Tag Archives: penetration-testing

Metasploit Weekly Wrap-Up

Post Syndicated from Simon Janusz original https://blog.rapid7.com/2022/01/14/metasploit-weekly-wrap-up/

Log4Shell goodness

Metasploit Weekly Wrap-Up

Log4Shell made an unfortunate end to 2021 for many organizations, but it also makes for some great additions to Metasploit Framework. Contributors sempervictus, schierlm, righel, timwr and our very own Spencer McIntyre have collaborated to bring us a Log4Shell module that uses header stuffing to exploit vulnerable HTTP servers, resulting in Remote Code Execution.

SonicWall SSL VPN module for Rapid7-discovered vulnerability

Rapid7 disclosed the technical details of five vulnerabilities discovered by jbaines-r7 affecting SonicWall’s SMA-100 series of SSL VPN devices. The disclosure included landing a Metasploit module that gives remote and authenticated attackers root access to the device using CVE-2021-20039.

Pi-Hole command execution and common exploit library

An exciting new addition has worked its way into Metasploit Framework this week. Contributor h00die has created an authenticated RCE module that takes advantage of improper escaping of characters in Pi-Hole’s Top Domains API’s validDomainWildcard field. H00die has also created a library that aims to make developing future Pi-Hole modules easier.

New module content (5)

  • Pi-Hole Top Domains API Authenticated Exec by SchneiderSec and h00die, which exploits CVE-2021-32706 – This adds an auxiliary module that executes commands against Pi-Hole versions <= 5.5. This also introduces a Pi-Hole library for common functionality required in exploits against the service.

  • SonicWall SMA 100 Series Authenticated Command Injection by jbaines-r7, which exploits CVE-2021-20039 – This adds a module that exploits an authenticated command injection vulnerability in multiple versions of the SonicWALL SMA 100 series web interface. In the SSL certificate deletion functionality, the sanitization logic permits the \n character which acts as a terminator when passed to a call to system(). An authenticated attacker can execute arbitrary commands as the root user.

  • Log4Shell HTTP Header Injection by sinn3r, juan vazquez, Michael Schierl, RageLtMan, and Spencer McIntyre, which exploits CVE-2021-44228 – This adds an exploit for HTTP servers that are affected by the Log4J/Log4Shell vulnerability via header stuffing.

  • Microsoft Windows SMB Direct Session Takeover by usiegl00 – This adds a new exploit module that implements the Shadow Attack, SMB Direct Session takeover. Before running this module, a MiTM attack needs to be performed to let it intercept SMB authentication requests between a client and a server. by using any kind of ARP spoofer/poisoner tools in addition to Metasploit. If the connecting user is an administrator and network logins are allowed to the target machine, this module will execute an arbitrary payload.

  • #12217 from SkypLabs – This adds the f5 load balancer cookie to notes, and cleans up the module (rubocop/documentation/refs)

Enhancements and features

  • #15656 from HynekPetrak – This enables the vmware_vcenter_vmdir_auth_bypass module to create an admin user even if the target is not vulnerable to CVE-2020-3952, assuming we have obtained valid credentials to the vCenter LDAP directory.
  • #16021 from zeroSteiner – This adds additional tests for Meterpreter’s mkdir/rmdir functionality to ensure uniform implementations across all Meterpreters
  • #16024 from sjanusz-r7 – This adds in a new command to Meterpreter that allows the end user to kill all channels at once
  • #16040 from jmartin-r7 – Removes Ruby 2.5 support as it is officially end of life

Bugs fixed

  • #16016 from bwatters-r7 – This fixes an issue in the auxiliary/scanner/dcerpc/hidden module where the RHOSTS datastore option was not available, resulting in hosts not being scanned.
  • #16027 from zeroSteiner – This fixes an issue with tab completion for the generate command. Completion now works with both the -f and -o flags.
  • #16043 from shoxxdj – Fixes crash in the auxiliary/scanner/http/wordpress_scanner.rb module when attempting to scan themes

Get it

As always, you can update to the latest Metasploit Framework with msfupdate
and you can get more details on the changes since the last blog post from
GitHub:

If you are a git user, you can clone the Metasploit Framework repo (master branch) for the latest.
To install fresh without using git, you can use the open-source-only Nightly Installers or the
binary installers (which also include the commercial edition).

Metasploit Wrap-Up

Post Syndicated from Spencer McIntyre original https://blog.rapid7.com/2021/11/05/metasploit-wrap-up-137/

GitLab RCE

Metasploit Wrap-Up

New Rapid7 team member jbaines-r7 wrote an exploit targeting GitLab via the ExifTool command. Exploiting this vulnerability results in unauthenticated remote code execution as the git user. What makes this module extra neat is the fact that it chains two vulnerabilities together to achieve this desired effect. The first vulnerability is in GitLab itself that can be leveraged to pass invalid image files to the ExifTool parser which contained the second vulnerability whereby a specially-constructed image could be used to execute code. For even more information on these vulnerabilities, check out Rapid7’s post.

Less Than BulletProof

This week community member h00die submitted another WordPress module. This one leverages an information disclosure vulnerability in the WordPress BulletProof Security plugin that can disclose user credentials from a backup file. These credentials could then be used by a malicious attacker to login to WordPress if the hashed password is able to be cracked in an offline attack.

Metasploit Masterfully Manages Meterpreter Metadata

Each Meterpreter implementation is a unique snowflake that often incorporates API commands that others may not. A great example of this are all the missing Kiwi commands in the Linux Meterpreter. Metasploit now has much better support for modules to identify the functionality they require a Meterpreter session to have in order to run. This will help alleviate frustration encountered by users when they try to run a post module with a Meterpreter type that doesn’t offer functionality that is needed. This furthers the Metasploit project goal of providing more meaningful error information regarding post module incompatibilities which has been an ongoing effort this year.

New module content (3)

  • WordPress BulletProof Security Backup Disclosure by Ron Jost (Hacker5preme) and h00die, which exploits CVE-2021-39327 – This adds an auxiliary module that leverages an information disclosure vulnerability in the BulletproofSecurity plugin for WordPress. This vulnerability is identified as CVE-2021-39327. The module retrieves a backup file, which is publicly accessible, and extracts user credentials from the database backup.
  • GitLab Unauthenticated Remote ExifTool Command Injection by William Bowling and jbaines-r7, which exploits CVE-2021-22204 and CVE-2021-22205 – This adds an exploit for an unauthenticated remote command injection in GitLab via a separate vulnerability within ExifTool. The vulnerabilities are identified as CVE-2021-22204 and CVE-2021-22205.
  • WordPress Plugin Pie Register Auth Bypass to RCE by Lotfi13-DZ and h00die – This exploits an authentication bypass which leads to arbitrary code execution in versions 3.7.1.4 and below of the WordPress plugin, pie-register. Supplying a valid admin id to the user_id_social_site parameter in a POST request now returns a valid session cookie. With that session cookie, a PHP payload as a plugin is uploaded and requested, resulting in code execution.

Enhancements and features

  • #15665 from adfoster-r7 – This adds additional metadata to exploit modules to specify Meterpreter command requirements. Metadata information is used to add a descriptive warning when running modules with a Meterpreter implementation that doesn’t support the required command functionality.
  • #15782 from k0pak4 – This updates the iis_internal_ip module to include coverage for the PROPFIND internal IP address disclosure as described by CVE-2002-0422.

Bugs fixed

  • #15805 from timwr – This bumps the metasploit-payloads version to include two bug fixes for the Python Meterpreter.

Get it

As always, you can update to the latest Metasploit Framework with msfupdate
and you can get more details on the changes since the last blog post from
GitHub:

If you are a git user, you can clone the Metasploit Framework repo (master branch) for the latest.
To install fresh without using git, you can use the open-source-only Nightly Installers or the
binary installers (which also include the commercial edition).

Metasploit Wrap-Up

Post Syndicated from Grant Willcox original https://blog.rapid7.com/2021/10/29/metasploit-wrap-up-136/

OMIGOD It’s RCE

Metasploit Wrap-Up

We are excited to announce that we now have a module for the OMIGOD vulnerability that exploits CVE-2021-38647 courtesy of our very own Spencer McIntyre! Successful exploitation will allow an unauthenticated attacker to gain root level code execution against affected servers. Given that this has seen exploitation in the wild by the Mirai botnet, we hope you’re patched, lest your servers decide to join the zombie horde this Halloween!

Sophos Contributes to the RCE Pile

Continuing the trend of unauthenticated RCE exploits that grant root level code execution, this week we also have an exploit for CVE-2020-25223, an unauthenticated RCE within the Sophos UTM WebAdmin service. Whilst we haven’t yet seen exploitation in the wild of this bug, this is definitely one to patch given its severity. Stay frosty folks!

