Last updated at Thu, 25 Jan 2024 01:47:25 GMT
Windows Local Privilege Escalation for standard users
In this week's release, we have an exciting new module, added by our very own Grant Willcox, which exploits [CVE-2022-26904](https://attackerkb.com/topics/RHSMbN1NQY/cve-2022-26904) and allows normal users to execute code as NT AUTHORITY\SYSTEM on Windows machines from Windows 7 up to and including Windows 11. Currently the vulnerability is still not patched and there have been no updates from MSRC regarding it, although it may be patched in the next Patch Tuesday.
This exploit requires more than one local user to be present on the machine and the PromptOnSecureDesktop setting to be set to 1, which is the default setting.
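As an added example (not code from the Metasploit module or this post), the following PowerShell reports whether a host meets the two preconditions listed above: the PromptOnSecureDesktop UAC value and the number of local user accounts. It assumes the value lives under the standard UAC policy key and that an absent value means the default of 1 applies.

```powershell
# Added example: report the CVE-2022-26904 preconditions described in the post,
# so defenders can prioritise hosts until a vendor fix is available.
function Get-Cve202226904Exposure {
    [CmdletBinding()]
    param()

    # PromptOnSecureDesktop is a UAC setting under the Policies\System key.
    # Assumption: when the value is absent the Windows default (1) is in effect.
    $uacKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
    $prop = Get-ItemProperty -Path $uacKey -Name 'PromptOnSecureDesktop' -ErrorAction SilentlyContinue
    if ($null -ne $prop) {
        $secureDesktop = [int]$prop.PromptOnSecureDesktop
        $source = 'registry'
    } else {
        $secureDesktop = 1
        $source = 'default (value absent)'
    }

    # The post requires more than one local user; enabled accounts are listed
    # separately because a disabled account cannot be logged into.
    $localUsers = @(Get-LocalUser)
    $enabled    = @($localUsers | Where-Object { $_.Enabled })

    $preconditionsMet = ($secureDesktop -eq 1) -and ($localUsers.Count -gt 1)

    [pscustomobject]@{
        ComputerName          = $env:COMPUTERNAME
        PromptOnSecureDesktop = $secureDesktop
        SettingSource         = $source
        LocalUsersTotal       = $localUsers.Count
        LocalUsersEnabled     = $enabled.Count
        EnabledLocalUsers     = ($enabled.Name -join ', ')
        PreconditionsMet      = $preconditionsMet
    }
}

Get-Cve202226904Exposure | Format-List
```

Because PromptOnSecureDesktop = 0 turns off the UAC secure desktop, treat the output as an exposure signal for patch prioritisation rather than as a reason to change the setting.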
MacOS exploitation
Our very own space-r7 has updated the recent GateKeeper module to add support for the recent CVE-2022-22616, which can be used to target all macOS Catalina versions and macOS Monterey versions prior to 12.3.
This module can be used to remove the com.apple.quarantine extended attribute from a downloaded/extracted file, allowing code to be executed on the machine.
Enumerating Chocolatey applications
This week’s release also features a new module from a first-time contributor rad10, which will enumerate all applications that have been installed using Chocolatey.
This could be used when gathering information about a compromised target and potentially vulnerable software present on the machine.
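As an added example (not the post module's own code), here is a PowerShell inventory of Chocolatey-installed packages, the defender-side equivalent of the enumeration described above. It assumes Chocolatey keeps one folder per package under "$env:ChocolateyInstall\lib", each holding an "<id>.nuspec" manifest with id and version elements.

```powershell
# Added example: enumerate packages installed through Chocolatey by reading each
# package's .nuspec manifest, producing a list suitable for vulnerability triage.
function Get-ChocolateyInstalledPackage {
    [CmdletBinding()]
    param(
        # Assumption: ChocolateyInstall points at the install root; fall back to the usual default path.
        [string]$ChocolateyRoot = $(if ($env:ChocolateyInstall) { $env:ChocolateyInstall } else { 'C:\ProgramData\chocolatey' })
    )

    $libDir = Join-Path $ChocolateyRoot 'lib'
    if (-not (Test-Path $libDir)) {
        Write-Verbose "No Chocolatey lib directory at $libDir; Chocolatey is probably not installed."
        return
    }

    Get-ChildItem -Path $libDir -Directory | ForEach-Object {
        # Each package folder carries one .nuspec manifest (assumption stated in the lead-in).
        $nuspec = Get-ChildItem -Path $_.FullName -Filter '*.nuspec' -File | Select-Object -First 1
        if (-not $nuspec) { return }   # skip folders without a manifest

        try {
            [xml]$manifest = Get-Content -Path $nuspec.FullName -Raw
        } catch {
            Write-Warning "Could not parse $($nuspec.FullName): $_"
            return
        }

        # PowerShell's XML dot-notation ignores the nuspec default namespace.
        $meta = $manifest.package.metadata
        [pscustomobject]@{
            Id          = $meta.id
            Version     = $meta.version
            Title       = $meta.title
            InstalledOn = $_.CreationTime    # folder creation time approximates the install date
            Manifest    = $nuspec.FullName
        }
    }
}

# Pipe to Export-Csv when feeding the result into a vulnerability-management tool.
Get-ChocolateyInstalledPackage | Sort-Object Id | Format-Table Id, Version, InstalledOn -AutoSize
```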
New module content (5)
- User Profile Arbitrary Junction Creation Local Privilege Elevation by Grant Willcox and KLINIX5, which exploits CVE-2022-26904 - This adds an exploit for CVE-2022-26904, an LPE vulnerability affecting Windows 7 through Windows 11. Leveraging this vulnerability can allow a local attacker running as a standard user, who has knowledge of another standard user's credentials, to execute code as NT AUTHORITY\SYSTEM. The PromptOnSecureDesktop setting must also be set to 1 on the affected machine for this exploit to work, which is the default setting.
- ALLMediaServer 1.6 SEH Buffer Overflow by Hejap Zairy Al-Sharif, which exploits CVE-2022-28381 - A new module has been added which exploits CVE-2022-28381, a remotely exploitable SEH buffer overflow vulnerability in AllMediaServer version 1.6 and prior. Successful exploitation results in remote code execution as the user running AllMediaServer.
- Windows Gather Installed Application Within Chocolatey Enumeration by Nick Cottrell - This adds a post module that enumerates applications installed with Chocolatey on Windows systems.
- #16082 from usiegl00 - This updates the shadow_mitm_dispatcher module by adding a new RubySMB Dispatcher, which allows better integration with RubySMB and enables the use of all the features provided by its client. Both SMBv2 and SMBv3 are now supported.
- #16401 from space-r7 - This change adds support for CVE-2022-22616 to the existing Gatekeeper bypass exploit module, which reportedly covers macOS Catalina all the way to macOS Monterey versions below 12.3. Since the module now targets two CVEs, we've introduced a new CVE option to select which CVE to exploit; the default is the most recent CVE.
Enhancements and features (4)
- #15972 from sempervictus - This updates the Log4shell scanner with the LEAK_PARAMS option, providing a way to leak more target information such as environment variables.
- #16320 from dwelch-r7 - This updates Windows Meterpreter payloads to support a new MeterpreterDebugBuild datastore option. When set to true, the generated payload will have additional logging support which is visible via Windows' DbgView program.
- #16373 from adfoster-r7 - Adds initial support for Ruby 3.1.
- #16403 from sempervictus - This adds more checks to the post/windows/gather/checkvm module to better detect if the current target is a QEMU/KVM virtual machine.
Bugs fixed (3)
- #16398 from jmartin-r7 - A number of recent payload additions did not conform to the patterns used for suggesting spec configurations. Tests for these payloads have now been manually added to ensure they will be appropriately tested as part of rspec checks.
- #16408 from rtpt-alexanderneumann - This fixes an edge case in the multi/postgres/postgres_copy_from_program_cmd_exec module, which crashed when the randomly generated table name started with a number.
- #16419 from adfoster-r7 - A bug has been fixed whereby, when using the search command and searching by disclosure_date, the help menu would appear instead. This has been remedied by improving the date handling logic for the search command.
Get it
As always, you can update to the latest Metasploit Framework with msfupdate and you can get more details on the changes since the last blog post from GitHub:
If you are a git user, you can clone the Metasploit Framework repo (master branch) for the latest. To install fresh without using git, you can use the open-source-only Nightly Installers or the binary installers (which also include the commercial edition).