Anyone enjoy making chains?

The community is hard at work building chains to pull sessions out of vulnerable Exchange servers. This week Rapid7's own wvu & Spencer McIntyre added a module that implements the ProxyShell exploit chain originally demonstrated by Orange Tsai. The module also benefited from research and analysis by Jang, PeterJson, brandonshi123, and mekhalleh (RAMELLA Sébastien) to make it as simple as finding an email for an administrator of vulnerable version of exchange as the entrypoint to chain CVE-2021-31207, CVE-2021-34523, & CVE-2021-34473 into sessions for everyone to enjoy.

Great to see some GSoC value in the wild.

With Google Summer of Code 2021 moving into its final phases, pingport80 had 4 PRs land in this week's release. These improvements and fixes to interactions with sessions make post exploitation tasks more accessible, bringing the community more capabilities and stability along the way.

New module content (2)

Enhancements and features

  • #15540 from dwelch-r7 - This adds an option to cmd_execute to have the command run in a subshell by Meterpreter.
  • #15556 from pingport80 - This adds shell session compatibility to the post/windows/gather/enum_unattend module.
  • #15564 from pingport80 - This adds support to the get_env and command_exists? post API methods for Powershell session types.

Bugs fixed

  • #15303 from pingport80 - This PR ensures that the shell dir command returns a list.
  • #15332 from pingport80 - This improves localization support and compatibly in the session post API related to the rename_file method.
  • #15539 from tomadimitrie - This improves the OS version in the check method of exploit/windows/local/cve_2018_8453_win32k_priv_esc.
  • #15546 from timwr - This ensures that the UUID URLs of stageless reverse_http(s) payloads are stored in the database so that they can be properly tracked with payload UUID tracking. This also fixes an error caused by accessing contents of a url list without checking if it's valid first.
  • #15570 from adfoster-r7 - This fixes a bug in the auxiliary/scanner/smb/smb_enum_gpp module where the path that was being generated by the module caused an SMB exception to be raised.

Get it

As always, you can update to the latest Metasploit Framework with msfupdate and you can get more details on the changes since the last blog post from GitHub:

If you are a git user, you can clone the Metasploit Framework repo (master branch) for the latest. To install fresh without using git, you can use the open-source-only Nightly Installers or the binary installers (which also include the commercial edition).