Metasploit Wrap-up


## PrintNightmare ![Metasploit Wrap-up](https://blog.rapid7.com/content/images/2021/07/metasploit-blg-2-small-1.png) Rapid7 security researchers [Christophe De La Fuente](<https://github.com/cdelafuente-r7>), and [Spencer McIntyre](<https://github.com/zeroSteiner>), have added a new module for [CVE-2021-34527](<https://attackerkb.com/topics/MIHLz4sY3s/cve-2021-34527-printnightmare?referrer=blog>), dubbed PrintNightmare. This module builds upon the research of Xuefeng Li, Zhang Yunhai, Zhiniang Peng, Zhipeng Huo, and cube0x0. The module triggers a remote DLL load by abusing a vulnerability in the Print Spooler service. The print spooler service can be abused by an authenticated remote attacker to load a DLL through a crafted DCERPC request using the MS-RPRN vector, resulting in remote code execution as `NT AUTHORITY\SYSTEM`. Because Metasploit's SMB server doesn't support SMB3 (yet), it's highly recommended to use an external SMB server like Samba that supports SMB3. The [Metasploit module documentation](<https://github.com/rapid7/metasploit-framework/blob/master/documentation/modules/auxiliary/admin/dcerpc/cve_2021_1675_printnightmare.md>) details the process of generating a payload DLL and using this module to load it. [CVE-2021-34527](<https://attackerkb.com/topics/MIHLz4sY3s/cve-2021-34527-printnightmare?referrer=blog>) is being actively exploited in the wild. For more information and a full timeline, see [Rapid7’s blog on PrintNightmare](<https://www.rapid7.com/blog/post/2021/06/30/cve-2021-1675-printnightmare-patch-does-not-remediate-vulnerability/>)! ## NSClient++ Great work by community contributor [Yann Castel](<https://github.com/Hakyac>) on their new NSClient++ module. This module allows an attacker with an unprivileged windows account to gain admin access on a windows system and start a shell. For this module to work, both the web interface of NSClient++ and the `ExternalScripts` feature should be enabled. You must also know where the NSClient config file is as it is used to read the admin password which is stored in clear text. ## New module content (2) * [Print Spooler Remote DLL Injection](<https://github.com/rapid7/metasploit-framework/pull/15385>) by Christophe De La Fuente, Piotr Madej, Spencer McIntyre, Xuefeng Li, Zhang Yunhai, Zhiniang Peng, Zhipeng Huo, and cube0x0, which exploits [CVE-2021-34527](<https://attackerkb.com/topics/MIHLz4sY3s/cve-2021-34527-printnightmare?referrer=blog>) \- A new module has been added to Metasploit to exploit PrintNightmare, aka CVE-2021-1675/CVE-2021-34527, a Remote Code Execution vulnerability in the Print Spooler service of Windows. Successful exploitation results in the ability to load and execute an attacker controlled DLL as the `SYSTEM` user. * [NSClient++ - Privilege escalation](<https://github.com/rapid7/metasploit-framework/pull/15318>) by BZYO, Yann Castel and kindredsec - This post module allows an attacker to perform a privilege escalation on a machine running a vulnerable version of NSClient++. The module retrieves the admin password from a config file at a customizable path, and so long as NSClient++ has both the web interface and ExternalScriptsfeature enabled, gains a SYSTEM shell. ## Enhancements and features * [#15366](<https://github.com/rapid7/metasploit-framework/pull/15366>) from [pingport80](<https://github.com/pingport80>) \- This updates how the msfconsole's history file is handled. It adds a size limitation so the number of commands does not grow indefinitely and fixes a locking condition that would occur when the history file had grown exceptionally large (~400,000 lines or more). ## Bugs fixed * [#15320](<https://github.com/rapid7/metasploit-framework/pull/15320>) from [agalway-r7](<https://github.com/agalway-r7>) \- A bug has been fixed in the `read_file` method of `lib/msf/core/post/file.rb` that prevented PowerShell sessions from being able to use the `read_file()` method. PowerShell sessions should now be able to use this method to read files from the target system. * [#15371](<https://github.com/rapid7/metasploit-framework/pull/15371>) from [bcoles](<https://github.com/bcoles>) \- This fixes an issue in the `apport_abrt_chroot_priv_esc` module where if the `apport-cli` binary was not in the PATH the check method would fail. ## Get it As always, you can update to the latest Metasploit Framework with `msfupdate` and you can get more details on the changes since the last blog post from GitHub: * [Pull Requests 6.0.51...6.0.52](<https://github.com/rapid7/metasploit-framework/pulls?q=is:pr+merged:%222021-06-30T14%3A00%3A49-05%3A00..2021-07-08T16%3A19%3A37%2B01%3A00%22>) * [Full diff 6.0.51...6.0.52](<https://github.com/rapid7/metasploit-framework/compare/6.0.51...6.0.52>) If you are a `git` user, you can clone the [Metasploit Framework repo](<https://github.com/rapid7/metasploit-framework>) (master branch) for the latest. To install fresh without using git, you can use the open-source-only [Nightly Installers](<https://github.com/rapid7/metasploit-framework/wiki/Nightly-Installers>) or the [binary installers](<https://www.rapid7.com/products/metasploit/download.jsp>) (which also include the commercial edition).