Last updated at Thu, 25 Jan 2024 00:38:00 GMT

Nothing but .NET?

Smashery continues to… smash it by updating our .NET assembly execution module. The original module allowed users to run a .NET exe as a thread within a process they created on a remote host. Smashery’s improvements let users run the executable within a thread of the process hosting Meterpreter and also changed the I/O for the executing thread to support pipes, allowing interaction with the spawned .NET thread, even when the other process has control over STDIN and STDOUT. The changes add more stealth, better I/O, more injection options, and reliability improvements.

Want to be the next exploit, module, research, and wrapup author?

We’re hiring a Security Researcher to develop high-quality modules and produce research that continues to inspire contributions and interest from a growing community. This role can be based in any of the following Rapid7 offices: Austin TX, Boston MA, Arlington VA, Tampa FL, Dublin, or our new Prague office! Seniority level is also flexible depending on experience and team fit.

New module content (1)

Apache Druid JNDI Injection RCE

Authors: Jari Jääskelä and RedWay Security
Type: Exploit
Pull request: #18134 contributed by heyder
AttackerKB reference: CVE-2023-25194

This PR adds a module which exploits CVE-2023-25194, an unauthenticated deserialization vulnerability which leads to RCE in Apache Druid.

Enhancements and features (5)

  • #17796 from sempervictus - This adds reporting to the Framework database for the AWS EC2 enumeration module.
  • #17901 from dwelch-r7 - Adds additional payload module metadata to Metasploit's JSON module cache to improve msfconsole's bootup time.
  • #17959 from jmartin-r7 - The login scanner modules have been updated to catch any exceptions that may be raised when testing a credential. Additionally, the SNMP scanner and PostgreSQL scanners have been updated to catch additional errors that may be thrown when testing credentials.
  • #18114 from smashery - This updates the post/windows/manage/execute_dotnet_assembly module to allow it to run the .NET assembly within the current process. The module can now also read the output from all injection techniques.
  • #18133 from smashery - This improves the execute_dotnet_assembly module's ability to correctly identify the signature of the main method. Users no longer need to know and specify it themselves.

Bugs fixed (4)

  • #18065 from cgranleese-r7 - Updates the jenkins_gather module to work with newer versions of Jenkins.
  • #18121 from zeroSteiner - Adds a proper ASN.1 parser using RASN1 for the x509 SubjectAltName field.
  • #18139 from adfoster-r7 - An intermittent segfault issue when running the getuid command within a Windows Python Meterpreter has been fixed.
  • #18146 from adfoster-r7 - Fixes an intermittent issue with Windows Meterpreter which caused 'Access Denied' errors when Meterpreter attempted to get or set clipboard data while the user or another application was manipulating the same clipboard at the same time.

Documentation

You can find the latest Metasploit documentation on our docsite at docs.metasploit.com.

Get it

As always, you can update to the latest Metasploit Framework with msfupdate and you can get more details on the changes since the last blog post from GitHub:

If you are a git user, you can clone the Metasploit Framework repo (master branch) for the latest. To install fresh without using git, you can use the open-source-only Nightly Installers or the binary installers (which also include the commercial edition).