guilhem7]()
Path: exploits/multi/php/jorani_path_trav
AttackerKB reference: [CVE-2023-26469]()

Description: This PR adds a module that chains together a log poisoning LFI redirection bypass and a path traversal vulnerability to obtain unauthenticated RCE.

## Enhancements and features (4)

* [#18214]() from [bwatters-r7]() – This makes two improvements to the fetch payloads. The first improvement is that the `FETCH_SRVHOST` option will be set to `LHOST` when `LHOST` is set and `FETCH_SRVHOST` is not, meaning there is now one less option users need to set when using a payload with a reverse stager. The second improvement is that the default command for the Windows HTTP payload has been changed to CERTUTIL which will offer better compatibility with older versions of Windows than the previous CURL command. The HTTPS and TFTP payloads will still default to CURL.
* [#18276]() from [adfoster-r7]() – Updates all PostgreSQL modules to support a newer form of authentication (SASL-SCRAM-256) that pen testers are now seeing in the wild more frequently. This includes the modules for PostgreSQL authentication brute force, version fingerprinting, running queries, etc.
* [#18307]() from [ismaildawoodjee]() – This fixes documentation typos with the `exploit/multi/http/subrion_cms_file_upload_rce` module.
* [#18308]() from [ismaildawoodjee]() – Improves the readability of `documentation/modules/exploit/windows/http/smartermail_rce`.
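For readers who want to see what the PostgreSQL modules now have to speak, the following is an added example of the SCRAM-SHA-256 exchange (RFC 5802/7677, the mechanism PostgreSQL's SASL authentication uses). It is not code from Metasploit or from the pull request above; it is a self-contained illustration of both sides of the handshake. The salt, nonces and password are constructed sample values, and the password is used as-is without the SASLprep normalization a real client applies.

```ruby
require "openssl"

ITERATIONS = 4096 # PostgreSQL's default SCRAM iteration count

def b64(s) = [s].pack("m0") rescue nil # placeholder, replaced below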

## Bugs fixed (5)

* [#18272]() from [sfewer-r7]() – This fixes an issue in the exploit module `multi/http/adobe_coldfusion_rce_cve_2023_26360` when the target ColdFusion server is deployed with a Development profile.
* [#18287]() from [zeroSteiner]() – This fixes a stack trace thrown by the `forge_ticket` module when the SPN datastore option was left blank. The module now fails due to bad-config and gives a detailed error message.
* [#18297]() from [adfoster-r7]() – This fixes the broken `scanner/mysql/mysql_authbypass_hashdump` module and adds documentation for the module.
* [#18298]() from [adfoster-r7]() – Changes the behavior of setting `LHOST` as an interface name, for example with `set LHOST eth0`. Previously, a non-deterministic IP would be resolved from the adapter name if the adapter had multiple IPv4/IPv6 addresses registered. Now the lowest ordinal IPv4 addresses is preferenced first, followed by any IPv6 addresses.
* [#18306]() from [zeroSteiner]() – Fixes a crash when parsing ThriftHeader binary data.

## Documentation

You can find the latest Metasploit documentation on our docsite at [docs.metasploit.com]().

## Get it

As always, you can update to the latest Metasploit Framework with `msfupdate`
and you can get more details on the changes since the last blog post from
GitHub:

* [Pull Requests 6.3.30…6.3.31]()
* [Full diff 6.3.30…6.3.31]()

If you are a `git` user, you can clone the [Metasploit Framework repo]() (master branch) for the latest.
To install fresh without using git, you can use the open-source-only [Nightly Installers]() or the
[binary installers]() (which also include the commercial edition).Read More

Back to Main

Subscribe for the latest news: