All posts by Jacquie Harris

Metasploit Wrap-Up 03/08/2024

Post Syndicated from Jacquie Harris original https://blog.rapid7.com/2024/03/08/metasploit-wrap-up-03-08-2024/

New module content (2)

GitLab Tags RSS feed email disclosure


Authors: erruquill and n00bhaxor
Type: Auxiliary
Pull request: #18821 contributed by n00bhaxor
Path: gather/gitlab_tags_rss_feed_email_disclosure
AttackerKB reference: CVE-2023-5612

Description: This adds an auxiliary module that leverages an information disclosure vulnerability (CVE-2023-5612) in GitLab versions before 16.6.6, 16.7 prior to 16.7.4, and 16.8 prior to 16.8.1 to retrieve user email addresses via the tags RSS feed.

BoidCMS Command Injection

Authors: 1337kid and bwatters-r7
Type: Exploit
Pull request: #18827 contributed by bwatters-r7
Path: multi/http/cve_2023_38836_boidcms
AttackerKB reference: CVE-2023-38836

Description: This PR adds an authenticated RCE against BoidCMS versions 2.0.0 and earlier. The underlying issue in CVE-2023-38836 is that the file upload check validates only the content's leading bytes: a PHP file whose body begins with a GIF header is accepted as a media file, stored under its client-supplied name, and executed by the server when it is requested.
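The following is an added illustration of that bug class, not code from BoidCMS or from the Metasploit module: a minimal model of a "magic bytes only" upload check beside a hardened one. The magic-byte table, the function names and the directory paths are this example's own assumptions.

```ruby
require "securerandom"

# Constructed magic-byte table (this example's own, not BoidCMS's): leading bytes
# that identify an image type, mapped to the extension the server will store it under.
IMAGE_MAGICS = {
  "GIF87a".b            => "gif",
  "GIF89a".b            => "gif",
  "\x89PNG\r\n\x1a\n".b => "png",
  "\xFF\xD8\xFF".b      => "jpg",
}.freeze

# Vulnerable pattern (the bug class behind CVE-2023-38836): the upload is accepted as a
# media file as soon as the body starts with a GIF header, and it is written under the
# client-supplied filename. "shell.php" whose body begins with "GIF89a" therefore lands
# in the web root with a .php extension, and the server executes it when it is requested.
def vulnerable_store(filename, data, webroot)
  return nil unless data.b.start_with?("GIF87a".b, "GIF89a".b)
  File.join(webroot, "media", File.basename(filename)) # client controls the extension
end

# Hardened pattern: the extension is derived from the detected content type (never from
# the client's name), only allow-listed types are accepted, the claimed and detected
# types must agree, the stored name is server-generated, and the file goes to a
# directory from which the web server does not execute scripts.
def hardened_store(filename, data, storage_dir)
  detected = IMAGE_MAGICS.find { |magic, _| data.b.start_with?(magic) }&.last
  return nil if detected.nil?
  claimed = File.extname(filename).delete_prefix(".").downcase
  claimed = "jpg" if claimed == "jpeg"
  return nil unless claimed == detected
  File.join(storage_dir, "#{SecureRandom.hex(16)}.#{detected}")
end

if __FILE__ == $PROGRAM_NAME
  polyglot = 'GIF89a<?php system($_GET["cmd"]); ?>' # constructed GIF/PHP polyglot
  puts "vulnerable: #{vulnerable_store('shell.php', polyglot, '/var/www/html').inspect}"
  puts "hardened:   #{hardened_store('shell.php', polyglot, '/srv/uploads').inspect}"
  puts "hardened:   #{hardened_store('cat.gif', polyglot, '/srv/uploads').inspect}"
end
```

Note that the hardened version does not try to "detect PHP" inside the body; a GIF/PHP polyglot named cat.gif is still accepted, but it is written under a server-chosen .gif name in a directory the web server never executes, so the embedded PHP is never interpreted.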

Enhancements and features (11)

  • #18686 from h00die – This updates the existing auxiliary/scanner/ssh/ssh_version module to report the cryptographic algorithms (key exchange, host key, cipher and MAC) the server advertises, and improves its version detection.
  • #18715 from errorxyz – This adds a Splunk library for use by future modules. It also updates the existing exploit/multi/http/splunk_privilege_escalation_cve_2023_32707 module to use it.
  • #18796 from errorxyz – This updates the ManageEngine Endpoint Central and ServiceDesk Plus RCE modules for CVE-2022-47966. Particularly, it adds a Java target to be able to use Java-based payloads.
  • #18862 from sjanusz-r7 – This PR aligns the client’s peerhost and peerport API for the recently added SQL-based sessions (postgres, mssql, mysql).
  • #18875 from dwelch-r7 – This PR adds conditional validation of module options depending on the chosen connection type. For example, when connecting via RHOST the framework also checks (where applicable) that RPORT or USERNAME is set; when connecting over an existing SESSION, the user only needs to set SESSION, and the values required only for a new RHOST connection are not demanded.
  • #18887 from cgranleese-r7 – Updates the search command to now search modules that are compatible with a specified session type, for instance: search session_type:meterpreter or search session_type:smb.
  • #18903 from sjanusz-r7 – This PR improves the UX by correctly handling database changes: the prompt now shows the current database in the context of a MySQL or MSSQL session.
  • #18905 from cgranleese-r7 – Improves the pwd command output for SMB sessions.
  • #18908 from adfoster-r7 – Updates the SAMR computer-account and ICPR certificate modules to support SMB sessions.
  • #18921 from dwelch-r7 – This adds the IP address to the SMB session prompt when there is no selected share.
  • #18926 from cgranleese-r7 – Update sessions to have a consistent set of local file system commands.
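The first item above (#18686) reports the algorithms an SSH server offers; those come from the server's SSH_MSG_KEXINIT message. As an added example, not the ssh_version module's code, here is a parser for that message (RFC 4253, section 7.1) together with a check that flags algorithms commonly reported as weak. The weak-algorithm list, the function names and the sample server message are this example's own.

```ruby
SSH_MSG_KEXINIT = 20

# The ten name-lists of SSH_MSG_KEXINIT, in wire order (RFC 4253, section 7.1).
KEXINIT_LISTS = %i[
  kex_algorithms server_host_key_algorithms
  encryption_client_to_server encryption_server_to_client
  mac_client_to_server mac_server_to_client
  compression_client_to_server compression_server_to_client
  languages_client_to_server languages_server_to_client
].freeze

# Algorithms this example flags, with the reason. The list is this example's own
# choice, not the ssh_version module's.
WEAK_ALGORITHMS = {
  /\Adiffie-hellman-group1-sha1\z/         => "1024-bit MODP group with SHA-1",
  /\Adiffie-hellman-group-exchange-sha1\z/ => "group exchange hashed with SHA-1",
  /\Assh-dss\z/                            => "DSA host key (1024-bit, SHA-1)",
  /\Assh-rsa\z/                            => "RSA host key signature with SHA-1",
  /\Aarcfour/                              => "RC4 stream cipher",
  /\A3des-cbc\z/                           => "3DES, 64-bit block (Sweet32)",
  /-cbc\z/                                 => "CBC-mode cipher (plaintext recovery attacks)",
  /\Ahmac-md5/                             => "MD5-based MAC",
  /\Ahmac-sha1-96\z/                       => "truncated SHA-1 MAC",
}.freeze

def read_uint32(buf, off)
  raise "truncated packet" if off + 4 > buf.bytesize
  [buf.byteslice(off, 4).unpack1("N"), off + 4]
end

# name-list: uint32 length followed by comma-separated names (an empty list is legal).
def read_name_list(buf, off)
  len, off = read_uint32(buf, off)
  raise "truncated name-list" if off + len > buf.bytesize
  names = buf.byteslice(off, len)
  [names.empty? ? [] : names.split(","), off + len]
end

# Parse a KEXINIT payload (binary packet framing already removed): byte 20, a 16-byte
# cookie, ten name-lists, the first_kex_packet_follows boolean and a reserved uint32.
def parse_kexinit(payload)
  payload = payload.b
  raise "not a KEXINIT message" unless payload.getbyte(0) == SSH_MSG_KEXINIT
  off = 1 + 16
  result = {}
  KEXINIT_LISTS.each { |name| result[name], off = read_name_list(payload, off) }
  raise "truncated packet" if payload.getbyte(off).nil?
  result[:first_kex_packet_follows] = payload.getbyte(off) != 0
  _reserved, _off = read_uint32(payload, off + 1)
  result
end

# One finding per offered algorithm that matches the weak list (first match wins).
def weak_algorithms(parsed)
  parsed.flat_map do |list, algs|
    next [] unless algs.is_a?(Array)
    algs.map do |alg|
      _pattern, why = WEAK_ALGORITHMS.find { |pattern, _| alg.match?(pattern) }
      { list: list, algorithm: alg, reason: why } if why
    end.compact
  end
end

# Serialise a KEXINIT payload from a hash of name-lists (missing lists are empty).
# Used here only to construct the sample server message below.
def build_kexinit(lists, cookie = "\x00".b * 16)
  out = [SSH_MSG_KEXINIT].pack("C") + cookie.b
  KEXINIT_LISTS.each do |name|
    s = Array(lists[name]).join(",")
    out << [s.bytesize].pack("N") << s
  end
  out << [0].pack("C") << [0].pack("N")
end

# Constructed sample: what a server that still offers legacy algorithms might send.
def sample_server_kexinit
  build_kexinit({
    kex_algorithms:               %w[curve25519-sha256 diffie-hellman-group1-sha1],
    server_host_key_algorithms:   %w[ssh-ed25519 ssh-rsa],
    encryption_client_to_server:  %w[aes256-gcm@openssh.com 3des-cbc],
    encryption_server_to_client:  %w[aes256-gcm@openssh.com 3des-cbc],
    mac_client_to_server:         %w[hmac-sha2-256 hmac-md5],
    mac_server_to_client:         %w[hmac-sha2-256 hmac-md5],
    compression_client_to_server: %w[none],
    compression_server_to_client: %w[none],
  })
end

if __FILE__ == $PROGRAM_NAME
  weak_algorithms(parse_kexinit(sample_server_kexinit)).each do |f|
    puts "#{f[:list]}: #{f[:algorithm]} (#{f[:reason]})"
  end
end
```

Against a live host you would read the KEXINIT payload from the socket after the version exchange and hand it to parse_kexinit; every length field is bounds-checked before use, since a scanner that trusts a hostile server's lengths is itself a target.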

Bugs fixed (5)

  • #18844 from sfewer-r7 – This fixes a bug in the file dropper mixin that would prevent files from being deleted with a Windows shell session.
  • #18897 from adfoster-r7 – Updates the smb_login module to support configuring the negotiated SMB protocol versions and whether encryption is negotiated.
  • #18904 from double16 – Fixes the windows/gather/bloodhound module to no longer incorrectly validate the OutputDirectory option.
  • #18920 from dwelch-r7 – This PR fixes an issue with the autorunscript module option within an SMB session.
  • #18928 from dwelch-r7 – This PR fixes an issue when running the auxiliary/gather/windows_secrets_dump module while using the SESSION module option to connect, that caused the client to be disconnected and unable to be reused for subsequent runs/other modules.

Documentation (1)

  • #18929 from adfoster-r7 – Updates the Metasploit API documentation library to the latest available version to avoid CVE-2024-27285 – an XSS in the default YARD template. Thanks to Aviv Keller for reporting.

You can always find more documentation on our docsite at docs.metasploit.com.

Get it

As always, you can update to the latest Metasploit Framework with msfupdate
and you can get more details on the changes since the last blog post from
GitHub:

If you are a git user, you can clone the Metasploit Framework repo (master branch) for the latest.
To install fresh without using git, you can use the open-source-only Nightly Installers or the
commercial edition Metasploit Pro

Metasploit Weekly Wrap-Up 1/05/2024

Post Syndicated from Jacquie Harris original https://blog.rapid7.com/2024/01/05/metasploit-weekly-wrap-up-40/

New module content (2)

Splunk __raw Server Info Disclosure


Authors: KOF2002, h00die, and n00bhaxor
Type: Auxiliary
Pull request: #18635 contributed by n00bhaxor
Path: gather/splunk_raw_server_info

Description: This PR adds a module for an authenticated Splunk information disclosure vulnerability. This module gathers information about the host machine and the Splunk install including OS version, build, CPU arch, Splunk license keys, etc.

[msf](Jobs:0 Agents:0) > use auxiliary/gather/splunk_raw_server_info 
[msf](Jobs:0 Agents:0) auxiliary(gather/splunk_raw_server_info) > set rhosts 127.0.0.1
rhosts => 127.0.0.1
[msf](Jobs:0 Agents:0) auxiliary(gather/splunk_raw_server_info) > set username admin
username => admin
[msf](Jobs:0 Agents:0) auxiliary(gather/splunk_raw_server_info) > set password splunksplunk
password => splunksplunk
[msf](Jobs:0 Agents:0) auxiliary(gather/splunk_raw_server_info) > set verbose true
verbose => true
[msf](Jobs:0 Agents:0) auxiliary(gather/splunk_raw_server_info) > run
[*] Running module against 127.0.0.1
[+] Output saved to /root/.msf4/loot/20231220204049_default_127.0.0.1_splunk.system.st_943292.json
[+] Hostname: 523a845e8652
[+] CPU Architecture: x86_64
[+] Operating System: Linux
[+] OS Build: #1 SMP PREEMPT_DYNAMIC Debian 6.5.6-1kali1 (2023-10-09)
[+] OS Version: 6.5.0-kali3-amd64
[+] Splunk Version: 7.1.0
[+] Trial Version?: false
[+] Splunk Forwarder?: false
[+] Splunk Product Type: splunk
[+] License State: OK
[+] License Key(s): ["FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF"]
[+] Splunk Server Roles: ["indexer", "license_master"]
[+] Splunk Server Startup Time: 2023-12-21 01:40:02
[*] Auxiliary module execution completed

Craft CMS unauthenticated Remote Code Execution (RCE)

Authors: Thanh, chybeta, and h00die-gr3y
Type: Exploit
Pull request: #18612 contributed by h00die-gr3y
Path: linux/http/craftcms_unauth_rce_cve_2023_41892

Description: This adds an exploit module that leverages a remote code execution vulnerability in Craft CMS versions from 4.0.0-RC1 through 4.4.14. This vulnerability is identified as CVE-2023-41892 and allows an unauthenticated attacker to execute arbitrary code remotely.

Enhancements and features (2)

  • #18610 from sjanusz-r7 – This PR enables the Metasploit Payload Warnings feature by default. When enabled, Metasploit will output warnings about missing Metasploit payloads, for instance if they were removed by antivirus.
  • #18632 from jvoisin – This PR adds improvements to the Glibc Tunables Privilege Escalation module. If the file command is not present on the target, the module will try to use the readelf command to obtain the ld.so build ID and determine whether or not the target is compatible with the exploit.
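The build ID that readelf -n prints for ld.so is the NT_GNU_BUILD_ID note in the binary's PT_NOTE segment. The following added example (not the module's code, and not how the module itself does it) reads that note directly from an ELF64 little-endian file, so the build ID can be recovered even when neither file nor readelf is installed; the compatibility table it consults holds a hypothetical ID only, not real glibc builds, and all function names are this example's own.

```ruby
PT_NOTE         = 4
NT_GNU_BUILD_ID = 3

# Walk the ELF64 little-endian program headers and return the bytes of every PT_NOTE
# segment. Field offsets follow the ELF64 layout (e_phoff at 32, e_phentsize at 54,
# e_phnum at 56; p_type at 0, p_offset at 8, p_filesz at 32 within each entry).
def pt_note_segments(elf)
  elf = elf.b
  unless elf.byteslice(0, 4) == "\x7fELF".b && elf.getbyte(4) == 2 && elf.getbyte(5) == 1
    raise "not a little-endian ELF64 file"
  end
  phoff = elf.byteslice(32, 8).unpack1("Q<")
  phentsize, phnum = elf.byteslice(54, 4).unpack("S<S<")
  (0...phnum).map do |i|
    ph = elf.byteslice(phoff + i * phentsize, phentsize)
    next unless ph && ph.unpack1("L<") == PT_NOTE
    p_offset = ph.byteslice(8, 8).unpack1("Q<")
    p_filesz = ph.byteslice(32, 8).unpack1("Q<")
    elf.byteslice(p_offset, p_filesz)
  end.compact
end

# Parse a run of ELF notes: namesz, descsz, type (uint32 each), then name and desc,
# each padded to a 4-byte boundary. Every length is checked against the buffer.
def parse_notes(blob)
  blob = blob.b
  notes = []
  off = 0
  while off + 12 <= blob.bytesize
    namesz, descsz, type = blob.byteslice(off, 12).unpack("L<L<L<")
    off += 12
    name = blob.byteslice(off, namesz) || "".b
    off += (namesz + 3) & ~3
    desc = blob.byteslice(off, descsz) || "".b
    off += (descsz + 3) & ~3
    raise "truncated note" if name.bytesize != namesz || desc.bytesize != descsz
    notes << { name: name.delete("\0"), type: type, desc: desc }
  end
  notes
end

# The hex build ID that readelf -n prints as "Build ID:", or nil if the binary has none.
def gnu_build_id(elf)
  pt_note_segments(elf).each do |seg|
    note = parse_notes(seg).find { |n| n[:name] == "GNU" && n[:type] == NT_GNU_BUILD_ID }
    return note[:desc].unpack1("H*") if note
  end
  nil
end

# Placeholder table (hypothetical ID, not a real glibc build): the real module keeps
# its own mapping from ld.so build IDs to the builds it can exploit.
KNOWN_LD_BUILDS = {
  "0123456789abcdef0123456789abcdef01234567" => "hypothetical distro build A",
}.freeze

def ld_so_compatible?(elf)
  id = gnu_build_id(elf)
  !id.nil? && KNOWN_LD_BUILDS.key?(id)
end

# --- construction helpers for the sample below (not needed against a real ld.so) ---
def build_note(name, type, desc)
  pad = ->(s) { s.b + "\0".b * ((4 - s.bytesize % 4) % 4) }
  name_z = "#{name}\0"
  [name_z.bytesize, desc.bytesize, type].pack("L<L<L<") + pad.(name_z) + pad.(desc)
end

# Minimal ET_DYN x86-64 ELF: 64-byte header, one PT_NOTE program header, the notes.
def build_min_elf64(note_blob)
  note_off = 64 + 56
  ident = "\x7fELF".b + [2, 1, 1, 0].pack("C4") + "\0".b * 8
  ehdr  = ident + [3, 62, 1, 0, 64, 0, 0, 64, 56, 1, 64, 0, 0].pack("S<S<L<Q<Q<Q<L<S<S<S<S<S<S<")
  phdr  = [PT_NOTE, 4, note_off, 0, 0, note_blob.bytesize, note_blob.bytesize, 4].pack("L<L<Q<Q<Q<Q<Q<Q<")
  ehdr + phdr + note_blob.b
end

# Constructed sample ld.so carrying an ABI tag note and a build-ID note.
def sample_ld_so
  abi_tag  = build_note("GNU", 1, [0, 3, 2, 0].pack("L<L<L<L<"))
  build_id = build_note("GNU", NT_GNU_BUILD_ID, ["0123456789abcdef0123456789abcdef01234567"].pack("H*"))
  build_min_elf64(abi_tag + build_id)
end

if __FILE__ == $PROGRAM_NAME
  elf = ARGV[0] ? File.binread(ARGV[0]) : sample_ld_so
  puts "Build ID: #{gnu_build_id(elf).inspect}  compatible: #{ld_so_compatible?(elf)}"
end
```

Run it with the path to the target's dynamic loader (for example /lib64/ld-linux-x86-64.so.2) to print the same ID readelf would; with no argument it parses the constructed sample.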

Documentation

You can find the latest Metasploit documentation on our docsite at docs.metasploit.com.

Get it

As always, you can update to the latest Metasploit Framework with msfupdate
and you can get more details on the changes since the last blog post from
GitHub:

If you are a git user, you can clone the Metasploit Framework repo (master branch) for the latest.
To install fresh without using git, you can use the open-source-only Nightly Installers or the
commercial edition Metasploit Pro

Metasploit Weekly Wrap Up

Post Syndicated from Jacquie Harris original https://blog.rapid7.com/2023/10/06/metasploit-weekly-wrap-up-30/

New module content (3)

LDAP Login Scanner


Author: Dean Welch
Type: Auxiliary
Pull request: #18197 contributed by dwelch-r7
Path: scanner/ldap/ldap_login

Description: This PR adds a new login scanner module for LDAP. Login scanners are the classes that provide functionality for testing authentication against various protocols and mechanisms. This LDAP login scanner supports multiple types of authentication, including plaintext, NTLM, Kerberos and SChannel.

Junos OS PHPRC Environment Variable Manipulation RCE

Authors: Jacob Baines, Ron Bowes, and jheysel-r7
Type: Exploit
Pull request: #18389 contributed by jheysel-r7
Path: freebsd/http/junos_phprc_auto_prepend_file

Description: This adds an exploit module that leverages a PHP environment variable manipulation vulnerability affecting Juniper SRX firewalls and EX switches. This vulnerability is identified as CVE-2023-36845 and allows an attacker to achieve unauthenticated remote code execution as a low-privileged user. The module also includes a jailbreak feature that consists of changing the root password and establishing an SSH session as the root user; the original password is restored when the module terminates.

Progress Software WS_FTP Unauthenticated Remote Code Execution

Author: sfewer-r7
Type: Exploit
Pull request: #18414 contributed by sfewer-r7
Path: windows/http/ws_ftp_rce_cve_2023_40044

Description: This module exploits an unsafe .NET deserialization vulnerability to achieve unauthenticated remote code execution against a vulnerable WS_FTP server running the Ad Hoc Transfer module. All versions of WS_FTP server prior to 8.7.4 and 8.8.2 are vulnerable to this issue. The vulnerability was originally discovered by AssetNote.

AttackerKB Assessment: (https://attackerkb.com/topics/bn32f9sNax/cve-2023-40044/rapid7-analysis)

Enhancements and features (6)

  • #17919 from bcoles – This PR adds support for starting and stopping Windows services using the service control manager to shell payloads.
  • #18338 from smashery – This PR updates the kerberos.rb library so that when a Kerberos login is attempted for a user account that does not require pre-authentication, the module now requests an RC4-HMAC ticket, since it is more easily crackable.
  • #18363 from j0ev – This PR adds support for outputting payloads in octal format, both in the framework and in msfvenom.
  • #18412 from zeroSteiner – This adds additional usage tips to Metasploit, expanding the pool that is selected from on startup.
  • #18420 from smashery – This PR updates the user-agent string reported by our HTTP payloads. We update this periodically to make sure that our payloads don't stick out by having an older user-agent string.
  • #18425 from adfoster-r7 – Adds history support to the nasm and metasm shells. Now when re-opening these shells, previously typed commands should be remembered and available.

Bugs fixed (1)

  • #18372 from gcarmix – Fixed an issue in the generic shell download command.

Documentation added (3)

  • #18277 from cnnrshd – This PR adds new documentation for how to create a command injection exploit module.
  • #18347 from bwatters-r7 – This PR updates the how-to-write-a-check-method docs to better explain why a check method should return a check code rather than call fail_with, in line with best practice.
  • #18393 from adfoster-r7 – Updates the running modules landing page on the Wiki with more beginner friendly information on searching for and running modules.

You can always find more documentation on our docsite at docs.metasploit.com.

Get it

As always, you can update to the latest Metasploit Framework with msfupdate
and you can get more details on the changes since the last blog post from
GitHub:

If you are a git user, you can clone the Metasploit Framework repo (master branch) for the latest.
To install fresh without using git, you can use the open-source-only Nightly Installers or the
binary installers (which also include the commercial edition).

Metasploit Wrap-Up

Post Syndicated from Jacquie Harris original https://blog.rapid7.com/2023/02/17/metasploit-wrap-up-193/

Cisco RV Series Auth Bypass and Command Injection


Thanks to community contributor neterum, Metasploit Framework just gained an awesome new module which targets Cisco Small Business RV Series Routers. The module actually exploits two vulnerabilities, an authentication bypass (CVE-2022-20705) and a command injection (CVE-2022-20707), to achieve code execution in the context of the www-data user.

New module content (2)

Cisco RV Series Authentication Bypass and Command Injection

Authors: Biem Pham, Neterum, and jbaines-r7
Type: Exploit
Pull request: #17599 contributed by neterum
AttackerKB reference: CVE-2022-20707

Description: An exploit for Cisco RV160, RV260, RV340 and RV345 Small Business Routers prior to firmware version 1.0.03.26 has been added which exploits CVE-2022-20705, an authentication bypass, and CVE-2022-20707, a command injection vulnerability, to achieve remote code execution as the www-data user on affected devices as an unauthenticated attacker.

GitLab GitHub Repo Import Deserialization RCE

Authors: Heyder Andrade, RedWay Security, and William Bowling (vakzz)
Type: Exploit
Pull request: #17281 contributed by heyder
AttackerKB reference: CVE-2022-2992

Description: This adds an exploit for CVE-2022-2992, an authenticated remote code execution vulnerability in GitLab's GitHub repository import feature.

Enhancements and features (1)

  • #17594 from zeroSteiner – The DLL template code has been updated so that tools such as msfvenom can use DLL templates with payloads that are larger than 4096 bytes, such as unstaged payloads. Note that this update only applies to the default DLL templates that Metasploit provides, and not to external DLL templates, which are still restricted to 4096 bytes at this time.

Bugs fixed (1)

  • #17645 from adfoster-r7 – Fixes a bug that caused warnings to be output on Arch Linux environments when starting msfconsole.

Documentation

You can find the latest Metasploit documentation on our docsite at docs.metasploit.com.

Get it

As always, you can update to the latest Metasploit Framework with msfupdate
and you can get more details on the changes since the last blog post from
GitHub:

If you are a git user, you can clone the Metasploit Framework repo (master branch) for the latest.
To install fresh without using git, you can use the open-source-only Nightly Installers or the
binary installers (which also include the commercial edition).