Tag Archives: penetration-testing

Cobalt Strike Vulnerability Affects Botnet Servers

Post Syndicated from Bruce Schneier original https://www.schneier.com/blog/archives/2021/08/cobolt-strike-vulnerability-affects-botnet-servers.html

Cobalt Strike is a security tool, used by penetration testers to simulate network attackers. But it’s also used by attackers — from criminals to governments — to automate their own attacks. Researchers have found a vulnerability in the product.

The main components of the security tool are the Cobalt Strike client — also known as a Beacon — and the Cobalt Strike team server, which sends commands to infected computers and receives the data they exfiltrate. An attacker starts by spinning up a machine running Team Server that has been configured to use specific “malleability” customizations, such as how often the client is to report to the server or specific data to periodically send.

Then the attacker installs the client on a targeted machine after exploiting a vulnerability, tricking the user or gaining access by other means. From then on, the client will use those customizations to maintain persistent contact with the machine running the Team Server.

The link connecting the client to the server is called the web server thread, which handles communication between the two machines. Chief among the communications are “tasks” servers send to instruct clients to run a command, get a process list, or do other things. The client then responds with a “reply.”

Researchers at security firm SentinelOne recently found a critical bug in the Team Server that makes it easy to knock the server offline. The bug works by sending a server fake replies that “squeeze every bit of available memory from the C2’s web server thread….”

It’s a pretty serious vulnerability, and there’s already a patch available. But — and this is the interesting part — that patch is available to licensed users, which attackers often aren’t. It’ll be a while before that patch filters down to the pirated copies of the software, and that time window gives defenders an opportunity. They can simulate a Cobolt Strike client, and leverage this vulnerability to reply to servers with messages that cause the server to crash.

Metasploit Wrap-Up

Post Syndicated from Christophe De La Fuente original https://blog.rapid7.com/2021/07/30/metasploit-wrap-up-123/

New Olympic Discipline: Hive Hunting

Metasploit Wrap-Up

This week, community contributor Hakyac added a new Olympic discipline to Metasploit exploit sport category, which is based on the work of community security researchers @jonasLyk and Kevin Beaumont). The rules are simple: You need to abuse a flaw in Windows 10 and 11 configuration to pass through the defense and access Security Account Manager (SAM) files. Any local unprivileged player is able to read this sensitive security information, such as hashes of user/admin passwords. The best strategy to win a gold medal is to start abusing Windows Volume Shadow Copy Service (VSS) to access these files and copy them locally. Finally, you just need to dump the NTLM hashes, use them in a pass-the-hash attack and score with a remote code execution.

Note that Microsoft issued an out-of-band advisory and tracked this vulnerability as CVE-2021-36934. You can find more information about the rules in this blog post. Happy Hive hunting!

Gold Medal for NetGear R7000 in Swimming 100m Heap Overflow

Our own Grant Willcox added a new exploit module that won the Swimming 100m Heap Overflow discipline. It took advantage of a flaw in genie.cgi?backup.cgi page of Netgear R7000 routers to enable a telnet server and easily got code execution as the root user. Note that, whereas firmware versions 1.0.11.116 and prior are vulnerable, this module can only be used with versions 1.0.11.116 at the moment. The check method can still be used to detect if older devices are vulnerable. This module is based on research done by @colorlight2019. A new gold medal for the Metasploit team, great job!

New module content (5)

