# Metasploit Weekly Wrap-Up


## Wowza, a new credential gatherer and login scanner!

![Metasploit Weekly Wrap-Up](https://blog.rapid7.com/content/images/2023/03/metasploit-fence.png)

This week Metasploit Framework gained a credential gatherer for Wowza Streaming Engine Manager. Credentials for this application are stored in a file named `admin.password` in a known location; the file is readable by default by `BUILTIN\Users` on Windows and is world-readable on Linux. The module was written by community contributor [bcoles](<https://github.com/bcoles>), who also wrote a login scanner for Wowza this week. The login scanner can be used to validate the credentials found by the gatherer, so the two modules complement each other quite nicely.

## New module content (3)

### Wowza Streaming Engine Manager Login Utility

* Author: bcoles
* Type: Auxiliary
* Pull request: [#17733](<https://github.com/rapid7/metasploit-framework/pull/17733>) contributed by [bcoles](<https://github.com/bcoles>)
* Description: This adds a login scanner module to brute force credentials of Wowza Streaming Engine Manager.

### SugarCRM unauthenticated Remote Code Execution (RCE)

* Authors: Sw33t.0day and h00die-gr3y
* Type: Exploit
* Pull request: [#17507](<https://github.com/rapid7/metasploit-framework/pull/17507>) contributed by [h00die-gr3y](<https://github.com/h00die-gr3y>)
* AttackerKB reference: [CVE-2023-22952](<https://attackerkb.com/topics/E486ui94II/cve-2023-22952?referrer=blog>)
* Description: A module has been added which exploits CVE-2023-22952, an RCE vulnerability in SugarCRM 11.0 Enterprise, Professional, Sell, Serve, and Ultimate versions prior to 11.0.5 and SugarCRM 12.0 Enterprise, Sell, and Serve versions prior to 12.0.2. Successful exploitation as an unauthenticated attacker results in remote code execution as the user running the web service, which is typically `www-data`.
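For the `admin.password` exposure described at the top of this post, here is an added example (not the gather module's own code) that checks the Linux permission bits and parses the file into credentials. Assumptions, which are this example's and not the post's: the documented `[username] [password] [group-list]` layout with `|`-separated groups, the default Linux install path `/usr/local/WowzaStreamingEngine/conf/admin.password`, and the function names; the sample file contents are constructed.

```ruby
require 'tempfile'

# Added example, not the Metasploit post module's code. Assumptions: the
# documented "[username] [password] [group-list]" layout of admin.password
# (groups separated by '|') and the default Linux install path below.
WOWZA_ADMIN_PASSWORD = '/usr/local/WowzaStreamingEngine/conf/admin.password'.freeze

# True when the mode bits grant read access to "other", i.e. any local user
# can read the file. This is the Linux half of the exposure the post describes;
# the Windows half (BUILTIN\Users in the ACL) needs icacls or Get-Acl instead.
def world_readable?(mode)
  (mode & 0o004) != 0
end

# Parses admin.password text into [{user:, password:, groups:}, ...].
# Blank lines and '#' comments are skipped, and a line with fewer than two
# columns is ignored rather than raising, because the file is hand-edited.
def parse_admin_password(text)
  text.each_line.filter_map do |line|
    line = line.strip
    next if line.empty? || line.start_with?('#')

    user, password, groups = line.split(/\s+/, 3)
    next if password.nil?

    { user: user, password: password, groups: groups.to_s.split('|') }
  end
end

# Stats the file, reports whether every local user could read it, and returns
# whatever credentials the current user is able to read from it.
def gather_wowza_creds(path = WOWZA_ADMIN_PASSWORD)
  st = File.stat(path)
  {
    path: path,
    mode: format('%04o', st.mode & 0o7777),
    world_readable: world_readable?(st.mode),
    creds: File.readable?(path) ? parse_admin_password(File.read(path)) : []
  }
end

if $PROGRAM_NAME == __FILE__
  # Constructed sample standing in for a real admin.password file.
  sample = "# Admin password file\nadmin s3cr3tPass admin|advUser\nops Op3rat0r advUser\n"
  Tempfile.create('admin.password') do |f|
    f.write(sample)
    f.flush
    File.chmod(0o644, f.path) # the world-readable default the post describes
    p gather_wowza_creds(f.path)
  end
end
```

Run it against the real path on a Wowza host to confirm both halves of the finding at once: a `0644` mode with `world_readable: true` is the misconfiguration, and a non-empty `creds` array is what the login scanner should be fed.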
### Gather Wowza Streaming Engine Credentials

* Author: bcoles
* Type: Post
* Pull request: [#17737](<https://github.com/rapid7/metasploit-framework/pull/17737>) contributed by [bcoles](<https://github.com/bcoles>)
* Description: This adds a post module that collects Wowza Streaming Engine user credentials from the `admin.password` local configuration file. This file is world-readable by default on Linux and readable by `BUILTIN\Users` on Windows.

## Enhancements and features (9)

* [#17675](<https://github.com/rapid7/metasploit-framework/pull/17675>) from [adfoster-r7](<https://github.com/adfoster-r7>) - Updates the `admin/kerberos/forge_ticket` module to support a new `extra_sids` option, which can be used to include cross-domain SIDs when forging external Kerberos trust tickets as part of cross-trust domain escalation. The `admin/kerberos/inspect_ticket` module has also been updated to display these extra SID values.
* [#17686](<https://github.com/rapid7/metasploit-framework/pull/17686>) from [zeroSteiner](<https://github.com/zeroSteiner>) - This adds three additional methods to the existing PetitPotam module so that it keeps working even when the patch for CVE-2021-36942 has been installed. Note that it will not work against hosts that have the December 2021 patch installed.
* [#17715](<https://github.com/rapid7/metasploit-framework/pull/17715>) from [zeroSteiner](<https://github.com/zeroSteiner>) - The Metasploit Payload gem has been bumped to 2.0.115, bringing in support for the `arp` command in Python Meterpreter on Linux and adding support for displaying IPv6 routing tables with the `route` command on Windows.
* [#17727](<https://github.com/rapid7/metasploit-framework/pull/17727>) from [rohitkumarankam](<https://github.com/rohitkumarankam>) - Two new options have been added to the login scanner library: `max_consecutive_error_count` and `max_error_count`. They let users set the maximum number of connection errors allowed in total, and the maximum number of consecutive connection errors allowed, before the login scanner gives up on a target.
* [#17744](<https://github.com/rapid7/metasploit-framework/pull/17744>) from [adfoster-r7](<https://github.com/adfoster-r7>) - The code for `msfconsole` has been updated so that performance profiling also takes into account the time it takes to load `msfenv` and console-related libraries, allowing for more accurate performance profiling.
* [#17745](<https://github.com/rapid7/metasploit-framework/pull/17745>) from [gwillcox-r7](<https://github.com/gwillcox-r7>) - This updates the metasploit-payloads gem to pull in changes to the Python Meterpreter on Windows that add the `route add` and `route delete` commands as well as the ability to get process information such as process names and paths.
* [#17746](<https://github.com/rapid7/metasploit-framework/pull/17746>) from [todb-r7](<https://github.com/todb-r7>) - The `data/wordlists/password.lst` password list has been updated to include the master password that LastPass suggests as an example when a user goes to create a new master password, `r50$K28vaIFiYxaY`, and to fix some encoding issues.
* [#17749](<https://github.com/rapid7/metasploit-framework/pull/17749>) from [adfoster-r7](<https://github.com/adfoster-r7>) - Updates the `auxiliary/admin/kerberos/keytab.rb` module to additionally export any NTHASHES, which can be useful for decrypting Kerberos network traffic in Wireshark.
* [#17756](<https://github.com/rapid7/metasploit-framework/pull/17756>) from [adfoster-r7](<https://github.com/adfoster-r7>) - Updates secrets dump to generate the Kerberos RC4 key for the machine account.
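The `max_error_count` and `max_consecutive_error_count` options from #17727 are easier to reason about with the loop written out. The following is an added example, not the Metasploit login scanner library: it shows a scanner giving up on a target either when a total error budget is spent or when errors pile up back to back. Assumptions of this example, not statements about the library: the consecutive counter resets on any attempt that actually reached the service (a successful or failed login), a value of 0 disables a limit, and the `scan_target` and `Attempt` names are its own; the outcome sequence is constructed.

```ruby
# Added example, not the Metasploit login scanner library. It shows the control
# flow behind the two new options: abandon a target once a total error budget
# is spent or once too many errors occur back to back. Assumptions: the
# consecutive counter resets on any attempt that reached the service (a
# :success or :failed login), and 0 means "no limit".

Attempt = Struct.new(:credential, :status) # status: :success, :failed or :error

# Tries each credential with the given block, which returns :success, :failed
# or :error for one login attempt. Returns [attempts made, stop reason], where
# the reason is :exhausted, :max_error_count or :max_consecutive_error_count.
def scan_target(credentials, max_error_count: 0, max_consecutive_error_count: 0)
  attempts = []
  errors = 0
  consecutive = 0

  credentials.each do |cred|
    status = yield(cred)
    attempts << Attempt.new(cred, status)

    if status == :error
      errors += 1
      consecutive += 1
      return [attempts, :max_error_count] if max_error_count.positive? && errors >= max_error_count
      if max_consecutive_error_count.positive? && consecutive >= max_consecutive_error_count
        return [attempts, :max_consecutive_error_count]
      end
    else
      consecutive = 0 # the service answered, so the run of errors is over
    end
  end

  [attempts, :exhausted]
end

if $PROGRAM_NAME == __FILE__
  # Constructed outcomes for a flaky target: attempts 3 to 5 time out.
  outcomes = %i[failed failed error error error failed success]
  creds = (1..outcomes.length).map { |i| "admin:pass#{i}" }
  cursor = -1
  attempts, reason = scan_target(creds, max_consecutive_error_count: 3) { outcomes[cursor += 1] }
  puts "stopped after #{attempts.length} attempts: #{reason}"
end
```

The two limits answer different questions: `max_consecutive_error_count` catches a target that has gone away (or started rate-limiting you) mid-run, while `max_error_count` caps the total noise you are willing to generate against a host that only drops every few connections.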
## Bugs fixed (8)

* [#17673](<https://github.com/rapid7/metasploit-framework/pull/17673>) from [bcoles](<https://github.com/bcoles>) - `lib/msf/core/payload/apk.rb` has been updated so that by default it only decompiles the main classes instead of all classes, fixing some issues whereby decompiling all classes would prevent creation of a backdoored APK. This also bumps the minimum `apktool` version to 2.4.1 and makes versions of `apktool` prior to 2.7.0 emit a warning about being potentially out of date.
* [#17716](<https://github.com/rapid7/metasploit-framework/pull/17716>) from [zeroSteiner](<https://github.com/zeroSteiner>) - A bug has been fixed whereby the reverse port forward information message was displayed incorrectly, with the same information shown on both the local and remote parts of the message.
* [#17721](<https://github.com/rapid7/metasploit-framework/pull/17721>) from [zeroSteiner](<https://github.com/zeroSteiner>) - This fixes an issue where adapted payloads failed when stage encoding was enabled, because the stage encoding was based on the stager's arch and platform values. These values were always the same until adapted payloads were introduced, which can vary.
* [#17723](<https://github.com/rapid7/metasploit-framework/pull/17723>) from [jvoisin](<https://github.com/jvoisin>) - A bug has been fixed in the `modules/encoders/php/base64.rb` encoder whereby strings were being emitted as bare words without being properly quoted, which could result in errors on newer versions of PHP.
* [#17726](<https://github.com/rapid7/metasploit-framework/pull/17726>) from [zeroSteiner](<https://github.com/zeroSteiner>) - The Metasploit Payloads gem has been updated, bringing in initial support for attaching to processes from Python Meterpreter shells on Windows, a bug fix for the `route` command on newer versions of Windows in Windows Meterpreter, and a fix so that both C Meterpreter and Python Meterpreter sessions attempt to enable the same set of privileges when running `getprivs`.
* [#17729](<https://github.com/rapid7/metasploit-framework/pull/17729>) from [bcoles](<https://github.com/bcoles>) - Fixes an edge-case crash when running under Ruby 3.2.
* [#17738](<https://github.com/rapid7/metasploit-framework/pull/17738>) from [adfoster-r7](<https://github.com/adfoster-r7>) - Fixes a Ruby 3.2 crash when running certain tools.
* [#17758](<https://github.com/rapid7/metasploit-framework/pull/17758>) from [zeroSteiner](<https://github.com/zeroSteiner>) - The metasploit-payloads gem has been bumped to fix a token handle leak that was causing Python Meterpreters to leave dangling handles after using `getprivs`, fix an error in `packet_transmit_http` whereby error codes were not returned appropriately, and update the `arp` command to return the interface name instead of the index in the `interface` column.

## Documentation added (3)

* [#17684](<https://github.com/rapid7/metasploit-framework/pull/17684>) from [adfoster-r7](<https://github.com/adfoster-r7>) - This PR adds the RBCD exploitation documentation to the docs site.
* [#17688](<https://github.com/rapid7/metasploit-framework/pull/17688>) from [adfoster-r7](<https://github.com/adfoster-r7>) - This PR fixes several broken wiki links and adds validation so that users don't use the wrong syntax when making docs changes.
* [#17743](<https://github.com/rapid7/metasploit-framework/pull/17743>) from [adfoster-r7](<https://github.com/adfoster-r7>) - A new page has been added to explain the `METASPLOIT_CPU_PROFILE` and `METASPLOIT_MEMORY_PROFILE` options and how to profile the performance of `msfconsole` and `msfvenom`.

You can always find more documentation on our docsite at [docs.metasploit.com](<https://docs.metasploit.com/>).

## Get it

As always, you can update to the latest Metasploit Framework with `msfupdate`, and you can get more details on the changes since the last blog post from GitHub:

* [Pull Requests 6.3.5...6.3.6](<https://github.com/rapid7/metasploit-framework/pulls?q=is:pr+merged:%222023-03-02T14%3A22%3A58%2B00%3A00..2023-03-09T19%3A29%3A16%2B01%3A00%22>)
* [Full diff 6.3.5...6.3.6](<https://github.com/rapid7/metasploit-framework/compare/6.3.5...6.3.6>)

If you are a `git` user, you can clone the [Metasploit Framework repo](<https://github.com/rapid7/metasploit-framework>) (master branch) for the latest. To install fresh without using git, you can use the open-source-only [Nightly Installers](<https://github.com/rapid7/metasploit-framework/wiki/Nightly-Installers>) or the [binary installers](<https://www.rapid7.com/products/metasploit/download.jsp>) (which also include the commercial edition).