All posts by Christophe De La Fuente

Metasploit Weekly Wrap-Up 03/01/2024

2024-03-01 Christophe De La Fuente

Post Syndicated from Christophe De La Fuente original https://blog.rapid7.com/2024/03/01/metasploit-weekly-wrap-up-03-01-2024/

Connect the dots from authentication bypass to remote code execution

Metasploit Weekly Wrap-Up 03/01/2024

This week, our very own sfewer-r7 added a new exploit module that leverages an authentication bypass vulnerability in ConnectWise ScreenConnect to achieve remote code execution. This vulnerability, CVE-2024-1709, affects all versions of ConnectWise ScreenConnect up to and including 23.9.7.The module creates a new administrator user account on the server, which is used it to upload a malicious extension (.ashx file) and get code execution as the NT AUTHORITY\SYSTEM user on Windows or root user on Linux, depending on the target platform.

New module content (1)

ConnectWise ScreenConnect Unauthenticated Remote Code Execution

Authors: WatchTowr and sfewer-r7
Type: Exploit
Pull request: #18870 contributed by sfewer-r7
Path: multi/http/connectwise_screenconnect_rce_cve_2024_1709

Description: This PR adds an unauthenticated RCE exploit for ConnectWise ScreenConnect (CVE-2024-1709).

Enhancements and features (8)

#18830 from sjanusz-r7 – Aligns the behavior of the MSSQL, PostgreSQL, and MySQL sessions. This functionality is currently behind a feature flag enabled with the features command.
#18833 from zeroSteiner – This catches an exception when updating a non-existing session. Prior to this PR, trying to run ‘sessions -k’ after running ‘workspace -D’ would result in a stack trace being printed to the console. This resolves issue #18561.
#18849 from adfoster-r7 – Adjusts the logic used for the visual indentation of tables.
#18872 from zgoldman-r7 – Updates the MSSQL modules to support querying database rows that contain boolean bit values.
#18878 from adfoster-r7 – This updates a number of rspec gems which help improve test suite error messages when string encodings are different.
#18879 from zeroSteiner – Updates the auxiliary/admin/kerberos/inspect_ticket module with improved error messages and support for printing Kerberos PAC credential information.
#18892 from zeroSteiner – Allows users to leverage the latest ADCS ESC13 technique. These changes are related to the identification of misconfigured certificate templates and workflow documentation. ldap_esc_vulnerable_cert_finder and ldap_query were also updated to improve usability.
#18893 from sjanusz-r7 – Updates the help command to visually align command names to the same width to improve readability.

Bugs fixed (2)

#18873 from cgranleese-r7 – Fixes a regression that caused a CreateSession option to be available for payloads that did not make sense.
#18880 from jmartin-tech – Fixes a bug with the auxiliary/capture/ldap module’s handling of NTLM hashes.

Documentation

You can find the latest Metasploit documentation on our docsite at docs.metasploit.com.

Get it

As always, you can update to the latest Metasploit Framework with msfupdate
and you can get more details on the changes since the last blog post from
GitHub:

If you are a git user, you can clone the Metasploit Framework repo (master branch) for the latest.
To install fresh without using git, you can use the open-source-only Nightly Installers or the
commercial edition Metasploit Pro

Download Gartner® Top Trends in Cybersecurity for 2024 ▶︎

Metasploit Weekly Wrap-Up

2023-12-01 Christophe De La Fuente

Post Syndicated from Christophe De La Fuente original https://blog.rapid7.com/2023/12/01/metasploit-weekly-wrap-up-37/

Customizable DNS resolution

Metasploit Weekly Wrap-Up

Contributor smashery added a new dns command to Metasploit console, which allows the user to customize the behavior of DNS resolution. Similarly to the route command, it is now possible to specify where DNS requests should be sent to avoid any information leak. Before these changes, the Framework was using the default local system configuration. Now, it is possible to specify which DNS server should be queried based on rules that match specific hostnames or domains. It is also possible to route DNS requests through an existing session, which is useful when querying a DNS server located in an internal network we can only reach through a pivot host.

The DNS feature must be enabled to make this command available with features set dns_feature true. Then, use dns help to list the default commands:

msf6 > features set dns_feature true
dns_feature => true
msf6 > dns help
Manage Metasploit's DNS resolution behaviour

Usage:
  dns [add] [--session <session_id>] [--rule <wildcard DNS entry>] <IP Address> <IP Address> ...
  dns [remove/del] -i <entry id> [-i <entry id> ...]
  dns [purge]
  dns [print]

Subcommands:
  add - add a DNS resolution entry to resolve certain domain names through a particular DNS server
  remove - delete a DNS resolution entry; 'del' is an alias
  purge - remove all DNS resolution entries
  print - show all active DNS resolution entries

Examples:
  Display all current DNS nameserver entries
    dns
    dns print

  Set the DNS server(s) to be used for *.metasploit.com to 192.168.1.10
    route add --rule *.metasploit.com 192.168.1.10

  Add multiple entries at once
    route add --rule *.metasploit.com --rule *.google.com 192.168.1.10 192.168.1.11

  Set the DNS server(s) to be used for *.metasploit.com to 192.168.1.10, but specifically to go through session 2
    route add --session 2 --rule *.metasploit.com 192.168.1.10

  Delete the DNS resolution rule with ID 3
    route remove -i 3

  Delete multiple entries in one command
    route remove -i 3 -i 4 -i 5

  Set the DNS server(s) to be used for all requests that match no rules
    route add 8.8.8.8 8.8.4.4

Once set up, any name resolution will be performed according to these rules. For example, setting RHOSTS to a hostname with set RHOST www.example.com and a rule set with route add --session 1 --rule *.example.com 10.10.1.1 will force Framework to resolve the hostname sending a DNS request to the internal DNS server at 10.10.1.1 and through the session 1. No other requests will be sent to avoid information leak.

Tickets in the sky with diamond

Smashery also enhanced the existing Kerberos ticket-forging module and added support for Diamond and Sapphire techniques, which are similar to the Golden and Silver Tickets but stealthier. The Diamond technique consists in using a real TGT and modifies the PAC, assuming the krbtgt Kerberos keys is known. The Sapphire technique makes use of S4U2Self and U2U (User-to-User) to obtain the PAC of another user and assembling it with an existing TGT to impersonate him.

New module content (1)

WordPress Royal Elementor Addons RCE

Authors: Fioravante Souza and Valentin Lobstein
Type: Exploit
Pull request: #18567 contributed by Chocapikk
Path: multi/http/wp_royal_elementor_addons_rce

Description: This pull request adds a new exploit module for CVE-2023-5360, an unauthenticated file upload vulnerability in the WordPress Royal Elementor Addons and Templates plugin in versions before 1.3.79.