Guess Who’s Back, Back Again, Apache’s Back, Tell a Friend

Whilst not a marshalling bug (I’m sorry, it’s Halloween some puns are needed), community contributors Ash Daulton, Dhiraj Mishra, and mekhalleh (RAMELLA Sébastien), have added a scanner and exploit for CVE-2021-41773 and CVE-2021-42013, which was based off of work from RootUp, ProjectDiscovery, and HackerFantastic. Path traversal vulnerabilities are relatively easy to exploit, and this got a lot of attention in the news since it’s been a long time since Apache has seen a reliable RCE exploit against it. This is definitely one to patch if you’re running any Apache servers. Successful exploitation will result in remote code execution as the user running the Apache server.

New module content (6)

  • Squid Proxy Range Header DoS by Joshua Rogers, which exploits CVE-2021-31806 and CVE-2021-31807 – This adds a module that leverages CVE-2021-31806 and CVE-2021-31807 to trigger a denial of service condition in vulnerable Squid proxy servers.
  • Apache 2.4.49/2.4.50 Traversal RCE scanner by Ash Daulton, Dhiraj Mishra, and mekhalleh (RAMELLA Sébastien), which exploits CVE-2021-41773 and CVE-2021-42013 – This adds both a scanner and exploit module for the two recent path traversal vulnerabilities in the apache2 HTTP server. The RCE module requires mod_cgi to be enabled but can be exploited remotely without any authentication. These vulnerabilities are identified as CVE-2021-41773 and CVE-2021-42013.
  • Sophos UTM WebAdmin SID Command Injection by wvu and Justin Kennedy, which exploits CVE-2020-25223 – This adds an exploit for CVE-2020-25223 which is an unauthenticated RCE within the Sophos UTM WebAdmin service. Exploitation results in OS command execution as the root user.
  • Microsoft OMI Management Interface Authentication Bypass by wvu, Nir Ohfeld, Shir Tamari, and Spencer McIntyre, which exploits CVE-2021-38647 – We added an unauthenticated RCE exploit for Microsoft OMI "OMIGOD" CVE-2021-38647. Successful exploitation grants code execution as the root user.
  • Apache 2.4.49/2.4.50 Traversal RCE by Ash Daulton, Dhiraj Mishra, and mekhalleh (RAMELLA Sébastien), which exploits CVE-2021-41773 and CVE-2021-42013 – This adds both a scanner and exploit module for the two recent path traversal vulnerabilities in the apache2 HTTP server. The RCE module requires mod_cgi to be enabled but can be exploited remotely without any authentication. These vulnerabilities are identified as CVE-2021-41773 and CVE-2021-42013.
  • Browse the session filesystem in a Web Browser by timwr – This adds a post module that allows the user to view the Meterpreter sessions filesystem via a locally hosted web page.

Enhancements and features

  • #15681 from smashery – This adds support for reverse port forwarding via established SSH sessions.
  • #15778 from k0pak4 – This PR adds documentation for the http trace scanner.
  • #15788 from zeroSteiner – When generating a Powershell command payload would exceed the maximum length allowed to successfully execute, gracefully fall back to omitting an ASMI bypass.
  • #15803 from k0pak4 – This adds f5_bigip_virtual_server scanner documentation.

Bugs fixed

Get it

As always, you can update to the latest Metasploit Framework with msfupdate and you can get more details on the changes since the last blog post from GitHub:

If you are a git user, you can clone the Metasploit Framework repo (master branch) for the latest version of Metasploit Framework. To install fresh without using git, you can use the open-source-only Nightly Installers or the binary installers (which also include the commercial edition).

Metasploit Wrap-Up

Post Syndicated from Dean Welch original https://blog.rapid7.com/2021/10/22/metasploit-wrap-up-135/

We just couldn’t contain ourselves!

Metasploit Wrap-Up

This week we’ve got two Kubernetes modules coming at you from adfoster-r7 and smcintyre-r7. First up is an enum module auxiliary/cloud/kubernetes/enum_kubernetes that’ll extract a variety of information including the namespaces, pods, secrets, service token information, and the Kubernetes environment version! Next is an authenticated code execution module exploit/multi/kubernetes/exec (which shipped with a new websocket implementation, too, by the way) that will spin up a new pod with a Meterpreter payload for you provided you have the Kubernetes JWT token and access to the Kubernetes REST API. These modules can even be run through a compromised container that may be running on the Kubernetes cluster.

Atlassian Confluence WebWork OGNL Injection gets Windows support

You might remember Confluence Server CVE-2021-26084 making an appearance in a wrap-up last month, and it’s back! Rapid7’s own wvu-r7 has updated his Confluence Server exploit to support Windows targets.

New module content (2)

  • Kubernetes Enumeration by Spencer McIntyre and Alan Foster – This adds a module for enumerating Kubernetes environments. It can be run via an established session within a Kubernetes environment or with an authentication token and target information. It will extract a variety of information including the namespaces, pods, secrets and version.
  • Kubernetes authenticated code execution by Spencer McIntyre and Alan Foster – Adds a new exploit/multi/kubernetes/exec module. It can be run via an established session within a Kubernetes environment or with an authentication token and target information. The module creates a new pod which will execute a Meterpreter payload to open a new session, as well as mounting the host’s file system when possible.

Enhancements and features

  • #15732 from dwelch-r7 – Adds terminal size synchronisation for fully interactive shells against Linux environments with shell -it. This functionality is behind a feature flag and can be enabled with features set fully_interactive_shells true.
  • #15769 from wvu-r7 – Added Windows support to the Atlassian Confluence CVE-2021-26084 exploit.
  • #15773 from adfoster-r7 – Adds a collection of useful commands for configuring a local or remote Kubernetes environment to aid with testing and exploring Metasploit’s Kubernetes modules and pivoting capabilities. The resource files include deploying two vulnerable applications, and populating secrets which can be extracted and stored as loot, as well as utility commands for creating admin and service account tokens.

Bugs fixed

  • #15760 from adfoster-r7 – Fixes an issue when attempting to store JSON loot, where the extension was always being set to bin instead of json.

Get it

As always, you can update to the latest Metasploit Framework with msfupdate
and you can get more details on the changes since the last blog post from
GitHub:

If you are a git user, you can clone the Metasploit Framework repo (master branch) for the latest.
To install fresh without using git, you can use the open-source-only Nightly Installers or the
binary installers (which also include the commercial edition).

Metasploit Wrap-Up

Post Syndicated from Brendan Watters original https://blog.rapid7.com/2021/10/15/metasploit-wrap-up-134/

An Especially Spooky Season for Moodle

Metasploit Wrap-Up

This release has not one, two, or three, but FOUR authenticated Moodle exploit modules, or should I say moodules? H00die comes through again with not just modules, but also an artisanal, bespoke library to support further work. Two target the spell check functions in Moodle, one is a shell upload using administrative credentials, and one allows teachers to get ahead by declaring themselves administrators!

More Information on Forwarded Sessions and Jobs

To get through networks, sometimes red teamers need to connect sessions and forward traffic through a “red network” of hosts to gain access to a target of interest on an interior network. Smashery has added features to the sessions and jobs information reporting that reflects the status of a forwarded connection and which sessions it is using for its connection. This helps users keep track of an already tricky [or treaty] situation juggling sessions and forwarded connections.

New module content (4)

Enhancements and features

  • #15706 from smashery – The reverse shell handlers in Metasploit have been updated. When catching a shell via a route that goes through another existing session, Metasploit will now note which session the new session originated from. This helps users determine how shells were obtained when they use an existing session to acquire another session within a target’s network. Additional information has been applied to job information which provides users with more clarity when looking at jobs.

Get it

As always, you can update to the latest Metasploit Framework with msfupdate
and you can get more details on the changes since the last blog post from
GitHub:

If you are a git user, you can clone the Metasploit Framework repo (master branch) for the latest.
To install fresh without using git, you can use the open-source-only Nightly Installers or the
binary installers (which also include the commercial edition).

[Modified] Image credit https://commons.wikimedia.org/wiki/File:Halloween_Jack-o’-lantern.jpg

Metasploit Wrap-Up

Post Syndicated from Simon Janusz original https://blog.rapid7.com/2021/10/08/metasploit-wrap-up-133/

Telemetry is for gathering data, not executing commands as root, right?…

Metasploit Wrap-Up

This week’s highlight is a new exploit module by our own wvu for VMware vCenter Server CVE-2021-22005, a file upload vuln that arises from a flaw in vCenter’s analytics/telemetry service, which is enabled by default. Attackers with network access to port 443 can upload a specially crafted file, after which commands can be executed as the root user without prior authentication. As usual, this latest vCenter Server vulnerability was exploited in the wild quickly after details were released. See Rapid7’s full technical analysis in AttackerKB.

