Metasploit Weekly Wrap-Up

Putting in the work!

This week we’re extra grateful for the fantastic contributions our community makes to Metasploit. The Metasploit team landed more than 5 PRs each from Ron Bowes and bcoles, adding some great new capabilities.

Ron Bowes contributed four new modules targeting UnRAR, Zimbra, and ManageEngine ADAudit Plus. These modules offer Metasploit users some excellent new vectors to leverage against targets.

Contributions from bcoles offer improvements to various session interactions to make gathering data on targets more robust and consistent.

Have you seen Cassandra?

Are you using tools to visualize your data? If you are using cassandra-web, a tool made specifically to help you "see" what Cassandra holds, there are new toys for attackers to use to access much more. The new module from krastanoel targets cassandra-web <= 0.5.0 with a directory traversal to read lots of those sensitive details off the target.

New module content (6)

• Cassandra Web File Read Vulnerability by Jeremy Brown and krastanoel - This module exploits an unauthenticated directory traversal vulnerability in Cassandra Web version 0.5.0 and earlier, allowing arbitrary file read with the web server privileges.
• UnRAR Path Traversal (CVE-2022-30333) by Ron Bowes and Simon Scannell, which exploits CVE-2022-30333 - This adds two modules for CVE-2022-30333, a symlink-based path traversal vulnerability in unRAR 6.11 and earlier (open-source version 6.1.6 and earlier). The first module creates a .rar with an arbitrary payload that will be extracted to an arbitrary location. The other one specifically targets Zimbra versions 9.0.0 Patch 24 (and earlier) and 8.8.15 Patch 31 (and earlier). These versions use unRAR to scan incoming email and arbitrary command execution is possible if the installed UnRAR on the OS is vulnerable to the same symlink-based path traversal vulnerability. This module generates the .rar file that will need to be emailed to the vulnerable Zimbra server to trigger the payload.
• Webmin Package Updates RCE by Christophe De La Fuente and Emir Polat, which exploits CVE-2022-36446 - This module exploits an arbitrary command injection in Webmin versions prior to 1.997.
• UnRAR Path Traversal in Zimbra (CVE-2022-30333) by Ron Bowes and Simon Scannell, which exploits CVE-2022-30333 - This adds two modules for CVE-2022-30333, a symlink-based path traversal vulnerability in unRAR 6.11 and earlier (open source version 6.1.6 and earlier). The first module creates a .rar with an arbitrary payload that will be extracted to an arbitrary location. The other one specifically targets Zimbra versions 9.0.0 Patch 24 (and earlier) and 8.8.15 Patch 31 (and earlier). These versions use unRAR to scan incoming email and arbitrary command execution is possible if the installed UnRAR on the OS is vulnerable to the same symlink-based path traversal vulnerability. This module generates the .rar file that will need to be emailed to the vulnerable Zimbra server to trigger the payload.
• Zimbra zmslapd arbitrary module load by Darren Martyn and Ron Bowes, which exploits CVE-2022-37393 - This PR adds a local exploit for Zimbra to go from the zimbra user to root by using a sudo-able executable that can load an arbitrary .so file.
• ManageEngine ADAudit Plus CVE-2022-28219 by Naveen Sunkavally and Ron Bowes, which exploits CVE-2022-28219 - This adds a module that leverages a Java deserialization, directory traversal, and a blind XXE injection vulnerability to gain unauthenticated code execution again vulnerable versions of ManageEngine ADAudit Plus.

Enhancements and features (6)

• #16800 from adfoster-r7 - This adds support for OpenSSL 3 compatibility with legacy ciphers.
• #16841 from bcoles - This updates the post/windows/gather/enum_powershell_env module with a code cleanup and expands the module to support non-Meterpreter session types such as shell sessions and PowerShell sessions.
• #16873 from bcoles - This PR cleans up enum_artifacts, adds documentation, error handling, YAML file parsing, and support for non-meterpreter sessions.
• #16875 from bcoles - This PR removes the Remove enum_putty Meterpreter script in favor for the existing post module.
• #16876 from bcoles - Removed the enum_logged_on_users Meterpreter script in favor for the existing post module
• #16878 from bcoles - Adds partial support for non-Meterpreter sessions for the enum_logged_on_users post module as well as makes use of the read_profile_list method. Resolves Rubocop and msftidy_docs violations.

Bugs fixed (1)

• #16872 from bcoles - This PR fixes shell_registry_getvalinfo which was truncating registry values at the first space and normalize_key which was causing a crash when only a hive name was passed to the function when running on a shell session.

Get it

As always, you can update to the latest Metasploit Framework with msfupdate
and you can get more details on the changes since the last blog post from
GitHub:

• Pull Requests 6.2.11…6.2.12
• Full diff 6.2.11…6.2.12

If you are a git user, you can clone the Metasploit Framework repo (master branch) for the latest.
To install fresh without using git, you can use the open-source-only Nightly Installers or the
binary installers (which also include the commercial edition).