Metasploit Wrap-Up

Windows Local Privilege Escalation for standard users

In this week’s release, we have an exciting new module that has been added by our very own Grant Willcox which exploits (CVE-2022-26904)[<https://attackerkb.com/topics/RHSMbN1NQY/cve-2022-26904&gt;], and allows for normal users to execute code as NT AUTHORITY/SYSTEM on Windows machines from Windows 7 up to and including Windows 11. Currently, the vulnerability is still not patched and there have not been any updates from MSRC regarding this vulnerability, however it may be patched in the next Patch Tuesday.

This exploit requires more than one local user to be present on the machine and the PromptOnSecureDesktop setting to be set to 1, which is the default setting.

MacOS exploitation

Our very own space-r7 has updated the recent GateKeeper module to add support for the recent CVE-2022-22616, which can be used to target all MacOS Catalina versions, and MacOS Monterey versions prior to 12.3.

This module can be used to remove the com.apple.quarantine extended attribute on a downloaded/extracted file and allows for code to be executed on the machine.

Enumerating Chocolatey applications

This week’s release also features a new module from a first-time contributor rad10, which will enumerate all applications that have been installed using Chocolatey.

This could be used when gathering information about a compromised target and potentially vulnerable software present on the machine.

New module content (5)

• User Profile Arbitrary Junction Creation Local Privilege Elevation by Grant Willcox and KLINIX5, which exploits CVE-2022-26904 - This adds an exploit for CVE-2022-26904, which is an LPE vulnerability affecting Windows 7 through Windows 11. Leveraging this vulnerability can allow a local attacker running as a standard user, who has knowledge of another standard user’s credentials, to execute code as NT AUTHORITY\SYSTEM. The PromptOnSecureDesktop setting must also be set to 1 on the affected machine for this exploit to work, which is the default setting.
• ALLMediaServer 1.6 SEH Buffer Overflow by Hejap Zairy Al-Sharif, which exploits CVE-2022-28381 - A new module has been added in which exploits CVE-2022-28381, a remotely exploitable SEH buffer overflow vulnerability in AllMediaServer version 1.6 and prior. Successful exploitation results in remote code execution as the user running AllMediaServer.
• Windows Gather Installed Application Within Chocolatey Enumeration by Nick Cottrell - This adds a post module that enumerates applications installed with Chocolatey on Windows systems.
• #16082 from usiegl00 - This updates the shadow_mitm_dispatcher module by adding a new RubySMB Dispatcher, whichallows a better integration with RubySMB and enables the use of all the features provided by its client. Both SMBv2 and SMBv3 are now supported.
• #16401 from space-r7 - This change adds support for CVE-2022-22616 to the existing Gatekeeper bypass exploit module which reportedly covers macOS Catalina all the way to MacOS Monterey versions below 12.3. Since this now targets two CVEs, we’ve introduced a new CVE option to select which CVE to exploit. This default is the most recent CVE.

Enhancements and features (4)

• #15972 from sempervictus - This updates the Log4shell scanner with the LEAK_PARAMS option, providing a way to leak more target information such as environment variables.
• #16320 from dwelch-r7 - This updates Windows Meterpreter payloads to support a new MeterpreterDebugBuild datastore option. When set to true the generated payload will have additional logging support which is visible via Window’s DbgView program.
• #16373 from adfoster-r7 - Adds initial support for Ruby 3.1
• #16403 from sempervictus - This adds more checks to the post/windows/gather/checkvm module to better detect if the current target is a Qemu / KVM virtual machine.

Bugs fixed (3)

• #16398 from jmartin-r7 - A number of recent payload adds did not conform to the patterns used for suggesting spec configurations. Tests for these payloads have now been manually added to ensure they will be appropriately tested as part of rspec checks.
• #16408 from rtpt-alexanderneumann - This fixes an edge case with the multi/postgres/postgres_copy_from_program_cmd_exec module, which crashed when the randomly generated table name started with a number
• #16419 from adfoster-r7 - A bug has been fixed whereby when using the search command and searching by disclosure_date, the help menu would instead appear. This has been remedied by improving the date handling logic for the search command.

Get it

As always, you can update to the latest Metasploit Framework with msfupdate and you can get more details on the changes since the last blog post from GitHub:

• Pull Requests 6.1.36…6.1.37
• Full diff 6.1.36…6.1.37

If you are a git user, you can clone the Metasploit Framework repo (master branch) for the latest. To install fresh without using git, you can use the open-source-only Nightly Installers or the binary installers (which also include the commercial edition).