Enhancements and features (5)

#18526 from smashery – This adds a new dns command in Metasploit, to allow the user to customize the behavior of DNS resolution in the framework. DNS resolution can be set to be routed through a session via a specific Comm channel or to request a specific DNS server. Routing rules ensure DNS queries are not sent to unwanted DNS servers and avoid the leak of information.
#18560 from smashery – This updates the existing Kerberos ticket-forging module with new actions for forging tickets with fields copied from ones issued by the legitimate KDC using the Diamond and Sapphire techniques.
#18565 from zeroSteiner – This adds an enhancement to adjust the kerberos cache lookup logic. If no TGT for the specific host is found, it will try again but with any host. This fixes the workflow where a user can currently forge a golden ticket, but that ticket will not be automatically used for authentication by other services. This will also fix the future issue of the TGT that’s created by the Diamond and Sapphire techniques.
#18571 from smashery – Improves the error messages shown to users if there is a validation error with a module’s RHOST datastore values. Now, the user is notified when there is a failure with parsing a URL, invalid CIDR, or DNS resolution failure.
#18580 from adfoster-r7 – Metasploit modules developed using Python can now provide default_options as part of an exploit.

Bugs fixed (1)

#18579 from zeroSteiner – This converts the module to use the new style of Windows version detection that was added in https://github.com/rapid7/metasploit-framework/pull/17336. This will become more important once the Windows Meterpreter returns a more accurate string for the sysinfo OS field.

Documentation

You can find the latest Metasploit documentation on our docsite at docs.metasploit.com.

Get it

As always, you can update to the latest Metasploit Framework with msfupdate
and you can get more details on the changes since the last blog post from
GitHub:

Metasploit Weekly Wrap-Up

2023-10-13 Christophe De La Fuente

Post Syndicated from Christophe De La Fuente original https://blog.rapid7.com/2023/10/13/metasploit-weekly-wrap-up-31/

Pollution in Kibana

Metasploit Weekly Wrap-Up

This week, contributor h00die added a module that leverages a prototype pollution bug in Kibana prior to version 7.6.3. Particularly, this issue is within the Upgrade Assistant and enables an attacker to execute arbitrary code. This vulnerability can be triggered by sending a queries that sets a new constructor.prototype.sourceURL directly to Elastic or by using Kibana to submit the same queries. Note that Kibana needs to be restarted or wait for collection to happen for the payload to execute. This vulnerability doesn’t seem to be assigned a CVE. The module has been written based on a detailed description from Alex Brasetvik (alexbrasetvik) in a Hackerone report.

Torch chain attack

Our very own zeroSteiner added a module that exploits PyTorch model server by chaining multiple vulnerabilities. First, it takes advantage of a weak default configuration that binds the management interface to all IP addresses. Then, once it reaches the management interface, the module exploits a Server-Side Request Forgery vulnerability (CVE-2023-43654) to register MAR (Model Archive) model files from arbitrary servers. Finally, it leverages a vulnerability in SnakeYaml (CVE-2022-1471) that allows code execution when a YAML file is deserialized by SnakeYaml. The module embeds a malicious YAML file in a MAR file and gets an arbitrary Java class executed when this MAR file is loaded.

Updated MySQL version support

Thanks to the work of Rory McKinley, multiple MySQL modules now support authentication against newer MySQL 8.0 versions. This required a lot of effort unearthing and patching historical code across multiple contributions to the Metasploit codebase, and to the Ruby MySQL library dependency. MySQL module highlights include:

auxiliary/scanner/mysql/mysql_login – Bruteforce and manual verification of MySQL credentials
auxiliary/scanner/mysql/mysql_version – MySQL Server Version Enumeration
auxiliary/scanner/mysql/mysql_hashdump – MySQL password hashdump support
auxiliary/scanner/mysql/mysql_schemadump – Extracting MySQL schema details
auxiliary/admin/mysql/mysql_sql – Run arbitrary MySQL SQL queries against a given target

New module content (2)

Kibana Upgrade Assistant Telemetry Collector Prototype Pollution

Authors: Alex Brasetvik (alexbrasetvik) and h00die
Type: Exploit
Pull request: #18417 contributed by h00die
Path: linux/http/kibana_upgrade_assistant_telemetry_rce

Description: Kibana before version 7.6.3 suffers from a prototype pollution bug within the Upgrade Assistant. By setting a new constructor.prototype.sourceURL value we’re able to execute arbitrary code in the context of the Kibana user. There is no CVE for this at the moment.

PyTorch Model Server Registration and Deserialization RCE

Authors: Gal Elbaz, Guy Kaplan, Idan Levcovich, Spencer McIntyre, and Swapneil Kumar Dash
Type: Exploit
Pull request: #18427 contributed by zeroSteiner
Path: multi/http/torchserver_cve_2023_43654

Description: This PR adds a module that exploits PyTorch TorchServer by chaining an SSRF vulnerability with a deserialization RCE vulnerability to permit an unauthenticated remote attacker arbitrary Java code execution. The PR also fixes how the ClassLoader mixin handles datastore options.

Enhancements and features (6)

#18171 from dwelch-r7 – This fixes an issue when users use a payload when framework is started with the --defer-module-loads flag set. This also adds a new feature flag option defer_module_loads which, when enabled, will defer module loads by default without the need to specify--defer-module-loads every time the framework boots. Finally, this comes with a sizable improvement on frameworks boot up time.
#18256 from jmartin-tech – Performs a routine update of multiple library dependencies.
#18296 from rorymckinley – Updates multiple MySQL modules to support authenticating with newer versions of MySQL.
#18383 from cgranleese-r7 – This adds a variety of improvements to the enum_computers module including Shell and Powershell support as well as improvements when running on non-english systems.

Bugs fixed (2)

#18411 from rtpt-erikgeiser – Fixes an issue where the services -R command generated invalid hosts such as 192.0.2.2% if an empty string was registered for the scope metadata instead of nil.
#18431 from zeroSteiner – This switches the way in which port forwarded IPs are displayed so that the local IP is listed under local and the remote IP is listed under remote.

Documentation added (1)

#18394 from errorxyz – This adds documentation for the auxiliary/scanner/http/http_traversal module.
#18435 from h00die – Fixes multiple spelling mistakes in the Wiki.
#18444 from h00die – Fixes spelling mistakes in module documentation.

You can always find more documentation on our docsite at docs.metasploit.com.

