Post Syndicated from Spencer McIntyre original https://blog.rapid7.com/2024/04/26/metasploit-weekly-wrap-up-04-26-24/

Rancher Modules

This week, Metasploit community member h00die added the second of two modules targeting Rancher instances. These modules each leak sensitive information from vulnerable instances of the application which is intended to manage Kubernetes clusters. These are a great addition to Metasploit’s coverage for testing Kubernetes environments.

PAN-OS RCE

Metasploit also released an exploit for the unauthenticated RCE in PAN-OS that has been receiving a lot of attention recently. This vulnerability is an unauthenticated file creation that can be leveraged to trigger the execution of remote commands. See Rapid7’s analysis on AttackerKB for an in depth explanation of the root cause.

New module content (8)

Rancher Authenticated API Credential Exposure

Authors: Florian Struck, Marco Stuurman, and h00die
Type: Auxiliary
Pull request: #18956 contributed by h00die
Path: gather/rancher_authenticated_api_cred_exposure
AttackerKB reference: CVE-2021-36782

Description: This adds an exploit for CVE-2021-36782, a vulnerability which can be leveraged by an authenticated attacker to leak API credentials from an affected Rancher instance.

Gitlab Version Scanner

Author: Julien (jvoisin) Voisin
Type: Auxiliary
Pull request: #18723 contributed by jvoisin
Path: scanner/http/gitlab_version

Description: A web page exists that can be reached without authentication that contains a hash that can be used to determine the approximate version of gitlab running on the endpoint. This PR enhances our current GitLab fingerprinting capabilities to include the aforementioned technique.

Apache Solr Backup/Restore APIs RCE

Authors: jheysel-r7 and l3yx
Type: Exploit
Pull request: #19046 contributed by jheysel-r7
Path: linux/http/apache_solr_backup_restore
AttackerKB reference: CVE-2023-50386

Description: Adds apache_solr_backup_restore module, taking advantage of a Unrestricted Upload of File with Dangerous Type vulnerability, allowing the user to gain a session in an Apache Solr instance for remote code execution.

Palo Alto Networks PAN-OS Unauthenticated Remote Code Execution

Authors: remmons-r7 and sfewer-r7
Type: Exploit
Pull request: #19101 contributed by remmons-r7
Path: linux/http/panos_telemetry_cmd_exec
AttackerKB reference: CVE-2024-3400

Description: This adds an exploit module for https://security.paloaltonetworks.com/CVE-2024-3400, affecting PAN-OS GlobalProtect Gateway and GlobalProtect Portal deployments with the default telemetry service enabled.

GitLens Git Local Configuration Exec

Authors: Paul Gerste and h00die
Type: Exploit
Pull request: #18997 contributed by h00die
Path: multi/fileformat/gitlens_local_config_exec
AttackerKB reference: CVE-2023-46944

Description: This adds a FileFormat exploit for VSCode. The VSCode extension GitLens by GitKraken before v.14.0.0 allows an untrusted workspace to execute git commands. A repo may include its own .git folder including a malicious config file to execute arbitrary code.

Code Reviewer

Author: h00die
Type: Exploit
Pull request: #18996 contributed by h00die
Path: multi/fileformat/visual_studio_vsix_exec

Description: This adds a new exploit module that creates a malicious VS / VSCode extension file.

Gambio Online Webshop unauthenticated PHP Deserialization Vulnerability

Authors: h00die-gr3y [email protected] and usd Herolab
Type: Exploit
Pull request: #19005 contributed by h00die-gr3y
Path: multi/http/gambio_unauth_rce_cve_2024_23759
AttackerKB reference: CVE-2024-23759

Description: This adds a module for a Remote Code Execution vulnerability in Gambio Online Webshop version 4.9.2.0 and lower allows remote attackers to run arbitrary commands via unauthenticated HTTP POST request.

FortiNet FortiClient Endpoint Management Server FCTID SQLi to RCE

Authors: James Horseman, Spencer McIntyre, Zach Hanley, and jheysel-r7
Type: Exploit
Pull request: #19082 contributed by jheysel-r7
Path: windows/http/forticlient_ems_fctid_sqli
AttackerKB reference: CVE-2023-48788

Description: Adds windows/http/forticlient_ems_fctid_sqli module that takes advantage of a SQLi injection vulnerability in FortiNet FortiClient EMS.

Enhancements and features (11)

• #17294 from adfoster-r7 – This adds a new EVENT_DEPENDENT value for module reliability metadata.
• #18723 from jvoisin – A web page exists that can be reached without authentication that contains a hash that can be used to determine the approximate version of gitlab running on the endpoint. This PR enhances our current GitLab fingerprinting capabilities to include the aforementioned technique.
• #18914 from dotslashsuperstar – This PR adds functionality so that CVE and URL references will be imported from an OpenVAS XML report by default. DNF-CERT and CERT-BUND references can also be collected by sending additional flags to the db_import command.
• #19054 from zgoldman-r7 – Adds NText column parsing to MSSQL modules.
• #19066 from sjanusz-r7 – Adds automated tests for multiple SMB modules.
• #19078 from dwelch-r7 – Fixes a crash in the modules/auxiliary/gather/ldap_query.rb module when running queries from a file.
• #19080 from cgranleese-r7 – Adds architecture and platform detection for PostgreSQL sessions.
• #19086 from nrathaus – Update Metasploit’s RPC to expose module’s default_options metadata.
• #19105 from zgoldman-r7 – Not written.
• #19112 from zgoldman-r7 – Adds architecture and platform detection for MSSQL sessions.
• #19122 from h00die – Adds additional reliability metadata to exploits/linux/local/vcenter_java_wrapper_vmon_priv_esc.

Bugs fixed (6)

• #19079 from nrathaus – Fixes an issue were the password_spray module option was being ignored.
• #19089 from adfoster-r7 – This PR fixes a bug where a user might get an unexpected NoMethodError running the linux/local/exim4_deliver_message_priv_esc module.
• #19111 from zeroSteiner – This PR fixes a bug where a user can specify an invalid payload architecture for a given exploit target. Previously, it was not possible to tab-complete an invalid payload, but this enforces the architecture limitations with a run-time exception before sending the exploit.
• #19113 from adfoster-r7 – Fixes a regression that caused Metasploit to leak memory, and sometimes crash.
• #19114 from zeroSteiner – This PR fixes several instances where we we pass nil values rather than the types expected, causing crashes and stack traces in LDAP-related modules.
• #19129 from nrathaus – This fixes a bug where the notes command included an example which contained a flag that was not supported.

Documentation added (1)

• #19088 from adfoster-r7 – This PR adds documentation for running and writing Metasploit’s unit tests.

You can always find more documentation on our docsite at docs.metasploit.com.

Get it

As always, you can update to the latest Metasploit Framework with msfupdate
and you can get more details on the changes since the last blog post from
GitHub:

• Pull Requests 6.4.4…6.4.6
• Full diff 6.4.4…6.4.6

If you are a git user, you can clone the Metasploit Framework repo (master branch) for the latest.
To install fresh without using git, you can use the open-source-only Nightly Installers or the
commercial edition Metasploit Pro

Post Syndicated from Spencer McIntyre original https://blog.rapid7.com/2024/02/23/metasploit-weekly-wrap-up-02-23-2024/

LDAP Capture module

Metasploit now has an LDAP capture module thanks to the work of llcjngdjttrvddchfntdbinjblktjjetrtifdlibuchh
JustAnda7. This work was completed as part of the Google Summer of Code program.

When the module runs it will by default require privileges to listen on port 389. The module implements a default implementation for BindRequest, SearchRequest, UnbindRequest, and will capture both plaintext credentials and NTLM hashes which can be brute-forced offline. Upon receiving a successful Bind Request, a ldap_bind: Authentication method not supported (7) error is sent to the connecting client.

The module can be with run:

msf6 > use auxiliary/server/capture/ldap
msf6 auxiliary(server/capture/ldap) > run

Incoming requests will have their credentials stored for later use:

[+] LDAP Login attempt => From:10.0.2.15:48198 Username:User Password:Pass
[+] LDAP Login Attempt => From:127.0.0.1:55566	 Username:admin	 ntlm_hash::8aa0e517cd547b4032ff7e9c5359c200879aa5a8031d3d74	 Domain:DOMAIN

These values will be stored in the database for later retrieval:

msf6 auxiliary(server/capture/ldap) > creds
Credentials
===========
host       origin     service         public  private  realm        private_type  JtR Format
----       ------     -------         ------  -------  -----        ------------  ----------
10.0.2.15  10.0.2.15  389/tcp (ldap)  User    Pass     example.com  Password      

Ivanti exploit module

Another honorable mention for this week’s Metasploit release is a module by sfewer-r7 that chains two recently disclosed vulnerabilities(CVE-2024-21893 and CVE-2024-21887) in Ivanti gateways to achieve remote code execution on a vulnerable target. The vulnerabilities are both being widely exploited in the wild. Read Rapid7’s full technical analysis of the exploit chain in AttackerKB.

New module content (4)

Authentication Capture: LDAP

Author: JustAnda7
Type: Auxiliary
Pull request: #18678 contributed by jmartin-tech
Path: server/capture/ldap

Description: Adds a new auxiliary/server/capture/ldap module that emulates an LDAP Server. The server accepts a user’s bind request, and the user credentials or NTLM hash is then captured, logged, and persisted to the currently active database. An ldap_bind: Authentication method not supported (7) error is sent to the connecting client.

Ivanti Connect Secure Unauthenticated Remote Code Execution

Author: sfewer-r7
Type: Exploit
Pull request: #18792 contributed by sfewer-r7
Path: linux/http/ivanti_connect_secure_rce_cve_2024_21893
AttackerKB references: CVE-2024-21887, CVE-2023-36661, CVE-2024-21893

Description: This module exploits the recently disclosed SSRF vulnerability (CVE-2024-21893) in Ivanti Connect Secure and Ivanti Policy Secure. The SSRF is chained to a command injection vulnerability (CVE-2024-21887) to achieve unauthenticated RCE.

Kafka UI Unauthenticated Remote Command Execution via the Groovy Filter option.

Authors: BobTheShopLifter and Thingstad and h00die-gr3y [email protected]
Type: Exploit
Pull request: #18700 contributed by h00die-gr3y
Path: linux/http/kafka_ui_unauth_rce_cve_2023_52251
AttackerKB reference: CVE-2023-52251

Description: This PR adds an exploit module for a command injection vulnerability that exists in Kafka-ui between v0.4.0 and v0.7.1 that allows an attacker to inject and execute arbitrary shell commands via the groovy filter parameter at the topic section.

