Post Syndicated from Alan David Foster original https://blog.rapid7.com/2021/07/16/metasploit-wrap-up-121/

Eternal Blue improvements

Prior to this release Metasploit offered two separate exploit modules for targeting MS17-010, dubbed Eternal Blue. The Ruby module previously only supported Windows 7, and a separate ms17_010_eternalblue_win8 Python module would target Windows 8 and above.

Now Metasploit provides a single Ruby exploit module exploits/windows/smb/ms17_010_eternalblue.rb which has the capability to target Windows 7, Windows 8.1, Windows 2012 R2, and Windows 10. This change removes the need for users to have Python and impacket installed on their host machine, and the automatic targeting functionality will now also make this module easier to run and exploit targets.

AmSi 0BfuSc@t!on

The Anti-Malware Scan Interface integrated into Windows poses a lot of challenges for offensive security testing. While bypasses exist and one such technique is integrated directly into Metasploit, the stub itself is identified as malicious. A chicken and egg problem exists due to the stub being incapable of being executed to bypass AMSI and permit the payload from executing. To address this, Metasploit now randomizes the AMSI bypass stub itself. The randomization both obfuscates literal string values that are known qualifiers for AMSI such as amsiInitFailed as well as shuffles the placement of powershell expressions. With these improvements in place, Powershell payloads are now much more likely to be successfully executed. While the bypass stub is now prepended by default for all exploit modules, it can be explicitly disabled by setting Powershell::prepend_protections_bypass to false.

VMware vCenter Server RCE

Our very own Will Vu has added a new exploit module targeting VMware vCenter Server CVE-2021-21985. This module exploits Java unsafe reflection and SSRF in the VMware vCenter Server Virtual SAN Health Check plugin’s ProxygenController class to execute code as the vsphere-ui user. See the vendor advisory for affected and patched versions. This module has been tested against VMware vCenter Server 6.7 Update 3m (Linux appliance). For testing in your own lab environment, full details are in the module documentation.

New module content (4)

• VMware vCenter Server Virtual SAN Health Check Plugin RCE by wvu and Ricter Z, which exploits CVE-2021-21985 – A new exploit module for VMware vCenter Server CVE-2021-21985 which exploits Java unsafe reflection and SSRF in the VMware vCenter Server Virtual SAN Health Check plugin’s ProxygenController class to execute code as the vsphere-ui user.
• Polkit D-Bus Authentication Bypass by Kevin Backhouse, Spencer McIntyre, and jheysel-r7, which exploits CVE-2021-3560 – A new module has been added which exploits CVE-2021-3560, an authentication bypass and local privilege elevation vulnerability in polkit, a toolkit for defining and handling authorizations which is installed by default on many Linux systems. Successful exploitation results in the creation of a new user with root permissions, which can then be used to gain a shell as root. Note that exploitation requires that users have a non-interactive session on some systems so users may need to gain a SSH session first before exploiting this vulnerability.
• ForgeRock / OpenAM Jato Java Deserialization by Michael Stepankin, Spencer McIntyre, bwatters-r7, and jheysel-r7, which exploits CVE-2021-35464 – A new module has been added which exploits CVE-2021-35464, a pre-authentication Java deserialization vulnerability
  in OpenAM and ForgeRock AM. Succcessful exploitation allows for remote code execution as the user running the OpenAM service.
• Windows Process Memory Dump by smashery – This adds a new post module that dumps the memory of any process on the target. This module is able to perform a full or a standard dump. It also downloads the file into the local loot database and delete the temporary file on the target.

Enhancements and features

• #15217 from agalway-r7 – Removes the Python module ms17_010_eternalblue_win8.py and consolidates the functionality into exploits/windows/smb/ms17_010_eternalblue.rb – which as a result can now target Windows 7, Windows 8.1, Windows 2012 R2, and Windows 10. This change now removes the need to have Python installed on the host machine, and the automatic targeting functionality will now make this module easier to run.
• #15254 from zeroSteiner – This updates the AMSI bypass used by modules executing Powershell code to be randomized making it more difficult to be detected using static signatures.

Bugs fixed

• #15362 from bwatters-r7 – Fixes a regression issue with post/multi/manage/shell_to_meterpreter, and other interactions with command shell based sessions
• #15420 from adfoster-r7 – Fixes an regression issue were auxiliary/scanner/ssh/eaton_xpert_backdoor failed to load correctly

Get it

As always, you can update to the latest Metasploit Framework with msfupdate
and you can get more details on the changes since the last blog post from
GitHub:

• Pull Requests 6.0.52…6.0.53
• Full diff 6.0.52…6.0.53

If you are a git user, you can clone the Metasploit Framework repo (master branch) for the latest.
To install fresh without using git, you can use the open-source-only Nightly Installers or the
binary installers (which also include the commercial edition).

Post Syndicated from Christopher Granleese original https://blog.rapid7.com/2021/07/09/metasploit-wrap-up-120/

PrintNightmare

Rapid7 security researchers Christophe De La Fuente, and Spencer McIntyre, have added a new module for CVE-2021-34527, dubbed PrintNightmare. This module builds upon the research of Xuefeng Li, Zhang Yunhai, Zhiniang Peng, Zhipeng Huo, and cube0x0. The module triggers a remote DLL load by abusing a vulnerability in the Print Spooler service. The print spooler service can be abused by an authenticated remote attacker to load a DLL through a crafted DCERPC request using the MS-RPRN vector, resulting in remote code execution as NT AUTHORITY\SYSTEM.

