Metasploit Weekly Wrap-Up

Post Syndicated from Dean Welch original https://blog.rapid7.com/2023/02/03/metasploit-weekly-wrap-up-191/

Metasploit 6.3 is out!

Earlier this week we announced the release of Metasploit 6.3, which came with a tonne of new modules and improvements.
The whole team worked super hard on this, and we’re very excited that everyone can now get their hands on it and all of the new features it has to offer!
I won’t go over everything we did here, because we have a whole separate blog post dedicated to the 6.3 release that you should check out if you missed it.

Dirty Cow available on macOS

We have a new module provided by timwr to exploit Dirty Cow on macOS. This module exploits a race condition in the kernel that lets an unprivileged user gain code execution as root.

New module content (5)

CWP login.php Unauthenticated RCE

Authors: Numan Türle and Spencer McIntyre
Type: Exploit
Pull request: #17511 contributed by zeroSteiner
AttackerKB reference: CVE-2022-44877

Description: Adds an exploit for CVE-2022-44877, an unauthenticated command injection in CentOS Control Web Panel versions before 0.9.8.1147. Successful exploitation results in code execution as the root user.

io_uring Same Type Object Reuse Priv Esc

Authors: Mathias Krause, Ryota Shiga, and h00die
Type: Exploit
Pull request: #17301 contributed by h00die
AttackerKB reference: CVE-2022-1043

Description: This module exploits CVE-2022-1043, a Linux local privilege escalation caused by a bug in io_uring that leads to an extra put_cred() call, which can be abused to hijack the credentials of other processes.

vmwgfx Driver File Descriptor Handling Priv Esc

Authors: Mathias Krause and h00die
Type: Exploit
Pull request: #17300 contributed by h00die
AttackerKB reference: CVE-2022-22942

Description: This module adds a Linux privilege escalation against VMware virtual machines running kernels 4.14-rc1 through 5.17-rc1, caused by a bug in the VMware vmwgfx driver.

macOS Dirty Cow Arbitrary File Write Local Privilege Escalation

Authors: Ian Beer, Zhuowei Zhang, and timwr
Type: Exploit
Pull request: #17415 contributed by timwr
AttackerKB reference: CVE-2022-46689

Description: This module is the macOS equivalent of the Dirty Cow vulnerability and allows an unprivileged user to execute code as root.

Veeam Backup and Replication Credentials Dump

Author: npm
Type: Post
Pull request: #17406 contributed by npm-cesium137-io

Description: Post module that captures credentials from Veeam Backup & Recovery and Veeam ONE Monitor versions 9.x – 11.x.

Enhancements and features (11)

  • #16946 from cgranleese-r7 – Updates the show targets and show actions commands to display a visual indicator beside the currently selected value.
  • #17481 from h00die – An update has been made to the modules/auxiliary/scanner/http/options.rb module to modernize a few of its options, tidy up the code, and to handle an edge case when a target server might respond with a Tomcat error page.
  • #17504 from ErikWynter – Two aliases for show favorites have been added, namely favorite -l and favorites, to allow for easier listing of modules that users have marked as their favorites.
  • #17559 from cgranleese-r7 – Adds support for Ruby 3.2.
  • #17560 from adfoster-r7 – Updates the Kerberos inspect_ticket module to show unsupported PAC buffer ul_types in a clearer way to the user.
  • #17563 from bcoles – Improves documentation and code quality for modules/exploits/multi/local.
  • #17564 from serializingme – Improves the CIPCTlv definition for the exploits/windows/local/anyconnect_lpe module.
  • #17570 from zeroSteiner – The list of default queries used by the ldap_query module has been updated to add in the ENUM_DOMAIN and ENUM_MACHINE_ACCOUNT_QUOTA queries and to make some small updates to existing queries.
  • #17575 from zeroSteiner – Updates the Kerberos ccache functionality to automatically perform sname switching on Service Tickets when the ticket sname does not match the Metasploit module’s required sname. This allows for a service ticket associated with the SPN service_a/host.domain.local to be used and updated to service_b/host.domain.local dynamically as part of service authentication.
  • #17577 from bcoles – Updates modules/exploits/qnx to run the check command before attempting to exploit the target.
  • #17581 from bcoles – This PR modifies the conditions in 45 local privilege escalation modules so that they check whether the operator set ForceExploit to true before checking the permissions required for exploitation on the remote target, which is more efficient and quieter over the network.

Bugs fixed (4)

  • #17444 from hamax97 – A bug has been fixed whereby issuing a command line argument that contained nested equals signs would not be parsed correctly, and would instead be treated as two separate command line statements.
  • #17557 from zeroSteiner – This fixes the logon timestamp in the MS14-068 exploit so the generated ticket works.
  • #17558 from cgranleese-r7 – Fixes a crash in msfconsole’s analyze command when a WinRM session was open.
  • #17561 from gwillcox-r7 – This fixes the direction for some Railgun function definitions in iphlpapi.

Documentation added (1)

  • #17565 from adfoster-r7 – Updates the docs site to add color to Metasploit console examples.

You can always find more documentation on our docsite at docs.metasploit.com.

Get it

As always, you can update to the latest Metasploit Framework with msfupdate, and you can get more details on the changes since the last blog post from GitHub:

If you are a git user, you can clone the Metasploit Framework repo (master branch) for the latest. To install fresh without using git, you can use the open-source-only Nightly Installers or the binary installers (which also include the commercial edition).