NSClient++

Community contributor Yann Castel has contributed an exploit module for NSClient++ that targets an authenticated command execution vulnerability. Users able to authenticate to the service as admin can leverage the external scripts feature to execute commands with SYSTEM-level privileges, which compromises the underlying server. Castel is also working on another NSClient++ exploit module, this time a local privilege escalation, so stay tuned for more NSClient++ content.

Redis Improvements

Community member Smashery returned to improve the Framework's Redis dumping capabilities. This week two bugs were fixed to ensure that Redis data can be more easily accessed using the auxiliary/gather/redis_extractor module. This module has seen a number of improvements lately and is capable of dumping data from both authenticated and unauthenticated instances.

POST API Improvements

Google Summer of Code student and community member pingport80 has been hard at work making a number of improvements to the POST API used by modules to interact with sessions. The bulk of the improvements have been focused on closing feature gaps in various scenarios. One excellent example of this is the new Process library that allows both shell and Meterpreter sessions to enumerate running processes on multiple platforms. This makes it easier for module developers to write content without worrying about the different capabilities of the various session types.

Pingport80 has also been testing various scenarios to find localization issues. This has involved finding instances where error messages assumed to be in English were used to determine outcomes, and updating them to work regardless of the target's locale.

New module content (2)

Enhancements and features

  • #15296 from pingport80 - The command_exists? method inside post/common.rb has been updated to fall back to using the which command to check if a command exists on a target system if command -v fails to run successfully. This allows users to check whether a command exists or not on systems that might not contain a command command, such as ESXi.
  • #15299 from todb-r7 - The CONTRIBUTING.md documentation has been updated to include additional information on how to request CVEs for vulnerabilities from Rapid7.
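The command-existence fallback described in #15296, as an added example that is not Metasploit's own implementation. It assumes a session object whose `run(cmd)` returns `[combined_output, exit_status]`, and treats exit status 127 as the signal that the `command` builtin itself is missing (an assumption; the shell-specific status may differ). The two targets are constructed stand-ins, one Linux-like and one ESXi-like:

```ruby
# Added example (not Metasploit's own code): check whether a command exists
# on a target, falling back from `command -v` to `which`. `shell` is assumed
# to be any object whose run(cmd) returns [combined_output, exit_status].
def command_exists?(shell, name)
  # Only plain command names are accepted, so the interpolation below can't
  # be turned into shell injection by attacker-influenced input.
  raise ArgumentError, "invalid command name: #{name.inspect}" unless name.match?(/\A[\w.+-]+\z/)

  # First choice: POSIX `command -v`, a builtin on most shells.
  out, status = shell.run("command -v #{name}")
  return !out.strip.empty? if status == 0 # found: prints the path or name
  return false if status != 127           # `command` ran and reported "not found"

  # Status 127 is assumed here to mean `command` itself is unavailable (as on
  # targets without that builtin, such as ESXi): fall back to the external
  # `which` binary.
  out, status = shell.run("which #{name}")
  status == 0 && !out.strip.empty?
end

# Constructed stand-in for a session. Anything not in the table behaves like
# a shell that does not know the command: no output, exit status 127.
class FakeShell
  def initialize(table)
    @table = table
  end

  def run(cmd)
    @table.fetch(cmd) { ['', 127] }
  end
end

# Constructed Linux-like target: `command -v` works normally.
LINUX = FakeShell.new(
  'command -v python3' => ["/usr/bin/python3\n", 0],
  'command -v nc'      => ['', 1]
)

# Constructed ESXi-like target: every `command -v` line fails with 127
# because there is no `command` builtin, but `which` is present.
ESXI = FakeShell.new(
  'which esxcli' => ["/bin/esxcli\n", 0],
  'which nc'     => ['', 1]
)

# Runs the check against both targets and returns the results by name.
def probe_all
  {
    linux_python3: command_exists?(LINUX, 'python3'),
    linux_nc:      command_exists?(LINUX, 'nc'),
    esxi_esxcli:   command_exists?(ESXI, 'esxcli'),
    esxi_nc:       command_exists?(ESXI, 'nc')
  }
end

puts probe_all if $PROGRAM_NAME == __FILE__
```

The point of the status-code branching is that a "not found" answer from a working `command -v` should never trigger the fallback, while a shell that cannot run `command` at all must; conflating the two would either hide missing tools or run `which` needlessly on every call.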

Bugs fixed

  • #15257 from zeroSteiner - The lib/msf/core/post_mixin.rb library has been updated to correctly check if missing Meterpreter command IDs are core command IDs or an extension command ID and provide appropriate feedback to end users about this incompatibility. This also fixes an issue where Meterpreter might complain that it couldn't load an extension but wouldn't display what the extension was.
  • #15284 from pingport80 - This fixes a localization-related issue in the post/linux/gather/pptpd_chap_secrets module. If the file is unreadable, Metasploit would treat the permission denied error as the contents.
  • #15290 from zeroSteiner - Invalid Meterpreter command requirements in mixins no longer raise a RuntimeError.
  • #15293 from smashery - This fixes two bugs in the Redis extractor module. The first was an issue that would occur when a value was excessively large. The second was a race condition that could be encountered if the server was being actively used by a third-party.
  • #15312 from adfoster-r7 - Ensures that msfconsole now supports setting both RHOST and RHOSTS interchangeably for all scenarios and modules.

Get it

As always, you can update to the latest Metasploit Framework with msfupdate and you can get more details on the changes since the last blog post from GitHub:

If you are a git user, you can clone the Metasploit Framework repo (master branch) for the latest.
To install fresh without using git, you can use the open-source-only Nightly Installers or the binary installers (which also include the commercial edition).