Post Syndicated from Spencer McIntyre original https://blog.rapid7.com/2025/01/03/metasploit-2024-annual-wrap-up/
Another year has come and gone, and the Metasploit team has taken some time to review the year’s notable additions. This year saw some great new features added, Metasploit 6.4 released and a slew of new modules. We’re grateful to the community members new and old that have submitted modules and issues this year. The real privilege escalation was the privilege of working with the contributors and friends we made along the way. And so, as is tradition, let us begin the 2024 annual recap.
HTTP Relaying and ESC8
Metasploit continues to expand support for Active Directory Certificate Services AD CS attacks, also known as ESC attacks. These attacks have been popular since they were announced three years ago, and the complexity and ubiquity of enterprise AD CS setups has rendered them “gifts that keep on giving” for attackers and pen testers alike. This year, we added support for ESC8, a vulnerability in AD CS Web Enrollment service, in which authentication from a user’s SMB connection can be relayed to a Certificate Web Enrollment endpoint and used to generate a valid certificate for authentication. This means that if an attacker can coerce a user to attempt to access an SMB share, their authentication can be relayed to a certificate server for authentication. Once authenticated, the session will allow the attacker to mint certificates for any template they have permissions to access. Unlike many AD CS attacks, this is not necessarily due to a misconfiguration in a template, but is an effect of the Web Enrollment service’s use of NTLM over HTTP, which does not enable relaying protections by default.
msf6 auxiliary(server/relay/esc8) > show options
Module options (auxiliary/server/relay/esc8):
Name Current Setting Required Description
---- --------------- -------- -----------
CAINPWFILE no Name of file to store Cain&Abel hashes in. Only supports NTLMv1 hashes. Can be a path.
JOHNPWFILE no Name of file to store JohnTheRipper hashes in. Supports NTLMv1 and NTLMv2 hashes, each
of which is stored in separate files. Can also be a path.
MODE AUTO yes The issue mode. (Accepted: ALL, AUTO, QUERY_ONLY, SPECIFIC_TEMPLATE)
Proxies no A proxy chain of format type:host:port[,type:host:port][...]
RELAY_TARGETS yes Target address range or CIDR identifier to relay to
RELAY_TIMEOUT 25 yes Seconds that the relay socket will wait for a response after the client has initiated
communication.
RPORT 80 yes The target port (TCP)
SMBDomain WORKGROUP yes The domain name used during SMB exchange.
SRVHOST 0.0.0.0 yes The local host or network interface to listen on. This must be an address on the local
machine or 0.0.0.0 to listen on all addresses.
SRVPORT 445 yes The local port to listen on.
SRV_TIMEOUT 25 yes Seconds that the server socket will wait for a response after the client has initiated
communication.
SSL false no Negotiate SSL/TLS for outgoing connections
TARGETURI /certsrv/ yes The URI for the cert server.
VHOST no HTTP server virtual host
When MODE is SPECIFIC_TEMPLATE:
Name Current Setting Required Description
---- --------------- -------- -----------
CERT_TEMPLATE no The template to issue if MODE is SPECIFIC_TEMPLATE.
Auxiliary action:
Name Description
---- -----------
Relay Run SMB ESC8 relay server
View the full module info with the info, or info -d command.
msf6 auxiliary(server/relay/esc8) > set RELAY_TARGETS 10.5.132.182
RELAY_TARGETS => 10.5.132.182
msf6 auxiliary(server/relay/esc8) > run
[*] Auxiliary module running as background job 0.
msf6 auxiliary(server/relay/esc8) >
[*] SMB Server is running. Listening on 0.0.0.0:445
[*] Server started.
[*] New request from 10.5.132.191
[*] Received request for EXAMPLE\Administrator
[*] Relaying to next target http://10.5.132.182:80/certsrv/
[+] Identity: EXAMPLE\Administrator - Successfully authenticated against relay target http://10.5.132.182:80/certsrv/
[SMB] NTLMv2-SSP Client : 10.5.132.182
[SMB] NTLMv2-SSP Username : EXAMPLE\Administrator
[SMB] NTLMv2-SSP Hash : Administrator::EXAMPLE:9a0ad3b11b1b3471:b97c9d53262316974c31219cd6dd2f00:01010000000000009e0f749d1b53db013d142354bb7d5da90000000002000e004500580041004d0050004c00450001001e00570049004e002d00440052004300390048004300440049004d0041005400040016006500780061006d0070006c0065002e0063006f006d0003003600570049004e002d00440052004300390048004300440049004d00410054002e006500780061006d0070006c0065002e0063006f006d00050016006500780061006d0070006c0065002e0063006f006d00070008009e0f749d1b53db01060004000200000008003000300000000000000001000000002000007eb46f894f1cad59192724ba6164849c3e04a00c54dae36b065603553ff355c40a001000000000000000000000000000000000000900220063006900660073002f00310030002e0035002e003100330035002e003200300031000000000000000000
[+] Certificate generated using template User and EXAMPLE\Administrator
[+] Certificate for EXAMPLE\Administrator using template User saved to /home/tmoose/.msf4/loot/20241220141352_default_10.5.132.182_windows.ad.cs_360378.pfx
[*] Received request for EXAMPLE\Administrator
[*] Identity: EXAMPLE\Administrator - All targets relayed to
Meterpreter’s PoolParty
In November 2024, the Metasploit Framework improved the Windows Meterpreter capabilities by including the PoolParty Injection technique to perform code injection into remote processes. The new technique functions as a replacement to the common kernel32!CreateRemoteThread technique. This increased the stealth skills of the Meterpreter agent without removing any functionality already present. Significant effort was made to implement the cleanest injection technique in a transparent manner to the user and avoid leaving any footprint in memory after a successful injection. Currently the PoolParty injection is based on the TP_DIRECT_INSERTION variant and supports code injection on 64-bit Windows 10 and newer systems. Injection to and from WoW64 processes is partially implemented due to some security restrictions. Injection is currently limited to WoW64 to x64.
LDAP Improvements
Over the past couple of years Metasploit has improved its LDAP support substantially. There are troves of data points available in Active Directory via LDAP that aid in various attack workflows. Some examples include the domain SID, the number of computers a normal user can add, kerberoastable-accounts, vulnerable ESC templates and more. To aid users in accessing this information, Metasploit has continued to make LDAP improvements this year.
Metasploit 6.4 included multiple new protocol-based session types, one of which was LDAP. The ldap_login module can be used to open an interactive LDAP session, enabling the user to take multiple actions without needing to reconnect and reauthenticate to the target server. This feature is currently disabled by default, but can be enabled using set ldap_session_type true and then restarting Metasploit. Once established, these sessions can be used to run queries from the command line, or certain auxiliary modules, such as ldap_query and ldap_esc_vulnerable_cert_finder can use the session to gather information.
In addition to the new session type, Metasploit has added support for both channel binding and signing to enable users to operate in hardened environments. Now when Metasploit authenticates to an LDAP service, it’ll automatically use signing or channel binding as applicable based on the configuration. Signing can also be controlled using the LDAP::Signing datastore option which supports three values:
- disabled – never use signing, useful for verifying a server is requiring signing
- auto – signing will be used when it is necessary
- required – signing will always be used
Channel binding is always used when SSL is in use. Metasploit supports channel binding for both NTLM and Kerberos authentication.
This year Metasploit 6.4 released with multiple features; including the new dns command which grants the user a high degree of control over how DNS queries should be processed, and adds support for multiple new session types (PostgreSQL, MSSQL, MySQL and SMB) with the CreateSession option:
msf6 > use scanner/smb/smb_login
msf6 auxiliary(scanner/smb/smb_login) > run rhost=192.168.123.133 username=vagrant password=vagrant CreateSession=true
[*] 192.168.123.133:445 - 192.168.123.133:445 - Starting SMB login bruteforce
[+] 192.168.123.133:445 - 192.168.123.133:445 - Success: '.\vagrant:vagrant' Administrator
[*] SMB session 2 opened (192.168.123.1:52253 -> 192.168.123.133:445) at 2024-03-19 12:07:15 +0000
Each new session type supports different capabilities such as querying databases, using the SQL/SMB session with exploit modules to gain native sessions, and exploring and manipulating remote file systems:
msf6 auxiliary(scanner/smb/smb_login) > sessions -i -1
[*] Starting interaction with 1…
SMB (192.168.123.133) > ls
[-] No active share selected. Use the shares command to view available shares, and shares -i <id> to interact with one
SMB (192.168.123.133) > shares
Shares
======
# Name Type comment
- ---- ---- -------
0 ADMIN$ DISK|SPECIAL Remote Admin
1 C$ DISK|SPECIAL Default share
2 foo DISK
3 IPC$ IPC|SPECIAL Remote IPC
4 NETLOGON DISK Logon server share
5 SYSVOL DISK Logon server share
SMB (192.168.123.133) >
Metasploit 6.4 also continued to enhance support for Kerberos workflows:
Module Highlights
CVE-2023-22527
Metasploit had a great start to 2024 with the addition of a module for CVE-2023-22527 in January, which was an unauthenticated RCE in Atlassian Confluence. This module was written by Metasploit’s Spencer McIntyre aka zeroSteiner. Due to an SSTI flaw that allows an OGNL expression to be evaluated, Metasploit users can obtain OS command execution in the context of the service account. On Windows the service account is NT AUTHORITY\NETWORK SERVICE which, don’t forget, can easily be escalated to NT AUTHORITY\SYSTEM using the RPCSS namedpipe impersonation technique in Meterpreter, just type: “getsystem -t 4”!
CVE-2024-21893 + CVE-2024-21887
February kept the good times rolling with an exploit chain that works against both Ivanti Connect Secure and Ivanti Policy Secure from Rapid7’s research extraordinaire, Stephen Fewer. This module combined CVE-2024-21893, a SSRF vulnerability, with a command injection vulnerability tracked as CVE-2024-21887 in order to achieve unauthenticated remote code execution in the context of the root user.
Shadow Credentials
The Shadows Credential’s module was an incredible addition to Metasploit’s Active Directory exploit capabilities. Using an account that has write permissions over another user account object, the module adds a public key credential object to the user account’s msDS-KeyCredentialLink property, and then uses the existing PKINIT functionality in the get_ticket module to authenticate as that user. This module was written by Metasploit aficionado Ashley Donaldson aka smashery.
CVE-2024-3400
April saw some amazing additions to the Metasploit Framework including a very impactful exploit module for CVE-2024-3400. PAN-OS GlobalProtect Gateway and GlobalProtect Portal deployments with the default telemetry service enabled could be remotely exploited without authentication in order to gain code execution in the context of the root user. Rapid7’s very own Ryan Emmons PR’d this module and it was the only module this year to be awarded the “hotness” label in github, very cool.
CVE-2023-43177
This module, while being a great addition to the framework, also highlighted some great Rapid7 collaboration: the vulnerability was originally discovered by Rapid7’s Ryan Emmons and was written by the one and only Christophe De La Fuente. The exploit module leverages an Improperly Controlled Modification of Dynamically-Determined Object Attributes vulnerability (CVE-2023-43177) to achieve unauthenticated remote code execution in the context of the Administrator user on Windows and the root user on Linux.
Progress Loadmaster sudo abuse privilege escalation
In May we saw the exploitation of Progress (Kemp) Loadmaster. The vulnerability lies in the configuration to allow sudo to auto elevate when run with certain files, but grants the non-root user bal write permissions to those files. The exploit module simply overwrites one of the files that auto-elevates with /bin/bash and runs a payload within a root-enabled /bin/bash session. This heavy hitting privilege escalation module was brought to us by Metasploit powerhouse, Brendan Watters on the 10th of May.
CVE-2024-29824
July brought some of the hottest weather to the northern hemisphere it also brought some of the hottest vulns to the Metasploit Framework with the addition of yet another fantastic exploit module from Christophe De La Feunte: The Ivanti Endpoint Manager (EPM) SQLi to RCE module. This exploit works by sending a soap envelope to the application targeting one poor unsanitized database parameter which pays the ultimate price of allowing the query to be escaped and EXEC xp_cmdshell to be run. The SQLi allows for RCE in the context of the NT Service\MSSQL$LDMSDATA user.
CVE-2024-6670
While Progress WhatsUp Gold made headlines with CVE-2024-6670, community contributor h4x-x0r made haste writing an exploit module adding yet another high impact exploit module in their rookie year of Metasploit framework contributions. The vulnerability allows an unauthenticated attacker to change the password of an existing user to an attacker-controlled value potentially giving up administrative control over the application.
CVE-2024-43917
Some kids got tricks on Halloween but Metasploit got a treat – an exploit module for a SQLi in TI WooCommerce Wishlist. Submitted by one of the hardest working Metasploit community members Valentin Lobstein aka Chocapikk, this was only one of 10 WordPress plugin modules they contributed this year. We decided to highlight this particular module because with it came an entire library of SQLi functionality specifically designed to help facilitate SQLi exploitation against WordPress plugins. We love seeing this type of reusability being added to the framework.
CVE-2024-35230
They say when it rains it pours and this is all too true when looking at the amount of vulnerabilities discovered in the Windows Kernel Streaming family of drivers this year. This module, written by Metasploit’s Jack Heysel, targeted an Access Mode Mismatch LPE in ks.sys. The vulnerable driver had hardcoded the RequestorMode parameter of a KTHREAD structure to KernelMode, which eventually allows for user supplied code to be executed with SYSTEM level privileges. This bug can be found lurking in the depths of Windows 2008 SP2 all the way up to present day Windows 11 and Server 2022.
CVE-2024-27596
It wouldn’t be a proper year without some fun WordPress vulnerabilities. The CVE-2024-27596 was quite memorable as the vulnerability was contained in a popular wp-automatic plugin. The best part was that an unauthenticated user was able to perform SQL injection and even get remote code execution by uploading a malicious module. As SQL injection allows an attacker to create an admin account, the WordPress site is fully compromised.
CVE-2023-0386
This vulnerability was discovered last year, however, it has been added into Metasploit as a module only recently. And it’s one of easy-to-exploit privilege escalations. The reason why it’s so interesting is that it combines the setuid and overlay file system to run binary as root.
CVE-2024-37081
The vulnerabilities in VMWare products are always of very high interest, as these vulnerabilities can be often misused by threat actors. The CVE-2024-37081 is local privilege escalation in vCenter 8.0.0.10200 caused by misconfiguration. This misconfiguration allows the attacker to run sudo commands with preserved environmental variables such as PYTHONPATH,VMWARE_PYTHON_PATH and so.
CVE-2023-7028
When it comes to version control systems, accounts are the identity of the developer. Compromising the identity exposes the whole codebase to risk. This year, we implemented a module for CVE-2023-7028, Github account takeover. This vulnerability can be exploited without any user interaction. If the attacker provides two emails in the request for password reset – administrator’s email and attacker’s email – the reset code for the admin account gets sent back to both emails.
Remote Code Execution in CUPS
https://github.com/rapid7/metasploit-framework/pull/19630
https://github.com/rapid7/metasploit-framework/pull/19510
The CUPS vulnerability made big headlines this year. The reason is that CUPS exposed a UDP service, which was listening for any host to connect. Of course, CUPS service was vulnerable itself, allowing the attacker to execute remote code via specially crafted print jobs. The vulnerability allowed remote code execution on virtually any Linux machine that runs a vulnerable version of CUPS. We have implemented a module (cups_browsed_info_disclosure) for scanning for vulnerable CUPS services and also a module for exploitation (cups_ipp_remote_code_execution).
The entire Metasploit team would like to give a big thank you to all the contributors who added content in 2024. Your ideas and contributions make this tool greater every year. We saw code additions from 62 contributors, including 39 first-time contributors.
Here are some stats for 2024:
- Number of new modules: 165
- Number of new bug fixes: 142
- Number of new enhancements: 161
- Number of new documentations: 19
- Number of new payload enhancements: 4
Contributors in 2024 (ordered by count)
- h00die
- Chocapikk
- jvoisin
- smashery
- h00die-gr3y
- h4x-x0r (new in 2024)
- nrathaus
- bcoles
- errorxyz
- upsidedwn (new in 2024)
- The-Pink-Panther (new in 2024)
- Takahiro-Yoko (new in 2024)
- DaveYesland (new in 2024)
- NtAlexio2 (new in 2024)
- heyder
- KanchiMoe (new in 2024)
- ide0x90
- ostrichgolf (new in 2024)
- jmartin-tech
- jalvarezz13 (new in 2024)
- ArchiMoebius (new in 2024)
- molecula2788 (new in 2024)
- jjoshm (new in 2024)
- dotslashsuperstar (new in 2024)
- double16 (new in 2024)
- jlownie (new in 2024)
- randomstr1ng (new in 2024)
- SickMcNugget (new in 2024)
- n00bhaxor
- lihe07 (new in 2024)
- 6a6f656c
- AleksaZatezalo
- poupapaa (new in 2024)
- Sh3llSp4wn (new in 2024)
- ErikWynter
- siddolo (new in 2024)
- ggisz (new in 2024)
- rad10
- JustAnda7
- pczinser (new in 2024)
- james-otten
- oddlittlebird (new in 2024)
- szymonj99 (new in 2024)
- aaryan-11-x (new in 2024)
- soroshsabz (new in 2024)
- dudu7615 (new in 2024)
- Mathiou04 (new in 2024)
- GhostlyBox (new in 2024)
- Grezzo
- xaitax
- igomeow (new in 2024)
- cn-kali-team
- Adithya2357 (new in 2024)
- gardnerapp
- pmauduit (new in 2024)
- aaronjfeingold (new in 2024)
- e2002e
- softScheck (new in 2024)
- PizzaHat (new in 2024)
- sud0Ru (new in 2024)
- Fufu-btw (new in 2024)
- fanqiaojun (new in 2024)
