Capture Credentials with our new SMB Server

Our own Adam Galway revamped the old SMB capture module and now supports NTLMv1 and NTLMv2, as well as SMB1, SMB2 and SMB3. This was possible thanks to @zeroSteiner's new RubySMB server implementation. Metasploit is now able to capture NTLM hashes from any recent Windows releases using the SMB2 and SMB3 dialects, even with encrypted SMB traffic.

Revenge of the Clones

Earlier this year, an outstanding vulnerability in Git clients was disclosed and identified as CVE-2021-21300. It allows an attacker to execute scripts on the victim's system when cloning a specially crafted repository onto a case-insensitive file system such as NTFS, HFS+ or APFS. Our own Shelby Pace just added a new exploit module that leverages this flaw to achieve remote code execution. First, the module creates a fake Git repository and waits for the victim to clone it. This process will deliver a post-checkout script with the payload that will be automatically executed upon checkout of the repository.

Note that for this exploit to work, the victim's Git client must support delay-capable clean / smudge filters and symbolic links. The former is enabled by default on Windows through Git-lfs.

Don't clone repositories you don't trust!

Exploiting eBPF on Linux

A new local exploit module that leverages a bug in the Linux eBPF feature was added by Grant Willcox this week. This vulnerability is identified as CVE-2021-3490 and allows a local attacker to achieve code execution as the root user by conducting an out-of-bounds read and write in the Linux kernel. This is possible due to a flaw in eBPF verifier's verification of ALU32 operations. This module is based on @chompie1337's PoC code and should work on any vulnerable kernel versions (from 5.7-rc1 prior to 5.13-rc4, 5.12.4, 5.11.21, and
5.10.37). Note that, at the moment, it has only been tested on Ubuntu 20.04 (Focal Fossa) 5.8.x kernels prior to 5.8.0-53.60, Ubuntu 20.10 (Groovy Gorilla) 5.8.x kernels prior to 5.8.0-53.60, Ubuntu 21.04 (Hirsute Hippo) 5.11.x kernels prior to 5.11.0-17.18 and Fedora kernel versions 5.x from 5.7.x up to but not including 5.11.20-300. However, the module documentation includes some instructions for porting the exploit over onto other systems.

New module content (4)

  • Geutebruck Multiple Remote Command Execution by Ibrahim Ayadhi, Sébastien Charbonnier, and Titouan Lazard, which exploits CVE-2021-33554 - A new module has been added which bypasses authentication and exploits CVE-2021-33544, CVE-2021-33548, and CVE-2021-33550-33554 on Geutebruck G-Cam EEC-2xxx and G-Code EBC-21xx, EFD-22xx, ETHC-22xx, and EWPC-22xx devices running firmware versions <= 1.12.0.27 as well as firmware versions 1.12.13.2 and 1.12.14.5. Successful exploitation results in remote code execution as the root user.
  • Linux eBPF ALU32 32-bit Invalid Bounds Tracking LPE by Grant Willcox, Manfred Paul, and chompie1337, which exploits ZDI-21-606 - This adds a module that uses @chompie1337's CVE-2021-3490 PoC code to elevate privileges to root on affected Linux systems. It's been tested to work on clean installs of Ubuntu 21.04, Ubuntu 20.10, Ubuntu 20.04.02, as well as Fedora running affected versions of the 5.7, 5.8, 5.9, 5.10 and 5.11 kernels.
  • Git LFS Clone Command Exec by Johannes Schindelin, Matheus Tavares, and Shelby Pace, which exploits CVE-2021-21300 - An exploit module has been added for CVE-2021-21300, a RCE vulnerability in affected Git clients that support delay-capable clean / smudge filters and symbolic links on case-insensitive file systems. Additionally, a set of mixins that aid in exploiting Git clients over the Smart HTTP protocol have been added into Metasploit and the code for older Git-related exploits has been updated to utilize some of this new code.
  • Overhaul SMB auth capture server from agalway-r7 - This updates the SMB capture server to be compatible with clients using the SMB 2 and SMB 3 dialects. SMB 1 has not been enabled in Windows 10 since v1709 was released in 2017. This allows the module to be compatible with recent releases.

Enhancements and features

  • #15253 from adfoster-r7 - Updates Metasploit to support URI arguments to set module datastore values. The currently supported protocols are http, smb, mysql, postgres, and ssh.
  • #15537 from adfoster-r7 - Adds support for Ruby 3
  • #15582 from bcoles - The code for Msf::Post::Linux::Kernel.unprivileged_bpf_disabled? has been updated to support new values supported by kernel.unprivileged_bpf_disabled which were introduced in Linux kernels since 5.13 and 5.14-rc+HEAD, particularly the value 2 which means Unprivileged calls to bpf() are disabled, whereas the value 1 is now used to indicate Unprivileged calls to bpf() are disabled without recovery
  • #15606 from adfoster-r7 - Improves Python Meterpreter to gracefully handle unsupported command ids, and cleaning up process objects correctly. Additionally enhances mingw build support for Windows Meterpreter, and now correctly interprets a transport session time of 0 as never expiring.
  • #15621 from jmartin-r7 - Updates the Metasploit docker container to additionally include Go as a dependency.
  • #15623 from zeroSteiner - The creds command has been updated to support several new features: supporting formatting NetNTLMv1 and NetNTLMv2 hash for both the JtR and Hashcat formatters, filtering hashes based on the realm, not truncating hashes when writing them to a CSV file, filtering based on the JtR format type name, support for applying the same filtering to output files that can be applied when generating the creds table, and support for ensuring output consistency when writing output to a file.

Bugs fixed

  • #15375 from HynekPetrak - This PR fixes a bug whereby Metasploit would sometimes crash when remote LDAP servers returned a null character in the base_dn string, and also enhances modules/auxiliary/gather/ldap_hashdump.rb to handle sha256 hashes and skip hashes in cases of LK (locked account) and NP (no password) credentials.

  • #15572 from adfoster-r7 - This PR implements a fix to correctly handle quoted console options and whitespace

  • #15573 from dwelch-r7 - The simplify_module function has been updated so that by default it will not load LHOST/RHOST from the config file and instead use the values set in the options.

  • #15590 from sjanusz-r7 - A bug has been fixed that prevented external modules from properly handling the encoding of UTF-8 characters.

  • #15596 from tomadimitrie - A bug has been fixed in docker_credential_wincred whereby the regex would sometimes match on IP addresses and other invalid entries instead of the expected Docker version string. This has now been fixed by tightening the regex to make it more specific and restrictive.

  • #15628 from timwr - Ensures the session table is refreshed whenever the sysinfo command is run, and whenever stdapi is loaded manually. This should also fix a minor bug where if you run an exploit on an existing session, the session information never gets updated (e.g the username from User -> SYSTEM). Now it's refreshed when you run meterpreter > sysinfo.

  • #15629 from jmartin-r7 - Fixes a regression issue where msfconsole crashed on startup when running on a Windows environments

Get it

As always, you can update to the latest Metasploit Framework with msfupdate and you can get more details on the changes since the last blog post from GitHub:

If you are a git user, you can clone the Metasploit Framework repo (master branch) for the latest. To install fresh without using git, you can use the open-source-only Nightly Installers or the binary installers (which also include the commercial edition).