Metasploit Weekly Wrap-Up

C is for cookie

And that’s good enough for Apache CouchDB, apparently. Our very own Jack Heysel added an exploit module based on CVE-2022-24706 targeting CouchDB prior to 3.2.2, leveraging a special default ‘monster’ cookie that allows users to run OS commands.

This fake computer I just made says I’m an Admin

Metasploit’s zeroSteiner added a module to perform Role-based Constrained Delegation (RBCD) on an Active Directory network. If you need someone to vouch for your credentials as an Administrator on a local host and you have a set of specific permissions, this module will allow you to create your own friendly computer object to vouch for you!

Proving your Mettle while watching a fire

FLIR Cameras measure the heat given off by an exothermic reaction, but they also execute Metasploit’s ARM Meterpreter (formerly known as Mettle) payloads as root, thanks to a module by h00die-gr3y, (and a bug discovered by Samy Younsi) that takes advantage of CVE-2022-37061, an unauthenticated command injection vulnerability in FLIR AX8 cameras up to and including 1.46.16.

That OpenSSL Vuln was certainly not greater than or equal to the hype

It was a tense and scary Halloween for many when it shouldn’t have been, thanks to a “cryptic” early announcement of an OpenSSL vulnerability that proved to be a bust. On AttackerKB Rapid7 researchers break down why this was not the vuln you feared, or much of a vuln at all.

New module content (5)

• FLIR AX8 unauthenticated RCE by Samy Younsi (<https://www.linkedin.com/in/samy-younsi&gt;), Thomas Knudsen (<https://www.linkedin.com/in/thomasjknudsen&gt;), and h00die-gr3y, which exploits CVE-2022-37061 - This adds an exploit module that targets FLIR AX8 thermal cameras. A command injection vulnerability exists in the id POST parameter to the res.php endpoint, which can be leveraged by an unauthenticated attacker to achieve RCE as the root user.
• Webmin File Manager RCE by faisalfs10x and jheysel-r7, which exploits CVE-2022-0824 - This adds a module that exploits improper access controls in Webmin File Manager. An authenticated attacker can coerce Webmin into downloading a malicious CGIcgi script from an attacker-controlled http server. After that, the attacker can further use File Manager utilities to set execute permissions on the cgi script, execute it, and achieve RCE as the root user.
• Apache CouchDB Erlang RCE by 1F98D, Konstantin Burov, Milton Valencia (wetw0rk), _sadshade, and jheysel-r7, which exploits CVE-2022-24706 - A new module has been added to exploit CVE-2022-24706 an RCE within Apache CouchDB prior to 3.2.2 via the Erlang/OTP Distribution protocol, which used a default cookie of "monster" to allow users to connect and run OS commands.
• Linux Gather ManageEngine Password Manager Pro Password Extractor by Charles Yost, Christophe De La Fuente, Rob Simon, and Travis Kaun - This post module gathers ManageEngine’s Password Manager Pro credentials from the local ManageEngine database.
• #17181 from zeroSteiner - Adds a new auxiliary/admin/ldap/rbcd module which uses LDAP to set the msDS-AllowedToActOnBehalfOfOtherIdentity attribute on the user provided delegate_to datastore option within Active Directory. This technique is used as part of Role Based Constrained Delegation (RBCD) attacks. Example usage: run rhost=192.168.123.13 [email protected] password=p4$$w0rd delegate_to=dc3$ action=WRITE delegate_from=fake_computer. This new module can be used in conjunction with the existing auxiliary/admin/dcerpc/samr_computer module to create the required fake computer account.

Enhancements and features (6)

• #17155 from h00die - This PR updates version checking for the recent Remote mouse RCE module and updates the docs with a vulnerable version download link.
• #17184 from adfoster-r7 - Updates the metashell upload/download commands to work for powershell and windows sessions.
• #17186 from adfoster-r7 - Fixes broken file writes on windows targets when newlines are present within the uploaded file.
• #17195 from adfoster-r7 - Fixes uploading binary files with identical names to a Windows shell session. Previously this would silently error and not write the new file contents, now the file contents will successfully be written out.
• #17196 from bcoles - Adds new get_hostname library support for Windows sessions.
• #17207 from memN0ps - Updates msfvenom and msfconsole to support formatting shellcode as a Rust array. Example usage: msfvenom -p windows/x64/exec cmd='calc.exe' -f rust.

Bugs fixed (3)

• #17188 from zeroSteiner - Fixes a regression issue that stopped Python Meterpreter working for v3.1-3.3.
• #17190 from zeroSteiner - This sets the bufptr parameter in multiple netapi32 railgun functions to the PLPVOID data type and consequently fixes a crash in the post/windows/gather/enum_domain_tokens module caused by improper data types being set for the bufptr parameter.
• #17213 from bwatters-r7 - Fixes a bug that stopped the post/linux/gather/vcenter_secrets_dump module from loading.

Get it

As always, you can update to the latest Metasploit Framework with msfupdate
and you can get more details on the changes since the last blog post from
GitHub:

• Pull Requests 6.2.24…6.2.25
• Full diff 6.2.24…6.2.25

If you are a git user, you can clone the Metasploit Framework repo (master branch) for the latest.
To install fresh without using git, you can use the open-source-only Nightly Installers or the
binary installers (which also include the commercial edition).