Get it

As always, you can update to the latest Metasploit Framework with msfupdate
and you can get more details on the changes since the last blog post from
GitHub:

Metasploit Weekly Wrap up

2023-07-28 Christophe De La Fuente

Post Syndicated from Christophe De La Fuente original https://blog.rapid7.com/2023/07/28/metasploit-weekly-wrap-up-21/

Unauthenticated RCE in VMware Product

Metasploit Weekly Wrap up

This week, community contributor h00die added an exploit module that leverages a command injection vulnerability in VMWare Aria Operations for Networks, formerly known as vRealize Network Insight. Versions 6.2 to 6.10 are vulnerable (CVE-2023-20887). A remote attacker could abuse the Apache Thrift RPC interface by sending specially crafted data and get unauthenticated remote code execution on the underlying operating system as the root user. The module first bypasses the reverse proxy that protects the RPC interface and executes its payload with root privileges. This vulnerability has been rated as critical by VMware, with a CVSSv3 base score of 9.8.

Again, WordPress Plugin

Community contributor h00die-gr3y added an exploit module that targets the File Manager Advanced Shortcode WordPress plugin. This module leverages a flaw in the data validation mechanism when uploading a file and gets unauthenticated remote code execution. The plugin does not correctly prevent uploading files with disallowed MIME types. This vulnerability is identified as CVE-2023-2068 and affects version 2.3.2 and prior.

Kerberos Authentication and LDAP socks Proxies support

This release adds support for sending Kerberos and LDAP traffic through user configurable Socks4/Socks5 proxies. The proxies can be set with the Proxies datastore option. This functionality is supported by most modules, such as SMB/WinRM/etc. An example network environment would be:

[ Attacker Machine ] -> [ Socks Proxy (192.168.123.144) ] -> [ Target (10.20.0.137)]

For instance running the auxiliary/gather/ldap_query module with the inline option proxies=socks5:192.168.123.144:1080, or using the older set proxies socks5:192.168.123.144:1080 syntax, will send the network traffic through the user specified Socks proxy – requesting both the Kerberos tickets for authentication as well as the LDAP query itself:

msf6 auxiliary(gather/ldap_query) > rerun rhost=10.20.0.137 username=administrator password=p4$$w0rd5 ldap::auth=kerberos ldap::rhostname=dc3.adf3.local domaincontrollerrhost=10.20.0.137 domain=adf3.local proxies=socks5:192.168.123.144:1080
[*] Reloading module...
[*] Running module against 10.20.0.137

[+] 10.20.0.137:88 - Received a valid TGT-Response
[*] 10.20.0.137:389 - TGT MIT Credential Cache ticket saved to /home/kali/.msf4/loot/20230710120238_default_10.20.0.137_mit.kerberos.cca_426003.bin
[+] 10.20.0.137:88 - Received a valid TGS-Response
[*] 10.20.0.137:389 - TGS MIT Credential Cache ticket saved to /home/kali/.msf4/loot/20230710120238_default_10.20.0.137_mit.kerberos.cca_291783.bin
[+] 10.20.0.137:88 - Received a valid delegation TGS-Response
[*] Discovering base DN automatically
[+] 10.20.0.137:389 Discovered base DN: DC=adf3,DC=local
[+] 10.20.0.137:389 Discovered schema DN: DC=adf3,DC=local
CN=Administrator CN=Users DC=adf3 DC=local
==========================================

 Name                Attributes
 ----                ----------
 badpwdcount         0
 description         Built-in account for administering the computer/domain
 lastlogoff          1601-01-01 00:00:00 UTC
 lastlogon           2023-07-10 16:02:38 UTC
… omitted …

New module content (2)

VMWare Aria Operations for Networks (vRealize Network Insight) pre-authenticated RCE

Authors: Anonymous with Trend Micro Zero Day Initiative, Sina Kheirkhah, and h00die
Type: Exploit
Pull request: #18199 contributed by h00die
Path: exploits/linux/http/vmware_vrni_rce_cve_2023_20887
AttackerKB reference: CVE-2023-20887

Description: This adds an exploit module that leverages a pre-authenticated command injection vulnerability in VMWare Aria Operations for Networks (vRealize Network Insight). Versions from 6.2 to 6.10 are vulnerable and this has been identified as CVE-2023-20887. The module bypasses the reverse proxy that protects the access to the Apache Thrift RPC interface and executes arbitrary commands on the underlying operating system as the root user.

WordPress File Manager Advanced Shortcode 2.3.2 – Unauthenticated Remote Code Execution through shortcode

Authors: Mateus Machado Tesser and h00die-gr3y
Type: Exploit
Pull request: #18142 contributed by h00die-gr3y
Path: exploits/multi/http/wp_plugin_fma_shortcode_unauth_rce
AttackerKB reference: CVE-2023-2068

Description: This adds a WordPress exploit that makes use of the WordPress File Manager Advanced Shortcode 2.3.2 plugin, to gain unauthenticated Remote Code Execution through shortcode.

Enhancements and features (1)

#18096 from adfoster-r7 – Updates the LDAP query module and the Kerberos authentication support for WinRM/MSSQL/SMB/LDAP/etc to work in conjunction with the user’s set Proxies datastore value, i.e. set Proxies socks5:127.0.0.1:1080.

Bugs fixed (3)

#18187 from cgranleese-r7 – Fixes a crash when running Ruby 3.3.0-preview1 with modules that used invalid syntax when packing or unpacking binary data.
#18213 from adfoster-r7 – This fixes a bug in the evasion/windows/syscall_inject module that was caused by an uninitialized variable.
#18225 from adfoster-r7 – This fixes multiple missing/invalid references in modules.

Documentation

You can find the latest Metasploit documentation on our docsite at docs.metasploit.com.

Get it

As always, you can update to the latest Metasploit Framework with msfupdate
and you can get more details on the changes since the last blog post from
GitHub:

Metasploit Wrap-Up

2022-10-14 Christophe De La Fuente

Post Syndicated from Christophe De La Fuente original https://blog.rapid7.com/2022/10/14/metasploit-wrap-up-155/

Spring Cloud Gateway RCE

Metasploit Wrap-Up

This week, a new module that exploits a code injection vulnerability in Spring Cloud Gateway (CVE-2022-22947) has been added by @Ayantaker. Versions 3.1.0 and 3.0.0 to 3.0.6 are vulnerable if the Gateway Actuator endpoint is enabled, exposed and unsecured. The module sends a specially crafted SpEL expression to this endpoint and gets command execution as the user running Spring Cloud Gateway. A first request is sent to create a route with a filter including the SpEL expression which will be parsed with a StandardEvaluationContext. A second request is sent to reload the route and trigger code execution.

pfSense pfBlockNG plugin unauthenticated RCE

Our very own @jheysel-r7 added a module that exploits an OS command injection vulnerability in pfSense’s pfBlockerNG plugin versions 2.1.4_26 and below and identified as CVE-2022-31814. The module sends an HTTP request with a payload in the Host: header, which will be executed by the PHP’s exec() function. This leads to unauthenticated remote command execution as root. Note that this pfSense module is not installed by default but is commonly used to block inbound connections from countries or IP ranges.

