Metasploit Wrap-Up


## MicroFocus? More like MacroVuln

![Metasploit Wrap-Up](https://blog.rapid7.com/content/images/2021/02/metasploit-blg-2-small-1-1.png)

Micro Focus's Operations Bridge Manager (OBM) is an IT operations and event management platform that collects and correlates events and logs from many disparate sources. That breadth gives OBM a large attack surface, something [Pedro Ribeiro](<https://github.com/pedrib>) was able to take advantage of with his new [RCE module](<https://github.com/rapid7/metasploit-framework/pull/14671>). The module leverages a Java deserialization bug to execute a payload as either root or SYSTEM, depending on the victim OS. We have one other OBM module currently in the process of being landed, but for anyone who needs their fix of Micro Focus hacks right away, we recommend pedrib's [super detailed writeup](<https://github.com/pedrib/PoC/blob/master/advisories/Micro_Focus/Micro_Focus_OBM.md>) of his findings.

## Patches? We don't need no stinkin' patches!

While [PR #14607](<https://github.com/rapid7/metasploit-framework/pull/14607>) doesn't add a totally new exploit for Microsoft Exchange Server, that's only because [zeroSteiner](<https://github.com/zeroSteiner>) was able to update an existing module to bypass the patch that was _supposed_ to fix the vulnerability it exploits. [CVE-2020-16875](<https://attackerkb.com/topics/Y2azzfAbid/cve-2020-16875?referrer=blog>) originally allowed remote attackers to execute arbitrary code on affected installations of Microsoft Exchange Server, provided they were authenticated as a user who had an active mailbox and who had been assigned the `Data Loss Prevention` role.
This was believed to have been patched in [Exchange Server 2016 Cumulative Update 18](<https://support.microsoft.com/en-us/topic/cumulative-update-18-for-exchange-server-2016-c1af0ead-3bde-e4db-5f24-9f597050dcbf>) (September 15, 2020) and [Exchange Server 2019 Cumulative Update 7](<https://support.microsoft.com/en-us/topic/cumulative-update-7-for-exchange-server-2019-b763863a-8a2f-9eb9-f3cc-4c4098e0e413>) (September 15, 2020). However, that patch was later bypassed, and the bypass was assigned [CVE-2020-17132](<https://attackerkb.com/topics/sfBIO5A6Cl/cve-2020-17132?referrer=blog>). Microsoft's second patch was also later bypassed, a tough shake for organizations' patch cycles. Both the [original vulnerability](<https://srcincite.io/advisories/src-2020-0019/>) and [the patch bypass](<https://srcincite.io/advisories/src-2020-0032/>) were discovered by [Steven Seeley](<https://twitter.com/steventseeley/status/1349058761370071041>), and the Metasploit code is based on his work. zeroSteiner's changes allow the `exchange_ecp_dlp_policy` module to exploit both patched versions of Exchange Server as well as unpatched servers.

## External modules, internal quality

Last but not least, [cgranleese-r7](<https://github.com/cgranleese-r7>) has spearheaded our efforts to improve the usability of [Metasploit's external modules](<https://blog.rapid7.com/2018/09/05/external-metasploit-modules-the-gift-that-keeps-on-slithering/>) by providing more informative error messages when the language runtime a module needs is missing from the user's environment ([#14480](<https://github.com/rapid7/metasploit-framework/pull/14480>)). This should stop users from missing out on useful modules simply because they didn't know that languages other than Ruby (currently Python and Go) can be needed for the full Metasploit experience:

```
msf6 > use auxiliary/scanner/msmail/host_id
[-] Failed to load module: LoadError Failed to execute external Go module. Please ensure you have Go installed on your environment.
msf6 >
```
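As an added illustration, not code from the Metasploit framework or from PR #14480, here is a minimal Ruby version of the kind of check that makes an error like the one above possible: before an external module is executed, the loader looks up the interpreter its file type needs on `PATH` and, if none is found, raises a `LoadError` whose message names the missing runtime instead of a bare exception. The `EXTERNAL_RUNTIMES` table, the function names and the `path` argument are assumptions made for this example.

```ruby
# Added example: a runtime-presence check for external modules.
# Not Metasploit's own loader; table, names and message wording are illustrative.
require 'tmpdir'

# Map an external module's file extension to the interpreter it needs on PATH.
# (Assumed table for this example; real loaders may use shebangs or metadata.)
EXTERNAL_RUNTIMES = {
  '.py' => { name: 'Python', binaries: %w[python3 python] },
  '.go' => { name: 'Go',     binaries: %w[go] }
}.freeze

# Return the first binary from +names+ found in +path+ (a PATH-style string), or nil.
def find_executable(names, path = ENV['PATH'])
  path.to_s.split(File::PATH_SEPARATOR).each do |dir|
    names.each do |name|
      candidate = File.join(dir, name)
      return candidate if File.file?(candidate) && File.executable?(candidate)
    end
  end
  nil
end

# Returns nil when the module's runtime is available (or the module is plain Ruby),
# otherwise the user-facing message saying which language runtime is missing.
def missing_runtime_message(module_path, path = ENV['PATH'])
  runtime = EXTERNAL_RUNTIMES[File.extname(module_path)]
  return nil if runtime.nil?                          # Ruby modules need nothing extra
  return nil if find_executable(runtime[:binaries], path)

  "Failed to execute external #{runtime[:name]} module. " \
    "Please ensure you have #{runtime[:name]} installed on your environment."
end

# Mimics the loader: fail early with the informative message rather than
# discovering the missing interpreter when the subprocess cannot be spawned.
def load_external_module(module_path, path = ENV['PATH'])
  msg = missing_runtime_message(module_path, path)
  raise LoadError, msg if msg

  :loaded
end

if __FILE__ == $PROGRAM_NAME
  # Demonstrate with an empty PATH so the outcome does not depend on this machine.
  Dir.mktmpdir do |empty_dir|
    begin
      load_external_module('modules/auxiliary/scanner/msmail/host_id.go', empty_dir)
    rescue LoadError => e
      puts "[-] Failed to load module: LoadError #{e.message}"
    end
  end
end
```

One caveat a practitioner would add: finding `go` or `python3` on `PATH` only proves an interpreter exists, not that it is a version the module's dependencies support, so a check like this is a first line of defence and the module's own runtime errors still need to be surfaced clearly.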
## New modules (1)

* [Micro Focus Operations Bridge Manager Authenticated Remote Code Execution](<https://github.com/rapid7/metasploit-framework/pull/14671>) by Pedro Ribeiro, which exploits ZDI-20-1327 / [CVE-2020-11853](<https://attackerkb.com/topics/KTzvjJFDS8/cve-2020-11853?referrer=blog>). This adds an exploit module that leverages an insecure Java deserialization vulnerability in multiple Micro Focus products. It allows remote code execution as the root user on Linux or the SYSTEM user on Windows. Initial authentication is required, but any low-privileged user can be used to successfully run this exploit.

## Enhancements and features

* [#14154](<https://github.com/rapid7/metasploit-framework/pull/14154>) from [cgranleese-r7](<https://github.com/cgranleese-r7>): ensures that all modules that previously implemented `AutoCheck` behavior by hand now leverage the `AutoCheck` mixin instead.
* [#14480](<https://github.com/rapid7/metasploit-framework/pull/14480>) from [cgranleese-r7](<https://github.com/cgranleese-r7>): improves the handling of external modules that are missing runtime dependencies and gives the user a more useful error. It now reports which runtime language is missing from the user's environment (implemented for both Python and Go).
* [#14607](<https://github.com/rapid7/metasploit-framework/pull/14607>) from [zeroSteiner](<https://github.com/zeroSteiner>): updates the Exchange ECP DLP Policy exploit module to leverage a new technique that bypasses the original patch. The new technique also works on unpatched versions.
* [#14669](<https://github.com/rapid7/metasploit-framework/pull/14669>) from [jmartin-r7](<https://github.com/jmartin-r7>): improves error message feedback when using the `auxiliary/analyze/crack_*` modules.
  Examples include notifying the user that the database needs to be active and that the John the Ripper Jumbo patch needs to be installed.
* [#14685](<https://github.com/rapid7/metasploit-framework/pull/14685>) from [geyslan](<https://github.com/geyslan>): reduces the size of the `linux/x64/shell_bind_tcp_random_port` payload while maintaining its functionality.
* [#14708](<https://github.com/rapid7/metasploit-framework/pull/14708>) from [timwr](<https://github.com/timwr>): adds offsets to the `exploit/osx/browser/safari_proxy_object_type_confusion` exploit module for macOS 10.13.1 and 10.13.2.
* [#14721](<https://github.com/rapid7/metasploit-framework/pull/14721>) from [bcoles](<https://github.com/bcoles>): adds a Debian 10 target to the sudo exploit for [CVE-2021-3156](<https://attackerkb.com/topics/krVyNG9US8/cve-2021-3156-baron-samedit?referrer=blog>).
* [#14728](<https://github.com/rapid7/metasploit-framework/pull/14728>) from [FireFart](<https://github.com/FireFart>): updates `lib/msf/core/module/reference.rb`, along with the associated tools and documentation, to replace old WPVDB links with the new WPVDB domain and to ensure the new URL format is properly checked by the respective tools.
* [#14725](<https://github.com/rapid7/metasploit-framework/pull/14725>) from [h00die](<https://github.com/h00die>): moves credentials to a default-cred "userpass" list instead of splitting known credential pairs across files.

## Bugs fixed

* [#14714](<https://github.com/rapid7/metasploit-framework/pull/14714>) from [adfoster-r7](<https://github.com/adfoster-r7>): updates the sqlite gem in preparation for Ruby 3.0 support and fixes a SQLite3 deprecation warning.
* [#14720](<https://github.com/rapid7/metasploit-framework/pull/14720>) from [dwelch-r7](<https://github.com/dwelch-r7>): fixes an issue in the `lib/msf/core/exploit/remote/http_client.rb` and `lib/msf/core/opt_http_rhost_url.rb` libraries where the `VHOST` datastore variable would be set incorrectly if the user relied on an `/etc/hosts` entry to resolve a hostname to an IP address.

## Get it

As always, you can update to the latest Metasploit Framework with `msfupdate`, and you can get more details on the changes since the last blog post from GitHub:

* [Pull Requests 6.0.29...6.0.30](<https://github.com/rapid7/metasploit-framework/pulls?q=is:pr+merged:%222021-02-04T11%3A13%3A25-06%3A00..2021-02-11T08%3A23%3A00-06%3A00%22>)
* [Full diff 6.0.29...6.0.30](<https://github.com/rapid7/metasploit-framework/compare/6.0.29...6.0.30>)

If you are a `git` user, you can clone the [Metasploit Framework repo](<https://github.com/rapid7/metasploit-framework>) (master branch) for the latest. To install fresh without using git, you can use the open-source-only [Nightly Installers](<https://github.com/rapid7/metasploit-framework/wiki/Nightly-Installers>) or the [binary installers](<https://www.rapid7.com/products/metasploit/download.jsp>) (which also include the commercial edition).