Good ol’ Netfilter

This week’s release also includes a privilege escalation module for a Linux kernel vulnerability in Netfilter that lets you get a root shell through an out-of-bounds write. The vulnerability was discovered by Andy Nguyen and has been present in the Linux kernel for the past 15 years. The module currently supports 18 versions of the Ubuntu kernel ranging between 5.8.0-23 to 5.8.0-53 thanks to bcoles, and there are plans to add further support for kernel versions 4.x in the future, once an ROP chain for said version is created.

New module content (3)

Enhancements and features

  • #15735 from jaydesl – Fixes a Rails 6 deprecation warning when a user ran db_disconnect in msfconsole
  • #15740 from h00die – Several improvements have been made to the Ghostcat module to align it with recent standards changes that the team has made and to ensure its documentation is more descriptive.
  • #15750 from jmartin-r7 – Improves Ruby 3.0.2 support on Windows

Bugs fixed

  • #15729 from ErikWynter – This fixes a bug in the PrintNightmare check method where if an RPC function returns a value that can’t be mapped to a Win32 error code, the module would crash.
  • #15730 from adfoster-r7 – The check method for the Gitea Git hooks RCE module has been updated to correctly handle older versions of Gitea and report their exploitability as unknown vs reporting the target as not running Gitea.
  • #15737 from adfoster-r7 – A bug has been fixed whereby action wasn’t correctly being set when using the action name as a command. action should now hold the right value when using the action name as a command.
  • #15745 from bwatters-r7 – A bug has been fixed in tools/dev/msftidy.rb whereby if the Notes section was placed before the References section, then msftidy would end up not checking the References section and would therefore state the module didn’t have a CVE reference, even when it did.

Get it

As always, you can update to the latest Metasploit Framework with msfupdate and you can get more details on the changes since the last blog post from GitHub:

If you are a git user, you can clone the Metasploit Framework repo (master branch) for the latest. To install fresh without using git, you can use the open-source-only Nightly Installers or the binary installers (which also include the commercial edition).

Metasploit Wrap-Up

Post Syndicated from Erran Carey original https://blog.rapid7.com/2021/10/01/metasploit-wrap-up-132/

Credential gatherers, mix-ins, oh my!

Metasploit Wrap-Up

We’re excited that Metasploit now includes support for 28 related post modules for gathering credentials based on the PackRat toolset. This is a continuation of #5433, #11700, and #11719. It was developed by community contributors Kazuyoshi Maruta, Daniel Hallsworth and Barwar Salim M, for their final year projects at Leeds Beckett University with guidance, code clean-up and some additions by Z. Cliffe Schreuders.

We thank these community contributors for their months of effort and patience while getting so many modules through the code review process.

Netgear PNPX_GetShareFolderList Authentication Bypass

This auxiliary module exploits an authentication bypass in a range of different Netgear router models and firmware versions. The module leverages this vulnerability to log in as the admin user and then achieves a telnet session as root through the auxiliary/scanner/telnet/telnet_login module.

Read more about the SSD Netgear D7000 authentication bypass advisory here.

New module content (30)

  • Netgear PNPX_GetShareFolderList Authentication Bypass by Grant Willcox and Unknown – The auxiliary/admin/http/netgear_pnpx_getsharefolderlist_auth_bypass module exploits an authentication bypass in various Netgear router models running firmware versions prior to 1.2.0.88, 1.0.1.80, 1.1.0.110, and 1.1.0.84. The module leverages the vulnerability to log in as the admin user and then achieves a telnet session as the root user through the auxiliary/scanner/telnet/telnet_login module.
  • ECU Hard Reset by Jay Turla – Adds a new ecu_hard_reset hardware module which performs a hard reset in the ECU Reset Service Identifier (0x11)
  • 28 "PackRat" credential gatherers by Barwar Salim M, Daniel Hallsworth, Kazuyoshi Maruta (@KazuCyber), and Z. Cliffe Schreuders (@cliffe) – This pull request adds 28 post-exploitation modules, based on a common mixin, known as PackRat, which gathers file and information artifacts from end users’ systems.
    • Aim credential gatherer
    • Chrome credential gatherer
    • Comodo credential gatherer
    • Coolnovo credential gatherer
    • Digsby credential gatherer
    • Flock credential gatherer
    • Gadugadu credential gatherer
    • ICQ credential gatherer
    • Ie credential gatherer
    • Incredimail credential gatherer
    • KakaoTalk credential gatherer
    • Kmeleon credential gatherer
    • LINE credential gatherer
    • Maxthon credential gatherer
    • Miranda credential gatherer
    • Opera credential gatherer
    • Operamail credential gatherer
    • Postbox credential gatherer
    • QQ credential gatherer
    • Safari credential gatherer
    • Seamonkey credential gatherer
    • Srware credential gatherer
    • Tango credential gatherer
    • Thunderbird credential gatherer
    • Tlen credential gatherer
    • Viber credential gatherer
    • Windows Live Mail credential gatherer
    • Xchat credential gatherer

Enhancements and features

  • #15441 from bf9114 – This change extends the Meterpreter search functionality by adding the ability to search by modified dates across all supported Meterpreter platforms. This allows a user to quickly find files on a target system that has been modified recently, or within a specific date range.
  • #15594 from h00die – This adds options to the wordpress_scanner that enables the user to only scan for wordpress themes or plugins that Metasploit has modules for.
  • #15630 from zeroSteiner – This adds the option DB_SKIP_EXISTING to the AuthBrute mixin to give users the option to skip credentials already in the database when performing brute force attacks.
  • #15669 from adfoster-r7 – Updates the multi/manage/screenshare module to use the Espia screenshot capabilities if present, and to gracefully fallback to using the normal screenshot behavior if it fails to load as expected.
  • #15721 from zeroSteiner – Support has been added into Metasploit for negotiating SSL connections over multiple connections types including Meterpreter and SSH. As a result, users can now make HTTPS requests over pivoted sessions. Previously, if users tried to make such connections, they would be sent via plaintext instead of being SSL encrypted.
  • #15722 from adfoster-r7 – The rerun command has been enhanced to support tab completion.
  • #15726 from zeroSteiner – This adds the MeterpreterTryToFork option to the Mettle payloads. When set, it translates to Mettle’s :background option. When :persist is not configured it will attempt to fork the stage into the background.

Bugs fixed

  • #15703 from space-r7 – This updates payload/windows/x64/encrypted_shell/reverse_tcp to no longer crash on MacOS. Additionally adds an advanced option, ShowCompileCMD, that prints the compilation command used.
  • #15720 from NeffIsBack – This fixes a bug where the rhost value was incorrectly passed to the underlying scanning script, resulting in an abnormal exit.

Get it

As always, you can update to the latest Metasploit Framework with msfupdate and you can get more details on the changes since the last blog post from GitHub:

If you are a git user, you can clone the Metasploit Framework repo (master branch) for the latest. To install fresh without using git, you can use the open-source-only Nightly Installers or the binary installers (which also include the commercial edition).

Metasploit Wrap-Up

Post Syndicated from Adam Galway original https://blog.rapid7.com/2021/09/24/metasploit-wrap-up-131/

Vulnerability is in the eye of the beholder

Metasploit Wrap-Up

Exploiting firmware authored by UDP Technology and provided to multiple large OEMs (including Geutebruck), community contributor TrGFxX has authored a neat module that allows RCE as root on machines running the web interface of the Geutebruck G-Cam and G-Code products. For more information on the vulnerability check out the CISA advisory.

OpManager exploit is OP plz nerf

Our very own zeroSteiner authored a module implementing both an exploit and patch bypass for a Java deserialization vulnerability that exists in numerous versions of ManageEngine’s OpManager software. This module allows payload execution as either NT AUTHORITY\SYSTEM on Windows or root on Linux. On top of this new module, zeroSteiner made improvements to help utilize the increasingly essential YSoSerial tool. You should definitely check it out if you’re interested in exploring other Java deserialization vulns.

Putting the Win in WinRM

In a big win for Metasploit, community contributor smashery finished off their month-long effort to get fully functional shells working across WinRM! These new sessions support post modules, NTLMSSP authentication, and are also able to run without a payload in remote memory, making these sessions pretty hard to detect. This is a major improvement over the previous WinRM implementation that only supported execution of a single command, so huge thanks again to smashery.

You can tell a lot about a protocol from its handshake

In one final noteworthy addition, smashery has once again come through with a PR that significantly improves our RDP library. Metasploit users can now capture the NETBIOS computer name, NETBIOS domain name, DNS computer name, DNS domain name, and OS version from the NTLM handshake carried out over RDP, and our rdp_scanner module has been updated to display this info to all the RDP sniffers out there.

