Windows Server 2012 Fun

Community contributor Erik Wynter added a local exploit module for a DLL hijacking vulnerability he discovered in Windows Server 2012. The TiWorker.exe process that runs as NT AUTHORITY\SYSTEM attempts to load SrClient.dll, which does not exist on the system. Because of this, privilege escalation is possible, but the success of the exploit relies on two things: The user that the current session is running as must be able to write the payload to the file system as SrClient.dll, and directory the payload is placed in must be present in the system path. Assuming the aforementioned requirements are met, the exploit module writes the payload to the target and leverages the wuauclt utility to spawn TiWorker.exe which then loads the malicious DLL and results in a Meterpreter session running as NT AUTHORITY\SYSTEM.

Some Metasploit Improvements

First-time Metasploit contributor, thesunRider made an addition to the Msf::Exploit::Remote::HTTP::Wordpress::Users mixin, specifically the wordpress_user_exists?() method. This change extends the regex used in determining valid accounts on Wordpress installations, and most importantly, this adds support for Wordpress 5.x versions to the auxiliary/scanner/http/wordpress_login_enum module.

Community contributor geyslan modified the linux/x86/exec payload module to be generated with metasm and introduced a new option for the payload, NullFreeVersion, which allows users to choose between generating a standard version of the payload or a null byte free version. Both versions of the payload are fairly small; however, the new null byte free variant is especially useful for exploits with payload size constraints, as opting for an encoder could potentially expand the payload’s size beyond the requirements for successful exploitation.

bcoles made a number of substantial improvements to the exploit/linux/http/nagios_xi_magpie_debug module that include bug fixes and coverage for older versions of Nagios. Additionally, the changes improve the stealth and reliability of the module by ensuring the proper deletion of uploaded artifacts and falling back to a low-privilege session in the event that the exploit’s privilege escalation attempt fails.

New Modules (1)

Enhancements and features

  • #14661 from geyslan Updated the linux/x86/exec payload to now use metasm, making the source code more readable and adds a new, larger NULL byte free variant.
  • #14757 from bcoles Improved the exploits/linux/http/nagios_xi_magpie_debug module to automatically check if the target is vulnerable, as well as improved error handling and documentation. Additionally, the module has been updated so that it supports older versions of Nagios by adding additional writable paths that the exploit can use, and a fallback mechanism has been implemented to gain a shell as apache if the privilege elevation attempt fails.
  • #14794 from bcoles Improved the exploits/windows/http/dup_scout_enterprise_login_bof module to add: support for v9.9.14 of Dup Scout Enterprise, additional Notes which may help pentesters determine the potential side effects of the exploit, support for the AutoCheck mixin to allow users to automatically check if a target is vulnerable prior to exploiting it, support for automatic targeting whereby the exploit will automatically determine the version of the target and will adjust the exploit accordingly if it is vulnerable, and compliance with new RuboCop standards.
  • #14877 from security-curious Updated the post/multi/gather/firefox_creds module to support gathering profiles from newer versions of Firefox which now use the default profile name of .default-release vs. the old name of .default.
  • #14882 from thesunRider Improved lib/msf/core/exploit/remote/http/wordpress/users.rb to support valid username identification and login identification for newer versions of WordPress up-to-and-including 5.7.

Bugs Fixed

  • #14824 from astutejoe Fixed an issue with the auxiliary/scanner/http/http_traversal scanner to avoid a NULL pointer crash when a server's response body is empty. Also fixed another bug whereby empty files would be created if the server responded with a 404 response code but the body of the response was empty.
  • #14856 from capme Fixed an issue in the two modules targeting CVE-2010-4221 where the ProFTPD version number without a letter suffix was being incorrectly identified as not vulnerable.
  • #14863 from dwelch-r7 Fixed db_import functionality whilst connected to the remote data service.
  • #14887 from space-r7 Fixed a previous feature which added the readability of Meterpreter error messages via replacing the command ID with the command name to now work with older versions of Ruby.
  • #14888 from timwr Fixed two Unicode related bugs preventing recursive download of files or folders containing UTF8 characters, or otherwise open or interact with these files, via Meterpreter. This has now been addressed for common commands such as edit, download and cd.
  • #14897 from adfoster-r7 Corrected a few instances where module documentation was not using the correct naming convention, preventing the documentation from being accessible.
  • #14899 from dwelch-r7 Fixed loading of the REXML library to ensure it is always available for usage within modules.
  • #14905 from jmartin-r7 Fixed an issue where exploit exceptions other than Interrupt could skip proper clean-up.
  • #14911 from friedrico The impersonate_ssl.rb module has been updated to add a new SNI option for retrieving the SSL Certificate, allowing it to properly retrieve SSL certificates in cases where the SNI option needs to be appropriately specified. In addition, RuboCop changes have also been applied to tidy up the code and remove some dangerous code in favor of safer solutions.

Get it

As always, you can update to the latest Metasploit Framework with msfupdate and you can get more details on the changes since the last blog post from GitHub:

If you are a git user, you can clone the Metasploit Framework repo (master branch) for the latest. To install fresh without using git, you can use the open-source-only Nightly Installers or the binary installers (which also include the commercial edition).