All posts by Jack Heysel

Metasploit Weekly Wrap-Up 04/19/24

Post Syndicated from Jack Heysel original https://blog.rapid7.com/2024/04/19/metasploit-weekly-wrap-up-04-19-24/

Welcome Ryan and the new CrushFTP module

It’s not every week we add an awesome new exploit module to the Framework while also adding the original discoverer of the vulnerability to the Rapid7 team. We’re very excited to welcome Ryan Emmons to the Emergent Threat Response team, which works alongside Metasploit here at Rapid7. Ryan discovered an Improperly Controlled Modification of Dynamically-Determined Object Attributes vulnerability in CrushFTP (CVE-2023-43177), affecting versions prior to 10.5.1, which results in unauthenticated remote code execution. Metasploit’s very own Christophe De La Fuente did a fantastic job of turning this complex exploit into a smooth-running Metasploit module. This release also includes a module for another unauthenticated remote code execution vulnerability, this one in the oh-so-popular PostgreSQL management tool pgAdmin. Written by Spencer McIntyre, the module exploits CVE-2024-2044, a path-traversal vulnerability in the session management that allows a Python pickle object to be loaded and deserialized.

New module content (3)

MongoDB Ops Manager Diagnostic Archive Sensitive Information Retriever

Author: h00die
Type: Auxiliary
Pull request: #18936 contributed by h00die
Path: gather/mongodb_ops_manager_diagnostic_archive_info
AttackerKB reference: CVE-2023-0342

Description: This adds an auxiliary module that leverages an information disclosure vulnerability (CVE-2023-0342) in MongoDB Ops Manager v5.0 prior to 5.0.21 and v6.0 prior to 6.0.12 to retrieve the SAML SSL Pem Key File Password, which is stored in plaintext in the application’s Diagnostics Archive.

CrushFTP Unauthenticated RCE

Authors: Christophe De La Fuente and Ryan Emmons
Type: Exploit
Pull request: #18918 contributed by cdelafuente-r7
Path: multi/http/crushftp_rce_cve_2023_43177
AttackerKB reference: CVE-2023-43177

Description: This exploit module leverages an Improperly Controlled Modification of Dynamically-Determined Object Attributes vulnerability (CVE-2023-43177) to achieve unauthenticated remote code execution. This affects CrushFTP versions prior to 10.5.1.

pgAdmin Session Deserialization RCE

Authors: Abdel Adim Oisfi, Davide Silvetti, and Spencer McIntyre
Type: Exploit
Pull request: #19026 contributed by zeroSteiner
Path: multi/http/pgadmin_session_deserialization
AttackerKB reference: CVE-2024-2044

Description: This adds an exploit for pgAdmin <= 8.3 that targets a path traversal vulnerability in the session management which allows a Python pickle object to be loaded and deserialized. This also adds a new Python deserialization gadget chain that executes the code in a new thread so the target application doesn’t block the HTTP request.

Enhancements and features (0)

None

Bugs fixed (0)

None

Documentation

You can find the latest Metasploit documentation on our docsite at docs.metasploit.com.

Get it

As always, you can update to the latest Metasploit Framework with msfupdate
and you can get more details on the changes since the last blog post from
GitHub:

If you are a git user, you can clone the Metasploit Framework repo (master branch) for the latest.
To install fresh without using git, you can use the open-source-only Nightly Installers or the
commercial edition Metasploit Pro.

Metasploit Weekly Wrap-Up 02/09/2024

Post Syndicated from Jack Heysel original https://blog.rapid7.com/2024/02/09/metasploit-weekly-wrap-up-02-09-2024/

Go go gadget Fortra GoAnywhere MFT Module

This Metasploit release contains a module for one of 2024’s hottest vulnerabilities to date: CVE-2024-0204. The path traversal vulnerability in Fortra GoAnywhere MFT allows unauthenticated attackers to access the InitialAccountSetup.xhtml endpoint, which is used during the product’s initial setup to create the first administrator user. After setup has completed, this endpoint is supposed to be no longer available. Attackers can use this vulnerability to create a user with Administrator privileges. Once administrative privileges have been obtained for the GoAnywhere MFT application, uploading a .jsp payload in order to achieve RCE is trivial.

New module content (3)

runc (docker) File Descriptor Leak Privilege Escalation

Authors: Rory McNamara and h00die
Type: Exploit
Pull request: #18780 contributed by h00die
Path: linux/local/runc_cwd_priv_esc

Description: This adds a local privilege escalation exploit that leverages an internal file descriptor leak in runc versions prior to 1.1.12. An attacker with docker privileges is able to write an arbitrary file on the host file system with the permissions of runc (typically root). With this, the module uploads a payload and sets the execute and SUID bits on it to escalate privileges.

Cacti RCE via SQLi in pollers.php

Authors: Aleksey Solovev and Christophe De La Fuente
Type: Exploit
Pull request: #18769 contributed by cdelafuente-r7
Path: multi/http/cacti_pollers_sqli_rce

Description: This PR adds an exploit module which leverages a SQLi (CVE-2023-49085) and an LFI (CVE-2023-49084) vulnerability in Cacti versions prior to 1.2.26 to achieve RCE.

Fortra GoAnywhere MFT Unauthenticated Remote Code Execution

Authors: James Horseman, Zach Hanley, and sfewer-r7
Type: Exploit
Pull request: #18762 contributed by sfewer-r7
Path: multi/http/fortra_goanywhere_mft_rce_cve_2024_0204

Description: This pull request adds an exploit module for CVE-2024-0204, a path traversal vulnerability that results in unauthenticated RCE in Fortra GoAnywhere MFT. GoAnywhere MFT versions 6.x from 6.0.1, and 7.x before 7.4.1, are vulnerable.

Enhancements and features (3)

  • #18696 from zgoldman-r7 – Introduces a standalone MSSQL client class that can be used in new contexts not tied to a specific module.
  • #18718 from cgranleese-r7 – Updates the auxiliary/scanner/mysql/mysql_login.rb module to include a new CreateSession option that opens an interactive session. This functionality is currently behind a feature flag which can be enabled with features set mysql_session_type true.
  • #18761 from dwelch-r7 – Adds a user notification that new modules support a CreateSession option. This functionality is currently behind a feature flag which can be enabled with the features command.

Bugs fixed (3)

  • #18704 from dwelch-r7 – Fixes a bug with framework having 0 registered nop modules when the defer-module-loads feature was enabled.
  • #18773 from sjanusz-r7 – Fixes an issue where Ctrl+Z and Ctrl+C did not work correctly when in the context of an interactive PostgreSQL shell prompt inside the PostgreSQL session type.
  • #18803 from dwelch-r7 – Fixes a crash when using exploit/multi/handler with an invalid payload name.

Documentation added (1)

You can always find more documentation on our docsite at docs.metasploit.com.

Get it

As always, you can update to the latest Metasploit Framework with msfupdate
and you can get more details on the changes since the last blog post from
GitHub:

If you are a git user, you can clone the Metasploit Framework repo (master branch) for the latest.
To install fresh without using git, you can use the open-source-only Nightly Installers or the
commercial edition Metasploit Pro.

Metasploit Weekly Wrap up

Post Syndicated from Jack Heysel original https://blog.rapid7.com/2023/07/21/metasploit-weekly-wrap-up-20/

It’s open season on Openfire with a new RCE module in Metasploit

This week the Metasploit framework saw the addition of an RCE module which exploits a path traversal vulnerability in the instant messaging and group chat server Openfire. The module was submitted by the one and only community contributor h00die-gr3y. The module targets Openfire’s unauthenticated setup environment, in an already configured Openfire installation, to access restricted pages in the Admin Console reserved for administrative users. It uses the path traversal vulnerability to create a new admin user, which is then used to upload an Openfire management plugin weaponized with a Java native payload that triggers the RCE. The module is quite flexible and will get you shells when Openfire is running on Windows or Linux and on a variety of different Java versions.
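The GoAnywhere MFT write-up above and this Openfire one describe the same sequence from a defender’s point of view: a path-traversal request reaches a setup page that should be unreachable once setup is complete, an admin account is created, and a payload upload follows. The following is an added example, not Rapid7 or Metasploit code, that flags that sequence in Common Log Format access logs; the log lines, the paths in them, and the analyze/normalize_path helpers are constructed for this illustration, and only the InitialAccountSetup.xhtml endpoint name comes from the text.

```python
"""Flag web-log requests that reach a one-time setup endpoint after setup is done.

Added example (not Rapid7 or Metasploit code) covering the pattern shared by
CVE-2024-0204 (GoAnywhere MFT, InitialAccountSetup.xhtml) and CVE-2023-32315
(Openfire admin-console setup pages): a traversal request lands on a setup page
that should be unreachable, an admin is created, then a .jsp payload follows.
All log lines and paths below are constructed.
"""
import posixpath
import re
from urllib.parse import unquote

# Common Log Format: client - - [ts] "METHOD path HTTP/x" status size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) \S+" (?P<status>\d{3})'
)

# Setup pages that must be unreachable once initial configuration is complete.
# GoAnywhere's is named in the text; for Openfire, add the admin-console setup
# page names from your own install (none are listed on the page).
SETUP_ENDPOINTS = {"InitialAccountSetup.xhtml"}


def normalize_path(raw: str) -> str:
    """Decode the path (twice, to catch %252e) and resolve dot segments."""
    decoded = unquote(unquote(raw.split("?", 1)[0]))
    return posixpath.normpath("/" + decoded.lstrip("/"))


def analyze(lines, setup_endpoints=SETUP_ENDPOINTS):
    """Return findings, in log order, for setup-page hits and .jsp follow-ons."""
    findings = []
    suspect_ips = set()  # clients that got a non-error answer from a setup page
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not CLF; skip rather than guess
        ip, raw, status = m["ip"], m["path"], int(m["status"])
        norm = normalize_path(raw)
        traversal = ".." in unquote(unquote(raw))
        entry = {"ip": ip, "path": raw, "status": status, "traversal": traversal}
        if posixpath.basename(norm) in setup_endpoints:
            # Any hit is worth a look; a 2xx/3xx means the page was actually served.
            findings.append({**entry, "kind": "setup-endpoint"})
            if status < 400:
                suspect_ips.add(ip)
        elif ip in suspect_ips and norm.lower().endswith(".jsp"):
            # The text notes that, once admin, dropping a .jsp payload is trivial.
            findings.append({**entry, "kind": "jsp-follow-on"})
        elif traversal:
            findings.append({**entry, "kind": "traversal"})
    return findings


# Constructed sample: one client traverses to the setup page, creates an
# account (POST -> 302), then fetches a .jsp; another client only probes.
SAMPLE_LOG = """\
203.0.113.7 - - [05/Feb/2024:10:01:02 +0000] "GET /goanywhere/login.xhtml HTTP/1.1" 200 5120
203.0.113.7 - - [05/Feb/2024:10:01:09 +0000] "GET /goanywhere/static/..%2F..%2Fsetup/InitialAccountSetup.xhtml HTTP/1.1" 200 8114
203.0.113.7 - - [05/Feb/2024:10:01:15 +0000] "POST /goanywhere/static/..%2F..%2Fsetup/InitialAccountSetup.xhtml HTTP/1.1" 302 0
203.0.113.7 - - [05/Feb/2024:10:03:40 +0000] "GET /goanywhere/uploads/example.jsp HTTP/1.1" 200 77
198.51.100.4 - - [05/Feb/2024:10:05:00 +0000] "GET /goanywhere/InitialAccountSetup.xhtml HTTP/1.1" 404 312
"""

if __name__ == "__main__":
    for f in analyze(SAMPLE_LOG.splitlines()):
        print(f"{f['kind']:15} {f['ip']:14} {f['status']} traversal={f['traversal']} {f['path']}")
```

The basename match is deliberate: it fires whatever traversal encoding was used to reach the page, and a 404 hit still shows up so probing is visible even when the patch is in place.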

New module content (2)

Piwigo CVE-2023-26876 Gather Credentials via SQL Injection

Authors: Rodolfo Tavares, Tempest Security, Henrique Arcoverde, and rodnt
Type: Auxiliary
Pull request: #18182 contributed by rodnt
AttackerKB reference: CVE-2023-26876

Description: This PR adds an auxiliary module that takes advantage of CVE-2023-26876 to retrieve the username and password hash from Piwigo v13.5.0 and earlier.

Openfire authentication bypass with RCE plugin

Author: h00die-gr3y
Type: Exploit
Pull request: #18173 contributed by h00die-gr3y
AttackerKB reference: CVE-2023-32315

Description: This PR adds a module for CVE-2023-32315, a remote code execution vulnerability affecting all versions of Openfire released since April 2015, starting with version 3.10.0. Patched versions are 4.7.5+, 4.6.8+, and 4.8.0+.

Enhancements and features (1)

  • #17681 from MegaManSec – This PR adds a new datastore option for Jenkins home directory to the jenkins_gather module.

Bugs fixed (0)

None

Documentation added (1)

  • #18186 from adfoster-r7 – This PR updates multiple code and console snippets within the Wiki to now have syntax highlighting.

You can always find more documentation on our docsite at docs.metasploit.com.

Get it

As always, you can update to the latest Metasploit Framework with msfupdate
and you can get more details on the changes since the last blog post from
GitHub:

If you are a git user, you can clone the Metasploit Framework repo (master branch) for the latest.
To install fresh without using git, you can use the open-source-only Nightly Installers or the
binary installers (which also include the commercial edition).

Metasploit Weekly Wrap-Up

Post Syndicated from Jack Heysel original https://blog.rapid7.com/2023/03/24/metasploit-weekly-wrap-up-197/

Zyxel Routers Beware

This week we’ve released a module written by first-time community contributor shr70 that can exploit roughly 45 different Zyxel router and VPN models. The module exploits a buffer overflow vulnerability that results in unauthenticated remote code execution on affected devices. It’s rare we see a single module affect this many devices, and we are excited to see this ship in the framework. We hope pentesters and red-teamers alike can make good use of this module in their day-to-day operations.

Monitorr unauthenticated RCE

Community contributor h00die-gr3y strikes again, this time with a module for an unauthenticated RCE vulnerability in Monitorr. Monitorr is a simple web application that lets you set up a dashboard to monitor the up or down state of various web sites and web applications. Vulnerable versions allow an attacker to upload a webshell tagged as a GIF image and execute malicious PHP code from the upload directory where the malicious file is stored.

More Metasploit Twitch Streaming

In case you missed it or were previously unaware, our very own Spencer McIntyre has been doing live exploit development on Twitch on the second Friday of the month at 4pm EST. This past week Spencer (aka zerosteiner) shared in real time the trials and tribulations of reverse engineering an authenticated SolarWinds Information Service deserialization RCE. The pull request for this work can be found here: https://github.com/rapid7/metasploit-framework/pull/17785. In the live stream he explained how he takes a blog post with limited technical details, then decompiles and debugs the application to figure out what makes the vulnerability tick. Come watch the next one on Friday, April 14th, at https://www.twitch.tv/zerosteiner. There’s a good chance you’ll learn something new, so be sure to invite your family and friends!

New module content (4)

Zyxel Unauthenticated LAN Remote Code Execution

Authors: Gerhard Hechenberger, SEC Consult Vulnerability Lab, Stefan Viehboeck, Steffen Robertz, and Thomas Weber
Type: Exploit
Pull request: #17388 contributed by shr70

Description: This PR adds a new exploit module for a buffer overflow in roughly 45 different Zyxel router and VPN models.

Monitorr unauthenticated Remote Code Execution (RCE)

Authors: Lyhins Lab and h00die-gr3y
Type: Exploit
Pull request: #17771 contributed by h00die-gr3y
AttackerKB reference: CVE-2020-28871

Description: This adds a module that exploits an unauthenticated file upload vulnerability in various versions of Monitorr. RCE as the user under which the software runs can be achieved due to insufficient validation on GIF uploads.

Open Web Analytics 1.7.3 – Remote Code Execution (RCE)

Authors: Dennis Pfleger and Jacob Ebben
Type: Exploit
Pull request: #17754 contributed by Pflegusch
AttackerKB reference: CVE-2022-24637

Description: This adds an exploit module for CVE-2022-24637, a single/double quote confusion vulnerability in Open Web Analytics versions below 1.7.4. This leads to the disclosure of sensitive information in an automatically generated PHP cache file, which can be leveraged to gain admin privileges and remote code execution.

WhatsUp Gold Credentials Dump

Authors: npm and sshah
Type: Post
Pull request: #17462 contributed by npm-cesium137-io
AttackerKB reference: CVE-2022-29848

Description: This adds a post module that collects and decrypts credentials from WhatsUp Gold installs.

Enhancements and features (2)

  • #17401 from araout42 – This PR adds a new x86 XOR polymorphic encoder.
  • #17583 from cgranleese-r7 – Enhances msfconsole’s info -d command, which is used to generate browser Metasploit module documentation, to additionally include references to AttackerKB.

Bugs fixed (8)

  • #17735 from tekwizz123 – Fixes a few incorrect parameter names in the generated developer documentation found at https://docs.metasploit.com/api/.
  • #17747 from dwelch-r7 – Updates the wmap plugin to no longer crash when running wmap_targets -t http://metasploit.com.
  • #17783 from adfoster-r7 – An update has been made to the reload_lib command so that it continues to reload files even if a single file fails to load.
  • #17784 from dwelch-r7 – Reduces the number of files loaded when msfconsole starts up. This was a performance regression introduced by a recent Rails upgrade.
  • #17792 from adfoster-r7 – Fixes an external module crash when running the auxiliary/scanner/wproxy/att_open_proxy module.
  • #17794 from adfoster-r7 – Updates external modules to support Python 3.11.
  • #17798 from adfoster-r7 – The debug --datastore command was previously causing a stacktrace due to some incorrect operations. These have since been fixed so that users can now use debug --datastore to output debug information along with the datastore information.
  • #17802 from zeroSteiner – Updates Python pingback payloads such as payload/python/pingback_reverse_tcp to no longer crash when viewing info or generating.

Documentation added (1)

  • #17795 from adfoster-r7 – This PR adds documentation on debugging and running external python modules.

You can always find more documentation on our docsite at docs.metasploit.com.

Get it

As always, you can update to the latest Metasploit Framework with msfupdate
and you can get more details on the changes since the last blog post from
GitHub:

If you are a git user, you can clone the Metasploit Framework repo (master branch) for the latest.
To install fresh without using git, you can use the open-source-only Nightly Installers or the
binary installers (which also include the commercial edition).

Metasploit Weekly Wrap-Up

Post Syndicated from Jack Heysel original https://blog.rapid7.com/2023/03/10/metasploit-weekly-wrap-up-196/

Wowza, a new credential gatherer and login scanner!

This week Metasploit Framework gained a credential gatherer for Wowza Streaming Engine Manager. Credentials for this application are stored in a file named admin.password in a known location; by default the file is readable by BUILTIN\Users on Windows and is world-readable on Linux. The module was written by community contributor bcoles, who also wrote a login scanner for Wowza this week. The login scanner can be used to validate the credentials found by the gatherer, so the two modules complement each other quite nicely.

New module content (3)

Wowza Streaming Engine Manager Login Utility

Author: bcoles
Type: Auxiliary
Pull request: #17733 contributed by bcoles

Description: This adds a login scanner module to brute force credentials of Wowza Streaming Engine Manager.

SugarCRM unauthenticated Remote Code Execution (RCE)

Authors: Sw33t.0day and h00die-gr3y
Type: Exploit
Pull request: #17507 contributed by h00die-gr3y
AttackerKB reference: CVE-2023-22952

Description: A module has been added which exploits CVE-2023-22952, an RCE vulnerability in SugarCRM 11.0 Enterprise, Professional, Sell, Serve, and Ultimate versions prior to 11.0.5 and SugarCRM 12.0 Enterprise, Sell, and Serve versions prior to 12.0.2. Successful exploitation as an unauthenticated attacker will result in remote code execution as the user running the web services, which is typically www-data.

Gather Wowza Streaming Engine Credentials

Author: bcoles
Type: Post
Pull request: #17737 contributed by bcoles

Description: This adds a post module that collects Wowza Streaming Engine user credentials from the admin.password local configuration file. This file is world-readable by default on Linux and readable by BUILTIN\Users on Windows.

Enhancements and features (9)

  • #17675 from adfoster-r7 – Updates the admin/kerberos/forge_ticket module to support a new extra_sids option, which can be useful for including cross-domain SIDs when forging external Kerberos trust tickets as part of cross-trust domain escalation. The admin/kerberos/inspect_ticket module has also been updated to support viewing these extra SID values.
  • #17686 from zeroSteiner – This adds 3 additional methods to the existing PetitPotam module to make it work even if the patch for CVE-2021-36942 has been installed. Note that it won’t work after the December 2021 patch.
  • #17715 from zeroSteiner – The Metasploit Payload gem has been bumped to 2.0.115, bringing in support for the arp command to Python Meterpreter on Linux, and adding support for displaying IPv6 routing tables using the route command on Windows.
  • #17727 from rohitkumarankam – Two new options have been added to the login scanner library: max_consecutive_error_count and max_error_count. These options allow users to set the maximum number of errors that are allowed to occur when connecting as well as the maximum number of consecutive errors that are allowed when connecting before the login scanner will give up on a target.
  • #17744 from adfoster-r7 – The code for msfconsole has been updated so that performance profiling can also take into account the time it takes to load msfenv and console related libraries, thereby allowing for more accurate performance profiling.
  • #17745 from gwillcox-r7 – This updates the metasploit-payloads gem to pull in changes to the Python Meterpreter on Windows to add the route add and route delete commands as well as the ability to get process information such as process names and paths.
  • #17746 from todb-r7 – The data/wordlists/password.lst password list has been updated to include the master password that LastPass suggests as an example when a user goes to create a new master password, r50$K28vaIFiYxaY, into the password list, as well as to fix some encoding issues.
  • #17749 from adfoster-r7 – Updates the auxiliary/admin/kerberos/keytab.rb module to additionally export any NTHASHES, which can be useful for decrypting Kerberos network traffic in Wireshark.
  • #17756 from adfoster-r7 – Updates secrets dump to generate the Kerberos RC4 key for the machine account.

Bugs fixed (8)

  • #17673 from bcoles – lib/msf/core/payload/apk.rb has been updated so that by default it only decompiles the main classes instead of all classes, fixing some issues whereby decompiling all classes would prevent creation of a backdoored APK. This also bumps up the minimum apktool version to 2.4.1 and makes it so that versions prior to 2.7.0 of apktool will throw a warning about being potentially out of date.
  • #17716 from zeroSteiner – A bug has been fixed whereby the reverse port forward information message was displayed incorrectly, and the same information was shown on both the local and remote parts of the message.
  • #17721 from zeroSteiner – This fixes an issue where payloads that were adapted failed when stage encoding was enabled because the stage encoding was based on the stager arch and platform values. These values were always the same until we introduced adapted payloads, which can vary.
  • #17723 from jvoisin – A bug has been fixed in the modules/encoders/php/base64.rb encoder whereby strings were being passed as literal strings without being properly quoted, which could result in errors on newer versions of PHP.
  • #17726 from zeroSteiner – The Metasploit Payloads gem has been updated bringing in initial support for attaching to processes on Python Meterpreter shells on Windows, a bug fix for the route command on newer versions of Windows on Windows Meterpreter, and a fix so that both C Meterpreter and Python Meterpreter sessions will attempt to enable the same set of permissions when running getprivs.
  • #17729 from bcoles – Fixes an edge case crash when running Ruby 3.2.
  • #17738 from adfoster-r7 – Fixes a Ruby 3.2 crash when running certain tools.
  • #17758 from zeroSteiner – The metasploit-payloads gem has been bumped to fix a token handle leak that was causing Python Meterpreters to leave dangling handles after using getprivs, fix an error in packet_transmit_http whereby error codes were not appropriately returned, and update the arp command to properly return the interface name instead of the index in the interface column.

Documentation added (3)

  • #17684 from adfoster-r7 – This PR adds the RBCD exploitation documentation to the docs site.
  • #17688 from adfoster-r7 – This PR fixes several broken wiki links and adds validation so that users don’t use the wrong syntax when making docs changes.
  • #17743 from adfoster-r7 – A new page has been added to explain the METASPLOIT_CPU_PROFILE and METASPLOIT_MEMORY_PROFILE options and how to profile msfconsole’s and msfvenom’s performance on systems.

You can always find more documentation on our docsite at docs.metasploit.com.

Get it

As always, you can update to the latest Metasploit Framework with msfupdate
and you can get more details on the changes since the last blog post from
GitHub:

If you are a git user, you can clone the Metasploit Framework repo (master branch) for the latest.
To install fresh without using git, you can use the open-source-only Nightly Installers or the
binary installers (which also include the commercial edition).