QNAP QTS and QuTS Hero Unauthenticated Remote Code Execution in quick.cgi

Authors: Spencer McIntyre, jheysel-r7, and sfewer-r7
Type: Exploit
Pull request: #18832 contributed by sfewer-r7
Path: linux/http/qnap_qts_rce_cve_2023_47218
AttackerKB reference: CVE-2023-47218

Description: The PR adds a module targeting CVE-2023-47218, an unauthenticated command injection vulnerability affecting QNAP QTS and QuTH Hero devices. CVE-2023-47218 was discovered and disclosed by Stephen Fewer.

Enhanced Modules (2)

Modules which have either been enhanced, or renamed:

• #18125 from JustAnda7 – This PR adds a module to launch an LDAP service supporting capture and storage of Simple Authentication attempts. When launching this module with default options users must have permissions to bind to port 389.
• #18681 from h00die – This PR updates the pre-existing apache_ofbiz_deserialization module to include functionality that will bypass authentication by using the newly discovered auth-bypass vulnerability: CVE-2023-51467.

Enhancements and features (8)

• #18376 from JustAnda7 – This PR adds support for LDAP capture of NTLM authentication and adds a default implementation for LDAP BindRequest, SearchRequest, UnbindRequest, as well as a default action for unsupported requests.
• #18817 from dwelch-r7 – This PR adds support to now bucket module options that are output after running the options command. This will be for modules that support either an RHOST or a SESSION connection to show that only one or the other is required when using the new session type features for SMB/MSSQL/MYSQL/PostgreSQL sessions.
• #18847 from sjanusz-r7 – This PR adds proxy support for getting a PostgreSQL session via the postgres_login module.
• #18848 from sjanusz-r7 – This PR adds proxy support for getting a MSSQL session via the mssql_login module.
• #18854 from sjanusz-r7 – This PR adds proxy support for getting a MySQL session via the mysql_login module.
• #18855 from sjanusz-r7 – This PR removes the cwd convention from SQL-based sessions, and instead uses a more appropriate def database_name computed value rather than a cached variable.
• #18863 from sjanusz-r7 – This PR adds in the ENVCHANGE types to the MSSQL client mixin, and uses those to fetch the initial DB name received from the server.
• #18864 from cgranleese-r7 – Adds an alias for ls and dir inside SMB sessions.

Bugs fixed (5)

• #18770 from dwelch-r7 – Fixes a bug when multiple new session types (SMB, PostgreSQL, MSSQL, MySQL) were enabled with the features set postgresql_session_type true command.
• #18842 from upsidedwn – Updates the Metasploit Dockerfile to correctly honor user provided bundler config arguments.
• #18850 from adfoster-r7 – Fixes failing ldap server tests.
• #18861 from cgranleese-r7 – Removes SessionType values from modules with OptionalSession mixin.
• #18871 from adfoster-r7 – Fixes a crash when using the webconsole.

Documentation added (1)

• #18857 from jlownie – Updates the Wiki documentation on running the Metasploit database to be more clear.

You can always find more documentation on our docsite at docs.metasploit.com.

Get it

As always, you can update to the latest Metasploit Framework with msfupdate
and you can get more details on the changes since the last blog post from
GitHub:

• Pull Requests 6.3.56…6.3.57
• Full diff 6.3.56…6.3.57

If you are a git user, you can clone the Metasploit Framework repo (master branch) for the latest.
To install fresh without using git, you can use the open-source-only Nightly Installers or the
commercial edition Metasploit Pro

Post Syndicated from Spencer McIntyre original https://blog.rapid7.com/2024/02/16/metasploit-weekly-wrap-up-02-16-2024/

New Fetch Payload

It has been almost a year since Metasploit released the new fetch payloads and since then, 43 of the 79 exploit modules have had support for fetch payloads. The original payloads supported transferring the second stage over HTTP, HTTPS and FTP. This week, Metasploit has expanded that protocol support to include SMB, allowing payloads to be run using rundll32 which has the added benefit of capturing the NetNTLM hashes of the requestor.

This also streamlines the workflow the user would have previously used by first starting the exploit/windows/smb/smb_delivery module, and then copying the command into another exploit. Now the user can simply select one of the SMB-enabled fetch payloads and Metasploit will manage the service and generate the command.

As an added benefit, since #18680 merged into Metasploit, multiple SMB services can be run simultaneously. This means that multiple SMB-enabled fetch payloads can have their own independent handlers running at the same time.

New module content (2)

Base64 Command Encoder

Author: Spencer McIntyre
Type: Encoder
Pull request: #18807 contributed by zeroSteiner

Description: This adds a new encoder module that leverages base64 encoding to escape bad characters in ARCH_CMD payloads for the Linux and UNIX platforms.

SMB Fetch, Windows shellcode stage, Windows x64 IPv6 Bind TCP Stager

Authors: Spencer McIntyre, bwatters-r7, and sf [email protected]
Type: Payload (Adapter)
Pull request: #18664 contributed by zeroSteiner

Description: This adds an SMB fetch-payload service and a new payload to use it. The payload invokes rundll32 but handles everything for the user automatically.

This adapter adds the following payloads:

• cmd/windows/smb/x64/custom/bind_ipv6_tcp
• cmd/windows/smb/x64/custom/bind_ipv6_tcp_uuid
• cmd/windows/smb/x64/custom/bind_named_pipe
• cmd/windows/smb/x64/custom/bind_tcp
• cmd/windows/smb/x64/custom/bind_tcp_rc4
• cmd/windows/smb/x64/custom/bind_tcp_uuid
• cmd/windows/smb/x64/custom/reverse_http
• cmd/windows/smb/x64/custom/reverse_https
• cmd/windows/smb/x64/custom/reverse_named_pipe
• cmd/windows/smb/x64/custom/reverse_tcp
• cmd/windows/smb/x64/custom/reverse_tcp_rc4
• cmd/windows/smb/x64/custom/reverse_tcp_uuid
• cmd/windows/smb/x64/custom/reverse_winhttp
• cmd/windows/smb/x64/custom/reverse_winhttps
• cmd/windows/smb/x64/encrypted_shell/reverse_tcp
• cmd/windows/smb/x64/encrypted_shell_reverse_tcp
• cmd/windows/smb/x64/exec
• cmd/windows/smb/x64/loadlibrary
• cmd/windows/smb/x64/messagebox
• cmd/windows/smb/x64/meterpreter/bind_ipv6_tcp
• cmd/windows/smb/x64/meterpreter/bind_ipv6_tcp_uuid
• cmd/windows/smb/x64/meterpreter/bind_named_pipe
• cmd/windows/smb/x64/meterpreter/bind_tcp
• cmd/windows/smb/x64/meterpreter/bind_tcp_rc4
• cmd/windows/smb/x64/meterpreter/bind_tcp_uuid
• cmd/windows/smb/x64/meterpreter/reverse_http
• cmd/windows/smb/x64/meterpreter/reverse_https
• cmd/windows/smb/x64/meterpreter/reverse_named_pipe
• cmd/windows/smb/x64/meterpreter/reverse_tcp
• cmd/windows/smb/x64/meterpreter/reverse_tcp_rc4
• cmd/windows/smb/x64/meterpreter/reverse_tcp_uuid
• cmd/windows/smb/x64/meterpreter/reverse_winhttp
• cmd/windows/smb/x64/meterpreter/reverse_winhttps
• cmd/windows/smb/x64/meterpreter_bind_named_pipe
• cmd/windows/smb/x64/meterpreter_bind_tcp
• cmd/windows/smb/x64/meterpreter_reverse_http
• cmd/windows/smb/x64/meterpreter_reverse_https
• cmd/windows/smb/x64/meterpreter_reverse_ipv6_tcp
• cmd/windows/smb/x64/meterpreter_reverse_tcp
• cmd/windows/smb/x64/peinject/bind_ipv6_tcp
• cmd/windows/smb/x64/peinject/bind_ipv6_tcp_uuid
• cmd/windows/smb/x64/peinject/bind_named_pipe
• cmd/windows/smb/x64/peinject/bind_tcp
• cmd/windows/smb/x64/peinject/bind_tcp_rc4
• cmd/windows/smb/x64/peinject/bind_tcp_uuid
• cmd/windows/smb/x64/peinject/reverse_named_pipe
• cmd/windows/smb/x64/peinject/reverse_tcp
• cmd/windows/smb/x64/peinject/reverse_tcp_rc4
• cmd/windows/smb/x64/peinject/reverse_tcp_uuid
• cmd/windows/smb/x64/pingback_reverse_tcp
• cmd/windows/smb/x64/powershell_bind_tcp
• cmd/windows/smb/x64/powershell_reverse_tcp
• cmd/windows/smb/x64/powershell_reverse_tcp_ssl
• cmd/windows/smb/x64/shell/bind_ipv6_tcp
• cmd/windows/smb/x64/shell/bind_ipv6_tcp_uuid
• cmd/windows/smb/x64/shell/bind_named_pipe
• cmd/windows/smb/x64/shell/bind_tcp
• cmd/windows/smb/x64/shell/bind_tcp_rc4
• cmd/windows/smb/x64/shell/bind_tcp_uuid
• cmd/windows/smb/x64/shell/reverse_tcp
• cmd/windows/smb/x64/shell/reverse_tcp_rc4
• cmd/windows/smb/x64/shell/reverse_tcp_uuid
• cmd/windows/smb/x64/shell_bind_tcp
• cmd/windows/smb/x64/shell_reverse_tcp
• cmd/windows/smb/x64/vncinject/bind_ipv6_tcp
• cmd/windows/smb/x64/vncinject/bind_ipv6_tcp_uuid
• cmd/windows/smb/x64/vncinject/bind_named_pipe
• cmd/windows/smb/x64/vncinject/bind_tcp
• cmd/windows/smb/x64/vncinject/bind_tcp_rc4
• cmd/windows/smb/x64/vncinject/bind_tcp_uuid
• cmd/windows/smb/x64/vncinject/reverse_http
• cmd/windows/smb/x64/vncinject/reverse_https
• cmd/windows/smb/x64/vncinject/reverse_tcp
• cmd/windows/smb/x64/vncinject/reverse_tcp_rc4
• cmd/windows/smb/x64/vncinject/reverse_tcp_uuid
• cmd/windows/smb/x64/vncinject/reverse_winhttp
• cmd/windows/smb/x64/vncinject/reverse_winhttps

Enhancements and features (7)

• #18706 from sjanusz-r7 – Updates multiple PostgreSQL modules to now work with PostgreSQL sessions. This functionality is behind a feature flag which can be enabled with features set postgres_session_type true.
• #18747 from zgoldman-r7 – Updates the auxiliary/scanner/mssql/mssql_login module with a new CreateSession option which controls the opening of an interactive MSSQL session. This functionality is currently behind a feature flag which can be enabled with features set mssql_session_type true.
• #18759 from cgranleese-r7 – Updates the multiple MySQL modules to work with a provided MySQL session instead of opening a new connection. This functionality is behind a feature flag which can be enabled with features set mysql_session_type true.
• #18763 from zgoldman-r7 – Updates multiple MSSQL modules to now work with the new MSSQL session type that is enabled with features set mssql_session_type true.
• #18806 from cgranleese-r7 – Improves unknown command handling by suggesting similar valid commands.
• #18809 from zeroSteiner – Makes multiple improvements to the dns command – a new command which mimics the functionality of /etc/resolv.conf and /etc/hosts. This functionality is currently behind a feature flag which can be enabled with features set dns_feature true in msfconsole.
• #18825 from cgranleese-r7 – Improves the error messages when the current session is not compatible with a post module.