New module content (2)

Spring Cloud Gateway Remote Code Execution by Ayan Saha, which exploits CVE-2022-22947 – A new module has been added in for CVE-2022-22947, an unauthenticated RCE in Spring Cloud Gateway versions 3.1.0 and 3.0.0 to 3.0.6 when the Gateway Actuator endpoint is enabled, exposed and unsecured. Successful exploitation results in arbitrary code execution as the user running Spring Cloud Gateway.
pfSense plugin pfBlockerNG unauthenticated RCE as root by IHTeam and jheysel-r7, which exploits CVE-2022-31814 – A module has been added for CVE-2022-31814, an unauthenticated RCE in the pfSense plugin within pfBlockerNG that allows remote unauthenticated attackers to execute execute arbitrary OS commands as root via shell metacharacters in the HTTP Host header. Versions <= 2.1.4_26 are vulnerable. Note that version 3.X is unaffected.

Enhancements and features (2)

#17123 from h00die – The netrc and fetchmail modules have been updated to include documentation on how to use the modules.
#17092 from bcoles – This PR updates the netlm_downgrade module, providing documentation, extending it to support more session types, and fixing some bugs that were present which caused false-positive warnings to appear.

Bugs fixed (3)

#16987 from jmartin-r7 – Improves scanner/smb/smb_login to gracefully handle additional error conditions when connecting to target services.
#17075 from cdelafuente-r7 – The Windows secrets dump module was failing early for non-administrative users. This fixes the issue so the module now throws warnings where it was previously failing early. Now the module can complete the DOMAIN action whereas before it was failing prior to reaching this point.

Get it

As always, you can update to the latest Metasploit Framework with msfupdate and you can get more details on the changes since the last blog post from GitHub:

If you are a git user, you can clone the Metasploit Framework repo (master branch) for the latest. To install fresh without using git, you can use the open-source-only Nightly Installers or the binary installers (which also include the commercial edition).

Metasploit Weekly Wrap-Up

2022-07-22 Christophe De La Fuente

Post Syndicated from Christophe De La Fuente original https://blog.rapid7.com/2022/07/22/metasploit-weekly-wrap-up-167/

The past, present and future of Metasploit

Metasploit Weekly Wrap-Up

Don’t miss Spencer McIntyre’s talk on the Help Net Security’s blog. Spencer is the Lead Security Researcher at Rapid7 and speaks about how Metasploit has evolved since its creation back in 2003. He also explains how the Framework is addressing today’s offensive security challenges and how important is the partnership with the community.

LDAP swiss army knife

This week, our very own @gwillcox-r7 added an auxiliary module that will likely help you to dump useful information from LDAP servers. This module allows you to remotely retrieve data using either your own custom query or a set of LDAP queries under a specific category. In addition to the available predefined queries, the user can also provide a JSON or YAML file containing custom queries to be executed.

Here are the available predefined queries:

msf6 auxiliary(gather/ldap_query) > show actions

Auxiliary actions:

   Name                      Description
   ----                      -----------
   ENUM_ACCOUNTS             Dump info about all known user accounts in the domain.
   ENUM_ALL_OBJECT_CATEGORY  Dump all objects containing any objectCategory field.
   ENUM_ALL_OBJECT_CLASS     Dump all objects containing any objectClass field.
   ENUM_COMPUTERS            Dump all objects containing an objectCategory of Computer.
   ENUM_DOMAIN_CONTROLLERS   Dump all known domain controllers.
   ENUM_EXCHANGE_RECIPIENTS  Dump info about all known Exchange recipients.
   ENUM_EXCHANGE_SERVERS     Dump info about all known Exchange servers.
   ENUM_GROUPS               Dump info about all known groups in the LDAP environment.
   ENUM_ORGROLES             Dump info about all known organizational roles in the LDAP environment.
   ENUM_ORGUNITS             Dump info about all known organization units in the LDAP environment.
   RUN_QUERY_FILE            Execute a custom set of LDAP queries from the JSON or YAML file specified by QUERY_FILE.
   RUN_SINGLE_QUERY          Execute a single LDAP query using the QUERY_FILTER and QUERY_ATTRIBUTES options.

Here is how you can dump information about users in a Windows domain:

msf6 auxiliary(gather/ldap_query) > set action ENUM_ACCOUNTS
action => ENUM_ACCOUNTS
msf6 auxiliary(gather/ldap_query) > run RHOSTS=10.0.0.33 BIND_DN=MYDOMAIN\\Administrator BIND_PW=123456
[*] Running module against 10.0.0.33

[+] Successfully bound to the LDAP server!
[*] Discovering base DN automatically
[+] 10.0.0.33:389 Discovered base DN: DC=mydomain,DC=local
[*] CN=DC02 OU=Domain Controllers DC=mydomain DC=local
===============================================

 Name                Attributes
 ----                ----------
 displayname         DC02$
 name                DC02
 samaccountname      DC02$
 useraccountcontrol  532480

[*] CN=Administrator CN=Users DC=mylab DC=local
===========================================

 Name                Attributes
 ----                ----------
 name                Administrator
 samaccountname      Administrator
 useraccountcontrol  512

 ...[SNIP]...

Win2k summer clean up

For those nostalgic about old Windows systems, bcoles did a great cleanup of old modules targeting Win2k. He breathed life back into modules such as ms01_023_printer, ms02_065_msadc and ms03_007_ntdll_webdav by fixing many issues and adding offsets to support many more Win2k flavors.

New module content (1)

LDAP Query and Enumeration Module by Grant Willcox – This adds a generic module to perform LDAP queries. Users can execute custom queries either through configuration files on disk, or through a combination of datastore options. The module also includes multiple builtin queries for common operations.

Enhancements and features (7)

#16737 from adfoster-r7 – This removes the code duplication in the MSSQL client mixins and refactors the code into a single main mixin.
#16754 from bcoles – Adds additional offsets for various Windows 2000 Professional targets in the ms02_065_msadc module. Also adds documentation and notes.
#16761 from bcoles – Adds additional offsets for various Windows 2000 targets, replaces raw socket TCP with HttpClient, fixes default payload, adds docs and notes.
#16776 from bcoles – Adds a ftp-http command stager for FTP clients which support http(s) URLs via set cmdstager::flavor ftp_http.
#16778 from bcoles – The checkvm script at ./scripts/meterpreter/checkvm.rb has been removed and post/windows/gather/checkvm.rb now replaces it. Additionally, the post/windows/gather/checkvm.rb script has been updated to include missing features from ./scripts/meterpreter/checkvm.rb to ensure backwards compatibility.
#16789 from adfoster-r7 – This adds OpenSSL version information to the report generated by the debug command.
#16792 from adfoster-r7 – This improves support for various OpenSSL 3 related errors during console start.

