Metasploit Weekly Wrap-Up: Dec. 22, 2023

Last updated at Wed, 17 Jan 2024 21:48:25 GMT

Getting Looney with Privilege Escalation

As if Metasploit couldn’t get any loonier, this release adds a brand new exploit module for Glibc Tunables Privilege Escalation aka Looney Tunables. Now, using linux/local/glibc_tunables_priv_esc, you can check your target’s glibc version to see if it’s vulnerable to buffer overflow, as outlined in CVE-2023-4911. If so, the module will drop a python script and escalate your privilege to the root user, allowing you to execute malicious code. Happy Tuning!

New module content (3)

Vinchin Backup and Recovery Command Injection

Authors: Gregory Boddin (LeakIX) and Valentin Lobstein
Type: Exploit
Pull request: #18542 contributed by Chocapikk
Path: linux/http/vinchin_backup_recovery_cmd_inject

Description: This adds an exploit module for a command injection vulnerability in Vinchin Backup & Recovery versions v5.0, v6.0, v6.7, and v7.0. This leverages two vulnerabilities identified as CVE-2023-45499 and CVE-2023-45498.

Glibc Tunables Privilege Escalation CVE-2023-4911 (aka Looney Tunables)

Authors: Qualys Threat Research Unit, blasty peter@haxx.in, and jheysel-r7
Type: Exploit
Pull request: #18541 contributed by jheysel-r7
Path: linux/local/glibc_tunables_priv_esc

Description: This adds an exploit module for the "Looney Tunables" Linux LPE, identified as CVE-2023-4911. It checks the version of glibc running on the target to make sure it is vulnerable and, once verified, it drops a python script that exploits the vulnerability and returns a session running in the context of the root user.

Atlassian Confluence Unauth JSON setup-restore Improper Authorization leading to RCE (CVE-2023-22518)

Authors: jheysel-r7
Type: Exploit
Pull request: #18566 contributed by jheysel-r7
Path: multi/http/atlassian_confluence_unauth_backup

Description:
This adds an exploit module for CVE-2023-22518, an Improper Authorization vulnerability in Confluence which allows an attacker to upload and restore a .zip backup file to the server containing a known user name and password. The attacker can then login with the credentials from the backup file to gain administrative access to the server.

Enhancements and features (2)

• #18622 from zeroSteiner - Updates the auxiliary/scanner/dcerpc/petitpotam module to work with newer Windows Server releases.
• #18623 from gardnerapp - This updates the file handling of the generate command's -o parameter to expand file system paths.

Bugs fixed (1)

• #18619 from adfoster-r7 - Fixed a crash when running the favorites command.

Documentation added (1)

• #18477 from AleksaZatezalo - This adds documentation for the auxiliary/scanner/nessus/nessus_rest_login module.

You can always find more documentation on our docsite at docs.metasploit.com.

Get it

As always, you can update to the latest Metasploit Framework with msfupdate
and you can get more details on the changes since the last blog post from
GitHub:

• Pull Requests 6.3.47...6.3.48
• Full diff 6.3.47...6.3.48

If you are a git user, you can clone the Metasploit Framework repo (master branch) for the latest.
To install fresh without using git, you can use the open-source-only Nightly Installers or the
commercial edition Metasploit Pro