Post Syndicated from Simon Janusz original https://blog.rapid7.com/2022/01/14/metasploit-weekly-wrap-up/

Log4Shell goodness

Log4Shell made an unfortunate end to 2021 for many organizations, but it also makes for some great additions to Metasploit Framework. Contributors sempervictus, schierlm, righel, timwr and our very own Spencer McIntyre have collaborated to bring us a Log4Shell module that uses header stuffing to exploit vulnerable HTTP servers, resulting in Remote Code Execution.

SonicWall SSL VPN module for Rapid7-discovered vulnerability

Rapid7 disclosed the technical details of five vulnerabilities discovered by jbaines-r7 affecting SonicWall’s SMA-100 series of SSL VPN devices. The disclosure included landing a Metasploit module that gives remote and authenticated attackers root access to the device using CVE-2021-20039.

Pi-Hole command execution and common exploit library

An exciting new addition has worked its way into Metasploit Framework this week. Contributor h00die has created an authenticated RCE module that takes advantage of improper escaping of characters in Pi-Hole’s Top Domains API’s validDomainWildcard field. H00die has also created a library that aims to make developing future Pi-Hole modules easier.

New module content (5)

• Pi-Hole Top Domains API Authenticated Exec by SchneiderSec and h00die, which exploits CVE-2021-32706 – This adds an auxiliary module that executes commands against Pi-Hole versions <= 5.5. This also introduces a Pi-Hole library for common functionality required in exploits against the service.

• SonicWall SMA 100 Series Authenticated Command Injection by jbaines-r7, which exploits CVE-2021-20039 – This adds a module that exploits an authenticated command injection vulnerability in multiple versions of the SonicWALL SMA 100 series web interface. In the SSL certificate deletion functionality, the sanitization logic permits the \n character which acts as a terminator when passed to a call to system(). An authenticated attacker can execute arbitrary commands as the root user.

• Log4Shell HTTP Header Injection by sinn3r, juan vazquez, Michael Schierl, RageLtMan, and Spencer McIntyre, which exploits CVE-2021-44228 – This adds an exploit for HTTP servers that are affected by the Log4J/Log4Shell vulnerability via header stuffing.

• Microsoft Windows SMB Direct Session Takeover by usiegl00 – This adds a new exploit module that implements the Shadow Attack, SMB Direct Session takeover. Before running this module, a MiTM attack needs to be performed to let it intercept SMB authentication requests between a client and a server. by using any kind of ARP spoofer/poisoner tools in addition to Metasploit. If the connecting user is an administrator and network logins are allowed to the target machine, this module will execute an arbitrary payload.

• #12217 from SkypLabs – This adds the f5 load balancer cookie to notes, and cleans up the module (rubocop/documentation/refs)

Enhancements and features

• #15656 from HynekPetrak – This enables the vmware_vcenter_vmdir_auth_bypass module to create an admin user even if the target is not vulnerable to CVE-2020-3952, assuming we have obtained valid credentials to the vCenter LDAP directory.
• #16021 from zeroSteiner – This adds additional tests for Meterpreter’s mkdir/rmdir functionality to ensure uniform implementations across all Meterpreters
• #16024 from sjanusz-r7 – This adds in a new command to Meterpreter that allows the end user to kill all channels at once
• #16040 from jmartin-r7 – Removes Ruby 2.5 support as it is officially end of life

Bugs fixed

• #16016 from bwatters-r7 – This fixes an issue in the auxiliary/scanner/dcerpc/hidden module where the RHOSTS datastore option was not available, resulting in hosts not being scanned.
• #16027 from zeroSteiner – This fixes an issue with tab completion for the generate command. Completion now works with both the -f and -o flags.
• #16043 from shoxxdj – Fixes crash in the auxiliary/scanner/http/wordpress_scanner.rb module when attempting to scan themes

Get it

As always, you can update to the latest Metasploit Framework with msfupdate
and you can get more details on the changes since the last blog post from
GitHub:

• Pull Requests 6.1.23…6.1.25
• Full diff 6.1.23…6.1.25

If you are a git user, you can clone the Metasploit Framework repo (master branch) for the latest.
To install fresh without using git, you can use the open-source-only Nightly Installers or the
binary installers (which also include the commercial edition).

Post Syndicated from Grant Willcox original https://blog.rapid7.com/2021/10/29/metasploit-wrap-up-136/

OMIGOD It’s RCE

We are excited to announce that we now have a module for the OMIGOD vulnerability that exploits CVE-2021-38647 courtesy of our very own Spencer McIntyre! Successful exploitation will allow an unauthenticated attacker to gain root level code execution against affected servers. Given that this has seen exploitation in the wild by the Mirai botnet, we hope you’re patched, lest your servers decide to join the zombie horde this Halloween!

Sophos Contributes to the RCE Pile

Continuing the trend of unauthenticated RCE exploits that grant root level code execution, this week we also have an exploit for CVE-2020-25223, an unauthenticated RCE within the Sophos UTM WebAdmin service. Whilst we haven’t yet seen exploitation in the wild of this bug, this is definitely one to patch given its severity. Stay frosty folks!

Guess Who’s Back, Back Again, Apache’s Back, Tell a Friend

Whilst not a marshalling bug (I’m sorry, it’s Halloween some puns are needed), community contributors Ash Daulton, Dhiraj Mishra, and mekhalleh (RAMELLA Sébastien), have added a scanner and exploit for CVE-2021-41773 and CVE-2021-42013, which was based off of work from RootUp, ProjectDiscovery, and HackerFantastic. Path traversal vulnerabilities are relatively easy to exploit, and this got a lot of attention in the news since it’s been a long time since Apache has seen a reliable RCE exploit against it. This is definitely one to patch if you’re running any Apache servers. Successful exploitation will result in remote code execution as the user running the Apache server.

New module content (6)

• Squid Proxy Range Header DoS by Joshua Rogers, which exploits CVE-2021-31806 and CVE-2021-31807 – This adds a module that leverages CVE-2021-31806 and CVE-2021-31807 to trigger a denial of service condition in vulnerable Squid proxy servers.
• Apache 2.4.49/2.4.50 Traversal RCE scanner by Ash Daulton, Dhiraj Mishra, and mekhalleh (RAMELLA Sébastien), which exploits CVE-2021-41773 and CVE-2021-42013 – This adds both a scanner and exploit module for the two recent path traversal vulnerabilities in the apache2 HTTP server. The RCE module requires mod_cgi to be enabled but can be exploited remotely without any authentication. These vulnerabilities are identified as CVE-2021-41773 and CVE-2021-42013.
• Sophos UTM WebAdmin SID Command Injection by wvu and Justin Kennedy, which exploits CVE-2020-25223 – This adds an exploit for CVE-2020-25223 which is an unauthenticated RCE within the Sophos UTM WebAdmin service. Exploitation results in OS command execution as the root user.
• Microsoft OMI Management Interface Authentication Bypass by wvu, Nir Ohfeld, Shir Tamari, and Spencer McIntyre, which exploits CVE-2021-38647 – We added an unauthenticated RCE exploit for Microsoft OMI "OMIGOD" CVE-2021-38647. Successful exploitation grants code execution as the root user.
• Apache 2.4.49/2.4.50 Traversal RCE by Ash Daulton, Dhiraj Mishra, and mekhalleh (RAMELLA Sébastien), which exploits CVE-2021-41773 and CVE-2021-42013 – This adds both a scanner and exploit module for the two recent path traversal vulnerabilities in the apache2 HTTP server. The RCE module requires mod_cgi to be enabled but can be exploited remotely without any authentication. These vulnerabilities are identified as CVE-2021-41773 and CVE-2021-42013.
• Browse the session filesystem in a Web Browser by timwr – This adds a post module that allows the user to view the Meterpreter sessions filesystem via a locally hosted web page.

Enhancements and features

• #15681 from smashery – This adds support for reverse port forwarding via established SSH sessions.
• #15778 from k0pak4 – This PR adds documentation for the http trace scanner.
• #15788 from zeroSteiner – When generating a Powershell command payload would exceed the maximum length allowed to successfully execute, gracefully fall back to omitting an ASMI bypass.
• #15803 from k0pak4 – This adds f5_bigip_virtual_server scanner documentation.

Bugs fixed

• #15799 from adfoster-r7 – This fixes a crash in the iis_internal_ip module.

Get it

As always, you can update to the latest Metasploit Framework with msfupdate and you can get more details on the changes since the last blog post from GitHub:

• Pull Requests 6.1.11…6.1.12
• Full diff 6.1.11…6.1.12

If you are a git user, you can clone the Metasploit Framework repo (master branch) for the latest version of Metasploit Framework. To install fresh without using git, you can use the open-source-only Nightly Installers or the binary installers (which also include the commercial edition).

Post Syndicated from Dean Welch original https://blog.rapid7.com/2021/10/22/metasploit-wrap-up-135/

We just couldn’t contain ourselves!

This week we’ve got two Kubernetes modules coming at you from adfoster-r7 and smcintyre-r7. First up is an enum module auxiliary/cloud/kubernetes/enum_kubernetes that’ll extract a variety of information including the namespaces, pods, secrets, service token information, and the Kubernetes environment version! Next is an authenticated code execution module exploit/multi/kubernetes/exec (which shipped with a new websocket implementation, too, by the way) that will spin up a new pod with a Meterpreter payload for you provided you have the Kubernetes JWT token and access to the Kubernetes REST API. These modules can even be run through a compromised container that may be running on the Kubernetes cluster.

Atlassian Confluence WebWork OGNL Injection gets Windows support

You might remember Confluence Server CVE-2021-26084 making an appearance in a wrap-up last month, and it’s back! Rapid7’s own wvu-r7 has updated his Confluence Server exploit to support Windows targets.

New module content (2)

• Kubernetes Enumeration by Spencer McIntyre and Alan Foster – This adds a module for enumerating Kubernetes environments. It can be run via an established session within a Kubernetes environment or with an authentication token and target information. It will extract a variety of information including the namespaces, pods, secrets and version.
• Kubernetes authenticated code execution by Spencer McIntyre and Alan Foster – Adds a new exploit/multi/kubernetes/exec module. It can be run via an established session within a Kubernetes environment or with an authentication token and target information. The module creates a new pod which will execute a Meterpreter payload to open a new session, as well as mounting the host’s file system when possible.

