Post Syndicated from Brendan Watters original https://blog.rapid7.com/2022/01/21/metasploit-wrap-up-145/
while (j==shell); Log4j;
The Log4j loop continues as we release a module targeting vulnerable vCenter releases. This is a good time to suggest that you check your vCenter releases and maybe even increase the protection surrounding them, as it’s been a rough year-plus for vCenter.
Let your shell do the walking
bcoles sent us a module that targets Grandstream GXV3175IP phones that allows remote code execution. It’s always fun to get a shell on a phone.
New module content (2)
- Grandstream GXV3175 ‘settimezone’ Unauthenticated Command Execution by Brendan Scarvell, alhazred, and bcoles, which exploits CVE-2019-10655 – A new module has been added in that exploits CVE-2019-10655, an unauthenticated remote code execution bug in Grandstream GXV3175. Authentication is bypassed via a buffer overflow in the way the
phonecookiecookie is parsed, after which a command injection vulnerability in the ‘settimezone’ action’s ‘timezone’ parameter is exploited to gain RCE as the
- VMware vCenter Server Unauthenticated JNDI Injection RCE (via Log4Shell) by RageLtMan, Spencer McIntyre, jbaines-r7, and w3bd3vil, which exploits CVE-2021-44228 – This PR adds a vCenter-specific exploit leveraging the Log4Shell vulnerability to achieve unauthenticated RCE as root / SYSTEM. This exploit has been tested on both Windows and Linux targets.
Enhancements and features
- #16075 from bcoles – The
post/multi/manage/sudomodule has been enhanced to print out a warning message and exit early if the session type that is trying to be upgraded via
sudois Meterpreter, since Meterpreter does not support sudo elevation at present.
- #16029 from cdelafuente-r7 – A bug existed in the
lib/msf/core/opt_path.rbwhereby the path parameter passed in wasn’t checked to see if it was empty prior to calling
File.expand_pathon it. In these cases the path returned would be that of the current directory, which could lead to unexpected results. This has been fixed with improved validation to ensure that the path parameter is not an empty string prior to expanding the path.
- #16058 from bcoles – This change fixes a bug where a stack trace was printed in post/multi/recon/local_exploit_suggester when an invalid session option was specified.
- #16063 from bcoles – A bug has been fixed in the
local_admin_search_enummodule whereby a typo was causing the module to crash on an undefined variable. The typo has been corrected and the module now accesses the correct variable. This has been addressed by fixing the typo, which should now make the module access the correct variable.
- #15727 from NeffIsBack – This PR adds more robust NTLM message parsing with better error handling and messaging when pulling out the NTLM hashes.
As always, you can update to the latest Metasploit Framework with
and you can get more details on the changes since the last blog post from
If you are a
git user, you can clone the Metasploit Framework repo (master branch) for the latest.
To install fresh without using git, you can use the open-source-only Nightly Installers or the
binary installers (which also include the commercial edition).