Because Metasploit’s SMB server doesn’t support SMB3 (yet), it’s highly recommended to use an external SMB server like Samba that supports SMB3. The Metasploit module documentation details the process of generating a payload DLL and using this module to load it.

CVE-2021-34527 is being actively exploited in the wild. For more information and a full timeline, see Rapid7’s blog on PrintNightmare!

NSClient++

Great work by community contributor Yann Castel on their new NSClient++ module. This module allows an attacker with an unprivileged windows account to gain admin access on a windows system and start a shell.

For this module to work, both the web interface of NSClient++ and the ExternalScripts feature should be enabled. You must also know where the NSClient config file is as it is used to read the admin password which is stored in clear text.

New module content (2)

• Print Spooler Remote DLL Injection by Christophe De La Fuente, Piotr Madej, Spencer McIntyre, Xuefeng Li, Zhang Yunhai, Zhiniang Peng, Zhipeng Huo, and cube0x0, which exploits CVE-2021-34527 – A new module has been added to Metasploit to exploit PrintNightmare, aka CVE-2021-1675/CVE-2021-34527, a Remote Code Execution vulnerability in the Print Spooler service of Windows. Successful exploitation results in the ability to load and execute an attacker controlled DLL as the SYSTEM user.

• NSClient++ 0.5.2.35 – Privilege escalation by BZYO, Yann Castel and kindredsec – This post module allows an attacker to perform a privilege escalation on a machine running a vulnerable version of NSClient++. The module retrieves the admin password from a config file at a customizable path, and so long as NSClient++ has both the web interface and ExternalScriptsfeature enabled, gains a SYSTEM shell.

Enhancements and features

• #15366 from pingport80 – This updates how the msfconsole’s history file is handled. It adds a size limitation so the number of commands does not grow indefinitely and fixes a locking condition that would occur when the history file had grown exceptionally large (~400,000 lines or more).

Bugs fixed

• #15320 from agalway-r7 – A bug has been fixed in the read_file method of lib/msf/core/post/file.rb that prevented PowerShell sessions from being able to use the read_file() method. PowerShell sessions should now be able to use this method to read files from the target system.
• #15371 from bcoles – This fixes an issue in the apport_abrt_chroot_priv_esc module where if the apport-cli binary was not in the PATH the check method would fail.

Get it

As always, you can update to the latest Metasploit Framework with msfupdate and you can get more details on the changes since the last blog post from

GitHub:

• Pull Requests 6.0.51…6.0.52
• Full diff 6.0.51…6.0.52

If you are a git user, you can clone the Metasploit Framework repo (master branch) for the latest.

To install fresh without using git, you can use the open-source-only Nightly Installers or the

binary installers (which also include the commercial edition).

Post Syndicated from Spencer McIntyre original https://blog.rapid7.com/2021/03/05/metasploit-wrap-up-101/

FortiOS Path Traversal

Returning community contributor mekhalleh submitted a module targeting a path traversal vulnerability within the SSL VPN web portal in multiple versions of FortiOS. The flaw is leveraged to read the usernames and passwords of currently logged in users which are stored in plaintext on the file system. This vulnerability is identified as CVE-2018-13379 and can be reliably exploited remotely, without any authentication. Despite the fact that the vulnerability is several years old, CVE-2018-13379 is still known to be exploited in the wild, including in state-sponsored attacks targeting U.S. government agencies and infrastructure.

Additional Module Updates

Two modules received improvements to their targeting capabilities. The ever-popular exploit for MS17-010 was updated by zerosum0x0 (one of the original authors) with an updated fingerprint for properly targeting Windows Storage Server 2008. This allows the exploit module to be used against affected versions of that Server 2008 variant. Additionally, a KarjaSoft Sami FTP exploit was updated by long-time community contributor bcoles who made a number of improvements to it but notably updated the exploit to only rely on an offset within a DLL that is distributed with the vulnerable software. When memory corruption exploits need the address of a POP, POP, RET instruction (as this one does for the SEH overwrite), they are more reliable when referencing one that is distributed with the software and won’t change, unlike libraries that come with the host operating system and are regularly updated.

New Modules (1)

• FortiOS Path Traversal Credential Gatherer by lynx (Carlos Vieira) and mekhalleh (RAMELLA Sébastien), which exploits a directory traversal vulnerability (CVE-2018-13379) in the SSL VPN web portal of FortiOS 5.4.6 to 5.4.12, FortiOS 5.6.3 to 5.6.7 and FortiOS 6.0.0 to 6.0.4 to grab the /dev/cmdb/sslvpn_websession file, containing the plaintext list of currently connected usernames and their associated passwords. These credentials can then be saved to the creds database for use in future attacks.

Enhancements and features

• #14783 from bcoles The KarjaSoft Sami FTP Server v2.0.2 USER Overflow module has been updated with documentation, RuboCop updates, support for the AutoCheck mixin to automatically check if a target is vulnerable, an updated list of authors, as well as improvements to its exploit strategy that allow it to use only one offset within a DLL shipped with the target for exploitation, instead of relying on an Windows OS DLL whose offsets could change as the OS was updated.
• #14838 from zerosum0x0 The psexec_ms17_010.rb library has been updated to support additionally fingerprinting Windows Storage Server 2008 R2 targets as potentially exploitable targets, thereby allowing users to exploit Windows Storage Server 2008 R2 targets vulnerable to MS17-010.

