vBulletin strikes again

This week saw another vBulletin exploit released by returning community member Zenofex. This exploit module allows an unauthenticated attacker to run arbitrary PHP code or operating system commands on affected versions of the vBulletin web application. The vulnerability, which was also discovered by Zenofex, is identified as CVE-2020-7373 and is effectively a bypass for a previously patched vulnerability identified as CVE-2019-16759. Administrators running vBulletin should patch this one immediately.

Multiple DNS improvements

Community member digininja reported and submitted fixes (with the help of bcoles) for multiple DNS-related bugs affecting the DNS Enumeration and Dyn DNS Update modules. Additionally, digininja submitted a patch to allow the Dyn DNS Update module to target servers running on non-standard ports. These features will go a long way toward improving the experience of framework users who are testing DNS services.

Mikrotik processing

Longtime community member h00die continues his trend of targeting network devices this week by submitting configuration processing support for devices running Mikrotik’s RouterOS. The new modules can be used to gather information from a live device, or import a configuration previously exported from a live device. These device configurations can contain valuable information for SNMP and VPN services as well as wireless authentication secrets.

New modules (4)

Enhancements and features

Bugs fixed

Get it

As always, you can update to the latest Metasploit Framework with msfupdate
and you can get more details on the changes since the last blog post from
GitHub:

If you are a git user, you can clone the Metasploit Framework repo (master branch) for the latest.
To install fresh without using git, you can use the open-source-only Nightly Installers or the
binary installers (which also include the commercial edition).