Post Syndicated from Simon Janusz original https://blog.rapid7.com/2022/01/14/metasploit-weekly-wrap-up/

Log4Shell goodness

Log4Shell made an unfortunate end to 2021 for many organizations, but it also makes for some great additions to Metasploit Framework. Contributors sempervictus, schierlm, righel, timwr and our very own Spencer McIntyre have collaborated to bring us a Log4Shell module that uses header stuffing to exploit vulnerable HTTP servers, resulting in Remote Code Execution.

SonicWall SSL VPN module for Rapid7-discovered vulnerability

Rapid7 disclosed the technical details of five vulnerabilities discovered by jbaines-r7 affecting SonicWall’s SMA-100 series of SSL VPN devices. The disclosure included landing a Metasploit module that gives remote and authenticated attackers root access to the device using CVE-2021-20039.

Pi-Hole command execution and common exploit library

An exciting new addition has worked its way into Metasploit Framework this week. Contributor h00die has created an authenticated RCE module that takes advantage of improper escaping of characters in Pi-Hole’s Top Domains API’s validDomainWildcard field. H00die has also created a library that aims to make developing future Pi-Hole modules easier.

New module content (5)

• Pi-Hole Top Domains API Authenticated Exec by SchneiderSec and h00die, which exploits CVE-2021-32706 – This adds an auxiliary module that executes commands against Pi-Hole versions <= 5.5. This also introduces a Pi-Hole library for common functionality required in exploits against the service.

• SonicWall SMA 100 Series Authenticated Command Injection by jbaines-r7, which exploits CVE-2021-20039 – This adds a module that exploits an authenticated command injection vulnerability in multiple versions of the SonicWALL SMA 100 series web interface. In the SSL certificate deletion functionality, the sanitization logic permits the \n character which acts as a terminator when passed to a call to system(). An authenticated attacker can execute arbitrary commands as the root user.

• Log4Shell HTTP Header Injection by sinn3r, juan vazquez, Michael Schierl, RageLtMan, and Spencer McIntyre, which exploits CVE-2021-44228 – This adds an exploit for HTTP servers that are affected by the Log4J/Log4Shell vulnerability via header stuffing.

• Microsoft Windows SMB Direct Session Takeover by usiegl00 – This adds a new exploit module that implements the Shadow Attack, SMB Direct Session takeover. Before running this module, a MiTM attack needs to be performed to let it intercept SMB authentication requests between a client and a server. by using any kind of ARP spoofer/poisoner tools in addition to Metasploit. If the connecting user is an administrator and network logins are allowed to the target machine, this module will execute an arbitrary payload.

• #12217 from SkypLabs – This adds the f5 load balancer cookie to notes, and cleans up the module (rubocop/documentation/refs)

Enhancements and features

• #15656 from HynekPetrak – This enables the vmware_vcenter_vmdir_auth_bypass module to create an admin user even if the target is not vulnerable to CVE-2020-3952, assuming we have obtained valid credentials to the vCenter LDAP directory.
• #16021 from zeroSteiner – This adds additional tests for Meterpreter’s mkdir/rmdir functionality to ensure uniform implementations across all Meterpreters
• #16024 from sjanusz-r7 – This adds in a new command to Meterpreter that allows the end user to kill all channels at once
• #16040 from jmartin-r7 – Removes Ruby 2.5 support as it is officially end of life

Bugs fixed

• #16016 from bwatters-r7 – This fixes an issue in the auxiliary/scanner/dcerpc/hidden module where the RHOSTS datastore option was not available, resulting in hosts not being scanned.
• #16027 from zeroSteiner – This fixes an issue with tab completion for the generate command. Completion now works with both the -f and -o flags.
• #16043 from shoxxdj – Fixes crash in the auxiliary/scanner/http/wordpress_scanner.rb module when attempting to scan themes

Get it

As always, you can update to the latest Metasploit Framework with msfupdate
and you can get more details on the changes since the last blog post from
GitHub:

• Pull Requests 6.1.23…6.1.25
• Full diff 6.1.23…6.1.25

If you are a git user, you can clone the Metasploit Framework repo (master branch) for the latest.
To install fresh without using git, you can use the open-source-only Nightly Installers or the
binary installers (which also include the commercial edition).

Post Syndicated from Grant Willcox original https://blog.rapid7.com/2021/10/29/metasploit-wrap-up-136/

OMIGOD It’s RCE

We are excited to announce that we now have a module for the OMIGOD vulnerability that exploits CVE-2021-38647 courtesy of our very own Spencer McIntyre! Successful exploitation will allow an unauthenticated attacker to gain root level code execution against affected servers. Given that this has seen exploitation in the wild by the Mirai botnet, we hope you’re patched, lest your servers decide to join the zombie horde this Halloween!

Sophos Contributes to the RCE Pile

Continuing the trend of unauthenticated RCE exploits that grant root level code execution, this week we also have an exploit for CVE-2020-25223, an unauthenticated RCE within the Sophos UTM WebAdmin service. Whilst we haven’t yet seen exploitation in the wild of this bug, this is definitely one to patch given its severity. Stay frosty folks!

Guess Who’s Back, Back Again, Apache’s Back, Tell a Friend

Whilst not a marshalling bug (I’m sorry, it’s Halloween some puns are needed), community contributors Ash Daulton, Dhiraj Mishra, and mekhalleh (RAMELLA Sébastien), have added a scanner and exploit for CVE-2021-41773 and CVE-2021-42013, which was based off of work from RootUp, ProjectDiscovery, and HackerFantastic. Path traversal vulnerabilities are relatively easy to exploit, and this got a lot of attention in the news since it’s been a long time since Apache has seen a reliable RCE exploit against it. This is definitely one to patch if you’re running any Apache servers. Successful exploitation will result in remote code execution as the user running the Apache server.

New module content (6)

• Squid Proxy Range Header DoS by Joshua Rogers, which exploits CVE-2021-31806 and CVE-2021-31807 – This adds a module that leverages CVE-2021-31806 and CVE-2021-31807 to trigger a denial of service condition in vulnerable Squid proxy servers.
• Apache 2.4.49/2.4.50 Traversal RCE scanner by Ash Daulton, Dhiraj Mishra, and mekhalleh (RAMELLA Sébastien), which exploits CVE-2021-41773 and CVE-2021-42013 – This adds both a scanner and exploit module for the two recent path traversal vulnerabilities in the apache2 HTTP server. The RCE module requires mod_cgi to be enabled but can be exploited remotely without any authentication. These vulnerabilities are identified as CVE-2021-41773 and CVE-2021-42013.
• Sophos UTM WebAdmin SID Command Injection by wvu and Justin Kennedy, which exploits CVE-2020-25223 – This adds an exploit for CVE-2020-25223 which is an unauthenticated RCE within the Sophos UTM WebAdmin service. Exploitation results in OS command execution as the root user.
• Microsoft OMI Management Interface Authentication Bypass by wvu, Nir Ohfeld, Shir Tamari, and Spencer McIntyre, which exploits CVE-2021-38647 – We added an unauthenticated RCE exploit for Microsoft OMI "OMIGOD" CVE-2021-38647. Successful exploitation grants code execution as the root user.
• Apache 2.4.49/2.4.50 Traversal RCE by Ash Daulton, Dhiraj Mishra, and mekhalleh (RAMELLA Sébastien), which exploits CVE-2021-41773 and CVE-2021-42013 – This adds both a scanner and exploit module for the two recent path traversal vulnerabilities in the apache2 HTTP server. The RCE module requires mod_cgi to be enabled but can be exploited remotely without any authentication. These vulnerabilities are identified as CVE-2021-41773 and CVE-2021-42013.
• Browse the session filesystem in a Web Browser by timwr – This adds a post module that allows the user to view the Meterpreter sessions filesystem via a locally hosted web page.

Enhancements and features

• #15681 from smashery – This adds support for reverse port forwarding via established SSH sessions.
• #15778 from k0pak4 – This PR adds documentation for the http trace scanner.
• #15788 from zeroSteiner – When generating a Powershell command payload would exceed the maximum length allowed to successfully execute, gracefully fall back to omitting an ASMI bypass.
• #15803 from k0pak4 – This adds f5_bigip_virtual_server scanner documentation.

Bugs fixed

• #15799 from adfoster-r7 – This fixes a crash in the iis_internal_ip module.

Get it

As always, you can update to the latest Metasploit Framework with msfupdate and you can get more details on the changes since the last blog post from GitHub:

• Pull Requests 6.1.11…6.1.12
• Full diff 6.1.11…6.1.12

If you are a git user, you can clone the Metasploit Framework repo (master branch) for the latest version of Metasploit Framework. To install fresh without using git, you can use the open-source-only Nightly Installers or the binary installers (which also include the commercial edition).

Post Syndicated from Dean Welch original https://blog.rapid7.com/2021/10/22/metasploit-wrap-up-135/

We just couldn’t contain ourselves!

This week we’ve got two Kubernetes modules coming at you from adfoster-r7 and smcintyre-r7. First up is an enum module auxiliary/cloud/kubernetes/enum_kubernetes that’ll extract a variety of information including the namespaces, pods, secrets, service token information, and the Kubernetes environment version! Next is an authenticated code execution module exploit/multi/kubernetes/exec (which shipped with a new websocket implementation, too, by the way) that will spin up a new pod with a Meterpreter payload for you provided you have the Kubernetes JWT token and access to the Kubernetes REST API. These modules can even be run through a compromised container that may be running on the Kubernetes cluster.

Atlassian Confluence WebWork OGNL Injection gets Windows support

You might remember Confluence Server CVE-2021-26084 making an appearance in a wrap-up last month, and it’s back! Rapid7’s own wvu-r7 has updated his Confluence Server exploit to support Windows targets.

New module content (2)

• Kubernetes Enumeration by Spencer McIntyre and Alan Foster – This adds a module for enumerating Kubernetes environments. It can be run via an established session within a Kubernetes environment or with an authentication token and target information. It will extract a variety of information including the namespaces, pods, secrets and version.
• Kubernetes authenticated code execution by Spencer McIntyre and Alan Foster – Adds a new exploit/multi/kubernetes/exec module. It can be run via an established session within a Kubernetes environment or with an authentication token and target information. The module creates a new pod which will execute a Meterpreter payload to open a new session, as well as mounting the host’s file system when possible.

Enhancements and features

• #15732 from dwelch-r7 – Adds terminal size synchronisation for fully interactive shells against Linux environments with shell -it. This functionality is behind a feature flag and can be enabled with features set fully_interactive_shells true.
• #15769 from wvu-r7 – Added Windows support to the Atlassian Confluence CVE-2021-26084 exploit.
• #15773 from adfoster-r7 – Adds a collection of useful commands for configuring a local or remote Kubernetes environment to aid with testing and exploring Metasploit’s Kubernetes modules and pivoting capabilities. The resource files include deploying two vulnerable applications, and populating secrets which can be extracted and stored as loot, as well as utility commands for creating admin and service account tokens.

Bugs fixed

• #15760 from adfoster-r7 – Fixes an issue when attempting to store JSON loot, where the extension was always being set to bin instead of json.

Get it

As always, you can update to the latest Metasploit Framework with msfupdate
and you can get more details on the changes since the last blog post from
GitHub:

• Pull Requests 6.1.10…6.1.11
• Full diff 6.1.10…6.1.11

If you are a git user, you can clone the Metasploit Framework repo (master branch) for the latest.
To install fresh without using git, you can use the open-source-only Nightly Installers or the
binary installers (which also include the commercial edition).

Post Syndicated from Brendan Watters original https://blog.rapid7.com/2021/10/15/metasploit-wrap-up-134/

An Especially Spooky Season for Moodle

This release has not one, two, or three, but FOUR authenticated Moodle exploit modules, or should I say moodules? H00die comes through again with not just modules, but also an artisanal, bespoke library to support further work. Two target the spell check functions in Moodle, one is a shell upload using administrative credentials, and one allows teachers to get ahead by declaring themselves administrators!

More Information on Forwarded Sessions and Jobs

To get through networks, sometimes red teamers need to connect sessions and forward traffic through a “red network” of hosts to gain access to a target of interest on an interior network. Smashery has added features to the sessions and jobs information reporting that reflects the status of a forwarded connection and which sessions it is using for its connection. This helps users keep track of an already tricky [or treaty] situation juggling sessions and forwarded connections.

New module content (4)

• Moodle Admin Shell Upload by AkkuS and h00die, which exploits CVE-2019-11631 – Allows an attacker to generate a plugin which can receive a malicious payload request and upload it to a server running Moodle, provided valid admin credentials are used.
• Moodle Authenticated Spelling Binary RCE by Brandon Perry, which exploits CVE-2013-4341 – This exploit takes advantage of the fact Moodle allows an authenticated administrator to define spell check settings via the web interface, allowing an administrator can update the aspell path to include a command injection.
• Moodle SpellChecker Path Authenticated Remote Command Execution by Adam Reiser and h00die, which exploits CVE-2021-21809 – Similar to the previous module, this module attacks the spell checker from a different avenue, allowing a user to
• Moodle Teacher Enrollment Privilege Escalation to RCE by HoangKien1020, h00die, and lanz, which exploits CVE-2020-14321 – A bug in the privileges system allows a teacher to add themselves as a manager to their own class, and then add any other users, including someone with manager privileges on the system (not just the class).

Enhancements and features

• #15706 from smashery – The reverse shell handlers in Metasploit have been updated. When catching a shell via a route that goes through another existing session, Metasploit will now note which session the new session originated from. This helps users determine how shells were obtained when they use an existing session to acquire another session within a target’s network. Additional information has been applied to job information which provides users with more clarity when looking at jobs.

Get it

As always, you can update to the latest Metasploit Framework with msfupdate
and you can get more details on the changes since the last blog post from
GitHub:

• Pull Requests 6.1.9…6.1.10
• Full diff 6.1.9…6.1.10

If you are a git user, you can clone the Metasploit Framework repo (master branch) for the latest.
To install fresh without using git, you can use the open-source-only Nightly Installers or the
binary installers (which also include the commercial edition).