Bugs Fixed

• #14816 from dwelch-r7 Ensures that the Faker library is always available for use within modules when generating fake data for bypassing WAF etc.
• #14821 from space-r7 The search command within Meterpreter has had its logic updated to support searches that start at the root directory, aka /. These types of searches were previously not returning any results due to a logic bug within the code, which has now been fixed.
• #14840 from dwelch-r7 Removes require rex/ui statement that prevented execution of msfrpc.
• #14843 from dwelch-r7 With the upgrade to zeitwerk in Metasploit, PseudoShell was not being picked up appropriately, resulting in some modules and tools not being able to load it when needed. A fix has now been applied to make sure that PseudoShell can be appropriately loaded by zeitwerk to prevent missing dependency issues.
• #14853 from adfoster-r7 Fixes an edge case when upgrading from an older version of Metasploit to Metasploit 6.0.32 when using the Mac Metasploit Omnibus installer directly or indirectly via Brew

Get it

As always, you can update to the latest Metasploit Framework with msfupdate
and you can get more details on the changes since the last blog post from
GitHub:

• Pull Requests 6.0.32…6.0.33
• Full diff 6.0.32…6.0.33

If you are a git user, you can clone the Metasploit Framework repo (master branch) for the latest.
To install fresh without using git, you can use the open-source-only Nightly Installers or the
binary installers (which also include the commercial edition).

Post Syndicated from Jeffrey Martin original https://blog.rapid7.com/2021/02/26/metasploit-wrap-up-100/

Hey who finked about Flink?

In this week’s round of modules, contributor bcoles offered up two modules to leverage that Apache Flink install you found in some fun new ways. If you are just looking to filch a few files, auxiliary/scanner/http/apache_flink_jobmanager_traversal leverages CVE-2020-17519 to pilfer the filesystem on Flink versions 1.11.0 thru 1.11.2. The second module, for a litte extra fun, exploit/multi/http/apache_flink_jar_upload_exec utilizes the job functionality in Flink to run arbitrary java code as the web server user, turns out there is a meterpreter for that!

RDP: a dream and a nightmare for the sysAdmin near you.

Ever wonder if exposing a remote desktop in a web page was a good idea? I mean, it’s just a web server, the internet loves those. Turns out timing attacks can expose your usernames when someone chooses to pay close attention. A recently contributed module auxiliary/scanner/http/rdp_web_login contributed by Matthew Dunn can even pay attention for you. Using the module you can now enumerate users by setting a few options.

Have you heard of herpaderping?

For those that have, Metasploit now has a new toy for you. Christophe De La Fuente built on some great research by Johnny Shaw, to bring this technique to Metasploit. Using the new evasion/windows/process_herpaderping module, you too can generate Windows PE files that hide the code behind the curtain, if you will, when executed on a target.

Join the community.

For anyone interested in working with Metasploit in this year’s Google Summer of Code, you’ll have to wait until March 9th to find out if we’ve been accepted as mentors. However, you can get a head start by checking out our current project shortlist. Said shortlist is still being worked on, and applicants can suggest their own project ideas, so get looking and see what jumps out at you!

New Modules (4)

• Apache Flink JobManager Traversal by 0rich1 – Ant Security FG Lab, Hoa Nguyen – Suncsr Team, and bcoles, which exploitsCVE-2020-17519, adds an auxiliary module that leverages the directory traversal vulnerability within Apache Flink to recover files from the affected server. This vulnerability does not require authentication.
• Apache Flink JAR Upload Java Code Execution by Henry Chen, bcoles, and bigger.wing, adds an exploit module that leverages Apache Flink to upload and run an arbitrary JAR file.
• Microsoft RDP Web Client Login Enumeration by Matthew Dunn, adds a scanner module that leverages the timing behavior of the web rdp authentication process to determine valid users.
• Process Herpaderping evasion technique by Christophe De La Fuente and Johnny Shaw, adds an evasion module that takes advantage of the Process Herpaderping evasion technique.

Enhancements and features

• #14784 from bcoles This fixes a bug in the ScadaBR credential dumping module that prevented it from processing response data.

• #14617 from zeroSteiner The core Meterpreter and console libraries have been updated to better handle cases where a given implementation of Meterpreter may not support a certain command. Now instead of each version of Meterpreter trying to handle invalid commands, which previously lead to errors, they will instead check if they support that command and then will throw an error message if they do not support that command. Additionally, the output from running the help or ? command inside the meterpreter prompt has been updated so as to not display a command that a given Meterpreter implementation does not support. Tests have also been updated accordingly to support checking this functionality works as expected.

• #14670 from adfoster-r7 Word wrapping of Rex tables is now enabled by default for all Rex tables except for those output by the creds and search commands. This feature can optionally be turned off by issuing the features set wrapped_tables false command.

• #14735 from adfoster-r7 Updates have been made to require all new modules to now pass RuboCop and msftidy.rb checks prior to being merged into the framework. These checks will now be run automatically on PRs to detect issues rather than users having to run these tools manually to detect code quality issues within their contributions.

• #14740 from zeroSteiner This makes a few improvements to the CVE-2021-3156 and adds a couple of features that were left out of the first submission due to time constraints (e.g cleanup and randomisation of the payload library).

Bugs Fixed

• #14748 from cdelafuente-r7 A bug has been fixed in the Auxiliary::AuthBrute that caused a crash when the DB_ALL_USERS or DB_ALL_PASS options were set. This has now been addressed.
• #14789 from zeroSteiner A bug has been fixed whereby Meterpreter sessions were incorrectly being validated due to the fact that TLV encryption for the session would take place before session verification. The fix now considers Meterpreter sessions valid if they successfully negotiate TLV encryption. This fix also removes the AutoVerifySession datastore option since all valid Meterpreter instances should negotiate TLV encryption automatically.
• #14802 from dwelch-r7 A bug within the Kiwi library has been fixed whereby commands passed to Kiwi via the kiwi_cmd command in Metasploit where not being properly enclosed in double quotes, which could lead to Kiwi thinking the user had passed it two separate commands to execute rather than one space separated command.
• #14812 from dwelch-r7 Restores missing requires for sock5 proxy support.

