Post Syndicated from Christophe De La Fuente original https://blog.rapid7.com/2024/05/03/metasploit-weekly-wrap-up-05-03-24/

Dump secrets inline

This week, our very own cdelafuente-r7 added a significant improvement to the well-known Windows Secrets Dump module to reduce the footprint when dumping SAM hashes, LSA secrets and cached credentials. The module is now directly reading the Windows Registry remotely without having to dump the full registry keys to disk and parse them, like it was originally. This idea comes from this PR proposed by antuache. The technique takes advantage of the WriteDACL privileges held by local administrators to set temporary read permissions on the SAM and SECURITY registry hives. The module also takes care of restoring the original Security Descriptors after each read. Note that it is still possible to use the original technique by setting the INLINE option to false. Happy dumping!

New module content (1)

Kemp LoadMaster Unauthenticated Command Injection

Author: Dave Yesland with Rhino Security Labs
Type: Exploit
Pull request: #18972 contributed by DaveYesland
Path: linux/http/progress_kemp_loadmaster_unauth_cmd_injection
AttackerKB reference: CVE-2024-1212

Description: This adds a module targeting CVE-2024-1212, an unauthenticated command injection vulnerability in Kemp Progress Loadmaster versions after 7.2.48.1, but patched in 7.2.59.2 (GA), 7.2.54.8 (LTSF) and 7.2.48.10 (LTS).

Enhancements and features (3)

• #19048 from cdelafuente-r7 – This updates the windows_secrets_dump module to enable accessing the necessary registry data without writing it to disk first.
• #19075 from ide0x90 – :
  Updates the Softing Secure Integration Server login library to allow the code to be better reused by other modules.
• #19148 from adfoster-r7 – Updates Metasploit-framework to compile on x64-mingw-ucrt platforms.

Bugs fixed (5)

• #19095 from zeroSteiner – Updates the smb_enumusers module to use an updated SMB implementation from RubySMB which fixes an issue where the module could sometimes time out or return an unexpected error when targeting Samba.
• #19137 from zeroSteiner – Fixes an infinite recursion error where Metasploit would attempt to resolve a nameserver specified as a hostname in /etc/resolv.conf while initializing.
• #19138 from dwelch-r7 – Fixes a crash in the cve_2022_26923_certifried module.
• #19141 from jheysel-r7 – This fixes timeout issues encountered by rocketmq and activemq modules that would occur when the target is not running the expected service.
• #19152 from adfoster-r7 – This fixes an issue in the exploit/multi/http/apache_normalize_path_rce exploit module that affected Metasploit Pro due to how the module was handling datastore options.

Documentation

You can find the latest Metasploit documentation on our docsite at docs.metasploit.com.

Get it

As always, you can update to the latest Metasploit Framework with msfupdate and you can get more details on the changes since the last blog post from
GitHub:

• Pull Requests 6.4.6…6.4.7
• Full diff 6.4.6…6.4.7

If you are a git user, you can clone the Metasploit Framework repo (master branch) for the latest. To install fresh without using git, you can use the open-source-only Nightly Installers or the commercial edition Metasploit Pro.