Community contributor Yann Castel has contributed an exploit module for NSClient++ which targets an authenticated command execution vulnerability. Users that are able to authenticate to the service as admin can leverage the external scripts feature to execute commands with SYSTEM level privileges. This allows the underlying server to be compromised. Castel is also working on another exploit module for NSClient++ which happens to be a local privilege escalation so stay tuned for more NSClient++ content.
Community member Smashery returned to improve the Framework's Redis dumping capabilities. This week two bugs were fixed to ensure that Redis data can be more easily accessed using the auxiliary/gather/redis_extractor module. This module has seen a number of improvements lately and is capable of dumping data from both authenticated and unauthenticated instances.
POST API Improvements
Google Summer of Code student and community member pingport80 has been hard at work making a number of improvements to the POST API used by modules to interact with sessions. The bulk of the improvements have been focused on closing feature gaps in various scenarios. One excellent example of this is the new Process library that allows both shell and Meterpreter sessions to enumerate running processes on multiple platforms. This makes it easier for module developers to write content without worrying about the different capabilities of the various session types.
Pingport80 has also been testing various scenarios to find issues related to localization. This has involved finding instances where error messages that are assumed to be in English are used to determine various outcomes and updating them to function regardless of the underlying locale.
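As an added illustration (example code written for this post, not the Framework's Process library or any of pingport80's code), here is the shape of the problem such a library solves: building one process record from the output a shell session would get from `ps` on Linux and from `tasklist /V /FO CSV` on Windows, so module code can search the result without caring which platform or session type produced it. The sample outputs are constructed rather than captured, and the `ProcessInfo` struct and function names are assumptions made for this example.

```ruby
require 'csv'

# Example, not the Framework's Process library: one record shape for process
# listings gathered from different session/platform combinations.
# ppid is nil where the source listing does not provide it (tasklist).
ProcessInfo = Struct.new(:pid, :ppid, :user, :name)

# Constructed sample of `ps -eo pid,ppid,user,comm` output on a Linux host.
PS_OUTPUT = <<~'PS'
    PID  PPID USER     COMMAND
      1     0 root     systemd
    812     1 www-data nginx
   1337   812 www-data php-fpm: pool www
PS

# Constructed sample of `tasklist /V /FO CSV` output on a Windows host.
TASKLIST_OUTPUT = <<~'CSV'
  "Image Name","PID","Session Name","Session#","Mem Usage","Status","User Name","CPU Time","Window Title"
  "System","4","Services","0","144 K","Unknown","NT AUTHORITY\SYSTEM","0:00:00","N/A"
  "lsass.exe","648","Services","0","14,212 K","Unknown","NT AUTHORITY\SYSTEM","0:00:01","N/A"
  "notepad.exe","4120","Console","1","9,876 K","Running","CORP\alice","0:00:00","Untitled - Notepad"
CSV

# ps prints a header line followed by whitespace-separated columns; the last
# column (the command name) may itself contain spaces, hence the split limit.
def parse_ps(text)
  text.lines.map(&:strip).reject(&:empty?).drop(1).map do |line|
    pid, ppid, user, name = line.split(/\s+/, 4)
    ProcessInfo.new(Integer(pid), Integer(ppid), user, name)
  end
end

# tasklist's CSV form is fully quoted, so memory figures like "14,212 K" are
# safe to parse with the standard CSV library.
def parse_tasklist(text)
  CSV.parse(text, headers: true).map do |row|
    ProcessInfo.new(Integer(row['PID']), nil, row['User Name'], row['Image Name'])
  end
end

# Dispatch on platform; a session library would pick the raw command as well.
def list_processes(platform, raw_output)
  case platform
  when :windows      then parse_tasklist(raw_output)
  when :linux, :unix then parse_ps(raw_output)
  else raise ArgumentError, "unsupported platform: #{platform}"
  end
end

# Module-level helpers then work on the common shape regardless of origin.
def find_by_name(procs, name)
  procs.select { |p| p.name.casecmp?(name) }
end

def pids_for_user(procs, user)
  procs.select { |p| p.user == user }.map(&:pid)
end

if $PROGRAM_NAME == __FILE__
  list_processes(:linux, PS_OUTPUT).each { |p| puts p.to_h }
  list_processes(:windows, TASKLIST_OUTPUT).each { |p| puts p.to_h }
end
```

The point of the common `ProcessInfo` shape is that a module's logic (find `lsass.exe`, find everything running as `www-data`) is written once; only the platform-specific parsers know what the raw listing looks like.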
New module content (2)
- Cisco HyperFlex HX Data Platform Command Execution by wvu, Mikhail Klyuchnikov, and Nikita Abramov, which exploits CVE-2021-1497 and CVE-2021-1498 - Adds an exploit for a command injection in the Cisco HyperFlex HX Data Platform (CVE-2021-1497/CVE-2021-1498).
- NSClient++ 0.5.2.35 - ExternalScripts Authenticated Remote Code Execution by Yann Castel and kindredsec - This module allows an attacker who knows the admin password of NSClient++ 0.5.2.35 to obtain a privileged reverse shell, provided the NSClient++ instance has both the web interface and the ExternalScripts feature enabled.
Enhancements and features
- #15296 from pingport80 - The `post/common.rb` library has been updated to fall back to using the `which` command to check if a command exists on a target system if `command -v` fails to run successfully. This allows users to check whether a command exists on systems that lack the `command` builtin, such as ESXi.
- #15299 from todb-r7 - The CONTRIBUTING.md documentation has been updated to include additional information on how to request CVEs for vulnerabilities from Rapid7.
- #15257 from zeroSteiner - The `lib/msf/core/post_mixin.rb` library has been updated to correctly check whether missing Meterpreter command IDs are core command IDs or extension command IDs and to give end users appropriate feedback about the incompatibility. This also fixes an issue where Meterpreter might complain that it couldn't load an extension but wouldn't display which extension it was.
- #15284 from pingport80 - This fixes a localization-related issue in the `post/linux/gather/pptpd_chap_secrets` module. If the file was unreadable, Metasploit would treat the permission denied error message as the file's contents.
- #15290 from zeroSteiner - Invalid Meterpreter command requirements in mixins no longer raise a RuntimeError.
- #15293 from smashery - This fixes two bugs in the Redis extractor module. The first was an issue that would occur when a value was excessively large. The second was a race condition that could be encountered if the server was being actively used by a third party at the same time.
- #15312 from adfoster-r7 - Ensures that msfconsole now supports setting RHOST and RHOSTS interchangeably for all scenarios and modules.
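To make the localization point behind #15296 and #15284 concrete, here is an added example (not code from the Framework or from these pull requests) of the pattern both fixes rely on: decide outcomes from what the shell does, not from the wording of its error messages, which change with the target's locale. Each probe appends an ASCII sentinel that is only echoed if the preceding command succeeded; a missing tool, a missing `command` builtin and an unreadable file all leave the sentinel absent whatever language the error is printed in. The `LocalShell` and `NoCommandBuiltinShell` classes, the `__msf_ok__` sentinel and the helper names are assumptions made for this example; the stub shell imitates a host whose sh lacks the `command` builtin, as described for ESXi above.

```ruby
require 'open3'
require 'shellwords'
require 'tempfile'

# Added example, not Metasploit's own code. A French locale renders the error
# the pptpd module used to mistake for file contents as
#   "cat: /etc/ppp/chap-secrets: Permission non accordée"
# so nothing below ever inspects error text; only the sentinel matters.
Result = Struct.new(:stdout, :stderr, :status)

# Minimal local stand-in for a Metasploit shell session (hypothetical class):
# runs a command through sh and returns what the session would hand back.
class LocalShell
  def run(cmd)
    out, err, st = Open3.capture3('sh', '-c', cmd)
    Result.new(out, err, st.exitstatus)
  end
end

# Constructed stand-in for a host whose sh has no `command` builtin: any
# `command ...` line fails to run at all, while `which` still works.
class NoCommandBuiltinShell < LocalShell
  def run(cmd)
    return Result.new('', "sh: command: not found\n", 127) if cmd.start_with?('command ')
    super
  end
end

SENTINEL = '__msf_ok__'

# True only if the shell expression exited 0. Its own output (and any error
# text, in any language) is discarded, so the check is locale-independent.
def probe(session, shell_expr)
  session.run("#{shell_expr} >/dev/null 2>&1 && echo #{SENTINEL}").stdout.include?(SENTINEL)
end

# Mirrors the fallback described for post/common.rb: try `command -v`, and if
# that probe does not succeed, try `which` before concluding the tool is absent.
def command_exists?(session, name)
  q = Shellwords.escape(name)
  probe(session, "command -v #{q}") || probe(session, "which #{q}")
end

# Mirrors the pptpd_chap_secrets fix: confirm readability with `test -r`
# first, so an error message can never be returned as if it were the file.
def read_file(session, path)
  q = Shellwords.escape(path)
  return nil unless probe(session, "test -r #{q}")
  session.run("cat #{q}").stdout
end

# Exercises the helpers against a real local sh and the constructed stub.
def demo
  sh = LocalShell.new
  esxi_like = NoCommandBuiltinShell.new
  tmp = Tempfile.new('chap-secrets') # constructed sample secrets file
  tmp.write("# Secrets for authentication using CHAP\nvpnuser pptpd s3cret *\n")
  tmp.close
  {
    sh_has_sh:    command_exists?(sh, 'sh'),
    sh_has_bogus: command_exists?(sh, 'no-such-tool-xyz'),
    esxi_has_sh:  command_exists?(esxi_like, 'sh'),   # found via `which` fallback
    readable:     read_file(sh, tmp.path),
    unreadable:   read_file(sh, '/nonexistent/chap-secrets'),
  }
ensure
  tmp&.unlink
end

puts demo.inspect if $PROGRAM_NAME == __FILE__
```

Real Metasploit shell sessions do not always expose an exit status, which is exactly why an echoed sentinel is preferable to parsing either the status or the error text; the same idea applies to any check a module makes over a command shell.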
As always, you can update to the latest Metasploit Framework with `msfupdate`, and you can get more details on the changes since the last blog post from GitHub.
If you are a git user, you can clone the Metasploit Framework repo (master branch) for the latest.
To install fresh without using git, you can use the open-source-only Nightly Installers or the binary installers (which also include the commercial edition).