Bugs fixed (13)

• #18616 from adfoster-r7 – This fixes an issue with the AARCH64 SO ELF template that was causing SIGBUS exceptions to be raised.
• #18774 from adfoster-r7 – Updates the following modules to now work with newer versions of sqlcmd:
  post/windows/gather/credentials/mssql_local_hashdump and post/windows/manage/mssql_local_auth_bypass.
• #18786 from lihe07 – This fixes an option name collision between the exploit/linux/local/service_persistence when the payload is set to cmd/unix/reverse_netcat. The option to set the writable path is now BACKDOOR_PATH.
• #18795 from cgranleese-r7 – Moves the CreateSession option from advanced into basic options for modules, in order to increase discoverability.
• #18798 from upsidedwn – This fixes an issue in the exploit/windows/local/cve_2020_0787_bits_arbitrary_file_move module’s check method that was causing version comparisons to fail.
• #18799 from upsidedwn – This fixes an issue in the exploit/windows/local/cve_2020_17136 module’s check method that was causing version comparisons to fail.
• #18800 from upsidedwn – This fixes an issue in the exploit/windows/local/cve_2021_40449 module’s check method that was causing version comparisons to fail.
• #18801 from upsidedwn – This fixes an issue in the exploit/windows/local/cve_2022_26904_superprofile module’s check method that was causing version comparisons to fail.
• #18812 from adfoster-r7 – Reverts the auxiliary/scanner/mssql/mssql_login modules’s TDSENCRYPTION default value to false.
• #18813 from adfoster-r7 – Fixes a crash when running the help services or help hosts commands.
• #18823 from cdelafuente-r7 – Fix module metadata platform list comparison.
• #18826 from dwelch-r7 – Fixes a regression where the windows/smb/psexec module was not correctly performing cleanup logic.
• #18828 from dwelch-r7 – Fixes a crash when exploit modules used nops.

Documentation

You can find the latest Metasploit documentation on our docsite at docs.metasploit.com.

Get it

As always, you can update to the latest Metasploit Framework with msfupdate
and you can get more details on the changes since the last blog post from
GitHub:

• Pull Requests 6.3.55…6.3.56
• Full diff 6.3.55…6.3.56

If you are a git user, you can clone the Metasploit Framework repo (master branch) for the latest.
To install fresh without using git, you can use the open-source-only Nightly Installers or the
commercial edition Metasploit Pro

Post Syndicated from Spencer McIntyre original https://blog.rapid7.com/2023/12/29/metasploit-2023-wrap-up/

As 2023 winds down, we’re taking another look back at all the changes and improvements to the Metasploit Framework. This year marked the 20th anniversary since Metasploit version 1.0 was committed and the project is still actively maintained and improved thanks to a thriving community.

Version 6.3

Early this year in January, Metasploit version 6.3 was released with a number of improvements for targeting Active Directory environments. The crowning achievement of this effort was the integration of native Kerberos authentication. With this in place, HTTP, LDAP, MSSQL, SMB and WinRM modules can all make use of Kerberos authentication, enabling a swath of new attack techniques and workflows. In addition to the existing modules that are now capable of authenticating with Kerberos, multiple Kerberos-specific modules were added as well for a variety of tasks such as requesting tickets from the Key Distribution Center (aka the KDC which is almost always the Active Directory Domain Controller), forging tickets from known secrets, and inspecting the contents of tickets.

This functionality was highlighted in Black Hat USA’s Arsenal demonstrations, a recording of which can be found online.

Fetch Based Payloads

In May 2023, Metasploit released a new set of payloads, dubbed the Fetch Payloads which make exploitation of OS-command-executing vulnerabilities easier for users. At the time of the release, about two-thirds of exploits added to the Metasploit Framework in the previous year resulted in the execution of an OS command, either due to direct injection or via some other means such as deserialization. While OS command execution is becoming more popular, it often limits the type of payloads that can easily be added to an exploit since the most advanced payloads, including Meterpreter, aren’t available as OS commands.

Prior to the Fetch Payloads, exploit authors were burdened with the work necessary to convert Meterpreter payloads to something deliverable as an OS command. This led to extra work and inconsistent implementations that often lacked the flexibility our users desire. The new pattern uses the Fetch Payloads, which allows the Framework to handle this automatically. The result is less work for exploit developers and a higher degree of control for end users. We expect to see Fetch Payloads continue to be used widely well past 2024 and to have new variants added.

Even More Kerberos Improvements

While the Metasploit 6.3 release provided support for native Kerberos authentication for Metasploit, we’ve since built on it to add even more. These features didn’t make it into the original 6.3 release in January but have since shipped in weekly releases:

• The auxiliary/admin/kerberos/forge_ticket module was expanded to support the diamond and sapphire techniques in addition to the original golden and silver techniques.
• The auxiliary/admin/kerberos/forge_ticket module was also updated to account for the additional fields used by Windows Server 2022, enabling its compatibility with the latest Windows targets.
• We added the post/windows/manage/kerberos_tickets post module, which enables users to dump Kerberos tickets from a compromised host. This is similar functionality to what the popular Rubeus tool’s klist/dump commands do and operates entirely in memory. With this in place, users can now exploit instances of Unconstrained Delegation.
• The auxiliary/gather/windows_secrets_dump module was updated to support pass-the-ticket authentication when using the DCSync technique (the DOMAIN action). This enables users to dump all of the secrets from the target given only a valid Kerberos ticket with the required permissions instead of requiring authentication by username and password.

Fewer DNS Leaks

One of the best features of Metasploit is the seamless way in which users can use established Meterpreter and SSH sessions to tunnel traffic as configured by the route command or often the post/multi/manage/autoroute module. Until this year, these connections would resolve hostnames to IP addresses from the system on which the Metasploit Framework was running, which could potentially leak information to listening parties. Thanks to a combined effort by sempervictus and smashery, Metasploit can now be configured to use a custom DNS server that is optionally accessed via an established session. This feature is currently behind a feature flag and requires users to run features set dns_feature true before it can be accessed.

Once enabled, the dns command allows users to configure how they would like to resolve DNS hostnames. Users can simply specify a single server to handle all queries, or use a wildcard syntax to send DNS queries for one domain to a specific server and non-matching queries to another. The weekly wrap up for the original release contains more detailed notes and usage examples.

Discoverability Improvements

A more recent change to the Framework brought a new feature to allow searching for more fields within modules. By enabling hierarchical search with features set hierarchical_search_table true, users will now find search queries that match module actions, targets, and AKA aliases. For example, this will cause the auxiliary/admin/kerberos/forge_ticket module to be included in the search results when forge_golden is the query because forging golden tickets is one of the actions that it supports.

Users can also discover new capabilities and how to use them by browsing our new docs site at docs.metasploit.com. This site’s source code is included within Metasploit itself, making it easy for users to contribute improvements and their own workflows.

Payload Improvements

Exploits are at the core of what we do on the Metasploit team, but they would be nothing without our payloads. This year saw multiple improvements to our payloads — some changes closed feature gaps, while others added net new functionality. Some highlights include:

• Smashery updated our Java Meterpreter payloads with an important fix to the loader to enable compatibility with the latest versions of OpenJDK.
• Salu90 added a new API to the Windows Meterpreter and a post module to use it that allows users to set the session’s token to a new value.
• JustAnda7 updated the Windows Meterpreter to display IPv6 routes for inspection when the user runs the Meterpreter route command (not to be confused with the Framework route command).
• Ishaanahuja7 added support to Meterpreter for running natively on Apple’s new ARM-based chips.
• Sempervictus added native sessions for AWS Instance connections and AWS SSM agents. These session types are noteworthy because while they require access tokens, they do not require a payload to be run on the target and can be used to open a session on a target that Metasploit is otherwise unable to communicate with.
• usiegl00 and Ishaanahuja7 both contributed enhancements to add support OSX AArch64 Meterpreter payloads, which enables the use of native payloads on M1 or M2 OSX devices that do not have Rosetta installed.

Additionally, GitHub Actions are now being used to measure the feature coverage of the Meterpreter API commands. It’s a lesser-known fact that the Meterpreter payload has multiple implementations for different architectures and platforms. This means some features may be present in one and not another. This is the reason the Mimikatz kiwi plugin isn’t available when the java/meterpreter/reverse_tcp payload is used. To help us and the community track this information, a report including a coverage matrix is now generated automatically. This report can be accessed by navigating to the project’s Actions tab, selecting “Acceptance”, the latest run, and finally downloading the “final-report”.

Module Highlights

• CVE-2022-47966 – This particular vulnerability was an RCE in multiple ManageEngine products. A combined effort by cdelafuente-r7 and h00die-grey brought exploits for the ServiceDesk Plus, ADSelfService Plus, and Endpoint Central products.

• CVE-2023-34362 (Exploit) – The MOVEit exploit leverages one of the more high-profile vulnerabilities to have been released this year. This module exploits a SQL injection to leak sensitive data in order to upload a .NET deserialization payload which results in code execution in the context of NT AUTHORITY\ SYSTEM and was a combined effort by sfewer-r7, rbowes-r7, and bwatters-r7.

• CVE-2023-32560 (Exploit) – This vulnerability is an unauthenticated RCE in Ivanti Avalanche MDM that would result in code execution as NT AUTHORITY\SYSTEM. The module was submitted by EgeBalci and is one of the very few memory corruption exploits added this year.

• CVE-2023-46214 (Exploit) – Chocapikk made their first contributions this year, one of which is for an authenticated RCE in Splunk Enterprise.

• CVE-2023-22952
  (Exploit) – This exploit was contributed by community member h00die-gr3y back in January of 2023. While it may seem like old news nearly a year later, this zero-day gained a lot of attention when it first came to light. This exploit brought along with it new mixin capabilities for Metasploit to embed PHP payloads in PNG images. This opens the door for future exploit modules to drop payloads inside of PNGs with ease.

• CVE-2023-20887
  (Exploit) – This module was added by community contributor sinsinology (with help from community contributor h00die). There were a few Metasploit modules released this year that targeted VMware products; however this one stands out above the rest. Targeting the popular VMware Aria Operations for Networks software, this module enabled attackers to gain unauthenticated code execution in the context of the root user on a wide range of affected software versions.