  • Netgear R7000 backup.cgi Heap Overflow RCE by Grant Willcox, SSD Disclosure, and colorlight2019, which exploits CVE-2021-31802 – This adds an module that will leverage CVE-2021-31802 which is an unauthenticated RCE in Netgear R7000 routers. The vulnerability is leveraged to execute a shellcode stub that will enable telnet which can then be accessed for root privileges on the affected device.
  • Pi-Hole Remove Commands Linux Priv Esc by Emanuele Barbeno and h00die, which exploits CVE-2021-29449 – This adds a local privilege escalation module that targets Pi-Hole versions >= 3.0 and <= 5.2.4. In vulnerable versions of the software, a user with sudo privileges can escalate to root by passing shell commands to either the removecustomcname, removecustomdns, or removestaticdhcp function. The functions have minimal sanitization, and they pass the input to the sed command. By default, the www-data user is permitted to run sudo without supplying a password as configured in the sudoers.d/pihole file.
  • WordPress Plugin Modern Events Calendar – Authenticated Remote Code Execution by Nguyen Van Khanh, Ron Jost, and Yann Castel, which exploits CVE-2021-24145 – This adds a module that exploits an authenticated file upload vulnerability in the WordPress plugin known as Modern Events Calendar. For versions before 5.16.5, an administrative user can upload a php payload via the calendar import feature by setting the content type of the file to text/csv. Code execution with the privileges of the user running the server is achieved by sending a request for the uploaded file.
  • WordPress Plugin SP Project and Document – Authenticated Remote Code Execution by Ron Jost and Yann Castel, which exploits CVE-2021-24347 – This adds a module that exploits an authenticated file upload vulnerability in the WordPress plugin, SP Project and Document Manager. For versions below 4.22, an authenticated user can upload arbitrary PHP code because the security check only blocks the upload of files with a .php extension, meaning that uploading a file with a .pHp extension is allowed. Once uploaded, requesting the file will result in code execution as the www-data user.
  • Windows SAM secrets leak – HiveNightmare by Kevin Beaumont, Yann Castel, and romarroca, which exploits CVE-2021-36934 – This adds a new exploit module that exploits a configuration issue in Windows 10 (from version 1809) and 11, identified as CVE-2021-36934. Due to permission issues, any local user is able to read SAM and SYSTEM hives. This module abuses Windows Volume Shadow Copy Service (VSS) to access these files and save them locally.

Enhancements and features

  • #15444 from pingport80 – This adds additional support for Powershell sessions to some methods in the File mixin leveraged by post modules.
  • #15465 from sjanusz-r7 – Updates the local exploit suggester to gracefully handle modules raising unintended exceptions and nil target information

Bugs fixed

  • #15359 from stephenbradshaw – Fixes a bug in the ssh_login_pubkey which would crash out when not connected to the db
  • #15460 from pingport80 – This fixes a localization-related issue in the File libraries copy_file method caused by it searching for a word in the output to determine success.

Get it

As always, you can update to the latest Metasploit Framework with msfupdate and you can get more details on the changes since the last blog post from GitHub:

If you are a git user, you can clone the Metasploit Framework repo (master branch) for the latest. To install fresh without using git, you can use the open-source-only Nightly Installers or the binary installers (which also include the commercial edition).

Metasploit Wrap-Up

Post Syndicated from Shelby Pace original https://blog.rapid7.com/2021/06/25/metasploit-wrap-up-118/

Cisco ‘Sploits

Metasploit Wrap-Up

This week’s Metasploit Framework release brings two modules that target Cisco products.The first module, written by our very own jheysel-r7, targets an unauthenticated file upload vulnerability in Cisco HyperFlex HX Data Platform. Vulnerable versions of the Cisco HyperFlex software permit uploading of files through the /upload endpoint due to a missing authentication requirement. The exploit module uploads a jsp web shell and obtains code execution as the Tomcat user.

Community contributor Hakyac wrote the second module that targets Cisco Data Center Network Manager (DCNM). The module, auxiliary/admin/networking/cisco_dcnm_auth_bypass, leverages a static encryption key in the REST API of DCNM to generate a valid session token that is then used to create an administrative account with high privileges and access to sensitive data.

rConfig Authenticated File Upload RCE

Community contributor Hakyac wrote another exploit module that targets network management software. exploit/linux/http/rconfig_vendors_auth_file_upload_rce uses an authenticated file upload vulnerability to achieve remote code execution against vulnerable rConfig installations, specifically versions 3.9.6 and below. The vendor logo functionality in lib/crud/vendors.crud.php allows an authenticated user to upload images; however, there are no checks on the contents of the uploaded file. Because of this, an authenticated attacker can upload a php shell and trigger its execution via a request to the file’s name in the /images/vendor path.

New module content (3)

  • Cisco DCNM auth bypass by mr_me and Yann Castel, which exploits CVE-2019-15975 – This adds a module that leverages CVE-2019-15975 which is an authentication bypass in Cisco’s DCNM platform. The module will leverage the vulnerability to add a new administrative user account with known credentials that can be used to access the system.
  • Cisco HyperFlex HX Data Platform unauthenticated file upload to RCE (CVE-2021-1499) by wvu, Mikhail Klyuchnikov, Nikita Abramov, and jheysel-r7, which exploits
    CVE-2021-1499 – This adds an exploit module targeting a file upload vulnerability within the Cisco Hyperflex application that can be used to obtain unauthenticated remote code execution.
  • rConfig Vendors Auth File Upload RCE by Murat Şeker, Vishwaraj Bhattrai, and Yann Castel – This adds an exploit module for rConfig versions <= 3.9.6. An arbitrary file upload vulnerability exists in lib/crud/vendors.crud.php through the vendorLogo parameter. The functionality for uploading vendor logos does not validate the contents of uploaded files, so an authenticated user has the capability of uploading arbitrary php code. Once uploaded, code execution on the server can be achieved by requesting the uploaded php file in the images/vendor path.

