Metasploit Wrap-Up

Anyone enjoy making chains?

The community is hard at work building chains to pull sessions out of vulnerable Exchange servers. This week Rapid7’s own wvu & Spencer McIntyre added a module that implements the ProxyShell exploit chain originally demonstrated by Orange Tsai. The module also benefited from research and analysis by Jang, PeterJson, brandonshi123, and mekhalleh (RAMELLA Sébastien) to make it as simple as finding an email for an administrator of vulnerable version of exchange as the entrypoint to chain CVE-2021-31207, CVE-2021-34523, & CVE-2021-34473 into sessions for everyone to enjoy.

Great to see some GSoC value in the wild.

With Google Summer of Code 2021 moving into its final phases, pingport80 had 4 PRs land in this week’s release. These improvements and fixes to interactions with sessions make post exploitation tasks more accessible, bringing the community more capabilities and stability along the way.

New module content (2)

• Lucee Administrator imgProcess.cfm Arbitrary File Write by wvu, iamnoooob, and rootxharsh, which exploits CVE-2021-21307 - An unauthenticated user is permitted to make requests through the imgProcess.cfm endpoint, and using the file parameter which contains a directory traversal vulnerability, they can write a file to an arbitrary location. Combining the two capabilities, this module writes a CFML script to the vulnerable server and achieves unauthenticated code execution as the user running the Lucee server.
• Microsoft Exchange ProxyShell RCE by wvu, Jang, Orange Tsai, PeterJson, Spencer McIntyre, brandonshi123, and mekhalleh (RAMELLA Sébastien), which exploits CVE-2021-31207 - Added an exploit for the ProxyShell attack chain against Microsoft Exchange Server.

Enhancements and features

• #15540 from dwelch-r7 - This adds an option to cmd_execute to have the command run in a subshell by Meterpreter.
• #15556 from pingport80 - This adds shell session compatibility to the post/windows/gather/enum_unattend module.
• #15564 from pingport80 - This adds support to the get_env and command_exists? post API methods for Powershell session types.

Bugs fixed

• #15303 from pingport80 - This PR ensures that the shell dir command returns a list.
• #15332 from pingport80 - This improves localization support and compatibly in the session post API related to the rename_file method.
• #15539 from tomadimitrie - This improves the OS version in the check method of exploit/windows/local/cve_2018_8453_win32k_priv_esc.
• #15546 from timwr - This ensures that the UUID URLs of stageless reverse_http(s) payloads are stored in the database so that they can be properly tracked with payload UUID tracking. This also fixes an error caused by accessing contents of a url list without checking if it’s valid first.
• #15570 from adfoster-r7 - This fixes a bug in the auxiliary/scanner/smb/smb_enum_gpp module where the path that was being generated by the module caused an SMB exception to be raised.

Get it

As always, you can update to the latest Metasploit Framework with msfupdate and you can get more details on the changes since the last blog post from GitHub:

• Pull Requests 6.1.0…6.1.1
• Full diff 6.1.0…6.1.1

If you are a git user, you can clone the Metasploit Framework repo (master branch) for the latest. To install fresh without using git, you can use the open-source-only Nightly Installers or the binary installers (which also include the commercial edition).