New module content (3)

Enhancements and features

  • #15684 from adfoster-r7 – This improves interactive shell performance for pasted user input.
  • #15696 from smashery – This updates the RDP scanner module to extract and show additional information gathered from the NTLM handshake used for Network Level Authentication (NLA).
  • #15632 from smashery – This improves Metasploit’s WinRM capabilities by allowing shell sessions to be established over the protocol. The shell sessions are interactive and are usable with post modules.

Bugs fixed

  • #15600 from agalway-r7 – This fixes an issue with encrypted payloads during session setup. The logic that gathers session info is now located in the bootstrap method, which ensures that this functionality is always carried out before any commands are sent.
  • #15666 from timwr – This fixes an issue found in Meterpreter’s download functionality where downloading a file with a name containing unicode characters would fail due to incompatible encoding.
  • #15679 from nvn1729 – This fixes a bug where the tomcat_mgr_upload module was not correctly undeploying the app after exploitation occurred.
  • #15686 from jmartin-r7 – This fixes a crash in msfrpc that occurs due to the exploit/linux/misc/saltstack_salt_unauth_rce module’s MINIONS option default being a regex instead of a string.
  • #15695 from adfoster-r7 – This fixes a crash in the exploit/unix/local/setuid_nmap module and adds logging to print the result of the exploit’s last command so the user knows what happened in the event of a failure.
  • #15697 from smashery – This updates the HTTP NTLM information enumeration module to use the Net::NTLM library for consistent data processing without a custom parser.

Get it

As always, you can update to the latest Metasploit Framework with msfupdate and you can get more details on the changes since the last blog post from GitHub:

If you are a git user, you can clone the Metasploit Framework repo (master branch) for the latest. To install fresh without using git, you can use the open-source-only Nightly Installers or the binary installers (which also include the commercial edition).

Metasploit Wrap-Up

Post Syndicated from Christophe De La Fuente original https://blog.rapid7.com/2021/09/03/metasploit-wrap-up-128/

Capture Credentials with our new SMB Server

Metasploit Wrap-Up

Our own Adam Galway revamped the old SMB capture module and now supports NTLMv1 and NTLMv2, as well as SMB1, SMB2 and SMB3. This was possible thanks to @zeroSteiner‘s new RubySMB server implementation. Metasploit is now able to capture NTLM hashes from any recent Windows releases using the SMB2 and SMB3 dialects, even with encrypted SMB traffic.

Revenge of the Clones

Earlier this year, an outstanding vulnerability in Git clients was disclosed and identified as CVE-2021-21300. It allows an attacker to execute scripts on the victim’s system when cloning a specially crafted repository onto a case-insensitive file system such as NTFS, HFS+ or APFS. Our own Shelby Pace just added a new exploit module that leverages this flaw to achieve remote code execution. First, the module creates a fake Git repository and waits for the victim to clone it. This process will deliver a post-checkout script with the payload that will be automatically executed upon checkout of the repository.

Note that for this exploit to work, the victim’s Git client must support delay-capable clean / smudge filters and symbolic links. The former is enabled by default on Windows through Git-lfs.

Don’t clone repositories you don’t trust!

Exploiting eBPF on Linux

A new local exploit module that leverages a bug in the Linux eBPF feature was added by Grant Willcox this week. This vulnerability is identified as CVE-2021-3490 and allows a local attacker to achieve code execution as the root user by conducting an out-of-bounds read and write in the Linux kernel. This is possible due to a flaw in eBPF verifier‘s verification of ALU32 operations. This module is based on @chompie1337‘s PoC code and should work on any vulnerable kernel versions (from 5.7-rc1 prior to 5.13-rc4, 5.12.4, 5.11.21, and
5.10.37). Note that, at the moment, it has only been tested on Ubuntu 20.04 (Focal Fossa) 5.8.x kernels prior to 5.8.0-53.60, Ubuntu 20.10 (Groovy Gorilla) 5.8.x kernels prior to 5.8.0-53.60, Ubuntu 21.04 (Hirsute Hippo) 5.11.x kernels prior to 5.11.0-17.18 and Fedora kernel versions 5.x from 5.7.x up to but not including 5.11.20-300. However, the module documentation includes some instructions for porting the exploit over onto other systems.

New module content (4)

  • Geutebruck Multiple Remote Command Execution by Ibrahim Ayadhi, Sébastien Charbonnier, and Titouan Lazard, which exploits CVE-2021-33554 – A new module has been added which bypasses authentication and exploits CVE-2021-33544, CVE-2021-33548, and CVE-2021-33550-33554 on Geutebruck G-Cam EEC-2xxx and G-Code EBC-21xx, EFD-22xx, ETHC-22xx, and EWPC-22xx devices running firmware versions <= 1.12.0.27 as well as firmware versions 1.12.13.2 and 1.12.14.5. Successful exploitation results in remote code execution as the root user.
  • Linux eBPF ALU32 32-bit Invalid Bounds Tracking LPE by Grant Willcox, Manfred Paul, and chompie1337, which exploits ZDI-21-606 – This adds a module that uses @chompie1337’s CVE-2021-3490 PoC code to elevate privileges to root on affected Linux systems. It’s been tested to work on clean installs of Ubuntu 21.04, Ubuntu 20.10, Ubuntu 20.04.02, as well as Fedora running affected versions of the 5.7, 5.8, 5.9, 5.10 and 5.11 kernels.
  • Git LFS Clone Command Exec by Johannes Schindelin, Matheus Tavares, and Shelby Pace, which exploits CVE-2021-21300 – An exploit module has been added for CVE-2021-21300, a RCE vulnerability in affected Git clients that support delay-capable clean / smudge filters and symbolic links on case-insensitive file systems. Additionally, a set of mixins that aid in exploiting Git clients over the Smart HTTP protocol have been added into Metasploit and the code for older Git-related exploits has been updated to utilize some of this new code.
  • Overhaul SMB auth capture server from agalway-r7 – This updates the SMB capture server to be compatible with clients using the SMB 2 and SMB 3 dialects. SMB 1 has not been enabled in Windows 10 since v1709 was released in 2017. This allows the module to be compatible with recent releases.

Enhancements and features

  • #15253 from adfoster-r7 – Updates Metasploit to support URI arguments to set module datastore values. The currently supported protocols are http, smb, mysql, postgres, and ssh.
  • #15537 from adfoster-r7 – Adds support for Ruby 3
  • #15582 from bcoles – The code for Msf::Post::Linux::Kernel.unprivileged_bpf_disabled? has been updated to support new values supported by kernel.unprivileged_bpf_disabled which were introduced in Linux kernels since 5.13 and 5.14-rc+HEAD, particularly the value 2 which means Unprivileged calls to bpf() are disabled, whereas the value 1 is now used to indicate Unprivileged calls to bpf() are disabled without recovery
  • #15606 from adfoster-r7 – Improves Python Meterpreter to gracefully handle unsupported command ids, and cleaning up process objects correctly. Additionally enhances mingw build support for Windows Meterpreter, and now correctly interprets a transport session time of 0 as never expiring.
  • #15621 from jmartin-r7 – Updates the Metasploit docker container to additionally include Go as a dependency.
  • #15623 from zeroSteiner – The creds command has been updated to support several new features: supporting formatting NetNTLMv1 and NetNTLMv2 hash for both the JtR and Hashcat formatters, filtering hashes based on the realm, not truncating hashes when writing them to a CSV file, filtering based on the JtR format type name, support for applying the same filtering to output files that can be applied when generating the creds table, and support for ensuring output consistency when writing output to a file.

Bugs fixed

  • #15375 from HynekPetrak – This PR fixes a bug whereby Metasploit would sometimes crash when remote LDAP servers returned a null character in the base_dn string, and also enhances modules/auxiliary/gather/ldap_hashdump.rb to handle sha256 hashes and skip hashes in cases of LK (locked account) and NP (no password) credentials.

  • #15572 from adfoster-r7 – This PR implements a fix to correctly handle quoted console options and whitespace

  • #15573 from dwelch-r7 – The simplify_module function has been updated so that by default it will not load LHOST/RHOST from the config file and instead use the values set in the options.

  • #15590 from sjanusz-r7 – A bug has been fixed that prevented external modules from properly handling the encoding of UTF-8 characters.

  • #15596 from tomadimitrie – A bug has been fixed in docker_credential_wincred whereby the regex would sometimes match on IP addresses and other invalid entries instead of the expected Docker version string. This has now been fixed by tightening the regex to make it more specific and restrictive.

  • #15628 from timwr – Ensures the session table is refreshed whenever the sysinfo command is run, and whenever stdapi is loaded manually. This should also fix a minor bug where if you run an exploit on an existing session, the session information never gets updated (e.g the username from User -> SYSTEM). Now it’s refreshed when you run meterpreter > sysinfo.