[Modified] Image credit https://commons.wikimedia.org/wiki/File:Halloween_Jack-o’-lantern.jpg

Post Syndicated from Simon Janusz original https://blog.rapid7.com/2021/10/08/metasploit-wrap-up-133/

Telemetry is for gathering data, not executing commands as root, right?…

This week’s highlight is a new exploit module by our own wvu for VMware vCenter Server CVE-2021-22005, a file upload vuln that arises from a flaw in vCenter’s analytics/telemetry service, which is enabled by default. Attackers with network access to port 443 can upload a specially crafted file, after which commands can be executed as the root user without prior authentication. As usual, this latest vCenter Server vulnerability was exploited in the wild quickly after details were released. See Rapid7’s full technical analysis in AttackerKB.

Good ol’ Netfilter

This week’s release also includes a privilege escalation module for a Linux kernel vulnerability in Netfilter that lets you get a root shell through an out-of-bounds write. The vulnerability was discovered by Andy Nguyen and has been present in the Linux kernel for the past 15 years. The module currently supports 18 versions of the Ubuntu kernel ranging between 5.8.0-23 to 5.8.0-53 thanks to bcoles, and there are plans to add further support for kernel versions 4.x in the future, once an ROP chain for said version is created.

New module content (3)

• VMware vCenter Server Analytics (CEIP) Service File Upload by wvu, Derek Abdine, George Noseevich, Sergey Gerasimov, and VMware, which exploits CVE-2021-22005 – This adds an exploit for CVE-2021-22005 which is an unauthenticated RCE within the VMWare vCenter appliance.
• Netfilter x_tables Heap OOB Write Privilege Escalation by Andy Nguyen (theflow0), Szymon Janusz and bcoles, which exploits CVE-2021-22555 – This PR adds a module for CVE-2021-22555, a 15-year-old heap out-of-bounds write vulnerability in Linux Netfilter.
• Diagnostic State by Jay Turla – Adds a new post/hardware/automotive/diagnostic_state module which will keep the vehicle in a diagnostic state.

Enhancements and features

• #15735 from jaydesl – Fixes a Rails 6 deprecation warning when a user ran db_disconnect in msfconsole
• #15740 from h00die – Several improvements have been made to the Ghostcat module to align it with recent standards changes that the team has made and to ensure its documentation is more descriptive.
• #15750 from jmartin-r7 – Improves Ruby 3.0.2 support on Windows

Bugs fixed

• #15729 from ErikWynter – This fixes a bug in the PrintNightmare check method where if an RPC function returns a value that can’t be mapped to a Win32 error code, the module would crash.
• #15730 from adfoster-r7 – The check method for the Gitea Git hooks RCE module has been updated to correctly handle older versions of Gitea and report their exploitability as unknown vs reporting the target as not running Gitea.
• #15737 from adfoster-r7 – A bug has been fixed whereby action wasn’t correctly being set when using the action name as a command. action should now hold the right value when using the action name as a command.
• #15745 from bwatters-r7 – A bug has been fixed in tools/dev/msftidy.rb whereby if the Notes section was placed before the References section, then msftidy would end up not checking the References section and would therefore state the module didn’t have a CVE reference, even when it did.

Get it

As always, you can update to the latest Metasploit Framework with msfupdate and you can get more details on the changes since the last blog post from GitHub:

• Pull Requests 6.1.8…6.1.9
• Full diff 6.1.8…6.1.9

If you are a git user, you can clone the Metasploit Framework repo (master branch) for the latest. To install fresh without using git, you can use the open-source-only Nightly Installers or the binary installers (which also include the commercial edition).

Post Syndicated from Erran Carey original https://blog.rapid7.com/2021/10/01/metasploit-wrap-up-132/

Credential gatherers, mix-ins, oh my!

We’re excited that Metasploit now includes support for 28 related post modules for gathering credentials based on the PackRat toolset. This is a continuation of #5433, #11700, and #11719. It was developed by community contributors Kazuyoshi Maruta, Daniel Hallsworth and Barwar Salim M, for their final year projects at Leeds Beckett University with guidance, code clean-up and some additions by Z. Cliffe Schreuders.

We thank these community contributors for their months of effort and patience while getting so many modules through the code review process.

Netgear PNPX_GetShareFolderList Authentication Bypass

This auxiliary module exploits an authentication bypass in a range of different Netgear router models and firmware versions. The module leverages this vulnerability to log in as the admin user and then achieves a telnet session as root through the auxiliary/scanner/telnet/telnet_login module.

Read more about the SSD Netgear D7000 authentication bypass advisory here.

New module content (30)

• Netgear PNPX_GetShareFolderList Authentication Bypass by Grant Willcox and Unknown – The auxiliary/admin/http/netgear_pnpx_getsharefolderlist_auth_bypass module exploits an authentication bypass in various Netgear router models running firmware versions prior to 1.2.0.88, 1.0.1.80, 1.1.0.110, and 1.1.0.84. The module leverages the vulnerability to log in as the admin user and then achieves a telnet session as the root user through the auxiliary/scanner/telnet/telnet_login module.
• ECU Hard Reset by Jay Turla – Adds a new ecu_hard_reset hardware module which performs a hard reset in the ECU Reset Service Identifier (0x11)
• 28 "PackRat" credential gatherers by Barwar Salim M, Daniel Hallsworth, Kazuyoshi Maruta (@KazuCyber), and Z. Cliffe Schreuders (@cliffe) – This pull request adds 28 post-exploitation modules, based on a common mixin, known as PackRat, which gathers file and information artifacts from end users’ systems.
  • Aim credential gatherer
  • Chrome credential gatherer
  • Comodo credential gatherer
  • Coolnovo credential gatherer
  • Digsby credential gatherer
  • Flock credential gatherer
  • Gadugadu credential gatherer
  • ICQ credential gatherer
  • Ie credential gatherer
  • Incredimail credential gatherer
  • KakaoTalk credential gatherer
  • Kmeleon credential gatherer
  • LINE credential gatherer
  • Maxthon credential gatherer
  • Miranda credential gatherer
  • Opera credential gatherer
  • Operamail credential gatherer
  • Postbox credential gatherer
  • QQ credential gatherer
  • Safari credential gatherer
  • Seamonkey credential gatherer
  • Srware credential gatherer
  • Tango credential gatherer
  • Thunderbird credential gatherer
  • Tlen credential gatherer
  • Viber credential gatherer
  • Windows Live Mail credential gatherer
  • Xchat credential gatherer

Enhancements and features

• #15441 from bf9114 – This change extends the Meterpreter search functionality by adding the ability to search by modified dates across all supported Meterpreter platforms. This allows a user to quickly find files on a target system that has been modified recently, or within a specific date range.
• #15594 from h00die – This adds options to the wordpress_scanner that enables the user to only scan for wordpress themes or plugins that Metasploit has modules for.
• #15630 from zeroSteiner – This adds the option DB_SKIP_EXISTING to the AuthBrute mixin to give users the option to skip credentials already in the database when performing brute force attacks.
• #15669 from adfoster-r7 – Updates the multi/manage/screenshare module to use the Espia screenshot capabilities if present, and to gracefully fallback to using the normal screenshot behavior if it fails to load as expected.
• #15721 from zeroSteiner – Support has been added into Metasploit for negotiating SSL connections over multiple connections types including Meterpreter and SSH. As a result, users can now make HTTPS requests over pivoted sessions. Previously, if users tried to make such connections, they would be sent via plaintext instead of being SSL encrypted.
• #15722 from adfoster-r7 – The rerun command has been enhanced to support tab completion.
• #15726 from zeroSteiner – This adds the MeterpreterTryToFork option to the Mettle payloads. When set, it translates to Mettle’s :background option. When :persist is not configured it will attempt to fork the stage into the background.

