Lucene search

K
rapid7blogJacquie HarrisRAPID7BLOG:A7415EC36E152BB0F6532D0F8D5FC7BD
HistoryOct 06, 2023 - 6:10 p.m.

Metasploit Weekly Wrap Up

2023-10-0618:10:13
Jacquie Harris
blog.rapid7.com
37
metasploit
new modules
ldap
junos os
rce
exploit
vulnerability
ws_ftp
.net
deserialization
bug fixes

EPSS

0.964

Percentile

99.6%

New module content (3)

LDAP Login Scanner

Metasploit Weekly Wrap Up

Author: Dean Welch
Type: Auxiliary
Pull request: #18197 contributed by dwelch-r7
Path: scanner/ldap/ldap_login

Description: This PR adds a new login scanner module for LDAP. Login scanners are the classes that provide functionality for testing authentication against various different protocols and mechanisms. This LDAP login scanner supports multiple types of authentication including: Plaintext, NTLM, Kerberos and SChannel.

Junos OS PHPRC Environment Variable Manipulation RCE

Authors: Jacob Baines, Ron Bowes, and jheysel-r7
Type: Exploit
Pull request: #18389 contributed by jheysel-r7
Path: freebsd/http/junos_phprc_auto_prepend_file

Description: This adds an exploit module that leverages a PHP environment variable manipulation vulnerability affecting Juniper SRX firewalls and EX switches. This vulnerability is identified as CVE-2023-36845 and allows an attacker to achieve unauthenticated remote code execution as a low privileged user. This module also includes a jailbreak feature that consists in changing the root password and establishing an SSH session as the root user. The original password is restored when the module terminates.

Progress Software WS_FTP Unauthenticated Remote Code Execution

Author: sfewer-r7
Type: Exploit
Pull request: #18414 contributed by sfewer-r7
Path: windows/http/ws_ftp_rce_cve_2023_40044

Description: This module exploits an unsafe .NET deserialization vulnerability to achieve unauthenticated remote code execution against a vulnerable WS_FTP server running the Ad Hoc Transfer module. All versions of WS_FTP server prior to 8.7.4 and 8.8.2 are vulnerable to this issue. The vulnerability was originally discovered by AssetNote.

AttackerKB Assessment: (<https://attackerkb.com/topics/bn32f9sNax/cve-2023-40044/rapid7-analysis&gt;)

Enhancements and features (6)

  • #17919 from bcoles - This PR adds support for starting and stopping Windows services using the service control manager to shell payloads.
  • #18338 from smashery - This PR updates the kerberos.rb library such that when a kerberos login is attempted, on a user where pre-authentication is not required, the module now requests a RRC4-HMAC ticket, since it’s more easily crackable.
  • #18363 from j0ev - This PR adds support to outputting payloads in octal in both framework and venom.
  • #18412 from zeroSteiner - This adds additional usage tips to Metasploit, expanding the pool that is selected from on startup.
  • #18420 from smashery - :
    This PR updates the user-agent string reported by our http payloads. We update this periodically to make sure that our payloads don’t stick out having an older user agent string.
  • #18425 from adfoster-r7 - Adds history support to the nasm and metasm shells. Now when re-opening these shells, previously typed commands should be remembered and available.

Bugs fixed (1)

  • #18372 from gcarmix - Fixed an issue in the generic shell download command.

Documentation added (3)

  • #18277 from cnnrshd -
    This PR adds new documentation for how to create a command injection exploit module.
  • #18347 from bwatters-r7 - This PR updates the how-to-write-a-check-method docs to better explain to not use fail_with to align with best practices when making sure a check method returns a check code.
  • #18393 from adfoster-r7 - Updates the running modules landing page on the Wiki with more beginner friendly information on searching for and running modules.

You can always find more documentation on our docsite at docs.metasploit.com.

Get it

As always, you can update to the latest Metasploit Framework with msfupdate
and you can get more details on the changes since the last blog post from
GitHub:

If you are a git user, you can clone the Metasploit Framework repo (master branch) for the latest.
To install fresh without using git, you can use the open-source-only Nightly Installers or the
binary installers (which also include the commercial edition).

Download Rapid7’s 2023 Mid-Year Threat Report ▶︎