Post Syndicated from Jack Heysel original https://blog.rapid7.com/2023/03/24/metasploit-weekly-wrap-up-197/
Zyxel Routers Beware
This week we released a module written by first-time community contributor shr70 that can exploit roughly 45 different Zyxel router and VPN models. The module exploits a buffer overflow vulnerability that results in unauthenticated remote code execution on affected devices. It is rare for a single module to affect this many devices at once, and we are excited to see it ship in the framework. We hope pentesters and red teamers alike can make good use of it in their day-to-day operations.
Monitorr unauthenticated RCE
Community contributor h00die-gr3y strikes again, this time with a module for an unauthenticated RCE vulnerability in Monitorr. Monitorr is a simple web application that lets you set up a dashboard showing whether various web sites and web applications are up or down. Vulnerable versions let an attacker upload a webshell tagged as a GIF image and then execute the malicious PHP code from the upload directory where the file is stored.
More Metasploit Twitch Streaming
In case you missed it or were previously unaware, our very own Spencer McIntyre has been doing live exploit development on Twitch on the second Friday of the month at 4pm EST. This past week Spencer (aka zerosteiner) shared in real time the trials and tribulations of reverse engineering an authenticated SolarWinds Information Service deserialization RCE. The pull request for this work can be found here: https://github.com/rapid7/metasploit-framework/pull/17785. In the live stream he explained how he takes a blog post with limited technical details, then decompiles and debugs the application to figure out what makes the vulnerability tick. Come watch the next one on Friday, April 14th, at https://www.twitch.tv/zerosteiner. There is a good chance you will learn something new, so be sure to invite your family and friends!
New module content (4)
Zyxel Unauthenticated LAN Remote Code Execution
Authors: Gerhard Hechenberger, SEC Consult Vulnerability Lab, Stefan Viehboeck, Steffen Robertz, and Thomas Weber
Pull request: #17388 contributed by shr70
Description: This PR adds a new exploit module for a buffer overflow in roughly 45 different Zyxel router and VPN models.
Monitorr unauthenticated Remote Code Execution (RCE)
Authors: Lyhins Lab and h00die-gr3y
Pull request: #17771 contributed by h00die-gr3y
AttackerKB reference: CVE-2020-28871
Description: This adds a module that exploits an unauthenticated file upload vulnerability in various versions of Monitorr. RCE as the user under which the software runs can be achieved due to insufficient validation on GIF uploads.
Open Web Analytics 1.7.3 – Remote Code Execution (RCE)
Authors: Dennis Pfleger and Jacob Ebben
Pull request: #17754 contributed by Pflegusch
AttackerKB reference: CVE-2022-24637
Description: This adds an exploit module for CVE-2022-24637, a single/double quote confusion vulnerability in Open Web Analytics versions below 1.7.4. This leads to the disclosure of sensitive information in an automatically generated PHP cache file, which can be leveraged to gain admin privileges and remote code execution.
WhatsUp Gold Credentials Dump
Authors: npm and sshah
Pull request: #17462 contributed by npm-cesium137-io
AttackerKB reference: CVE-2022-29848
Description: This adds a post module that collects and decrypts credentials from WhatsUp Gold installs.
Enhancements and features (2)
- #17401 from araout42 – This PR adds a new x86 XOR polymorphic encoder.
- #17583 from cgranleese-r7 – Enhances msfconsole's `info -d` command, which is used to generate browser Metasploit module documentation, to additionally include references to AttackerKB.
Bugs fixed (8)
- #17735 from tekwizz123 – Fixes a few incorrect parameter names in the generated developer documentation found at https://docs.metasploit.com/api/.
- #17747 from dwelch-r7 – Updates the wmap plugin to no longer crash when running `wmap_targets -t http://metasploit.com`.
- #17783 from adfoster-r7 – An update has been made to the `reload_lib` command so that it continues to reload files even if a single file fails to load.
- #17784 from dwelch-r7 – Reduces the number of files loaded when msfconsole starts up. This was a performance regression introduced by a recent Rails upgrade.
- #17792 from adfoster-r7 – Fixes a crash in external modules when running the auxiliary/scanner/wproxy/att_open_proxy module.
- #17794 from adfoster-r7 – Update external modules to support python3.11.
- #17798 from adfoster-r7 – The `debug --datastore` command was previously causing a stacktrace due to some incorrect operations. These have since been fixed so that users can now use `debug --datastore` to output debug information along with the datastore information.
- #17802 from zeroSteiner – Updates Python pingback payloads such as `payload/python/pingback_reverse_tcp` to no longer crash when viewing info or generating.
Documentation added (1)
- #17795 from adfoster-r7 – This PR adds documentation on debugging and running external python modules.
You can always find more documentation on our docsite at docs.metasploit.com.
As always, you can update to the latest Metasploit Framework with
and you can get more details on the changes since the last blog post from
If you are a git user, you can clone the Metasploit Framework repo (master branch) for the latest.
To install fresh without using git, you can use the open-source-only Nightly Installers or the
binary installers (which also include the commercial edition).