Bugs fixed

• #15703 from space-r7 – This updates payload/windows/x64/encrypted_shell/reverse_tcp to no longer crash on MacOS. Additionally adds an advanced option, ShowCompileCMD, that prints the compilation command used.
• #15720 from NeffIsBack – This fixes a bug where the rhost value was incorrectly passed to the underlying scanning script, resulting in an abnormal exit.

Get it

As always, you can update to the latest Metasploit Framework with msfupdate and you can get more details on the changes since the last blog post from GitHub:

• Pull Requests 6.1.7…6.1.8
• Full diff 6.1.7…6.1.8

If you are a git user, you can clone the Metasploit Framework repo (master branch) for the latest. To install fresh without using git, you can use the open-source-only Nightly Installers or the binary installers (which also include the commercial edition).

Post Syndicated from Adam Galway original https://blog.rapid7.com/2021/09/24/metasploit-wrap-up-131/

Vulnerability is in the eye of the beholder

Exploiting firmware authored by UDP Technology and provided to multiple large OEMs (including Geutebruck), community contributor TrGFxX has authored a neat module that allows RCE as root on machines running the web interface of the Geutebruck G-Cam and G-Code products. For more information on the vulnerability check out the CISA advisory.

OpManager exploit is OP plz nerf

Our very own zeroSteiner authored a module implementing both an exploit and patch bypass for a Java deserialization vulnerability that exists in numerous versions of ManageEngine’s OpManager software. This module allows payload execution as either NT AUTHORITY\SYSTEM on Windows or root on Linux. On top of this new module, zeroSteiner made improvements to help utilize the increasingly essential YSoSerial tool. You should definitely check it out if you’re interested in exploring other Java deserialization vulns.

Putting the Win in WinRM

In a big win for Metasploit, community contributor smashery finished off their month-long effort to get fully functional shells working across WinRM! These new sessions support post modules, NTLMSSP authentication, and are also able to run without a payload in remote memory, making these sessions pretty hard to detect. This is a major improvement over the previous WinRM implementation that only supported execution of a single command, so huge thanks again to smashery.

You can tell a lot about a protocol from its handshake

In one final noteworthy addition, smashery has once again come through with a PR that significantly improves our RDP library. Metasploit users can now capture the NETBIOS computer name, NETBIOS domain name, DNS computer name, DNS domain name, and OS version from the NTLM handshake carried out over RDP, and our rdp_scanner module has been updated to display this info to all the RDP sniffers out there.

New module content (3)

• Direct windows syscall evasion technique by Yaz – This adds a new evasion module that uses direct syscalls on 64-bit versions of Windows to evade detection.
• Geutebruck instantrec Remote Command Execution by Ibrahim Ayadhi – RandoriSec and Titouan Lazard – RandoriSec, which exploits CVE-2021-33549 – This module exploits an unauthenticated buffer overflow vulnerability within the action parameter of the /uapi-cgi/instantrec.cgi endpoint in various Geutebruck G-Cam and G-Code devices. The exploit results in code execution as the root user on target devices.
• ManageEngine OpManager SumPDU Java Deserialization by Johannes Moritz, Robin Peraglie, and Spencer McIntyre, which exploits CVE-2021-3287 – The exploit/multi/http/opmanager_sumpdu_deserialization module implements an exploit (CVE-2020-28653) and patch bypass (CVE-2021-3287) for a Java deserialization vulnerability that exists in numerous versions of ManageEngine’s OpManager software. Arbitrary code execution as the NT AUTHORITY\SYSTEM user on Windows or the root user on Linux is achieved by sending a PDU to the SmartUpdateManager handler.

Enhancements and features

• #15684 from adfoster-r7 – This improves interactive shell performance for pasted user input.
• #15696 from smashery – This updates the RDP scanner module to extract and show additional information gathered from the NTLM handshake used for Network Level Authentication (NLA).
• #15632 from smashery – This improves Metasploit’s WinRM capabilities by allowing shell sessions to be established over the protocol. The shell sessions are interactive and are usable with post modules.

Bugs fixed

• #15600 from agalway-r7 – This fixes an issue with encrypted payloads during session setup. The logic that gathers session info is now located in the bootstrap method, which ensures that this functionality is always carried out before any commands are sent.
• #15666 from timwr – This fixes an issue found in Meterpreter’s download functionality where downloading a file with a name containing unicode characters would fail due to incompatible encoding.
• #15679 from nvn1729 – This fixes a bug where the tomcat_mgr_upload module was not correctly undeploying the app after exploitation occurred.
• #15686 from jmartin-r7 – This fixes a crash in msfrpc that occurs due to the exploit/linux/misc/saltstack_salt_unauth_rce module’s MINIONS option default being a regex instead of a string.
• #15695 from adfoster-r7 – This fixes a crash in the exploit/unix/local/setuid_nmap module and adds logging to print the result of the exploit’s last command so the user knows what happened in the event of a failure.
• #15697 from smashery – This updates the HTTP NTLM information enumeration module to use the Net::NTLM library for consistent data processing without a custom parser.

Get it

As always, you can update to the latest Metasploit Framework with msfupdate and you can get more details on the changes since the last blog post from GitHub:

• Pull Requests 6.1.6…6.1.7
• Full diff 6.1.6…6.1.7

If you are a git user, you can clone the Metasploit Framework repo (master branch) for the latest. To install fresh without using git, you can use the open-source-only Nightly Installers or the binary installers (which also include the commercial edition).

Post Syndicated from Christophe De La Fuente original https://blog.rapid7.com/2021/09/03/metasploit-wrap-up-128/

Capture Credentials with our new SMB Server

Our own Adam Galway revamped the old SMB capture module and now supports NTLMv1 and NTLMv2, as well as SMB1, SMB2 and SMB3. This was possible thanks to @zeroSteiner‘s new RubySMB server implementation. Metasploit is now able to capture NTLM hashes from any recent Windows releases using the SMB2 and SMB3 dialects, even with encrypted SMB traffic.

Revenge of the Clones

Earlier this year, an outstanding vulnerability in Git clients was disclosed and identified as CVE-2021-21300. It allows an attacker to execute scripts on the victim’s system when cloning a specially crafted repository onto a case-insensitive file system such as NTFS, HFS+ or APFS. Our own Shelby Pace just added a new exploit module that leverages this flaw to achieve remote code execution. First, the module creates a fake Git repository and waits for the victim to clone it. This process will deliver a post-checkout script with the payload that will be automatically executed upon checkout of the repository.

Note that for this exploit to work, the victim’s Git client must support delay-capable clean / smudge filters and symbolic links. The former is enabled by default on Windows through Git-lfs.

Don’t clone repositories you don’t trust!

