Windows Server 2012 Fun
Community contributor Erik Wynter added a local exploit module for a DLL hijacking vulnerability he discovered in Windows Server 2012. The
TiWorker.exe process that runs as
NT AUTHORITY\SYSTEM attempts to load
SrClient.dll, which does not exist on the system. Because of this, privilege escalation is possible, but the success of the exploit relies on two things: The user that the current session is running as must be able to write the payload to the file system as
SrClient.dll, and directory the payload is placed in must be present in the system path. Assuming the aforementioned requirements are met, the exploit module writes the payload to the target and leverages the
wuauclt utility to spawn
TiWorker.exe which then loads the malicious DLL and results in a Meterpreter session running as
Some Metasploit Improvements
First-time Metasploit contributor, thesunRider made an addition to the
Msf::Exploit::Remote::HTTP::Wordpress::Users mixin, specifically the
wordpress_user_exists?() method. This change extends the regex used in determining valid accounts on Wordpress installations, and most importantly, this adds support for Wordpress
5.x versions to the
Community contributor geyslan modified the
linux/x86/exec payload module to be generated with metasm and introduced a new option for the payload,
NullFreeVersion, which allows users to choose between generating a standard version of the payload or a null byte free version. Both versions of the payload are fairly small; however, the new null byte free variant is especially useful for exploits with payload size constraints, as opting for an encoder could potentially expand the payload’s size beyond the requirements for successful exploitation.
bcoles made a number of substantial improvements to the
exploit/linux/http/nagios_xi_magpie_debug module that include bug fixes and coverage for older versions of Nagios. Additionally, the changes improve the stealth and reliability of the module by ensuring the proper deletion of uploaded artifacts and falling back to a low-privilege session in the event that the exploit’s privilege escalation attempt fails.
New Modules (1)
- Windows Server 2012 SrClient DLL hijacking by Erik Wynter
Enhancements and features
- #14661 from geyslan Updated the
linux/x86/execpayload to now use metasm, making the source code more readable and adds a new, larger NULL byte free variant.
- #14757 from bcoles Improved the
exploits/linux/http/nagios_xi_magpie_debugmodule to automatically check if the target is vulnerable, as well as improved error handling and documentation. Additionally, the module has been updated so that it supports older versions of Nagios by adding additional writable paths that the exploit can use, and a fallback mechanism has been implemented to gain a shell as
apacheif the privilege elevation attempt fails.
- #14794 from bcoles Improved the
exploits/windows/http/dup_scout_enterprise_login_bofmodule to add: support for v9.9.14 of Dup Scout Enterprise, additional
Noteswhich may help pentesters determine the potential side effects of the exploit, support for the
AutoCheckmixin to allow users to automatically check if a target is vulnerable prior to exploiting it, support for automatic targeting whereby the exploit will automatically determine the version of the target and will adjust the exploit accordingly if it is vulnerable, and compliance with new RuboCop standards.
- #14877 from security-curious Updated the
post/multi/gather/firefox_credsmodule to support gathering profiles from newer versions of Firefox which now use the default profile name of
.default-releasevs. the old name of
- #14882 from thesunRider Improved
lib/msf/core/exploit/remote/http/wordpress/users.rbto support valid username identification and login identification for newer versions of WordPress up-to-and-including 5.7.
- #14824 from astutejoe Fixed an issue with the
auxiliary/scanner/http/http_traversalscanner to avoid a NULL pointer crash when a server's response body is empty. Also fixed another bug whereby empty files would be created if the server responded with a 404 response code but the body of the response was empty.
- #14856 from capme Fixed an issue in the two modules targeting CVE-2010-4221 where the ProFTPD version number without a letter suffix was being incorrectly identified as not vulnerable.
- #14863 from dwelch-r7 Fixed db_import functionality whilst connected to the remote data service.
- #14887 from space-r7 Fixed a previous feature which added the readability of Meterpreter error messages via replacing the command ID with the command name to now work with older versions of Ruby.
- #14888 from timwr Fixed two Unicode related bugs preventing recursive download of files or folders containing UTF8 characters, or otherwise open or interact with these files, via Meterpreter. This has now been addressed for common commands such as edit, download and cd.
- #14897 from adfoster-r7 Corrected a few instances where module documentation was not using the correct naming convention, preventing the documentation from being accessible.
- #14899 from dwelch-r7 Fixed loading of the REXML library to ensure it is always available for usage within modules.
- #14905 from jmartin-r7 Fixed an issue where exploit exceptions other than
Interruptcould skip proper clean-up.
- #14911 from friedrico The
impersonate_ssl.rbmodule has been updated to add a new SNI option for retrieving the SSL Certificate, allowing it to properly retrieve SSL certificates in cases where the SNI option needs to be appropriately specified. In addition, RuboCop changes have also been applied to tidy up the code and remove some dangerous code in favor of safer solutions.
As always, you can update to the latest Metasploit Framework with
msfupdate and you can get more details on the changes since the last blog post from GitHub:
If you are a
git user, you can clone the Metasploit Framework repo (master branch) for the latest. To install fresh without using git, you can use the open-source-only Nightly Installers or the binary installers (which also include the commercial edition).