Enhancements and features

  • #15358 from zeroSteiner – This updates the exploit/multi/ssh/sshexec module to now account for cases where the target system does not have the python binary. Using the new binary_exists() class method in lib/msf/base/sessions/command_shell.rb, the module now checks for and uses the valid Python binary found on the target system despite not having a fully-established session.

Bugs fixed

  • #15350 from pingport80 – Fixes a regression issue in the windows/manage/shellcode_inject module which crashed due to a missing mixin
  • #15352 from adfoster-r7 – Fixes an issue where running msfdb init on an already initialised database would generate a new password instead of just starting the database

Get it

As always, you can update to the latest Metasploit Framework with msfupdate
and you can get more details on the changes since the last blog post from
GitHub:

If you are a git user, you can clone the Metasploit Framework repo (master branch) for the latest.
To install fresh without using git, you can use the open-source-only Nightly Installers or the
binary installers (which also include the commercial edition).

Metasploit Wrap-Up

Post Syndicated from Adam Galway original https://blog.rapid7.com/2021/06/18/metasploit-wrap-up-117/

I’m very Emby-ous

Metasploit Wrap-Up

Community contributor btnz-k has authored a new Emby Version Scanner module consisting of both an exploit and a scanner for the SSRF vulnerability found in Emby. Emby is a previously open source media server designed to organize, play, and stream audio and video to a variety of devices.

SharePoint of entry

SharePoint, a document management and storage system designed to integrate with Microsoft Office, patched a vuln in May 2021 that allowed authenticated users to perform Remote Code Execution. Our own Spencer McIntyre and wvu authored a PR that allows exploitation of this vulnerability on unpatched systems. The user will need to have the SPBasePermissions.ManageLists permission on the targeted site, but by default users can manually make their own site where that permission will be present.

New module content (4)

  • Emby Version Scanner by Btnz, which exploits CVE-2020-26948 – This PR adds an aux scanner and module to exploit CVE-2020-26948, an SSRF against emby servers
  • IPFire 2.25 Core Update 156 and Prior pakfire.cgi Authenticated RCE by Grant Willcox and Mücahit Saratar, which exploits CVE-2021-33393 – A new module has been added to exploit CVE-2021-33393, an authenticated command injection vulnerability in the /cgi-bin/pakfire.cgi web page of IPFire devices running versions 2.25 Core Update 156 and prior. Successful exploitation results in remote code execution as the root user.
  • HashiCorp Nomad Remote Command Execution by Wyatt Dahlenburg ( – Adds a new multi/misc/nomad_exec module for HashiCorp’s Nomad product. This module supports the use of the ‘raw_exec’ and ‘exec’ drivers to create a job that spawns a shell.
  • Microsoft SharePoint Unsafe Control and ViewState RCE by wvu, Spencer McIntyre, and Unknown, which exploits ZDI-21-573 – A new exploit for CVE-2021-31181 has been added, which exploits a RCE in SharePoint that was patched in May 2021. Successful exploitation requires the attacker to have login credentials for a SharePoint user who has SPBasePermissions.ManageLists permissions on any SharePoint site, and grants the attacker remote code execution as the user running the SharePoint server.

Enhancements and features

  • #15109 from zeroSteiner – An update has been made so that when a user attempts to load an extension that isn’t available for the current Meterpreter type, they will now receive a list of payloads that would yield a Meterpreter session that would be capable of loading the specified extension. Additionally, when a user runs a command that’s in an extension that hasn’t been loaded yet, Metasploit will now tell the user which extension needs to be loaded for the command to run.
  • #15187 from dwelch-r7 – Updates the msfdb script to now prompt the user before enabling the remote http webservice functionality, defaulting to being disabled. It is still possible to enable this functionality after the fact with msfdb --component webservice init
  • #15316 from zeroSteiner – The assembly stub used by the PrependFork option for Linux payloads has been updated to call setsid(2) in the child process to properly run the payload in the background before calling fork(2) again. This ensures the payload properly runs when the target environment is expecting the command or payload to return, and ensures the payloads better emulate the Mettle payload’s background command to ensure better consistency across payloads.