  • #15629 from jmartin-r7 – Fixes a regression issue where msfconsole crashed on startup when running on a Windows environments

Get it

As always, you can update to the latest Metasploit Framework with msfupdate and you can get more details on the changes since the last blog post from GitHub:

If you are a git user, you can clone the Metasploit Framework repo (master branch) for the latest. To install fresh without using git, you can use the open-source-only Nightly Installers or the binary installers (which also include the commercial edition).

Metasploit Wrap-Up

Post Syndicated from Sonny Gonzalez original https://blog.rapid7.com/2021/08/27/metasploit-wrap-up-127/

LearnPress authenticated SQL injection

Metasploit Wrap-Up

Metasploit contributor h00die added a new module that exploits CVE-2020-6010, an authenticated SQL injection vulnerability in the WordPress LearnPress plugin. When a user is logged in with contributor privileges or higher, the id parameter can be used to inject arbitrary code through an SQL query. This exploit can be used to collect usernames and password hashes. The responsible code is located in learnpress/inc/admin/lp-admin-functions.php at line 1690. The vulnerability affects plugin versions v3.2.6.7 and prior.

Continuous improvement

In addition to new exploit modules, Metasploit releases include a number of enhancements and bug fixes. This week we would like to highlight a few key enhancements that improve usability. Contributor pingport80 added support for easy reading of binary files from target systems compromised through a PowerShell session. Our very own sjanusz-r7 added a default payload option to the postgres_payload module so that payloads update correctly when changing target systems. An enhancement made by our own gwillcox-r7 extends Windows process lib injection beyond just notepad.exe. The logic now selects from a random list that can be updated in the future. We appreciate all the contributions that make Metasploit more robust and easier to use.

New module content (1)

Enhancements and features

  • #15384 from gwillcox-r7 – This consolidates and changes the library code used by exploits that use RDLLs. The changes improve upon the logic used to start a process to host the RDLL so it is no longer notepad.exe but randomly selected from a list that can also be updated in the future.
  • #15477 from pingport80 – This adds PowerShell session support to the readable? and read_file functions provided by the Post::File API.
  • #15580 from sjanusz-r7 – Updates postgres_payload exploit modules to specify a valid default PAYLOAD option when changing target architectures
  • #15584 from h00die – Updates the list of WordPress plugins and themes to allow users to discover more plugins and themes when running tools such as auxiliary/scanner/http/wordpress_scanner

Bugs fixed

  • #15496 from zeroSteiner – Users can now specify the SSL version for servers with the SSLVersion datastore option, ensuring compatibility with a range of targets old and new.

Get it

As always, you can update to the latest Metasploit Framework with msfupdate and you can get more details on the changes since the last blog post from GitHub:

If you are a git user, you can clone the Metasploit Framework repo (master branch) for the latest. To install fresh without using git, you can use the open-source-only Nightly Installers or the binary installers (which also include the commercial edition).

Metasploit Wrap-Up

Post Syndicated from Jeffrey Martin original https://blog.rapid7.com/2021/08/20/metasploit-wrap-up-126/

Anyone enjoy making chains?

Metasploit Wrap-Up

The community is hard at work building chains to pull sessions out of vulnerable Exchange servers. This week Rapid7’s own wvu & Spencer McIntyre added a module that implements the ProxyShell exploit chain originally demonstrated by Orange Tsai. The module also benefited from research and analysis by Jang, PeterJson, brandonshi123, and mekhalleh (RAMELLA Sébastien) to make it as simple as finding an email for an administrator of vulnerable version of exchange as the entrypoint to chain CVE-2021-31207, CVE-2021-34523, & CVE-2021-34473 into sessions for everyone to enjoy.

Great to see some GSoC value in the wild.

With Google Summer of Code 2021 moving into its final phases, pingport80 had 4 PRs land in this week’s release. These improvements and fixes to interactions with sessions make post exploitation tasks more accessible, bringing the community more capabilities and stability along the way.

New module content (2)

Enhancements and features

  • #15540 from dwelch-r7 – This adds an option to cmd_execute to have the command run in a subshell by Meterpreter.
  • #15556 from pingport80 – This adds shell session compatibility to the post/windows/gather/enum_unattend module.
  • #15564 from pingport80 – This adds support to the get_env and command_exists? post API methods for Powershell session types.

Bugs fixed

  • #15303 from pingport80 – This PR ensures that the shell dir command returns a list.
  • #15332 from pingport80 – This improves localization support and compatibly in the session post API related to the rename_file method.
  • #15539 from tomadimitrie – This improves the OS version in the check method of exploit/windows/local/cve_2018_8453_win32k_priv_esc.
  • #15546 from timwr – This ensures that the UUID URLs of stageless reverse_http(s) payloads are stored in the database so that they can be properly tracked with payload UUID tracking. This also fixes an error caused by accessing contents of a url list without checking if it’s valid first.
  • #15570 from adfoster-r7 – This fixes a bug in the auxiliary/scanner/smb/smb_enum_gpp module where the path that was being generated by the module caused an SMB exception to be raised.

Get it

As always, you can update to the latest Metasploit Framework with msfupdate and you can get more details on the changes since the last blog post from GitHub:

If you are a git user, you can clone the Metasploit Framework repo (master branch) for the latest. To install fresh without using git, you can use the open-source-only Nightly Installers or the binary installers (which also include the commercial edition).

Metasploit Wrap-Up

Post Syndicated from Erin Bleiweiss original https://blog.rapid7.com/2021/08/13/metasploit-wrap-up-125/

Print Driver PrivEsc

Metasploit Wrap-Up

If you attended DEF CON last week, you may have seen this talk on print driver vulnerabilities from Metasploit community contributor Jacob Baines. In the spirit of Friday the 13th, we’re highlighting some of these "print nightmares" again, in the form of two new Metasploit modules that Jacob added.
The first is a Canon TR150 Print Driver Local Privilege Escalation module, which exploits CVE-2021-38085. The second is a Lexmark Universal Print Driver Local Privilege Escalation module, which exploits CVE-2021-35449. Both modules target Windows systems with their respective vulnerable print drivers installed, and result in privilege escalation to a SYSTEM user.

Atlassian Crowd RCE

Also new in this week’s release is an Atlassian Crowd pdkinstall Unauthenticated Plugin Upload RCE module by Rapid7’s own Grant Willcox, which exploits CVE-2019-11580. This vulnerability allows an attacker to upload arbitrary plugins to vulnerable Atlassian Crowd data servers and achieve unauthenticated remote code execution. This module also includes a check method for verifying whether a target is vulnerable to this exploit. It should be noted that this vulnerability made the U.S. Cybersecurity and Infrastructure Security Agency’s (CISA) list of the 12 most routinely exploited vulns for 2020).

New module content (3)

  • Atlassian Crowd pdkinstall Unauthenticated Plugin Upload RCE by Corben Leo, Grant Willcox, and Paul, which exploits CVE-2019-11580 – This adds an exploit for CVE-2019-11580 which is an unauthenticated RCE within the Atlassian Crowd application. The vulnerability allows for a malicious JAR file to be loaded, resulting in arbitrary Java code execution within the context of the service.
  • Canon Driver Privilege Escalation by Jacob Baines and Shelby Pace, which exploits CVE-2021-38085 – A new module has been added to exploit CVE-2021-38085, a privilege escalation issue in the Canon TR150 Print Driver. Successful exploitation results in code execution as the SYSTEM user.
  • Lexmark Driver Privilege Escalation by Grant Willcox, Jacob Baines, and Shelby Pace, which exploits CVE-2021-35449 – A new module has been added to exploit CVE-2021-35449, a privilege escalation issue in a variety of Lexmark drivers including the Universal Print Driver. Successful exploitation allows local attackers to gain SYSTEM level code execution.

Enhancements and features

  • #15327 from adfoster-r7 – Fixes a regression issue in the RPC analyze command. Adds automated integration tests to ensure it doesn’t break in the future.
  • #15430 from zeroSteiner – This adds support for SSH pivoting by adding a new Command Shell session type for SSH clients. This also updates both auxiliary/scanner/ssh/ssh_login and auxiliary/scanner/ssh/ssh_login_pubkey modules to include these changes. Note that it only supports TCP client connections and only outbound payloads can be used through the SSH pivot at the moment (no reverse payloads).
  • #15493 from jmartin-r7 – Updated Metasploit’s dependency on Rails from version 5.2 to 6.1
  • #15523 from adfoster-r7 – This enhances the console output with additional information on why a session may not be compatible with a post module, such as missing Meterpreter commands.
  • #15535 from adfoster-r7 – The psexec module has been updated to use the SMBSHARE option name instead of SHARE for better consistency across modules. Users can still use the old SHARE option if needed, however this should be considered deprecated.

