First up this week, we have a new module from rastating which exploits an unauthenticated file upload vulnerability in the popular WordPress plugin, Ninja Forms. Versions affected include those within the range of v2.9.36 to 2.9.42, and the vulnerability can be leveraged into a shell running within the security context of the web server process in a fairly silent manner. With over 2.5 million downloads and 500k active installs, according to the developer and the Wordpress plugin repos, this silent attack could prove deadly ... sort of like a ninja ... get it?
New from @wvu is a module exploiting a recently discovered pre-auth file upload vulnerability in Ubiquiti Network's airOS, which runs on their airMAX line of devices. Given the ease with which the module turns a file upload exploit into a privileged BusyBox shell, we recommend that affected users check with the vendor for software updates.
Also new from @wvu (he's been busy) is an exploit module targeting Oracle Application Testing Suite version 188.8.131.52.0. The software allows users to perform load and regression testing--among other useful features--on their web applications. Unfortunately, this version also opens a wide security hole that an attacker can easily turn into a connect-back jsp shell. While Oracle's applications are sometimes derided as being both complex and demanding to install, the Metasploit module couldn't be easier to use. Simply point it at the vulnerable target, allow it a moment to attempt cleaning off any exploit artifacts, and wait for your shell. It's just that easy!
Totally wrecking the whole pre-auth file upload theme we had going...
h00die <mike [at] stcyrsecurity.com> recently contributed a module for local privilege escalation vulnerability in Allwinner's (the maker of some really cool embedded devices) 3.4 legacy kernel. Kernel-land vulnerabilities and exploits are often thought of as being quite complex, esoteric, and daunting to approach by many researchers. Allwinner has heard these sentiments echo and made accommodations for all those in agreeance. To exploit, type:
echo "rootmydevice" > /proc/sunxi_debug/sunxi_debug
and you're done!. Or, simply fire up the module by h00die and forgo the rigorous echo command. Granted, there is a good chance that this was implemented as crutch for development and testing with perfectly altruistic intentions, but it's certainly not something you'd want to leave running on any multiuser system where you'd hope to maintain productivity. New Armbian images were released on May 1st to address this issue, and we recommend that users look into upgrading as soon as possible.
A nasty bug existed when attempting to upgrade the
python/shell_reverse_tcp_ssl payload in which send() was not sending all necessary protocol data over the connection, causing an EOF error to occur frequently. The fix was contributed by geckom and remedies the issue by using sendall()
jhart squashed a couple of bugs and performed some maintenance within the
ssh_identify_pubkeys auxiliary module. For one, both KEY_DIR and KEY_PATH would not expand if they contained symbolic values (such as ~/bobbobthebobbob/.ssh/bobskeys.txt). Secondly, if the key included a white list of commands that the user could run, it wouldn't be processed as all. Finally, several unused options and some dead code snippets were removed from the module, which has now been tested and confirmed to work properly.
Our own Brent Cook tidied up and merged changes, which where originally contributed by RageLtMan, to the
bind_tcp_rc4 payloads. This removes the static shellcode originally contained within the payload modules and implements them as assembly which is then compiled by Metasm. Brent also squashed bugs found by @_sinn3r while auditing module
ms08_067_netapi, which later proved to affect many more modules. This fixes issues where the 'check' command would erroneously report that a host was vulnerable when in fact it wasn't, and also allows for correctly checking a range of ip addresses (as in 'check 192.168.1.1-192.168.1.200'). Not content to stop there, Brent also corrected an issue in the BrowserAutoPwn2 server where the CookieExpiration variable was not being set correctly. Finally, in other bugfix news not involving Brent, darkbushido worked in changes to msfvenom, which fixes an issues where it would still generate a payload even if it's larger than the size option. It also no longer fails silently when invalid payload options (such as an ELF file for OS X) are specified.