Anyone enjoy making chains?
The community is hard at work building chains to pull sessions out of vulnerable Exchange servers. This week Rapid7's own wvu & Spencer McIntyre added a module that implements the ProxyShell exploit chain originally demonstrated by Orange Tsai. The module also benefited from research and analysis by Jang, PeterJson, brandonshi123, and mekhalleh (RAMELLA Sébastien) to make it as simple as finding an email for an administrator of vulnerable version of exchange as the entrypoint to chain CVE-2021-31207, CVE-2021-34523, & CVE-2021-34473 into sessions for everyone to enjoy.
Great to see some GSoC value in the wild.
With Google Summer of Code 2021 moving into its final phases, pingport80 had 4 PRs land in this week's release. These improvements and fixes to interactions with sessions make post exploitation tasks more accessible, bringing the community more capabilities and stability along the way.
New module content (2)
- Lucee Administrator imgProcess.cfm Arbitrary File Write by wvu,, iamnoooob, and rootxharsh, which exploits CVE-2021-21307 - An unauthenticated user is permitted to make requests through the
imgProcess.cfmendpoint, and using the
fileparameter which contains a directory traversal vulnerability, they can write a file to an arbitrary location. Combining the two capabilities, this module writes a CFML script to the vulnerable server and achieves unauthenticated code execution as the user running the Lucee server.
- Microsoft Exchange ProxyShell RCE by wvu, Jang, Orange Tsai, PeterJson, Spencer McIntyre, brandonshi123, and mekhalleh (RAMELLA Sébastien), which exploits CVE-2021-31207 - Added an exploit for the ProxyShell attack chain against Microsoft Exchange Server.
Enhancements and features
- #15540 from dwelch-r7 - This adds an option to
cmd_executeto have the command run in a subshell by Meterpreter.
- #15556 from pingport80 - This adds shell session compatibility to the
- #15564 from pingport80 - This adds support to the
command_exists?post API methods for Powershell session types.
- #15303 from pingport80 - This PR ensures that the shell
dircommand returns a list.
- #15332 from pingport80 - This improves localization support and compatibly in the session post API related to the
- #15539 from tomadimitrie - This improves the OS version in the
- #15546 from timwr - This ensures that the UUID URLs of stageless reverse_http(s) payloads are stored in the database so that they can be properly tracked with payload UUID tracking. This also fixes an error caused by accessing contents of a url list without checking if it's valid first.
- #15570 from adfoster-r7 - This fixes a bug in the
auxiliary/scanner/smb/smb_enum_gppmodule where the path that was being generated by the module caused an SMB exception to be raised.
As always, you can update to the latest Metasploit Framework with
msfupdate and you can get more details on the changes since the last blog post from GitHub:
If you are a
git user, you can clone the Metasploit Framework repo (master branch) for the latest. To install fresh without using git, you can use the open-source-only Nightly Installers or the binary installers (which also include the commercial edition).