Get it

As always, you can update to the latest Metasploit Framework with msfupdate
and you can get more details on the changes since the last blog post from
GitHub:

• Pull Requests 6.0.31…6.0.32
• Full diff 6.0.31…6.0.32

If you are a git user, you can clone the Metasploit Framework repo (master branch) for the latest.
To install fresh without using git, you can use the open-source-only Nightly Installers or the
binary installers (which also include the commercial edition).

Post Syndicated from Adam Galway original https://blog.rapid7.com/2021/02/19/metasploit-wrap-up-99/

GSoC Rocks!

In a rare double whammy, one of our 2020 Google Summer of Code (GSoC) participants has authored a PR containing both enhancements & a new module! Improvements to our SQL injection library now allow PostgreSQL injection, and this new functionality has been verified with both a test module AND a fully functioning module exploiting CVE-2019-13375, a (Postgre)SQL Injection vuln in the D-Link Central WiFi Manager allowing both DB dumping and user insertion in all versions before v1.03R0100_BETA6. Big thanks to red0xff for authoring these changes and showing that students can hack it with the best of them.

For anyone interested in working with Metasploit in this year’s Google Summer of Code, you’ll have to wait until March 9th to find out if we’ve been accepted as mentors. However, you can get a head start by checking out our current project shortlist. Said shortlist is still being worked on, and applicants can suggest their own project ideas, so get looking and see what jumps out at you!

King KLog vs Colezilla

Our copious community contributor bcoles has written a new module exploiting CVE-2020-35729, an unauthenticated command injection vulnerability in KLog (An english translated version of their site can be found here). KLog is a Syslog server providing a time stamp service packaged in a Linux VM, and if Google Translate is to be believed, includes "Kamu SM approved SHA-512 hash algorithm has log signing feature", which is nice. By making a POST request to authenticate.php, the module can perform code execution in the VM via the PHP shell_exec() function. Additionally, the KLog VM configuration allows the apache user to execute sudo without supplying a password, ultimately allowing code execution with root privileges.

Short. Sweet. Screenshot.

Wrapping up this wrapup, timwr has fixed an issue with our Java Meterpreter that prevented screenshots from being taken. As an added bonus, it also prevents uploading a screenshot dll on non-native Windows meterpreter sessions.

New Modules (4)

• WordPress ChopSlider3 id SQLi Scanner by Callum Murphy, SunCSR, and h00die, which exploits CVE-2020-11530 This adds a new module to exploit a SQL injection vulnerability in iDangero.us ChopSlider 3 WordPress plugin version 3.4 and prior. It is able to remotely dump usernames and password hashes from the WordPress database without any authentication. This vulnerability is identified as CVE-2020-11530.
• D-Link Central WiFiManager SQL injection by M3 and Redouane NIBOUCHA, which exploits CVE-2019-13373 GSoC 2020 project supporting SQLi library usage with PostgreSQL. This support comes with a new module utilizing CVE-2019-13373 to dump database information or insert additional users into D-Link Central WiFi Manager CWM(100) before v1.03R0100_BETA6.
• Klog Server authenticate.php user Unauthenticated Command Injection by Metin Yunus Kandemir, b3kc4t, and bcoles, which exploits CVE-2020-35729 This adds an exploit module that targets an unauthenticated command injection vulnerability in Klog Server versions 2.4.1 and below. A POST request to authenticate.php can result in code execution on the target due to improper sanitization of the user parameter, which gets passed to the shell_exec() function. Additionally, Klog Server’s configuration allows the apache user to execute sudo without supplying a password, so this exploit ultimately achieves code execution with root privileges.
• Micro Focus Operations Bridge Manager Local Privilege Escalation by Pedro Ribeiro, which exploits ZDI-20-1326 (CVE-2020-11858) Allows privilege escalation assuming victim machine is running a vulnerable version of OBM & user already has a session on said machine that supports Powershell. Module writes payload to specific folder, then sends request to OBM process via the loopback address to trigger payload execution.

Enhancements and features

• #14733 from adfoster-r7 Adds the latest rubocop rules
• #14747 from dwelch-r7 Updates exploit/linux/http/saltstack_salt_api_cmd_exec to correctly show failure messages to the user under error scenarios
• #14756 from bcoles Updates msftidy to warn when a module is missing its Notes metadata
• #14762 from adfoster-r7 Adds support for ignoring Rubocop’s ExtraSpacing rules for BinData objects

Bugs Fixed

• #14602 from red0xff Improved length detection for Time Based MySQLi injections & expand support for empty strings to hex_encode_strings.
• #14738 from timwr Fixes multi/manage/shell_to_meterpreter on macOS by using Python reflection to upgrade a shell session on macOS to a meterpreter session, in memory, without dropping a file to disk
• #14751 from bcoles A bug has been fixed within the msftidy.rb developer tool whereby a typo was preventing several checks from being run against exploit modules to ensure they conformed to standards. This has now been fixed, along with some grammar issues that were noticed in related modules.
• #14758 from timwr Fix platform check in Meterpreter stdapi screenshot command. This ensures Java Meterpreter can take screenshots on Windows platforms and prevents unnecessarily uploading the screenshot DLL when using the screenshot command on non-native Windows sessions.
• #14741 from zeroSteiner Fixes typo for exchange_ecp_dlp_policy target

Get it

As always, you can update to the latest Metasploit Framework with msfupdate and you can get more details on the changes since the last blog post from
GitHub:

• Pull Requests 6.0.30…6.0.31
• Full diff 6.0.30…6.0.31

If you are a git user, you can clone the Metasploit Framework repo (master branch) for the latest. To install fresh without using git, you can use the open-source-only Nightly Installers or the binary installers (which also include the commercial edition).

