
Metasploit Wrap-Up

2021-04-16 18:09:59
Grant Willcox
blog.rapid7.com

Google Chrome exploits return

Community member r4j0x00 contributed a new module for CVE-2020-16040, an integer overflow in the SimplifiedLowering phase of TurboFan in Google Chrome <= 87.0.4280.66 that grants attackers RCE. The exploit on its own does not grant RCE by default unless the sandbox is disabled, but it is still important to note that some embedded versions of Chrome run without the sandbox enabled by default in order to give Chrome access to more system resources. In those cases it may still be possible to use this module on its own to gain RCE on a system.

Simplifying Metasploit shell verification - Round 2

As part of his continuous updates to make Metasploit sessions easier to verify, our very own zeroSteiner updated several Meterpreter libraries so that the error messages printed when a command cannot be run in a given Meterpreter session are more intuitive and better explain what is going wrong, such as when a library has not yet been loaded. zeroSteiner also updated these libraries to allow Metasploit to proactively identify when a command will fail in a Meterpreter session because it is not supported by the type of Meterpreter session running on the remote target. This should help users identify which commands a given session does not support and debug things themselves if anything goes wrong, as part of our ongoing work to improve session validation and make it more intuitive.

Reading the OS from Haserl’s perspective

Community members Ike Broflovski and Julien Voisin added a new post module that takes advantage of CVE-2021-29133, an arbitrary file read in haserl prior to 0.9.36 that allows attackers to read any file on the target file system without requiring any specific privileges. It’s important to note that attackers are often blocked from escalating their privileges by a lack of access to some important piece of information. The ability to read arbitrary files on disk lowers this barrier by exposing protected files that may contain saved application credentials, source code for sensitive components, or simply information about the applications running on the system that may help identify ways to elevate permissions, making this an incredibly versatile module should one find a vulnerable target.

New modules (3)

  • Nagios XI Prior to 5.8.0 - Plugins Filename Authenticated Remote Code Execution by Erik Wynter and Haboob Team, which exploits CVE-2020-35578 - A new module has been added to exploit CVE-2020-35578, an RCE in Nagios XI versions prior to 5.8.0 that exploits a command injection when uploading plugins, allowing authenticated administrative users to gain remote code execution as the apache user on affected systems.
  • Google Chrome versions before 87.0.4280.88 integer overflow during SimplifiedLowering phase by Rajvardhan Agarwal (r4j0x00), which exploits CVE-2020-16040 - Adds an exploit module for CVE-2020-16040, an integer overflow in the SimplifiedLowering phase of TurboFan in Google Chrome <= 87.0.4280.66 that allows attackers to overflow the heap and gain RCE. The module starts a webpage hosting malicious JavaScript that, when visited by a vulnerable version of Chrome, allows remote code execution on the remote machine. This exploit requires the --no-sandbox Chrome flag, as no sandbox escape is present.
  • Haserl Arbitrary File Reader by Ike Broflovski and Julien (jvoisin) Voisin, which exploits CVE-2021-29133 - This adds a post module exploit that leverages an arbitrary read in haserl prior to 0.9.36. This vulnerability is identified as CVE-2021-29133 and allows an attacker to read any file on the target filesystem without any specific privileges.
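Because the Chrome module described in the introduction and in the list above only works against a browser started with --no-sandbox, the following Python script is an added defender-side example (not code from the Metasploit project or from this post) that scans Linux process command lines for Chrome-family browsers launched with that flag; the set of browser basenames is an assumption and the sample records are constructed.

```python
"""Report Chrome-family browser processes started with --no-sandbox (Linux)."""
import os

# Basenames treated as Chrome-family browsers; an assumed list, extend it for
# embedded or rebranded builds present in your environment.
CHROME_NAMES = {"chrome", "chromium", "chromium-browser", "google-chrome"}


def parse_cmdline(raw: bytes) -> list:
    """Split a /proc/<pid>/cmdline record (NUL-separated, NUL-terminated)."""
    return [a.decode("utf-8", "replace") for a in raw.split(b"\0") if a]


def is_unsandboxed_chrome(argv: list) -> bool:
    """True for a Chrome browser process (not a --type= helper) run with --no-sandbox.

    Helper processes (--type=renderer, --type=gpu-process, ...) inherit the flag
    from the browser process, so they are skipped to give one finding per browser.
    """
    if not argv or os.path.basename(argv[0]) not in CHROME_NAMES:
        return False
    if any(a.startswith("--type=") for a in argv[1:]):
        return False
    return "--no-sandbox" in argv[1:]


def find_unsandboxed(records) -> list:
    """records: iterable of (pid, raw_cmdline bytes); returns the matching PIDs."""
    return [pid for pid, raw in records if is_unsandboxed_chrome(parse_cmdline(raw))]


def scan_proc(proc_root: str = "/proc") -> list:
    """Collect every /proc/<pid>/cmdline on a live host and report matches."""
    records = []
    for entry in os.listdir(proc_root):
        if entry.isdigit():
            try:
                with open(os.path.join(proc_root, entry, "cmdline"), "rb") as fh:
                    records.append((int(entry), fh.read()))
            except OSError:  # process exited or cmdline not readable
                pass
    return find_unsandboxed(records)


# Constructed sample records standing in for /proc/<pid>/cmdline contents.
SAMPLE = [
    (101, b"/opt/google/chrome/chrome\0--no-sandbox\0--kiosk\0http://kiosk.local/\0"),
    (102, b"/opt/google/chrome/chrome\0--type=renderer\0--no-sandbox\0"),  # child
    (103, b"/usr/bin/chromium\0--incognito\0"),                            # sandboxed
    (104, b"/usr/bin/python3\0app.py\0--no-sandbox\0"),                    # not Chrome
]
```

This only catches the explicit flag; an embedded build that disables the sandbox at compile time or by policy will not appear, and the /proc walk is Linux-specific.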

Enhancements and features

  • #14622 from blacklist-arcc - This adds the sp_oacreate technique to the mssql_exec module which is a more stealthy alternative to the traditional xp_cmdshell stored procedure.
  • #14701 from kalba-security - The nagios_xi_authenticated_rce.rb module has been renamed to nagios_xi_plugins_check_ping_authenticated_rce and has been updated to take advantage of the Nagios XI mixin. Additionally, the documentation has been updated to reflect these changes and to better explain how the module works.
  • #14994 from archcloudlabs - The screen_spy.rb module has been updated to allow users to specify the PID of a process they would like to migrate into before taking screenshots, rather than forcing users to migrate into an explorer.exe process. If no PID is specified, then screen_spy.rb will default to taking screenshots from the current process.
  • #14997 from geyslan - The payloads/singles/linux/x64/shell_bind_tcp_random_port.rb shellcode has been updated to be more efficient, resulting in its size being reduced by one byte. Additionally comments have been updated to properly mention that the payload uses the string //bin/sh, not /bin/sh.
  • #15017 from adfoster-r7 - The modules/auxiliary/admin/http/tomcat_ghostcat.rb module has been updated to use a default RPORT value of 8080 and to add the AJP_PORT option for specifying the Apache JServ Protocol port, which now defaults to 8009.
  • #15028 from geyslan - The payloads/singles/linux/x64/exec.rb payload has been updated to be more efficient, thereby reducing the total shellcode size. Additionally, support has been added for generating NULL byte free shellcode, and the code has been refactored to use Metasm to make it easier to understand.
  • #15037 from zeroSteiner - Updates the auxiliary/scanner/redis/redis_login module to first check whether authentication is required before attempting to bruteforce credentials.
  • #15049 from zeroSteiner - Several Meterpreter libraries have been updated to raise more specific and descriptive exception messages. These changes should help users and developers more quickly and easily identify the root cause when these exceptions are thrown. Additionally, updates have been applied to allow Metasploit to proactively identify when a command will fail in a Meterpreter session because it is not supported by the remote end.

Bugs fixed

  • #14770 from jmartin-r7 - Fixes the modules freefloatftp_wbem, open_ftpd_wbem, ftp/quickshare_traversal_write, and http/solarwinds_storage_manager_sql to correctly handle error scenarios and perform cleanup gracefully.
  • #14985 from adfoster-r7 - Fixes the Json API to correctly interact with the configured framework database, as well as adding support for running the msfdb webservice component in the foreground with the --no-daemon flag.
  • #14996 from h00die - This fixes a logic bug in the cracker libraries where hashcat wasn’t able to be run due to invalid version expectations.
  • #15034 from adfoster-r7 - Fixes broken association handling for the remote msfdb services command, which previously caused a crash when running the services command after connecting to another remote database.
  • #15038 from wvu-r7 - This fixes a NameError in the pulse_secure_gzip_rce module which was preventing it from functioning correctly.
  • #15043 from justinsteven - This change fixes a bug on the python/meterpreter/reverse_http payload handler where, if the LURI option did not begin with a slash, the payload would fail to stage.
  • #15047 from ryananicholson - This fixes a bug in DNS reverse lookups due to an invalid answer attribute.

Get it

As always, you can update to the latest Metasploit Framework with msfupdate and you can get more details on the changes since the last blog post from GitHub:

If you are a git user, you can clone the Metasploit Framework repo (master branch) for the latest. To install fresh without using git, you can use the open-source-only Nightly Installers or the binary installers (which also include the commercial edition).