Exploiting eBPF on Linux

A new local exploit module that leverages a bug in the Linux eBPF feature was added by Grant Willcox this week. This vulnerability is identified as CVE-2021-3490 and allows a local attacker to achieve code execution as the root user by conducting an out-of-bounds read and write in the Linux kernel. This is possible due to a flaw in eBPF verifier‘s verification of ALU32 operations. This module is based on @chompie1337‘s PoC code and should work on any vulnerable kernel versions (from 5.7-rc1 prior to 5.13-rc4, 5.12.4, 5.11.21, and
5.10.37). Note that, at the moment, it has only been tested on Ubuntu 20.04 (Focal Fossa) 5.8.x kernels prior to 5.8.0-53.60, Ubuntu 20.10 (Groovy Gorilla) 5.8.x kernels prior to 5.8.0-53.60, Ubuntu 21.04 (Hirsute Hippo) 5.11.x kernels prior to 5.11.0-17.18 and Fedora kernel versions 5.x from 5.7.x up to but not including 5.11.20-300. However, the module documentation includes some instructions for porting the exploit over onto other systems.

New module content (4)

• Geutebruck Multiple Remote Command Execution by Ibrahim Ayadhi, Sébastien Charbonnier, and Titouan Lazard, which exploits CVE-2021-33554 – A new module has been added which bypasses authentication and exploits CVE-2021-33544, CVE-2021-33548, and CVE-2021-33550-33554 on Geutebruck G-Cam EEC-2xxx and G-Code EBC-21xx, EFD-22xx, ETHC-22xx, and EWPC-22xx devices running firmware versions <= 1.12.0.27 as well as firmware versions 1.12.13.2 and 1.12.14.5. Successful exploitation results in remote code execution as the root user.
• Linux eBPF ALU32 32-bit Invalid Bounds Tracking LPE by Grant Willcox, Manfred Paul, and chompie1337, which exploits ZDI-21-606 – This adds a module that uses @chompie1337’s CVE-2021-3490 PoC code to elevate privileges to root on affected Linux systems. It’s been tested to work on clean installs of Ubuntu 21.04, Ubuntu 20.10, Ubuntu 20.04.02, as well as Fedora running affected versions of the 5.7, 5.8, 5.9, 5.10 and 5.11 kernels.
• Git LFS Clone Command Exec by Johannes Schindelin, Matheus Tavares, and Shelby Pace, which exploits CVE-2021-21300 – An exploit module has been added for CVE-2021-21300, a RCE vulnerability in affected Git clients that support delay-capable clean / smudge filters and symbolic links on case-insensitive file systems. Additionally, a set of mixins that aid in exploiting Git clients over the Smart HTTP protocol have been added into Metasploit and the code for older Git-related exploits has been updated to utilize some of this new code.
• Overhaul SMB auth capture server from agalway-r7 – This updates the SMB capture server to be compatible with clients using the SMB 2 and SMB 3 dialects. SMB 1 has not been enabled in Windows 10 since v1709 was released in 2017. This allows the module to be compatible with recent releases.

Enhancements and features

• #15253 from adfoster-r7 – Updates Metasploit to support URI arguments to set module datastore values. The currently supported protocols are http, smb, mysql, postgres, and ssh.
• #15537 from adfoster-r7 – Adds support for Ruby 3
• #15582 from bcoles – The code for Msf::Post::Linux::Kernel.unprivileged_bpf_disabled? has been updated to support new values supported by kernel.unprivileged_bpf_disabled which were introduced in Linux kernels since 5.13 and 5.14-rc+HEAD, particularly the value 2 which means Unprivileged calls to bpf() are disabled, whereas the value 1 is now used to indicate Unprivileged calls to bpf() are disabled without recovery
• #15606 from adfoster-r7 – Improves Python Meterpreter to gracefully handle unsupported command ids, and cleaning up process objects correctly. Additionally enhances mingw build support for Windows Meterpreter, and now correctly interprets a transport session time of 0 as never expiring.
• #15621 from jmartin-r7 – Updates the Metasploit docker container to additionally include Go as a dependency.
• #15623 from zeroSteiner – The creds command has been updated to support several new features: supporting formatting NetNTLMv1 and NetNTLMv2 hash for both the JtR and Hashcat formatters, filtering hashes based on the realm, not truncating hashes when writing them to a CSV file, filtering based on the JtR format type name, support for applying the same filtering to output files that can be applied when generating the creds table, and support for ensuring output consistency when writing output to a file.

Bugs fixed

• #15375 from HynekPetrak – This PR fixes a bug whereby Metasploit would sometimes crash when remote LDAP servers returned a null character in the base_dn string, and also enhances modules/auxiliary/gather/ldap_hashdump.rb to handle sha256 hashes and skip hashes in cases of LK (locked account) and NP (no password) credentials.

• #15572 from adfoster-r7 – This PR implements a fix to correctly handle quoted console options and whitespace

• #15573 from dwelch-r7 – The simplify_module function has been updated so that by default it will not load LHOST/RHOST from the config file and instead use the values set in the options.

• #15590 from sjanusz-r7 – A bug has been fixed that prevented external modules from properly handling the encoding of UTF-8 characters.

• #15596 from tomadimitrie – A bug has been fixed in docker_credential_wincred whereby the regex would sometimes match on IP addresses and other invalid entries instead of the expected Docker version string. This has now been fixed by tightening the regex to make it more specific and restrictive.

• #15628 from timwr – Ensures the session table is refreshed whenever the sysinfo command is run, and whenever stdapi is loaded manually. This should also fix a minor bug where if you run an exploit on an existing session, the session information never gets updated (e.g the username from User -> SYSTEM). Now it’s refreshed when you run meterpreter > sysinfo.

• #15629 from jmartin-r7 – Fixes a regression issue where msfconsole crashed on startup when running on a Windows environments

Get it

As always, you can update to the latest Metasploit Framework with msfupdate and you can get more details on the changes since the last blog post from GitHub:

• Pull Requests 6.1.2…6.1.3
• Full diff 6.1.2…6.1.3

If you are a git user, you can clone the Metasploit Framework repo (master branch) for the latest. To install fresh without using git, you can use the open-source-only Nightly Installers or the binary installers (which also include the commercial edition).

Post Syndicated from Sonny Gonzalez original https://blog.rapid7.com/2021/08/27/metasploit-wrap-up-127/

LearnPress authenticated SQL injection

Metasploit contributor h00die added a new module that exploits CVE-2020-6010, an authenticated SQL injection vulnerability in the WordPress LearnPress plugin. When a user is logged in with contributor privileges or higher, the id parameter can be used to inject arbitrary code through an SQL query. This exploit can be used to collect usernames and password hashes. The responsible code is located in learnpress/inc/admin/lp-admin-functions.php at line 1690. The vulnerability affects plugin versions v3.2.6.7 and prior.

Continuous improvement

In addition to new exploit modules, Metasploit releases include a number of enhancements and bug fixes. This week we would like to highlight a few key enhancements that improve usability. Contributor pingport80 added support for easy reading of binary files from target systems compromised through a PowerShell session. Our very own sjanusz-r7 added a default payload option to the postgres_payload module so that payloads update correctly when changing target systems. An enhancement made by our own gwillcox-r7 extends Windows process lib injection beyond just notepad.exe. The logic now selects from a random list that can be updated in the future. We appreciate all the contributions that make Metasploit more robust and easier to use.

New module content (1)

• WordPress LearnPress current_items Authenticated SQLi by Omri Herscovici, Sagi Tzadik, h00die, and nhattruong, which exploits CVE-2020-6010 – This collects usernames and password hashes from WordPress installations via an authenticated SQL injection vulnerability that exists in LearnPress plugin versions below v3.2.6.8.

