Rapid 7 - Metasploit Wrap-Up
Login brute-force utility
Jan Rude added a new module that gives users the ability to brute-force login for Linux Syncovery. This expands Framework's capability to scan logins to Syncovery, a popular web GUI for backups.
WordPress extension SQL injection module
Cydave, destr4ct, and jheysel-r7 contributed a new module that takes advantage of a vulnerable WordPress extension. This allows Framework users to take advantage of CVE-2022-0739, leveraging a UNION-based SQL injection to gather hashed passwords of WordPress users. For vulnerable versions, anyone who can access the BookingPress plugin page will also have access to all the credentials in the database, yikes! There are currently 3,000 active installs of the plugin, which isn't a huge number by WordPress standards—but the ease of remote exploitation makes it a fun addition to the framework.
New module content (3)
- Wordpress BookingPress bookingpress_front_get_category_services SQLi by cydave, destr4ct, and jheysel-r7, which exploits CVE-2022-0739 - A new module has been added for CVE-2022-0739, which is an unauthenticated SQL injection in WP BookingPress prior to 1.0.11 in the bookingpress_front_get_category_services AJAX action.
- Syncovery For Linux Web-GUI Login Utility by Jan Rude - This adds a login scanner module for Syncovery for Linux.
- VMware vCenter vScalation Priv Esc by Yuval Lazar and h00die, which exploits CVE-2021-22015 - This PR adds a privilege escalation for users in the cis group to escalate to root on certain versions of vCenter. A service file, /usr/lib/vmware-vmon/java-wrapper-vmon, has improper permissions allowing cis group members to write to it. Upon host reboot or vmware-vmon service restart, a root shell is obtained.
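For the vScalation entry above, an added defender-side check (written for this wrap-up, not part of the Metasploit module or of VMware's code): it audits whether a file that a root service executes is root-owned and not group- or world-writable, which is the condition the module relies on. The file path is the one named in the entry; the function names and the parent-directory check are assumptions of this example.

```python
import os
import stat
from pathlib import Path

# Path from the wrap-up entry for CVE-2021-22015: the wrapper that the
# vmware-vmon service runs as root and that cis group members could write.
VMON_WRAPPER = "/usr/lib/vmware-vmon/java-wrapper-vmon"


def permission_findings(path, mode, uid, gid):
    """Pure check on mode/owner for a file that a root service executes.

    Returns a list of human-readable findings; an empty list means the file's
    own permissions are acceptable (root-owned, not group- or world-writable).
    """
    findings = []
    if stat.S_ISLNK(mode):
        findings.append(f"{path}: symlink, audit its target as well")
    if uid != 0:
        findings.append(f"{path}: owned by uid {uid}, expected root (0)")
    if mode & stat.S_IWGRP:
        findings.append(f"{path}: group-writable (gid {gid}); any member of "
                        "that group can change code later executed as root")
    if mode & stat.S_IWOTH:
        findings.append(f"{path}: world-writable")
    return findings


def audit_root_service_file(path):
    """lstat `path` and its directory; return all findings (or 'not present')."""
    try:
        st = os.lstat(path)
    except FileNotFoundError:
        return [f"{path}: not present"]
    findings = permission_findings(path, st.st_mode, st.st_uid, st.st_gid)
    # A writable parent directory without the sticky bit lets the file be
    # renamed or replaced even when the file itself is locked down.
    parent = Path(path).parent
    pst = os.stat(parent)
    if pst.st_mode & (stat.S_IWGRP | stat.S_IWOTH) and not pst.st_mode & stat.S_ISVTX:
        findings.append(f"{parent}: directory writable by non-owner")
    return findings


if __name__ == "__main__":
    for line in audit_root_service_file(VMON_WRAPPER) or [f"{VMON_WRAPPER}: ok"]:
        print(line)
```

Run it on a vCenter appliance as any user; a "group-writable" line on the wrapper is the misconfiguration the module needs, and correcting the mode (and restarting nothing until the file is verified) closes it.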
Enhancements and features (2)
- #17214 from h00die - This PR improves upon the data gathered on a vCenter server originally implemented in #16871, including library integration, optimization, and de-duplication.
- #17332 from bcoles - Updates windows/gather/enum_proxy to support non-Meterpreter sessions (shell, PowerShell).
Bugs fixed (5)
- #17183 from rbowes-r7 - This adds some small changes, cleanups, and fixes to the linux/http/zimbra_unrar_cve_2022_30333 and linux/http/zimbra_cpio_cve_2022_41352 Zimbra exploit modules, along with linux/local/zimbra_slapper_priv_esc documentation. In particular, this fixes an issue that prevented the exploit modules from working properly when the handler was prematurely shut down.
- #17305 from cgranleese-r7 - Updates Metasploit's RPC to automatically choose an appropriate payload if module.execute is invoked without a payload set. This mimics the functionality of msfconsole.
- #17323 from h00die - Fixes a bug when attempting to detect enlightenment_sys in exploits/linux/local/ubuntu_enlightenment_mount_priv_esc.
- #17330 from zeroSteiner - This fixes an issue in the ProxyShell module, which limited the email enumeration to 100 entries. Now, it correctly enumerates all the emails before finding one that is suitable for exploitation.
- #17342 from gwillcox-r7 - This adds the necessary control to the search queries used to find vulnerable certificate templates in an AD CS environment. Prior to this, non-privileged users would not be able to read the security descriptor field.
Get it
As always, you can update to the latest Metasploit Framework with msfupdate and you can get more details on the changes since the last blog post from GitHub:
If you are a git user, you can clone the Metasploit Framework repo (master branch) for the latest.
To install fresh without using git, you can use the open-source-only Nightly Installers or the binary installers (which also include the commercial edition).
from Rapid7 Blog https://blog.rapid7.com/2022/12/09/metasploit-wrap-up-156/