Last updated at Thu, 25 Jan 2024 00:37:38 GMT

Apache RocketMQ

We saw some great teamwork this week from jheysel-r7 and h00die to bring you an exploit module for CVE-2023-33246.
In Apache RocketMQ versions 5.1.0 and earlier, there is an access control issue that the module leverages to update the broker's configuration file without authentication. From there we can gain remote code execution as whichever user is running the service.

New module content (1)

Apache RocketMQ update config RCE

Authors: Malayke, h00die, and jheysel-r7
Type: Exploit
Pull request: #18082 contributed by jheysel-r7
AttackerKB reference: CVE-2023-33246

Description: This adds an exploit module that leverages an RCE in Apache RocketMQ. Due to an access control issue, one can update the Broker's configuration file without authentication and obtain remote code execution in the context of the user running Apache RocketMQ. This vulnerability is identified as CVE-2023-33246.

Enhancements and features (4)

  • #18122 from h00die - This adds a library that provides methods for working with Apache RocketMQ.
  • #18144 from rorymckinley - Updates the capture plugin to be more helpful, and adds additional documentation. This passive capture plugin can be loaded with load capture and run with captureg --help.
  • #18147 from adfoster-r7 - Adds support for Ruby 3.3.0-preview1.
  • #18153 from adfoster-r7 - Removes Ruby 2.7 from Metasploit's automated test suite. Ruby 2.7 has been officially marked as end-of-life by the maintainers. Users are advised to upgrade to Ruby 3.x with a Ruby version manager or similar.

Bugs fixed (2)

  • #18152 from adfoster-r7 - This fixes a bug where the PHP Meterpreter would show the incorrect file size for very large files.
  • #18166 from dwelch-r7 - Fixes a crash when running the show payloads command for a module that supports encrypted payloads on a machine that doesn't have a Mingw compiler available.

Documentation added (1)

  • #18169 from adfoster-r7 - Additional documentation has been added to the Metasploit Wiki to explain how plugins work.

You can always find more documentation on our docsite at docs.metasploit.com.

Get it

As always, you can update to the latest Metasploit Framework with msfupdate
and you can get more details on the changes since the last blog post from
GitHub:

If you are a git user, you can clone the Metasploit Framework repo (master branch) for the latest.
To install fresh without using git, you can use the open-source-only Nightly Installers or the
binary installers (which also include the commercial edition).