Enhancements and features

• #15384 from gwillcox-r7 – This consolidates and changes the library code used by exploits that use RDLLs. The changes improve upon the logic used to start a process to host the RDLL so it is no longer notepad.exe but randomly selected from a list that can also be updated in the future.
• #15477 from pingport80 – This adds PowerShell session support to the readable? and read_file functions provided by the Post::File API.
• #15580 from sjanusz-r7 – Updates postgres_payload exploit modules to specify a valid default PAYLOAD option when changing target architectures
• #15584 from h00die – Updates the list of WordPress plugins and themes to allow users to discover more plugins and themes when running tools such as auxiliary/scanner/http/wordpress_scanner

Bugs fixed

• #15496 from zeroSteiner – Users can now specify the SSL version for servers with the SSLVersion datastore option, ensuring compatibility with a range of targets old and new.

Get it

As always, you can update to the latest Metasploit Framework with msfupdate and you can get more details on the changes since the last blog post from GitHub:

• Pull Requests 6.1.1…6.1.2
• Full diff 6.1.1…6.1.2

If you are a git user, you can clone the Metasploit Framework repo (master branch) for the latest. To install fresh without using git, you can use the open-source-only Nightly Installers or the binary installers (which also include the commercial edition).

Post Syndicated from Jeffrey Martin original https://blog.rapid7.com/2021/08/20/metasploit-wrap-up-126/

Anyone enjoy making chains?

The community is hard at work building chains to pull sessions out of vulnerable Exchange servers. This week Rapid7’s own wvu & Spencer McIntyre added a module that implements the ProxyShell exploit chain originally demonstrated by Orange Tsai. The module also benefited from research and analysis by Jang, PeterJson, brandonshi123, and mekhalleh (RAMELLA Sébastien) to make it as simple as finding an email for an administrator of vulnerable version of exchange as the entrypoint to chain CVE-2021-31207, CVE-2021-34523, & CVE-2021-34473 into sessions for everyone to enjoy.

Great to see some GSoC value in the wild.

With Google Summer of Code 2021 moving into its final phases, pingport80 had 4 PRs land in this week’s release. These improvements and fixes to interactions with sessions make post exploitation tasks more accessible, bringing the community more capabilities and stability along the way.

New module content (2)

• Lucee Administrator imgProcess.cfm Arbitrary File Write by wvu,, iamnoooob, and rootxharsh, which exploits CVE-2021-21307 – An unauthenticated user is permitted to make requests through the imgProcess.cfm endpoint, and using the file parameter which contains a directory traversal vulnerability, they can write a file to an arbitrary location. Combining the two capabilities, this module writes a CFML script to the vulnerable server and achieves unauthenticated code execution as the user running the Lucee server.
• Microsoft Exchange ProxyShell RCE by wvu, Jang, Orange Tsai, PeterJson, Spencer McIntyre, brandonshi123, and mekhalleh (RAMELLA Sébastien), which exploits CVE-2021-31207 – Added an exploit for the ProxyShell attack chain against Microsoft Exchange Server.

Enhancements and features

• #15540 from dwelch-r7 – This adds an option to cmd_execute to have the command run in a subshell by Meterpreter.
• #15556 from pingport80 – This adds shell session compatibility to the post/windows/gather/enum_unattend module.
• #15564 from pingport80 – This adds support to the get_env and command_exists? post API methods for Powershell session types.

Bugs fixed

• #15303 from pingport80 – This PR ensures that the shell dir command returns a list.
• #15332 from pingport80 – This improves localization support and compatibly in the session post API related to the rename_file method.
• #15539 from tomadimitrie – This improves the OS version in the check method of exploit/windows/local/cve_2018_8453_win32k_priv_esc.
• #15546 from timwr – This ensures that the UUID URLs of stageless reverse_http(s) payloads are stored in the database so that they can be properly tracked with payload UUID tracking. This also fixes an error caused by accessing contents of a url list without checking if it’s valid first.
• #15570 from adfoster-r7 – This fixes a bug in the auxiliary/scanner/smb/smb_enum_gpp module where the path that was being generated by the module caused an SMB exception to be raised.

Get it

As always, you can update to the latest Metasploit Framework with msfupdate and you can get more details on the changes since the last blog post from GitHub:

• Pull Requests 6.1.0…6.1.1
• Full diff 6.1.0…6.1.1

If you are a git user, you can clone the Metasploit Framework repo (master branch) for the latest. To install fresh without using git, you can use the open-source-only Nightly Installers or the binary installers (which also include the commercial edition).

Post Syndicated from Erin Bleiweiss original https://blog.rapid7.com/2021/08/13/metasploit-wrap-up-125/

Print Driver PrivEsc

If you attended DEF CON last week, you may have seen this talk on print driver vulnerabilities from Metasploit community contributor Jacob Baines. In the spirit of Friday the 13th, we’re highlighting some of these "print nightmares" again, in the form of two new Metasploit modules that Jacob added.
The first is a Canon TR150 Print Driver Local Privilege Escalation module, which exploits CVE-2021-38085. The second is a Lexmark Universal Print Driver Local Privilege Escalation module, which exploits CVE-2021-35449. Both modules target Windows systems with their respective vulnerable print drivers installed, and result in privilege escalation to a SYSTEM user.

Atlassian Crowd RCE

Also new in this week’s release is an Atlassian Crowd pdkinstall Unauthenticated Plugin Upload RCE module by Rapid7’s own Grant Willcox, which exploits CVE-2019-11580. This vulnerability allows an attacker to upload arbitrary plugins to vulnerable Atlassian Crowd data servers and achieve unauthenticated remote code execution. This module also includes a check method for verifying whether a target is vulnerable to this exploit. It should be noted that this vulnerability made the U.S. Cybersecurity and Infrastructure Security Agency’s (CISA) list of the 12 most routinely exploited vulns for 2020).

New module content (3)

• Atlassian Crowd pdkinstall Unauthenticated Plugin Upload RCE by Corben Leo, Grant Willcox, and Paul, which exploits CVE-2019-11580 – This adds an exploit for CVE-2019-11580 which is an unauthenticated RCE within the Atlassian Crowd application. The vulnerability allows for a malicious JAR file to be loaded, resulting in arbitrary Java code execution within the context of the service.
• Canon Driver Privilege Escalation by Jacob Baines and Shelby Pace, which exploits CVE-2021-38085 – A new module has been added to exploit CVE-2021-38085, a privilege escalation issue in the Canon TR150 Print Driver. Successful exploitation results in code execution as the SYSTEM user.
• Lexmark Driver Privilege Escalation by Grant Willcox, Jacob Baines, and Shelby Pace, which exploits CVE-2021-35449 – A new module has been added to exploit CVE-2021-35449, a privilege escalation issue in a variety of Lexmark drivers including the Universal Print Driver. Successful exploitation allows local attackers to gain SYSTEM level code execution.