Bugs fixed

  • #15319 from pingport80 – This fixes a localization issue in the post/windows/gather/enum_hyperv_vms module where on non-English systems the error message would not match the specified regular expression.
  • #15328 from zeroSteiner – The lib/msf/core/session/provider/single_command_shell.rb library has been updated to address an issue whereby shell_read_until_token may sometimes fail to return output if the randomized token being used to delimit output is contained within the legitimate output as well.
  • #15337 from 0xShoreditch – A bug has been fixed in apache_activemq_upload_jsp.rb whereby the URI and filesystem path were not separated appropriately. Additionally, extra checks were added to handle error conditions that may arise during module operation.
  • #15340 from adfoster-r7 – A bug was identified in lib/msf/ui/console/command_dispatcher/db.rb where the -d flag was not being correctly honored, preventing users from being able to delete hosts from their database. This has now been fixed.

Get it

As always, you can update to the latest Metasploit Framework with msfupdate
and you can get more details on the changes since the last blog post from
GitHub:

If you are a git user, you can clone the Metasploit Framework repo (master branch) for the latest.
To install fresh without using git, you can use the open-source-only Nightly Installers or the
binary installers (which also include the commercial edition).

Metasploit Wrap-Up

Post Syndicated from Alan David Foster original https://blog.rapid7.com/2021/01/15/metasploit-wrap-up-94/

Commemorating the 2020 December Metasploit community CTF

Metasploit Wrap-Up

A new commemorative banner has been added to the Metasploit console to celebrate the teams that participated in the 2020 December Metasploit community CTF and achieved 100 or more points:

Metasploit Wrap-Up

If you missed out on participating in this most recent event, be sure to follow the Metasploit Twitter and Metasploit blog posts. If there are any future Metasploit CTF events, all details will be announced there!

If the banners aren’t quite your style, you can always disable them with the quiet flag:

msfconsole -q

Windows privilege escalation via Cloud Filter driver

Our very own gwillcox-r7 has created a new module for CVE-2020-1170 Cloud Filter Arbitrary File Creation EOP, with credit to James Foreshaw for the initial vulnerability discovery and proof of concept. The Cloud Filter driver, cldflt.sys, on Windows 10 v1803 and later, prior to December 2020, did not set the IO_FORCE_ACCESS_CHECK or OBJ_FORCE_ACCESS_CHECK flags when calling FltCreateFileEx() and FltCreateFileEx2() within its HsmpOpCreatePlaceholders() function with attacker-controlled input. This meant that files were created with KernelMode permissions, thereby bypassing any security checks that would otherwise prevent a normal user from being able to create files in directories they don’t have permissions to create files in.

This module abuses this vulnerability to perform a DLL hijacking attack against the Microsoft Storage Spaces SMP service, which grants the attacker code execution as the NETWORK SERVICE user. Users are strongly encouraged to set the PAYLOAD option to one of the Meterpreter payloads, as doing so will allow them to subsequently escalate their new session from NETWORK SERVICE to SYSTEM by using Meterpreter’s getsystem command to perform RPCSS Named Pipe Impersonation and impersonate the SYSTEM user.

New Modules (3)

Enhancements and Features

  • #14562 from zeroSteiner Improves the readability of Meterpreter error messages by replacing the command ID with the command name
  • #14582 from zeroSteiner This adds the possibility to run post module actions as commands. This also consolidates and improves existing VSS modules into one new single module with multiple actions.
  • #14600 from zeroSteiner The FileSystem mixin has been reorganized and a number of function aliases have been added to assist developers in using the module. Additionally new YARD documentation has been added to better explain the functionality of several of the FileSystem mixin’s functions to assist developers in determining when to use these functions.
  • #14606 from bwatters-r7 This adds a banner commemorating all of the teams that participated in the Q4 2020 CTF.

