Metasploit Wrap-Up

Windows secrets dump

(The following provided by Christophe De La Fuente!)

A common pen testing pattern is to compromise a local administrative account on a host and use it to grab Windows password hashes, kerberos tickets, and other secrets stored locally. The most common technique is to run tools such as Mimikatz locally on the compromised system to retrieve all these goodies from memory. One of the drawbacks is that anti-virus products often detect them and block the execution.

This is where the new Windows Secrets Dump module comes into play. It dumps SAM hashes and LSA secrets (including cached credentials) from the remote system without executing any agent (i.e., Meterpreter). First, it takes a backup of a portion of the system registry by saving this info into a local file on the target. Then it downloads the temporary hive files and reads the rest of the data from it.

This module is a native Ruby port of the popular secretsdump.py utility from the Impacket library (note that the NTDS.dit technique has not been implemented yet and will be added later). It also leverages the latest SMBv3 encryption capabilities recently added to the ruby_smb library.

This will integrate nicely with Metasploit database and the password cracker module to provide users with full support for each step of their attack chain. One example would be to use the recent Zerologon module and chain it with the Windows Secrets Dump module to retrieve credentials (from exploit to hash grabbing and cracking).

Safari ‘in’ operator side-effect exploit

Contributor timwr added a new module that exploits three bugs in Safari on macOS 10.15.3 in order to execute a payload in user-mode outside the sandbox. It exploits an incorrect side-effect modeling of the in operator, which is expected to be side-effect free. However, using the <embed> element with the PDF plugin can trigger side-effects, leading to type confusion. This can then be used as addrof and fakeobj primitives to allow an attacker to write shellcode into a JIT region containing the next stage of the exploit.

The next stage of the exploit uses CVE-2020-9856 to exploit a heap overflow in CVM server and extract a macOS application containing the payload info into /var/db/CVMS. The payload can then be opened via CVE-2020-9856, resulting in the payload being executed as a normal user outside the sandbox. This is the first part of the chain from the winning submission to Pwn2Own 2020 and the previous module that was merged can be found here.

New modules (7)

• MaraCMS Arbitrary PHP File Upload by Erik Wynter and Michele Cisternino, which exploits CVE-2020-25042
• Safari in Operator Side Effect Exploit by Insu Yun, Jungwon Lim, Taesoo Kim, Yonghwi Jin, and timwr, which exploits CVE-2020-9856
• Cisco AnyConnect Privilege Escalations (CVE-2020-3153 and CVE-2020-3433) by Antoine Goichot (ATGO), Christophe De La Fuente, and Yorick Koster, which exploits CVE-2020-3153 and CVE-2020-3433
• Windows Update Orchestrator unchecked ScheduleWork call by Imre Rad and bwatters-r7, which exploits CVE-2020-1313
• VyOS Configuration Importer by h00die
• Windows Secrets Dump by Alberto Solino and Christophe De La Fuente
• VyOS Gather Device General Information by h00die

Enhancements and features

• PR #14030 ports <https://github.com/sailay1996/RpcSsImpersonator&gt; to Meterpreter as GetSystem technique 4. It is a riff on the classic named pipe impersonation, but instead leverages the behavior of LSASS to return the first token for a process when a specific path is used. This can be abused by processes running as Network Service to open a handle to the RPCSS service which also runs as Network Service but contains tokens for NT AUTHORITY\SYSTEM. This also includes two payload version bumps to account for (1) the payload side to implement this functionality, and a separate, unrelated PR to add a security.MD document to payloads.
• PR #14172 adds a RUN_NOW option to modules/post/windows/manage/persistence_exe.rb that can be used to choose whether the exe is automatically executed when the module is run.
• PR #14178 adds an example of how to use Metasploit with local copies of Metasploit’s Gem dependencies within Gemfile.local. This change accompanies the new Wiki page which provides additional context and information on this change too.
• PR #14183 updates the debug command to output Metasploit’s web server logs. This command is used when creating a Github issue.
• PR #14186 adds payload tests for missing peinject stage.
• PR #14204 enhances Zerologon documentation to explain how to utilize the new auxiliary/gather/windows_secrets_dump module to form a complete attack chain without relying on external tools such as Impacket.

Bugs fixed

• PR #14129 - updates the Dockerfile to include missing dependencies and to ensure impacket is set up correctly as part of the Docker image building process.The Dockerfile was previously missing the dependencies for impacket and its associated dependencies, which was causing several modules within Docker installs of Metasploit to fail to run.
• PR #14171 replaces calls to the deprecated get_service call with calls to services, and removes support for the get_service call from Metasploit.
• PR #14177 fixes a bug brought about by the changes to the Windows API block call in Windows payloads. By adding obfuscation to the code block that gives access to the Windows API, we inadvertently lengthened the payloads. Unfortunately, a second bug skipped the additional space required for encoders. The additional (known) length of the API block changes combined with the (unknown) increase for the encoder led us to hit a bug where the size was larger than the supported size. Here, we just add a small arbitrary length to any payload requiring encoding, so the added length is covered when selecting a payload.
• PR #14199 fixes a bug in the SecureCRT credential gathering module to fix an issue whereby the module would error out if a user did not have SecureCRT installed or if they were using a portable installer. In addition to fixing this bug, users now have the option to specify the path to the SecureCRT session folder via the SESSION_PATH option, allowing them to enumerate session details even if portable versions of SecureCRT are used by the target.
• PR #14200 fixes an error in the OpenVAS importer where certain lines related to the port and protocol were not being imported or were causing stack traces when they contained leading or trailing whitespace. The OpenVAS importer will now ensure that port and protocol entries are correctly stripped of whitespace prior to saving these entries into the database.
• PR #14203 fixes a bug in the report_note function of db_manager.rb whereby the host object was being passed to a services call lookup instead of host.address, which was causing an ActiveRecord exception to be raised and Metasploit to return a stack trace. Metasploit now correctly passes host.address to this services call, thereby preventing services from throwing an error.
• PR #14211 fixes a regression issue when using the creds command with the remote data service. It is once again possible to view creds which were associated with a particular service.

Get it

As always, you can update to the latest Metasploit Framework with msfupdate and you can get more details on the changes since the last blog post from GitHub:

• Pull Requests 6.0.8…6.0.9
• Full diff 6.0.8…6.0.9

If you are a git user, you can clone the Metasploit Framework repo (master branch) for the latest. To install fresh without using git, you can use the open-source-only Nightly Installers or the
binary installers (which also include the commercial edition).