Bugs fixed (2)

#16743 from adfoster-r7 – Fixes a crash when using the scanner/mssql/mssql_login module with the tdsencryption and USE_WINDOWS_AUTHENT options set to true.
#16753 from bcoles – This PR fixes several bugs present in the module, including shifting from Meterpreter to shell payloads, better checking, and added targets anddocumentation.

Get it

As always, you can update to the latest Metasploit Framework with msfupdate
and you can get more details on the changes since the last blog post from
GitHub:

Metasploit Weekly Wrap-Up

2022-05-20 Christophe De La Fuente

Post Syndicated from Christophe De La Fuente original https://blog.rapid7.com/2022/05/20/metasploit-weekly-wrap-up-157/

Zyxel firewall unauthenticated command injection

Metasploit Weekly Wrap-Up

This week, our very own Jake Baines added an exploit module that leverages CVE-2022-30525, an unauthenticated remote command injection vulnerability in Zyxel firewalls with zero touch provisioning (ZTP) support. Jake is also the author of the original research and advisory that was published last week. This module allows an attacker to achieve arbitrary code execution as the nobody user on affected devices. It takes advantage of an unsanitized user input that feeds the python os.system method behind the scenes. Well done Jake!

SAML credentials generator for vCenter Server

Community contributor npm-cesium137-io added an auxiliary module that forges valid SAML credentials for vCenter server. These credentials are very useful since they can be used to gain access to the SSO domain as a vSphere administrator. Note that this module cannot run offline and must be executed while the target vCenter is reachable over the network to properly acquire the administrator session token. Also, the vCenter SSO Identity Provider (IdP) trusted certificate chain needs to be provided. This can be extracted manually from the vmdir database file at /storage/db/vmware-vmdir/data.mdb using binwalk or using this post module, which is still in review at the time of writing.

GSOC 2022

The Metasploit project was accepted again for the Google Summer of Code program. This year the team welcomes back pingport80 as a returning contributor and 3V3RYONE. These students will be working on Post API improvements and expanded HTTP-Trace support respectively. We look forward to mentoring and working with them in the coming months, so stay tuned for further updates as they get started!

New module content (3)

VMware vCenter Forge SAML Authentication Credentials by npm – This module forges valid SAML credentials for vCenter server using the vCenter SSO IdP certificate, IdP private key, and VMCA root certificate as input objects.
Zyxel Firewall ZTP Unauthenticated Command Injection by jbaines-r7, which exploits CVE-2022-30525 – A new module has been added to exploit CVE-2022-30525, an unauthenticated remote command injection vulnerability affecting Zyxel firewalls with zero touch provisioning (ZTP) support. Successful exploitation results in remote code execution as the nobody user.
Bookmarked Sites Retriever by jerrelgordon – This adds a module to retrieve the bookmarks from Internet Explorer, Opera, Google Chrome, and Edge.

Enhancements and features (3)

#16430 from adfoster-r7 – This adds support for logging AS-REP Roastable accounts, as well as storing the generated Kerberos token within the creds database. Additionally improves error handling.
#16442 from sjanusz-r7 – This adds a new vars_form_data field to the Rex HTTP Client for uploading files/form values to a remote HTTP server with ease:

vars_form_data = [
  { 'name' => 'nsp', 'data' => @csrf_token },
  { 'name' => 'upload', 'data' => 1 },
  { 'name' => 'MAX_FILE_SIZE', 'data' => 1000000 },
  { 'name' => 'uploadedfile', 'data' => payload_zip, 'mime_type' => 'application/zip', 'encoding' => 'binary', 'filename' => zip_filename }
]

res = send_request_cgi(
  'method' => 'POST',
  'uri' => uri,
  'vars_form_data' => vars_form_data
)

#16555 from zeroSteiner – This moves a duplicated retry_until_truthy function into a centralized location for better reuse. This function is useful for retrying operations that may fail the first time, such as checking if Kubernetes containers are ready yet etc.

Bugs fixed (6)

#16487 from red0xff – This fixes a deprecation warning in the auxiliary/capture/server/mssql warning as well as outputting a valid John The Ripper format for offline password cracking
#16499 from adfoster-r7 – This fixes an issue where SSL connections made by Metasploit would fail when the Server Name Indicator (SNI) extension was in use.
#16505 from AdrianVollmer – This fixes an issue in the auxiliary/scanner/lotus/lotus_domino_hashes #dump_hashes parsing logic.
#16570 from ssst0n3 – This fixes a bug in the generation of aarch64 stagers so that when the stage is received and written to memory, the stage can execute in a lower-privileged process.
#16572 from zeroSteiner – A bug has been fixed whereby a PayloadSpaceViolation exception might be raised when the --smallest flag was used with msfvenom, due to msfvenom setting the space available to 0 instead of a positive number. The code should now appropriately account for this case.
#16588 from zeroSteiner – This adds a check to the two new Powershell adapter payload modules. The size check intends to ensure that payloads that are too large (like unstaged Meterpreters) are marked as incompatible.

Get it

As always, you can update to the latest Metasploit Framework with msfupdate
and you can get more details on the changes since the last blog post from
GitHub:

Metasploit Wrap-Up

2022-02-11 Christophe De La Fuente

Post Syndicated from Christophe De La Fuente original https://blog.rapid7.com/2022/02/11/metasploit-wrap-up-148/

Welcome, Little Hippo: PetitPotam

Metasploit Wrap-Up

Our very own @zeroSteiner ported the PetitPotam exploit to Metasploit this week. This module leverages CVE-2021-36942, a vulnerability in the Windows Encrypting File System (EFS) API, to capture machine NTLM hashes. This uses the EfsRpcOpenFileRaw function of the Microsoft’s Encrypting File System Remote Protocol API (MS-EFSRPC) to coerce machine authentication to a user-controlled listener host. Metasploit’s SMB capture server module can be used for this. The captured hashes are typically used as part of a NTLM relaying attack to take over other Windows hosts. Note that Microsoft has published some guidance about how to mitigate NTLM relay attacks.

QEMU Human Monitor Interface RCE

Contributor @bcoles added an exploit module that abuse QEMU’s Monitor Human Monitor Interface (HMP) TCP server to execute arbitrary commands by using the migrate HMP command. Furthermore, since the HMP TCP service is reachable from emulated devices, it is possible to escape QEMU from a guest system using this module. Note that it doesn’t work on Windows hosts since the migrate command cannot spawn processes on this platform.

New module content (2)

PetitPotam by GILLES Lionel and Spencer McIntyre, which exploits CVE-2021-36942 – This adds a new auxiliary scanner module that ports the PetitPotam tool to Metasploit andleverages CVE-2021-36942 to coerce Windows hosts to authenticate to a user-specific host, which enables an attacker to capture NTLM credentials for further actions, such as relay attacks.
QEMU Monitor HMP ‘migrate’ Command Execution by bcoles – This adds a module that can exploit the QEMU HMP service to execute OS commands. The HMP TCP service is reachable from emulated devices, so it is possible to escape QEMU by exploiting this vulnerability.