• CVE-2023-27350
  (Exploit) – Speaking of modules written for celebrity vulnerabilities, let’s not leave out the PaperCut NG Authentication Bypass, brought to the framework by Metasploit’s one and only Christophe De La Fuente. Christophe’s contribution helped pen testers better assess the security of systems hosting PaperCut NG and ease the concerns of their clients during a stressful time in the cybersecurity ecosystem. The module exploits all affected versions of PaperCut NG and returns an elevated Meterpreter session.

• Post Module – Written by Spencer McIntyre of the Metasploit team, this module highlights the framework’s new, powerful Kerberos capabilities. Bringing along with it a large amount of railgun enhancements this module allows for Kerberos tickets to be exported from a compromised host and added to Metasploit’s own cache, allowing them to be used in subsequent attacks. The Kerberos work along with this module helps streamline many different types of attacks that can be performed in and around Domain environments. If you haven’t tested Metasploit’s Kerberos authentication capabilities yet, put it at the top of your todo list for 2024!

• CVE-2023-28252
  (Exploit) – The Common Log File System (CLFS) driver is a fantastic vector for attacks; it’s installed on all the latest versions of Windows and saw more abuse in 2023. Ransomware gangs exploited this vulnerability to gain SYSTEM level access on Windows 10, 11 and Server 2022. Metasploit team member Jack Heysel wrote this module that uses the Reflective DLL template in order to drop a low level PoC which returns a session running in the context of NT AUTHORITY\SYSTEM.

• CVE-2023-40044
  (Exploit) – Another exploit that made big waves this year was the WS_FTP server running the Ad Hoc Transfer module .NET deserialization vulnerability. The module and the initial research behind how the vulnerability actually works was brought to us by Metasploit’s very own, veteran contributor, Stephen Fewer. The exploit module runs reliably on a wide range of affected targets. Everyone loves a module where all you have to do is: select the module, input the IP address of the machine running the vulnerable software, run the module, and get a SYSTEM-level session.

Contributors

We would like to give a big thank you to all of the contributors who sent us code in 2023. Whether it was bug fixes, enhancements, or exploits, we appreciate the work you put into making Metasploit better. In 2023, we received pull requests from the following 75 people (ordered by count). Of these, 49 made their first contribution to Metasploit this year.

• h00die
• bcoles
• smashery
• h00die-gr3y
• jmartin-tech
• ErikWynter
• EgeBalci
• ismaildawoodjee (new in 2023)
• wvu
• jvoisin
• sempervictus
• rorymckinley (new in 2023)
• rad10
• manishkumarr1017 (new in 2023)
• Ryuuuuu (new in 2023)
• prabhatjoshi321 (new in 2023)
• Chocapikk (new in 2023)
• Jemmy1228 (new in 2023)
• AleksaZatezalo (new in 2023)
• emirpolatt (new in 2023)
• heyder
• steve-embling
• dm-ct (new in 2023)
• ide0x90
• archcloudlabs
• samsepi0x0 (new in 2023)
• Lorenyx (new in 2023)
• MikeAnast (new in 2023)
• loredous (new in 2023)
• bradyjackson (new in 2023)
• nfsec
• HynekPetrak
• whotwagner (new in 2023)
• rtpt-erikgeiser
• errorxyz (new in 2023)
• e-lliot (new in 2023)
• gcarmix (new in 2023)
• j0ev (new in 2023)
• xaitax (new in 2023)
• cudalac (new in 2023)
• bka-dev
• cnnrshd (new in 2023)
• pbarry25 (new in 2023)
• D00Movenok (new in 2023)
• gardnerapp (new in 2023)
• rodnt (new in 2023)
• hahwul (new in 2023)
• JustAnda7
• Guilhem7 (new in 2023)
• shellchocolat (new in 2023)
• sdcampbell (new in 2023)
• attl4s (new in 2023)
• distortedsignal (new in 2023)
• spmedia (new in 2023)
• YiDa858 (new in 2023)
• j-baines (new in 2023)
• catatonicprime
• vtoutain (new in 2023)
• SubcomandanteMeowcos (new in 2023)
• samueloph (new in 2023)
• araout42 (new in 2023)
• Pflegusch (new in 2023)
• tekwizz123
• rohitkumarankam (new in 2023)
• jeffmcjunkin
• MegaManSec
• bugch3ck
• raboof (new in 2023)
• JBince (new in 2023)
• Frycos (new in 2023)
• neterum (new in 2023)
• mkonda (new in 2023)
• serializingme (new in 2023)
• k0pak4
• npm-cesium137-io
• hamax97 (new in 2023)

Post Syndicated from Spencer McIntyre original https://blog.rapid7.com/2023/11/17/metasploit-weekly-wrap-up-36/

Possible Web Service Removal

Metasploit has support for running with a local database, or from a remote web service which can be initialized with msfdb init --component webservice. Future versions of Metasploit Framework may remove the msfdb remote webservice. Users that leverage this functionality are invited to react on an issue currently on GitHub to inform the maintainers that the feature is used.

New module content (1)

ZoneMinder Snapshots Command Injection

Authors: UnblvR and whotwagner
Type: Exploit
Pull request: #18434 contributed by whotwagner
Path: unix/webapp/zoneminder_snapshots

Description: This PR adds an exploit module for an unauthenticated remote code execution vulnerability in the video surveillance software Zoneminder (CVE-2023-26035).

Enhancements and features (1)

• #18440 from adfoster-r7 – This alerts users that the remote web service will be removed. It prompts them to respond to an issue on GitHub if the removal will affect them.

Bugs fixed (1)

• #18532 from adfoster-r7 – Fixes db2 scanner module crashes.

Documentation added (1)

• #18524 from bradyjackson – Updates the modules/payload/android/meterpreter/reverse_tcp.md example to use the correct flags when generating a payload.

You can always find more documentation on our docsite at docs.metasploit.com.

Get it

As always, you can update to the latest Metasploit Framework with msfupdate
and you can get more details on the changes since the last blog post from
GitHub:

• Pull Requests 6.3.42…6.3.43
• Full diff 6.3.42…6.3.43

If you are a git user, you can clone the Metasploit Framework repo (master branch) for the latest.
To install fresh without using git, you can use the open-source-only Nightly Installers or the
binary installers (which also include the commercial edition).

Post Syndicated from Spencer McIntyre original https://blog.rapid7.com/2023/09/22/metasploit-weekly-wrap-up-28/

Improved Ticket Forging

Metasploit’s admin/kerberos/forge_ticket module has been updated to work with Server 2022. In Windows Server 2022, Microsoft started requiring additional new PAC elements to be present – the PAC requestor and PAC attributes. The newly forged tickets will have the necessary elements added automatically based on the user provided domain SID and user RID. For example:

msf6 auxiliary(admin/kerberos/forge_ticket) > run aes_key=4a52b73cf37ba06cf693c40f352e2f4d2002ef61f6031f64924fb50be1e23978 domain_sid=S-1-5-21-1242350107-3695253863-3717863007 USER_RID=500 domain=demo.local user=Administrator action=FORGE_GOLDEN

[*] TGT MIT Credential Cache ticket saved to /Users/user/.msf4/loot/20230915213733_default_unknown_mit.kerberos.cca_219182.bin
[*] Primary Principal: [email protected]
Ccache version: 4

....
            Pac Requestor:
              SID: S-1-5-21-1242350107-3695253863-3717863007-500
            Pac Attributes:
              Flag length: 2
              Flags: 1
                .... .... .... .... .... .... .... ..0. Pac Was Requested: The PAC_WAS_REQUESTED bit is NOT SET
                .... .... .... .... .... .... .... ...1 Pac Was Given Implicitly: The PAC_WAS_GIVEN_IMPLICITLY bit is SET
            Pac Server Checksum:
              Signature: 1f94f52598b37bb9cf7e3995
            Pac Privilege Server Checksum:
              Signature: 79ec20b7d4b8e77e5c056563

The domain SID and user RIDs can be obtained using the auxiliary/gather/ldap_query module with the ENUM_DOMAIN and ENUM_ACCOUNTS actions.

New module content (5)

Apache Airflow 1.10.10 – Example DAG Remote Code Execution

Authors: Ismail E. Dawoodjee, Pepe Berba, and xuxiang
Type: Exploit
Pull request: #18283 contributed by ismaildawoodjee
Path: linux/http/apache_airflow_dag_rce

Description: This module exploits an unauthenticated command injection vulnerability by combining two critical vulnerabilities in Apache Airflow 1.10.10. The first, CVE-2020-11978, is an authenticated command injection vulnerability found in one of Airflow’s example DAGs, example_trigger_target_dag, which allows any authenticated user to run arbitrary OS commands as the user running Airflow Worker/Scheduler. The second, CVE-2020-13927, is a default setting of Airflow 1.10.10 that allows unauthenticated access to Airflow’s Experimental REST API to perform malicious actions such as creating the vulnerable DAG above.

Lexmark Device Embedded Web Server RCE

Authors: James Horseman, Zach Hanley, and jheysel-r7
Type: Exploit
Pull request: #18333 contributed by jheysel-r7
Path: linux/http/lexmark_faxtrace_settings

Description: This adds an exploit module that leverages an unauthenticated remote code execution vulnerability in certain Lexmark devices through 2023-02-19. This vulnerability (CVE-2023-26068) is only exposed if, when setting up the printer or device, the user selects "Set up Later" when asked if they would like to add an Admin user.

TOTOLINK Wireless Routers unauthenticated remote command execution vulnerability

Authors: Kazamayc https://github.com/Kazamayc and h00die-gr3y [email protected]
Type: Exploit
Pull request: #18365 contributed by h00die-gr3y
Path: linux/http/totolink_unauth_rce_cve_2023_30013

Description: This adds an exploit module that leverages a command insertion vulnerability in TOTOLINK X5000R Wireless Gigabit Router firmware X5000R_V9.1.0u.6118_B20201102. This allows remote code execution as the user running the webserver. This user is typically the root user.

Ivanti Avalanche MDM Buffer Overflow

Authors: A researcher at Tenable and Ege BALCI egebalci <Ege BALCI [email protected]>
Type: Exploit
Pull request: #18321 contributed by EgeBalci
Path: windows/misc/ivanti_avalanche_mdm_bof

Description: This PR adds an exploit module that targets Ivanti Avalanche MDM versions before v6.4.1, leveraging a buffer overflow condition.

Unix Command Shell, Reverse TCP (via socat)

Author: jheysel-r7
Type: Payload (Single)
Pull request: #18333 contributed by jheysel-r7
Path: cmd/unix/reverse_socat_tcp

Description: This adds an exploit module that leverages an unauthenticated remote code execution vulnerability in certain Lexmark devices through 2023-02-19. This vulnerability (CVE-2023-26068) is only exposed if, when setting up the printer or device, the user selects "Set up Later" when asked if they would like to add an Admin user.

