Metasploit Wrap-Up


## Operations shell ![Metasploit Wrap-Up](https://blog.rapid7.com/content/images/2021/04/metasploit-blg-3-copy-1.png) Operations and management software make popular targets due to their users typically having elevated privileges across a network. Our own [wvu](<https://github.com/wvu-r7>) contributed the [VMware vRealize Operations (vROps) Manager SSRF RCE](<https://github.com/rapid7/metasploit-framework/pull/15005>) exploit module for the vulnerabilities discovered by security researcher Egor Dimitrenko. The `exploit/linux/http/vmware_vrops_mgr_ssrf_rce` module achieves remote code execution (RCE) as the `admin` Unix user by chaining the two vulnerabilities. First, [CVE-2021-21975](<https://attackerkb.com/topics/51Vx3lNI7B/cve-2021-21975?referrer=blog#rapid7-analysis>) pre-authentication server-side request forgery (SSRF) vulnerability is exploited in the `/casa/nodes/thumbprints` endpoint to obtain the admin credentials. Then, the credentials are used to authenticate to the vRealize Operations Manager API and exploit [CVE-2021-21983](<https://attackerkb.com/topics/uzsEZjT0Sc/cve-2021-21983?referrer=blog>) via the `/casa/private/config/slice/ha/certificate` endpoint. This allows the module to write and execute an arbitrary file, a JSP payload in this case. The module should work against the following vulnerable versions: * 7.0.0 * 7.5.0 * 8.0.0, 8.0.1 * 8.1.0, 8.1.1 * 8.2.0 ## Data rules everything around me Many dynamic websites and business applications have associated databases, therefore databases are commonplace on networks. Odds are you frequently encounter more than one database on an engagement. The release this week includes two new database related modules! The first, an [Apache Druid RCE](<https://github.com/rapid7/metasploit-framework/pull/14977>) exploit module for a vulnerability in versions 0.20.0 and older. The vulnerability [CVE-2021-25646](<https://attackerkb.com/topics/lOVKwIVWHg/cve-2021-25646?referrer=blog>) was discovered by Litch1, and [je5442804](<https://github.com/je5442804>) contributed the module. The second, a gather module named [Redis Extractor](<https://github.com/rapid7/metasploit-framework/pull/14702>) contributed by [Geoff Rainville (noncenz)](<https://github.com/noncenz>) enables easy looting of any key-value stores you discover. ## New Module Content (5) * [Redis Extractor](<https://github.com/rapid7/metasploit-framework/pull/14702>) by Geoff Rainville noncenz - Adds a module to retrieve all data from a Redis instance (version 2.8.0 and above). * [Apache Druid 0.20.0 Remote Command Execution](<https://github.com/rapid7/metasploit-framework/pull/14977>) by Litch1, Security Team of Alibaba Cloud and je5442804, which exploits [CVE-2021-25646](<https://attackerkb.com/topics/lOVKwIVWHg/cve-2021-25646?referrer=blog>) \- This adds an exploit module that targets Apache Druid versions prior to `0.20.1`. An authenticated user can send a single request that both enables the execution of user-provided JavaScript code and executes the code on the server with the privileges of the user running the Apache Druid process. By default, Apache Druid does not require authentication. * [VMware vRealize Operations (vROps) Manager SSRF RCE](<https://github.com/rapid7/metasploit-framework/pull/15005>) by wvu and Egor Dimitrenko, which exploits [CVE-2021-21983](<https://attackerkb.com/topics/uzsEZjT0Sc/cve-2021-21983?referrer=blog>) \- This adds a module that exploits both a pre-auth SSRF and a post-auth file write via directory traversal to get code execution as the `admin` user on vulnerable VMware vRealize Operations Manager installs. * [Micro Focus Operations Bridge Reporter shrboadmin default password](<https://github.com/rapid7/metasploit-framework/pull/15086>) by Pedro Ribeiro, which exploits ZDI-20-1215 - This adds an exploit for [CVE-2020-11857](<https://attackerkb.com/topics/0rBqrv2UNX/cve-2020-11857?referrer=blog>) which is a hardcoded SSH password in Micro Focus Operations Bridge Manager instances. * [KOFFEE - Kia OFFensivE Exploit](<https://github.com/rapid7/metasploit-framework/pull/15021>) by Gianpiero Costantino and Ilaria Matteucci, which exploits [CVE-2020-8539](<https://attackerkb.com/topics/zXxJ29z090/cve-2020-8539?referrer=blog>) \- This adds a post module that leverages the CVE-2020-8539 vulnerability on certain Kia Motors head units. This vulnerability is also known as KOFFEE. ## Enhancements and features * [#11257](<https://github.com/rapid7/metasploit-framework/pull/11257>) from [sempervictus](<https://github.com/sempervictus>) \- This PR adds the ability to wrap some powershell used for exploitation purposes with RC4 for obfuscation. * [#15014](<https://github.com/rapid7/metasploit-framework/pull/15014>) from [ctravis-r7](<https://github.com/ctravis-r7>) \- Adds the ability to specify an individual private key as a string parameter into the `auxiliary/scanner/ssh/ssh_login_pubkey` module. * [#15110](<https://github.com/rapid7/metasploit-framework/pull/15110>) from [zeroSteiner](<https://github.com/zeroSteiner>) \- This adds the necessary functionality to the Java Meterpreter to resolve hostnames over DNS, closing a feature gap that had been present with other Meterpreters. ## Bugs Fixed * [#14953](<https://github.com/rapid7/metasploit-framework/pull/14953>) from [bwatters-r7](<https://github.com/bwatters-r7>) \- Fix the python 3.6 string formatting syntax in modules/auxiliary/scanner/http/rdp_web_login * [#15050](<https://github.com/rapid7/metasploit-framework/pull/15050>) from [cgranleese-r7](<https://github.com/cgranleese-r7>) \- Fixes a crash in Metasploit's console when the user tried to tab complete values such as file paths that were missing their final ending quote * [#15081](<https://github.com/rapid7/metasploit-framework/pull/15081>) from [cgranleese-r7](<https://github.com/cgranleese-r7>) \- Updates the Microsoft SQL Server interesting data finder module to correctly handle the scenario where no interesting data is found. Previously this would result in a module crash. * [#15094](<https://github.com/rapid7/metasploit-framework/pull/15094>) from [timwr](<https://github.com/timwr>) \- This fixed a bug in how certain Meterpreter's would execute command issued through `sessions -c` where some would use a subshell while others would not. * [#15114](<https://github.com/rapid7/metasploit-framework/pull/15114>) from [smashery](<https://github.com/smashery>) \- Updates the `auxiliary/scanner/redis/file_upload` module to correctly handle Redis instances that require authenticated access ## Get it As always, you can update to the latest Metasploit Framework with `msfupdate` and you can get more details on the changes since the last blog post from GitHub: * [Pull Requests 6.0.41...6.0.42](<https://github.com/rapid7/metasploit-framework/pulls?q=is:pr+merged:%222021-04-22T13%3A32%3A25%2B10%3A00..2021-04-29T10%3A54%3A48-05%3A00%22>) * [Full diff 6.0.41...6.0.42](<https://github.com/rapid7/metasploit-framework/compare/6.0.41...6.0.42>) If you are a `git` user, you can clone the [Metasploit Framework repo](<https://github.com/rapid7/metasploit-framework>) (master branch) for the latest. To install fresh without using git, you can use the open-source-only [Nightly Installers](<https://github.com/rapid7/metasploit-framework/wiki/Nightly-Installers>) or the [binary installers](<https://www.rapid7.com/products/metasploit/download.jsp>) (which also include the commercial edition).