Enhancements and features

#16010 from lap1nou – This updates the zabbix_script_exec module with support for Zabbix version 5.0 and later. It also adds a new item-based execution technique and support for delivering Linux native payloads.
#16163 from zeroSteiner – Support has been added for the ClaimsPrincipal .NET deserialization gadget chain, which was found by jang. An exploit which utilizes this enhancement will arrive shortly.
#16125 from bcoles – This module can exploit GXV3140 models now that an ARCH_CMD target has been added.

Bugs fixed

#16121 from timwr – This fixes an exception caused by exploits that call rhost() in Msf::Post::Common without a valid session.
#16142 from timwr – This fixes an issue with Meterpreter’s getenv command that was not returning NULL when querying for a non-existing environment variable.
#16143 from sjanusz-r7 – This fixes an issue where a Cygwin SSH session was not correctly identified being a Windows device, due to a case sensitivity issue
#16147 from zeroSteiner – This fixes a bug where ssh_enumusers would only use one source in the generation of its user word list if both USERNAME and USER_FILE options were set. The module now pulls from all possible datastore options if they are set, including a new option DB_ALL_USERS.
#16160 from zeroSteiner – This fixes a crash when msfconsole is unable to correctly determine the hostname and current user within a shell prompt.

Get it

As always, you can update to the latest Metasploit Framework with msfupdate
and you can get more details on the changes since the last blog post from
GitHub:

Metasploit Wrap-Up

2021-11-26 Christophe De La Fuente

Post Syndicated from Christophe De La Fuente original https://blog.rapid7.com/2021/11/26/metasploit-wrap-up-140/

Self-Service Remote Code Execution

Metasploit Wrap-Up

This week, our own @wvu-r7 added an exploit module that achieves unauthenticated remote code execution in ManageEngine ADSelfService Plus, a self-service password management and single sign-on solution for Active Directory. This new module leverages a REST API authentication bypass vulnerability identified as CVE-2021-40539, where an error in the REST API URL normalization routine makes it possible to bypass security filters and upload arbitrary files on the target. wvu’s new module simply uploads a Java payload to the target and executes it, granting code execution as SYSTEM if ManageEngine ADSelfService Plus was started as a service.

Storm Alert

Warning, this is not a drill! A critical unauthenticated command injection vulnerability is approaching the Nimbus service component of Apache Storm and has been given the name CVE-2021-38294. A new exploit module authored by our very own zeroSteiner has landed and will exploit this vulnerability to get you OS command execution as the user that started the Nimbus service. Please, evacuate the area immediately!

Metasploit Community CTF 2021

We’re happy to announce this year’s CTF will start on Friday, December 3, 2021! Similar to last year, the game has been designed to be accessible to beginners who want to learn and connect with the community. Keep in mind that while a team can have unlimited members, only 1,000 team spots are available, and once they’re gone you will have to join someone else’s team. You can find the full details in our blog post.

New module content (2)

Apache Storm Nimbus getTopologyHistory Unauthenticated Command Execution by Alvaro Muñoz and Spencer McIntyre, which exploits CVE-2021-38294 – This adds an exploit for CVE-2021-38294 which is an unauthenticated remote command execution vulnerability within the getTopologyHistory() RPC method that is provided by the Nimbus service which is a component of the Apache Storm project. In order to be exploitable, at least one topology must have been submitted to the Storm cluster. It may be active or inactive but one must be present.
ManageEngine ADSelfService Plus CVE-2021-40539 by wvu, Antoine Cervoise, Wilfried Bécard, and mr_me, which exploits CVE-2021-40539 – This adds an exploit for CVE-2021-40539 which is an unauthenticated RCE within the ManageEngine ADSelfService application.

Enhancements and features

#15887 from smashery – The path expansion code has been expanded to support path-based tab completion. Users should now tab-complete things such as cat ~/some_filenam<tab>.
#15889 from dwelch-r7 – An update has been made to library code so that terminal resize events are only sent if the Meterpreter client supports it. Additionally, extra feedback is now provided to users on whether or not terminal resizing is handled automatically or if they should adjust it manually.
#15898 from jmartin-r7 – Ruby 3.x removes support for URI.encode and URI.escape. This PR replaces uses of these functions in modules with calls to URI::DEFAULT_PARSER.escape so that Ruby 3 can run these modules instead of raising errors about missing functions.
#15899 from dwelch-r7 – This improves the user experience when shell is invoked from a Meterpreter session. Now, when the fully_interactive_shells feature is enabled, a message is displayed to inform the operator that a fully interactive TTY is supported. Note that you can start it by invoking shell -it.

Bugs fixed

#15864 from timwr – A bug has been fixed whereby the sessions -u command would not return a x64 Meterpreter session on a x64 Windows host, and would instead return a x86 session. This issue has now been addressed so that sessions -u will determine the architecture of the target host prior to upgrading and will generate a new Meterpreter session of the appropriate architecture.

Get it

As always, you can update to the latest Metasploit Framework with msfupdate
and you can get more details on the changes since the last blog post from
GitHub:

Metasploit Wrap-Up

2021-09-03 Christophe De La Fuente

Post Syndicated from Christophe De La Fuente original https://blog.rapid7.com/2021/09/03/metasploit-wrap-up-128/

Capture Credentials with our new SMB Server

Metasploit Wrap-Up

Our own Adam Galway revamped the old SMB capture module and now supports NTLMv1 and NTLMv2, as well as SMB1, SMB2 and SMB3. This was possible thanks to @zeroSteiner‘s new RubySMB server implementation. Metasploit is now able to capture NTLM hashes from any recent Windows releases using the SMB2 and SMB3 dialects, even with encrypted SMB traffic.

Revenge of the Clones

Earlier this year, an outstanding vulnerability in Git clients was disclosed and identified as CVE-2021-21300. It allows an attacker to execute scripts on the victim’s system when cloning a specially crafted repository onto a case-insensitive file system such as NTFS, HFS+ or APFS. Our own Shelby Pace just added a new exploit module that leverages this flaw to achieve remote code execution. First, the module creates a fake Git repository and waits for the victim to clone it. This process will deliver a post-checkout script with the payload that will be automatically executed upon checkout of the repository.

Note that for this exploit to work, the victim’s Git client must support delay-capable clean / smudge filters and symbolic links. The former is enabled by default on Windows through Git-lfs.

Don’t clone repositories you don’t trust!

