Lucene search

K
rapid7blogChristopher GranleeseRAPID7BLOG:ADAE3CACA7F41A02C12F44F4616369FF
HistorySep 02, 2022 - 7:39 p.m.

Metasploit Weekly Wrap-Up

2022-09-0219:39:21
Christopher Granleese
blog.rapid7.com
105

9.8 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

10 High

CVSS2

Access Vector

NETWORK

Access Complexity

LOW

Authentication

NONE

Confidentiality Impact

COMPLETE

Integrity Impact

COMPLETE

Availability Impact

COMPLETE

AV:N/AC:L/Au:N/C:C/I:C/A:C

ICPR Certificate Management

Metasploit Weekly Wrap-Up

This week Metasploit has a new ICPR Certificate Management module from Oliver Lyak and our very own Spencer McIntyre, which can be utilized for issuing certificates via Active Directory Certificate Services. It has the capability to issue certificates which is useful in a few contexts including persistence, ESC1 and as a primitive necessary for exploiting CVE-2022-26923. Resulting in the PFX certificate file being stored to loot and is encrypted using a blank password.

ManageEngine ADAudit Plus and DataSecurity Plus Xnode enum

Another addition thanks to Erik Wynter and Sahil Dhar, that brings two new auxiliary/gather modules and docs that take advantage of default Xnode credentials (CVE-2020–11532) in order to enumerate active directory information and other sensitive data via the DataEngine Xnode server (Xnode). Because both modules rely on the same code to interact with Xnode, this change also adds a mixin at lib/msf/core/auxiliary/manageengine_xnode that is leveraged by both modules (plus by a third module that will be part of a separate PR). Both modules also come with configuration files to determine what data will be enumerated from Xnode. The PR contains even more information on the vulnerable systems and extensive notes!

New module content (5)

  • ICPR Certificate Management by Oliver Lyak and Spencer McIntyre - This adds a module for issuing certificates via Active Directory Certificate Services, which is useful in a few contexts including persistence and for some specific exploits. The resulting PFX certificate file is stored to the loot and is encrypted using a blank password.

  • ManageEngine ADAudit Plus Xnode Enumeration by Erik Wynter and Sahil Dhar, which exploits CVE-2020-11532 - Two new auxiliary/gather modules have been added that take advantage of default Xnode credentials, aka CVE-2020–11532, in order to enumerate Active Directory information and other sensitive data via the DataEngine Xnode server. Additionally, a new library has been added to provide reusable functionality for interacting with Xnode servers.

  • ManageEngine DataSecurity Plus Xnode Enumeration by Erik Wynter and Sahil Dhar, which exploits CVE-2020-11532 - Two new auxiliary/gather modules have been added that take advantage of default Xnode credentials, a.k.a CVE-2020–11532, in order to enumerate Active Directory information and other sensitive data via the DataEngine Xnode server. Additionally, a new library has been added to provide reusable functionality for interacting with Xnode servers.

  • Zyxel Firewall SUID Binary Privilege Escalation by jbaines-r7, which exploits CVE-2022-30526 - This adds an LPE exploit for Zyxel Firewalls that can allow a user to escalate themselves to root. The vulnerability is identified as CVE-2022-30526 and is due to a suid binary that allows any user to copy files with root permissions.

  • CVE-2022-30190 AKA Follina by bwatters-r7 - This updates the exploit for CVE-2022-30190 (A.K.A Follina) to support generating RTF exploit documents. RTF documents are helpful for not only being another exploit vector, but they will trigger the payload execution when viewed by Explorer’s preview tab without needing user interaction to enable editing functionality.

Enhancements and features (4)

  • #16746 from adfoster-r7 - This updates the MSSQL login scanner to catch exceptions and continue running.

  • #16900 from bcoles - This adds a new #kill_process method that supports shell, PowerShell, and Meterpreter sessions on different platforms.

  • #16903 from bcoles - This cleans up the enum_shares post modules and adds support for shell sessions.

  • #16959 from adfoster-r7 - The time command has been updated with the --cpu and --memory profiler options to allow users to get memory and CPU usage profiles when running a command inside msfconsole.

Bugs fixed (5)

  • #16750 from bojanisc - This updates the exploit/multi/http/jenkins_script_console module to use the decoder from the java.util.Base64 class in place of the now-deprecated decoder from the sun.misc.BASE64Decoder class, enabling exploitation of newer Jenkins versions.

  • #16869 from bcoles - This fixes an issue in the file_remote_digestmd5() and file_remote_digestsha1() methods where read_file() would return an error message instead of the remote file contents. Additionally, the file_remote_digest* methods now support more session types, and they have a new util option that allows the user to perform the hashing on the remote host instead of downloading the remote file and performing the hashing locally.

  • #16918 from rbowes-r7 - A bug has been fixed in the module for CVE-2022-30333 whereby if the server responded with a 200 OK response, the module would keep trying to trigger the payload. This would lead to multiple sessions being returned when only one was desired.

  • #16920 from zeroSteiner - A typo has been fixed in _msfvenom that prevented ZSH autocompletion from working when using the --arch argument with msfvenom.

  • #16955 from gwillcox-r7 - This fixes an issue in the LDAP query module that would cause issues if the user queried for a field that was populated with binary data.

Get it

As always, you can update to the latest Metasploit Framework with msfupdate
and you can get more details on the changes since the last blog post from

GitHub:

  • [Pull Requests 6.2.14…6.2.15][prs-landed]
  • [Full diff 6.2.14…6.2.15][diff]

If you are a git user, you can clone the [Metasploit Framework repo][repo](master branch) for the latest.

To install fresh without using git, you can use the open-source-only [Nightly Installers][nightly] or the

[binary installers][binary](which also include the commercial edition).
[binary]: <https://www.rapid7.com/products/metasploit/download.jsp&gt;
[diff]: <https://github.com/rapid7/metasploit-framework/compare/6.2.14...6.2.15&gt;
[prs-landed]: https://github.com/rapid7/metasploit-framework/pulls?q=is:pr+merged:"2022-08-25T17%3A06%3A18%2B01%3A00…2022-09-01T12%3A53%3A23-04%3A00"
[nightly]: <https://github.com/rapid7/metasploit-framework/wiki/Nightly-Installers&gt;
[repo]: <https://github.com/rapid7/metasploit-framework&gt;

9.8 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

10 High

CVSS2

Access Vector

NETWORK

Access Complexity

LOW

Authentication

NONE

Confidentiality Impact

COMPLETE

Integrity Impact

COMPLETE

Availability Impact

COMPLETE

AV:N/AC:L/Au:N/C:C/I:C/A:C

Related for RAPID7BLOG:ADAE3CACA7F41A02C12F44F4616369FF