Enhancements and features

• #15732 from dwelch-r7 – Adds terminal size synchronisation for fully interactive shells against Linux environments with shell -it. This functionality is behind a feature flag and can be enabled with features set fully_interactive_shells true.
• #15769 from wvu-r7 – Added Windows support to the Atlassian Confluence CVE-2021-26084 exploit.
• #15773 from adfoster-r7 – Adds a collection of useful commands for configuring a local or remote Kubernetes environment to aid with testing and exploring Metasploit’s Kubernetes modules and pivoting capabilities. The resource files include deploying two vulnerable applications, and populating secrets which can be extracted and stored as loot, as well as utility commands for creating admin and service account tokens.

Bugs fixed

• #15760 from adfoster-r7 – Fixes an issue when attempting to store JSON loot, where the extension was always being set to bin instead of json.

Get it

As always, you can update to the latest Metasploit Framework with msfupdate
and you can get more details on the changes since the last blog post from
GitHub:

• Pull Requests 6.1.10…6.1.11
• Full diff 6.1.10…6.1.11

If you are a git user, you can clone the Metasploit Framework repo (master branch) for the latest.
To install fresh without using git, you can use the open-source-only Nightly Installers or the
binary installers (which also include the commercial edition).

Post Syndicated from Brendan Watters original https://blog.rapid7.com/2021/10/15/metasploit-wrap-up-134/

An Especially Spooky Season for Moodle

This release has not one, two, or three, but FOUR authenticated Moodle exploit modules, or should I say moodules? H00die comes through again with not just modules, but also an artisanal, bespoke library to support further work. Two target the spell check functions in Moodle, one is a shell upload using administrative credentials, and one allows teachers to get ahead by declaring themselves administrators!

More Information on Forwarded Sessions and Jobs

To get through networks, sometimes red teamers need to connect sessions and forward traffic through a “red network” of hosts to gain access to a target of interest on an interior network. Smashery has added features to the sessions and jobs information reporting that reflects the status of a forwarded connection and which sessions it is using for its connection. This helps users keep track of an already tricky [or treaty] situation juggling sessions and forwarded connections.

New module content (4)

• Moodle Admin Shell Upload by AkkuS and h00die, which exploits CVE-2019-11631 – Allows an attacker to generate a plugin which can receive a malicious payload request and upload it to a server running Moodle, provided valid admin credentials are used.
• Moodle Authenticated Spelling Binary RCE by Brandon Perry, which exploits CVE-2013-4341 – This exploit takes advantage of the fact Moodle allows an authenticated administrator to define spell check settings via the web interface, allowing an administrator can update the aspell path to include a command injection.
• Moodle SpellChecker Path Authenticated Remote Command Execution by Adam Reiser and h00die, which exploits CVE-2021-21809 – Similar to the previous module, this module attacks the spell checker from a different avenue, allowing a user to
• Moodle Teacher Enrollment Privilege Escalation to RCE by HoangKien1020, h00die, and lanz, which exploits CVE-2020-14321 – A bug in the privileges system allows a teacher to add themselves as a manager to their own class, and then add any other users, including someone with manager privileges on the system (not just the class).

Enhancements and features

• #15706 from smashery – The reverse shell handlers in Metasploit have been updated. When catching a shell via a route that goes through another existing session, Metasploit will now note which session the new session originated from. This helps users determine how shells were obtained when they use an existing session to acquire another session within a target’s network. Additional information has been applied to job information which provides users with more clarity when looking at jobs.

Get it

As always, you can update to the latest Metasploit Framework with msfupdate
and you can get more details on the changes since the last blog post from
GitHub:

• Pull Requests 6.1.9…6.1.10
• Full diff 6.1.9…6.1.10

If you are a git user, you can clone the Metasploit Framework repo (master branch) for the latest.
To install fresh without using git, you can use the open-source-only Nightly Installers or the
binary installers (which also include the commercial edition).

[Modified] Image credit https://commons.wikimedia.org/wiki/File:Halloween_Jack-o’-lantern.jpg

Post Syndicated from Simon Janusz original https://blog.rapid7.com/2021/10/08/metasploit-wrap-up-133/

Telemetry is for gathering data, not executing commands as root, right?…

This week’s highlight is a new exploit module by our own wvu for VMware vCenter Server CVE-2021-22005, a file upload vuln that arises from a flaw in vCenter’s analytics/telemetry service, which is enabled by default. Attackers with network access to port 443 can upload a specially crafted file, after which commands can be executed as the root user without prior authentication. As usual, this latest vCenter Server vulnerability was exploited in the wild quickly after details were released. See Rapid7’s full technical analysis in AttackerKB.

Good ol’ Netfilter

This week’s release also includes a privilege escalation module for a Linux kernel vulnerability in Netfilter that lets you get a root shell through an out-of-bounds write. The vulnerability was discovered by Andy Nguyen and has been present in the Linux kernel for the past 15 years. The module currently supports 18 versions of the Ubuntu kernel ranging between 5.8.0-23 to 5.8.0-53 thanks to bcoles, and there are plans to add further support for kernel versions 4.x in the future, once an ROP chain for said version is created.

