Rapid 7 - Metasploit Wrap-Up

RCE Exploit For CVE-2020-0796 (SMBGhost)

Metasploit Wrap-Up

This week our very own Spencer McIntyre has added an exploit for CVE-2020-0796, which leverages a vulnerability within the Microsoft Server Message Block 3.1.1 (SMBv3) protocol to gain unauthenticated remote code execution against unpatched Windows 10 v1903 and v1909 systems. Previously, Metasploit offered an LPE version of this exploit but not RCE support. The exploit is heavily based on the chompie1337/SMBGhost_RCE_PoC PoC.

Note that there is a high probability that, even when the exploit is successful, the remote target will crash within about 90 minutes. It is recommended that after a successful compromise, a persistence mechanism be established and the system be rebooted to avoid a Blue Screen of Death (BSOD).

Improved command history management

Community member pingport80 has made improvements to Metasploit's command history management to now be context aware. The command history for both the main console and sub-shells, such as Pry and Metepreter, will now have their command history separated. This means that pressing the up arrow key within the console in these different contexts will now only show the command history for that specific context sub-shell, which should be more intuitive to users.

New module content (2)

  • SMBv3 Compression Buffer Overflow by Spencer McIntyre, chompie1337, and hugeh0ge, which exploits CVE-2020-0796 - This adds an exploit for CVE-2020-0796 which can be used to gain unauthenticated remote code execution against unpatched Windows 10 v1903 and v1909 systems.
  • Git Ignore Retriever by N!ght Jmp - Adds an OSX Post exploitation module to retrieve .gitignore files that may contain pointers to files of interest

Enhancements and features

  • #15062 from pingport80 - Adds support for separating command history for the various sub-shells such as Meterpreter and Pry
  • #15079 from zeroSteiner - This introduces the meterpreter key to the compat hash to better-provide Meterpreter session compatibility info to users, including printing the required Meterpreter extension(s) to the console in the event of a session incompatibility. Additionally, post modules will automatically load Meterpreter extensions used, provided that the module's Meterpreter compatibility requirements are annotated.
  • #15199 from pingport80 - This improves the get_processes API on non-Windows systems with support that fails back to enumerating the /proc directory when the ps utility is not present.
  • #15220 from bogey3 - This modification adds the ability to retrieve the OS version from
    an NTLMSSP type 2 message.
  • #15242 from adfoster-r7 - This updates the tables displayed by the loot command to be displayed without wrapping. This makes it easier for users to copy and paste the output.
  • #15243 from adfoster-r7 - Adds a check method to the Apache Tomcat Ghostcat module
  • #15246 from jmartin-r7 - This refactors some common functionality into a cross-platform Msf::Post::Process mixin with support for multiple session types.

Bugs fixed

  • #15216 from zeroSteiner - This fixes a mistake in the exploit for CVE-2021-21551 where the version fingerprinting is overly specific. Windows 10 build 18363 failed because it didn't match the explicit build number 18362. This PR changes the fingerprinting to use ranges to fix this problem.
  • #15223 from bwatters-r7 - This updates the exploit/windows/local/tokenmagic module by fixing a crash that occurs on some targets and moves the target validation logic to earlier in the module.
  • #15236 from Apeironic - This adds an additional check to the Linux checkvm module to fix a bug where it was failing to identify certain Xen environments such as those used within AWS.
  • #15240 from mcorybillington - This fixes a typo that was present in the template for GitHub pull requests.
  • #15241 from adfoster-r7 - Removes the previously prototyped RHOST_HTTP_URL module option and feature flag as it had blocking edge cases for being enabled by default. A new implementation is being investigated.
  • #15262 from adfoster-r7 - Improved msfvenom to only wrap output if the output is going to STDOUT.
  • #15267 from e2002e - This fixes a bug that was present within the Shodan search module where certain queries would cause an exception to be raised while processing the results.

Get it

As always, you can update to the latest Metasploit Framework with msfupdate
and you can get more details on the changes since the last blog post from
GitHub:

If you are a git user, you can clone the Metasploit Framework repo (master branch) for the latest.
To install fresh without using git, you can use the open-source-only Nightly Installers or the
binary installers (which also include the commercial edition).



from Rapid7 Blog https://blog.rapid7.com/2021/05/28/metasploit-wrap-up-113/

Comments

Post a Comment

Popular posts from this blog

KnowBe4 - Scam Of The Week: "When Users Add Their Names to a Wall of Shame"

Image
Eric Howes , KnowBe4 Principal Lab Researcher, found out about another insidious bad guy trick: " If you work in IT there has undoubtedly come a dark moment when you wondered to yourself just who among your employee users would be gullible enough to click through a phishing email and potentially bring down your organization. from KnowBe4 Security Awareness Training Blog https://blog.knowbe4.com/when-users-add-their-names-to-a-wall-of-shame
Read more

Krebs - NY Charges First American Financial for Massive Data Leak

Image
In May 2019, KrebsOnSecurity broke the news that the website of mortgage title insurance giant First American Financial Corp. had exposed approximately 885 million records related to mortgage deals going back to 2003. On Wednesday, regulators in New York announced that First American was the target of their first ever cybersecurity enforcement action in connection with the incident, charges that could bring steep financial penalties. First American Financial Corp. Santa Ana, Calif.-based  First American [ NYSE:FAF ] is a leading provider of title insurance and settlement services to the real estate and mortgage industries. It employs some 18,000 people and brought in $6.2 billion in 2019 . As first reported here last year , First American’s website exposed 16 years worth of digitized mortgage title insurance records — including bank account numbers and statements, mortgage and tax records, Social Security numbers, wire transaction receipts, and drivers license images. The docum
Read more

SBS CyberSecurity - In The Wild 166

Image
  In The Wild - CyberSecurity Newsletter Welcome to the 166 th issue of In The Wild, SBS’ weekly CyberSecurity newsletter. The objective of this newsletter is to share threat intelligence, news articles that are relevant, new and updated guidance, and other information to help you make better cybersecurity decisions. Follow SBS CyberSecurity on Social Media for more articles, stories, news, and resources!           Below, you will find some of the latest-and-greatest news stories, articles, videos, and links from the past week in cybersecurity. Some of the following stories have been shared by consultants, others by the SBS Institute, and others yet simply been found in the far corners of the Internet. We hope you find the following stories relevant, interesting, and – most of all – useful. Enjoy. CyberRiskNOW Virtual Conference SBS Educational Resources This virtual conference is designed to provide interactive training on evo
Read more