Post Syndicated from Adam Galway original https://blog.rapid7.com/2021/02/12/metasploit-wrap-up-98/

MicroFocus? More like MacroVuln

MicroFocus’s Operations Bridge Manager is a security information and event management (SIEM) tool designed to collect and parse security logs from multiple disparate sources. OBM has a large attack surface—something Pedro Ribeiro was able to take advantage of with his new RCE module. This module leverages a Java deserialization bug to allow payload execution as either root or SYSTEM, depending on the victim OS.

We’ve one other OBM module currently in the process of being landed, but for anyone who needs their fix of MicroFocus hacks right away, we’d recommend pedrib’s super detailed writeup of his findings.

Patches? We don’t need no stinkin’ patches!

While PR #14607 doesn’t add a totally new exploit for Microsoft Exchange Server, that’s only because zeroSteiner was able to update an earlier module to support a bypass for the patch that was supposed to fix the vuln it exploited.

CVE-2020-16875 originally allowed remote attackers to execute arbitrary code on affected installations of Microsoft Exchange Server so long as they were authenticated as a user who had an active mailbox and who was assigned the Data Loss Prevention role. This was believed to have been patched in the Exchange Server 2016 Cumulative Update 18 (September 15 2020) and Exchange Server 2019 Cumulative Update 7 (September 15 2020). However, this patch was later bypassed and assigned CVE-2020-17132. Microsoft’s second patch was also later bypassed—a tough shake for organizations’ patch cycles. Both the original vulnerability and the patch bypass) were discovered by Steven Seeley, and the Metasploit code is based on his work.

zeroSteiner’s changes allow the exchange_ecp_dlp_policy module to exploit the two patched versions of Exchange Server and the unpatched server.

External modules, internal quality

Last but not least, cgranleese-r7 has spearheaded our efforts to improve usability of Metasploit’s external modules by providing more informative error messages for users when they lack the required languages in their environment (#14480). This will help avoid instances of users missing out on useful modules due to their not knowing some languages outside of ruby can be needed for the full metasploit experience.

msf6 > use auxiliary/scanner/msmail/host_id
[-] Failed to load module: LoadError Failed to execute external Go module. Please ensure you have Go installed on your environment.
msf6 >

New modules (1)

• Micro Focus Operations Bridge Manager Authenticated Remote Code Execution by Pedro Ribeiro, which exploits ZDI-20-1327 / CVE-2020-11853 This adds an exploit module that leverages an insecure Java deserialization vulnerability in multiple Micro Focus products. This allows remote code execution as the root user on Linux or the SYSTEM user on Windows. Initial authentication is required, but any low-privileged user can be used to successfully run this exploit.

Enhancements and features

• #14154 from cgranleese-r7 This ensures that all modules that previously used manual AutoCheck behavior now leverage the AutoCheck mixin instead.
• #14480 from cgranleese-r7 Improves the handling of external modules when they’re missing runtime dependencies and gives the user a more useful error. It will now return which runtime language the user is missing on their environment (this has been implemented for both Python and Go).
• #14607 from zeroSteiner This updates the Exchange ECP DLP Policy module exploit to leverage a new technique that bypasses the original patch. This new technique also works on unpatched versions.
• #14669 from jmartin-r7 Improves error message feedback when using the auxiliary/analyze/crack_* modules. Examples include notifying the user that the database needs to be active, and having JohnTheRipper Jumbo patch installed
• #14685 from geyslan Reduced the size of the linux/x64/shell_bind_tcp_random_port payload while maintaining the functionality.
• #14708 from timwr Add offsets to the exploit/osx/browser/safari_proxy_object_type_confusion exploit module for Mac OSX 10.13.1 and 10.13.2.
• #14721 from bcoles This adds a target for Debian 10 to the sudo exploit CVE-2021-3156.
• #14728 from FireFart Updates have been made to lib/msf/core/module/reference.rb as well as associated tools and documentation to update old WPVDB links with the new WPVDB domain and to also ensure that the new URL format is properly checked in the respective tools.
• #14725 by h00die moves creds to a default-cred "userpass" list instead of splitting known cred pairs across files.

Bugs fixed

• #14714 from adfoster-r7 Updates the sqlite gem in preparation for Ruby 3.0 support & fixes SQLite3 deprecation warning.
• #14720 from dwelch-r7 Fixed an issue in the lib/msf/core/exploit/remote/http_client.rb and lib/msf/core/opt_http_rhost_url.rb libraries where the VHOST datastore variable would be set incorrectly if a user used an /etc/hosts entry for resolving a hostname to an IP address.

Get it

As always, you can update to the latest Metasploit Framework with msfupdate and you can get more details on the changes since the last blog post from GitHub:

• Pull Requests 6.0.29…6.0.30
• Full diff 6.0.29…6.0.30

If you are a git user, you can clone the Metasploit Framework repo (master branch) for the latest. To install fresh without using git, you can use the open-source-only Nightly Installers or the binary installers (which also include the commercial edition).

Post Syndicated from Christophe De La Fuente original https://blog.rapid7.com/2021/02/05/metasploit-wrap-up-97/

Baron Samedit is coming to get you

Last week, a critical bug in sudo came out and could potentially affect most of the Linux-based operating systems, since this tool is usually installed by default. This vulnerability is identified as CVE-2021-3156, but better known as "Baron Samedit", and is sitting there in the code since July 2011, ready to guide you to the underworld. It affects legacy versions from 1.8.2 to 1.8.31p2 and stable versions from 1.9.0 to 1.9.5p1. If you have not done it already, patch now!

This week, our own Spencer McIntyre added a new module that leverages this vulnerability to gain root privileges from any local user without using a password. This exploit is based on the blasty PoC. It requires specific offsets to succeed, and currently has targets for Ubuntu 20.04 and 18.0[1-4]. We would like to extend that target list, and help from our awesome community would be greatly appreciated!

OneDrive to rule them all

Contributor @stufus added a very useful module that enumerates the Microsoft 365 Sharepoint/OneDrive endpoints on a target Windows system. This allows access to information related to sites that are being synchronised by the OneDrive application. This module will be very useful to get sensitive and extra information during a pentest engagement.

New Modules (3)

• Abandoned Cart for WooCommerce SQLi Scanner by WPDeeply and h00die: This adds an auxiliary module that retrieves WordPress user names and password hashes by leveraging an unauthenticated SQL injection vulnerability within the WooCommerce Abandoned Cart plugin for versions below 5.8.2.
• Sudo Heap-Based Buffer Overflow by Alexander Krog, Qualys, Spencer McIntyre, blasty, and bwatters-r7, which exploits CVE-2021-3156: This adds an initial exploit for CVE-2021-3156 which is a heap-based buffer overflow in the sudo utility which came out recently.
• OneDrive Sync Provider Enumeration Module by Stuart Morgan: A new module, post/windows/gather/enum_onedrive.rb, has been added which allows users to enumerate information relating to all of the sites (including teamsites) which OneDrive is configured to synchronize for a target host.

Enhancements and features

• #14713 from yogeshwarram adds documentation for the auxiliary/scanner/redis/redis_login module.

Bugs Fixed

• #14680 from digininja prevents exploit/windows/winrm/winrm_script_exec printing nil when no command output is returned.
• #14684 from adfoster-r7 adds formatted logging to external python modules.
• #14690 from timwr updates the Mettle payloads gem to 1.0.6, which includes a fix for a segmentation fault leading to the Meterpreter session crashing.
• #14693 from dwelch-r7 fixes a regression error introduced in Metasploit 6.0.27 which caused the vhost header to not be correctly set for http modules
• #14719 from acammack-r7 pivoted connections are now much less likely to close early when there is still data pending to be read or written

Get it

As always, you can update to the latest Metasploit Framework with msfupdate
and you can get more details on the changes since the last blog post from
GitHub:

• Pull Requests 6.0.28…6.0.29
• Full diff 6.0.28…6.0.29

If you are a git user, you can clone the Metasploit Framework repo (master branch) for the latest.
To install fresh without using git, you can use the open-source-only Nightly Installers or the
binary installers (which also include the commercial edition).

Post Syndicated from Louis Sato original https://blog.rapid7.com/2021/01/29/metasploit-wrap-up-96/

MobileIron MDM Hessian-Based Java Deserialization RCE

Our very own wvu-r7 has added exploits/linux/http/mobileiron_mdm_hessian_rce, which exploits an ACL bypass in MobileIron MDM products to execute a Java deserialization attack using a Groovy gadget against a Hessian based endpoint. (CVE-2020-15505). MDM helps organizations manage and control all employees’ devices, requiring it to be publicly reachable to synchronize devices, making this an appealing target. This exploit has been included on the U.S. National Security Agency’s list of vulnerabilities known to be exploited by Chinese state-sponsored threat actors. More information about this exploit can be found here.

PEAR Archive_Tar < 1.4.11 Arbitrary File Write

exploits/multi/fileformat/archive_tar_arb_file_write has been added by gwillcox-r7, which adds support for CVE-2020-28949. CVE-2020-28949 is a vulnerability which affects the Archive_Tar plugin of the PEAR PHP development framework and is caused by Archive_Tar’s lack of validation of file stream wrappers contained within filenames, which for allows the writing of an arbitrary file containing user controlled content to an arbitrary location on disk.

Micro Focus UCMDB Java Deserialization Unauthenticated Remote Code Execution

Community contributor Pedro Ribeiro has added exploits/multi/http/microfocus_ucmdb_unauth_deser, which exploits two vulnerabilities CVE-2020-11853 and CVE-2020-11854, that when chained allow an attacker to achieve unauthenticated remote code execution in Micro Focus UCMDB. CVE-2020-11854 is the use of a hardcoded password for the "diagnostics" user, which allows attackers to log into UCMDB. CVE-2020-11853 takes advantage of the fact that after authentication, almost all of the UCMDB client’s communication is done using Java serialized objects, allowing an authenticated attacker to inject a malicious Java serialized object into a POST body to one of the vulnerable endpoints to achieve remote code execution as root or SYSTEM.

New modules (5)

• MobileIron MDM Hessian-Based Java Deserialization RCE by wvu, Orange Tsai, iamnoooob, and rootxharsh, which exploits CVE-2020-15505
• PEAR Archive_Tar < 1.4.11 Arbitrary File Write by gwillcox-r7 and xorathustra, which exploits CVE-2020-28949
• Micro Focus UCMDB Java Deserialization Unauthenticated Remote Code Execution by Pedro Ribeiro, which exploits CVE-2020-11853
• PRTG Network Monitor Authenticated RCE by Josh Berry and Julien Bedel, which exploits CVE-2018-9276
• FannyBMP or DementiaWheel Detection Registry Check by William M., which exploits CVE-2010-2568

Enhancements and features

• PR #14383 by h00die added two new external module examples in python, one as an exploit module example and the other as an auxiliary example.
• PR #14651 by bcoles updates msftidy to verify that all modules have a module description.
• PR #14564 by adfoster-r7 updates internal Metasploit libraries to dependency inject the currently active module when performing tab completion for users.
• PR #14432 by cn-kali-team adds a new function report_creds to the kiwi.rb and priv/password.rb Meterpreter libraries. This function ensures that credentials dumped via Kiwi or via the hashdump command are now appropriately captured in the creds database, allowing users to replay them later on, or attempt to crack them and obtain the plain text password.

Bugs fixed

• PR #14664 by s1e2b3i4 applies a fix to auxiliary/scanner/ssh/ssh_enumusers.rb to ensure that error messages that occur when a user doesn’t exist on the target system, or whom can’t connect remotely, are not displayed unless the VERBOSE flag is set.
• PR #14657 by jmartin-r7 updates Metasploit’s docker build process to download pip from an alternative Github download source now that python2 will no longer be available after January 30th 2021.
• PR #14650 by bcoles updates local_exploit_suggester to correctly store rhost information in the database, as previously this would crash.
• PR #14647 by zeroSteiner addresses a typo introduced in #14582 whereby non-existent value is used to populate the tab completion array for the run command of modules that support actions as commands, resulting in msfconsole crashing when tab completion was attempted. Users should now be able to do tab completion using the run command without errors.

Get it

As always, you can update to the latest Metasploit Framework with msfupdate
and you can get more details on the changes since the last blog post from
GitHub:

• Pull Requests 6.0.27…6.0.28
• Full diff 6.0.27…6.0.28

If you are a git user, you can clone the Metasploit Framework repo (master branch) for the latest.
To install fresh without using git, you can use the open-source-only Nightly Installers or the
binary installers (which also include the commercial edition).

Post Syndicated from Dean Welch original https://blog.rapid7.com/2021/01/22/metasploit-wrap-up-95/

Metasploit Wrapup

Windows print spooler vulnerability…again

Here we have bwatters-r7 coming in with an exploit for CVE-2020-1337, a patch bypass for a Windows print spooler elevation of privilege vulnerability that was exploited in the wild last year. The original vulnerability, CVE-2020-1048, garnered quite a bit of interest from the security community, in large part because the Windows print spooler is a legacy component that was abused as part of the Stuxnet attack. Alex Ionescu and Yarden Shafir, the researchers who discovered CVE-2020-1048, have a great write-up here if you’re looking for a deep dive.

The first patch that Microsoft released for CVE-2020-1048 uses a check to verify that the process creating a printer port targeting a location has privileges to write to that location. Unfortunately, that patch only checks the permissions when the port is created. The bypass utilized here simply creates the port pointing to a location the user can write
to. Then, after the printer port is created, it creates a symlink from
the location pointed to by the printer port to a second location. The check will pass because the link is only created after the check, but the link will be in place when the print takes place, so the file write will pass through and end up in the trusted location.

A very prompt fix

Chiggins gave us a fix for the msfconsole prompt with PR #14635. For those not in the know, you can set your prompt in the console with the set Prompt command. Thanks to Chiggins setting your prompt to the timestamp works again! So feel free to give it a go with set Prompt %T.

New Modules (1)

• Microsoft Spooler Local Privilege Elevation Vulnerability by 404death, Peleg Hadar, Tomer Bar, bwatters-r7, and sailay1996, which exploits CVE-2020-1337 This adds a local exploit module that leverages an arbitrary file write vulnerability in the Spooler service on Windows. This is a bypass of the patch for CVE-2020-1048 and is identified as CVE-2020-1337. By successfully executing this exploit, it is possible to gain code execution as NT AUTHORITY\SYSTEM.

Enhancements and features

• #14583 from dwelch-r7 This PR adds in the ability for framework to detect when a given nmap scan requires sudo privileges and re-runs nmap with sudo prompting the user in the typical way
• #14621 from geyslan This PR reduces the size of the linux/x64/shell_bind_tcp_random_port payload and maintains the functionality.
• #14630 from h00die Adds the hardcoded creds found in Zyxel devices to the unix creds files – as captured within CVE-2020-29583

Bugs Fixed

• #14597 from arno01 Updates the modules/auxiliary/gather/external_ip.rb module to provide a valid default vhost setting
• #14609 from dwelch-r7 A bug was fixed in the lib/msf/core/exploit/remote/http_client.rb and lib/msf/core/opt_http_rhost_url.rb libraries whereby if a user used a /etc/hosts entry for resolving a hostname to an IP address, the VHOST datastore variable would be set incorrectly. This has now been resolved by improving the logic of these two libraries and updating the spec checks accordingly.
• #14632 from zomfg-zombie This fixes a compatibility issue with the OpenSMTPD MAIL FROM RCE exploit where it was failing to function when the target host’s shell uses a strictly POSIX compatible read utility as is the case in Ubuntu.
• #14635 from Chiggins A bug was fixed in the lib/rex/ui/text/shell.rb library whereby users who used the %T character within their command prompts would not get the full timestamp information. A fix has been applied to address this regression so that users can now get the full timestamp information within their prompts.

Get it

As always, you can update to the latest Metasploit Framework with msfupdate
and you can get more details on the changes since the last blog post from
GitHub:

• Pull Requests 6.0.26…6.0.27
• Full diff 6.0.26…6.0.27

If you are a git user, you can clone the Metasploit Framework repo (master branch) for the latest.
To install fresh without using git, you can use the open-source-only Nightly Installers or the
binary installers (which also include the commercial edition).

Post Syndicated from Sonny Gonzalez original https://blog.rapid7.com/2021/01/08/metasploit-wrap-up-93/

Struts2 Multi Eval OGNL RCE

Our very own zeroSteiner added exploit/multi/http/struts2_multi_eval_ognl, which exploits Struts2 evaluating OGNL expressions in HTML attributes multiple times (CVE-2019-0230 and CVE-2020-17530). The CVE-2019-0230 OGNL chain for remote code execution requires a one-time chain to enable the RCE gadget, which is handled automatically by the module. The OGNL gadget chain for CVE-2020-17530 will echo the command output. Both chains use a simple mathematical expression to ensure that evaluation occurs. These vulnerabilities are application dependent, and the user does need to know which CVE they are targeting. Setting the NAME parameter appropriately and using the check method to ensure evaluation takes place inside an HTML attribute are key to successful exploitation.

JuicyPotato-like Windows privilege escalation exploit

Exploit module exploits/windows/local/bits_ntlm_token_impersonation was added by Metasploit contributor C4ssandre. It exploits BITS connecting to a local Windows Remote Management server (WinRM) at startup time. A fake WinRM server listening on port 5985 is started by a DLL loaded from a previous unprivileged meterpreter session. The fake server triggers BITS and then steals a SYSTEM token from the subsequent authentication request. The token is then used to start a new process and launch powershell.exe as the SYSTEM user. It downloads a malicious PowerShell script and executes it on a second local HTTP server, not writing any files to disk. The exploit is based on decoder’s PoC. It has been successfully tested on Windows 10 (10.0 Build 19041) 32 bits.

Pulse Connect Secure Gzip RCE

Metasploit contributor h00die added an exploit that targets Pulse Connect Secure server version 9.1R8 and earlier. The vulnerability was originally discovered by the NCC Group. It achieves authenticated remote code execution as root by uploading an encrypted config that contains an overwrite for a Perl template file. This module was made possible by rxwx, who shared the encryption code with the author. Admin credentials are required for successful root access. The module has been tested against server version 9.1R8.

New modules (8)

• SpamTitan Unauthenticated RCE by Christophe De La Fuente and Felipe Molina, which exploits CVE-2020-11698
• Pulse Secure VPN gzip RCE by David Cash, Richard Warren, Spencer McIntyre, and h00die, which exploits CVE-2020-8260
• Apache Struts 2 Forced Multi OGNL Evaluation by Alvaro Muñoz, Matthias Kaiser, Spencer McIntyre, and ka1n4t, which exploits CVE-2020-17530 and CVE-2019-0230
• SYSTEM token impersonation through NTLM bits authentication on missing WinRM Service. by Andrea Pierini (decoder), Antonio Cocomazzi (splinter_code), Cassandre, and Roberto (0xea31)
• Shodan Host Port by natto97
• WordPress Duplicator File Read Vulnerability by Hoa Nguyen – SunCSR Team and Ramuel Gall, which exploits CVE-2020-11738
• WordPress Easy WP SMTP Password Reset by h00die, which exploits CVE-2020-35234
• WordPress Total Upkeep Unauthenticated Backup Downloader by Wadeek and h00die

Enhancements and features

• PR 14566 from zeroSteiner Module auxiliary/server/socks_proxy replaces modules/auxiliary/server/socks4a.rb and modules/auxiliary/server/socks5.rb.
• PR 14538 from jmartin-r7 Improves Metasploit’s XML importer error messages when data is not Base64 encoded.
• PR 14528 from zeroSteiner Clarifies Windows Meterpreter payloads description support of XP SP2 or newer.
• PR 14522 from axxop Replaces the hardcoded default Shiro encryption key with a new datastore option that allows users to specify rememberMe cookie encryption key.
• PR 14517 from timwr Changes the osx/x64/shell_reverse_tcp payload to be generated with Metasm and captures and sends STDERR to msfconsole.
• PR 14509 from egypt This adds a Java target to the Apache Solr RCE exploit module and fixes several payload issues.
• PR 14444 from dwelch-r7 Adds a couple of missing methods from the remote data services for adding and deleting routes.

Bugs fixed

• PR 14589 from timwr Fixes a file download issue with the Android Meterpreter’s download command.
• PR 14532 from bcoles Fixes a NoMethodError exception caused by the Msf::Post::Common mixin not being included in post/android/capture/screen.
• PR 14530 from jmartin-r7 Fixes a failing test on macOS caused by IPv6 vs IPv4 result precedence.
• PR 14475 from dwelch-r7 Fixes the EICAR canary check.
• PR 14334 from Summus-git Fixes a x86 linux bind shell payloads socket closing bug.

Get it

As always, you can update to the latest Metasploit Framework with msfupdate
and you can get more details on the changes since the last blog post from
GitHub:

• Pull Requests 6.0.22…6.0.25
• Full diff 6.0.22…6.0.25

If you are a git user, you can clone the Metasploit Framework repo (master branch) for the latest.
To install fresh without using git, you can use the open-source-only Nightly Installers or the
binary installers (which also include the commercial edition).