GameOver(lay) Privilege Escalation and Container Escape
Authors: bwatters-r7, g1vi, gardnerapp, and h00die
Type: Exploit
Pull request: #19460 contributed by gardnerapp
Path: linux/local/gameoverlay_privesc
AttackerKB reference: CVE-2023-2640
Description: Adds a module for CVE-2023-2640 and CVE-2023-32629, a local privilege escalation in some Ubuntu kernel versions that abuses overly trusting OverlayFS features.
Clinic’s Patient Management System 1.0 – Unauthenticated RCE
Authors: Aaryan Golatkar and Oğulcan Hami Gül
Type: Exploit
Pull request: #19733 contributed by aaryan-11-x
Path: multi/http/clinic_pms_fileupload_rce
AttackerKB reference: CVE-2022-40471
Description: New exploit module for Clinic’s Patient Management System 1.0 that targets CVE-2022-40471. The module exploits unrestricted file upload, which can be further used to get remote code execution (RCE) through a malicious PHP file.
WordPress WP Time Capsule Arbitrary File Upload to RCE
Authors: Rein Daelman and Valentin Lobstein
Type: Exploit
Pull request: #19713 contributed by Chocapikk
Path: multi/http/wp_time_capsule_file_upload_rce
AttackerKB reference: CVE-2024-8856
Description: This exploits a remote code execution (RCE) vulnerability (CVE-2024-8856) in the WordPress WP Time Capsule plugin (versions ≤ 1.22.21). This vulnerability allows unauthenticated attackers to upload and execute arbitrary files due to improper validation within the plugin.
WSO2 API Manager Documentation File Upload Remote Code Execution
Authors: Heyder Andrade <@HeyderAndrade>, Redway Security <redwaysecurity.com>, and Siebene@ <@Siebene7>
Type: Exploit
Pull request: #19647 contributed by heyder
Path: multi/http/wso2_api_manager_file_upload_rce
AttackerKB reference: CVE-2023-2988
Description: Adds an exploit module for a vulnerability in the ‘Add API Documentation’ feature of WSO2 API Manager (CVE-2023-2988) that allows malicious users with specific permissions to upload arbitrary files to a user-controlled server location. This flaw allows for RCE on the target system.
Enhancements and features (4)
- #19546 from adfoster-r7 – Improves the database module cache performance from ~3 minutes to ~1 minute by performing bulk inserts of module metadata instead of multiple smaller inserts for every
module/reference/author/etc. - #19660 from zeroSteiner – Updates
OptEnumto validate values without being case sensitive while preserving the case the author was expecting. - #19715 from oddlittlebird – Improves
db/README.mddocumentation. - #19718 from sjanusz-r7 – Expose the currently authenticated rpc_token to RPC handlers.
Bugs fixed (4)
- #19719 from bwatters-r7 – Fixed a syntax error in the code generated by fetch payloads when the FETCH_DELETE option was enabled.
- #19721 from bwatters-r7 – This updates the way the module checks the Windows build version to determine if it’s vulnerable to CVE-2020-0668.
- #19726 from pczinser – The reverse HTTP and HTTPS Meterpreter x64 payloads now correctly set the User-Agent HTTP header when connecting back to Metasploit. Before this fix, the
HttpUserAgentoption was not used properly. You can now use this option to customize the User-Agent HTTP header when using these payloads. - #19739 from sjanusz-r7 – Fixes an issue with the
post/multi/recon/local_exploit_suggestermodule which would crash if aTARGETvalue was set.
Documentation
You can find the latest Metasploit documentation on our docsite at docs.metasploit.com.
Get it
As always, you can update to the latest Metasploit Framework with msfupdate and you can get more details on the changes since the last blog post from GitHub:
If you are a git user, you can clone the Metasploit Framework repo (master branch) for the latest. To install fresh without using git, you can use the open-source-only Nightly Installers or the commercial edition Metasploit Pro.
NEVER MISS AN EMERGING THREAT
Be the first to learn about the latest vulnerabilities and cybersecurity news.