Metasploit Wrap-Up


## Anyone enjoy making chains? ![Metasploit Wrap-Up](https://blog.rapid7.com/content/images/2021/08/metasploit-blg-2-small.png) The community is hard at work building chains to pull sessions out of vulnerable Exchange servers. This week Rapid7's own [wvu](<https://github.com/wvu-r7>) & [Spencer McIntyre](<https://github.com/zeroSteiner>) added a module that implements the ProxyShell exploit chain originally demonstrated by [Orange Tsai](<https://twitter.com/orange_8361>). The module also benefited from research and analysis by [Jang](<https://twitter.com/testanull>), [PeterJson](<https://twitter.com/peterjson>), [brandonshi123](<https://github.com/brandonshiyay>), and [mekhalleh (RAMELLA Sébastien)](<https://twitter.com/Mekhalleh>) to make it as simple as finding an email for an administrator of vulnerable version of exchange as the entrypoint to chain [CVE-2021-31207](<https://attackerkb.com/topics/5F0CGZWw61/cve-2021-31207?referrer=blog>), [CVE-2021-34523](<https://attackerkb.com/topics/RY7LpTmyCj/cve-2021-34523?referrer=blog>), & [CVE-2021-34473](<https://attackerkb.com/topics/pUK1MXLZkW/cve-2021-34473?referrer=blog>) into sessions for everyone to enjoy. ## Great to see some GSoC value in the wild. With Google Summer of Code 2021 moving into its final phases, [pingport80](<https://github.com/pingport80>) had 4 PRs land in this week's release. These improvements and fixes to interactions with sessions make post exploitation tasks more accessible, bringing the community more capabilities and stability along the way. ## New module content (2) * [Lucee Administrator imgProcess.cfm Arbitrary File Write](<https://github.com/rapid7/metasploit-framework/pull/15525>) by [wvu](<https://github.com/wvu-r7>),, [iamnoooob](<https://github.com/iamnoooob>), and [rootxharsh](<https://github.com/rootxharsh>), which exploits [CVE-2021-21307](<https://attackerkb.com/topics/16OOl6KSdo/cve-2021-21307?referrer=blog>) \- An unauthenticated user is permitted to make requests through the `imgProcess.cfm` endpoint, and using the `file` parameter which contains a directory traversal vulnerability, they can write a file to an arbitrary location. Combining the two capabilities, this module writes a CFML script to the vulnerable server and achieves unauthenticated code execution as the user running the Lucee server. * [Microsoft Exchange ProxyShell RCE](<https://github.com/rapid7/metasploit-framework/pull/15561>) by [wvu](<https://github.com/wvu-r7>), [Jang](<https://twitter.com/testanull>), [Orange Tsai](<https://twitter.com/orange_8361>), [PeterJson](<https://twitter.com/peterjson>), [Spencer McIntyre](<https://github.com/zeroSteiner>), [brandonshi123](<https://github.com/brandonshiyay>), and [mekhalleh (RAMELLA Sébastien)](<https://twitter.com/Mekhalleh>), which exploits [CVE-2021-31207](<https://attackerkb.com/topics/5F0CGZWw61/cve-2021-31207?referrer=blog>) \- Added an exploit for the ProxyShell attack chain against Microsoft Exchange Server. ## Enhancements and features * [#15540](<https://github.com/rapid7/metasploit-framework/pull/15540>) from [dwelch-r7](<https://github.com/dwelch-r7>) \- This adds an option to `cmd_execute` to have the command run in a subshell by Meterpreter. * [#15556](<https://github.com/rapid7/metasploit-framework/pull/15556>) from [pingport80](<https://github.com/pingport80>) \- This adds shell session compatibility to the `post/windows/gather/enum_unattend` module. * [#15564](<https://github.com/rapid7/metasploit-framework/pull/15564>) from [pingport80](<https://github.com/pingport80>) \- This adds support to the `get_env` and `command_exists?` post API methods for Powershell session types. ## Bugs fixed * [#15303](<https://github.com/rapid7/metasploit-framework/pull/15303>) from [pingport80](<https://github.com/pingport80>) \- This PR ensures that the shell `dir` command returns a list. * [#15332](<https://github.com/rapid7/metasploit-framework/pull/15332>) from [pingport80](<https://github.com/pingport80>) \- This improves localization support and compatibly in the session post API related to the `rename_file` method. * [#15539](<https://github.com/rapid7/metasploit-framework/pull/15539>) from [tomadimitrie](<https://github.com/tomadimitrie>) \- This improves the OS version in the `check` method of `exploit/windows/local/cve_2018_8453_win32k_priv_esc`. * [#15546](<https://github.com/rapid7/metasploit-framework/pull/15546>) from [timwr](<https://github.com/timwr>) \- This ensures that the UUID URLs of stageless reverse_http(s) payloads are stored in the database so that they can be properly tracked with payload UUID tracking. This also fixes an error caused by accessing contents of a url list without checking if it's valid first. * [#15570](<https://github.com/rapid7/metasploit-framework/pull/15570>) from [adfoster-r7](<https://github.com/adfoster-r7>) \- This fixes a bug in the `auxiliary/scanner/smb/smb_enum_gpp` module where the path that was being generated by the module caused an SMB exception to be raised. ## Get it As always, you can update to the latest Metasploit Framework with `msfupdate` and you can get more details on the changes since the last blog post from GitHub: * [Pull Requests 6.1.0...6.1.1](<https://github.com/rapid7/metasploit-framework/pulls?q=is:pr+merged:%222021-08-12T17%3A57%3A38%2B01%3A00..2021-08-20T05%3A13%3A43-05%3A00%22>) * [Full diff 6.1.0...6.1.1](<https://github.com/rapid7/metasploit-framework/compare/6.1.0...6.1.1>) If you are a `git` user, you can clone the [Metasploit Framework repo](<https://github.com/rapid7/metasploit-framework>) (master branch) for the latest. To install fresh without using git, you can use the open-source-only [Nightly Installers](<https://github.com/rapid7/metasploit-framework/wiki/Nightly-Installers>) or the [binary installers](<https://www.rapid7.com/products/metasploit/download.jsp>) (which also include the commercial edition).