
Metasploit Wrap-Up


## OMIGOD It's RCE

![Metasploit Wrap-Up](https://blog.rapid7.com/content/images/2021/10/metasploit-pumpkin-1-2.jpg)

We are excited to announce that we now have a module for the OMIGOD vulnerability that exploits [CVE-2021-38647](https://attackerkb.com/topics/08O94gYdF1/cve-2021-38647?referrer=blog), courtesy of our very own Spencer McIntyre! Successful exploitation allows an unauthenticated attacker to gain `root`-level code execution against affected servers. Given that this has seen exploitation in the wild by the Mirai botnet, we hope you're patched, lest your servers decide to join the zombie horde this Halloween!

## Sophos Contributes to the RCE Pile

Continuing the trend of unauthenticated RCE exploits that grant `root`-level code execution, this week we also have an exploit for [CVE-2020-25223](https://attackerkb.com/topics/rOhVHstwNO/cve-2020-25223?referrer=blog), an unauthenticated RCE within the Sophos UTM WebAdmin service. Whilst we haven't yet seen exploitation in the wild of this bug, this is definitely one to patch given its severity. Stay frosty, folks!

## Guess Who's Back, Back Again, Apache's Back, Tell a Friend

Whilst not a marshalling bug (I'm sorry, it's Halloween; some puns are needed), community contributors Ash Daulton, Dhiraj Mishra, and mekhalleh (RAMELLA Sébastien) have added a scanner and exploit for [CVE-2021-41773](https://attackerkb.com/topics/1RltOPCYqE/cve-2021-41773?referrer=blog) and [CVE-2021-42013](https://attackerkb.com/topics/CVE-2021-42013?referrer=blog), based on work from [RootUp](https://github.com/RootUp/PersonalStuff/blob/master/http-vuln-cve-2021-41773.nse), [ProjectDiscovery](https://github.com/projectdiscovery/nuclei-templates/blob/master/vulnerabilities/apache/apache-httpd-rce.yaml), and [HackerFantastic](https://twitter.com/hackerfantastic/status/1445531829985968137).

Path traversal vulnerabilities are relatively easy to exploit, and this one got a lot of attention in the news since it's been a long time since Apache has seen a reliable RCE exploit against it. This is definitely one to patch if you're running any Apache servers. Successful exploitation results in remote code execution as the user running the Apache server.

## New module content (6)

* [Squid Proxy Range Header DoS](https://github.com/rapid7/metasploit-framework/pull/15756) by Joshua Rogers, which exploits [CVE-2021-31806](https://attackerkb.com/topics/2k0UqRcdTC/cve-2021-31806?referrer=search) and [CVE-2021-31807](https://attackerkb.com/topics/xIwbe92O2s/cve-2021-31807?referrer=blog) - This adds a module that leverages CVE-2021-31806 and CVE-2021-31807 to trigger a denial of service condition in vulnerable Squid proxy servers.
* [Apache 2.4.49/2.4.50 Traversal RCE scanner](https://github.com/rapid7/metasploit-framework/pull/15754) by Ash Daulton, Dhiraj Mishra, and mekhalleh (RAMELLA Sébastien), which exploits [CVE-2021-41773](https://attackerkb.com/topics/1RltOPCYqE/cve-2021-41773?referrer=search) and [CVE-2021-42013](https://attackerkb.com/topics/CVE-2021-42013?referrer=blog) - This adds both a scanner and an exploit module for the two recent path traversal vulnerabilities in the apache2 HTTP server. The RCE module requires `mod_cgi` to be enabled but can be exploited remotely without any authentication. These vulnerabilities are identified as CVE-2021-41773 and CVE-2021-42013.
* [Sophos UTM WebAdmin SID Command Injection](https://github.com/rapid7/metasploit-framework/pull/15783) by wvu and Justin Kennedy, which exploits [CVE-2020-25223](https://attackerkb.com/topics/rOhVHstwNO/cve-2020-25223?referrer=blog) - This adds an exploit for CVE-2020-25223, an unauthenticated RCE within the Sophos UTM WebAdmin service. Exploitation results in OS command execution as the `root` user.
* [Microsoft OMI Management Interface Authentication Bypass](https://github.com/rapid7/metasploit-framework/pull/15800) by wvu, Nir Ohfeld, Shir Tamari, and Spencer McIntyre, which exploits [CVE-2021-38647](https://attackerkb.com/topics/08O94gYdF1/cve-2021-38647?referrer=blog) - We added an unauthenticated RCE exploit for Microsoft OMI "OMIGOD", CVE-2021-38647. Successful exploitation grants code execution as the `root` user.
* [Apache 2.4.49/2.4.50 Traversal RCE](https://github.com/rapid7/metasploit-framework/pull/15754) by Ash Daulton, Dhiraj Mishra, and mekhalleh (RAMELLA Sébastien), which exploits [CVE-2021-41773](https://attackerkb.com/topics/1RltOPCYqE/cve-2021-41773?referrer=search) and [CVE-2021-42013](https://attackerkb.com/topics/CVE-2021-42013?referrer=blog) - This adds both a scanner and an exploit module for the two recent path traversal vulnerabilities in the apache2 HTTP server. The RCE module requires `mod_cgi` to be enabled but can be exploited remotely without any authentication. These vulnerabilities are identified as CVE-2021-41773 and CVE-2021-42013.
* [Browse the session filesystem in a Web Browser](https://github.com/rapid7/metasploit-framework/pull/15558) by timwr - This adds a post module that allows the user to view the Meterpreter session's filesystem via a locally hosted web page.

## Enhancements and features

* [#15681](https://github.com/rapid7/metasploit-framework/pull/15681) from [smashery](https://github.com/smashery) - This adds support for reverse port forwarding via established SSH sessions.
* [#15778](https://github.com/rapid7/metasploit-framework/pull/15778) from [k0pak4](https://github.com/k0pak4) - This PR adds documentation for the HTTP TRACE scanner.
* [#15788](https://github.com/rapid7/metasploit-framework/pull/15788) from [zeroSteiner](https://github.com/zeroSteiner) - When a generated PowerShell command payload would exceed the maximum length that can successfully execute, gracefully fall back to omitting the AMSI bypass.
* [#15803](https://github.com/rapid7/metasploit-framework/pull/15803) from [k0pak4](https://github.com/k0pak4) - This adds `f5_bigip_virtual_server` scanner documentation.

## Bugs fixed

* [#15799](https://github.com/rapid7/metasploit-framework/pull/15799) from [adfoster-r7](https://github.com/adfoster-r7) - This fixes a crash in the `iis_internal_ip` module.

## Get it

As always, you can update to the latest Metasploit Framework with `msfupdate`, and you can get more details on the changes since the last blog post from GitHub:

* [Pull Requests 6.1.11...6.1.12](https://github.com/rapid7/metasploit-framework/pulls?q=is:pr+merged:%222021-10-21T11%3A22%3A54-04%3A00..2021-10-28T08%3A17%3A18-05%3A00%22)
* [Full diff 6.1.11...6.1.12](https://github.com/rapid7/metasploit-framework/compare/6.1.11...6.1.12)

If you are a `git` user, you can clone the [Metasploit Framework repo](https://github.com/rapid7/metasploit-framework) (master branch) for the latest version of Metasploit Framework. To install fresh without using `git`, you can use the open-source-only [Nightly Installers](https://github.com/rapid7/metasploit-framework/wiki/Nightly-Installers) or the [binary installers](https://www.rapid7.com/products/metasploit/download.jsp) (which also include the commercial edition).
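A defender's check for the Apache 2.4.49/2.4.50 traversal discussed above, added here as an example and not code from this post or from the Metasploit modules: it scans constructed access-log lines (not real traffic), percent-decodes each request path until it stops changing, and flags any request that climbs above the document root. Decoding repeatedly is the point: CVE-2021-42013 bypassed the 2.4.50 fix for CVE-2021-41773 with a second layer of encoding, so a detector that decodes once misses it.

```python
import re
from urllib.parse import unquote
# Constructed sample access-log lines (not real traffic): a normal request,
# a single-encoded traversal (.%2e) and a double-encoded one (.%%32%65).
SAMPLE_LOG = """\
10.0.0.5 - - [28/Oct/2021:10:01:02 +0000] "GET /index.html HTTP/1.1" 200 1043
10.0.0.9 - - [28/Oct/2021:10:01:07 +0000] "GET /cgi-bin/.%2e/.%2e/.%2e/etc/hostname HTTP/1.1" 200 21
10.0.0.9 - - [28/Oct/2021:10:01:09 +0000] "GET /icons/.%%32%65/.%%32%65/.%%32%65/etc/hostname HTTP/1.1" 200 21
"""
REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<path>\S+) HTTP/[\d.]+"')

def fully_decode(path, max_rounds=3):
    """Percent-decode until the string stops changing. CVE-2021-41773 used one
    layer of encoding; the 2.4.50 fix was bypassed (CVE-2021-42013) with a
    second layer (%%32%65 -> %2e -> .), so one unquote() pass is not enough."""
    for _ in range(max_rounds):
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    return path

def escapes_root(path):
    """Walk the decoded path segment by segment and report whether any '..'
    climbs above the document root (depth goes negative)."""
    depth = 0
    for seg in fully_decode(path.split("?", 1)[0]).split("/"):
        if seg in ("", "."):
            continue
        if seg == "..":
            depth -= 1
            if depth < 0:
                return True
        else:
            depth += 1
    return False

def find_traversal(log_text):
    """Return (line_no, decoded_path) for every request that escapes the root."""
    hits = []
    for no, line in enumerate(log_text.splitlines(), 1):
        m = REQUEST_RE.search(line)
        if m and escapes_root(m.group("path")):
            hits.append((no, fully_decode(m.group("path"))))
    return hits

if __name__ == "__main__":
    for no, path in find_traversal(SAMPLE_LOG):
        print(f"line {no}: traversal -> {path}")
```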

