Bad WebLogic Part 2

Our own Shelby Pace authored another exploit that takes advantage of a Java object deserialization vulnerability to gain unauthenticated remote code execution by sending a serialized BadAttributeValueExpException object over the T3 protocol to vulnerable WebLogic servers. Leveraging an ExtractorComparator makes it possible to trigger method.invoke(), which executes arbitrary code. This has been tested on WebLogic versions v12.2.1.4.0, v12.2.1.3.0, and v12.1.3.0.0.

Just Drag and Drop

A new module for the WordPress plugin Drag and Drop Multiple File Upload - Contact Form 7 has been added by our frequent community contributor h00die. This module exploits the plugin's file upload feature to upload PHP shells. It bypasses the file extension whitelist by simply appending % to the end of the file name.
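The bypass works because the handler validates one name and stores another. The following Ruby snippet is an added example, not code from the page, from the plugin, or from the Metasploit module: it models the check-then-sanitize ordering flaw with two assumed handlers, a naive one that validates the raw name and lets an unrecognised extension such as `php%` through before a sanitizer strips the `%`, and a hardened one that sanitizes first and then applies a deny-by-default allowlist to the name that will actually be written. The allowlist, the stripped-character set, the "unknown extension is treated as no type" behaviour and the sample file names are all constructed for the example.

```ruby
# Added example (not the plugin's or the module's code). Models how a
# trailing "%" defeats an extension allowlist that is checked on the raw
# name while the file is stored under a sanitized name.

ALLOWED_EXTENSIONS = %w[jpg jpeg png gif pdf txt].freeze
# Assumed "known" types: the naive check only recognises these.
KNOWN_TYPES = %w[jpg jpeg png gif pdf txt php phtml html js].freeze
# Assumed characters a sanitizer strips from a file name before storage.
STRIPPED_CHARS = /[%?*:<>|"\\\/]/

# Extension as the file system will see it: text after the last dot, if any.
def extension_of(name)
  m = name.match(/\.([^.]+)\z/)
  m ? m[1].downcase : nil
end

# Sanitizer applied at save time (assumed behaviour): removes unsafe characters.
def sanitize_file_name(name)
  name.gsub(STRIPPED_CHARS, '')
end

# Naive handler (vulnerable pattern): inspects the RAW name and rejects only
# when the extension is a recognised, non-allowed type. "php%" is not a
# recognised type, so it is treated as "no type" and passes; the file is then
# saved under the sanitized name, where the "%" is gone.
def naive_upload(name)
  ext = extension_of(name)
  ext = nil unless KNOWN_TYPES.include?(ext) # unknown extension -> "no type"
  return [:rejected, nil] if ext && !ALLOWED_EXTENSIONS.include?(ext)

  [:stored, sanitize_file_name(name)]
end

# Hardened handler: sanitize first, then require the extension of the name
# that will actually be written to be on the allowlist (deny by default).
def hardened_upload(name)
  stored = sanitize_file_name(name)
  ext = extension_of(stored)
  return [:rejected, nil] if stored.empty? || ext.nil?
  return [:rejected, nil] unless ALLOWED_EXTENSIONS.include?(ext)

  [:stored, stored]
end

# Constructed sample uploads: a benign image, a plain PHP file, and the
# "%"-suffixed variant the bypass relies on.
SAMPLE_UPLOADS = ['photo.png', 'shell.php', 'shell.php%'].freeze

# Returns [name, naive outcome, hardened outcome] for each sample name.
def compare(names = SAMPLE_UPLOADS)
  names.map { |n| [n, naive_upload(n).first, hardened_upload(n).first] }
end

if __FILE__ == $PROGRAM_NAME
  compare.each do |name, naive, hardened|
    puts format('%-12s naive=%-9s hardened=%s', name, naive, hardened)
  end
end
```

Running it shows `shell.php%` stored as `shell.php` by the naive handler and rejected by the hardened one; the general rule is to validate the exact bytes that will reach disk, after every transformation, and to treat an unrecognised extension as a rejection rather than as "no type".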

vBulletin SQL Injection

Community contributor Zenofex has added two new modules for vBulletin, a popular PHP bulletin board and blog web application. Both modules exploit a SQL injection vulnerability in the getIndexableContent function, present in vBulletin 5.2.0 through 5.6.1: one uses it to achieve RCE on the target and the other to dump vBulletin table data.

New modules (4)

Enhancements and features

  • PR #13497 by timwr adds the option for python and cmd targets to the exploit/osx/local/persistence module.
  • PR #13538 by wvu-r7 adds Cisco CML and VIRL-PE advisory to Salt modules.
  • PR #13541 by AlanFoster adds some controls to the screenshare interface allowing size and delay customizations and a switch between controlling and non-controlling interface.

Bugs fixed

  • PR #13448 by red0xff makes Metasploit's HTTP client correctly handle relative redirect URIs that start from the root.
  • PR #13514 by noraj updates Metasploit framework to explicitly depend on irb as a runtime dependency.
  • PR #13522 by zeroSteiner fixes an issue where tab-completing an OptAddressRange option, such as RHOSTS, would erroneously append a / character to the host address.
  • PR #13540 by cn-kali-team changes the type of the RPORT option from OptString to OptPort.
  • PR #13553 by Zenofex fixes redundant guard clauses in the auxiliary/gather/vbulletin_getindexablecontent_sqli and exploit/multi/http/vbulletin_getindexablecontent modules.

Get it

As always, you can update to the latest Metasploit Framework with msfupdate and you can get more details on the changes since the last blog post from GitHub:

If you are a git user, you can clone the Metasploit Framework repo (master branch) for the latest. To install fresh without using git, you can use the open-source-only Nightly Installers or the binary installers (which also include the commercial edition).