New module content (3)

• VMware vCenter Server Analytics (CEIP) Service File Upload by wvu, Derek Abdine, George Noseevich, Sergey Gerasimov, and VMware, which exploits CVE-2021-22005 – This adds an exploit for CVE-2021-22005 which is an unauthenticated RCE within the VMWare vCenter appliance.
• Netfilter x_tables Heap OOB Write Privilege Escalation by Andy Nguyen (theflow0), Szymon Janusz and bcoles, which exploits CVE-2021-22555 – This PR adds a module for CVE-2021-22555, a 15-year-old heap out-of-bounds write vulnerability in Linux Netfilter.
• Diagnostic State by Jay Turla – Adds a new post/hardware/automotive/diagnostic_state module which will keep the vehicle in a diagnostic state.

Enhancements and features

• #15735 from jaydesl – Fixes a Rails 6 deprecation warning when a user ran db_disconnect in msfconsole
• #15740 from h00die – Several improvements have been made to the Ghostcat module to align it with recent standards changes that the team has made and to ensure its documentation is more descriptive.
• #15750 from jmartin-r7 – Improves Ruby 3.0.2 support on Windows

Bugs fixed

• #15729 from ErikWynter – This fixes a bug in the PrintNightmare check method where if an RPC function returns a value that can’t be mapped to a Win32 error code, the module would crash.
• #15730 from adfoster-r7 – The check method for the Gitea Git hooks RCE module has been updated to correctly handle older versions of Gitea and report their exploitability as unknown vs reporting the target as not running Gitea.
• #15737 from adfoster-r7 – A bug has been fixed whereby action wasn’t correctly being set when using the action name as a command. action should now hold the right value when using the action name as a command.
• #15745 from bwatters-r7 – A bug has been fixed in tools/dev/msftidy.rb whereby if the Notes section was placed before the References section, then msftidy would end up not checking the References section and would therefore state the module didn’t have a CVE reference, even when it did.

Get it

As always, you can update to the latest Metasploit Framework with msfupdate and you can get more details on the changes since the last blog post from GitHub:

• Pull Requests 6.1.8…6.1.9
• Full diff 6.1.8…6.1.9

If you are a git user, you can clone the Metasploit Framework repo (master branch) for the latest. To install fresh without using git, you can use the open-source-only Nightly Installers or the binary installers (which also include the commercial edition).

Post Syndicated from Erran Carey original https://blog.rapid7.com/2021/10/01/metasploit-wrap-up-132/

Credential gatherers, mix-ins, oh my!

We’re excited that Metasploit now includes support for 28 related post modules for gathering credentials based on the PackRat toolset. This is a continuation of #5433, #11700, and #11719. It was developed by community contributors Kazuyoshi Maruta, Daniel Hallsworth and Barwar Salim M, for their final year projects at Leeds Beckett University with guidance, code clean-up and some additions by Z. Cliffe Schreuders.

We thank these community contributors for their months of effort and patience while getting so many modules through the code review process.

Netgear PNPX_GetShareFolderList Authentication Bypass

This auxiliary module exploits an authentication bypass in a range of different Netgear router models and firmware versions. The module leverages this vulnerability to log in as the admin user and then achieves a telnet session as root through the auxiliary/scanner/telnet/telnet_login module.

Read more about the SSD Netgear D7000 authentication bypass advisory here.

New module content (30)

• Netgear PNPX_GetShareFolderList Authentication Bypass by Grant Willcox and Unknown – The auxiliary/admin/http/netgear_pnpx_getsharefolderlist_auth_bypass module exploits an authentication bypass in various Netgear router models running firmware versions prior to 1.2.0.88, 1.0.1.80, 1.1.0.110, and 1.1.0.84. The module leverages the vulnerability to log in as the admin user and then achieves a telnet session as the root user through the auxiliary/scanner/telnet/telnet_login module.
• ECU Hard Reset by Jay Turla – Adds a new ecu_hard_reset hardware module which performs a hard reset in the ECU Reset Service Identifier (0x11)
• 28 "PackRat" credential gatherers by Barwar Salim M, Daniel Hallsworth, Kazuyoshi Maruta (@KazuCyber), and Z. Cliffe Schreuders (@cliffe) – This pull request adds 28 post-exploitation modules, based on a common mixin, known as PackRat, which gathers file and information artifacts from end users’ systems.
  • Aim credential gatherer
  • Chrome credential gatherer
  • Comodo credential gatherer
  • Coolnovo credential gatherer
  • Digsby credential gatherer
  • Flock credential gatherer
  • Gadugadu credential gatherer
  • ICQ credential gatherer
  • Ie credential gatherer
  • Incredimail credential gatherer
  • KakaoTalk credential gatherer
  • Kmeleon credential gatherer
  • LINE credential gatherer
  • Maxthon credential gatherer
  • Miranda credential gatherer
  • Opera credential gatherer
  • Operamail credential gatherer
  • Postbox credential gatherer
  • QQ credential gatherer
  • Safari credential gatherer
  • Seamonkey credential gatherer
  • Srware credential gatherer
  • Tango credential gatherer
  • Thunderbird credential gatherer
  • Tlen credential gatherer
  • Viber credential gatherer
  • Windows Live Mail credential gatherer
  • Xchat credential gatherer