Bugs fixed

  • #15524 from pingport80 – This fixes a localization-related issue in the post/linux/gather/enum_network module, caused by it searching for language-specific strings in the output to determine success.
  • #15534 from timwr – Fixes a regression issue in post/multi/manage/shell_to_meterpreter where the generated Powershell command length was greater than the limit of 8192 characters after string obfuscation was applied.
  • #15536 from zeroSteiner – The HiveNightmare module has been updated to correctly use the INTERATIONS option instead of the NBRE_ITER option when performing the loop to call check_path(). This fixes an issue where the module would hang whilst users were running it, and ensures the loop correctly terminates after a set number of iterations.
  • #15542 from adfoster-r7 – This fixes a regression with Meterpreter’s initialize methods, which caused Meterpreter scripts to be broken.

Get it

As always, you can update to the latest Metasploit Framework with msfupdate and you can get more details on the changes since the last blog post from GitHub:

If you are a git user, you can clone the Metasploit Framework repo (master branch) for the latest. To install fresh without using git, you can use the open-source-only Nightly Installers or the binary installers (which also include the commercial edition).

When One Door Opens, Keep It Open: A New Tool for Physical Security Testing

Post Syndicated from Ted Raffle original https://blog.rapid7.com/2021/08/13/when-one-door-opens-keep-it-open-a-new-tool-for-physical-security-testing/

When One Door Opens, Keep It Open: A New Tool for Physical Security Testing

As penetration testers, we spend most of our time working with different types of networks, applications, and hardware devices. Physical security is another fun area we get to work in during physical social engineering penetration tests and red team engagements, which sometimes includes attempts to gain entry into facilities or sensitive areas within them.

Just like when we’re testing a virtual network’s defenses against intruders, pentesters need to put themselves in the mindset of attackers when testing physical security — and that means thinking creatively.

One classic method of gaining physical access is “tailgating,” where you wait for someone else to be going into or coming out of where you want to go, so you can follow them in before a door closes. To help pentesters simulate an attacker who can tailgate without suspiciously hovering around the door, we’ve come up with a neat little device to help with outward-opening doors with ferromagnetic metal frames, like steel entry doors. This tool is one more way pentesters can recreate the thought process of attackers — and help organizations outsmart them.

But first, of course, we want to caution that this is something that should only be used for legitimate purposes, when you have authorization or authority to do so. While we encourage other testers to try this out themselves and use it for customer engagements, this device is patent pending, and we request that you not manufacture, sell, or monetize it.

It’s it! What is it?

We start by placing our little door holder on the door frame, on the side of the door that opens:

When One Door Opens, Keep It Open: A New Tool for Physical Security Testing

When someone opens the door, it will push the long leaf of the hinge forward:

When One Door Opens, Keep It Open: A New Tool for Physical Security Testing

As the door opens further than the long leaf of the hinge, it falls back down behind the door:

When One Door Opens, Keep It Open: A New Tool for Physical Security Testing

And while the person who was exiting the door is hopefully on their merry way and not looking back to see if the door will close behind them, our little device will make sure it doesn’t:

When One Door Opens, Keep It Open: A New Tool for Physical Security Testing

More than one way to peel an orange

We’ve made a few versions of this using lock hasps. Another common hinge with a longer side would be your standard t-hinge. This one was made with a few bar-style neodymium magnets:

When One Door Opens, Keep It Open: A New Tool for Physical Security Testing

We’ve also made a miniature version using cup-style neodymium magnets:

When One Door Opens, Keep It Open: A New Tool for Physical Security Testing

Important tips

Neodymium magnets can slide around a good bit on smooth surfaces. Putting some grippy tape on the back of the magnet can help keep it from sliding around or scratching paint. Electrical tape and gorilla tape have worked well.

When One Door Opens, Keep It Open: A New Tool for Physical Security Testing

Likewise, having some padding on the leaf that contacts the door is important to prevent it from scratching paint.

When One Door Opens, Keep It Open: A New Tool for Physical Security Testing

Countermeasures

This tool makes it easier to enter a building or secure area by tailgating. By simulating an attacker with a high level of skill and ingenuity, the tool can help reveal weaknesses in organizations’ physical security protocols — and what countermeasures might be more effective.

If you have an electronic access control system, consider configuring it to trigger alerts if a door has been left open for too long. But the best place to start is to make sure your physical security policies and security awareness training educates staff about tailgating, encourages them not to let someone follow them in, and emphasizes making sure that doors close behind them.

NEVER MISS A BLOG

Get the latest stories, expertise, and news about security today.

Cobalt Strike Vulnerability Affects Botnet Servers

Post Syndicated from Bruce Schneier original https://www.schneier.com/blog/archives/2021/08/cobolt-strike-vulnerability-affects-botnet-servers.html

Cobalt Strike is a security tool, used by penetration testers to simulate network attackers. But it’s also used by attackers — from criminals to governments — to automate their own attacks. Researchers have found a vulnerability in the product.

The main components of the security tool are the Cobalt Strike client — also known as a Beacon — and the Cobalt Strike team server, which sends commands to infected computers and receives the data they exfiltrate. An attacker starts by spinning up a machine running Team Server that has been configured to use specific “malleability” customizations, such as how often the client is to report to the server or specific data to periodically send.

Then the attacker installs the client on a targeted machine after exploiting a vulnerability, tricking the user or gaining access by other means. From then on, the client will use those customizations to maintain persistent contact with the machine running the Team Server.

The link connecting the client to the server is called the web server thread, which handles communication between the two machines. Chief among the communications are “tasks” servers send to instruct clients to run a command, get a process list, or do other things. The client then responds with a “reply.”

Researchers at security firm SentinelOne recently found a critical bug in the Team Server that makes it easy to knock the server offline. The bug works by sending a server fake replies that “squeeze every bit of available memory from the C2’s web server thread….”

It’s a pretty serious vulnerability, and there’s already a patch available. But — and this is the interesting part — that patch is available to licensed users, which attackers often aren’t. It’ll be a while before that patch filters down to the pirated copies of the software, and that time window gives defenders an opportunity. They can simulate a Cobolt Strike client, and leverage this vulnerability to reply to servers with messages that cause the server to crash.

Metasploit Wrap-Up

Post Syndicated from Christophe De La Fuente original https://blog.rapid7.com/2021/07/30/metasploit-wrap-up-123/

New Olympic Discipline: Hive Hunting

Metasploit Wrap-Up

This week, community contributor Hakyac added a new Olympic discipline to Metasploit exploit sport category, which is based on the work of community security researchers @jonasLyk and Kevin Beaumont). The rules are simple: You need to abuse a flaw in Windows 10 and 11 configuration to pass through the defense and access Security Account Manager (SAM) files. Any local unprivileged player is able to read this sensitive security information, such as hashes of user/admin passwords. The best strategy to win a gold medal is to start abusing Windows Volume Shadow Copy Service (VSS) to access these files and copy them locally. Finally, you just need to dump the NTLM hashes, use them in a pass-the-hash attack and score with a remote code execution.

Note that Microsoft issued an out-of-band advisory and tracked this vulnerability as CVE-2021-36934. You can find more information about the rules in this blog post. Happy Hive hunting!

Gold Medal for NetGear R7000 in Swimming 100m Heap Overflow

Our own Grant Willcox added a new exploit module that won the Swimming 100m Heap Overflow discipline. It took advantage of a flaw in genie.cgi?backup.cgi page of Netgear R7000 routers to enable a telnet server and easily got code execution as the root user. Note that, whereas firmware versions 1.0.11.116 and prior are vulnerable, this module can only be used with versions 1.0.11.116 at the moment. The check method can still be used to detect if older devices are vulnerable. This module is based on research done by @colorlight2019. A new gold medal for the Metasploit team, great job!