Enhancements and features

• #15327 from adfoster-r7 – Fixes a regression issue in the RPC analyze command. Adds automated integration tests to ensure it doesn’t break in the future.
• #15430 from zeroSteiner – This adds support for SSH pivoting by adding a new Command Shell session type for SSH clients. This also updates both auxiliary/scanner/ssh/ssh_login and auxiliary/scanner/ssh/ssh_login_pubkey modules to include these changes. Note that it only supports TCP client connections and only outbound payloads can be used through the SSH pivot at the moment (no reverse payloads).
• #15493 from jmartin-r7 – Updated Metasploit’s dependency on Rails from version 5.2 to 6.1
• #15523 from adfoster-r7 – This enhances the console output with additional information on why a session may not be compatible with a post module, such as missing Meterpreter commands.
• #15535 from adfoster-r7 – The psexec module has been updated to use the SMBSHARE option name instead of SHARE for better consistency across modules. Users can still use the old SHARE option if needed, however this should be considered deprecated.

Bugs fixed

• #15524 from pingport80 – This fixes a localization-related issue in the post/linux/gather/enum_network module, caused by it searching for language-specific strings in the output to determine success.
• #15534 from timwr – Fixes a regression issue in post/multi/manage/shell_to_meterpreter where the generated Powershell command length was greater than the limit of 8192 characters after string obfuscation was applied.
• #15536 from zeroSteiner – The HiveNightmare module has been updated to correctly use the INTERATIONS option instead of the NBRE_ITER option when performing the loop to call check_path(). This fixes an issue where the module would hang whilst users were running it, and ensures the loop correctly terminates after a set number of iterations.
• #15542 from adfoster-r7 – This fixes a regression with Meterpreter’s initialize methods, which caused Meterpreter scripts to be broken.

Get it

As always, you can update to the latest Metasploit Framework with msfupdate and you can get more details on the changes since the last blog post from GitHub:

• Pull Requests 6.0.56…6.1.0
• Full diff 6.0.56…6.1.0

If you are a git user, you can clone the Metasploit Framework repo (master branch) for the latest. To install fresh without using git, you can use the open-source-only Nightly Installers or the binary installers (which also include the commercial edition).

Post Syndicated from Christophe De La Fuente original https://blog.rapid7.com/2021/07/30/metasploit-wrap-up-123/

New Olympic Discipline: Hive Hunting

This week, community contributor Hakyac added a new Olympic discipline to Metasploit exploit sport category, which is based on the work of community security researchers @jonasLyk and Kevin Beaumont). The rules are simple: You need to abuse a flaw in Windows 10 and 11 configuration to pass through the defense and access Security Account Manager (SAM) files. Any local unprivileged player is able to read this sensitive security information, such as hashes of user/admin passwords. The best strategy to win a gold medal is to start abusing Windows Volume Shadow Copy Service (VSS) to access these files and copy them locally. Finally, you just need to dump the NTLM hashes, use them in a pass-the-hash attack and score with a remote code execution.

Note that Microsoft issued an out-of-band advisory and tracked this vulnerability as CVE-2021-36934. You can find more information about the rules in this blog post. Happy Hive hunting!

Gold Medal for NetGear R7000 in Swimming 100m Heap Overflow

Our own Grant Willcox added a new exploit module that won the Swimming 100m Heap Overflow discipline. It took advantage of a flaw in genie.cgi?backup.cgi page of Netgear R7000 routers to enable a telnet server and easily got code execution as the root user. Note that, whereas firmware versions 1.0.11.116 and prior are vulnerable, this module can only be used with versions 1.0.11.116 at the moment. The check method can still be used to detect if older devices are vulnerable. This module is based on research done by @colorlight2019. A new gold medal for the Metasploit team, great job!

New module content (5)

• Netgear R7000 backup.cgi Heap Overflow RCE by Grant Willcox, SSD Disclosure, and colorlight2019, which exploits CVE-2021-31802 – This adds an module that will leverage CVE-2021-31802 which is an unauthenticated RCE in Netgear R7000 routers. The vulnerability is leveraged to execute a shellcode stub that will enable telnet which can then be accessed for root privileges on the affected device.
• Pi-Hole Remove Commands Linux Priv Esc by Emanuele Barbeno and h00die, which exploits CVE-2021-29449 – This adds a local privilege escalation module that targets Pi-Hole versions >= 3.0 and <= 5.2.4. In vulnerable versions of the software, a user with sudo privileges can escalate to root by passing shell commands to either the removecustomcname, removecustomdns, or removestaticdhcp function. The functions have minimal sanitization, and they pass the input to the sed command. By default, the www-data user is permitted to run sudo without supplying a password as configured in the sudoers.d/pihole file.
• WordPress Plugin Modern Events Calendar – Authenticated Remote Code Execution by Nguyen Van Khanh, Ron Jost, and Yann Castel, which exploits CVE-2021-24145 – This adds a module that exploits an authenticated file upload vulnerability in the WordPress plugin known as Modern Events Calendar. For versions before 5.16.5, an administrative user can upload a php payload via the calendar import feature by setting the content type of the file to text/csv. Code execution with the privileges of the user running the server is achieved by sending a request for the uploaded file.
• WordPress Plugin SP Project and Document – Authenticated Remote Code Execution by Ron Jost and Yann Castel, which exploits CVE-2021-24347 – This adds a module that exploits an authenticated file upload vulnerability in the WordPress plugin, SP Project and Document Manager. For versions below 4.22, an authenticated user can upload arbitrary PHP code because the security check only blocks the upload of files with a .php extension, meaning that uploading a file with a .pHp extension is allowed. Once uploaded, requesting the file will result in code execution as the www-data user.
• Windows SAM secrets leak – HiveNightmare by Kevin Beaumont, Yann Castel, and romarroca, which exploits CVE-2021-36934 – This adds a new exploit module that exploits a configuration issue in Windows 10 (from version 1809) and 11, identified as CVE-2021-36934. Due to permission issues, any local user is able to read SAM and SYSTEM hives. This module abuses Windows Volume Shadow Copy Service (VSS) to access these files and save them locally.

Enhancements and features

• #15444 from pingport80 – This adds additional support for Powershell sessions to some methods in the File mixin leveraged by post modules.
• #15465 from sjanusz-r7 – Updates the local exploit suggester to gracefully handle modules raising unintended exceptions and nil target information

Bugs fixed

• #15359 from stephenbradshaw – Fixes a bug in the ssh_login_pubkey which would crash out when not connected to the db
• #15460 from pingport80 – This fixes a localization-related issue in the File libraries copy_file method caused by it searching for a word in the output to determine success.

Get it

As always, you can update to the latest Metasploit Framework with msfupdate and you can get more details on the changes since the last blog post from GitHub:

• Pull Requests 6.0.54…6.0.55
• Full diff 6.0.54…6.0.55

If you are a git user, you can clone the Metasploit Framework repo (master branch) for the latest. To install fresh without using git, you can use the open-source-only Nightly Installers or the binary installers (which also include the commercial edition).

Post Syndicated from Shelby Pace original https://blog.rapid7.com/2021/06/25/metasploit-wrap-up-118/

Cisco ‘Sploits

This week’s Metasploit Framework release brings two modules that target Cisco products.The first module, written by our very own jheysel-r7, targets an unauthenticated file upload vulnerability in Cisco HyperFlex HX Data Platform. Vulnerable versions of the Cisco HyperFlex software permit uploading of files through the /upload endpoint due to a missing authentication requirement. The exploit module uploads a jsp web shell and obtains code execution as the Tomcat user.

