RCE with a Key
An exploit module for Laravel Framework was submitted by community contributor aushack. The module targets an insecure unserialize call with the X-XSRF-TOKEN HTTP request header, which was discovered by Ståle Pettersen. Since the exploit requires the Laravel APP_KEY to reach the vulnerable unserialize call, aushack included information leak checks in the module to extract the APP_KEY if necessary. A Google dork, such as the one shown by finnwea, could be used to retrieve the APP_KEY of a misconfigured Laravel server.
space-r7 submitted a module that combines an AppXSVC DACL permissions overwrite, discovered by Nabeel Ahmed, with DiagHub DLL hijacking, discovered by James Forshaw, to execute code as SYSTEM. Windows AppXSVC on Windows 10 builds prior to 17763 improperly handles hard links, which allows a user to gain full privileges over a SYSTEM-owned file. After gaining control of a SYSTEM-owned file, its contents are overwritten with a DLL that is then loaded by the DiagHub service for code execution.
New modules (4)
- PHP Laravel Framework token Unserialize Remote Command Execution by Ståle Pettersen and aushack, which exploits CVE-2017-16894
- Xymon useradm Command Execution by Markus Krell and bcoles, which exploits CVE-2016-2056
- AppXSvc Hard Link Privilege Escalation by James Forshaw, Nabeel Ahmed, and Shelby Pace, which exploits CVE-2019-0841
- Windows NtUserSetWindowFNID Win32k User Callback by Jacob Robles, Kaspersky Lab, and ze0r, which exploits CVE-2018-8453
Enhancements and features
- PR #12031 by bcoles adds a `shutdown` method to the `Msf::Exploit::Remote::Tcp` mixin, exposing the `Rex::Socket::Tcp` to provide a consistent interface for module developers.
- PR #12087 by wvu-r7 ensures that shell features like globs and pipes work again when executing passthrough commands.
- PR #12086 by aushack fixes and refactors `auxiliary/admin/http/joomla_registration_privesc` to perform as intended.
- PR #12085 by wvu-r7 fixes
As always, you can update to the latest Metasploit Framework with `msfupdate`, and you can get more details on the changes since the last blog post from GitHub:
We recently announced the release of Metasploit 5. You can get it by cloning the Metasploit Framework repo (master branch). To install fresh without using git, you can use the open-source-only Nightly Installers or the binary installers (which also include the commercial editions).