New module content (5)

  • Netgear R7000 backup.cgi Heap Overflow RCE by Grant Willcox, SSD Disclosure, and colorlight2019, which exploits CVE-2021-31802 – This adds an module that will leverage CVE-2021-31802 which is an unauthenticated RCE in Netgear R7000 routers. The vulnerability is leveraged to execute a shellcode stub that will enable telnet which can then be accessed for root privileges on the affected device.
  • Pi-Hole Remove Commands Linux Priv Esc by Emanuele Barbeno and h00die, which exploits CVE-2021-29449 – This adds a local privilege escalation module that targets Pi-Hole versions >= 3.0 and <= 5.2.4. In vulnerable versions of the software, a user with sudo privileges can escalate to root by passing shell commands to either the removecustomcname, removecustomdns, or removestaticdhcp function. The functions have minimal sanitization, and they pass the input to the sed command. By default, the www-data user is permitted to run sudo without supplying a password as configured in the sudoers.d/pihole file.
  • WordPress Plugin Modern Events Calendar – Authenticated Remote Code Execution by Nguyen Van Khanh, Ron Jost, and Yann Castel, which exploits CVE-2021-24145 – This adds a module that exploits an authenticated file upload vulnerability in the WordPress plugin known as Modern Events Calendar. For versions before 5.16.5, an administrative user can upload a php payload via the calendar import feature by setting the content type of the file to text/csv. Code execution with the privileges of the user running the server is achieved by sending a request for the uploaded file.
  • WordPress Plugin SP Project and Document – Authenticated Remote Code Execution by Ron Jost and Yann Castel, which exploits CVE-2021-24347 – This adds a module that exploits an authenticated file upload vulnerability in the WordPress plugin, SP Project and Document Manager. For versions below 4.22, an authenticated user can upload arbitrary PHP code because the security check only blocks the upload of files with a .php extension, meaning that uploading a file with a .pHp extension is allowed. Once uploaded, requesting the file will result in code execution as the www-data user.
  • Windows SAM secrets leak – HiveNightmare by Kevin Beaumont, Yann Castel, and romarroca, which exploits CVE-2021-36934 – This adds a new exploit module that exploits a configuration issue in Windows 10 (from version 1809) and 11, identified as CVE-2021-36934. Due to permission issues, any local user is able to read SAM and SYSTEM hives. This module abuses Windows Volume Shadow Copy Service (VSS) to access these files and save them locally.

Enhancements and features

  • #15444 from pingport80 – This adds additional support for Powershell sessions to some methods in the File mixin leveraged by post modules.
  • #15465 from sjanusz-r7 – Updates the local exploit suggester to gracefully handle modules raising unintended exceptions and nil target information

Bugs fixed

  • #15359 from stephenbradshaw – Fixes a bug in the ssh_login_pubkey which would crash out when not connected to the db
  • #15460 from pingport80 – This fixes a localization-related issue in the File libraries copy_file method caused by it searching for a word in the output to determine success.

Get it

As always, you can update to the latest Metasploit Framework with msfupdate and you can get more details on the changes since the last blog post from GitHub:

If you are a git user, you can clone the Metasploit Framework repo (master branch) for the latest. To install fresh without using git, you can use the open-source-only Nightly Installers or the binary installers (which also include the commercial edition).

Metasploit Wrap-Up

Post Syndicated from Shelby Pace original https://blog.rapid7.com/2021/06/25/metasploit-wrap-up-118/

Cisco ‘Sploits

Metasploit Wrap-Up

This week’s Metasploit Framework release brings two modules that target Cisco products.The first module, written by our very own jheysel-r7, targets an unauthenticated file upload vulnerability in Cisco HyperFlex HX Data Platform. Vulnerable versions of the Cisco HyperFlex software permit uploading of files through the /upload endpoint due to a missing authentication requirement. The exploit module uploads a jsp web shell and obtains code execution as the Tomcat user.

Community contributor Hakyac wrote the second module that targets Cisco Data Center Network Manager (DCNM). The module, auxiliary/admin/networking/cisco_dcnm_auth_bypass, leverages a static encryption key in the REST API of DCNM to generate a valid session token that is then used to create an administrative account with high privileges and access to sensitive data.

rConfig Authenticated File Upload RCE

Community contributor Hakyac wrote another exploit module that targets network management software. exploit/linux/http/rconfig_vendors_auth_file_upload_rce uses an authenticated file upload vulnerability to achieve remote code execution against vulnerable rConfig installations, specifically versions 3.9.6 and below. The vendor logo functionality in lib/crud/vendors.crud.php allows an authenticated user to upload images; however, there are no checks on the contents of the uploaded file. Because of this, an authenticated attacker can upload a php shell and trigger its execution via a request to the file’s name in the /images/vendor path.

New module content (3)

  • Cisco DCNM auth bypass by mr_me and Yann Castel, which exploits CVE-2019-15975 – This adds a module that leverages CVE-2019-15975 which is an authentication bypass in Cisco’s DCNM platform. The module will leverage the vulnerability to add a new administrative user account with known credentials that can be used to access the system.
  • Cisco HyperFlex HX Data Platform unauthenticated file upload to RCE (CVE-2021-1499) by wvu, Mikhail Klyuchnikov, Nikita Abramov, and jheysel-r7, which exploits
    CVE-2021-1499 – This adds an exploit module targeting a file upload vulnerability within the Cisco Hyperflex application that can be used to obtain unauthenticated remote code execution.
  • rConfig Vendors Auth File Upload RCE by Murat Şeker, Vishwaraj Bhattrai, and Yann Castel – This adds an exploit module for rConfig versions <= 3.9.6. An arbitrary file upload vulnerability exists in lib/crud/vendors.crud.php through the vendorLogo parameter. The functionality for uploading vendor logos does not validate the contents of uploaded files, so an authenticated user has the capability of uploading arbitrary php code. Once uploaded, code execution on the server can be achieved by requesting the uploaded php file in the images/vendor path.

Enhancements and features

  • #15358 from zeroSteiner – This updates the exploit/multi/ssh/sshexec module to now account for cases where the target system does not have the python binary. Using the new binary_exists() class method in lib/msf/base/sessions/command_shell.rb, the module now checks for and uses the valid Python binary found on the target system despite not having a fully-established session.

Bugs fixed

  • #15350 from pingport80 – Fixes a regression issue in the windows/manage/shellcode_inject module which crashed due to a missing mixin
  • #15352 from adfoster-r7 – Fixes an issue where running msfdb init on an already initialised database would generate a new password instead of just starting the database

Get it

As always, you can update to the latest Metasploit Framework with msfupdate
and you can get more details on the changes since the last blog post from
GitHub:

If you are a git user, you can clone the Metasploit Framework repo (master branch) for the latest.
To install fresh without using git, you can use the open-source-only Nightly Installers or the
binary installers (which also include the commercial edition).

Metasploit Wrap-Up

Post Syndicated from Adam Galway original https://blog.rapid7.com/2021/06/18/metasploit-wrap-up-117/

I’m very Emby-ous

Metasploit Wrap-Up

Community contributor btnz-k has authored a new Emby Version Scanner module consisting of both an exploit and a scanner for the SSRF vulnerability found in Emby. Emby is a previously open source media server designed to organize, play, and stream audio and video to a variety of devices.

SharePoint of entry

SharePoint, a document management and storage system designed to integrate with Microsoft Office, patched a vuln in May 2021 that allowed authenticated users to perform Remote Code Execution. Our own Spencer McIntyre and wvu authored a PR that allows exploitation of this vulnerability on unpatched systems. The user will need to have the SPBasePermissions.ManageLists permission on the targeted site, but by default users can manually make their own site where that permission will be present.

New module content (4)

  • Emby Version Scanner by Btnz, which exploits CVE-2020-26948 – This PR adds an aux scanner and module to exploit CVE-2020-26948, an SSRF against emby servers
  • IPFire 2.25 Core Update 156 and Prior pakfire.cgi Authenticated RCE by Grant Willcox and Mücahit Saratar, which exploits CVE-2021-33393 – A new module has been added to exploit CVE-2021-33393, an authenticated command injection vulnerability in the /cgi-bin/pakfire.cgi web page of IPFire devices running versions 2.25 Core Update 156 and prior. Successful exploitation results in remote code execution as the root user.
  • HashiCorp Nomad Remote Command Execution by Wyatt Dahlenburg ( – Adds a new multi/misc/nomad_exec module for HashiCorp’s Nomad product. This module supports the use of the ‘raw_exec’ and ‘exec’ drivers to create a job that spawns a shell.
  • Microsoft SharePoint Unsafe Control and ViewState RCE by wvu, Spencer McIntyre, and Unknown, which exploits ZDI-21-573 – A new exploit for CVE-2021-31181 has been added, which exploits a RCE in SharePoint that was patched in May 2021. Successful exploitation requires the attacker to have login credentials for a SharePoint user who has SPBasePermissions.ManageLists permissions on any SharePoint site, and grants the attacker remote code execution as the user running the SharePoint server.

Enhancements and features

  • #15109 from zeroSteiner – An update has been made so that when a user attempts to load an extension that isn’t available for the current Meterpreter type, they will now receive a list of payloads that would yield a Meterpreter session that would be capable of loading the specified extension. Additionally, when a user runs a command that’s in an extension that hasn’t been loaded yet, Metasploit will now tell the user which extension needs to be loaded for the command to run.
  • #15187 from dwelch-r7 – Updates the msfdb script to now prompt the user before enabling the remote http webservice functionality, defaulting to being disabled. It is still possible to enable this functionality after the fact with msfdb --component webservice init
  • #15316 from zeroSteiner – The assembly stub used by the PrependFork option for Linux payloads has been updated to call setsid(2) in the child process to properly run the payload in the background before calling fork(2) again. This ensures the payload properly runs when the target environment is expecting the command or payload to return, and ensures the payloads better emulate the Mettle payload’s background command to ensure better consistency across payloads.

