Metasploit Wrap-Up

Advantech iView NetworkServlet Command Injection

This week Shelby Pace has developed a new exploit module for CVE-2022-2143. This module uses an unauthenticated command injection vulnerability to gain remote code execution against vulnerable versions of Advantech iView software below 5.7.04.6469. The software runs as NT AUTHORITY\SYSTEM, granting the module user unauthenticated privileged access with relatively low effort. Version 5.7.04.6469 has been patched to require authentication, but remote code execution can still be achieved - gaining a shell as the LOCAL SERVICE user.

Cisco ASA ASDM Brute-force Login

Our very own Jake Baines has contributed a new module which scans for the Cisco ASA ASDM landing page and performs login brute-force to identify valid credentials:

msf6 > use auxiliary/scanner/http/cisco_asa_asdm_bruteforce
msf6 auxiliary(scanner/http/cisco_asa_asdm_bruteforce) > set RHOST 10.9.49.201
RHOST => 10.9.49.201
msf6 auxiliary(scanner/http/cisco_asa_asdm_bruteforce) > set VERBOSE false
VERBOSE => false
msf6 auxiliary(scanner/http/cisco_asa_asdm_bruteforce) > run
[*] The remote target appears to host Cisco ASA ASDM. The module will continue.
[*] Starting login brute force...
[+] SUCCESSFUL LOGIN - "cisco":"cisco123"
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
msf6 auxiliary(scanner/http/cisco_asa_asdm_bruteforce) > 

New module content (2)

• Cisco ASA ASDM Brute-force Login by jbaines-r7 - This adds a scanner module to brute force the Cisco ASA’s ASDM interface in its default configuration.
• Advantech iView NetworkServlet Command Injection by Shelby Pace, rgod, and y4er, which exploits CVE-2022-2143 - This adds an exploit module that leverages a command injection vulnerability in Advantech iView (CVE-2022-2143) to get remote command execution as the SYSTEM user. Versions below 5.7.04.6469 are vulnerable and do not require authentication. Version 5.7.04.6469 is still vulnerable but requires valid credentials to be exploited. Also, this version only gets you RCE as the LOCAL SERVICE user.

Enhancements and features (7)

• #16883 from gwillcox-r7 -This PR deprecates the srt_webdrive_priv script as the same functionality is included in the service_permissions post module.
• #16884 from bcoles - This PR deprecates the credcollect script as it has effectively been replaced by post/windows/gather/credentials/credential_collector
• #16902 from bcoles - The scripts/meterpreter/killav.rb script has been removed since scripts have been depreciated for over 5 years. It has been replaced with post/windows/manage/killav.
• #16905 from bcoles - The scripts/meterpreter/panda_2007_pavsrv51.rb script has been removed and replaced by exploit/windows/local/service_permissions. Note that scripts have been deprecated for over 5 years and are no longer supported.
• #16908 from bcoles - Remove ./scripts/meterpreter/dumplinks.rb, replace with post/windows/gather/dumplink which does pretty much the same thing but is a proper module vs a deprecated script, since we stopped supporting scripts several years ago.
• #16909 from bcoles - scripts/meterpreter/get_pidgin_creds.rb has been removed since scripts have been depreciated for some time now and are no longer supported. It has been replaced by post/multi/gather/pidgin_cred.
• #16910 from bcoles - The scripts/meterpreter/arp_scanner.rb script has been replaced with post/windows/gather/arp_scanner which implements the same logic with an improved OUI database to help fingerprint the MAC vendor.

Bugs fixed (1)

• #16881 from bcoles - This fixes a crash in the post/windows/manage/forward_pageant module caused by the removal of Dir::Tmpname.make_tmpname() in Ruby 2.5.0. This also makes some improvements to the code.

Get it

As always, you can update to the latest Metasploit Framework with msfupdate
and you can get more details on the changes since the last blog post from
GitHub:

• Pull Requests 6.2.12…6.2.13
• Full diff 6.2.12…6.2.13

If you are a git user, you can clone the Metasploit Framework repo (master branch) for the latest.
To install fresh without using git, you can use the open-source-only Nightly Installers or the
binary installers (which also include the commercial edition).