Enhancements and features

• #15441 from bf9114 – This change extends the Meterpreter search functionality by adding the ability to search by modified dates across all supported Meterpreter platforms. This allows a user to quickly find files on a target system that has been modified recently, or within a specific date range.
• #15594 from h00die – This adds options to the wordpress_scanner that enables the user to only scan for wordpress themes or plugins that Metasploit has modules for.
• #15630 from zeroSteiner – This adds the option DB_SKIP_EXISTING to the AuthBrute mixin to give users the option to skip credentials already in the database when performing brute force attacks.
• #15669 from adfoster-r7 – Updates the multi/manage/screenshare module to use the Espia screenshot capabilities if present, and to gracefully fallback to using the normal screenshot behavior if it fails to load as expected.
• #15721 from zeroSteiner – Support has been added into Metasploit for negotiating SSL connections over multiple connections types including Meterpreter and SSH. As a result, users can now make HTTPS requests over pivoted sessions. Previously, if users tried to make such connections, they would be sent via plaintext instead of being SSL encrypted.
• #15722 from adfoster-r7 – The rerun command has been enhanced to support tab completion.
• #15726 from zeroSteiner – This adds the MeterpreterTryToFork option to the Mettle payloads. When set, it translates to Mettle’s :background option. When :persist is not configured it will attempt to fork the stage into the background.

Bugs fixed

• #15703 from space-r7 – This updates payload/windows/x64/encrypted_shell/reverse_tcp to no longer crash on MacOS. Additionally adds an advanced option, ShowCompileCMD, that prints the compilation command used.
• #15720 from NeffIsBack – This fixes a bug where the rhost value was incorrectly passed to the underlying scanning script, resulting in an abnormal exit.

Get it

As always, you can update to the latest Metasploit Framework with msfupdate and you can get more details on the changes since the last blog post from GitHub:

• Pull Requests 6.1.7…6.1.8
• Full diff 6.1.7…6.1.8

If you are a git user, you can clone the Metasploit Framework repo (master branch) for the latest. To install fresh without using git, you can use the open-source-only Nightly Installers or the binary installers (which also include the commercial edition).

Post Syndicated from Adam Galway original https://blog.rapid7.com/2021/09/24/metasploit-wrap-up-131/

Vulnerability is in the eye of the beholder

Exploiting firmware authored by UDP Technology and provided to multiple large OEMs (including Geutebruck), community contributor TrGFxX has authored a neat module that allows RCE as root on machines running the web interface of the Geutebruck G-Cam and G-Code products. For more information on the vulnerability check out the CISA advisory.

OpManager exploit is OP plz nerf

Our very own zeroSteiner authored a module implementing both an exploit and patch bypass for a Java deserialization vulnerability that exists in numerous versions of ManageEngine’s OpManager software. This module allows payload execution as either NT AUTHORITY\SYSTEM on Windows or root on Linux. On top of this new module, zeroSteiner made improvements to help utilize the increasingly essential YSoSerial tool. You should definitely check it out if you’re interested in exploring other Java deserialization vulns.

Putting the Win in WinRM

In a big win for Metasploit, community contributor smashery finished off their month-long effort to get fully functional shells working across WinRM! These new sessions support post modules, NTLMSSP authentication, and are also able to run without a payload in remote memory, making these sessions pretty hard to detect. This is a major improvement over the previous WinRM implementation that only supported execution of a single command, so huge thanks again to smashery.

You can tell a lot about a protocol from its handshake

In one final noteworthy addition, smashery has once again come through with a PR that significantly improves our RDP library. Metasploit users can now capture the NETBIOS computer name, NETBIOS domain name, DNS computer name, DNS domain name, and OS version from the NTLM handshake carried out over RDP, and our rdp_scanner module has been updated to display this info to all the RDP sniffers out there.

New module content (3)

• Direct windows syscall evasion technique by Yaz – This adds a new evasion module that uses direct syscalls on 64-bit versions of Windows to evade detection.
• Geutebruck instantrec Remote Command Execution by Ibrahim Ayadhi – RandoriSec and Titouan Lazard – RandoriSec, which exploits CVE-2021-33549 – This module exploits an unauthenticated buffer overflow vulnerability within the action parameter of the /uapi-cgi/instantrec.cgi endpoint in various Geutebruck G-Cam and G-Code devices. The exploit results in code execution as the root user on target devices.
• ManageEngine OpManager SumPDU Java Deserialization by Johannes Moritz, Robin Peraglie, and Spencer McIntyre, which exploits CVE-2021-3287 – The exploit/multi/http/opmanager_sumpdu_deserialization module implements an exploit (CVE-2020-28653) and patch bypass (CVE-2021-3287) for a Java deserialization vulnerability that exists in numerous versions of ManageEngine’s OpManager software. Arbitrary code execution as the NT AUTHORITY\SYSTEM user on Windows or the root user on Linux is achieved by sending a PDU to the SmartUpdateManager handler.