Enhancements and features (5)

• #18294 from zgoldman-r7 – Improves error messages when failing to interact with a network interface such as calling set LHOST=.
• #18358 from zeroSteiner – This adds a new ThriftClient class for interacting with Thrift RPC services. It also updates the two existing Metasploit modules to use it.
• #18361 from cgranleese-r7 – Updates the search command with additional the search keywords stage: :stager: and adapter:.
• #18374 from h00die – Fixes a bug in 7 modules which specified the RelatedModules metadata incorrectly. Now the RelatedModules data is correctly shown to the user when running the info command.
• #18377 from ErikWynter – This change adds a check to the smtp_relay auxiliary/scanner/smtp/smtp_relay scanner module to confirm if the EHLO command is supported by the server. If not, the module will try to initiate the session using the HELO command instead.

Bugs fixed (4)

• #18359 from smashery – Updates the admin/kerberos/forge_ticket module to work with newer Windows Server releases, in particular post Windows Server October 2022. Now, when forging Golden tickets, the forged PAC contains a PAC requestor element with the forged user SID, and additional PAC attributes.
• #18369 from adfoster-r7 – This PR fixes a crash with OptAddressLocal that was caused by darwin AF_LINK having an empty string for its addr.
• #18370 from adfoster-r7 – This PR fixes an issue where msfrpc would hang when updating saved command history.
• #18378 from adfoster-r7 – Removes fremaining debug logging from Prometheus Exporter.

Documentation

You can find the latest Metasploit documentation on our docsite at docs.metasploit.com.

Get it

As always, you can update to the latest Metasploit Framework with msfupdate
and you can get more details on the changes since the last blog post from
GitHub:

• Pull Requests 6.3.34…6.3.35
• Full diff 6.3.34…6.3.35

If you are a git user, you can clone the Metasploit Framework repo (master branch) for the latest.
To install fresh without using git, you can use the open-source-only Nightly Installers or the
binary installers (which also include the commercial edition).

Post Syndicated from Spencer McIntyre original https://blog.rapid7.com/2023/09/15/metasploit-weekly-wrap-up-27/

Flask Cookies

This week includes two modules related to Flask cookie signatures. One is specific to Apache Superset where session cookies can be resigned, allowing an attacker to elevate their privileges and dump the database connection strings. While adding this functionality, community member h00die also added a module for generically working with the default session cookies used by Flask. This generic module auxiliary/gather/python_flask_cookie_signer allows for bruteforcing common signing keys from a wordlist as well as decoding cookies and resigning cookies if the key is known (or recovered).

New module content (12)

Apache Superset Signed Cookie Priv Esc

Authors: Naveen Sunkavally, Spencer McIntyre, h00die, and paradoxis
Type: Auxiliary
Pull request: #18180 contributed by h00die
Path: auxiliary/gather/apache_superset_cookie_sig_priv_esc
AttackerKB reference: CVE-2023-27524

Description: This adds two modules for targeting vulnerabilities related to the signing of Flask’s session cookies. One of them exploits a vulnerability in Apache Superset which is identified as CVE-2023-27524.

Prometheus API Information Gather

Author: h00die
Type: Auxiliary
Pull request: #18290 contributed by h00die
Path: auxiliary/gather/prometheus_api_gather

Description: This PR creates two modules: one to interrogate Prometheus API endpoints for information and one to query Prometheus Node Exporters for information. This is supported by a new Prometheus library and specs.

Prometheus Node Exporter And Windows Exporter Information Gather

Author: h00die
Type: Auxiliary
Pull request: #18290 contributed by h00die
Path: auxiliary/gather/prometheus_node_exporter_gather

Description: This PR creates 2 modules: one to interrogate Prometheus API endpoints for information, the other to query Prometheus Node Exporters for information. This is supported by a new Prometheus library and specs.

Python Flask Cookie Signer

Authors: Spencer McIntyre, h00die, and paradoxis
Type: Auxiliary
Pull request: #18180 contributed by h00die
Path: auxiliary/gather/python_flask_cookie_signer

Description: This adds two modules for targeting vulnerabilities related to the signing of Flask’s session cookies. One of them exploits a vulnerability in Apache Superset which is identified as CVE-2023-27524.

Ivanti Sentry MICSLogService Auth Bypass resulting in RCE (CVE-2023-38035)

Authors: James Horseman, Zach Hanley, and jheysel-r7
Type: Exploit
Pull request: #18330 contributed by jheysel-r7
Path: exploits/linux/http/ivanti_sentry_misc_log_service
AttackerKB reference: CVE-2023-38035

Description: This PR adds an exploit module that targets Ivanti Sentry (formerly Mobileiron Sentry). Ivanti Sentry is vulnerable to an authentication by-pass which exposes API functionality,allowing for code execution in the context of the root user.

Kibana Timelion Prototype Pollution RCE

Authors: Gaetan Ferry, Michał Bentkowski, and h00die
Type: Exploit
Pull request: #18316 contributed by h00die
Path: exploits/linux/http/kibana_timelion_prototype_pollution_rce
AttackerKB reference: CVE-2019-7609

Description: Adds a module that exploits a prototype pollution vulnerability in the Kibana Timelion visualiser resulting in Remote Code Execution.

OpenTSDB 2.4.1 unauthenticated command injection

Authors: Daniel Abeles, Erik Wynter, and Gal Goldstein
Type: Exploit
Pull request: #18350 contributed by ErikWynter
Path: exploits/linux/http/opentsdb_key_cmd_injection
AttackerKB reference: CVE-2023-25826

Description: Adds a new module that exploits an unauthenticated command injection vulnerability in OpenTSDB through 2.4.1 resulting in root access.

VMware vRealize Log Insight Unauthenticated RCE

Authors: Ege BALCI and Horizon3.ai Attack Team
Type: Exploit
Pull request: #18273 contributed by EgeBalci
Path: exploits/linux/http/vmware_vrli_rce
CVE reference: ZDI-23-115

Description: This adds an exploit for VMware vRealize Log Insight versions prior to 8.10.2. It chains multiple vulnerabilities (CVE-2022-31706, CVE-2022-31704, CVE-2022-31711) together to achieve unauthenticated RCE.

Sonicwall

Authors: Ron Bowes and fulmetalpackets
Type: Exploit
Pull request: #18302 contributed by rbowes-r7
Path: exploits/multi/http/sonicwall_shell_injection_cve_2023_34124
AttackerKB reference: CVE-2023-34127

Description: This adds an exploit module that leverages a remote code execution in SonicWall GMS. Version 9.3.9320 (and likely earlier) is affected by this vulnerability identified as CVE-2023-34124.

WinRAR CVE-2023-38831 Exploit

Author: Alexander "xaitax" Hagenah
Type: Exploit
Pull request: #18341 contributed by xaitax
Path: exploits/windows/fileformat/winrar_cve_2023_38831
AttackerKB reference: CVE-2023-38831

Description: This PR adds a module covering CVE-2023-38831, a fileformat vulnerability affecting Winrar 6.22.

LG Simple Editor Remote Code Execution

Authors: Ege Balcı and rgod
Type: Exploit
Pull request: #18329 contributed by EgeBalci
Path: exploits/windows/http/lg_simple_editor_rce
CVE reference: ZDI-23-1204

Description: This module exploits broken access control and directory traversal vulnerabilities for achieving unauthenticated remote code execution on the LG Simple Editor versions <= v3.21. Module achieves code execution in the context of NT AUTHORITY\SYSTEM via uploading and executing a JSP payload.

Windows Common Log File System Driver (clfs.sys) Elevation of Privilege Vulnerability

Authors: Esteban.kazimirow, Ricardo Narvaja, and jheysel-r7
Type: Exploit
Pull request: #18250 contributed by jheysel-r7
Path: exploits/windows/local/cve_2023_28252_clfs_driver
AttackerKB reference: CVE-2023-28252

Description: Adds a new privilege escalation module that exploits a vulnerable clfs.sys driver on Windows to spawn a new NT AUTHORITY/SYSTEM Meterpreter session. The vulnerable driver comes installed by default on Windows 10 21H2, Windows 11 21H2 and Windows Server 2022 (Build 20348) operating systems.

Enhancements and features (8)

• #17474 from prabhatjoshi321 – This PR adds support to the Capcom.sys driver LPE for Windows 11 21H1.
• #18262 from cgranleese-r7 – Adds the ability to select favorite modules with the use command after running show favorites, similar to the search command.
• #18270 from pbarry25 – Improves tab completion for the set and unset commands.
• #18327 from h00die – Fixes an issue where specifying a TLS version in the ssl_version module would result in a NoMethodError.
• #18349 from adfoster-r7 – Adds Meterpreter compatibility matrix generation to Github’s acceptance test runs. Now, it’s possible to visually see which Meterpreters support particular functionality.
• #18354 from zeroSteiner – This PR moves the MSF tip to be displayed while Metasploit is loading. This is similar to what a lot of video games do (e.g. Skyrim).
• #18356 from adfoster-r7 – This PR updates the Docker Golang version.
• #18357 from adfoster-r7 – Adds additional error reporting to the Meterpreter integration tests.

Bugs fixed (2)

• #17970 from YiDa858 – Fixes an error in nessus_db_import and nessus_scan_export commands that prevented them from completing successfully.
• #18362 from adfoster-r7 – Fixes an edgecase which could cause a new msfrpc console instance to hang forever.

Documentation

You can find the latest Metasploit documentation on our docsite at docs.metasploit.com.

Get it

As always, you can update to the latest Metasploit Framework with msfupdate
and you can get more details on the changes since the last blog post from
GitHub:

• Pull Requests 6.3.33…6.3.34
• Full diff 6.3.33…6.3.34

If you are a git user, you can clone the Metasploit Framework repo (master branch) for the latest.
To install fresh without using git, you can use the open-source-only Nightly Installers or the
binary installers (which also include the commercial edition).

Post Syndicated from Spencer McIntyre original https://blog.rapid7.com/2023/08/18/metasploit-weekly-wrap-up-23/

Meterpreter Testing

This week’s release adds new payload tests to our automated test suite. This is intended to help the team and community members identify issues and behavior discrepancies before changes are made. Payloads run on a variety of different platforms including Windows, Linux, and OS X each of which has multiple Meterpreter implementations available that are now tested to help ensure consistency. This should improve payload stability and make testing easier for community members that are contributing new features to the payloads.

