Perfect Persistence via Package Manager

What do most Linux machines come pre-installed with? Package managers. Community member aringo is taking advantage of this with two new modules for setting up persistence via yum and apt. Once you get privileged access you can now easily set up a method to get back in using a tool that has a high likelihood of being present.

Double Dose of DoubleTap

If you read last week’s wrap-up, you might be having a case of deja vu. Our own wchen-r7 has added a second module exploiting the Ruby on Rails “DoubleTap” vulnerability. This version takes advantage of the method Rails uses to generate secrets to get code execution. Be sure to check it out!

Spring Open Some Files

A new module has been added by RootUp that exploits a directory traversal vulnerability in Spring Cloud Config. The module crafts a special request to display the contents of files on the host machine. jhart-r7 noted that there are ~3300 instance of Spring Cloud listening in the world. Hopefully they’re patched up!

New modules (7)

Enhancements and features

  • #11761 updates the apport_abrt_chroot_priv_esc module to be more in-line with current Linux LPE modules through code style changes and using new libs.

Bugs fixed

  • #11786 fixes issues manipulating the Metasploit database via RPC commands.
  • #11784 adds additional nil checks for Nokogiri to avoid NoMethodError.
  • #11778 fixes a bug in cmd_psh_payload where a false value supplied to the options hash would be treated the same as a nil value.
  • #11777 fixes an issues with the auxiliary/dos/http/apache_range_dos CHECK action.

Get it

As always, you can update to the latest Metasploit Framework with msfupdate
and you can get more details on the changes since the last blog post from
GitHub:

We recently announced the release of Metasploit 5. You can get it by cloning the Metasploit Framework repo (master branch). To install fresh without using git, you can use the open-source-only Nightly Installers or the binary installers (which also include the commercial editions).