Community contributor Hakyac wrote the second module that targets Cisco Data Center Network Manager (DCNM). The module, auxiliary/admin/networking/cisco_dcnm_auth_bypass, leverages a static encryption key in the REST API of DCNM to generate a valid session token that is then used to create an administrative account with high privileges and access to sensitive data.

rConfig Authenticated File Upload RCE

Community contributor Hakyac wrote another exploit module that targets network management software. exploit/linux/http/rconfig_vendors_auth_file_upload_rce uses an authenticated file upload vulnerability to achieve remote code execution against vulnerable rConfig installations, specifically versions 3.9.6 and below. The vendor logo functionality in lib/crud/vendors.crud.php allows an authenticated user to upload images; however, there are no checks on the contents of the uploaded file. Because of this, an authenticated attacker can upload a php shell and trigger its execution via a request to the file’s name in the /images/vendor path.

New module content (3)

• Cisco DCNM auth bypass by mr_me and Yann Castel, which exploits CVE-2019-15975 – This adds a module that leverages CVE-2019-15975 which is an authentication bypass in Cisco’s DCNM platform. The module will leverage the vulnerability to add a new administrative user account with known credentials that can be used to access the system.
• Cisco HyperFlex HX Data Platform unauthenticated file upload to RCE (CVE-2021-1499) by wvu, Mikhail Klyuchnikov, Nikita Abramov, and jheysel-r7, which exploits
  CVE-2021-1499 – This adds an exploit module targeting a file upload vulnerability within the Cisco Hyperflex application that can be used to obtain unauthenticated remote code execution.
• rConfig Vendors Auth File Upload RCE by Murat Şeker, Vishwaraj Bhattrai, and Yann Castel – This adds an exploit module for rConfig versions <= 3.9.6. An arbitrary file upload vulnerability exists in lib/crud/vendors.crud.php through the vendorLogo parameter. The functionality for uploading vendor logos does not validate the contents of uploaded files, so an authenticated user has the capability of uploading arbitrary php code. Once uploaded, code execution on the server can be achieved by requesting the uploaded php file in the images/vendor path.

Enhancements and features

• #15358 from zeroSteiner – This updates the exploit/multi/ssh/sshexec module to now account for cases where the target system does not have the python binary. Using the new binary_exists() class method in lib/msf/base/sessions/command_shell.rb, the module now checks for and uses the valid Python binary found on the target system despite not having a fully-established session.

Bugs fixed

• #15350 from pingport80 – Fixes a regression issue in the windows/manage/shellcode_inject module which crashed due to a missing mixin
• #15352 from adfoster-r7 – Fixes an issue where running msfdb init on an already initialised database would generate a new password instead of just starting the database

Get it

As always, you can update to the latest Metasploit Framework with msfupdate
and you can get more details on the changes since the last blog post from
GitHub:

• Pull Requests 6.0.49…6.0.50
• Full diff 6.0.49…6.0.50

If you are a git user, you can clone the Metasploit Framework repo (master branch) for the latest.
To install fresh without using git, you can use the open-source-only Nightly Installers or the
binary installers (which also include the commercial edition).

Post Syndicated from Alan David Foster original https://blog.rapid7.com/2021/01/15/metasploit-wrap-up-94/

Commemorating the 2020 December Metasploit community CTF

A new commemorative banner has been added to the Metasploit console to celebrate the teams that participated in the 2020 December Metasploit community CTF and achieved 100 or more points:

If you missed out on participating in this most recent event, be sure to follow the Metasploit Twitter and Metasploit blog posts. If there are any future Metasploit CTF events, all details will be announced there!

If the banners aren’t quite your style, you can always disable them with the quiet flag:

msfconsole -q

Windows privilege escalation via Cloud Filter driver

Our very own gwillcox-r7 has created a new module for CVE-2020-1170 Cloud Filter Arbitrary File Creation EOP, with credit to James Foreshaw for the initial vulnerability discovery and proof of concept. The Cloud Filter driver, cldflt.sys, on Windows 10 v1803 and later, prior to December 2020, did not set the IO_FORCE_ACCESS_CHECK or OBJ_FORCE_ACCESS_CHECK flags when calling FltCreateFileEx() and FltCreateFileEx2() within its HsmpOpCreatePlaceholders() function with attacker-controlled input. This meant that files were created with KernelMode permissions, thereby bypassing any security checks that would otherwise prevent a normal user from being able to create files in directories they don’t have permissions to create files in.

This module abuses this vulnerability to perform a DLL hijacking attack against the Microsoft Storage Spaces SMP service, which grants the attacker code execution as the NETWORK SERVICE user. Users are strongly encouraged to set the PAYLOAD option to one of the Meterpreter payloads, as doing so will allow them to subsequently escalate their new session from NETWORK SERVICE to SYSTEM by using Meterpreter’s getsystem command to perform RPCSS Named Pipe Impersonation and impersonate the SYSTEM user.

New Modules (3)

• WordPress AIT CSV Import Export Unauthenticated Remote Code Execution by h00die This adds an exploit module for various versions of the AIT CSV Import / Export plugin for WordPress. This module exploits an unauthenticated file upload vulnerability in plugin versions below v3.0.4 to gain code execution against WordPress installations.
• CVE-2020-1170 Cloud Filter Arbitrary File Creation EOP by Grant Willcox and James Foreshaw, which exploits CVE-2020-17136, an arbitrary file write vulnerability within cldflt.sys. The result yields local code execution as the Network Service account which is suitable for escalating to SYSTEM via documented techniques.
• Windows Manage Volume Shadow Copies by zeroSteiner This adds the possibility to run post module actions as commands. This also consolidates and improves existing VSS modules into one new single module with multiple actions.

Enhancements and Features

• #14562 from zeroSteiner Improves the readability of Meterpreter error messages by replacing the command ID with the command name
• #14582 from zeroSteiner This adds the possibility to run post module actions as commands. This also consolidates and improves existing VSS modules into one new single module with multiple actions.
• #14600 from zeroSteiner The FileSystem mixin has been reorganized and a number of function aliases have been added to assist developers in using the module. Additionally new YARD documentation has been added to better explain the functionality of several of the FileSystem mixin’s functions to assist developers in determining when to use these functions.
• #14606 from bwatters-r7 This adds a banner commemorating all of the teams that participated in the Q4 2020 CTF.

Bugs Fixed

• #14515 from timwr This fixes an issue with both cmd/unix/reverse_awk and cmd/unix/bind_awk payloads that were not correctly terminating when after a session was closed. This was causing endless session creations and high CPU consumption on the target.
• #14605 from zeroSteiner This PR fixes an issue where the VHOST option was not being correctly populated when the RHOST option was a domain name
• #14613 from adfoster-r7 Fixes a regression error with modules depending on NTLM such as cve_2019_0708_bluekeep
• #14614 from zeroSteiner A bug within the module for CVE-2020-17136 occurred where a relative path was used instead of an absolute path when attempting to load the C# exploit exe. The code has been replaced with a call to File.expand_path() to allow the module to dynamically determine the full path to this file, allowing users to use the module regardless of which directory they are in when running msfconsole.

Get it

As always, you can update to the latest Metasploit Framework with msfupdate and you can get more details on the changes since the last blog post from GitHub:

• Pull Requests 6.0.25…6.0.26
• Full diff 6.0.25…6.0.26

If you are a git user, you can clone the Metasploit Framework repo (master branch) for the latest. To install fresh without using git, you can use the open-source-only Nightly Installers or the binary installers (which also include the commercial edition).