Exploiting eBPF on Linux

A new local exploit module that leverages a bug in the Linux eBPF feature was added by Grant Willcox this week. This vulnerability is identified as CVE-2021-3490 and allows a local attacker to achieve code execution as the root user by conducting an out-of-bounds read and write in the Linux kernel. This is possible due to a flaw in eBPF verifier‘s verification of ALU32 operations. This module is based on @chompie1337‘s PoC code and should work on any vulnerable kernel versions (from 5.7-rc1 prior to 5.13-rc4, 5.12.4, 5.11.21, and
5.10.37). Note that, at the moment, it has only been tested on Ubuntu 20.04 (Focal Fossa) 5.8.x kernels prior to 5.8.0-53.60, Ubuntu 20.10 (Groovy Gorilla) 5.8.x kernels prior to 5.8.0-53.60, Ubuntu 21.04 (Hirsute Hippo) 5.11.x kernels prior to 5.11.0-17.18 and Fedora kernel versions 5.x from 5.7.x up to but not including 5.11.20-300. However, the module documentation includes some instructions for porting the exploit over onto other systems.

New module content (4)

Geutebruck Multiple Remote Command Execution by Ibrahim Ayadhi, Sébastien Charbonnier, and Titouan Lazard, which exploits CVE-2021-33554 – A new module has been added which bypasses authentication and exploits CVE-2021-33544, CVE-2021-33548, and CVE-2021-33550-33554 on Geutebruck G-Cam EEC-2xxx and G-Code EBC-21xx, EFD-22xx, ETHC-22xx, and EWPC-22xx devices running firmware versions <= 1.12.0.27 as well as firmware versions 1.12.13.2 and 1.12.14.5. Successful exploitation results in remote code execution as the root user.
Linux eBPF ALU32 32-bit Invalid Bounds Tracking LPE by Grant Willcox, Manfred Paul, and chompie1337, which exploits ZDI-21-606 – This adds a module that uses @chompie1337’s CVE-2021-3490 PoC code to elevate privileges to root on affected Linux systems. It’s been tested to work on clean installs of Ubuntu 21.04, Ubuntu 20.10, Ubuntu 20.04.02, as well as Fedora running affected versions of the 5.7, 5.8, 5.9, 5.10 and 5.11 kernels.
Git LFS Clone Command Exec by Johannes Schindelin, Matheus Tavares, and Shelby Pace, which exploits CVE-2021-21300 – An exploit module has been added for CVE-2021-21300, a RCE vulnerability in affected Git clients that support delay-capable clean / smudge filters and symbolic links on case-insensitive file systems. Additionally, a set of mixins that aid in exploiting Git clients over the Smart HTTP protocol have been added into Metasploit and the code for older Git-related exploits has been updated to utilize some of this new code.
Overhaul SMB auth capture server from agalway-r7 – This updates the SMB capture server to be compatible with clients using the SMB 2 and SMB 3 dialects. SMB 1 has not been enabled in Windows 10 since v1709 was released in 2017. This allows the module to be compatible with recent releases.

Enhancements and features

#15253 from adfoster-r7 – Updates Metasploit to support URI arguments to set module datastore values. The currently supported protocols are http, smb, mysql, postgres, and ssh.
#15537 from adfoster-r7 – Adds support for Ruby 3
#15582 from bcoles – The code for Msf::Post::Linux::Kernel.unprivileged_bpf_disabled? has been updated to support new values supported by kernel.unprivileged_bpf_disabled which were introduced in Linux kernels since 5.13 and 5.14-rc+HEAD, particularly the value 2 which means Unprivileged calls to bpf() are disabled, whereas the value 1 is now used to indicate Unprivileged calls to bpf() are disabled without recovery
#15606 from adfoster-r7 – Improves Python Meterpreter to gracefully handle unsupported command ids, and cleaning up process objects correctly. Additionally enhances mingw build support for Windows Meterpreter, and now correctly interprets a transport session time of 0 as never expiring.
#15621 from jmartin-r7 – Updates the Metasploit docker container to additionally include Go as a dependency.
#15623 from zeroSteiner – The creds command has been updated to support several new features: supporting formatting NetNTLMv1 and NetNTLMv2 hash for both the JtR and Hashcat formatters, filtering hashes based on the realm, not truncating hashes when writing them to a CSV file, filtering based on the JtR format type name, support for applying the same filtering to output files that can be applied when generating the creds table, and support for ensuring output consistency when writing output to a file.

Bugs fixed

#15375 from HynekPetrak – This PR fixes a bug whereby Metasploit would sometimes crash when remote LDAP servers returned a null character in the base_dn string, and also enhances modules/auxiliary/gather/ldap_hashdump.rb to handle sha256 hashes and skip hashes in cases of LK (locked account) and NP (no password) credentials.
#15572 from adfoster-r7 – This PR implements a fix to correctly handle quoted console options and whitespace
#15573 from dwelch-r7 – The simplify_module function has been updated so that by default it will not load LHOST/RHOST from the config file and instead use the values set in the options.
#15590 from sjanusz-r7 – A bug has been fixed that prevented external modules from properly handling the encoding of UTF-8 characters.
#15596 from tomadimitrie – A bug has been fixed in docker_credential_wincred whereby the regex would sometimes match on IP addresses and other invalid entries instead of the expected Docker version string. This has now been fixed by tightening the regex to make it more specific and restrictive.
#15628 from timwr – Ensures the session table is refreshed whenever the sysinfo command is run, and whenever stdapi is loaded manually. This should also fix a minor bug where if you run an exploit on an existing session, the session information never gets updated (e.g the username from User -> SYSTEM). Now it’s refreshed when you run meterpreter > sysinfo.
#15629 from jmartin-r7 – Fixes a regression issue where msfconsole crashed on startup when running on a Windows environments

Get it

As always, you can update to the latest Metasploit Framework with msfupdate and you can get more details on the changes since the last blog post from GitHub:

If you are a git user, you can clone the Metasploit Framework repo (master branch) for the latest. To install fresh without using git, you can use the open-source-only Nightly Installers or the binary installers (which also include the commercial edition).

Metasploit Wrap-Up

2021-07-30 Christophe De La Fuente

Post Syndicated from Christophe De La Fuente original https://blog.rapid7.com/2021/07/30/metasploit-wrap-up-123/

New Olympic Discipline: Hive Hunting

Metasploit Wrap-Up

This week, community contributor Hakyac added a new Olympic discipline to Metasploit exploit sport category, which is based on the work of community security researchers @jonasLyk and Kevin Beaumont). The rules are simple: You need to abuse a flaw in Windows 10 and 11 configuration to pass through the defense and access Security Account Manager (SAM) files. Any local unprivileged player is able to read this sensitive security information, such as hashes of user/admin passwords. The best strategy to win a gold medal is to start abusing Windows Volume Shadow Copy Service (VSS) to access these files and copy them locally. Finally, you just need to dump the NTLM hashes, use them in a pass-the-hash attack and score with a remote code execution.

Note that Microsoft issued an out-of-band advisory and tracked this vulnerability as CVE-2021-36934. You can find more information about the rules in this blog post. Happy Hive hunting!