New module content (4)

H2 Web Interface Create Alias RCE

Authors: Nairuz Abulhul, gambler, h00die, and h4ckNinja
Type: Exploit
Pull request: #18226 contributed by h00die
Path: exploits/linux/http/h2_webinterface_rce

Description: This PR adds an exploit against the H2 database’s web console. An authenticated user can issue requests to invoke built-in functionality to execute arbitrary code. There is no CVE for this issue.

Maltrail Unauthenticated Command Injection

Authors: Chris Wild and Ege BALCI
Type: Exploit
Pull request: #18280 contributed by EgeBalci
Path: exploits/unix/http/maltrail_rce

Description: This PR adds a module for an unauthenticated RCE vulnerability in Maltrail, a malicious traffic detection system. The module author indicated that this vulnerability does not have a CVE associated with it as the vendor (product team in this case) declined to assign one.

RaspAP Unauthenticated Command Injection

Authors: Ege BALCI and Ismael0x00
Type: Exploit
Pull request: #18263 contributed by EgeBalci
Path: exploits/unix/http/raspap_rce
AttackerKB reference: CVE-2022-39986

Description: This PR adds an unauthenticated command injection module for the RaspAP webgui application.

Greenshot .NET Deserialization Fileformat Exploit

Authors: bwatters-r7 and p4r4bellum
Type: Exploit
Pull request: #18253 contributed by bwatters-r7
Path: exploits/windows/fileformat/greenshot_deserialize_cve_2023_34634
AttackerKB reference: CVE-2023-34634

Description: This PR adds a file-format exploit affecting Greenshot versions 1.3.274 and earlier, including the last stable release, 1.2.10.6.

Enhancements and features (1)

• #18288 from adfoster-r7 – Adds stability enhancements to Meterpreter payloads. Additionally, this adds a large suite of automated sanity tests to Github Actions that verify OSX/Windows/Linux/Python/Java/PHP Meterpreter payloads work.

Bugs fixed (3)

• #18275 from adfoster-r7 – Updates the module metadata for the Java reverse_http and reverse_https stagers to be treated as a dynamic payload size, instead of a static/fixed size. This size change can happen as the Java payload contains a user-configurable HTTP callback URL, and combined with the Zip compression present in JAR files – the overall generated payload size can change as a result.
• #18278 from rorymckinley – Fixes a crash when running the auxiliary/scanner/mysql/mysql_login module against newer versions of MySQL.
• #18289 from zeroSteiner – Fixes a typo in the exploit/freebsd/http/citrix_formssso_target_rce docs.

Documentation

You can find the latest Metasploit documentation on our docsite at docs.metasploit.com.

Get it

As always, you can update to the latest Metasploit Framework with msfupdate
and you can get more details on the changes since the last blog post from
GitHub:

• Pull Requests 6.3.29…6.3.30
• Full diff 6.3.29…6.3.30

If you are a git user, you can clone the Metasploit Framework repo (master branch) for the latest.
To install fresh without using git, you can use the open-source-only Nightly Installers or the
binary installers (which also include the commercial edition).

Post Syndicated from Spencer McIntyre original https://blog.rapid7.com/2023/02/24/metasploit-wrap-up-194/

Basic discover script improvements

This week two improvements were made to the script/resource/basic_discovery.rc resource script. The first update from community member samsepi0x0 allowed commas in the RHOSTS value, making it easier to target multiple hosts. Additionally, adfoster-r7 improved the script by adding better handling for error output. This continues our trend of trying to provide more useful diagnostic information to our end users.

Google Summer of Code

The Metasploit Framework has been accepted to participate in Google’s Summer of Code program again for 2023. This event pairs new contributors with an experienced mentor as they work on an open source project (Metasploit in our case). We will soon be soliciting project proposals from the community for anyone interested in getting involved. Some project ideas are on the docs site, but folks are welcome to submit entirely new ideas for something they think would benefit the Metasploit community.

Web Based Module Counts

This week, adfoster-r7 improved our docs site with a running count of all the published modules. This information is kept up to date automatically and is a great resource for anyone looking for how many modules Metasploit has included without needing to install and start the framework. The page even allows users to dive deeper into types of modules and platforms in the same way as msfconsole.

New module content (2)

Froxlor Log Path RCE

Authors: Askar and jheysel-r7
Type: Exploit
Pull request: #17640 contributed by jheysel-r7
AttackerKB reference: CVE-2023-0315

Description: This module exploits a vulnerability in versions of Froxlor prior to 2.0.8 that allows an authenticated user to change the default log file to an arbitrary path on the system. Using this, an authenticated user can write a Twig template, that when rendered, will execute arbitrary code and grant a shell or Meterpreter session as the www-data user.

pyLoad js2py Python Execution

Authors: Spencer McIntyre and bAu
Type: Exploit
Pull request: #17652 contributed by zeroSteiner
AttackerKB reference: CVE-2023-0297

Description: This adds an exploit for CVE-2023-0297 which is an unauthenticated Javascript injection in pyLoad’s Click ‘N’ Load service.

Enhancements and features (1)

• #17674 from adfoster-r7 – Updates the script/resource/basic_discovery.rc script to better detect when the Metasploit database is not connected as well as improving error output.

Bugs fixed (2)

• #17650 from samsepi0x0 – Updates the script/resource/basic_discovery.rc script to support commas in RHOSTS values.
• #17660 from bugch3ck – This updates the location of where registry hives are temporarily stored by the windows_secrets_dump module.
• #17663 from manishkumarr1017 – This fixes an issue where action names were being treated as case sensitive.

Documentation added (2)

• #17637 from adfoster-r7 – This PR adds the latest module information to docs.metasploit.com as a quick way to explore Metasploit’s available modules.
• #17685 from samsepi0x0 – Fixes a broken link within Metasploit’s Google Summer of Code 2023 Project Ideas.

You can always find more documentation on our docsite at docs.metasploit.com.

Get it

As always, you can update to the latest Metasploit Framework with msfupdate
and you can get more details on the changes since the last blog post from
GitHub:

• Pull Requests 6.3.3…6.3.4
• Full diff 6.3.3…6.3.4

If you are a git user, you can clone the Metasploit Framework repo (master branch) for the latest.
To install fresh without using git, you can use the open-source-only Nightly Installers or the
binary installers (which also include the commercial edition).

Post Syndicated from Spencer McIntyre original https://blog.rapid7.com/2022/11/18/metasploit-weekly-wrap-up-184/

Pre-authenticated Remote Code Execution in VMware NSX Manager using XStream (CVE-2021-39144)

There’s nothing quite like a pre-authenticated remote code execution vulnerability in a piece of enterprise software. This week, community contributor h00die-gr3y added a module that targets VMware NSX Manager using XStream. Due to an unauthenticated endpoint that leverages XStream for input serialization in VMware Cloud Foundation (NSX-V), a malicious actor can get remote code execution in the context of root on the appliance. VMware saw this vulnerability as such a risk, and they decided to release patches for versions that were no longer supported, which goes to show the value that this module provides.

Gitea Git Fetch Remote Code Execution (CVE-2022-30781)

Using Gitea in your environment? You better git-to-patching. Community contributor krastanoel wrote an awesome module which exploits a remote code execution vulnerability in versions of Gitea before 1.16.7. The vulnerability identified as CVE-2022-30781 is due to the application running a git fetch command in which an attacker can inject arbitrary commands resulting in code execution as the git user.

Metasploit on Twitch

This week Metasploit’s very own Spencer McIntyre went live on Twitch and went over writing Meterpreter features in Metasploit. Be sure to check out the recording and stay tuned for more fun and informative Metasploit streaming sessions.

New module content (2)

• VMware NSX Manager XStream unauthenticated RCE by Sina Kheirkhah, Steven Seeley, and h00die-gr3y, which exploits CVE-2021-39144 – This adds an exploit module that leverages a Remote Command Injection vulnerability in VMware Cloud Foundation 3.x and NSX Manager Data Center for vSphere up to and including version 6.4.13. This vulnerability is identified as CVE-2021-39144.
• Gitea Git Fetch Remote Code Execution by krastanoel, li4n0, and wuhan005, which exploits CVE-2022-30781 – This adds an exploit module that leverages a command injection vulnerability in Gitea. Due to an improper escaping of input, it is possible to execute commands on the system abusing the Gitea repository migration process. This vulnerability is identified as CVE-2022-30781 and affects Gitea versions prior to 1.16.7.

Enhancements and features (2)

• #17243 from adfoster-r7 – Improves the TLV packet logging for Railgun
• #17253 from h00die – The list of WordPress plugins and themes has been updated to allow Metasploit tools to scan for a wider range of known themes and plugins on WordPress targets.

Bugs fixed (2)

• #17260 from zeroSteiner – This fixes an issue with the RBCD module due to the access_mask field of the Access Control Entry types being changed from the AccessMask type to an integer.
• #17263 from zeroSteiner – The Metasploit-payloads gem has been bumped to 2.0.101, which fixes memory and handle leaks when using the incognito plugin’s list_token functionality. It also updates the Mimikatz code in Metasploit to pull in the latest changes.
• #17261 from zeroSteiner – This fixes support for port forwarding on Ruby 3 with meterpreter payloads.
• #17264 from gwillcox-r7 – This bumps the Go version from 1.11.2 to 1.19.3 in the metasploit-framework Dockerfile.

Get it

As always, you can update to the latest Metasploit Framework with msfupdate and you can get more details on the changes since the last blog post from GitHub:

• Pull Requests 6.2.26…6.2.27
• Full diff 6.2.26…6.2.27

If you are a git user, you can clone the Metasploit Framework repo (master branch) for the latest.
To install fresh without using git, you can use the open-source-only Nightly Installers or the
binary installers (which also include the commercial edition).

Post Syndicated from Spencer McIntyre original https://blog.rapid7.com/2022/10/21/metasploit-weekly-wrap-up-181/

Zimbra with Postfix LPE (CVE-2022-3569)

This week rbowes added an LPE exploit for Zimbra with Postfix. The exploit leverages a vulnerability whereby the Zimbra user can run postfix as root which in turn is capable of executing arbitrary shellscripts. This can be abused for reliable privilege escalation from the context of the zimbra service account to root. As of this time, this vulnerability remains unpatched.

Zimbra RCE (CVE-2022-41352)

rbowes also added an RCE for Zimbra as well. This exploit can be used to remotely obtain the initial access necessary to exploit CVE-2022-3569 and escalate privileges to root. This exploit leverages a path traversal vulnerability to write a malicious JSP file to the web directory which yields code execution. The vulnerability does not require authentication however it should be noted that pax must not be present on the target in order for it to be exploitable. A Zimbra patch adds pax as a requirement, so either the patch must not have been applied or pax must have been explicitly removed.

FortiOS, FortiProxy, and FortiSwitchManager Authentication Bypass (CVE-2022-40684)

Community member heyder submitted an exploit for multiple Fortinet products this week. The exploit involves an authentication bypass that is leveraged to establish an SSH session with the target. Unfortunately, the tested FortiGate v7.2.1 instance used during testing indicated that the target could not be used for SSH port forwarding.