Bugs Fixed

  • #14515 from timwr This fixes an issue with both cmd/unix/reverse_awk and cmd/unix/bind_awk payloads that were not correctly terminating when after a session was closed. This was causing endless session creations and high CPU consumption on the target.
  • #14605 from zeroSteiner This PR fixes an issue where the VHOST option was not being correctly populated when the RHOST option was a domain name
  • #14613 from adfoster-r7 Fixes a regression error with modules depending on NTLM such as cve_2019_0708_bluekeep
  • #14614 from zeroSteiner A bug within the module for CVE-2020-17136 occurred where a relative path was used instead of an absolute path when attempting to load the C# exploit exe. The code has been replaced with a call to File.expand_path() to allow the module to dynamically determine the full path to this file, allowing users to use the module regardless of which directory they are in when running msfconsole.

Get it

As always, you can update to the latest Metasploit Framework with msfupdate and you can get more details on the changes since the last blog post from GitHub:

If you are a git user, you can clone the Metasploit Framework repo (master branch) for the latest. To install fresh without using git, you can use the open-source-only Nightly Installers or the binary installers (which also include the commercial edition).

Metasploit Wrap-Up

Post Syndicated from Grant Willcox original https://blog.rapid7.com/2020/12/18/metasploit-wrap-up-92/

Metasploit Wrap-Up

It’s the week of December 17th and that can only mean one thing: a week until Christmas! For those of you who don’t celebrate Christmas, a very happy Hanukkah/Chanukah, Kwanzaa, Diwali, Chinese New Year, Winter Solstice and Las Posadas to you all!

This is our last weekly wrap-up this year, but as always, we’ll be publishing an annual Metasploit wrap-up just after the new year that covers all the shells we got in 2020.

Without further ado, let’s jump into it!

CVE-2020-1054: I heard you still got Windows 7, so let’s play a game

Oh dear Windows 7, you just can’t catch a break. timwr continued his LPE contributions this week with a exploit for CVE-2020-1054, a OOB write vulnerability via the DrawIconEx() function in win32k.sys. This bug was originally found by bee13oy of Qihoo 360 Vulcan Team and Netanel Ben-Simon and Yoav Alon of Check Point Research and was reported to Microsoft in May 2020. The module targets Windows 7 SP1 x64 and grants SYSTEM level code execution. Whilst Windows 7 is EOL, it is still being used by 17.68% of all Windows computers as of November 2020 according to some statistics. That is still a fair market share even if its popularity has been gradually diminishing over time. Furthermore, although users can update Windows 7, it is now mostly a manual process unless you are on one of Windows extended support plans. This increases the time needed to apply patches and also increases the possibility that users may forget to install specific patches. Hopefully none of your clients’ systems are still running Windows 7, but in case you are on a pen test and happen to encounter one, this exploit might provide the access you need to pivot further into the network.

Parse me to your shell

The second highlight of this week was a PR from our very own wvu-r7 targeting CVE-2020-14871, a buffer overflow within the parse_user_name() function of the PAM (Pluggable Authentication Module) component of Solaris SunSSH running on Oracle Solaris versions 10 and 11. The exploit supports SunSSH 1.1.5 running on solaris 10u11 1/13 (x86) within either VMWare or VirtualBox and grants unauthenticated users a shell as the root user. Pretty nifty stuff!

New modules (2)

Enhancements and features

Bugs fixed

Get it

As always, you can update to the latest Metasploit Framework with msfupdate
and you can get more details on the changes since the last blog post from
GitHub:

If you are a git user, you can clone the Metasploit Framework repo (master branch) for the latest.
To install fresh without using git, you can use the open-source-only Nightly Installers or the
binary installers (which also include the commercial edition).

HELK – Open Source Threat Hunting Platform

Post Syndicated from original https://www.darknet.org.uk/2020/11/helk-open-source-threat-hunting-platform/?utm_source=rss&utm_medium=social&utm_campaign=darknetfeed

HELK – Open Source Threat Hunting Platform

The Hunting ELK or simply the HELK is an Open-Source Threat Hunting Platform with advanced analytics capabilities such as SQL declarative language, graphing, structured streaming, and even machine learning via Jupyter notebooks and Apache Spark over an ELK stack.

This project was developed primarily for research, but due to its flexible design and core components, it can be deployed in larger environments with the right configurations and scalable infrastructure.

Goals of HELK Open Source Threat Hunting Platform

  • Provide an open-source hunting platform to the community and share the basics of Threat Hunting.

Read the rest of HELK – Open Source Threat Hunting Platform now! Only available at Darknet.