Last updated at Thu, 25 Jan 2024 01:19:35 GMT
while (j==shell); Log4j;
The Log4j loop continues as we release a module targeting vulnerable vCenter releases. This is a good time to suggest that you check your vCenter releases and maybe even increase the protection surrounding them, as it’s been a rough year-plus for vCenter.
Let your shell do the walking
bcoles sent us a module that targets Grandstream GXV3175IP phones that allows remote code execution. It’s always fun to get a shell on a phone.
New module content (2)
- Grandstream GXV3175 'settimezone' Unauthenticated Command Execution by Brendan Scarvell, alhazred, and bcoles, which exploits CVE-2019-10655 - A new module has been added that exploits CVE-2019-10655, an unauthenticated remote code execution bug in Grandstream GXV3175 phones. Authentication is bypassed via a buffer overflow in the way the phonecookie cookie is parsed, after which a command injection vulnerability in the 'settimezone' action's 'timezone' parameter is exploited to gain RCE as the root user.
- VMware vCenter Server Unauthenticated JNDI Injection RCE (via Log4Shell) by RageLtMan, Spencer McIntyre, jbaines-r7, and w3bd3vil, which exploits CVE-2021-44228 - This PR adds a vCenter-specific exploit leveraging the Log4Shell vulnerability to achieve unauthenticated RCE as root / SYSTEM. This exploit has been tested on both Windows and Linux targets.
Enhancements and features
- #16075 from bcoles - The post/multi/manage/sudo module has been enhanced to print a warning message and exit early if the session being upgraded via sudo is a Meterpreter session, since Meterpreter does not currently support sudo elevation.
Bugs fixed
- #16029 from cdelafuente-r7 - A bug existed in the normalize function of lib/msf/core/opt_path.rb whereby the path parameter was not checked for emptiness before File.expand_path was called on it. In these cases the path returned would be that of the current directory, which could lead to unexpected results. This has been fixed with improved validation to ensure that the path parameter is not an empty string prior to expanding the path.
- #16058 from bcoles - This change fixes a bug where a stack trace was printed by post/multi/recon/local_exploit_suggester when an invalid session option was specified.
- #16063 from bcoles - A bug has been fixed in the local_admin_search_enum module whereby a typo caused the module to crash on an undefined variable. The typo has been corrected and the module now accesses the correct variable.
- #15727 from NeffIsBack - This adds more robust NTLM message parsing, with better error handling and messaging when extracting NTLM hashes.
Get it
As always, you can update to the latest Metasploit Framework with msfupdate and you can get more details on the changes since the last blog post from GitHub:
If you are a git user, you can clone the Metasploit Framework repo (master branch) for the latest.
To install fresh without using git, you can use the open-source-only Nightly Installers or the binary installers (which also include the commercial edition).