Last updated at Thu, 25 Jan 2024 01:17:24 GMT
A sack full of cheer from the Hacking Elves of Metasploit
It is clear that the Metasploit elves have been busy this season: Five new modules, six new enhancements, nine new bug fixes, and a partridge in a pear tree are headed out this week! (Neither partridge nor pear tree included.) In this sack of goodies, we have a gift that keeps on giving: Shelby's Acronis TrueImage Privilege Escalation works wonderfully, even after the software is uninstalled.
If you prefer elf files to holiday elves, we’ve still got you covered
Jan Rude submitted two modules targeting Syncovery for Linux. One takes advantage of an insecure session token generator and allows for the brute-force creation of a token that matches that of a logged-in user; the other allows an authenticated user to create a job that will run when a user's profile is run.
New module content (5)
- Syncovery For Linux Web-GUI Session Token Brute-Forcer by Jan Rude, which exploits CVE-2022-36536 - A new login scanner module that brute-forces a valid session token for the Syncovery File Sync & Backup Software Web-GUI. This will work if the default user is already logged in to the application. If they do not log out, the token stays valid until the next reboot.
- Acronis TrueImage XPC Privilege Escalation by Csaba Fitzl and Shelby Pace, which exploits CVE-2020-25736 - This module exploits a local privilege escalation vulnerability in Acronis TrueImage versions 2019 update 1 through 2021 update 1 on macOS. This vulnerability is identified as CVE-2020-25736. By abusing a local helper executable, it is possible to execute arbitrary commands as the `root` user.
- Syncovery For Linux Web-GUI Authenticated Remote Command Execution by Jan Rude, which exploits CVE-2022-36534 - This adds a module that exploits an authenticated remote code execution vulnerability identified as CVE-2022-36534 in the Web GUI of Syncovery File Sync & Backup Software for Linux. The module leverages a flaw in the application that allows the creation of jobs that will be executed when a profile is run. This allows the execution of arbitrary commands as the `root` user.
- F5 Big-IP Gather Information from MCP Datastore by [Ron Bowes](https://github.com/rbowes-r7) - This adds a post module for gathering facts from an F5 system's MCP database protocol.
Enhancements and features (6)
- #17191 from liangjs - This PR fixes a bug where the Windows Subsystem for Linux crashes when using a reverse_tcp x64 stager, because of data in the upper bits of the RDI register when the syscall occurs.
- #17255 from JustAnda7 - The command payloads have been updated to allow specifying the file system path for several of the commands they use within datastore options. This allows users to specify the locations of these commands should they not be found within the searchable PATH.
- #17346 from adfoster-r7 - The logic for counting threads within `lib/metasploit/framework/spec/threads/suite.rb` has been updated to appropriately count and document the known threads that can be left behind when running the rspec test suite. This fixes an intermittent rspec crash.
- #17355 from adfoster-r7 - The `creds` command has been updated to show the full SSH key contents when running the `creds -v` command or when exporting to a file with `creds -o output.txt`. Previously only a shortened fingerprint string would be shown to the user.
- #17357 from adfoster-r7 - The docs site has been updated to support mermaid graphs for rendering diagrams to assist with explanations.
- #17387 from smashery - The `hosts`, `services`, `vulns` and `notes` commands have been updated to support tab expansion in paths using the `~` character when using the `-o` option to specify the path of the file to write the output to.
Bugs fixed (9)
- #17345 from adfoster-r7 - A crash has been fixed when using the report API with verbose mode enabled and no active DB.
- #17350 from smashery - This updates three UAC bypass modules to remove a hard-coded delay in favor of using the module's built-in cleanup method. This results in the user having access to the interactive session without needing to wait.
- #17351 from smashery - This fixes an issue in the `exploit/windows/local/s4u_persistence` module where the default value for `FREQUENCY` would cause an error.
- #17352 from smashery - A bug has been fixed in the `file_version` method for Windows Meterpreter, which would cause the session to crash if it was run on a file that did not exist on the target system.
- #17361 from jmartin-r7 - A bug has been fixed that would cause a crash when running the `exit` command from within `msfconsole` when running `msfconsole` with a 3.1.x release of Ruby.
- #17366 from zeroSteiner - The upload and download commands used by shell sessions have been updated to handle directory destinations in the same way as the Meterpreter equivalents do, and to fix some bugs when uploading and downloading files that would prevent errors from being displayed and might cause session crashes.
- #17368 from adfoster-r7 - Fixes a regression in msfvenom payload generation where large payloads took more than 5 minutes to generate when outputting in hex format. Now it takes a few seconds, as normal.
- #17370 from jmartin-r7 - A bug has been fixed in `smb_enumshares.rb` whereby, if an SMBv1 connection was used, a call was made to the `net_share_enum_all` function on the wrong object. This has been updated to address the error.
- #17378 from gwillcox-r7 - A bug has been fixed in the Meterpreter payloads that was preventing Python Meterpreter from being able to utilize its EventLog API properly. Additionally, a bug has been fixed in the COFFLoader that prevented BOFLoader from working with some COFF files.
Get it
As always, you can update to the latest Metasploit Framework with `msfupdate` and you can get more details on the changes since the last blog post from GitHub:
If you are a `git` user, you can clone the Metasploit Framework repo (master branch) for the latest.
To install fresh without using git, you can use the open-source-only Nightly Installers or the binary installers (which also include the commercial edition).