Metasploit Weekly Wrap-Up

CVE-2022-21999 - SpoolFool

Our very own Shelby Pace has added a new module for the CVE-2022-21999 SpoolFool privilege escalation vulnerability. This escalation vulnerability can be leveraged to achieve code execution as SYSTEM. This new module has successfully been tested on Windows 10 (10.0 Build 19044) and Windows Server 2019 v1809 (Build 17763.1577).

CVE-2021-4191 - Gitlab GraphQL API User Enumeration

Jake Baines has contributed a new module for CVE-2021-4191, which queries the GitLab GraphQL API to acquire the list of GitLab users without authentication. There’s some news coverage from earlier this month here. The module works on all GitLab versions from 13.0 up to 14.8.2, 14.7.4, and 14.6.5.

Adapted Payloads

Spencer McIntyre has added a new payload type that allows existing modules to be adapted for new scenarios. For example, modern exploits often deliver OS command payloads while Metasploit users would prefer to have more fully-featured native payloads (like Meterpreter delivered) and these scenarios are often special cases handled by the module author. Metasploit’s new payload adapters allow payloads from one architecture to be converted to another for seamless compatibility with a wider variety of exploit modules. The first entry for this new type is an adapter that converts Python payloads to OS command payloads, allowing any exploit capable of executing a Unix Command payload to deliver a Python Metepreter in memory. For additional ease of use, the correct Python binary is automatically determined.

New module content (3)

• Windows IIS HTTP Protocol Stack DOS by Axel Souchet, Maurice LAMBERT, Max, and Stefan Blair, which exploits CVE-2021-31166 - A new module has been added that exploits CVE-2021-31166, a UAF bug in http.sys when parsing Accept-Encoding headers, to cause a BSoD and denial of service on vulnerable IIS servers.
• GitLab GraphQL API User Enumeration by jbaines-r7 and mungsul, which exploits CVE-2021-4191 - This adds an auxiliary module that enumerates Gitlab user accounts via the GraphQL API which does not require authentication when querying user information.
• CVE-2022-21999 SpoolFool Privesc by Oliver Lyak and Shelby Pace, which exploits CVE-2022-21999 - This adds a module targeting SpoolFool (AKA CVE-2022-21999), a local privilege escalation targeting the spool service on Windows 10 or Server builds 18362 or earlier.

Enhancements and features (2)

• #16186 from zeroSteiner - This adds an additional Adapter payload type which can be used in a scenario such as wanting to deliver a full Meterpreter session from a command payload.
• #16262 from zeroSteiner - This updates the default payload selection so that cmd/unix/reverse_bash is chosen over cmd/unix/reverse_netcat by default unless RequiredCmd is set such that the module cannot execute Bash payloads.

Bugs fixed (7)

• #16316 from smashery - This ensures individual modules no longer accidentally shut down joint services that are used across multiple modules/handlers etc, such as HTTP servers. Modules will now correctly unregister interest in the global service, and if there are no longer any interested modules in the running global service, it will be shut down correctly.
• #16324 from smashery - This fixes an issue in the DNS native server module where the server would crash upon receiving a query.
• #16326 from zeroSteiner - This fixes SMB signing detection for the scanner/smb/smb_version module when the target server has SMB1 disabled.
• #16332 from bcoles - This change fixes a bug in APK injection where the native libraries would not automatically be aligned with zipalign, and would fail to install on a device.
• #16334 from bcoles - This change fixes a bug where APK files that were not signed with the v1 scheme would fail during the signing phase of APK file injection with msfvenom.
• #16347 from zeroSteiner - This updates the normalize_host method so that when it attempts and fails to resolve a hostname to an IP address, it will return nil instead of raising an exception. Previously this exception would result in modules like auxiliary/gather/enum_dns crashing instead of saving the information it had managed to gather on the target so far.
• #16350 from sjanusz-r7 - This fixes an unintentional crash when using payload/windows/x64/encrypted_shell_reverse_tcp without having a database configured

Get it

As always, you can update to the latest Metasploit Framework with msfupdate
and you can get more details on the changes since the last blog post from
GitHub:

• Pull Requests 6.1.33…6.1.34
• Full diff 6.1.33…6.1.34

If you are a git user, you can clone the Metasploit Framework repo (master branch) for the latest.
To install fresh without using git, you can use the open-source-only Nightly Installers or the
binary installers (which also include the commercial edition).