Gold Medal for NetGear R7000 in Swimming 100m Heap Overflow

Our own Grant Willcox added a new exploit module that won the Swimming 100m Heap Overflow discipline. It took advantage of a flaw in genie.cgi?backup.cgi page of Netgear R7000 routers to enable a telnet server and easily got code execution as the root user. Note that, whereas firmware versions 1.0.11.116 and prior are vulnerable, this module can only be used with versions 1.0.11.116 at the moment. The check method can still be used to detect if older devices are vulnerable. This module is based on research done by @colorlight2019. A new gold medal for the Metasploit team, great job!

New module content (5)

Netgear R7000 backup.cgi Heap Overflow RCE by Grant Willcox, SSD Disclosure, and colorlight2019, which exploits CVE-2021-31802 – This adds an module that will leverage CVE-2021-31802 which is an unauthenticated RCE in Netgear R7000 routers. The vulnerability is leveraged to execute a shellcode stub that will enable telnet which can then be accessed for root privileges on the affected device.
Pi-Hole Remove Commands Linux Priv Esc by Emanuele Barbeno and h00die, which exploits CVE-2021-29449 – This adds a local privilege escalation module that targets Pi-Hole versions >= 3.0 and <= 5.2.4. In vulnerable versions of the software, a user with sudo privileges can escalate to root by passing shell commands to either the removecustomcname, removecustomdns, or removestaticdhcp function. The functions have minimal sanitization, and they pass the input to the sed command. By default, the www-data user is permitted to run sudo without supplying a password as configured in the sudoers.d/pihole file.
WordPress Plugin Modern Events Calendar – Authenticated Remote Code Execution by Nguyen Van Khanh, Ron Jost, and Yann Castel, which exploits CVE-2021-24145 – This adds a module that exploits an authenticated file upload vulnerability in the WordPress plugin known as Modern Events Calendar. For versions before 5.16.5, an administrative user can upload a php payload via the calendar import feature by setting the content type of the file to text/csv. Code execution with the privileges of the user running the server is achieved by sending a request for the uploaded file.
WordPress Plugin SP Project and Document – Authenticated Remote Code Execution by Ron Jost and Yann Castel, which exploits CVE-2021-24347 – This adds a module that exploits an authenticated file upload vulnerability in the WordPress plugin, SP Project and Document Manager. For versions below 4.22, an authenticated user can upload arbitrary PHP code because the security check only blocks the upload of files with a .php extension, meaning that uploading a file with a .pHp extension is allowed. Once uploaded, requesting the file will result in code execution as the www-data user.
Windows SAM secrets leak – HiveNightmare by Kevin Beaumont, Yann Castel, and romarroca, which exploits CVE-2021-36934 – This adds a new exploit module that exploits a configuration issue in Windows 10 (from version 1809) and 11, identified as CVE-2021-36934. Due to permission issues, any local user is able to read SAM and SYSTEM hives. This module abuses Windows Volume Shadow Copy Service (VSS) to access these files and save them locally.

Enhancements and features

#15444 from pingport80 – This adds additional support for Powershell sessions to some methods in the File mixin leveraged by post modules.
#15465 from sjanusz-r7 – Updates the local exploit suggester to gracefully handle modules raising unintended exceptions and nil target information

Bugs fixed

#15359 from stephenbradshaw – Fixes a bug in the ssh_login_pubkey which would crash out when not connected to the db
#15460 from pingport80 – This fixes a localization-related issue in the File libraries copy_file method caused by it searching for a word in the output to determine success.

Get it

As always, you can update to the latest Metasploit Framework with msfupdate and you can get more details on the changes since the last blog post from GitHub:

If you are a git user, you can clone the Metasploit Framework repo (master branch) for the latest. To install fresh without using git, you can use the open-source-only Nightly Installers or the binary installers (which also include the commercial edition).

Metasploit Wrap-Up

2021-02-05 Christophe De La Fuente

Post Syndicated from Christophe De La Fuente original https://blog.rapid7.com/2021/02/05/metasploit-wrap-up-97/

Baron Samedit is coming to get you

Metasploit Wrap-Up

Last week, a critical bug in sudo came out and could potentially affect most of the Linux-based operating systems, since this tool is usually installed by default. This vulnerability is identified as CVE-2021-3156, but better known as "Baron Samedit", and is sitting there in the code since July 2011, ready to guide you to the underworld. It affects legacy versions from 1.8.2 to 1.8.31p2 and stable versions from 1.9.0 to 1.9.5p1. If you have not done it already, patch now!

This week, our own Spencer McIntyre added a new module that leverages this vulnerability to gain root privileges from any local user without using a password. This exploit is based on the blasty PoC. It requires specific offsets to succeed, and currently has targets for Ubuntu 20.04 and 18.0[1-4]. We would like to extend that target list, and help from our awesome community would be greatly appreciated!

OneDrive to rule them all

Contributor @stufus added a very useful module that enumerates the Microsoft 365 Sharepoint/OneDrive endpoints on a target Windows system. This allows access to information related to sites that are being synchronised by the OneDrive application. This module will be very useful to get sensitive and extra information during a pentest engagement.

New Modules (3)

Abandoned Cart for WooCommerce SQLi Scanner by WPDeeply and h00die: This adds an auxiliary module that retrieves WordPress user names and password hashes by leveraging an unauthenticated SQL injection vulnerability within the WooCommerce Abandoned Cart plugin for versions below 5.8.2.
Sudo Heap-Based Buffer Overflow by Alexander Krog, Qualys, Spencer McIntyre, blasty, and bwatters-r7, which exploits CVE-2021-3156: This adds an initial exploit for CVE-2021-3156 which is a heap-based buffer overflow in the sudo utility which came out recently.
OneDrive Sync Provider Enumeration Module by Stuart Morgan: A new module, post/windows/gather/enum_onedrive.rb, has been added which allows users to enumerate information relating to all of the sites (including teamsites) which OneDrive is configured to synchronize for a target host.

Enhancements and features

#14713 from yogeshwarram adds documentation for the auxiliary/scanner/redis/redis_login module.

Bugs Fixed

#14680 from digininja prevents exploit/windows/winrm/winrm_script_exec printing nil when no command output is returned.
#14684 from adfoster-r7 adds formatted logging to external python modules.
#14690 from timwr updates the Mettle payloads gem to 1.0.6, which includes a fix for a segmentation fault leading to the Meterpreter session crashing.
#14693 from dwelch-r7 fixes a regression error introduced in Metasploit 6.0.27 which caused the vhost header to not be correctly set for http modules
#14719 from acammack-r7 pivoted connections are now much less likely to close early when there is still data pending to be read or written

Get it

As always, you can update to the latest Metasploit Framework with msfupdate
and you can get more details on the changes since the last blog post from
GitHub: