Tag Archives: Metasploit

Metasploit Weekly Wrap-Up 09/13/2024

Post Syndicated from Spencer McIntyre original https://blog.rapid7.com/2024/09/13/metasploit-weekly-wrap-up-09-13-2024/

SPIP Modules

This week brings more modules targeting the SPIP publishing platform. SPIP has gained some attention from Metasploit community contributors recently and has inspired some PHP payload and encoder improvements.

New module content (2)

SPIP BigUp Plugin Unauthenticated RCE

Authors: Julien Voisin, Laluka, Valentin Lobstein, and Vozec
Type: Exploit
Pull request: #19444 contributed by Chocapikk
Path: multi/http/spip_bigup_unauth_rce
AttackerKB reference: CVE-2024-8517

Description: This adds an exploit module for CVE-2024-8517, an unauthenticated RCE able to execute arbitrary PHP code.

SPIP connect Parameter PHP Injection

Authors: Arnaud Pachot, Davy Douhine, Frederic Cikala, and Valentin Lobstein
Type: Exploit
Pull request: #19432 contributed by Chocapikk
Path: multi/http/spip_connect_exec
CVE reference: BID-54292

Description: Refactors the SPIP modules for Windows compatibility and incorporates the SPIP mixin.

Enhancements and features (3)

  • #19330 from heyder – The start_service method in the http_server.rb library now allows users to specify their SSL preferences directly through the opts parameter. If the ssl option is not provided in opts, it will default to the value in datastore["SSL"].
  • #19352 from zgoldman-r7 – Adjusts the metadata for the ldap login scanner, adding defaults and adjusting the service and protocol values.
  • #19432 from Chocapikk – Refactors the SPIP modules for Windows compatibility and incorporates the SPIP mixin.

Bugs fixed (1)

  • #19439 from bcoles – This explicitly defines x86 and x64 as supported architectures for the bypassuac_comhijack module. Prior to this change there were no defined architectures and if you tried to use an x64 based payload the module would fail.

Documentation

You can find the latest Metasploit documentation on our docsite at docs.metasploit.com.

Get it

As always, you can update to the latest Metasploit Framework with msfupdate and you can get more details on the changes since the last blog post from GitHub:

If you are a git user, you can clone the Metasploit Framework repo (master branch) for the latest. To install fresh without using git, you can use the open-source-only Nightly Installers or the commercial edition Metasploit Pro.

Metasploit Weekly Wrap-Up 09/06/2024

Post Syndicated from Jack Heysel original https://blog.rapid7.com/2024/09/06/metasploit-weekly-wrap-up-42/

Honey, I shrunk the PHP payloads

This release contains more PHP payload improvements from Julien Voisin. Last week we landed a PR from Julien that added a datastore option to the php/base64 encoder which, when enabled, uses zlib to compress the payload; this significantly reduces its size, bringing a payload of 4040 bytes down to a mere 1617 bytes. This week’s release includes a php/minify encoder which removes all unnecessary characters from the payload, including comments, empty lines, leading spaces, trailing spaces, spaces after keywords and spaces before block openings. Using the php/minify encoder can take a payload of 4052 bytes down to 2839 bytes. We’d like to thank Julien for their continued commitment to improving PHP payloads!

New module content (1)

PHP Minify Encoder

Author: Julien Voisin
Type: Encoder
Pull request: #19435 contributed by jvoisin
Path: php/minify

Description: This encoder minifies PHP payloads by removing spaces after keywords and before block openings. It removes comments, empty lines, new lines and leading and trailing spaces.
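As an added illustration of the transformations listed above (this is example code, not the php/minify encoder's own implementation), the Ruby minifier below applies them through one general rule: whitespace and comments are dropped unless they separate two identifier characters, and string literals are copied through untouched. The PHP input is a constructed, harmless sample; heredoc blocks, PHP 8 `#[...]` attributes and inline HTML are assumed absent.

```ruby
require 'strscan'

# Identifier, variable, number and keyword characters. A single space is kept
# only between two of these so "return $x" does not collapse into "return$x".
WORD_CHAR = /[A-Za-z0-9_$\\]/

# Illustrative PHP minifier (not the Metasploit php/minify encoder itself).
# Removes //, # and /* */ comments, blank lines, leading/trailing whitespace,
# spaces after keywords ("if (" -> "if(") and before block openings (") {" -> "){"),
# while copying string literals through unchanged.
# Assumes plain PHP: no heredoc/nowdoc blocks, PHP 8 "#[...]" attributes or
# inline HTML after "?>", none of which this simplified scanner understands.
def minify_php(src)
  s = StringScanner.new(src)
  out = +''
  pending_space = false # whitespace or a comment was seen since the last emitted token

  emit = lambda do |text|
    if pending_space
      prev = out[-1]
      nxt  = text[0]
      # keep one space between two word characters, and between repeated
      # "+"/"-" so "$a - -$b" is not rewritten into the decrement "$a--$b"
      keep = prev && ((prev.match?(WORD_CHAR) && nxt.match?(WORD_CHAR)) ||
                      (prev == nxt && '+-'.include?(prev)))
      out << ' ' if keep
      pending_space = false
    end
    out << text
  end

  until s.eos?
    if s.scan(/\s+/)                        # whitespace, newlines, blank lines
      pending_space = true
    elsif s.scan(%r{/\*.*?\*/}m)            # block comment
      pending_space = true                  # a comment separates tokens like a space
    elsif s.scan(%r{(?://|#)[^\n]*})        # line comment, runs to end of line
      pending_space = true
    elsif s.scan(/'(?:\\.|[^'\\])*'/m)      # single-quoted string, verbatim
      emit.call(s.matched)
    elsif s.scan(/"(?:\\.|[^"\\])*"/m)      # double-quoted string, verbatim
      emit.call(s.matched)
    else
      emit.call(s.getch)                    # any other single character
    end
  end
  out
end

# Byte counts before and after, the metric the wrap-up reports for the encoder.
def minify_stats(src)
  min = minify_php(src)
  { before: src.bytesize, after: min.bytesize, output: min }
end

# Constructed sample input for this example; a harmless function, not a payload.
SAMPLE_PHP = <<~'PHP'
  <?php
  // greet a visitor
  function greet( $name ) {
      /* string literals keep their
         spacing and comment-like text */
      $msg = "Hello,  $name // not a comment";

      if ( $name == 'admin' ) {
          return $msg . '!';
      }
      return $msg;
  }
PHP

if $PROGRAM_NAME == __FILE__
  stats = minify_stats(SAMPLE_PHP)
  puts "#{stats[:before]} -> #{stats[:after]} bytes"
  puts stats[:output]
end
```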

Enhancements and features (2)

  • #19368 from h00die-gr3y – This adjusts the exploit/multi/http/geoserver_unauth_rce_cve_2024_36401 module to dynamically pull and test the feature_type list to establish RCE. This makes the module more robust against installations with different feature_type configurations.
  • #19401 from jvoisin – Adds a mixin to retrieve the SPIP version and makes use of it.

Bugs fixed (2)

  • #19381 from Takahiro-Yoko – This fixes the gitlab_login scanner so that it uses the proper datastore options Username and Password which are the standard for login scanners. Before this fix the scanner was using HttpUsername and HttpPassword and ignoring the datastore options Username and Password.
  • #19438 from cgranleese-r7 – Fixes a nil error in the ldap_login module when login is successful.

Documentation

You can find the latest Metasploit documentation on our docsite at docs.metasploit.com.

Get it

As always, you can update to the latest Metasploit Framework with msfupdate and you can get more details on the changes since the last blog post from GitHub:

If you are a git user, you can clone the Metasploit Framework repo (master branch) for the latest. To install fresh without using git, you can use the open-source-only Nightly Installers or the commercial edition Metasploit Pro.

Metasploit Weekly Wrap-Up 08/30/2024

Post Syndicated from Simon Janusz original https://blog.rapid7.com/2024/08/30/metasploit-weekly-wrap-up-08-30-2024/

A New Way to Encode PHP Payloads

A new PHP encoder has been released by a community contributor, jvoisin, allowing a PHP payload to be encoded as an ASCII-Hex string. This can then be decoded on the receiver to prevent issues with unescaped or bad characters.

Ray Vulnerabilities

This release of Metasploit Framework also features 3 new modules targeting ray.io, a framework for distributing AI-related workloads across multiple machines, which makes it an excellent exploitation target. These modules can perform arbitrary file reads, remote code execution and command injection, making them a great all-round addition to a penetration testing workflow.

The vulnerabilities for which modules are provided are:

New module content (9)

Control iD iDSecure Authentication Bypass (CVE-2023-6329)

Authors: Michael Heinzl and Tenable
Type: Auxiliary
Pull request: #19380 contributed by h4x-x0r
Path: admin/http/idsecure_auth_bypass
AttackerKB reference: CVE-2023-6329

Description: Adds an auxiliary module targeting CVE-2023-6329, an improper access control vulnerability, which allows an unauthenticated user to compute valid credentials and to add a new administrative user to the web interface of Control iD iDSecure <= v4.7.43.0.

Ivanti Virtual Traffic Manager Authentication Bypass (CVE-2024-7593)

Authors: Michael Heinzl, mxalias, and ohnoisploited
Type: Auxiliary
Pull request: #19386 contributed by h4x-x0r
Path: admin/http/ivanti_vtm_admin
AttackerKB reference: CVE-2024-7593

Description: Adds an exploit targeting CVE-2024-7593, an improper access control vulnerability in Ivanti Virtual Traffic Manager (vTM). It allows an unauthenticated remote attacker to add a new administrative user to the web interface of the product in versions before 22.7R2.

Ray static arbitrary file read

Authors: Takahiro Yokoyama, byt3bl33d3r, and danmcinerney
Type: Auxiliary
Pull request: #19363 contributed by Takahiro-Yoko
Path: gather/ray_lfi_cve_2023_6020
AttackerKB reference: CVE-2023-6020

Description: The auxiliary module allows reading files on the remote system through a local file inclusion vulnerability.

PHP Hex Encoder

Author: Julien Voisin
Type: Encoder
Pull request: #19420 contributed by jvoisin
Path: php/hex

Description: This adds an ascii-hex encoder for PHP with optional compression.

Ray Agent Job RCE

Authors: Takahiro Yokoyama, byt3bl33d3r, and sierrabearchell
Type: Exploit
Pull request: #19363 contributed by Takahiro-Yoko
Path: linux/http/ray_agent_job_rce
AttackerKB reference: CVE-2023-48022

Description: This exploit module allows for arbitrary code execution on the target.

Ray cpu_profile command injection

Authors: Takahiro Yokoyama, byt3bl33d3r, and sierrabearchell
Type: Exploit
Pull request: #19363 contributed by Takahiro-Yoko
Path: linux/http/ray_cpu_profile_cmd_injection_cve_2023_6019
AttackerKB reference: CVE-2023-6019

Description: This exploit module allows for command injection to be performed on the target.

GiveWP Unauthenticated Donation Process Exploit

Authors: EQSTSeminar, Julien Ahrens, Valentin Lobstein, and Villu Orav
Type: Exploit
Pull request: #19424 contributed by Chocapikk
Path: multi/http/wp_givewp_rce
AttackerKB reference: CVE-2024-5932

Description: Adds a new module exploits/multi/http/wp_givewp_rce which targets CVE-2024-5932 – a critical RCE vulnerability in the WordPress GiveWP plugin (up to version 3.14.1).

pgAdmin Binary Path API RCE

Authors: Ayoub Mokhtar, M.Selim Karahan, and Mustafa Mutlu
Type: Exploit
Pull request: #19422 contributed by igomeow
Path: windows/http/pgadmin_binary_path_api
AttackerKB reference: CVE-2024-3116

Description: Adds a new module targeting all versions of pgAdmin up to 8.4 which leverages CVE-2024-3116, a Remote Code Execution (RCE) flaw in the validate binary path API.

Gather electerm Passwords

Author: Kali-Team
Type: Post
Pull request: #19395 contributed by cn-kali-team
Path: multi/gather/electerm

Description: Adds a post module to gather passwords and saved session information stored in the Electerm program.

Enhanced Modules (2)

Modules which have either been enhanced, or renamed:

  • #19393 from jheysel-r7 – Adds a patch bypass for CVE-2024-32113 (the original vulnerability this module exploited). The patch released in 18.12.14 prevents the path traversal from being exploited; however, it was later disclosed that the vulnerable endpoint was accessible all along, without the need for the path traversal. CVE-2024-38856 was therefore issued as an incorrect authorization vulnerability, which was patched in version 18.12.15.
  • #19417 from Chocapikk – The new PHP filter chain evaluates a POST parameter, which simplifies the process and reduces the payload size enabling the module to send the entire payload in one POST request instead of writing the payload to a file character by character over many POST requests. Support for both Windows and Linux Meterpreter payloads, not just PHP Meterpreter, has also been added.

Enhancements and features (3)

  • #19377 from jvoisin – Not written.
  • #19409 from jvoisin – This adds additional fingerprinting checks to the existing post/linux/gather/checkvm module to more accurately identify VMs.
  • #19415 from zeroSteiner – Changes the output of the ldap_esc_vulnerable_cert_finder to be more useful, including display changes favoring useful templates and including an explanation of why a template may be vulnerable.

Bugs fixed (4)

  • #19241 from zgoldman-r7 – Replaces the use of a deprecated Ruby method to fix crashing modules.
  • #19376 from jvoisin – This fixes the php/base64 encoder, which was previously generating PHP payloads that failed when run due to the way single quotes were being inserted into the payload.
  • #19411 from dledda-r7 – Fixes a crash in Metasploit’s RPC layer when calling module.results when a nil module result was present.
  • #19421 from zeroSteiner – This updates the windows/fileformat/adobe_pdf_embedded_exe exploit to declare that it is compatible with both ARCH_X86 and ARCH_X64 payloads, since it only generates an EXE.

Documentation

You can find the latest Metasploit documentation on our docsite at docs.metasploit.com.

Get it

As always, you can update to the latest Metasploit Framework with msfupdate and you can get more details on the changes since the last blog post from GitHub:

If you are a git user, you can clone the Metasploit Framework repo (master branch) for the latest. To install fresh without using git, you can use the open-source-only Nightly Installers or the commercial edition Metasploit Pro.

Metasploit Weekly Wrap-Up 08/23/2024

Post Syndicated from Alan David Foster original https://blog.rapid7.com/2024/08/23/metasploit-weekly-wrap-up-08-23-2024/

New module content (3)

Fortra FileCatalyst Workflow SQL Injection (CVE-2024-5276)

Authors: Michael Heinzl and Tenable
Type: Auxiliary
Pull request: #19373 contributed by h4x-x0r
Path: admin/http/fortra_filecatalyst_workflow_sqli
AttackerKB reference: CVE-2024-5276

Description: This adds an auxiliary module to exploit CVE-2024-5276, a SQL injection vulnerability that allows an arbitrary administrative user to be added to the application.

SPIP Unauthenticated RCE via porte_plume Plugin

Authors: Julien Voisin, Laluka, and Valentin Lobstein
Type: Exploit
Pull request: #19394 contributed by Chocapikk
Path: multi/http/spip_porte_plume_previsu_rce

Description: Adds a new exploit/multi/http/spip_porte_plume_previsu_rce SPIP unauthenticated remote code execution (RCE) module targeting SPIP versions up to and including 4.2.12.

DIAEnergie SQL Injection (CVE-2024-4548)

Authors: Michael Heinzl and Tenable
Type: Exploit
Pull request: #19351 contributed by h4x-x0r
Path: windows/scada/diaenergie_sqli
AttackerKB reference: CVE-2024-4548

Description: This adds an exploit module for CVE-2024-4548, an unauthenticated SQL injection vulnerability that allows remote code execution as NT AUTHORITY\SYSTEM.

Bugs fixed (1)

  • #19366 from adeherdt-r7 – Updates the Jenkins login scanner to correctly determine whether authentication is required.

Documentation

You can find the latest Metasploit documentation on our docsite at docs.metasploit.com.

Get it

As always, you can update to the latest Metasploit Framework with msfupdate and you can get more details on the changes since the last blog post from GitHub:

If you are a git user, you can clone the Metasploit Framework repo (master branch) for the latest. To install fresh without using git, you can use the open-source-only Nightly Installers or the commercial edition Metasploit Pro.

Metasploit Weekly Wrap-Up 08/16/2024

Post Syndicated from Christopher Granleese original https://blog.rapid7.com/2024/08/16/metasploit-weekly-wrap-up-08-16-2014/

New module content (3)

Apache HugeGraph Gremlin RCE

Authors: 6right and jheysel-r7
Type: Exploit
Pull request: #19348 contributed by jheysel-r7
Path: linux/http/apache_hugegraph_gremlin_rce
AttackerKB reference: CVE-2024-27348

Description: Adds an Apache HugeGraph Server exploit for GHSA-29rc-vq7f-x335, which is a Remote Code Execution (RCE) vulnerability that exists in Apache HugeGraph Server in versions before 1.3.0. An attacker can bypass the sandbox restrictions and achieve RCE through Gremlin, resulting in complete control over the server.

OpenMetadata authentication bypass and SpEL injection exploit chain

Authors: Alvaro Muñoz alias pwntester (https://github.com/pwntester) and h00die-gr3y
Type: Exploit
Pull request: #19347 contributed by h00die-gr3y
Path: linux/http/openmetadata_auth_bypass_rce
AttackerKB reference: CVE-2024-28254

Description: This module chains two vulnerabilities that exist in the OpenMetadata application. The first vulnerability, CVE-2024-28255, bypasses the JWT-based API authentication. It abuses the JwtFilter, which checks the URL path of the endpoint against a list of excluded endpoints that do not require authentication. This is chained with CVE-2024-28254, which allows arbitrary SpEL injection at the endpoint.

LG Simple Editor Command Injection (CVE-2023-40504)

Authors: Michael Heinzl and rgod
Type: Exploit
Pull request: #19370 contributed by h4x-x0r
Path: windows/http/lg_simple_editor_rce_uploadvideo
CVE reference: ZDI-23-1208

Description: This adds an exploit module for CVE-2023-40504, a command injection vulnerability in LG Simple Editor application allowing the execution of arbitrary commands as NT AUTHORITY\SYSTEM.

Documentation

You can find the latest Metasploit documentation on our docsite at docs.metasploit.com.

Get it

As always, you can update to the latest Metasploit Framework with msfupdate and you can get more details on the changes since the last blog post from GitHub:

If you are a git user, you can clone the Metasploit Framework repo (master branch) for the latest. To install fresh without using git, you can use the open-source-only Nightly Installers or the commercial edition Metasploit Pro.

Metasploit Weekly Wrap-Up 08/09/2024

Post Syndicated from Zachary Goldman original https://blog.rapid7.com/2024/08/09/metasploit-weekly-wrap-up-08-09-2024/

Black Hat & DEF CON

Hopefully folks were able to catch our Rapid7 researchers @zeroSteiner & Jack Heysel show off Metasploit 6.4’s features at Black Hat, focusing on combinations that allow for new, streamlined attack workflows. If not, they will also be demoing at DEF CON tomorrow in room W304!

New module content (1)

Calibre Python Code Injection (CVE-2024-6782)

Authors: Amos Ng and Michael Heinzl
Type: Exploit
Pull request: #19357 contributed by h4x-x0r
Path: multi/misc/calibre_exec
AttackerKB reference: CVE-2024-6782

Description: Adds a module targeting CVE-2024-6782, an unauthenticated Python code injection vulnerability in the Content Server component of Calibre v6.9.0 – v7.14.0. Once enabled (disabled by default), it will listen in its default configuration on all network interfaces on TCP port 8080 for incoming traffic. The injected payload will get executed in the same context under which Calibre is being executed.

Bugs fixed (1)

  • #19355 from dledda-r7 – Fixes an issue where Meterpreter sessions would fail to migrate when MeterpreterDebugBuild is enabled.

Documentation

You can find the latest Metasploit documentation on our docsite at docs.metasploit.com.

Get it

As always, you can update to the latest Metasploit Framework with msfupdate and you can get more details on the changes since the last blog post from GitHub:

If you are a git user, you can clone the Metasploit Framework repo (master branch) for the latest. To install fresh without using git, you can use the open-source-only Nightly Installers or the commercial edition Metasploit Pro.

Metasploit Weekly Wrap-Up 08/02/2024

Post Syndicated from Zachary Goldman original https://blog.rapid7.com/2024/08/02/metasploit-weekly-wrap-up-08-02-2024/

Metasploit goes to Hacker Summer Camp

Next week, Metasploit will have demos at both Black Hat and DEF CON where the latest functionality from this year will be presented. The Black Hat demo will be on Thursday the 8th from 10:10 to 11:25 and the DEF CON demo will be on Saturday the 10th from 12:00 to 13:45.

The highlights will include demonstrations of:

New module content (2)

OpenMediaVault rpc.php Authenticated Cron Remote Code Execution

Authors: Brandon Perry and h00die-gr3y
Type: Exploit
Pull request: #19298 contributed by h00die-gr3y
Path: unix/webapp/openmediavault_auth_cron_rce
AttackerKB reference: CVE-2013-3632

Description: This adds a new module that leverages a vulnerability in OpenMediaVault versions starting from 1.0 until the recent release 7.4.2-2. This vulnerability (CVE-2013-3632) allows an authenticated user to create cron jobs as root on the system and achieve remote code execution.

mySCADA MyPRO Authenticated Command Injection (CVE-2023-28384)

Author: Michael Heinzl
Type: Exploit
Pull request: #19337 contributed by h4x-x0r
Path: windows/scada/mypro_cmdexe
AttackerKB reference: CVE-2023-28384

Description: This adds an exploit module for CVE-2023-28384, a command injection vulnerability in MySCADA MyPRO versions before and including 2.28 allowing the execution of arbitrary commands as NT AUTHORITY\SYSTEM.

Enhanced Modules (2)

Modules which have either been enhanced, or renamed:

  • #19331 from Takahiro-Yoko – This updates the linux/http/empire_skywalker exploit module to add a new technique that leverages a path traversal vulnerability in BC Security Empire versions before 5.9.3 (CVE-2024-6127). An attacker can achieve unauthenticated remote code execution over HTTP by acting as a normal agent. It is still possible to use this module against older versions from ProjectEmpire/Empire by setting a specific datastore option.
  • #19344 from jheysel-r7 – This updates the windows/http/forticlient_ems_fctid_sqli exploit module to gain code execution on FortiClient EMS FCTID for the affected version within the range 7.2.x.

Documentation

You can find the latest Metasploit documentation on our docsite at docs.metasploit.com.

Get it

As always, you can update to the latest Metasploit Framework with msfupdate and you can get more details on the changes since the last blog post from GitHub:

If you are a git user, you can clone the Metasploit Framework repo (master branch) for the latest. To install fresh without using git, you can use the open-source-only Nightly Installers or the commercial edition Metasploit Pro.

Metasploit Weekly Wrap-Up 07/26/2024

Post Syndicated from Jacquie Harris original https://blog.rapid7.com/2024/07/26/metasploit-weekly-wrap-up-41/

New module content (3)

Magento XXE Unserialize Arbitrary File Read

Authors: Heyder and Sergey Temnikov
Type: Auxiliary
Pull request: #19304 contributed by heyder
Path: gather/magento_xxe_cve_2024_34102
AttackerKB reference: CVE-2024-34102

Description: This adds an auxiliary module for an XXE in Magento which results in an arbitrary file read and is being tracked as CVE-2024-34102.

Ghostscript Command Execution via Format String

Authors: Christophe De La Fuente and Thomas Rinsma
Type: Exploit
Pull request: #19313 contributed by cdelafuente-r7
Path: multi/fileformat/ghostscript_format_string_cve_2024_29510
AttackerKB reference: CVE-2024-29510

Description: This adds an exploit module targeting CVE-2024-29510, a format string vulnerability in Ghostscript versions before 10.03.1 to achieve a SAFER sandbox bypass and execute arbitrary commands.

Softing Secure Integration Server v1.22 Remote Code Execution

Authors: Chris Anastasio (muffin) of Incite Team, Imran E. Dawoodjee, and Steven Seeley (mr_me) of Incite Team
Type: Exploit
Pull request: #19084 contributed by ide0x90
Path: windows/http/softing_sis_rce
CVE reference: ZDI-22-1156

Description: This adds a module targeting CVE-2022-1373 and CVE-2022-2334 as an exploit chain against Softing Secure Integration Server 1.22.

Enhancements and features (2)

  • #19338 from adfoster-r7 – Improves error handling and progress tracking in the auxiliary/gather/kerberos_enumusers and gather/asrep modules.
  • #19340 from adfoster-r7 – Improves setg SessionLogging support to work with command shells, and allows logging to be turned on/off at any point – not just for newly created sessions.

Documentation

You can find the latest Metasploit documentation on our docsite at docs.metasploit.com.

Get it

As always, you can update to the latest Metasploit Framework with msfupdate and you can get more details on the changes since the last blog post from GitHub:

If you are a git user, you can clone the Metasploit Framework repo (master branch) for the latest. To install fresh without using git, you can use the open-source-only Nightly Installers or the commercial edition Metasploit Pro.

Metasploit Weekly Wrap-Up 7/19/2024

Post Syndicated from Christophe De La Fuente original https://blog.rapid7.com/2024/07/19/metasploit-weekly-wrap-up-7-19-2024/

GeoServer Unauthenticated RCE

This week, contributor h00die-gr3y added an interesting exploit module that targets the GeoServer open-source application. This software is used to view, edit, and share geospatial data. Versions prior to 2.23.6, versions between 2.24.0 and 2.24.3 and versions between 2.25.0 and 2.25.1 are unsafely evaluating property names as XPath expressions, which can lead to unauthenticated remote code execution. This vulnerability is identified as CVE-2024-36401, and affects all GeoServer instances. This has been confirmed to be exploitable through WFS GetFeature, WFS GetPropertyValue, WMS GetMap, WMS GetFeatureInfo, WMS GetLegendGraphic, and WPS Execute requests.

New module content (1)

GeoServer Unauthenticated Remote Code Execution

Authors: Steve Ikeoka, h00die-gr3y, and jheysel-r7
Type: Exploit
Pull request: #19311 contributed by h00die-gr3y
Path: multi/http/geoserver_unauth_rce_cve_2024_36401
AttackerKB reference: CVE-2024-36401

Description: This adds an exploit module for CVE-2024-36401, an unauthenticated RCE vulnerability in GeoServer versions prior to 2.23.6, between version 2.24.0 and 2.24.3 and in version 2.25.0, 2.25.1.

Enhancements and features (1)

  • #19325 from pmauduit – Updates the TARGETURI description for the geoserver_unauth_rce_cve_2024_36401 module.

Bugs fixed (3)

  • #19322 from dledda-r7 – This fixes an issue that was causing some Meterpreters to consume large amounts of memory when configured with an HTTP or HTTPS transport that was unable to connect.
  • #19324 from adfoster-r7 – This updates the rpc_session library such that RPC-compatible modules are able to handle unknown sessions, i.e. rpc.call('session.compatible_modules', -1).
  • #19327 from dledda-r7 – This bumps the version of metasploit_payloads-mettle to pull in changes for the Linux and OS X Meterpreters. The changes fix an issue which prevented the sniffer extension from loading.

Documentation

You can find the latest Metasploit documentation on our docsite at docs.metasploit.com.

Get it

As always, you can update to the latest Metasploit Framework with msfupdate and you can get more details on the changes since the last blog post from GitHub:

If you are a git user, you can clone the Metasploit Framework repo (master branch) for the latest. To install fresh without using git, you can use the open-source-only Nightly Installers or the commercial edition Metasploit Pro.

Metasploit Weekly Wrap-Up 07/12/2024

Post Syndicated from Brendan Watters original https://blog.rapid7.com/2024/07/12/metasploit-weekly-wrap-up-07-12-2024/

The Usual Suspects

This release features two new exploits targeting old friends: Confluence and Ivanti. CVE-2024-21683 is a very easy vulnerability to exploit, but as pointed out in the AttackerKB Review, it requires authentication as a ‘Confluence Administrator.’ On the other hand, CVE-2024-29824 is an unauthenticated SQL Injection in Ivanti Endpoint Manager up to version 2022 SU5 that results in code execution as the NT Service user.

New module content (2)

Atlassian Confluence Administrator Code Macro Remote Code Execution

Authors: Ankita Sawlani, Huong Kieu, W01fh4cker, and remmons-r7
Type: Exploit
Pull request: #19314 contributed by remmons-r7
Path: multi/http/atlassian_confluence_rce_cve_2024_21683
AttackerKB reference: CVE-2024-21683

Description: This adds an exploit for CVE-2024-21683 which is an authenticated RCE in Atlassian Confluence affecting all versions prior to 7.17 and many versions up to 8.9.0.

Ivanti EPM RecordGoodApp SQLi RCE

Authors: Christophe De La Fuente and James Horseman
Type: Exploit
Pull request: #19274 contributed by cdelafuente-r7
Path: windows/http/ivanti_epm_recordgoodapp_sqli_rce
CVE reference: ZDI-24-507

Description: This adds an exploit for CVE-2024-29824, an unauthenticated SQLi in Ivanti Endpoint Manager 2022 SU5 and prior which can be used to obtain RCE.

Bugs fixed (1)

  • #19312 from adfoster-r7 – Fixes a regression issue that caused the Mettle sniffer extension to not correctly load.

Documentation added (2)

  • #19301 from adeherdt-r7 – Updates the documentation for setting up developer environments to include running PostgreSQL in a docker container.
  • #19315 from h00die – Removes duplicate wording from the setting up a developer environment documentation.

You can always find more documentation on our docsite at docs.metasploit.com.

Get it

As always, you can update to the latest Metasploit Framework with msfupdate and you can get more details on the changes since the last blog post from GitHub:

If you are a git user, you can clone the Metasploit Framework repo (master branch) for the latest. To install fresh without using git, you can use the open-source-only Nightly Installers or the commercial edition Metasploit Pro.

Metasploit Weekly Wrap-Up 07/05/2024

Post Syndicated from Christophe De La Fuente original https://blog.rapid7.com/2024/07/05/metasploit-wrapup-75/

I still like to MOVEit MOVEit

This week, our very own sfewer-r7 added a new exploit module that leverages an authentication bypass vulnerability in the MOVEit Transfer SFTP service (CVE-2024-5806). It is possible to authenticate to the SFTP service as any user as long as a valid username is known and the "Remote Access Rules" allow the attacker’s IP address. On a successful attack, it is possible to access any file on the SFTP server that the user has permission to access. The module lets you list directories and display (or download) files.

The following versions of MOVEit Transfer are affected:

  • MOVEit Transfer 2023.0.x (fixed in 2023.0.11)
  • MOVEit Transfer 2023.1.x (fixed in 2023.1.6)
  • MOVEit Transfer 2024.0.x (fixed in 2024.0.2)

New module content (3)

Progress MOVEit SFTP Authentication Bypass for Arbitrary File Read

Author: sfewer-r7
Type: Auxiliary
Pull request: #19295 contributed by sfewer-r7
Path: gather/progress_moveit_sftp_fileread_cve_2024_5806
AttackerKB reference: CVE-2024-5806

Description: This module exploits an authentication bypass vulnerability in the MOVEit Transfer SFTP service. The vulnerable versions are MOVEit Transfer 2023.0.x until 2023.0.11, MOVEit Transfer 2023.1.x until 2023.1.6 and MOVEit Transfer 2024.0.x until 2024.0.2; the bypass allows remote directories to be listed and files to be read without authentication.

Zyxel parse_config.py Command Injection

Authors: SSD Secure Disclosure technical team and jheysel-r7
Type: Exploit
Pull request: #19204 contributed by jheysel-r7
Path: linux/http/zyxel_parse_config_rce
AttackerKB reference: CVE-2023-33012

Description: This adds an exploit module that leverages multiple vulnerabilities in order to obtain pre-auth command injection on multiple VPN Series Zyxel devices.

Azure CLI Credentials Gatherer

Authors: James Otten and h00die
Type: Post
Pull request: #10113 contributed by james-otten
Path: multi/gather/azure_cli_creds

Description: This post module exfiltrates Azure tokens and configuration from old azure-cli versions that store them in unencrypted formats.

Enhancements and features (2)

  • #19287 from adeherdt-r7 – Updates the auxiliary/scanner/redis/redis_login module to support Redis 6.x.
  • #19297 from adeherdt-r7 – Improves the Redis login brute force functionality to better detect when auth is not required for the target.

Bugs fixed (3)

  • #19252 from zgoldman-r7 – Improves error logging for unhandled exceptions for login scanners.
  • #19285 from dledda-r7 – This fixes an issue with Meterpreter’s sysinfo command, which was failing when the current working directory had been deleted.
  • #19289 from h00die – Updates the post/linux/gather/apache_nifi_credentials module to now support extracting nifi.properties values that contain hyphens.

Documentation

You can find the latest Metasploit documentation on our docsite at docs.metasploit.com.

Get it

As always, you can update to the latest Metasploit Framework with msfupdate and you can get more details on the changes since the last blog post from GitHub:

If you are a git user, you can clone the Metasploit Framework repo (master branch) for the latest. To install fresh without using git, you can use the open-source-only Nightly Installers or the commercial edition Metasploit Pro.

Metasploit Weekly Wrap-Up 06/28/2024

Post Syndicated from Jack Heysel original https://blog.rapid7.com/2024/06/28/metasploit-weekly-wrap-up-06-28-2024/

Unauthenticated Command Injection in Netis Router

This week’s Metasploit release includes an exploit module for an unauthenticated command injection vulnerability in the Netis MW5360 router, tracked as CVE-2024-22729. The vulnerability stems from improper handling of the password parameter in the router’s web interface, which allows command injection. Fortunately for attackers, the login page’s authorization check can be bypassed simply by deleting the Authorization header, which exposes the vulnerable parameter without credentials. All router firmware versions up to V1.0.1.3442 are vulnerable.

New module content (2)

MS-NRPC Domain Users Enumeration

Author: Haidar Kabibo https://x.com/haider_kabibo
Type: Auxiliary
Pull request: #19205 contributed by sud0Ru
Path: scanner/dcerpc/nrpc_enumusers

Description: This adds a new module that can enumerate accounts on a target Active Directory Domain Controller without authenticating to it; instead the module does so by issuing a DCERPC request and analyzing the returned error status.

Netis router MW5360 unauthenticated RCE

Authors: Adhikara13 and h00die-gr3y
Type: Exploit
Pull request: #19188 contributed by h00die-gr3y
Path: linux/http/netis_unauth_rce_cve_2024_22729
AttackerKB reference: CVE-2024-22729

Description: This adds an exploit module that leverages CVE-2024-22729, a command injection vulnerability in Netis router MW5360 to achieve remote code execution as the user root. All router firmware versions up to V1.0.1.3442 are vulnerable.

Bugs fixed (3)

  • #19259 from dledda-r7 – This updates Metasploit to check for a new flag that is sent as part of the encryption key negotiation with Meterpreter which indicates if Meterpreter had to use a weak source of entropy to generate the key.
  • #19267 from zeroSteiner – Fixes a crash in the ldap_esc_vulnerable_cert_finder module when targeting an AD CS server that has a certificate template whose name contains parentheses.
  • #19283 from adeherdt-r7 – Fixes the auxiliary/scanner/redis/redis_login module to correctly track the registered service name as redis – previously it was blank.

Documentation

You can find the latest Metasploit documentation on our docsite at docs.metasploit.com.

Get it

As always, you can update to the latest Metasploit Framework with msfupdate
and you can get more details on the changes since the last blog post from
GitHub:

If you are a git user, you can clone the Metasploit Framework repo (master branch) for the latest.
To install fresh without using git, you can use the open-source-only Nightly Installers or the
commercial edition Metasploit Pro

Metasploit Weekly Wrap-Up 06/21/2024

Post Syndicated from Simon Janusz original https://blog.rapid7.com/2024/06/21/metasploit-weekly-wrap-up-06-21-2024/

Argument Injection for PHP on Windows

This week includes modules that target file traversal and arbitrary file read vulnerabilities in software such as Apache OFBiz, SolarWinds Serv-U and Check Point Security Gateway, with the highlight being a module for the recent PHP CGI vulnerability (CVE-2024-4577) submitted by sfewer-r7. The module exploits an argument injection vulnerability, resulting in remote code execution and a Meterpreter shell running in the context of the Administrator user.
Note that this attack requires the target to be running a Japanese or Chinese locale, as it relies on Windows’ best-fit character replacement for certain code pages when calling Win32 API functions.
A default configuration of XAMPP is vulnerable. The attack is unauthenticated, and the server must expose PHP in CGI mode, not FastCGI. More information on this exploit can be found on AttackerKB.
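
A defender’s view of the same bug, as an added example that is not part of the post or of the Metasploit module: the check below scans constructed Apache-style access log lines for requests whose query string would be handed to php-cgi as command-line arguments (a CGI query string with no literal "=" is split on "+" and passed as argv) and flags arguments that start with "-" or with the byte 0xAD. php-cgi already rejects arguments beginning with "-"; the new bypass works because on the Japanese and Chinese code pages Windows best-fit mapping turns 0xAD (soft hyphen) into 0x2D after that check. The log lines, paths and the display_errors option are constructed for the example.

```ruby
# Percent-decode one argv token into a binary string so 0xAD stays a raw byte
# instead of being mangled by a UTF-8 decoder.
def decode_query_token(token)
  token.b.gsub(/%([0-9A-Fa-f]{2})/) { $1.hex.chr }
end

# An argument "looks like an option" when its first byte is "-" (0x2D) or the
# soft hyphen 0xAD that best-fit mapping turns into "-", followed by a letter.
def option_like?(arg)
  first, second = arg.bytes[0], arg.bytes[1]
  return false unless first && second
  (first == 0x2D || first == 0xAD) &&
    (second.between?(0x41, 0x5A) || second.between?(0x61, 0x7A))
end

# Decoded argv-style tokens that php-cgi would see as options, or [] when the
# request is not argument-style (contains a literal "=") or does not target PHP.
def php_cgi_option_args(request_target)
  path, query = request_target.split('?', 2)
  return [] unless query && !query.include?('=')
  return [] unless path =~ /\.php\z/i || path =~ /php-cgi/i

  query.split('+').map { |t| decode_query_token(t) }.select { |a| option_like?(a) }
end

# Apache combined-format scanner: returns [[line, flagged_args], ...].
def scan_access_log(lines)
  lines.filter_map do |line|
    m = line.match(/"(?:GET|POST|HEAD)\s+(\S+)\s+HTTP\/[\d.]+"/)
    next unless m
    args = php_cgi_option_args(m[1])
    [line, args] unless args.empty?
  end
end

# Constructed sample lines (not real traffic). Only the second and third carry
# an option-style argument; the fourth has %AD in a non-leading position.
SAMPLE_ACCESS_LOG = [
  '198.51.100.7 - - [21/Jun/2024:10:00:01 +0000] "GET /index.php?page=home HTTP/1.1" 200 512',
  '198.51.100.7 - - [21/Jun/2024:10:00:02 +0000] "GET /index.php?%ADd+display_errors%3d1 HTTP/1.1" 200 18',
  '198.51.100.9 - - [21/Jun/2024:10:00:03 +0000] "GET /cgi-bin/php-cgi.exe?-d+display_errors%3d1 HTTP/1.1" 403 0',
  '198.51.100.9 - - [21/Jun/2024:10:00:04 +0000] "GET /search.php?q%3dsoft%ADhyphen HTTP/1.1" 200 77'
].freeze

if __FILE__ == $PROGRAM_NAME
  scan_access_log(SAMPLE_ACCESS_LOG).each do |line, args|
    puts "#{line}\n  option-style argv: #{args.map { |a| a.unpack1('H*') }.join(' ')}"
  end
end
```

The decode step matters: a rule that looks for the literal string "-d" in URLs misses the 0xAD form entirely, and a rule that fires on any %AD is noisy, since the byte is harmless once it is not in the first position of an argv token.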

New module content (4)

Check Point Security Gateway Arbitrary File Read

Author: remmons-r7
Type: Auxiliary
Pull request: #19221 contributed by remmons-r7
Path: gather/checkpoint_gateway_fileread_cve_2024_24919
AttackerKB reference: CVE-2024-24919

Description: This module leverages an unauthenticated arbitrary root file read vulnerability for Check Point Security Gateway appliances. When the IPSec VPN or Mobile Access blades are enabled on affected devices, traversal payloads can be used to read any files on the local file system. This vulnerability is tracked as CVE-2024-24919.

SolarWinds Serv-U Unauthenticated Arbitrary File Read

Authors: Hussein Daher and sfewer-r7
Type: Auxiliary
Pull request: #19255 contributed by sfewer-r7
Path: gather/solarwinds_servu_fileread_cve_2024_28995
AttackerKB reference: CVE-2024-28995

Description: This module exploits an unauthenticated file read vulnerability, due to directory traversal, affecting SolarWinds Serv-U FTP Server 15.4, Serv-U Gateway 15.4, and Serv-U MFT Server 15.4. All versions prior to the vendor supplied hotfix "15.4.2 Hotfix 2" (version 15.4.2.157) are affected.

Apache OFBiz Forgot Password Directory Traversal

Authors: Mr-xn and jheysel-r7
Type: Exploit
Pull request: #19249 contributed by jheysel-r7
Path: multi/http/apache_ofbiz_forgot_password_directory_traversal
AttackerKB reference: CVE-2024-32113

Description: This adds an exploit for CVE-2024-32113, which is an unauthenticated RCE in Apache OFBiz.

PHP CGI Argument Injection Remote Code Execution

Authors: Orange Tsai, sfewer-r7, and watchTowr
Type: Exploit
Pull request: #19247 contributed by sfewer-r7
Path: windows/http/php_cgi_arg_injection_rce_cve_2024_4577
AttackerKB reference: CVE-2024-4577

Description: Windows systems running Japanese or Chinese (simplified or traditional) locales are vulnerable to a PHP CGI argument injection vulnerability. This exploit module returns a session running in the context of the Administrator user.

Enhancements and features (2)

  • #18829 from cdelafuente-r7 – Adding multiple HttpServer services in a module is sometimes complex since they share the same methods. This usually causes situations where #on_request_uri needs to be overridden to handle requests coming from each service. This updates the cmdstager and the Java HTTP ClassLoader mixins, since these are commonly used in the same module. This also updates the manageengine_servicedesk_plus_saml_rce_cve_2022_47966 module to make use of these new changes.
  • #19229 from softScheck – The junos_phprc_auto_prepend_file module used to depend on having a user authenticated to the J-Web application to steal the necessary session tokens in order to exploit. With this enhancement the module will now create a session if one doesn’t exist. It also adds datastore options to change the hash format to be compatible with older versions, as well as an option to attempt to set ssh root login to true before attempting to establish a root ssh session.

Bugs fixed (4)

  • #19176 from Fufu-btw – This adds the x86 and x64 architectures to the exploit/windows/http/dnn_cookie_deserialization_rce module’s target metadata.
  • #19253 from aaronjfeingold – This fixes an incorrect CVE reference in the exploit/unix/http/zivif_ipcheck_exec module.
  • #19256 from adfoster-r7 – Fix warnings in acceptance tests.
  • #19261 from zeroSteiner – Fixed powershell_base64 encoder to execute encoded strings correctly.

Documentation

You can find the latest Metasploit documentation on our docsite at docs.metasploit.com.

Get it

As always, you can update to the latest Metasploit Framework with msfupdate
and you can get more details on the changes since the last blog post from
GitHub:

If you are a git user, you can clone the Metasploit Framework repo (master branch) for the latest.
To install fresh without using git, you can use the open-source-only Nightly Installers or the
commercial edition Metasploit Pro

Metasploit Weekly Wrap-Up 06/14/2024

Post Syndicated from Alan David Foster original https://blog.rapid7.com/2024/06/14/metasploit-weekly-wrap-up-06-14-2024/

New module content (5)

Telerik Report Server Auth Bypass

Authors: SinSinology and Spencer McIntyre
Type: Auxiliary
Pull request: #19242 contributed by zeroSteiner
Path: scanner/http/telerik_report_server_auth_bypass
AttackerKB reference: CVE-2024-4358

Description: This adds an exploit for CVE-2024-4358 which is an authentication bypass in Telerik Report Server versions up to and including 10.0.24.305.

Cacti Import Packages RCE

Authors: Christophe De La Fuente and Egidio Romano
Type: Exploit
Pull request: #19196 contributed by cdelafuente-r7
Path: multi/http/cacti_package_import_rce
AttackerKB reference: CVE-2024-25641

Description: This exploit module leverages an arbitrary file write vulnerability (CVE-2024-25641) in Cacti versions prior to 1.2.27 to achieve RCE. It abuses the Import Packages feature to upload a specially crafted package that embeds a PHP file.

VSCode ipynb Remote Development RCE

Authors: Zemnmez and h00die
Type: Exploit
Pull request: #18998 contributed by h00die
Path: multi/misc/vscode_ipynb_remote_dev_exec
AttackerKB reference: CVE-2022-41034

Description: VSCode allows users to open a Jupyter notebook (.ipynb) file. Versions v1.4.0 – v1.71.1 allow the Jupyter notebook to embed HTML and JavaScript, which can then open new terminal windows within VSCode. Each of these new windows can then execute arbitrary code at startup. This vulnerability is tracked as CVE-2022-41034.

Rejetto HTTP File Server (HFS) Unauthenticated Remote Code Execution

Authors: Arseniy Sharoglazov and sfewer-r7
Type: Exploit
Pull request: #19240 contributed by sfewer-r7
Path: windows/http/rejetto_hfs_rce_cve_2024_23692
AttackerKB reference: CVE-2024-23692

Description: Adds an exploit module for CVE-2024-23692, an unauthenticated SSTI in the Rejetto HTTP File Server (HFS).

Telerik Report Server Auth Bypass and Deserialization RCE

Authors: SinSinology, Soroush Dalili, Spencer McIntyre, and Unknown
Type: Exploit
Pull request: #19243 contributed by zeroSteiner
Path: windows/http/telerik_report_server_deserialization
AttackerKB reference: CVE-2024-4358

Description: This adds an exploit for CVE-2024-1800 which is an authenticated RCE in Telerik Report Server. To function without authentication it chains CVE-2024-4358 to create a new administrator account before launching the authenticated RCE.

Enhancements and features (4)

  • #19191 from adfoster-r7 – Adds support for Ruby 3.4.0-preview1.
  • #19197 from sjanusz-r7 – Updates the new PostgreSQL, MSSQL, and MySQL session types to track the history of commands that the user has entered.
  • #19199 from cgranleese-r7 – Updates brute force modules to output a summary of the credentials discovered. This functionality is currently opt-in via the features set show_successful_logins true msfconsole command.
  • #19225 from h00die – This adds a link to android payload issues to increase visibility.

Bugs fixed (3)

  • #19235 from cgranleese-r7 – Fixes an issue where Java payloads zip paths were not being created properly.
  • #19239 from e2002e – Updates the modules/auxiliary/gather/zoomeye_search module to work again.
  • #19248 from zgoldman-r7 – This removes an extra rescue clause added in error and allows the actual rescue clause to rescue exceptions properly in the event a staged http[s] payload calls back to a stageless http[s] listener.

Documentation

You can find the latest Metasploit documentation on our docsite at docs.metasploit.com.

Get it

As always, you can update to the latest Metasploit Framework with msfupdate
and you can get more details on the changes since the last blog post from
GitHub:

If you are a git user, you can clone the Metasploit Framework repo (master branch) for the latest.
To install fresh without using git, you can use the open-source-only Nightly Installers or the commercial edition Metasploit Pro

Metasploit Weekly Wrap-Up 06/07/2024

Post Syndicated from Brendan Watters original https://blog.rapid7.com/2024/06/07/metasploit-weekly-wrap-up-06-07-2024/

New OSX payloads: ARMed and Dangerous

In addition to an exploit leveraging CVE-2024-5084 to gain RCE through the WordPress Hash Form plugin, this release features several new binary OSX stageless payloads with aarch64 support: Execute Command, Shell Bind TCP, and Shell Reverse TCP.

The new osx/aarch64/shell_bind_tcp payload opens a listening port on the target machine; the attacker connects to that port to receive a command shell, spawned via the execve system call on Apple silicon machines.

The new osx/aarch64/shell_reverse_tcp payload connects back to the attacker’s configured LHOST and LPORT and spawns a command shell via the execve system call on Apple silicon machines.
The new osx/aarch64/exec payload executes an arbitrary user-provided command via the execve system call on Apple silicon machines, for example:

msf6 payload(osx/aarch64/exec) > generate -f macho cmd="/bin/bash -c 'echo 123 && echo abc && whoami && echo 🔥'" -o shell
[*] Writing 50072 bytes to shell…

And executing:

$ chmod +x ./shell
$ ./shell
123
abc
user
🔥

New module content (4)

WordPress Hash Form Plugin RCE

Authors: Francesco Carlucci and Valentin Lobstein
Type: Exploit
Pull request: #19208 contributed by Chocapikk
Path: multi/http/wp_hash_form_rce
AttackerKB reference: CVE-2024-5084

Description: This adds an exploit module that leverages a vulnerability in the WordPress Hash Form – Drag & Drop Form Builder plugin (CVE-2024-5084) to achieve remote code execution. Versions up to and including 1.1.0 are vulnerable. This allows unauthenticated attackers to upload arbitrary files, including PHP scripts, due to missing file type validation in the file_upload_action function.

OSX aarch64 Execute Command

Author: alanfoster
Type: Payload (Single)
Pull request: #18646 contributed by AlanFoster
Path: osx/aarch64/exec

Description: Add osx aarch64 exec payload.

OSX aarch64 Shell Bind TCP

Author: alanfoster
Type: Payload (Single)
Pull request: #18776 contributed by AlanFoster
Path: osx/aarch64/shell_bind_tcp

Description: Add osx aarch64 bind tcp payload.

OSX aarch64 Shell Reverse TCP

Author: alanfoster
Type: Payload (Single)
Pull request: #18652 contributed by AlanFoster
Path: osx/aarch64/shell_reverse_tcp

Description: Add osx aarch64 shell reverse tcp payload.

Enhancements and features (0)

None

Bugs fixed (4)

  • #19209 from zgoldman-r7 – Updates multiple file format exploits to show the default settings to users when running show options.
  • #19211 from sjanusz-r7 – Fixes an issue where the database management logic would default a model’s updated_at value to incorrectly be set to the created_at value.
  • #19217 from zgoldman-r7 – Fixes path tab completion for modules when using Ruby 3.2+.
  • #19227 from bcoles – Fixed an issue in Moodle::Login.moodle_login that reported a false negative when logging in with user’s credentials.

Documentation

You can find the latest Metasploit documentation on our docsite at docs.metasploit.com.

Get it

As always, you can update to the latest Metasploit Framework with msfupdate
and you can get more details on the changes since the last blog post from
GitHub:

If you are a git user, you can clone the Metasploit Framework repo (master branch) for the latest.
To install fresh without using git, you can use the open-source-only Nightly Installers or the
commercial edition Metasploit Pro

Metasploit Weekly Wrap-Up 05/31/2024

Post Syndicated from Brendan Watters original https://blog.rapid7.com/2024/05/31/metasploit-weekly-wrap-up-05-31-2024/

Quis dīrumpet ipsos dīrumpēs

In this release, we feature a double-double: two pairs of modules, each pair targeting one piece of software. The first pair is from h00die and targets the Jasmin Ransomware web server: one module uses CVE-2024-30851 to retrieve the login for the ransomware server, and the other exploits a directory traversal vulnerability allowing arbitrary file read. The second pair, from Dave Yesland of Rhino Security Labs, targets Progress Flowmon with CVE-2024-2389 and pairs nicely with the accompanying privilege escalation module.

New module content (4)

Jasmin Ransomware Web Server Unauthenticated Directory Traversal

Authors: chebuya and h00die
Type: Auxiliary
Pull request: #19103 contributed by h00die
Path: gather/jasmin_ransomware_dir_traversal
AttackerKB reference: CVE-2024-30851

Description: This adds an unauthenticated directory traversal and a SQLi exploit against the Jasmin ransomware web panel.

Jasmin Ransomware Web Server Unauthenticated SQL Injection

Authors: chebuya and h00die
Type: Auxiliary
Pull request: #19103 contributed by h00die
Path: gather/jasmin_ransomware_sqli

Description: This adds an unauthenticated directory traversal and a SQLi exploit against the Jasmin ransomware web panel.

Flowmon Unauthenticated Command Injection

Author: Dave Yesland with Rhino Security Labs
Type: Exploit
Pull request: #19150 contributed by DaveYesland
Path: linux/http/progress_flowmon_unauth_cmd_injection
AttackerKB reference: CVE-2024-2389

Description: Unauthenticated Command Injection Module for Progress Flowmon CVE-2024-2389.

Progress Flowmon Local sudo privilege escalation

Author: Dave Yesland with Rhino Security Labs
Type: Exploit
Pull request: #19151 contributed by DaveYesland
Path: linux/local/progress_flowmon_sudo_privesc_2024

Description: Privilege escalation module for an unpatched feature in Progress Flowmon.

Enhancements and features (3)

Bugs fixed (0)

None

Documentation

You can find the latest Metasploit documentation on our docsite at docs.metasploit.com.

Get it

As always, you can update to the latest Metasploit Framework with msfupdate
and you can get more details on the changes since the last blog post from
GitHub:

If you are a git user, you can clone the Metasploit Framework repo (master branch) for the latest.
To install fresh without using git, you can use the open-source-only Nightly Installers or the
commercial edition Metasploit Pro

Metasploit Weekly Wrap-Up 05/23/2024

Post Syndicated from Zachary Goldman original https://blog.rapid7.com/2024/05/23/metasploit-weekly-wrap-up-05-23-2024/

Infiltrate the Broadcast!

A new module from Chocapikk allows the user to perform remote code execution on vulnerable versions (12.4 – 14.2) of the streaming platform AVideo. The multi/http/avideo_wwbnindex_unauth_rce module leverages CVE-2024-31819, a local file inclusion exploitable via PHP filter chaining, to gain unauthenticated and unprivileged code execution, earning it an attacker value of High on AttackerKB.

New module content (8)

Chaos RAT XSS to RCE

Authors: chebuya and h00die
Type: Exploit
Pull request: #19104 contributed by h00die
Path: linux/http/chaos_rat_xss_to_rce
AttackerKB reference: CVE-2024-30850

Description: Adds an exploit for Chaos RAT v5.0.8, which contains a remote command execution vulnerability reachable through one of three routes: with credentials, with a JWT token taken from an agent, or by providing an agent executable from which the JWT token is extracted.

AVideo WWBNIndex Plugin Unauthenticated RCE

Author: Valentin Lobstein
Type: Exploit
Pull request: #19071 contributed by Chocapikk
Path: multi/http/avideo_wwbnindex_unauth_rce
AttackerKB reference: CVE-2024-31819

Description: Adds a module for CVE-2024-31819 which exploits an LFI in AVideo which uses PHP Filter Chaining to turn the LFI into unauthenticated RCE.

NorthStar C2 XSS to Agent RCE

Authors: chebuya and h00die
Type: Exploit
Pull request: #19102 contributed by h00die
Path: windows/http/northstar_c2_xss_to_agent_rce
AttackerKB reference: CVE-2024-28741

Description: Adds an exploit for CVE-2024-28741 which exploits an XSS vulnerability in Northstar C2.

Adi IRC credential gatherer

Authors: Barwar Salim M, Daniel Hallsworth, Jacob Tierney, Kazuyoshi Maruta, and Z. Cliffe Schreuders
Type: Post
Pull request: #19169 contributed by The-Pink-Panther
Path: windows/gather/credentials/adi_irc

Description: This adds a gather module leveraging Packrat targeting Adi IRC client.

CarotDAV credential gatherer

Authors: Barwar Salim M, Daniel Hallsworth, Jacob Tierney, Kazuyoshi Maruta, and Z. Cliffe Schreuders
Type: Post
Pull request: #19173 contributed by The-Pink-Panther
Path: windows/gather/credentials/carotdav_ftp

Description: This adds a gather module leveraging Packrat targeting the CarotDAV FTP client.

Halloy IRC credential gatherer

Authors: Barwar Salim M, Daniel Hallsworth, Jacob Tierney, Kazuyoshi Maruta, and Z. Cliffe Schreuders
Type: Post
Pull request: #19165 contributed by The-Pink-Panther
Path: windows/gather/credentials/halloy_irc

Description: This adds a module leveraging Packrat to gather credentials against the Halloy IRC client.

Quassel IRC credential gatherer

Authors: Barwar Salim M, Daniel Hallsworth, Jacob Tierney, Kazuyoshi Maruta, and Z. Cliffe Schreuders
Type: Post
Pull request: #19166 contributed by The-Pink-Panther
Path: windows/gather/credentials/quassel_irc

Description: This adds a gather module leveraging Packrat targeting Quassel IRC client.

Sylpheed email credential gatherer

Authors: Barwar Salim M, Daniel Hallsworth, Jacob Tierney, Kazuyoshi Maruta, and Z. Cliffe Schreuders
Type: Post
Pull request: #19171 contributed by The-Pink-Panther
Path: windows/gather/credentials/sylpheed

Description: This adds a gather module leveraging Packrat targeting Sylpheed Email client.

Enhancements and features (1)

  • #19189 from adfoster-r7 – Updates Metasploit framework’s default Ruby version to 3.1.5; newer Ruby versions are also supported.

Bugs fixed (4)

  • #19002 from adfoster-r7 – Fixed persistent jobs not working when restarting msfconsole.
  • #19170 from sjanusz-r7 – Fixes the smb_lookupsid module hanging with STATUS_PENDING when running against Samba targets.
  • #19186 from dwelch-r7 – Fixes a bug where the show advanced command could show normal options.
  • #19192 from adfoster-r7 – Fix crashing mipsel modules when running Ruby 3.3.0.

Documentation

You can find the latest Metasploit documentation on our docsite at docs.metasploit.com.

Get it

As always, you can update to the latest Metasploit Framework with msfupdate
and you can get more details on the changes since the last blog post from
GitHub:

If you are a git user, you can clone the Metasploit Framework repo (master branch) for the latest.
To install fresh without using git, you can use the open-source-only Nightly Installers or the
commercial edition Metasploit Pro

Metasploit Wrap-Up 05/17/2024

Post Syndicated from Spencer McIntyre original https://blog.rapid7.com/2024/05/17/metasploit-wrap-up-05-17-2024/

LDAP Authentication Improvements

This week, in Metasploit v6.4.9, the team has added multiple improvements for LDAP related attacks. Two improvements relating to authentication are the new support for signing and channel binding. Microsoft has been making changes to harden communications with Domain Controllers, and organizations are adopting these policies, which leaves LDAP tools lacking the necessary features unable to operate. The intention behind these changes is to protect communications with Domain Controllers from relay attacks. There are, however, plenty of scenarios in which users may want to authenticate to a domain controller directly with known credentials to perform a variety of tasks.

The new improvements allow Metasploit users to authenticate via either NTLM or Kerberos to LDAP servers with these hardening settings in place. Signing is performed opportunistically by default (LDAP::Signing=auto); it can be disabled entirely by setting LDAP::Signing to disabled, or made mandatory by setting it to required. Note that required will raise exceptions for configurations that are incompatible with signing, e.g. connecting over SSL (LDAPS) or using plaintext / simple authentication. At this time channel binding is enabled automatically and cannot be disabled in the same way. When connecting over SSL and authenticating with either NTLM or Kerberos, the binding information is provided to the server.
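
What that binding information is, as an added example that is not part of the post or of Metasploit’s LDAP code: for LDAP over TLS the channel binding type is tls-server-end-point from RFC 5929, a hash of the server’s DER-encoded certificate. NTLM carries it in the MsvAvChannelBindings AV pair as an MD5 over a gss_channel_bindings_struct wrapping that hash (MS-NLMP 3.1.5.1.2), and Kerberos places the same MD5 in the Bnd field of its GSS-API authenticator checksum (RFC 4121). The certificate bytes below are constructed, and hashing with SHA-256 is an assumption (RFC 5929 uses the hash from the certificate’s signature algorithm, with MD5 and SHA-1 upgraded to SHA-256).

```ruby
require 'digest/md5'
require 'digest/sha2'

# tls-server-end-point binding (RFC 5929): the prefix plus a hash of the
# server's DER certificate. Assumption: the certificate is SHA-256 signed.
def tls_server_end_point(der_cert)
  'tls-server-end-point:'.b + Digest::SHA256.digest(der_cert)
end

# gss_channel_bindings_struct as NTLM hashes it (MS-NLMP 3.1.5.1.2):
# initiator addrtype + address length and acceptor addrtype + address length
# are all zero (8 + 8 bytes), then the 32-bit little-endian length of
# application_data followed by application_data itself.
def gss_channel_bindings_struct(application_data)
  ("\x00" * 16).b + [application_data.bytesize].pack('V') + application_data.b
end

# The 16-byte value carried in the NTLMv2 MsvAvChannelBindings AV pair and in
# the Bnd field of the Kerberos GSS-API checksum (RFC 4121 section 4.1.1).
def channel_binding_token(der_cert)
  Digest::MD5.digest(gss_channel_bindings_struct(tls_server_end_point(der_cert)))
end

# What a client sends when it has no TLS channel to bind to; a domain
# controller configured for "Always" channel binding rejects this.
NO_CHANNEL_BINDING = ("\x00" * 16).b

# Constructed stand-in for a DER certificate. Real code takes the bytes from
# the LDAPS socket's peer certificate (OpenSSL::SSL::SSLSocket#peer_cert.to_der).
SAMPLE_DER_CERT = %w[30 82 01 0a 30 81 f5 a0 03 02 01 02].map(&:hex).pack('C*')

if __FILE__ == $PROGRAM_NAME
  puts "MsvAvChannelBindings = #{channel_binding_token(SAMPLE_DER_CERT).unpack1('H*')}"
end
```

A domain controller enforcing channel binding recomputes this value from its own certificate and compares. A relayed session cannot match: the victim either sent sixteen zero bytes or hashed the attacker’s certificate, not the DC’s. A client authenticating directly over LDAPS with known credentials, which is the scenario the improvement targets, produces the right value and is accepted.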

For users that are unfamiliar with the semi-recent authentication configuration changes introduced in Metasploit v6.3, LDAP modules have an LDAP::Auth option that can be set to one of auto, ntlm, kerberos, schannel, or plaintext.

LDAP Session

In addition to the new LDAP authentication improvements, Metasploit added its latest session type, LDAP sessions, this week. Metasploit v6.4 added new protocol-based sessions that allow modules to be run against persistent connections for a variety of services including SMB, MSSQL and MySQL. Once the feature is enabled by running features set ldap_session_type true, users can open sessions with the auxiliary/scanner/ldap/ldap_login module and the CreateSession option. These new sessions allow users to authenticate once and interact with the connection, running queries or modules such as:

By interacting with the session, the query command becomes available to run queries interactively. It has a few options allowing the scope, attributes and filter to be set.

LDAP (192.0.2.197) > query -h
Usage: query -f <filter string> -a <attributes>

Run the query against the session.

OPTIONS:

    -a, --attributes      Comma separated list of attributes for the query
    -b, --base-dn         Base dn for the query
    -f, --filter          Filter string for the query (default: (objectclass=*))
    -h, --help            Help menu
    -o, --output-format   Output format: `table`, `csv` or `json` (default: table)
    -s, --scope           Scope for the query: `base`, `single`, `whole` (default: whole)

As an example, basic information about the domain can be queried:

LDAP (192.0.2.197) > query -a ms-DS-MachineAccountQuota,objectSID,name -f '(objectClass=domain)'
DC=labs1collabu0,DC=local
=========================

 Name                       Attributes
 ----                       ----------
 ms-ds-machineaccountquota  10
 name                       labs1collabu0
 objectsid                  S-1-5-21-795503-3050334394-3644400624

New module content (2)

Windows Registry Security Descriptor Utility

Author: Christophe De La Fuente
Type: Auxiliary
Pull request: #19115 contributed by cdelafuente-r7
Path: admin/registry_security_descriptor

Description: This adds a module to read and write the security descriptor of Windows registry keys.

Kemp LoadMaster Local sudo privilege escalation

Authors: Dave Yesland with Rhino Security Labs and bwatters-r7
Type: Exploit
Pull request: #19100 contributed by bwatters-r7
Path: linux/local/progress_kemp_loadmaster_sudo_privesc_2024

Description: This adds a privilege escalation exploit module for LoadMaster that abuses the configuration of the sudo command combined with weak file system permissions. There is no CVE for this vulnerability.

Enhancements and features (3)

  • #19058 from dwelch-r7 – This adds an LDAP session type allowing users and modules to interact directly with LDAP servers without uploading a payload.
  • #19132 from zeroSteiner – Add channel binding information to Metasploit’s NTLM and Kerberos authentication for the LDAP protocol. This enables users to authenticate to domain controllers where the hardened security configuration setting is in place.
  • #19172 from cgranleese-r7 – Updates the debug command to export the currently enabled user features.

Bugs fixed (1)

  • #19183 from adfoster-r7 – Fix windows platform detection bug when running on a UCRT compiled environment.

Documentation

You can find the latest Metasploit documentation on our docsite at docs.metasploit.com.

Get it

As always, you can update to the latest Metasploit Framework with msfupdate
and you can get more details on the changes since the last blog post from
GitHub:

If you are a git user, you can clone the Metasploit Framework repo (master branch) for the latest.
To install fresh without using git, you can use the open-source-only Nightly Installers or the
commercial edition Metasploit Pro

Metasploit Wrap-Up 05/10/2024

Post Syndicated from Christopher Granleese original https://blog.rapid7.com/2024/05/10/metasploit-wrap-up-05-10-2024/

Password Spraying support

Multiple brute force/login scanner modules have been updated to support a PASSWORD_SPRAY module option. This work was completed in pull request #19079 from nrathaus, with an additional update from our developers. When the password spraying option is set, the order in which user and password combinations are attempted changes.

For example, with the usernames user1 and user2 and the passwords password1 and password2, the default brute force logic attempts all passwords against the first user before continuing to the next user:

user1:password1
user1:password2
user2:password1
user2:password2

When the PASSWORD_SPRAY option is set, each password is tried against each username first:

user1:password1
user2:password1
user1:password2
user2:password2

This change of order can be useful as it decreases the risk of account lock out for larger password lists.
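
The two orders, and the lockout caveat, as an added example that is not the login scanner’s own code: spraying only keeps accounts safe while the number of passwords tried against each account inside one lockout observation window stays below the threshold, so a long password list has to be cut into batches that are run one window apart. The lockout policy numbers, user names and passwords below are constructed for the example.

```ruby
# Default brute force order: every password against user1, then user2, ...
def bruteforce_order(users, passwords)
  users.product(passwords)
end

# Spray order: one password across every user before moving to the next.
def spray_order(users, passwords)
  passwords.product(users).map { |password, user| [user, password] }
end

def format_attempts(pairs)
  pairs.map { |user, password| "#{user}:#{password}" }
end

# Hypothetical lockout policy: `threshold` bad attempts inside `window_seconds`
# locks the account. Values are assumptions for the example, not from the post.
LockoutPolicy = Struct.new(:threshold, :window_seconds)

# Cut the password list into batches that each stay one attempt below the
# threshold for every account; run a batch, wait out the window, run the next.
def spray_batches(users, passwords, policy)
  per_window = policy.threshold - 1
  raise ArgumentError, 'lockout threshold must be at least 2' if per_window < 1
  passwords.each_slice(per_window).map { |batch| spray_order(users, batch) }
end

# Sanity check for a batch: the most attempts any single account receives.
def max_attempts_per_user(batch)
  batch.group_by(&:first).values.map(&:length).max
end

if __FILE__ == $PROGRAM_NAME
  users, passwords = %w[user1 user2], %w[password1 password2]
  puts 'brute force order:', format_attempts(bruteforce_order(users, passwords))
  puts 'spray order:', format_attempts(spray_order(users, passwords))

  policy = LockoutPolicy.new(5, 30 * 60) # 5 failures per 30 minutes (assumed)
  spray_batches(users, %w[Winter2024! Summer2024! Password1 Welcome1 Company123], policy)
    .each_with_index { |batch, i| puts "batch #{i + 1}: #{format_attempts(batch).join(' ')}" }
end
```

The batch size is threshold minus one rather than the threshold itself, because the account may already carry failed attempts from legitimate users inside the same window.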

New module content (4)

CVE-2024-20767 – Adobe Coldfusion Arbitrary File Read

Authors: Christiaan Beek, jheysel-r7, ma4ter, and yoryio
Type: Auxiliary
Pull request: #19050 contributed by jheysel-r7
Path: gather/coldfusion_pms_servlet_file_read
AttackerKB reference: CVE-2024-20767

Description: This adds an auxiliary module to exploit an Arbitrary File Read Vulnerability in Adobe ColdFusion versions prior to ‘2023 Update 6’ and prior to ‘2021 Update 12’.

CrushFTP Unauthenticated Arbitrary File Read

Author: remmons-r7
Type: Auxiliary
Pull request: #19147 contributed by remmons-r7
Path: gather/crushftp_fileread_cve_2024_4040
AttackerKB reference: CVE-2024-4040

Description: This adds an exploit module that leverages an unauthenticated server-side template injection vulnerability in CrushFTP versions prior to 10.7.1 and prior to 11.1.0 (as well as legacy 9.x versions) to read any files on the server file system as root.

MSSQL Version Utility

Author: Zach Goldman
Type: Auxiliary
Pull request: #18907 contributed by zgoldman-r7
Path: scanner/mssql/mssql_version

Description: Adds a new auxiliary/scanner/mssql/mssql_version module for fingerprinting Microsoft SQL Server targets.

Docker Privileged Container Kernel Escape

Authors: Eran Ayalon, Ilan Sokol, and Nick Cottrell
Type: Exploit
Pull request: #18519 contributed by rad10
Path: linux/local/docker_privileged_container_kernel_escape

Description: This adds a local exploit that allows Metasploit to escape container environments in which the SYS_MODULE capability is present.
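
A defender-side check for the precondition of that escape, as an added example that is not the module’s code: the Linux kernel reports a process’s effective capability set as a hex bitmask on the CapEff line of /proc/<pid>/status, and CAP_SYS_MODULE is bit 16 (include/uapi/linux/capability.h). The status excerpts below are constructed; the first uses the default Docker capability mask, the second a --privileged mask.

```ruby
# Capability bit numbers from include/uapi/linux/capability.h (subset).
CAP_BITS = {
  0 => 'CAP_CHOWN', 1 => 'CAP_DAC_OVERRIDE', 7 => 'CAP_SETUID', 12 => 'CAP_NET_ADMIN',
  13 => 'CAP_NET_RAW', 16 => 'CAP_SYS_MODULE', 17 => 'CAP_SYS_RAWIO',
  19 => 'CAP_SYS_PTRACE', 21 => 'CAP_SYS_ADMIN'
}.freeze
CAP_SYS_MODULE = 16

# Parse the effective set from the text of /proc/<pid>/status.
def effective_caps(status_text)
  line = status_text.each_line.find { |l| l.start_with?('CapEff:') }
  raise ArgumentError, 'no CapEff line in status text' unless line
  line.split.last.to_i(16)
end

def cap_set?(mask, bit)
  ((mask >> bit) & 1) == 1
end

# True when this process could load a kernel module, i.e. when a container
# holding it is one init_module call away from the host kernel.
def can_load_kernel_modules?(status_text)
  cap_set?(effective_caps(status_text), CAP_SYS_MODULE)
end

# Names of the set bits we know about, for a readable report.
def describe_caps(mask)
  CAP_BITS.select { |bit, _| cap_set?(mask, bit) }.values
end

# Constructed status excerpts: default Docker capabilities, then --privileged.
DOCKER_DEFAULT_STATUS = "Name:\tsh\nCapInh:\t0000000000000000\nCapEff:\t00000000a80425fb\n"
PRIVILEGED_STATUS     = "Name:\tsh\nCapInh:\t0000000000000000\nCapEff:\t0000003fffffffff\n"

if __FILE__ == $PROGRAM_NAME
  status = File.exist?('/proc/self/status') ? File.read('/proc/self/status') : DOCKER_DEFAULT_STATUS
  mask = effective_caps(status)
  puts format('CapEff=%016x %s', mask, describe_caps(mask).join(','))
  puts(can_load_kernel_modules?(status) ? 'CAP_SYS_MODULE present: module loading possible' : 'CAP_SYS_MODULE absent')
end
```

Run inside the container under review; a non-privileged container with the stock Docker mask reports CAP_SYS_MODULE absent, while --privileged or an explicit --cap-add SYS_MODULE reports it present.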

Enhancements and features (3)

  • #19125 from zgoldman-r7 – Updates MSSQL platform/arch fingerprinting to be more resilient.
  • #19127 from smashery – This implements LDAP signing and encryption for both NTLM and Kerberos.
  • #19158 from cgranleese-r7 – Updates multiple login modules to support the PASSWORD_SPRAY datastore option.

Bugs fixed (3)

  • #19156 from cgranleese-r7 – Fixes a bug with the PASSWORD_SPRAY support for login scanners where the default username datastore option was not being tried.
  • #19159 from cgranleese-r7 – Improves the error detection when detecting platform and arch for PostgreSQL session types.
  • #19163 from zeroSteiner – Updates the modules/auxiliary/scanner/smb/smb_version module to support a user defined RPORT. Previously the module was hard-coded to test port 139 and 445.

Documentation

You can find the latest Metasploit documentation on our docsite at docs.metasploit.com.

Get it

As always, you can update to the latest Metasploit Framework with msfupdate and you can get more details on the changes since the last blog post from
GitHub:

If you are a git user, you can clone the Metasploit Framework repo (master branch) for the latest. To install fresh without using git, you can use the open-source-only Nightly Installers or the commercial edition Metasploit Pro.

Metasploit Weekly Wrap-Up 05/03/24

Post Syndicated from Christophe De La Fuente original https://blog.rapid7.com/2024/05/03/metasploit-weekly-wrap-up-05-03-24/

Dump secrets inline

This week, our very own cdelafuente-r7 added a significant improvement to the well-known Windows Secrets Dump module that reduces its footprint when dumping SAM hashes, LSA secrets and cached credentials. The module now reads the relevant Windows Registry data remotely instead of saving the full registry hives to disk and parsing them, as it did originally. The idea comes from this PR proposed by antuache. The technique takes advantage of the WriteDACL privilege that local administrators hold on the SAM and SECURITY registry hives: the module sets temporary read permissions on those keys, reads what it needs, and restores the original security descriptors after each read. Two practical notes follow from that design: if the session is lost between the grant and the restore, the relaxed DACL stays on the hive, so check the key permissions after an interrupted run; and an environment that audits permission changes on registry objects will still record the DACL modification even though nothing touches the disk. The original technique remains available by setting the INLINE option to false. Happy dumping!

New module content (1)

Kemp LoadMaster Unauthenticated Command Injection

Author: Dave Yesland with Rhino Security Labs
Type: Exploit
Pull request: #18972 contributed by DaveYesland
Path: linux/http/progress_kemp_loadmaster_unauth_cmd_injection
AttackerKB reference: CVE-2024-1212

Description: This adds a module targeting CVE-2024-1212, an unauthenticated command injection vulnerability in Progress Kemp LoadMaster. Versions after 7.2.48.1 are affected; the issue is patched in 7.2.59.2 (GA), 7.2.54.8 (LTSF) and 7.2.48.10 (LTS).

Enhancements and features (3)

  • #19048 from cdelafuente-r7 – This updates the windows_secrets_dump module to enable accessing the necessary registry data without writing it to disk first.
  • #19075 from ide0x90 – Updates the Softing Secure Integration Server login library to allow the code to be better reused by other modules.
  • #19148 from adfoster-r7 – Updates Metasploit-framework to compile on x64-mingw-ucrt platforms.

Bugs fixed (5)

  • #19095 from zeroSteiner – Updates the smb_enumusers module to use an updated SMB implementation from RubySMB which fixes an issue where the module could sometimes time out or return an unexpected error when targeting Samba.
  • #19137 from zeroSteiner – Fixes an infinite recursion error where Metasploit would attempt to resolve a nameserver specified as a hostname in /etc/resolv.conf while initializing.
  • #19138 from dwelch-r7 – Fixes a crash in the cve_2022_26923_certifried module.
  • #19141 from jheysel-r7 – This fixes timeout issues encountered by rocketmq and activemq modules that would occur when the target is not running the expected service.
  • #19152 from adfoster-r7 – This fixes an issue in the exploit/multi/http/apache_normalize_path_rce exploit module that affected Metasploit Pro due to how the module was handling datastore options.

Documentation

You can find the latest Metasploit documentation on our docsite at docs.metasploit.com.

Get it

As always, you can update to the latest Metasploit Framework with msfupdate and you can get more details on the changes since the last blog post from
GitHub:

If you are a git user, you can clone the Metasploit Framework repo (master branch) for the latest. To install fresh without using git, you can use the open-source-only Nightly Installers or the commercial edition Metasploit Pro.