Improved Qualys Scan Import Performance

Metasploit is capable of importing scan data produced by a variety of tools such as Qualys and Nessus. This week jmartin switched the XML parser used while processing Qualys scan files to obtain a dramatic performance improvement. Scans data which previously took hours to import takes only a few minutes now.

New module content (4)

• Unauthenticated information disclosure such as configuration, credentials and camera snapshots of a vulnerable Hikvision IP Camera by Monte Crypto and h00die-gr3y, which exploits CVE-2017-7921 – This adds an auxiliary module that leverages an authentication bypass vulnerability in Hikvision IP cameras (CVE-2017-7921) to disclose information such as detailed hardware and software configuration, user credentials, and camera snapshots.
• Fortinet FortiOS, FortiProxy, and FortiSwitchManager authentication bypass. by Heyder Andrade and Zach Hanley, which exploits CVE-2022-40684 – This PR adds a remote code execution exploit module for CVE-2022-4068 affecting some Fortinet products
• TAR Path Traversal in Zimbra (CVE-2022-41352) by Alexander Cherepanov, Ron Bowes, and yeak, which exploits CVE-2022-41352 – This adds a module that exploits a symlink-based path traversal vulnerability in cpio to get unauthenticated remote code execution as the zimbra user. This vulnerability is identified as CVE-2022-41352. The module generates a .tar file that will need to be emailed to any user on the target Zimbra server.
• Zimbra sudo + postfix privilege escalation by EvergreenCartoons and Ron Bowes, which exploits CVE-2022-3569 – This adds a new module to exploit a vulnerable sudo configuration in Zimbra that permits the zimbra user to execute postfix as root. In turn, postfix can execute arbitrary shell scripts and get command execution as the root user. Currently, as of 2022-10-14, all versions of Zimbra are vulnerable.

Enhancements and features (4)

• #16982 from h00die – Updates the Dell iDRAC login scanner to work with version 8 and version 9
• #17135 from k0pak4 – This adds proper namespace to the hash identification library to avoid any potential collision with the constants defined previously.
• #17140 from nfsec – The Metasploit Docker image’s Alpine version has been bumped from 3.12 to 3.15.
• #17154 from jmartin-r7 – The process for importing Qualys scan data has been switched over from REXML to using Nokigiri::XML and XPath for improved performance.

Bugs fixed (1)

• #17157 from k0pak4 – Setting the global options to set LHOST for all modules will now be properly respected when loading a module, whereas before only the globally set RHOST option would be respected.

Get it

As always, you can update to the latest Metasploit Framework with msfupdate
and you can get more details on the changes since the last blog post from
GitHub:

• Pull Requests 6.2.22…6.2.23
• Full diff 6.2.22…6.2.23

If you are a git user, you can clone the Metasploit Framework repo (master branch) for the latest.
To install fresh without using git, you can use the open-source-only Nightly Installers or the
binary installers (which also include the commercial edition).

Post Syndicated from Spencer McIntyre original https://blog.rapid7.com/2022/07/29/metasploit-weekly-wrap-up-169/

Roxy-WI Unauthenticated RCE

This week, community member Nuri Çilengir added an unauthenticated RCE for Roxy-WI. Roxy-WI is an interface for managing HAProxy, Nginx and Keepalived servers. The vulnerability can be triggered by a specially crafted POST request to a Python script where the ipbackend parameter is vulnerable to OS command injection. The result is reliable code execution within the context of the web application user.

Fewer Meterpreter Scripts

Community member bcoles removed multiple Meterpreter scripts which have been deprecated for years. Metasploit’s documentation has omitted details on how to write them since 2014 and removing the existing ones in favor of their new post-module equivalents ensures users are using the most up-to-date code and workflows. Post modules have a number of advantages over Meterpreter scripts and Metasploit has equivalents for each of the Meterpreter scripts that were removed.

Helpful Suggestions

Msfconsole will now suggest datastore option names when an invalid option is specified. This should help users understand when they make a mistake and misspell an option name. The original behavior would just set the invalid option which may leave the user confused when they think they set one thing but the option did not actually change.

For example, prior to these changes setting LHSOT (instead of LHOST) the option would just be set, effectively not doing anything.

msf6 exploit(windows/smb/psexec) > set LHSOT 192.168.169.1
LHSOT => 192.168.169.1

Now the new behavior will identify that LHSOT is not valid in the current context and will suggest setting LHOST instead.

msf6 exploit(windows/smb/psexec) > set LHSOT 192.168.159.1
[-] Unknown datastore option: LHSOT. Did you mean LHOST?
msf6 exploit(windows/smb/psexec) >

New module content (1)

• Roxy-WI Prior to 6.1.1.0 Unauthenticated Command Injection RCE by Nuri Çilengir, which exploits CVE-2022-31137

Enhancements and features (6)

• #16774 from zeroSteiner – The set command has been updated so that if an invalid datastore option is provided, a suggestion will be made for a valid datastore option, where possible. Additionally, the behavior has been changed so that one can no longer set a datastore value that is not valid within the given content.
• #16798 from bcoles – The deprecated scripts/meterpreter/pml_driver_config.rb script has been removed from Metasploit since Metasploit scripts have been deprecated for over 5 years now. Please use exploit/windows/local/service_permissions instead which contains a more modern implementation of the same principle this exploit utilized.
• #16801 from bcoles – The deprecated scripts/meterpreter/schelevator.rb script has been removed in favor of exploit/windows/local/ms10_092_schelevator. Scripts were deprecated over 5 years ago and should no longer be used.
• #16823 from bcoles – The deprecated scripts/meterpreter/prefetchtool.rb has been removed and replaced with the post/windows/gather/enum_prefetch.rb post module.
• #16830 from bcoles – Remove deprecated scripts/meterpreter/getvncpw.rb script in favor of the post/windows/gather/credentials/vnc post module which is more modern and has more features.
• #16831 from bcoles – Remove the deprecated scripts/meterpreter/get_env.rb in favor of the post/multi/gather/env post module.

Bugs fixed (6)

• #16094 from 3V3RYONE – A bug has been fixed in the pg_ctl.rb helper whereby it was possible that initializing and starting databases using msfdb init might fail due to the pg_ctl.rb helper not properly setting unix_socket_directories to a path that a non-root user can write to. This code has now been updated so that it will set the unix_socket_directories setting to a path that the current user can write to or will error out if it cannot find a writeable directory to use for the socket file.
• #16668 from sempervictus – A bug has been fixed in the HTTP crawler module and its associated library whereby the code expected an object to be populated when it may not be. This has been fixed with additional validation.
• #16810 from entity0xfe – The host command has been updated to fix a bug whereby the -t flag was not properly accepting the <tag> parameter that it was supposed to accept and process. Additionally, the documentation for this option has been updated to be clearer.
• #16817 from jmartin-r7 – Several modules and libraries were previously calling Msf::Config.get_config_root which did not properly account for changes to the configuration path that the user might make. These calls have been replaced with calls to Msf::Config.config_directory which will appropriately take the user’s configuration settings into account.
• #16819 from adfoster-r7 – A bug has been fixed whereby running the hosts command with the -c flag to filter by columns would result in a stack trace. The command now correctly returns the output with only the columns specified to the -c flag.
• #16824 from bcoles – A bug has been fixed in the is_admin? and is_system? post exploitation methods, which previously incorrectly reported the user as always being an administrator and a system user respectively when run on shell sessions.

Get it

As always, you can update to the latest Metasploit Framework with msfupdate
and you can get more details on the changes since the last blog post from
GitHub:

• Pull Requests 6.2.8…6.2.9
• Full diff 6.2.8…6.2.9

If you are a git user, you can clone the Metasploit Framework repo (master branch) for the latest.
To install fresh without using git, you can use the open-source-only Nightly Installers or the
binary installers (which also include the commercial edition).

Post Syndicated from Spencer McIntyre original https://blog.rapid7.com/2022/04/15/metasploit-wrap-up-152/

Meterpreter Debugging

A consistent message Metasploit hears from users is that debugging and general logging support could be improved. The gaps in functionality make it difficult for users to understand what happens when things go wrong and for new and existing developers to fix bugs and add new features. The Metasploit team has been trying to improve this in various parts of the framework, the most recent being Meterpreter. Meterpreter payloads now have additional debugging options that can be used to inspect the internal workings of the payload as it is running. These options include MeterpreterDebugLogging, which can be used to select where the log file is placed on the remote machine, and MeterpreterDebugBuild, which controls whether or not the deployed Meterpreter supports debugging. For many Meterpreter builds, the additional debugging information would include large, easily signature-able strings that should not be present for typical operations. For this reason, users on active engagements that do not require additional logging should leave this setting off.

This functionality pairs nicely with the recently added SessionTlvLogging option, which can display the C2 traffic used by Meterpreter. With these options, both the internal state and the individual requests and responses can be inspected to understand what is happening. This should hopefully contribute to making Meterpreter a little less enigmatic.

WordPress Library Improvement

Metasploit contains quite a few modules targeting various WordPress vulnerabilities, many of which are in plugins. Almost all of these modules utilize the common WordPress library that Metasploit provides. This week that library was improved to properly handle target WordPress configurations that do not place the REST API under the standard /index.php/ path. This should improve the reliability of these modules by properly accounting for the target’s configuration.

Enhancements and features (5)

• #16377 from sjanusz-r7 – The Python Meterpreter payload now supports creation of a debug build with the MeterpreterDebugBuild datastore option. By default logging will be output to the console that the payload was run in. A new MeterpreterDebugLogging datastore option allows writing these log files on the host that ran the payload.
• #16396 from sjanusz-r7 – The PHP Meterpreter payload now supports creation of a debug build with the MeterpreterDebugBuild datastore option. By default logging will be output to the console the payload was run in. A new MeterpreterDebugLogging datastore option allows for writing these log files on the host that ran the payload.
• #16411 from jmartin-r7 – Improves the RPC analyze host functionality to return additional module suggestion metadata such as invalid options or missing module requirements.
• #16418 from adfoster-r7 – This adds the boilerplate for placing the debugging Meterpreter sessions wiki page to the docs site.
• #16451 from dwelch-r7 – This ensures that if MeterpreterDebugBuild is enabled, that the debug versions of the extensions are also used. This allows extensions can now also output debug messages visible via tools such as dbgview, which can be helpful when debugging payloads or Meterpreter extensions.

Bugs fixed (2)

• #16221 from gwillcox-r7 – This fixes WordPress support to work with sites where the REST API is not under /index.php/.
• #16455 from adfoster-r7 – This removed the requirement for railgun support in modules that used the Post::File mixin, enabling better identification of modules usable against an existing session.

