Metasploit Weekly Wrap-Up


## Log4Shell goodness ![Metasploit Weekly Wrap-Up](https://blog.rapid7.com/content/images/2022/01/metasploit-blg-3-copy.png) Log4Shell made an unfortunate end to 2021 for many organizations, but it also makes for some great additions to Metasploit Framework. Contributors [sempervictus](<https://github.com/sempervictus>), [schierlm](<https://github.com/schierlm>), [righel](<https://github.com/righel>), [timwr](<https://github.com/timwr>) and our very own [Spencer McIntyre](<https://github.com/smcintyre-r7>) have collaborated to bring us a Log4Shell module that uses header stuffing to exploit vulnerable HTTP servers, resulting in Remote Code Execution. ## SonicWall SSL VPN module for Rapid7-discovered vulnerability Rapid7 disclosed the technical details of [five vulnerabilities](<https://www.rapid7.com/blog/post/2022/01/11/cve-2021-20038-42-sonicwall-sma-100-multiple-vulnerabilities-fixed-2/>) discovered by [jbaines-r7](<https://blog.rapid7.com/2022/01/14/metasploit-weekly-wrap-up/%E2%80%8B%E2%80%8Bhttps://github.com/jbaines-r7>) affecting SonicWall’s SMA-100 series of SSL VPN devices. The disclosure included landing a Metasploit module that gives remote and authenticated attackers `root` access to the device using CVE-2021-20039. ## Pi-Hole command execution and common exploit library An exciting new addition has worked its way into Metasploit Framework this week. Contributor [h00die](<https://github.com/h00die>) has created an authenticated RCE module that takes advantage of improper escaping of characters in Pi-Hole’s Top Domains API’s `validDomainWildcard` field. H00die has also created a library that aims to make developing future Pi-Hole modules easier. ## New module content (4) * [Pi-Hole Top Domains API Authenticated Exec](<https://github.com/rapid7/metasploit-framework/pull/16012>) by SchneiderSec and h00die, which exploits [CVE-2021-32706](<https://attackerkb.com/topics/4c25C9i2U2/cve-2021-32706?referrer=blog>) \- This adds an auxiliary module that executes commands against Pi-Hole versions <= `5.5`. This also introduces a Pi-Hole library for common functionality required in exploits against the service. * [SonicWall SMA 100 Series Authenticated Command Injection](<https://github.com/rapid7/metasploit-framework/pull/16041>) by jbaines-r7, which exploits [CVE-2021-20039](<https://attackerkb.com/topics/9szJhq46lw/cve-2021-20039?referrer=blog>) \- This adds a module that exploits an authenticated command injection vulnerability in multiple versions of the SonicWALL SMA 100 series web interface. In the SSL certificate deletion functionality, the sanitization logic permits the `\n` character which acts as a terminator when passed to a call to `system()`. An authenticated attacker can execute arbitrary commands as the `root` user. * [Log4Shell HTTP Header Injection](<https://github.com/rapid7/metasploit-framework/pull/15969>) by sinn3r, juan vazquez, Michael Schierl, RageLtMan, and Spencer McIntyre, which exploits [CVE-2021-44228](<https://attackerkb.com/topics/in9sPR2Bzt/cve-2021-44228-log4shell?referrer=blog>) \- This adds an exploit for HTTP servers that are affected by the Log4J/Log4Shell vulnerability via header stuffing. * [Microsoft Windows SMB Direct Session Takeover](<https://github.com/rapid7/metasploit-framework/pull/15903>) by usiegl00 - This adds a new exploit module that implements the Shadow Attack, SMB Direct Session takeover. Before running this module, a MiTM attack needs to be performed to let it intercept SMB authentication requests between a client and a server. by using any kind of ARP spoofer/poisoner tools in addition to Metasploit. If the connecting user is an administrator and network logins are allowed to the target machine, this module will execute an arbitrary payload. ## Enhancements and features * [#15656](<https://github.com/rapid7/metasploit-framework/pull/15656>) from [HynekPetrak](<https://github.com/HynekPetrak>) \- This enables the `vmware_vcenter_vmdir_auth_bypass` module to create an admin user even if the target is not vulnerable to CVE-2020-3952, assuming we have obtained valid credentials to the vCenter LDAP directory. * [#16021](<https://github.com/rapid7/metasploit-framework/pull/16021>) from [zeroSteiner](<https://github.com/zeroSteiner>) \- This adds additional tests for Meterpreter's mkdir/rmdir functionality to ensure uniform implementations across all Meterpreters * [#16024](<https://github.com/rapid7/metasploit-framework/pull/16024>) from [sjanusz-r7](<https://github.com/sjanusz-r7>) \- This adds in a new command to Meterpreter that allows the end user to kill all channels at once * [#16040](<https://github.com/rapid7/metasploit-framework/pull/16040>) from [jmartin-r7](<https://github.com/jmartin-r7>) \- Removes Ruby 2.5 support as it is officially end of life * [#12217](<https://github.com/rapid7/metasploit-framework/pull/12217>) from [SkypLabs](<https://github.com/SkypLabs>) \- This adds the f5 load balancer cookie to notes, and cleans up the module (rubocop/documentation/refs) ## Bugs fixed * [#16016](<https://github.com/rapid7/metasploit-framework/pull/16016>) from [bwatters-r7](<https://github.com/bwatters-r7>) \- This fixes an issue in the `auxiliary/scanner/dcerpc/hidden` module where the `RHOSTS` datastore option was not available, resulting in hosts not being scanned. * [#16027](<https://github.com/rapid7/metasploit-framework/pull/16027>) from [zeroSteiner](<https://github.com/zeroSteiner>) \- This fixes an issue with tab completion for the `generate` command. Completion now works with both the `-f` and `-o` flags. * [#16043](<https://github.com/rapid7/metasploit-framework/pull/16043>) from [shoxxdj](<https://github.com/shoxxdj>) \- Fixes crash in the `auxiliary/scanner/http/wordpress_scanner.rb` module when attempting to scan themes ## Get it As always, you can update to the latest Metasploit Framework with `msfupdate` and you can get more details on the changes since the last blog post from GitHub: * [Pull Requests 6.1.23...6.1.25](<https://github.com/rapid7/metasploit-framework/pulls?q=is:pr+merged:%222022-01-06T10%3A44%3A33-06%3A00..2022-01-13T13%3A35%3A39-06%3A00%22>) * [Full diff 6.1.23...6.1.25](<https://github.com/rapid7/metasploit-framework/compare/6.1.23...6.1.25>) If you are a `git` user, you can clone the [Metasploit Framework repo](<https://github.com/rapid7/metasploit-framework>) (master branch) for the latest. To install fresh without using git, you can use the open-source-only [Nightly Installers](<https://github.com/rapid7/metasploit-framework/wiki/Nightly-Installers>) or the [binary installers](<https://www.rapid7.com/products/metasploit/download.jsp>) (which also include the commercial edition).