Enhancements and features

• #15684 from adfoster-r7 – This improves interactive shell performance for pasted user input.
• #15696 from smashery – This updates the RDP scanner module to extract and show additional information gathered from the NTLM handshake used for Network Level Authentication (NLA).
• #15632 from smashery – This improves Metasploit’s WinRM capabilities by allowing shell sessions to be established over the protocol. The shell sessions are interactive and are usable with post modules.

Bugs fixed

• #15600 from agalway-r7 – This fixes an issue with encrypted payloads during session setup. The logic that gathers session info is now located in the bootstrap method, which ensures that this functionality is always carried out before any commands are sent.
• #15666 from timwr – This fixes an issue found in Meterpreter’s download functionality where downloading a file with a name containing unicode characters would fail due to incompatible encoding.
• #15679 from nvn1729 – This fixes a bug where the tomcat_mgr_upload module was not correctly undeploying the app after exploitation occurred.
• #15686 from jmartin-r7 – This fixes a crash in msfrpc that occurs due to the exploit/linux/misc/saltstack_salt_unauth_rce module’s MINIONS option default being a regex instead of a string.
• #15695 from adfoster-r7 – This fixes a crash in the exploit/unix/local/setuid_nmap module and adds logging to print the result of the exploit’s last command so the user knows what happened in the event of a failure.
• #15697 from smashery – This updates the HTTP NTLM information enumeration module to use the Net::NTLM library for consistent data processing without a custom parser.

Get it

As always, you can update to the latest Metasploit Framework with msfupdate and you can get more details on the changes since the last blog post from GitHub:

• Pull Requests 6.1.6…6.1.7
• Full diff 6.1.6…6.1.7

If you are a git user, you can clone the Metasploit Framework repo (master branch) for the latest. To install fresh without using git, you can use the open-source-only Nightly Installers or the binary installers (which also include the commercial edition).

Post Syndicated from Christophe De La Fuente original https://blog.rapid7.com/2021/09/03/metasploit-wrap-up-128/

Capture Credentials with our new SMB Server

Our own Adam Galway revamped the old SMB capture module and now supports NTLMv1 and NTLMv2, as well as SMB1, SMB2 and SMB3. This was possible thanks to @zeroSteiner‘s new RubySMB server implementation. Metasploit is now able to capture NTLM hashes from any recent Windows releases using the SMB2 and SMB3 dialects, even with encrypted SMB traffic.

Revenge of the Clones

Earlier this year, an outstanding vulnerability in Git clients was disclosed and identified as CVE-2021-21300. It allows an attacker to execute scripts on the victim’s system when cloning a specially crafted repository onto a case-insensitive file system such as NTFS, HFS+ or APFS. Our own Shelby Pace just added a new exploit module that leverages this flaw to achieve remote code execution. First, the module creates a fake Git repository and waits for the victim to clone it. This process will deliver a post-checkout script with the payload that will be automatically executed upon checkout of the repository.

Note that for this exploit to work, the victim’s Git client must support delay-capable clean / smudge filters and symbolic links. The former is enabled by default on Windows through Git-lfs.

Don’t clone repositories you don’t trust!

Exploiting eBPF on Linux

A new local exploit module that leverages a bug in the Linux eBPF feature was added by Grant Willcox this week. This vulnerability is identified as CVE-2021-3490 and allows a local attacker to achieve code execution as the root user by conducting an out-of-bounds read and write in the Linux kernel. This is possible due to a flaw in eBPF verifier‘s verification of ALU32 operations. This module is based on @chompie1337‘s PoC code and should work on any vulnerable kernel versions (from 5.7-rc1 prior to 5.13-rc4, 5.12.4, 5.11.21, and
5.10.37). Note that, at the moment, it has only been tested on Ubuntu 20.04 (Focal Fossa) 5.8.x kernels prior to 5.8.0-53.60, Ubuntu 20.10 (Groovy Gorilla) 5.8.x kernels prior to 5.8.0-53.60, Ubuntu 21.04 (Hirsute Hippo) 5.11.x kernels prior to 5.11.0-17.18 and Fedora kernel versions 5.x from 5.7.x up to but not including 5.11.20-300. However, the module documentation includes some instructions for porting the exploit over onto other systems.

New module content (4)