Get it

As always, you can update to the latest Metasploit Framework with msfupdate
and you can get more details on the changes since the last blog post from
GitHub:

• Pull Requests 6.1.37…6.1.38
• Full diff 6.1.37…6.1.38

If you are a git user, you can clone the Metasploit Framework repo (master branch) for the latest.
To install fresh without using git, you can use the open-source-only Nightly Installers or the
binary installers (which also include the commercial edition).

Post Syndicated from Spencer McIntyre original https://blog.rapid7.com/2022/03/25/metasploit-weekly-wrap-up-154/

Capture Plugin

Capturing credentials is a critical and early phase in the playbook of many offensive security testers. Metasploit has facilitated this for years with protocol-specific modules all under the auxiliary/server/capture. Users can start and configure each of these modules individually, but now the capture plugin can streamline the process. The capture plugin can easily start 13 different services (17 including SSL enabled versions) on the same listening IP address including remote interfaces via Meterpreter. A configuration file can be used to select individual services to start and once finished, all services can easily be stopped using a single command.

To use the plugin, it must first be loaded. That will provide the captureg command (for Capture-Global) which then offers start and stop subcommands. In the following example, the plugin is loaded, and then all default services are started on the 192.168.159.128 interface.

msf6 > load capture
[*] Successfully loaded plugin: Credential Capture
msf6 > captureg start --ip 192.168.159.128
Logging results to /home/smcintyre/.msf4/logs/captures/capture_local_20220325104416_589275.txt
Hash results stored in /home/smcintyre/.msf4/loot/captures/capture_local_20220325104416_612808
[+] Authentication Capture: DRDA (DB2, Informix, Derby) started
[+] Authentication Capture: FTP started
[+] HTTP Client MS Credential Catcher started
[+] HTTP Client MS Credential Catcher started
[+] Authentication Capture: IMAP started
[+] Authentication Capture: MSSQL started
[+] Authentication Capture: MySQL started
[+] Authentication Capture: POP3 started
[+] Authentication Capture: PostgreSQL started
[+] Printjob Capture Service started
[+] Authentication Capture: SIP started
[+] Authentication Capture: SMB started
[+] Authentication Capture: SMTP started
[+] Authentication Capture: Telnet started
[+] Authentication Capture: VNC started
[+] Authentication Capture: FTP started
[+] Authentication Capture: IMAP started
[+] Authentication Capture: POP3 started
[+] Authentication Capture: SMTP started
[+] NetBIOS Name Service Spoofer started
[+] LLMNR Spoofer started
[+] mDNS Spoofer started
[+] Started capture jobs
msf6 >

NATed Services

This week Metasploit added features to libraries that provide listening services like HTTP, FTP, LDAP, etc. that allow them to be bound to an explicit IP address and port combination that is independent of what is typically the SRVHOST option. This is particularly useful for modules to be used in scenarios where the target needs to connect to Metasploit through either a NAT or port-forward configuration. The use of this feature mimics the existing functionality that’s provided by the reverse_tcp and reverse_http(s) payload stagers.

When a user needs the target to connect to 10.2.3.4, the Metasploit user would set that as the SRVHOST. If, however, that IP address is the external interface of a router with a port forward, Metasploit won’t be able to bind to it. To fix that, users can now set the ListernBindAddress option to one that Metasploit can listen on. In this case, the IP address that the router will forward the incoming connection to.

For example, with the network configuration:

Private IP: 172.31.21.26 (where Metasploit can bind to)
External IP: 10.2.3.4 (where the target connects to Metasploit)

The Metasploit module commands would be:

set srvhost 10.2.3.4
set ListenerBindAddress 172.31.21.26

set lhost 10.2.3.4
set ReverseListenerBindAddress 172.31.21.26

Enhancements and features (4)

• #16249 from gwillcox-r7 – This expands on the work done in https://github.com/rapid7/metasploit-framework/pull/16164 and adds in a new library named Msf::Exploit::Remote::HTTP::Exchange which will allow for future Exchange library functions.
• #16250 from zeroSteiner – Adds new ListenerBindPort and ListenerBindAddress options on modules which expose services such as HTTP, SMB, LDAP, FTP, etc. This allows users to specify a separate IP/Port to bind to, in addition to providing SRVHOST/SRVPORT values. These additional options are useful if Metasploit is running in a network behind a NAT, or when pivoting through a compromised target. The naming convention is similar to the payload options ReverseListenerBindAddress and ReverseListenerBindPort
• #16298 from smashery – This adds the new "capture" plugin which can be used to easily start and stop credential-capturing services.
• #16352 from adfoster-r7 – The discussion tag has been added to allow for more long term discussions. This will replace the existing Discussions tab, and issues marked as such will not be automatically closed.

Bugs fixed (12)

• #16207 from h00die – The VNC libraries and associated modules have been updated to support more modern versions of VNC and to fix a few bugs so that they will work correctly with new VNC versions.
• #16309 from HynekPetrak – This fixes an issue where the ssh_login module would crash when the channel used to execute the commands to gather the platform information reported that they failed.
• #16317 from smashery – This fixes an issue with multiple modules that listen on UDP sockets where the modules were not closing and freeing the socket when their respective services were stopped.
• #16325 from sjanusz-r7 – This PR replaces IO.read with File.binread, in scenarios where it’s obvious that we’re reading from binaries, to prevent an issue where not all of the file has been read correctly due to an additional EOL<->CRLF conversion that happens on Windows.
• #16340 from bcoles – This fixes the APK injection behavior to use aapt2 if msfvenom is unable to rebuild the APK with apktool, allows more APKs to be compatible with msfvenom, and fixes a bug.
• #16341 from h00die – This fixes a bug where the auxiliary/server/capture/vnc module would not output hashes in a format compatible with John The Ripper and a bug that was causing crashes due to assuming hashes always had an associated username. Additionally, support has been added for exporting VNC hashes into a JTR compatible format for later cracking and the hash_identify function has been updated to properly identify VNC hashes allowing for better hash detection.
• #16353 from jmartin-r7 – A bug has been fixed in the Anemone library and in the HTTP crawler libraries and related module to allow pulling and setting of ssl_version from standardized options. This permits fine-grained user control and avoids issues related to missing or depreciated SSL versions in newer Ruby versions, which were at times preventing Metasploit from making successful connections to targets.
• #16358 from bcoles – This change fixes a bug in the msfvenom APK injection code, where in some situations a suitable hook point could not be found.
• #16367 from zeroSteiner – A bug was found in the way character escaping was done in apache_apisix_api_default_token_rce which has now been fixed. In addition, several updates have been made to better handle error cases that may occur when sending HTTP requests to the target.
• #16368 from zeroSteiner – This improves response time when a cache miss occurs for commands not provided by msfconsole.
• #16369 from sjanusz-r7 – This change fixes shell_to_meterpreter module to allow upgrading (or duplicating) Meterpreter sessions.
• #16371 from AlanFoster – This fixes a crash in the WebSocket library used by the Kubernetes modules that would occur when a socket method was being called that’s only provided by the Rex version.
• #16361 from bcoles – Thisadds docs for the adb_server_exec module.

Get it

As always, you can update to the latest Metasploit Framework with msfupdate
and you can get more details on the changes since the last blog post from
GitHub:

• Pull Requests 6.1.34…6.1.35
• Full diff 6.1.34…6.1.35

If you are a git user, you can clone the Metasploit Framework repo (master branch) for the latest.
To install fresh without using git, you can use the open-source-only Nightly Installers or the
binary installers (which also include the commercial edition).

Post Syndicated from Spencer McIntyre original https://blog.rapid7.com/2022/02/25/metasploit-weekly-wrap-up-2/

Exchange RCE

Exchange remote code execution vulnerabilities are always valuable exploits to have. This week Metasploit added an exploit for an authenticated RCE in Microsoft Exchange servers 2016 and server 2019 identified as CVE-2021-42321. The flaw leveraged by the exploit exists in a misconfigured denylist that failed to prevent a serialized blob from being loaded resulting in code execution. While this is an authenticated vulnerability, a standard user has sufficient permissions to trigger it which likely encompasses most users within an organization that uses Exchange. The vulnerability affects Exchange Server 2019 CU10 prior to Security Update 3, Exchange Server 2019 CU11 prior to Security Update 2, Exchange Server 2016 CU21 prior to Security Update 3, and Exchange Server 2016 CU22 prior to Security Update 2.

Chrome Password Decryption

Community member timwr updated the existing Chrome enumeration module to support decrypting passwords from modern versions of Chrome. The module can now decrypt both the new and old formats of passwords. This is helpful because when Chrome is updated, passwords in the old format are not updated to the new format.

New module content (2)

• Microweber CMS v1.2.10 Local File Inclusion (Authenticated) by Talha Karakumru – Adds a new module auxiliary/gather/microweber_lfi which targets Microweber CMS v1.2.10 and allows authenticated users to read arbitrary files on disk.
• Microsoft Exchange Server ChainedSerializationBinder Deny List Typo RCE by Grant Willcox, Microsoft Security Response Center, Microsoft Threat Intelligence Center, peterjson, pwnforsp, testanull, and zcgonvh, which exploits CVE-2021-42321 – This adds an exploit for CVE-2021-42321 which is an authenticated RCE in Microsoft Exchange. The vulnerability is related to a misconfigured deny-list that fails to properly prevent malicious serialized objects from being loaded, leading to code execution.

Enhancements and features

• #16061 from shoxxdj – The wordpress_scanner module has been updated to support enumerating WordPress users using the wp-json API.
• #16200 from timwr – This updates post/windows/enum_chrome to support decrypting stored passwords for Chrome versions greater than 80.

Bugs fixed

• #16197 from adfoster-r7 – This fixes an edge case when reading files on Windows, and fixes Ruby 3 crashes when reading files.
• #16215 from bwatters-r7 – This updates payloads version to 2.0.75, taking in the changes landed in https://github.com/rapid7/metasploit-payloads/pull/542 and fixes a bug in Windows Meterpreter getsystem command where a failed attempt to elevate can result in a partially-broken session.
• #16093 from h00die – A number of broken URL references have been fixed in Metasploit modules. In addition, the tools/modules/module_reference.rb code has been updated to log redirects so that they can be appropriately triaged later and to support saving results to a CSV file. Finally, several modules had their code adjusted to conform to RuboCop standards.

Get it

As always, you can update to the latest Metasploit Framework with msfupdate
and you can get more details on the changes since the last blog post from
GitHub:

• Pull Requests 6.1.30…6.1.31
• Full diff 6.1.30…6.1.31

If you are a git user, you can clone the Metasploit Framework repo (master branch) for the latest.
To install fresh without using git, you can use the open-source-only Nightly Installers or the
binary installers (which also include the commercial edition).