Rapid 7 - Metasploit Weekly Wrap-Up
C is for cookie
And that’s good enough for Apache CouchDB, apparently. Our very own Jack Heysel added an exploit module based on CVE-2022-24706 targeting CouchDB prior to 3.2.2, leveraging a special default ‘monster’ cookie that allows users to run OS commands.
This fake computer I just made says I’m an Admin
Metasploit’s zeroSteiner added a module to perform Role-based Constrained Delegation (RBCD) on an Active Directory network. If you need someone to vouch for your credentials as an Administrator on a local host and you have a set of specific permissions, this module will allow you to create your own friendly computer object to vouch for you!
Proving your Mettle while watching a fire
FLIR Cameras measure the heat given off by an exothermic reaction, but they also execute Metasploit’s ARM Meterpreter (formerly known as Mettle) payloads as root, thanks to a module by Samy Younsi that takes advantage of CVE-2022-37061, an unauthenticated command injection vulnerability in FLIR AX8 cameras up to and including 1.46.16.
That OpenSSL Vuln was certainly not greater than or equal to the hype
It was a tense and scary Halloween for many when it shouldn’t have been, thanks to a “cryptic” early announcement of an OpenSSL vulnerability that proved to be a bust. On AttackerKB Rapid7 researchers break down why this was not the vuln you feared, or much of a vuln at all.
New module content (5)
- FLIR AX8 unauthenticated RCE by Samy Younsi (https://www.linkedin.com/in/samy-younsi), Thomas Knudsen (https://www.linkedin.com/in/thomasjknudsen), and h00die-gr3y, which exploits CVE-2022-37061 - This adds an exploit module that targets FLIR AX8 thermal cameras. A command injection vulnerability exists in the
id
POST parameter to theres.php
endpoint, which can be leveraged by an unauthenticated attacker to achieve RCE as theroot
user. - Webmin File Manager RCE by faisalfs10x and jheysel-r7, which exploits CVE-2022-0824 - This adds a module that exploits improper access controls in Webmin File Manager. An authenticated attacker can coerce Webmin into downloading a malicious CGIcgi script from an attacker-controlled http server. After that, the attacker can further use File Manager utilities to set execute permissions on the cgi script, execute it, and achieve RCE as the
root
user. - Apache CouchDB Erlang RCE by 1F98D, Konstantin Burov, Milton Valencia (wetw0rk), _sadshade, and jheysel-r7, which exploits CVE-2022-24706 - A new module has been added to exploit CVE-2022-24706 an RCE within Apache CouchDB prior to 3.2.2 via the Erlang/OTP Distribution protocol, which used a default cookie of "monster" to allow users to connect and run OS commands.
- Linux Gather ManageEngine Password Manager Pro Password Extractor by Charles Yost, Christophe De La Fuente, Rob Simon, and Travis Kaun - This post module gathers ManageEngine's Password Manager Pro credentials from the local ManageEngine database.
- #17181 from zeroSteiner - Adds a new
auxiliary/admin/ldap/rbcd
module which uses LDAP to set themsDS-AllowedToActOnBehalfOfOtherIdentity
attribute on the user provideddelegate_to
datastore option within Active Directory. This technique is used as part of Role Based Constrained Delegation (RBCD) attacks. Example usage:run rhost=192.168.123.13 username=account_with_write_privileges@demo.local password=p4$$w0rd delegate_to=dc3$ action=WRITE delegate_from=fake_computer
. This new module can be used in conjunction with the existingauxiliary/admin/dcerpc/samr_computer
module to create the required fake computer account.
Enhancements and features (6)
- #17155 from h00die - This PR updates version checking for the recent Remote mouse RCE module and updates the docs with a vulnerable version download link.
- #17184 from adfoster-r7 - Updates the metashell upload/download commands to work for powershell and windows sessions.
- #17186 from adfoster-r7 - Fixes broken file writes on windows targets when newlines are present within the uploaded file.
- #17195 from adfoster-r7 - Fixes uploading binary files with identical names to a Windows shell session. Previously this would silently error and not write the new file contents, now the file contents will successfully be written out.
- #17196 from bcoles - Adds new
get_hostname
library support for Windows sessions. - #17207 from memN0ps - Updates msfvenom and msfconsole to support formatting shellcode as a Rust array. Example usage:
msfvenom -p windows/x64/exec cmd='calc.exe' -f rust
.
Bugs fixed (3)
- #17188 from zeroSteiner - Fixes a regression issue that stopped Python Meterpreter working for v3.1-3.3.
- #17190 from zeroSteiner - This sets the
bufptr
parameter in multiplenetapi32
railgun functions to thePLPVOID
data type and consequently fixes a crash in thepost/windows/gather/enum_domain_tokens
module caused by improper data types being set for thebufptr
parameter. - #17213 from bwatters-r7 - Fixes a bug that stopped the
post/linux/gather/vcenter_secrets_dump
module from loading.
Get it
As always, you can update to the latest Metasploit Framework with msfupdate
and you can get more details on the changes since the last blog post from
GitHub:
If you are a git
user, you can clone the Metasploit Framework repo (master branch) for the latest.
To install fresh without using git, you can use the open-source-only Nightly Installers or the
binary installers (which also include the commercial edition).
from Rapid7 Blog https://blog.rapid7.com/2022/11/04/metasploit-weekly-wrap-up-182/
Comments
Post a Comment