Philip Pettersson discovered vulnerabilities in certain PAN OS versions that could lead to remote code execution and hdm wrote a Metasploit module for the exploit chain. The exploit chain starts off with an authentication bypass, which allows the module to access a page that is vulnerable to an XML injection. This page is then used to create a directory where a payload is stored. Finally, a cron job, vulnerable to command injection via a bug in its filename parsing, runs and the payload is executed.
RubySMB Integration Update
More RubySMB integration work has landed in Framework. The changes in the pull request allow a module author to decide whether or not to support SMBv2, which is implemented by the RubySMB client, by setting a versions parameter in the module. The use of RubySMB is not enforced across all of the module since some client updates/integrations are still being worked on. Currently, smb/upload_file and smb/download_file modules are using the RubySMB library and can enjoy SMBv2 support. When other modules are ready, they can also be switched to use RubySMB in the future.
- William Vu created a Drupal mixin for Metasploit Framework by taking Drupal specific checks from the drupal_drupalgeddon2 module. The new mixin should help in future development of modules that target the Drupal platform (on which there are already several new vulnerabilities).
- clong updated the OSX keylog_recorder module to work with more recent versions of MacOS.
- Also, a bug in the linux/x64/reverse_tcp payload that caused it to fail after entering a retry loop was fixed. The fix was pushed by timwr, originally identified by plestrin. The bug occured when the first connection attempt by the payload fails and a future connection attempt contacts a listener.
Exploit modules (5 new)
- Palo Alto Networks readSessionVarsFromFile() Session Corruption by hdm and Philip Pettersson, which exploits CVE-2017-15944
- Mantis manage_proj_page PHP Code Execution by EgiX and Lars Sorenson, which exploits CVE-2008-4687
- PlaySMS sendfromfile.php Authenticated "Filename" Field Code Execution by DarkS3curity and Touhid M.Shaikh, which exploits CVE-2017-9080
- PlaySMS import.php Authenticated CSV File Upload Code Execution by Touhid M.Shaikh, which exploits CVE-2017-9101
- Windows WMI Recieve Notification Exploit by de7ec7ed and smmrootkit, which exploits CVE-2016-0040
As always, you can update to the latest Metasploit Framework with
msfupdate and you can get more details on the changes since the last blog post from GitHub:
To install fresh, check out the open-source-only Nightly Installers, or the binary installers which also include the commercial editions. PLEASE NOTE that these installers, and Metasploit Framework versions included in distros such as Kali, Parrot, etc., are based off the stable Metasploit 4 branch. If you'd like to try out the newer things going into Metasploit 5, that work is available in the master branch of the Metasploit Framework repo on GitHub.