Post Syndicated from Grant Willcox original https://blog.rapid7.com/2023/06/07/metasploit-weekly-wrap-up-13/
Cloud Fun With EC2
New ground was broken today with the addition of two PRs from community contributor sempervictus, also known as RageLtMan, who added the ability for Metasploit to establish sessions to EC2 instances using Amazon’s SSM interface, which provides a public API to execute commands or create real-time interactive websocket command shells. This can result in passwordless elevation of privilege in most if not all cases.
This module is also very helpful as it provides pentesters with the tools required to show the impact of having SSM exposed and can help reinforce the importance of data governance, locality, isolation, and auditing. It can also show how user-based access control systems may be bypassed by the privileges users within IAM have using the SSM interface as an elevation of privilege pivot. Finally, it can also be used to demonstrate how attackers can exfiltrate data from systems which do not have network access outside of the cloud environment.
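A defender-side companion to the SSM sessions described above, added here and not part of the original post or the Metasploit modules: it scans CloudTrail records for the SSM calls that execute commands or open shells on instances (StartSession, SendCommand) and reports callers outside an allow-list of automation roles, which is the audit trail an organisation would use to spot the elevation-of-privilege pivot the post describes. The records are constructed samples, and the requestParameters field names (target, instanceIds, documentName) are assumed to mirror the SSM API parameter names.

```python
"""Flag SSM remote-execution activity in CloudTrail records (added example)."""
import json

# SSM calls through which commands are executed or shells are opened on instances.
SSM_EXEC_EVENTS = {"StartSession", "SendCommand"}

# Constructed sample CloudTrail records. The requestParameters layout is assumed
# to follow the SSM API parameter names (target, instanceIds, documentName).
SAMPLE_RECORDS = [
    {"eventSource": "ssm.amazonaws.com", "eventName": "StartSession",
     "userIdentity": {"arn": "arn:aws:iam::111122223333:user/dev-analyst"},
     "sourceIPAddress": "203.0.113.10",
     "requestParameters": {"target": "i-0abc123def456"}},
    {"eventSource": "ssm.amazonaws.com", "eventName": "SendCommand",
     "userIdentity": {"arn": "arn:aws:sts::111122223333:assumed-role/PatchRole/sess"},
     "sourceIPAddress": "ssm.amazonaws.com",
     "requestParameters": {"documentName": "AWS-RunPatchBaseline",
                           "instanceIds": ["i-0abc123def456", "i-0fed654cba321"]}},
    {"eventSource": "ssm.amazonaws.com", "eventName": "DescribeInstanceInformation",
     "userIdentity": {"arn": "arn:aws:iam::111122223333:user/dev-analyst"},
     "sourceIPAddress": "203.0.113.10", "requestParameters": {}},
    {"eventSource": "ssm.amazonaws.com", "eventName": "SendCommand",
     "userIdentity": {"arn": "arn:aws:iam::111122223333:user/dev-analyst"},
     "sourceIPAddress": "198.51.100.7",
     "requestParameters": {"documentName": "AWS-RunShellScript",
                           "instanceIds": ["i-0fed654cba321"]}},
]


def find_ssm_execution(records, approved_principals):
    """Return one finding per SSM exec event whose caller is not approved.

    approved_principals: ARN prefixes of automation roles expected to use SSM.
    """
    findings = []
    for rec in records:
        if rec.get("eventSource") != "ssm.amazonaws.com":
            continue
        if rec.get("eventName") not in SSM_EXEC_EVENTS:
            continue
        arn = rec.get("userIdentity", {}).get("arn", "")
        if any(arn.startswith(p) for p in approved_principals):
            continue  # expected automation (e.g. patching), not a finding
        params = rec.get("requestParameters") or {}
        # SendCommand carries instanceIds; StartSession carries a single target.
        targets = params.get("instanceIds") or [params.get("target")]
        findings.append({
            "event": rec["eventName"],
            "principal": arn,
            "source_ip": rec.get("sourceIPAddress"),
            "document": params.get("documentName", "Session Manager shell"),
            "targets": [t for t in targets if t],
        })
    return findings


if __name__ == "__main__":
    allow = ["arn:aws:sts::111122223333:assumed-role/PatchRole/"]
    for finding in find_ssm_execution(SAMPLE_RECORDS, allow):
        print(json.dumps(finding))
```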
Contacts Are Like Cookies – I Need More
Community contributors Nolan LOSSIGNOL-DRILLIEN and Vladimir TOUTAIN added a module for exploiting a preauthentication contact database dump vulnerability in Dolibarr 16 prior to 16.0.5. Contact details are a great help for attackers as they can allow them to craft more believable phishing attacks and gain more information about the internal structure of a target company. They can also give information on a company’s relationships with other companies which could reveal information about sensitive company dealings.
Router Exploits – They Never Stop
Router exploits are like fine wine. They just don’t stop, and these devices are often left unpatched for years on end, which can lead to them being compromised and used in attacks, as in the case of the Mirai botnet. Community contributors Anna Graterol, Mana Mostaani, and Nick Cottrell added a new module targeting CVE-2015-3035, which uses a directory traversal vulnerability in unpatched TP-LINK Archer C7 routers to dump arbitrary files from the target such as the
New module content (7)
Amazon Web Services EC2 instance enumeration
Description: This adds the ability for Metasploit to establish sessions to EC2 instances using Amazon’s SSM interface. The result is an interactive shell that does not require the user to transfer a payload to the EC2 instance. For Windows targets, the shell is a PTY-enabled PowerShell session that is incompatible with Post modules but supports user interaction.
VSFTPD 2.3.2 Denial of Service
Description: This PR adds an auxiliary module that performs a denial-of-service attack against VSFTPD servers running version 2.3.2 and below.
Apache NiFi Login Scanner
Description: A new scanner module has been added to scan for valid logins for Apache NiFi servers.
Apache NiFi Version Scanner
Description: This PR adds a version scanner for Apache NiFi.
Archer C7 Directory Traversal Vulnerability
Description: This adds a module that gathers a specific file by leveraging a directory traversal vulnerability in TP-LINK Archer C7 routers. This vulnerability is identified as CVE-2015-3035.
Dolibarr 16 pre-auth contact database dump
Description: This adds a module that leverages an authorization bypass in Dolibarr version 16, prior to 16.0.5. This module dumps the contact database to retrieve customer, prospect, supplier, and employee information. No authentication is needed for this exploit.
AWS SSM Sessions
Description: This adds the ability for Metasploit to establish sessions to EC2 instances using Amazon’s SSM interface. The result is an interactive shell that does not require the user to transfer a payload to the EC2 instance. For Windows targets, the shell is a PTY-enabled PowerShell session that is incompatible with Post modules but supports user interaction.
Enhancements and features (2)
- #18021 from zeroSteiner – The PowerShell Post API methods use a mix of PowerShell and .NET methods, which have different ways of keeping track of the current working directory. This change fixes the ambiguity by synchronizing the current working directory referenced by each set of methods.
- #18031 from wvu – Updates the log commands to explain how to set LocalPager so that users can adjust the editor that is used when running the edit command and the log file that is used for logging module runtime information, respectively.
Bugs fixed (6)
- #18019 from cgranleese-r7 – Fixes validation for the to_handler command when running Evasion and Payload modules.
- #18026 from adfoster-r7 – A bug has been fixed in test modules whereby not all modules were manipulating the load path to require the module_test library correctly, resulting in them being dependent on other modules correctly setting the load path, which may not always occur.
- #18030 from wvu – A missing return statement was added to lib/msf/core/exploit/cmd_stager/http.rb to fix a Ruby syntax error when attempting to handle a 404 file not found case.
- #18032 from wvu – A bug has been fixed in the cmd/brace encoder whereby it did not appropriately escape braces.
- #18036 from adfoster-r7 – A typo has been fixed in the ibm_sametime_enumerate_users.rb gather module that prevented exceptions that were raised from being appropriately caught.
- #18052 from adfoster-r7 – The test/modules/post/test/file.rb module previously did not work on Windows sessions because it read data from a Linux-only file to determine what data to write for the binary file write operation. This has since been fixed so that the binary data is randomly generated rather than based on an OS-specific file.
You can find the latest Metasploit documentation on our docsite at docs.metasploit.com.
As always, you can update to the latest Metasploit Framework with
and you can get more details on the changes since the last blog post from
If you are a git user, you can clone the Metasploit Framework repo (master branch) for the latest.
To install fresh without using git, you can use the open-source-only Nightly Installers or the binary installers (which also include the commercial edition).