Operations shell

Operations and management software makes a popular target because its users typically hold elevated privileges across a network. Our own wvu contributed the VMware vRealize Operations (vROps) Manager SSRF RCE exploit module for the vulnerabilities discovered by security researcher Egor Dimitrenko. The exploit/linux/http/vmware_vrops_mgr_ssrf_rce module achieves remote code execution (RCE) as the admin Unix user by chaining the two vulnerabilities. First, the pre-authentication server-side request forgery (SSRF) vulnerability CVE-2021-21975 in the /casa/nodes/thumbprints endpoint is exploited to obtain the admin credentials. Those credentials are then used to authenticate to the vRealize Operations Manager API and exploit CVE-2021-21983 via the /casa/private/config/slice/ha/certificate endpoint, which lets the module write and execute an arbitrary file, in this case a JSP payload. The module should work against the following vulnerable versions:

  • 7.0.0
  • 7.5.0
  • 8.0.0, 8.0.1
  • 8.1.0, 8.1.1
  • 8.2.0
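To see what this chain looks like from the defender's side, here is an added example (not part of the original post and not code from the module) that runs simple detection logic over constructed web-server access-log lines: it flags any hit on the pre-auth /casa/nodes/thumbprints endpoint and raises a higher-confidence "chain" finding when the same client goes on to hit /casa/private/config/slice/ha/certificate shortly afterwards. The combined log format, addresses, user agents and the ten-minute window are assumptions for illustration; only the two endpoint paths come from the write-up above.

```python
import re
from datetime import datetime, timedelta

# The two endpoints named in the write-up: pre-auth SSRF, then post-auth file write.
SSRF_PATH = "/casa/nodes/thumbprints"
FILE_WRITE_PATH = "/casa/private/config/slice/ha/certificate"

# Constructed sample lines in NGINX/Apache "combined" format; not real vROps logs.
SAMPLE_LOG = """\
10.0.0.5 - - [01/Apr/2021:10:00:01 +0000] "POST /casa/nodes/thumbprints HTTP/1.1" 200 512 "-" "python-requests/2.25.1"
10.0.0.5 - - [01/Apr/2021:10:00:04 +0000] "POST /casa/private/config/slice/ha/certificate HTTP/1.1" 200 77 "-" "python-requests/2.25.1"
10.0.0.9 - - [01/Apr/2021:10:05:00 +0000] "GET /ui/login.action HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
10.0.0.7 - - [01/Apr/2021:11:30:00 +0000] "POST /casa/nodes/thumbprints HTTP/1.1" 401 0 "-" "curl/7.68.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$'
)


def parse_line(line):
    """Parse one combined-format line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    d = m.groupdict()
    d["ts"] = datetime.strptime(d["ts"], "%d/%b/%Y:%H:%M:%S %z")
    d["status"] = int(d["status"])
    d["path"] = d["path"].split("?", 1)[0]   # ignore any query string when matching
    return d


def find_vrops_chain(log_text, window=timedelta(minutes=10)):
    """Return a finding per endpoint hit, plus a 'chain' finding when one client hits
    the SSRF endpoint and then the certificate endpoint (non-4xx) within `window`."""
    events = [e for e in map(parse_line, log_text.splitlines()) if e]
    findings = []
    last_ssrf = {}                            # ip -> time of its latest thumbprints hit
    for e in events:
        if e["path"] == SSRF_PATH:
            findings.append({"ip": e["ip"], "kind": "ssrf_probe", "status": e["status"], "ts": e["ts"]})
            last_ssrf[e["ip"]] = e["ts"]
        elif e["path"] == FILE_WRITE_PATH:
            findings.append({"ip": e["ip"], "kind": "cert_write", "status": e["status"], "ts": e["ts"]})
            t0 = last_ssrf.get(e["ip"])
            if t0 is not None and e["ts"] - t0 <= window and e["status"] < 400:
                findings.append({"ip": e["ip"], "kind": "chain", "status": e["status"], "ts": e["ts"]})
    return findings


if __name__ == "__main__":
    for f in find_vrops_chain(SAMPLE_LOG):
        print(f"{f['ts'].isoformat()} {f['ip']:<10} {f['kind']:<11} HTTP {f['status']}")
```

The thumbprints endpoint needs no credentials, so a 200 from any source that is not a known vROps cluster node deserves a look on its own; the chain finding is deliberately suppressed when the certificate request was rejected with a 4xx, since that means the credential-harvesting step did not pay off.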

Data rules everything around me

Many dynamic websites and business applications have an associated database, so databases are commonplace on networks, and odds are you encounter more than one on an engagement. This week's release includes two new database-related modules!

The first is an Apache Druid RCE exploit module for CVE-2021-25646, which affects versions 0.20.0 and older; the vulnerability was discovered by Litch1, and je5442804 contributed the module. The second, a gather module named Redis Extractor contributed by Geoff Rainville (noncenz), makes it easy to loot any Redis key-value stores you discover.

New Module Content (5)

  • Redis Extractor by Geoff Rainville noncenz - Adds a module to retrieve all data from a Redis instance (version 2.8.0 and above).
  • Apache Druid 0.20.0 Remote Command Execution by Litch1, Security Team of Alibaba Cloud and je5442804, which exploits CVE-2021-25646 - This adds an exploit module that targets Apache Druid versions prior to 0.20.1. An authenticated user can send a single request that both enables the execution of user-provided JavaScript code and executes the code on the server with the privileges of the user running the Apache Druid process. By default, Apache Druid does not require authentication.
  • VMware vRealize Operations (vROps) Manager SSRF RCE by wvu and Egor Dimitrenko, which exploits CVE-2021-21983 - This adds a module that exploits both a pre-auth SSRF and a post-auth file write via directory traversal to get code execution as the admin user on vulnerable VMware vRealize Operations Manager installs.
  • Micro Focus Operations Bridge Reporter shrboadmin default password by Pedro Ribeiro, which exploits ZDI-20-1215 - This adds an exploit for CVE-2020-11857, a hardcoded SSH password for the shrboadmin account on Micro Focus Operations Bridge Reporter instances.
  • KOFFEE - Kia OFFensivE Exploit by Gianpiero Costantino and Ilaria Matteucci, which exploits CVE-2020-8539 - This adds a post module that leverages the CVE-2020-8539 vulnerability on certain Kia Motors head units. This vulnerability is also known as KOFFEE.
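The Redis Extractor module's "version 2.8.0 and above" floor is explained by SCAN, which Redis introduced in 2.8.0: it lets a client walk the keyspace incrementally with a cursor instead of issuing KEYS *, which blocks the server while it builds the full list. The following added example (written for this page, not the module's own code) shows the whole dump loop over the wire protocol: a RESP encoder and decoder, an optional AUTH step for instances that require a password (the situation #15114 below fixes in the file_upload module), and a SCAN/TYPE/GET loop. Because it must run offline, the "server" is a constructed in-memory stand-in that answers only the commands the extractor sends; the key names, values and password are invented sample data.

```python
def encode_command(*args):
    """Encode a command as a RESP array of bulk strings, exactly as Redis clients do."""
    out = b"*%d\r\n" % len(args)
    for a in args:
        b = a if isinstance(a, bytes) else str(a).encode()
        out += b"$%d\r\n%s\r\n" % (len(b), b)
    return out


class RespReader:
    """Minimal RESP2 decoder over an in-memory byte buffer (no integer replies needed)."""
    def __init__(self, data):
        self.buf, self.pos = data, 0
    def _line(self):
        end = self.buf.index(b"\r\n", self.pos)
        line, self.pos = self.buf[self.pos:end], end + 2
        return line
    def read(self):
        kind, self.pos = self.buf[self.pos:self.pos + 1], self.pos + 1
        if kind == b"+":
            return self._line().decode()
        if kind == b"-":                  # error reply, e.g. NOAUTH or a rejected AUTH
            raise RuntimeError(self._line().decode())
        if kind == b"$":
            n = int(self._line())
            if n == -1:
                return None
            data, self.pos = self.buf[self.pos:self.pos + n], self.pos + n + 2
            return data
        if kind == b"*":
            return [self.read() for _ in range(int(self._line()))]
        raise ValueError("bad RESP prefix %r" % kind)


class FakeRedis:
    """Constructed stand-in for a Redis >= 2.8 server; pages SCAN two keys at a time."""
    def __init__(self, data, password=None):
        self.data, self.password = data, password   # data: key -> (type, value)
        self.authed = password is None
        self.keys = sorted(data)
    def _reply(self, v):
        if isinstance(v, str):
            return b"+" + v.encode() + b"\r\n"
        if isinstance(v, bytes):
            return b"$%d\r\n%s\r\n" % (len(v), v)
        return b"*%d\r\n" % len(v) + b"".join(self._reply(x) for x in v)
    def call(self, raw):
        args = RespReader(raw).read()
        cmd = args[0].upper()
        if cmd == b"AUTH":
            self.authed = args[1] == self.password
            return self._reply("OK") if self.authed else b"-ERR invalid password\r\n"
        if not self.authed:
            return b"-NOAUTH Authentication required.\r\n"
        if cmd == b"SCAN":
            cur = int(args[1])
            nxt = cur + 2 if cur + 2 < len(self.keys) else 0
            return self._reply([str(nxt).encode(), self.keys[cur:cur + 2]])
        t, v = self.data[args[1]]
        handlers = {b"TYPE": lambda: t, b"GET": lambda: v, b"LRANGE": lambda: v,
                    b"SMEMBERS": lambda: sorted(v),
                    b"HGETALL": lambda: [x for kv in v.items() for x in kv]}
        return self._reply(handlers[cmd]())


def extract_all(send, password=None):
    """Dump every key by walking SCAN (added in Redis 2.8.0) instead of KEYS *, which
    blocks the server on large datasets. `send(bytes) -> bytes` is the transport."""
    def rpc(*args):
        return RespReader(send(encode_command(*args))).read()
    if password is not None:
        rpc("AUTH", password)             # raises RuntimeError if the server rejects it
    dump, cursor = {}, b"0"
    while True:
        cursor, keys = rpc("SCAN", cursor, "COUNT", 100)
        for key in keys:                  # SCAN may return a key twice; the dict dedups
            t = rpc("TYPE", key)
            if t == "string":
                dump[key] = rpc("GET", key)
            elif t == "hash":
                flat = rpc("HGETALL", key)
                dump[key] = dict(zip(flat[::2], flat[1::2]))
            elif t == "list":
                dump[key] = rpc("LRANGE", key, 0, -1)
            elif t == "set":
                dump[key] = set(rpc("SMEMBERS", key))
            else:                         # zset, stream, ...: record it, don't crash
                dump[key] = ("unsupported type", t)
        if cursor == b"0":                # cursor 0 means the iteration is complete
            return dump


SAMPLE_DATA = {                           # constructed contents worth looting
    b"session:42": ("string", b'{"user":"alice","role":"admin"}'),
    b"user:alice": ("hash", {b"email": b"alice@example.test", b"pwhash": b"$2b$12$abc"}),
    b"queue:jobs": ("list", [b"job-1", b"job-2"]),
    b"admins": ("set", {b"alice", b"bob"}),
}
```

Against a live server you would replace `FakeRedis(...).call` with a function that writes the bytes to a TCP socket and reads the reply; everything else stays the same. Note that the loop stops only when the server returns cursor 0, not when a page comes back empty, because SCAN may legitimately return empty pages mid-iteration.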

Enhancements and features

  • #11257 from sempervictus - This PR adds the ability to wrap some of the PowerShell used for exploitation purposes with RC4 for obfuscation.
  • #15014 from ctravis-r7 - Adds the ability to specify an individual private key as a string parameter into the auxiliary/scanner/ssh/ssh_login_pubkey module.
  • #15110 from zeroSteiner - This adds the necessary functionality to the Java Meterpreter to resolve hostnames over DNS, closing a feature gap that had been present with other Meterpreters.

Bugs Fixed

  • #14953 from bwatters-r7 - Fixes the Python 3.6 string formatting syntax in modules/auxiliary/scanner/http/rdp_web_login
  • #15050 from cgranleese-r7 - Fixes a crash in Metasploit's console when the user tried to tab complete values such as file paths that were missing their final ending quote
  • #15081 from cgranleese-r7 - Updates the Microsoft SQL Server interesting data finder module to correctly handle the scenario where no interesting data is found. Previously this would result in a module crash.
  • #15094 from timwr - This fixes a bug in how certain Meterpreters executed commands issued through sessions -c: some used a subshell while others did not.
  • #15114 from smashery - Updates the auxiliary/scanner/redis/file_upload module to correctly handle Redis instances that require authenticated access

Get it

As always, you can update to the latest Metasploit Framework with msfupdate, and you can get more details on the changes since the last blog post from GitHub:

If you are a git user, you can clone the Metasploit Framework repo (master branch) for the latest. To install fresh without using git, you can use the open-source-only Nightly Installers or the binary installers (which also include the commercial edition).