All posts by Navya Harika Karaka

Metasploit Weekly Wrap-Up

Post Syndicated from Navya Harika Karaka original https://blog.rapid7.com/2023/07/14/metasploit-weekly-wrap-up-19/

Authentication bypass in WordPress Plugin WooCommerce Payments

This week’s Metasploit release includes a module for CVE-2023-28121 by h00die. The module can be used against any WordPress instance running WooCommerce Payments 5.6.1 or earlier. It exploits an authentication bypass in the plugin: adding a single request header is enough to bypass authentication, after which the WordPress REST API can be used to create a new administrator user.

New module content (3)

WordPress Plugin WooCommerce Payments Unauthenticated Admin Creation

Authors: Julien Ahrens, Michael Mazzolini, and h00die
Type: Auxiliary
Pull request: #18164 contributed by h00die
AttackerKB reference: CVE-2023-28121

Description: This module exploits an authentication bypass vulnerability in the WooCommerce Payments WordPress plugin. By sending a specially crafted request to the plugin, an attacker can bypass authentication and then use the WordPress REST API to create an admin user.
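As an added example (not the Metasploit module’s code, nor anything from the original post), here is the version gate a defender would run against their own sites before the exploit does: pull the plugin’s Stable tag from its readme.txt and compare it with the first fixed release. The readme path, the Stable tag convention and 5.6.2 as the first fixed release are assumptions of the example, and the sample readme is constructed.

```python
"""Added example; not code from the Metasploit module or the Rapid7 post.

Gate a WordPress site on the WooCommerce Payments build it runs, using the
plugin's readme.txt. Assumptions not stated in the post: the readme is
served at wp-content/plugins/woocommerce-payments/readme.txt and carries a
"Stable tag:" line like other WordPress.org-distributed plugins, and 5.6.2
is the first release that closes the bypass (so 5.6.1 and earlier are
affected).
"""
import re
from typing import Optional, Tuple

FIXED_VERSION: Tuple[int, ...] = (5, 6, 2)  # assumption: first fixed release
README_PATH = "/wp-content/plugins/woocommerce-payments/readme.txt"  # assumption

# Constructed sample readme (not captured from a real site).
SAMPLE_README = """=== WooCommerce Payments ===
Contributors: woocommerce, automattic
Tags: payments, checkout
Requires at least: 6.0
Tested up to: 6.2
Requires PHP: 7.2
Stable tag: 5.6.1
License: GPLv2 or later
"""


def parse_version(text: str) -> Tuple[int, ...]:
    """'5.6.1' -> (5, 6, 1). Ignores trailing qualifiers such as '-rc1'."""
    m = re.match(r"\s*(\d+(?:\.\d+)*)", text)
    if not m:
        raise ValueError(f"not a version string: {text!r}")
    parts = tuple(int(p) for p in m.group(1).split("."))
    # Pad so '5.6' compares as (5, 6, 0) rather than as a shorter tuple.
    return parts + (0,) * (3 - len(parts)) if len(parts) < 3 else parts


def stable_tag(readme: str) -> Optional[str]:
    """Extract the 'Stable tag' value from a WordPress plugin readme.txt."""
    m = re.search(r"^\s*Stable tag:\s*(\S+)", readme, re.MULTILINE | re.IGNORECASE)
    return m.group(1) if m else None


def is_affected(version: str) -> bool:
    """True when the installed build predates the fixed release."""
    return parse_version(version) < FIXED_VERSION


def assess_readme(readme: str) -> dict:
    """Combine both steps into a verdict for one site's readme body."""
    tag = stable_tag(readme)
    if tag is None:
        return {"version": None, "affected": None, "reason": "no Stable tag line"}
    try:
        affected = is_affected(tag)
    except ValueError:  # e.g. 'Stable tag: trunk'
        return {"version": tag, "affected": None, "reason": "unparseable tag"}
    fixed = ".".join(map(str, FIXED_VERSION))
    return {"version": tag, "affected": affected, "reason": f"fixed in {fixed}"}


if __name__ == "__main__":
    # A real run would GET README_PATH from the site and pass the body here.
    print(assess_readme(SAMPLE_README))
```

The comparison is on the Stable tag only; a site that pins an older build than the tag advertises, or that removed the readme, still needs the plugin’s own version string checked from the admin side.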

pfSense Restore RRD Data Command Injection

Author: Emir Polat
Type: Exploit
Pull request: #17861 contributed by emirpolatt
AttackerKB reference: CVE-2023-27253

Description: This module exploits a vulnerability in pfSense version 2.6.0 and below that allows authenticated users to execute arbitrary operating system commands as root.

SmarterTools SmarterMail less than build 6985 – .NET Deserialization Remote Code Execution

Authors: 1F98D, Ismail E. Dawoodjee, and Soroush Dalili
Type: Exploit
Pull request: #18170 contributed by ismaildawoodjee
AttackerKB reference: CVE-2019-7214

Description: Adds a new module for the SmarterMail .NET deserialization remote code execution vulnerability (CVE-2019-7214). The vulnerability affects SmarterTools SmarterMail versions up to and including 16.3.6989.16341 (all legacy versions without a build number) and builds below 6985.

Enhancements and features (0)

None

Bugs fixed (0)

None

Documentation added (2)

  • #18177 from ismaildawoodjee – Updates the Wiki to use https://metasploit.com/download instead of http://metasploit.com/download.
  • #18181 from hahwul – Updates broken links in the Wiki.

You can always find more documentation on our docsite at docs.metasploit.com.

Get it

As always, you can update to the latest Metasploit Framework with msfupdate
and you can get more details on the changes since the last blog post from
GitHub:

If you are a git user, you can clone the Metasploit Framework repo (master branch) for the latest.
To install fresh without using git, you can use the open-source-only Nightly Installers or the
binary installers (which also include the commercial edition).

Metasploit Weekly Wrap-Up

Post Syndicated from Navya Harika Karaka original https://blog.rapid7.com/2023/04/28/metasploit-weekly-wrap-up-8/

Scanner That Pulls Sensitive Information From Joomla Installations

This week’s Metasploit release includes a module for CVE-2023-23752 by h00die. Did you know about the improper API access-check vulnerability in Joomla, specifically Joomla versions 4.0.0 through 4.2.7 inclusive? The flaw lets unauthenticated users reach web service endpoints that expose sensitive information such as user and configuration data. This module queries the users and config/application endpoints.

No More Local Exploit Suggester Crashing Against Older Windows Targets

This week’s Metasploit release includes a bug fix by our own adfoster-r7 for the local exploit suggester crashing against older Windows targets. The issue was traced to the bits_ntlm_token_impersonation module’s check of the BITS/WinRM version via PowerShell. A fix has been added so the suggester no longer crashes against either older or newer Windows targets.

New module content (1)

Joomla API Improper Access Checks

Authors: Tianji Lab and h00die
Type: Auxiliary
Pull request: #17895 contributed by h00die
AttackerKB reference: CVE-2023-23752

Description: This adds a scanner that pulls user and config information from Joomla installations that permit access to endpoints containing sensitive information. This affects versions 4.0.0 through 4.2.7 inclusive.
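An added detection example, not code from the Metasploit module or from the post: scan an Apache/nginx combined-format access log for reads of the two Joomla web-service endpoints the scanner queries. The API path prefixes (/api/index.php/v1/, or /api/v1/ when URL rewriting is on) and the public=true query flag used for unauthenticated reads are assumptions of the example, and the sample log lines are constructed.

```python
"""Added example; not code from the Metasploit module or the Rapid7 post.

Flag requests to the Joomla web-service endpoints that CVE-2023-23752
exposes (users and config/application) in a combined-format access log.
Assumptions not stated in the post: the API lives under /api/index.php/v1/
(or /api/v1/ with URL rewriting), and the unauthenticated reads carry a
public=true query parameter.
"""
import re
from dataclasses import dataclass
from typing import Iterable, List
from urllib.parse import parse_qs, urlsplit

COMBINED = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)

# Paths, relative to the API root, that return user or config data.
SENSITIVE_PREFIXES = ("/v1/users", "/v1/config/application")
API_ROOTS = ("/api/index.php", "/api")  # assumption: plain and rewritten forms


@dataclass
class Hit:
    ip: str
    ts: str
    path: str
    status: int
    public_flag: bool

    @property
    def severity(self) -> str:
        # A 200 with public=true means data was actually handed out;
        # anything else is a probe worth knowing about but not a leak.
        return "high" if self.status == 200 and self.public_flag else "low"


def api_relative_path(path: str) -> str:
    """Strip the API root so both URL forms compare the same; '' if not API."""
    for root in API_ROOTS:
        if path.startswith(root + "/"):
            return path[len(root):]
    return ""


def scan(lines: Iterable[str]) -> List[Hit]:
    hits: List[Hit] = []
    for line in lines:
        m = COMBINED.match(line)
        if not m:
            continue  # not combined format; skip rather than guess
        parts = urlsplit(m["target"])
        if not api_relative_path(parts.path).startswith(SENSITIVE_PREFIXES):
            continue
        qs = parse_qs(parts.query)
        hits.append(Hit(
            ip=m["ip"], ts=m["ts"], path=parts.path, status=int(m["status"]),
            public_flag=qs.get("public", ["false"])[0].lower() == "true",
        ))
    return hits


# Constructed sample log lines (not from a real server).
SAMPLE_LOG = [
    '203.0.113.7 - - [28/Apr/2023:10:01:02 +0000] "GET /api/index.php/v1/config/application?public=true HTTP/1.1" 200 1843 "-" "python-requests/2.28"',
    '203.0.113.7 - - [28/Apr/2023:10:01:03 +0000] "GET /api/index.php/v1/users?public=true HTTP/1.1" 200 912 "-" "python-requests/2.28"',
    '198.51.100.4 - - [28/Apr/2023:10:05:00 +0000] "GET /api/v1/users HTTP/1.1" 401 120 "-" "curl/8.0"',
    '192.0.2.9 - - [28/Apr/2023:10:06:00 +0000] "GET /index.php/component/users/?view=login HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '192.0.2.9 - - [28/Apr/2023:10:06:10 +0000] "GET /api/index.php/v1/content/articles?public=true HTTP/1.1" 200 7000 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for h in scan(SAMPLE_LOG):
        print(f"{h.severity:4} {h.ip} {h.ts} {h.path} status={h.status} public={h.public_flag}")
```

The config/application endpoint is the one that matters most: on an affected site it returns database credentials, so any high-severity hit on it should be treated as a credential exposure, not just a scan.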

Enhancements and features (3)

  • #17857 from steve-embling – This adds T3S support for the weblogic_deserialize_rawobject, weblogic_deserialize_marshalledobject, and weblogic_deserialize_badattr_extcomp exploit modules.
  • #17921 from bcoles – This adds documentation for the module post/windows/gather/resolve_sid.
  • #17941 from j-baines – Updates the exploits/linux/misc/zyxel_multiple_devices_zhttp_lan_rce module with CVE identifier CVE-2023-28769.

Bugs fixed (4)

  • #17912 from bwatters-r7 – Fixes a MinGW issue in the Meterpreter stdapi extension. The stdapi extension was using free() instead of FreeMibTable() to free memory allocated by GetIpForwardTable2() which led to a crash when compiled with MinGW.
  • #17913 from adfoster-r7 – Fixes a crash when running the local exploit suggester against older Windows targets.
  • #17914 from zeroSteiner – This fixes an issue where paths with trailing backslashes would wait for more input when passed to directory?() due to the " being escaped in the command testing for the existence of the path.
  • #17926 from bwatters-r7 – This fixes an issue with a railgun function definition that caused the post/windows/gather/resolve_sid module to fail on 64-bit systems. When the module failed, the session was lost.

Documentation added (2)

  • #17839 from cdelafuente-r7 – This improves Metasploit’s documentation on the cleanup method for modules.
  • #17937 from adfoster-r7 – This fixes a formatting error due to a typo in the wiki page for setting up a Metasploit development environment.

Metasploit Weekly Wrap-Up

Post Syndicated from Navya Harika Karaka original https://blog.rapid7.com/2023/02/10/metasploit-weekly-wrap-up-192/

Taking a stroll down memory lane (Tomcat Init Script Privilege Escalation)

Metasploit Weekly Wrap-Up

Do you remember the Tomcat init script issue originally discovered by Dawid Golunski back in 2016 that led to privilege escalation? This week’s Metasploit release includes an exploit module for CVE-2016-1240 by h00die. The vulnerability allows a local user who already controls the tomcat account to escalate privileges and gain root on the target system. The exploit can be used against the following packaged Tomcat versions: Tomcat 8 (8.0.36-2), Tomcat 7 (7.0.70-2) and Tomcat 6 (6.0.45+dfsg-1~deb8u1).

Lenovo Diagnostics Driver IOCTL memmove

Our own Jack Heysel contributed an exploit module for CVE-2022-3699, based on the proof of concept created by alfarom256. Incorrect access control in the Lenovo Diagnostics Driver allows low-privileged users to issue device IOCTLs that perform arbitrary physical/virtual memory reads and writes.

New module content (8)

Nagios XI 5.5.6 to 5.7.5 – ConfigWizards Authenticated Remote Code Execution

Author: Matthew Mathur
Type: Exploit
Pull request: #17494 contributed by k0pak4
AttackerKB reference: CVE-2021-25298

Description: A new authenticated RCE module for Nagios XI has been added which chains CVE-2021-25296, CVE-2021-25297 and CVE-2021-25298 to get a shell as the apache user on Nagios XI devices running versions 5.5.6 through 5.7.5 inclusive.

F5 Big-IP Create Admin User

Author: Ron Bowes
Type: Exploit
Pull request: #17392 contributed by rbowes-r7

Description: This PR adds a privilege escalation module for F5 BIG-IP that uses the unsecured MCP socket to create a new root account.

Apache Tomcat on Ubuntu Log Init Privilege Escalation

Authors: Dawid Golunski and h00die
Type: Exploit
Pull request: #17483 contributed by h00die
AttackerKB reference: CVE-2016-1240

Description: Adds a new exploit/linux/local/tomcat_ubuntu_log_init_priv_esc module for CVE-2016-1240, targeting Tomcat 6, 7 and 8. The default repositories on Debian-based distributions (including Debian, Ubuntu, etc.) provide a vulnerable tomcat init script that allows a local attacker who has already gained access to the tomcat account (for example, by exploiting an RCE vulnerability in a Java web application hosted on Tomcat, uploading a webshell, etc.) to escalate privileges from the tomcat user to root and fully compromise the target system.

Fortra GoAnywhere MFT Unsafe Deserialization RCE

Author: Ron Bowes
Type: Exploit
Pull request: #17607 contributed by rbowes-r7
AttackerKB reference: CVE-2023-0669

Description: This PR adds a module that exploits CVE-2023-0669, which is an object deserialization vulnerability in Fortra GoAnywhere MFT.

ManageEngine ADSelfService Plus Unauthenticated SAML RCE

Authors: Christophe De La Fuente, Khoa Dinh, and horizon3ai
Type: Exploit
Pull request: #17556 contributed by cdelafuente-r7
AttackerKB reference: CVE-2022-47966

Description: This PR adds an exploit for an unauthenticated remote code execution vulnerability affecting Zoho ManageEngine ADSelfService Plus versions 6210 and below (https://github.com/advisories/GHSA-4w3v-83v8-mg94).

ManageEngine ServiceDesk Plus Unauthenticated SAML RCE

Authors: Christophe De La Fuente, Khoa Dinh, and horizon3ai
Type: Exploit
Pull request: #17527 contributed by cdelafuente-r7
AttackerKB reference: CVE-2022-47966

Description: This adds an exploit for an unauthenticated remote code execution vulnerability affecting Zoho ManageEngine ServiceDesk Plus versions 14003 and below (https://github.com/advisories/GHSA-4w3v-83v8-mg94).

ManageEngine Endpoint Central Unauthenticated SAML RCE

Authors: Christophe De La Fuente, Khoa Dinh, h00die-gr3y, and horizon3ai
Type: Exploit
Pull request: #17567 contributed by h00die-gr3y
AttackerKB reference: CVE-2022-47966

Description: This adds an exploit targeting CVE-2022-47966, an unauthenticated remote code execution vulnerability that affects Zoho ManageEngine Endpoint Central and MSP versions 10.1.2228.10 and below. See https://github.com/advisories/GHSA-mqq7-v29v-25f6 and ManageEngine security advisory.

Lenovo Diagnostics Driver IOCTL memmove

Authors: alfarom256 and jheysel-r7
Type: Exploit
Pull request: #17371 contributed by jheysel-r7
AttackerKB reference: CVE-2022-3699

Description: This PR adds a module that makes use of incorrect access control for the Lenovo Diagnostics Driver allowing a low-privileged user the ability to issue device IOCTLs to perform arbitrary physical/virtual memory read/write.

Enhancements and features (3)

  • #17597 from bcoles – Fix notes for SideEffects and Reliability in the auxiliary/dos/mirageos/qubes_mirage_firewall_dos module.
  • #17603 from dwelch-r7 – Updates admin/kerberos/inspect_ticket to show the UPN and DNS Information within a decrypted PAC.
  • #17615 from adfoster-r7 – Adds missing module notes for stability, reliability, and side effects to several modules.

Bugs fixed (2)

  • #17591 from zeroSteiner – A bug has been fixed in metasm_shell and nasm_shell whereby the shells were using readline but the dependency wasn’t correctly imported. This has since been fixed and improved validation has been added.
  • #17592 from zeroSteiner – A bug has been fixed in the bypassuac_injection_winsxs module whereby a string was not properly being treated as being NULL terminated. Additionally, the definitions of the FindFirstFileA and FindFirstFileW functions have been corrected so that they work on x64 systems.

Documentation added (3)

  • #17398 from bwatters-r7 – Adds additional details on using command stagers.
  • #17587 from adfoster-r7 – This PR updates docs.metasploit.com to use the latest ruby conventions.
  • #17595 from mkonda – Updates the documentation on debugging dead Meterpreter sessions to use the correct option name ReverseListenerBindAddress.

Metasploit Weekly Wrap-Up

Post Syndicated from Navya Harika Karaka original https://blog.rapid7.com/2022/12/02/metasploit-weekly-wrap-up-186/

ProxyNotShell

This week’s Metasploit release includes an exploit module for CVE-2022-41082, AKA ProxyNotShell, by DA-0x43-Dx4-DA-Hx2-Tx2-TP-S-Q, Orange Tsai, Piotr Bazydło, Rich Warren, Soroush Dalili, and our very own Spencer McIntyre. CVE-2022-41082 is a deserialization flaw in Microsoft Exchange’s PSRP (PowerShell Remoting Protocol) backend. Exchange Server 2013, 2016 and 2019 are affected by both a server-side request forgery (SSRF) vulnerability and this remote code execution flaw; an authenticated attacker can chain the two to reach the PSRP backend and execute arbitrary code on the target Exchange server. For more information, see CVE-2022-41082 and the write-up CONTROL YOUR TYPES OR GET PWNED. The ProxyNotShell exploit also adds new Exchange SSRF functionality that allows both it and the earlier ProxyShell module to target Exchange instances whose mailbox databases sit in a Database Availability Group (DAG). The Metasploit team has yet to see another public proof of concept that takes this configuration into account.

Remote Control Collection RCE

Community contributors h00die and H4rk3nz0 also introduced another exploit module in this week’s release. It targets Remote Control Collection, remote-control server software that lets a person connect from a mobile device and send input and screen commands to the PC. Note that the module will only deploy a payload if the server is configured without a password (the default). As a side note, if you’re looking to learn more about using Metasploit against targets with remote code execution vulnerabilities, you might find this video (https://www.youtube.com/watch?v=eLbBR956Tgw) helpful.

New module content (2)

  • Microsoft Exchange ProxyNotShell RCE by DA-0x43-Dx4-DA-Hx2-Tx2-TP-S-Q, Orange Tsai, Piotr Bazydło, Rich Warren, Soroush Dalili, and Spencer McIntyre, which exploits CVE-2022-41082 – This adds an exploit module for CVE-2022-41082, AKA ProxyNotShell. This vulnerability is a deserialization flaw in Microsoft Exchange’s PSRP backend. The PSRP backend can be accessed by an authenticated attacker leveraging the SSRF flaw identified as GHSA-6ph7-8wxv-6gf2. Together, these vulnerabilities allow an authenticated attacker to execute arbitrary commands on a Microsoft Exchange Server.
  • Remote Control Collection RCE by H4rk3nz0 and h00die – This PR adds an exploit targeting the Remote Control Server software which allows remote control of a PC, now including running a payload.

Enhancements and features (1)

  • #17304 from om3rcitak – Improves auxiliary/scanner/http/tomcat_mgr_login.rb error message on 401 status codes to include the user defined URI.

Bugs fixed (2)

  • #17163 from jheysel-r7 – This fixes a bug in the check method where we left an artifact on disk.
  • #17299 from smashery – This fixes a bug in the polkit_dbus_auth_bypass module that prevented it from working with certain session types.

Metasploit Weekly Wrap-Up

Post Syndicated from Navya Harika Karaka original https://blog.rapid7.com/2022/09/09/metasploit-weekly-wrap-up-175/

Authenticated command injection vulnerability of Cisco ASA-X with FirePOWER Services

Metasploit Weekly Wrap-Up

jbaines-r7 (https://github.com/jbaines-r7) added a new module that exploits CVE-2022-20828, an authenticated command injection vulnerability in Cisco ASA-X with FirePOWER Services. The vulnerability affects all Cisco ASA appliances that support the ASA FirePOWER module. Note that, although a patch is available for the most recent ASA FirePOWER module versions, such as 6.2.3.19, 6.4.0.15, 6.6.7 and 7.0.21, some versions (6.2.2 and earlier, 6.3, 6.5 and 6.7) will not receive a fix. The exploit gives the attacker root on the module and a foothold from which to pivot into both the inside and outside networks. It works by reaching the FirePOWER Services SFR module’s Linux virtual machine through ASA’s ASDM web server; since that module also runs Snort on the traffic diverted to it, an attacker who controls it can see that diverted traffic as well. Check out the video (https://www.youtube.com/watch?v=_4FEU4GDtB8) of the exploit for more information!

Remote code execution vulnerability of Apache Spark

KostyaKortchinsky and h00die-gr3y (https://github.com/h00die-gr3y) introduced a new module that exploits CVE-2022-33891, a remote code execution vulnerability in Apache Spark. The vulnerability affects Apache Spark 3.0.3 and earlier, 3.1.1 through 3.1.2, and 3.2.0 through 3.2.1. Apache Spark lets users enable Access Control Lists (ACLs) via the configuration option spark.acls.enable, which was introduced to restrict who may view or modify an application’s UI, but the code path this option enables builds a shell command from user-supplied input, resulting in a shell command injection vulnerability. Check out this post by HuskyHacks (https://github.com/HuskyHacks), who provided more information along with great examples!
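An added example in Python, not Apache Spark’s code or the Metasploit module: the shape of the bug described above, a shell command string built from a user name the caller controls, next to a hardened lookup that allow-lists the name and never invokes a shell. That the attacker-supplied name arrives through the UI’s doAs impersonation parameter is my reading of the advisory, not something the post states; the PAYLOAD value is constructed.

```python
"""Added example; not Apache Spark's code and not the Metasploit module.

Shows the shape of CVE-2022-33891 and one way to close it. With
spark.acls.enable=true the UI security filter resolves the caller's Unix
groups by running a shell command that embeds the user name. The name is
attacker-influenced (my reading of the advisory: the doAs impersonation
parameter on the request), so shell metacharacters in it are executed.
The hardened path validates the name and hands it to the process as a
separate argv element, with no shell in between.
"""
import re
import subprocess
from typing import List

# Characters that would change the meaning of a `bash -c` string.
SHELL_META = set("`$;|&<>()\\\"'\n\t ")

# Conservative account-name shape: nothing in it can reach a shell parser.
VALID_USER = re.compile(r"^[a-z_][a-z0-9_-]{0,31}$")

# Constructed attacker value for the user name (not from a real request):
# a backtick command substitution.
PAYLOAD = "`touch /tmp/pwned`"


def vulnerable_group_command(user: str) -> str:
    """Mirrors the flawed pattern: a string built from the user name that is
    then handed to `bash -c`, so the substitution inside PAYLOAD would run."""
    return "id -Gn " + user


def shell_metachars(user: str) -> str:
    """Every shell-significant character in the name, in order (empty if none)."""
    return "".join(ch for ch in user if ch in SHELL_META)


def safe_group_argv(user: str) -> List[str]:
    """Hardened form: allow-list the name, then build argv, never a shell string."""
    if not VALID_USER.match(user):
        raise ValueError(f"rejected user name {user!r}")
    return ["id", "-Gn", user]


def rejects(user: str) -> bool:
    """True when the hardened path refuses the name."""
    try:
        safe_group_argv(user)
    except ValueError:
        return True
    return False


def lookup_groups(user: str) -> List[str]:
    """Run the hardened lookup. Even a name containing metacharacters would
    only ever be argv[2] of `id` here; it can never spawn a command."""
    result = subprocess.run(safe_group_argv(user), capture_output=True,
                            text=True, check=False)
    return result.stdout.split() if result.returncode == 0 else []


if __name__ == "__main__":
    print("vulnerable:", vulnerable_group_command(PAYLOAD))
    print("metachars :", shell_metachars(PAYLOAD) or "(none)")
    print("hardened  :", "rejected" if rejects(PAYLOAD) else lookup_groups(PAYLOAD))
```

The allow-list is the part that matters: escaping the name for a shell is brittle, while refusing anything outside a known account-name shape and passing it as a separate argument removes the shell from the path entirely.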

New module content (2)

Enhancements and features (7)

  • #16901 from bcoles – The post/windows/manage/killav.rb script has been updated to support shell and PowerShell sessions and has undergone some code cleanup. Additionally, documentation has now been created to explain its operations and how to use it.
  • #16934 from bcoles – This adds support for dumping process memory by name in the post/windows/gather/memory_dump module.
  • #16947 from ILightThings – This adds support for formatting buffers for golang.
  • #16948 from gwillcox-r7 – This adds arguments for specifying the username, password and database to the #run_sql post method.
  • #16952 from bcoles – This PR improves the domain_controller? method to allow lower-priv users to invoke it, extends it to support shell sessions, and adds additional useful domain controller enumeration methods to the library.
  • #16973 from HuskyHacks – This adds support for formatting buffers for nim.
  • #16983 from bcoles – This PR adds documentation, references and a more complete description for the firefox_xpi_bootstrapped_addon module.

Bugs fixed (5)

  • #16861 from adfoster-r7 – Fixes a bug in cmd/unix/reverse_ssh that stopped reverse SSH sessions from opening.
  • #16926 from jmartin-r7 – Fixes a bug when using RPC service with the analyze command and specifying a workspace, i.e. within Metasploit RPC client – rpc.call('db.analyze_host', { host: '<metasploitable3 ip>', workspace: 'other' } ).
  • #16968 from luisfso – This PR adds support for the new syntax of the find command’s perm parameter while also maintaining support for the deprecated syntax.
  • #16972 from cgranleese-r7 – Updates msfconsole’s tables to support word wrapping when colors are present.
  • #16974 from jbaines-r7 – Updates Rex::Proto::Http::Client to rely on Ruby’s built in string comparison.