• Geutebruck Multiple Remote Command Execution by Ibrahim Ayadhi, Sébastien Charbonnier, and Titouan Lazard, which exploits CVE-2021-33554 – A new module has been added which bypasses authentication and exploits CVE-2021-33544, CVE-2021-33548, and CVE-2021-33550-33554 on Geutebruck G-Cam EEC-2xxx and G-Code EBC-21xx, EFD-22xx, ETHC-22xx, and EWPC-22xx devices running firmware versions <= 1.12.0.27 as well as firmware versions 1.12.13.2 and 1.12.14.5. Successful exploitation results in remote code execution as the root user.
• Linux eBPF ALU32 32-bit Invalid Bounds Tracking LPE by Grant Willcox, Manfred Paul, and chompie1337, which exploits ZDI-21-606 – This adds a module that uses @chompie1337’s CVE-2021-3490 PoC code to elevate privileges to root on affected Linux systems. It’s been tested to work on clean installs of Ubuntu 21.04, Ubuntu 20.10, Ubuntu 20.04.02, as well as Fedora running affected versions of the 5.7, 5.8, 5.9, 5.10 and 5.11 kernels.
• Git LFS Clone Command Exec by Johannes Schindelin, Matheus Tavares, and Shelby Pace, which exploits CVE-2021-21300 – An exploit module has been added for CVE-2021-21300, a RCE vulnerability in affected Git clients that support delay-capable clean / smudge filters and symbolic links on case-insensitive file systems. Additionally, a set of mixins that aid in exploiting Git clients over the Smart HTTP protocol have been added into Metasploit and the code for older Git-related exploits has been updated to utilize some of this new code.
• Overhaul SMB auth capture server from agalway-r7 – This updates the SMB capture server to be compatible with clients using the SMB 2 and SMB 3 dialects. SMB 1 has not been enabled in Windows 10 since v1709 was released in 2017. This allows the module to be compatible with recent releases.

Enhancements and features

• #15253 from adfoster-r7 – Updates Metasploit to support URI arguments to set module datastore values. The currently supported protocols are http, smb, mysql, postgres, and ssh.
• #15537 from adfoster-r7 – Adds support for Ruby 3
• #15582 from bcoles – The code for Msf::Post::Linux::Kernel.unprivileged_bpf_disabled? has been updated to support new values supported by kernel.unprivileged_bpf_disabled which were introduced in Linux kernels since 5.13 and 5.14-rc+HEAD, particularly the value 2 which means Unprivileged calls to bpf() are disabled, whereas the value 1 is now used to indicate Unprivileged calls to bpf() are disabled without recovery
• #15606 from adfoster-r7 – Improves Python Meterpreter to gracefully handle unsupported command ids, and cleaning up process objects correctly. Additionally enhances mingw build support for Windows Meterpreter, and now correctly interprets a transport session time of 0 as never expiring.
• #15621 from jmartin-r7 – Updates the Metasploit docker container to additionally include Go as a dependency.
• #15623 from zeroSteiner – The creds command has been updated to support several new features: supporting formatting NetNTLMv1 and NetNTLMv2 hash for both the JtR and Hashcat formatters, filtering hashes based on the realm, not truncating hashes when writing them to a CSV file, filtering based on the JtR format type name, support for applying the same filtering to output files that can be applied when generating the creds table, and support for ensuring output consistency when writing output to a file.

Bugs fixed

• #15375 from HynekPetrak – This PR fixes a bug whereby Metasploit would sometimes crash when remote LDAP servers returned a null character in the base_dn string, and also enhances modules/auxiliary/gather/ldap_hashdump.rb to handle sha256 hashes and skip hashes in cases of LK (locked account) and NP (no password) credentials.

• #15572 from adfoster-r7 – This PR implements a fix to correctly handle quoted console options and whitespace

• #15573 from dwelch-r7 – The simplify_module function has been updated so that by default it will not load LHOST/RHOST from the config file and instead use the values set in the options.

• #15590 from sjanusz-r7 – A bug has been fixed that prevented external modules from properly handling the encoding of UTF-8 characters.

• #15596 from tomadimitrie – A bug has been fixed in docker_credential_wincred whereby the regex would sometimes match on IP addresses and other invalid entries instead of the expected Docker version string. This has now been fixed by tightening the regex to make it more specific and restrictive.

• #15628 from timwr – Ensures the session table is refreshed whenever the sysinfo command is run, and whenever stdapi is loaded manually. This should also fix a minor bug where if you run an exploit on an existing session, the session information never gets updated (e.g the username from User -> SYSTEM). Now it’s refreshed when you run meterpreter > sysinfo.

• #15629 from jmartin-r7 – Fixes a regression issue where msfconsole crashed on startup when running on a Windows environments

Get it

As always, you can update to the latest Metasploit Framework with msfupdate and you can get more details on the changes since the last blog post from GitHub:

• Pull Requests 6.1.2…6.1.3
• Full diff 6.1.2…6.1.3

If you are a git user, you can clone the Metasploit Framework repo (master branch) for the latest. To install fresh without using git, you can use the open-source-only Nightly Installers or the binary installers (which also include the commercial edition).

Post Syndicated from Sonny Gonzalez original https://blog.rapid7.com/2021/08/27/metasploit-wrap-up-127/

LearnPress authenticated SQL injection

Metasploit contributor h00die added a new module that exploits CVE-2020-6010, an authenticated SQL injection vulnerability in the WordPress LearnPress plugin. When a user is logged in with contributor privileges or higher, the id parameter can be used to inject arbitrary code through an SQL query. This exploit can be used to collect usernames and password hashes. The responsible code is located in learnpress/inc/admin/lp-admin-functions.php at line 1690. The vulnerability affects plugin versions v3.2.6.7 and prior.

