Apr 02, 2021 - 7:49 p.m.

Metasploit Wrap-Up

Brendan Watters





Sprinkle on the Modules

The first quarter of 2021 has given us wave after wave of Exchange vulnerabilities, and while our awesome contributors helped us continue that coverage with another Exchange module, we also added modules for very heavy-hitting vulnerabilities in F5, SAP, and SaltStack that may have gotten less notice in the shadow of the Exchange bugs earlier this quarter. This update offers two new modules from community contributor Vladimir Ivanov targeting remote code execution vulnerabilities in SAP Solution Manager, a new module by our own Will Vu covering an unauthenticated remote code execution vulnerability in F5 BIG-IP and BIG-IQ devices that yields root access, and a new module by Metasploit team member Christophe De La Fuente covering a remote code execution vulnerability in SaltStack that also yields root. Then, to top it off, community contributor Erik Wynter contributed a scanner module that identifies Nagios XI installations and suggests the exploit modules that may work against the detected version!

Search your Feelings… and POSIX filesystems!

Our own space-r7 added the fs_search function to our Mettle payloads (a.k.a. the POSIX Meterpreter). You can now search target filesystems from a Mettle session just as you can from the Windows Meterpreter!
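As an added illustration (not taken from the original post), here is what the new capability looks like from a Mettle session. The search command takes the same options as on Windows: -d for the directory to start from, -f for a file glob (repeatable), and -r to control recursion, which defaults to true. The directories and globs below are made up for the example:

```console
meterpreter > search -d /etc -f "*.conf"
meterpreter > search -d /home -f "id_rsa*" -f "*.pem" -r true
meterpreter > search -d /var/www -f "*.php" -a 2021-03-01T00:00:00Z
```

The first command lists every .conf file under /etc, the second hunts for private keys under home directories, and the third restricts the match to files modified after a UTC timestamp (the -a option; -b is the corresponding "before" filter), which is handy for spotting recently dropped web shells during an assessment.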

New Modules (6)

  • SAP Solution Manager remote unauthorized OS commands execution by Dmitry Chastuhin, Pablo Artuso, Vladimir Ivanov, and Yvan Genuer, which exploits CVE-2020-6207. This PR adds two modules to exploit a vulnerability in the SAP Solution Manager application. Successful exploitation enables unauthenticated remote attackers to achieve SSRF and to execute OS commands on the agents connected to Solution Manager, within the context of the application.
  • Nagios XI Scanner by Erik Wynter (CVE-2020-35578). A new set of libraries has been added to support developers wishing to target Nagios XI machines, supplying several commonly used pieces of functionality. Additionally, a scanner module has been added which scans Nagios XI installations and tries to detect the installed version. Once the version has been obtained, it suggests the Metasploit exploits that can be used against that version of Nagios XI, if any are available.
  • F5 iControl REST Unauthenticated SSRF Token Generation RCE by wvu and Rich Warren, which exploits CVE-2021-22986. This adds a module that exploits an unauthenticated SSRF vulnerability in F5’s iControl REST API, which is then leveraged to execute code as the root user on various versions of F5’s BIG-IP and BIG-IQ devices.
  • SaltStack Salt API Unauthenticated RCE through wheel_async client by Alex Seymour and Christophe De La Fuente, which exploits CVE-2021-25282. This adds an exploit module that exploits an authentication bypass and a directory traversal vulnerability in versions of SaltStack Salt’s REST API prior to 3002.5. Remote code execution as the root user is achieved by writing a custom grain module to the extension module directory and waiting until a recurring maintenance check executes the malicious grain module.
  • Windows Gather Exchange Server Mailboxes by the SophosLabs Offensive Security team. This PR adds a module for enumerating and extracting mailboxes on Exchange servers.

Enhancements and features

  • #14937 from cgranleese-r7 Improves the performance of the various show commands within the console. For instance, show exploits now takes ~0.5 seconds instead of ~14 seconds.
  • #14945 from mekhalleh This updates the ProxyLogon RCE module to use an RPC request to identify the backend server’s FQDN.
  • #14951 from timwr This updates the Linux Meterpreter implementation to support the search command, which allows users to search for files on a compromised system.

Bugs Fixed

  • #14918 from zeroSteiner Fixes an issue where the VHOST option was not being correctly populated when the RHOST option was specified as a domain name.
  • #14962 from cgranleese-r7 Updates the nexpose_connect login functionality to correctly handle an @ symbol in the password.
  • #14966 from ryanpohlner Fixes an issue in the ProxyLogon RCE module where the payload would be run twice.
  • #14969 from timwr Fixes a bug in the Python Meterpreter’s DNS resolving function.

Get it

As always, you can update to the latest Metasploit Framework with msfupdate, and you can get more details on the changes since the last blog post from GitHub:

If you are a git user, you can clone the Metasploit Framework repo (master branch) for the latest. To install fresh without using git, you can use the open-source-only Nightly Installers or the binary installers (which also include the commercial edition).