Bugs fixed

  • #15319 from pingport80 – This fixes a localization issue in the post/windows/gather/enum_hyperv_vms module where on non-English systems the error message would not match the specified regular expression.
  • #15328 from zeroSteiner – The lib/msf/core/session/provider/single_command_shell.rb library has been updated to address an issue whereby shell_read_until_token may sometimes fail to return output if the randomized token being used to delimit output is contained within the legitimate output as well.
  • #15337 from 0xShoreditch – A bug has been fixed in apache_activemq_upload_jsp.rb whereby the URI and filesystem path were not separated appropriately. Additionally, extra checks were added to handle error conditions that may arise during module operation.
  • #15340 from adfoster-r7 – A bug was identified in lib/msf/ui/console/command_dispatcher/db.rb where the -d flag was not being correctly honored, preventing users from being able to delete hosts from their database. This has now been fixed.

Get it

As always, you can update to the latest Metasploit Framework with msfupdate
and you can get more details on the changes since the last blog post from
GitHub:

If you are a git user, you can clone the Metasploit Framework repo (master branch) for the latest.
To install fresh without using git, you can use the open-source-only Nightly Installers or the
binary installers (which also include the commercial edition).

Metasploit Wrap-Up

Post Syndicated from Alan David Foster original https://blog.rapid7.com/2021/01/15/metasploit-wrap-up-94/

Commemorating the 2020 December Metasploit community CTF

Metasploit Wrap-Up

A new commemorative banner has been added to the Metasploit console to celebrate the teams that participated in the 2020 December Metasploit community CTF and achieved 100 or more points:

Metasploit Wrap-Up

If you missed out on participating in this most recent event, be sure to follow the Metasploit Twitter and Metasploit blog posts. If there are any future Metasploit CTF events, all details will be announced there!

If the banners aren’t quite your style, you can always disable them with the quiet flag:

msfconsole -q

Windows privilege escalation via Cloud Filter driver

Our very own gwillcox-r7 has created a new module for CVE-2020-1170 Cloud Filter Arbitrary File Creation EOP, with credit to James Foreshaw for the initial vulnerability discovery and proof of concept. The Cloud Filter driver, cldflt.sys, on Windows 10 v1803 and later, prior to December 2020, did not set the IO_FORCE_ACCESS_CHECK or OBJ_FORCE_ACCESS_CHECK flags when calling FltCreateFileEx() and FltCreateFileEx2() within its HsmpOpCreatePlaceholders() function with attacker-controlled input. This meant that files were created with KernelMode permissions, thereby bypassing any security checks that would otherwise prevent a normal user from being able to create files in directories they don’t have permissions to create files in.

This module abuses this vulnerability to perform a DLL hijacking attack against the Microsoft Storage Spaces SMP service, which grants the attacker code execution as the NETWORK SERVICE user. Users are strongly encouraged to set the PAYLOAD option to one of the Meterpreter payloads, as doing so will allow them to subsequently escalate their new session from NETWORK SERVICE to SYSTEM by using Meterpreter’s getsystem command to perform RPCSS Named Pipe Impersonation and impersonate the SYSTEM user.

New Modules (3)

Enhancements and Features

  • #14562 from zeroSteiner Improves the readability of Meterpreter error messages by replacing the command ID with the command name
  • #14582 from zeroSteiner This adds the possibility to run post module actions as commands. This also consolidates and improves existing VSS modules into one new single module with multiple actions.
  • #14600 from zeroSteiner The FileSystem mixin has been reorganized and a number of function aliases have been added to assist developers in using the module. Additionally new YARD documentation has been added to better explain the functionality of several of the FileSystem mixin’s functions to assist developers in determining when to use these functions.
  • #14606 from bwatters-r7 This adds a banner commemorating all of the teams that participated in the Q4 2020 CTF.

Bugs Fixed

  • #14515 from timwr This fixes an issue with both cmd/unix/reverse_awk and cmd/unix/bind_awk payloads that were not correctly terminating when after a session was closed. This was causing endless session creations and high CPU consumption on the target.
  • #14605 from zeroSteiner This PR fixes an issue where the VHOST option was not being correctly populated when the RHOST option was a domain name
  • #14613 from adfoster-r7 Fixes a regression error with modules depending on NTLM such as cve_2019_0708_bluekeep
  • #14614 from zeroSteiner A bug within the module for CVE-2020-17136 occurred where a relative path was used instead of an absolute path when attempting to load the C# exploit exe. The code has been replaced with a call to File.expand_path() to allow the module to dynamically determine the full path to this file, allowing users to use the module regardless of which directory they are in when running msfconsole.

Get it

As always, you can update to the latest Metasploit Framework with msfupdate and you can get more details on the changes since the last blog post from GitHub:

If you are a git user, you can clone the Metasploit Framework repo (master branch) for the latest. To install fresh without using git, you can use the open-source-only Nightly Installers or the binary installers (which also include the commercial edition).

Metasploit Wrap-Up

Post Syndicated from Grant Willcox original https://blog.rapid7.com/2020/12/18/metasploit-wrap-up-92/

Metasploit Wrap-Up

It’s the week of December 17th and that can only mean one thing: a week until Christmas! For those of you who don’t celebrate Christmas, a very happy Hanukkah/Chanukah, Kwanzaa, Diwali, Chinese New Year, Winter Solstice and Las Posadas to you all!

This is our last weekly wrap-up this year, but as always, we’ll be publishing an annual Metasploit wrap-up just after the new year that covers all the shells we got in 2020.

Without further ado, let’s jump into it!

CVE-2020-1054: I heard you still got Windows 7, so let’s play a game

Oh dear Windows 7, you just can’t catch a break. timwr continued his LPE contributions this week with a exploit for CVE-2020-1054, a OOB write vulnerability via the DrawIconEx() function in win32k.sys. This bug was originally found by bee13oy of Qihoo 360 Vulcan Team and Netanel Ben-Simon and Yoav Alon of Check Point Research and was reported to Microsoft in May 2020. The module targets Windows 7 SP1 x64 and grants SYSTEM level code execution. Whilst Windows 7 is EOL, it is still being used by 17.68% of all Windows computers as of November 2020 according to some statistics. That is still a fair market share even if its popularity has been gradually diminishing over time. Furthermore, although users can update Windows 7, it is now mostly a manual process unless you are on one of Windows extended support plans. This increases the time needed to apply patches and also increases the possibility that users may forget to install specific patches. Hopefully none of your clients’ systems are still running Windows 7, but in case you are on a pen test and happen to encounter one, this exploit might provide the access you need to pivot further into the network.

Parse me to your shell

The second highlight of this week was a PR from our very own wvu-r7 targeting CVE-2020-14871, a buffer overflow within the parse_user_name() function of the PAM (Pluggable Authentication Module) component of Solaris SunSSH running on Oracle Solaris versions 10 and 11. The exploit supports SunSSH 1.1.5 running on solaris 10u11 1/13 (x86) within either VMWare or VirtualBox and grants unauthenticated users a shell as the root user. Pretty nifty stuff!

New modules (2)

Enhancements and features

Bugs fixed

Get it

As always, you can update to the latest Metasploit Framework with msfupdate
and you can get more details on the changes since the last blog post from
GitHub:

If you are a git user, you can clone the Metasploit Framework repo (master branch) for the latest.
To install fresh without using git, you can use the open-source-only Nightly Installers or the
binary installers (which also include the commercial edition).

HELK – Open Source Threat Hunting Platform

Post Syndicated from Darknet original https://www.darknet.org.uk/2020/11/helk-open-source-threat-hunting-platform/?utm_source=rss&utm_medium=social&utm_campaign=darknetfeed

HELK – Open Source Threat Hunting Platform

The Hunting ELK or simply the HELK is an Open-Source Threat Hunting Platform with advanced analytics capabilities such as SQL declarative language, graphing, structured streaming, and even machine learning via Jupyter notebooks and Apache Spark over an ELK stack.

This project was developed primarily for research, but due to its flexible design and core components, it can be deployed in larger environments with the right configurations and scalable infrastructure.

Goals of HELK Open Source Threat Hunting Platform

  • Provide an open-source hunting platform to the community and share the basics of Threat Hunting.

Read the rest of HELK – Open Source Threat Hunting Platform now! Only available at Darknet.