Continuous improvement

In addition to new exploit modules, Metasploit releases include a number of enhancements and bug fixes. This week we would like to highlight a few key enhancements that improve usability. Contributor pingport80 added support for easy reading of binary files from target systems compromised through a PowerShell session. Our very own sjanusz-r7 added a default payload option to the postgres_payload module so that payloads update correctly when changing target systems. An enhancement made by our own gwillcox-r7 extends Windows process lib injection beyond just notepad.exe. The logic now selects from a random list that can be updated in the future. We appreciate all the contributions that make Metasploit more robust and easier to use.

New module content (1)

• WordPress LearnPress current_items Authenticated SQLi by Omri Herscovici, Sagi Tzadik, h00die, and nhattruong, which exploits CVE-2020-6010 – This collects usernames and password hashes from WordPress installations via an authenticated SQL injection vulnerability that exists in LearnPress plugin versions below v3.2.6.8.

Enhancements and features

• #15384 from gwillcox-r7 – This consolidates and changes the library code used by exploits that use RDLLs. The changes improve upon the logic used to start a process to host the RDLL so it is no longer notepad.exe but randomly selected from a list that can also be updated in the future.
• #15477 from pingport80 – This adds PowerShell session support to the readable? and read_file functions provided by the Post::File API.
• #15580 from sjanusz-r7 – Updates postgres_payload exploit modules to specify a valid default PAYLOAD option when changing target architectures
• #15584 from h00die – Updates the list of WordPress plugins and themes to allow users to discover more plugins and themes when running tools such as auxiliary/scanner/http/wordpress_scanner

Bugs fixed

• #15496 from zeroSteiner – Users can now specify the SSL version for servers with the SSLVersion datastore option, ensuring compatibility with a range of targets old and new.

Get it

As always, you can update to the latest Metasploit Framework with msfupdate and you can get more details on the changes since the last blog post from GitHub:

• Pull Requests 6.1.1…6.1.2
• Full diff 6.1.1…6.1.2

If you are a git user, you can clone the Metasploit Framework repo (master branch) for the latest. To install fresh without using git, you can use the open-source-only Nightly Installers or the binary installers (which also include the commercial edition).

Post Syndicated from Jeffrey Martin original https://blog.rapid7.com/2021/08/20/metasploit-wrap-up-126/

Anyone enjoy making chains?

The community is hard at work building chains to pull sessions out of vulnerable Exchange servers. This week Rapid7’s own wvu & Spencer McIntyre added a module that implements the ProxyShell exploit chain originally demonstrated by Orange Tsai. The module also benefited from research and analysis by Jang, PeterJson, brandonshi123, and mekhalleh (RAMELLA Sébastien) to make it as simple as finding an email for an administrator of vulnerable version of exchange as the entrypoint to chain CVE-2021-31207, CVE-2021-34523, & CVE-2021-34473 into sessions for everyone to enjoy.

Great to see some GSoC value in the wild.

With Google Summer of Code 2021 moving into its final phases, pingport80 had 4 PRs land in this week’s release. These improvements and fixes to interactions with sessions make post exploitation tasks more accessible, bringing the community more capabilities and stability along the way.

New module content (2)

• Lucee Administrator imgProcess.cfm Arbitrary File Write by wvu,, iamnoooob, and rootxharsh, which exploits CVE-2021-21307 – An unauthenticated user is permitted to make requests through the imgProcess.cfm endpoint, and using the file parameter which contains a directory traversal vulnerability, they can write a file to an arbitrary location. Combining the two capabilities, this module writes a CFML script to the vulnerable server and achieves unauthenticated code execution as the user running the Lucee server.
• Microsoft Exchange ProxyShell RCE by wvu, Jang, Orange Tsai, PeterJson, Spencer McIntyre, brandonshi123, and mekhalleh (RAMELLA Sébastien), which exploits CVE-2021-31207 – Added an exploit for the ProxyShell attack chain against Microsoft Exchange Server.

Enhancements and features

• #15540 from dwelch-r7 – This adds an option to cmd_execute to have the command run in a subshell by Meterpreter.
• #15556 from pingport80 – This adds shell session compatibility to the post/windows/gather/enum_unattend module.
• #15564 from pingport80 – This adds support to the get_env and command_exists? post API methods for Powershell session types.

Bugs fixed

• #15303 from pingport80 – This PR ensures that the shell dir command returns a list.
• #15332 from pingport80 – This improves localization support and compatibly in the session post API related to the rename_file method.
• #15539 from tomadimitrie – This improves the OS version in the check method of exploit/windows/local/cve_2018_8453_win32k_priv_esc.
• #15546 from timwr – This ensures that the UUID URLs of stageless reverse_http(s) payloads are stored in the database so that they can be properly tracked with payload UUID tracking. This also fixes an error caused by accessing contents of a url list without checking if it’s valid first.
• #15570 from adfoster-r7 – This fixes a bug in the auxiliary/scanner/smb/smb_enum_gpp module where the path that was being generated by the module caused an SMB exception to be raised.

Get it

As always, you can update to the latest Metasploit Framework with msfupdate and you can get more details on the changes since the last blog post from GitHub:

• Pull Requests 6.1.0…6.1.1
• Full diff 6.1.0…6.1.1

If you are a git user, you can clone the Metasploit Framework repo (master branch) for the latest. To install fresh without using git, you can use the open-source-only Nightly Installers or the binary installers (which also include the commercial edition).