Vulnerability is in the eye of the beholder
Community contributor TrGFxX has authored a neat module that exploits firmware authored by UDP Technology and provided to multiple large OEMs (including Geutebruck), giving RCE as root on machines running the web interface of the Geutebruck G-Cam and G-Code products. For more information on the vulnerability, check out the CISA advisory.
OpManager exploit is OP plz nerf
Our very own zeroSteiner authored a module implementing both an exploit and a patch bypass for a Java deserialization vulnerability that exists in numerous versions of ManageEngine's OpManager software. This module allows payload execution as either `NT AUTHORITY\SYSTEM` on Windows or `root` on Linux. On top of this new module, zeroSteiner made improvements to help utilize the increasingly essential YSoSerial tool. You should definitely check it out if you're interested in exploring other Java deserialization vulns.
Putting the Win in WinRM
In a big win for Metasploit, community contributor smashery finished off their month-long effort to get fully functional shells working across WinRM! These new sessions support post modules, NTLMSSP authentication, and are also able to run without a payload in remote memory, making these sessions pretty hard to detect. This is a major improvement over the previous WinRM implementation that only supported execution of a single command, so huge thanks again to smashery.
You can tell a lot about a protocol from its handshake
In one final noteworthy addition, smashery has once again come through with a PR that significantly improves our RDP library. Metasploit users can now capture the NETBIOS computer name, NETBIOS domain name, DNS computer name, DNS domain name, and OS version from the NTLM handshake carried out over RDP, and our rdp_scanner module has been updated to display this info to all the RDP sniffers out there.
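The fields the scanner now reports all live in the server's NTLM CHALLENGE_MESSAGE: the host names sit in the TargetInfo AV_PAIR list and the OS version in the Version block (MS-NLMP 2.2.1.2). The parser below is an added illustration, not Metasploit's own code or the `Net::NTLM` library; the sample message it builds is constructed here with made-up host names, and the helper names are hypothetical.

```ruby
# Added example (not Metasploit code): extract NetBIOS/DNS names and the OS
# version from an NTLM CHALLENGE_MESSAGE (Type 2), as seen during RDP NLA.
AV_IDS = { 1 => :nb_computer_name, 2 => :nb_domain_name,
           3 => :dns_computer_name, 4 => :dns_domain_name, 5 => :dns_tree_name }.freeze
NTLMSSP_NEGOTIATE_VERSION = 0x02000000

def parse_ntlm_challenge(msg)
  raise ArgumentError, 'not an NTLMSSP message' unless msg[0, 8] == "NTLMSSP\x00".b
  raise ArgumentError, 'not a CHALLENGE_MESSAGE' unless msg[8, 4].unpack1('V') == 2

  flags = msg[20, 4].unpack1('V')
  ti_len, _ti_max, ti_off = msg[40, 8].unpack('vvV')   # TargetInfoFields
  info = {}

  # Walk the AV_PAIR list: AvId(2) AvLen(2) Value, terminated by MsvAvEOL (id 0).
  pos = ti_off
  stop = ti_off + ti_len
  while pos + 4 <= stop
    av_id, av_len = msg[pos, 4].unpack('vv')
    pos += 4
    break if av_id == 0
    value = msg[pos, av_len]
    pos += av_len
    key = AV_IDS[av_id]
    info[key] = value.force_encoding('UTF-16LE').encode('UTF-8') if key
  end

  # The Version block (offset 48) is only meaningful when the server set NEGOTIATE_VERSION.
  if (flags & NTLMSSP_NEGOTIATE_VERSION) != 0
    major, minor, build = msg[48, 4].unpack('CCv')
    info[:os_version] = "#{major}.#{minor} build #{build}"
  end
  info
end

def utf16(s); s.encode('UTF-16LE').b; end
def av_pair(id, value); [id, value.bytesize].pack('vv') + value; end

# Constructed sample challenge (hypothetical host names, not a capture from a real system).
def sample_challenge
  target_name = utf16('CORP')
  target_info = av_pair(2, utf16('CORP')) + av_pair(1, utf16('DC01')) +
                av_pair(4, utf16('corp.example')) + av_pair(3, utf16('dc01.corp.example')) +
                [0, 0].pack('vv')                                   # MsvAvEOL
  flags = 0x00000001 | 0x00000200 | 0x00800000 | NTLMSSP_NEGOTIATE_VERSION  # UNICODE|NTLM|TARGET_INFO|VERSION
  "NTLMSSP\x00".b + [2].pack('V') +
    [target_name.bytesize, target_name.bytesize, 56].pack('vvV') +  # TargetNameFields
    [flags].pack('V') + (1..8).to_a.pack('C*') + ("\x00" * 8).b +   # flags, ServerChallenge, Reserved
    [target_info.bytesize, target_info.bytesize, 56 + target_name.bytesize].pack('vvV') +
    [10, 0, 19041, 0, 0, 0, 15].pack('CCvCCCC') +                   # Version: 10.0 build 19041, rev 15
    target_name + target_info
end
```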
New module content (3)
- Direct windows syscall evasion technique by Yaz - This adds a new evasion module that uses direct syscalls on 64-bit versions of Windows to evade detection.
- Geutebruck instantrec Remote Command Execution by Ibrahim Ayadhi - RandoriSec and Titouan Lazard - RandoriSec, which exploits CVE-2021-33549 - This module exploits an unauthenticated buffer overflow vulnerability within the `action` parameter of the `/uapi-cgi/instantrec.cgi` endpoint in various Geutebruck G-Cam and G-Code devices. The exploit results in code execution as the `root` user on target devices.
- ManageEngine OpManager SumPDU Java Deserialization by Johannes Moritz, Robin Peraglie, and Spencer McIntyre, which exploits CVE-2021-3287 - The `exploit/multi/http/opmanager_sumpdu_deserialization` module implements an exploit (CVE-2020-28653) and patch bypass (CVE-2021-3287) for a Java deserialization vulnerability that exists in numerous versions of ManageEngine's OpManager software. Arbitrary code execution as the `NT AUTHORITY\SYSTEM` user on Windows or the `root` user on Linux is achieved by sending a PDU to the SmartUpdateManager handler.
Enhancements and features
- #15684 from adfoster-r7 - This improves interactive shell performance for pasted user input.
- #15696 from smashery - This updates the RDP scanner module to extract and show additional information gathered from the NTLM handshake used for Network Level Authentication (NLA).
- #15632 from smashery - This improves Metasploit's WinRM capabilities by allowing shell sessions to be established over the protocol. The shell sessions are interactive and are usable with post modules.
- #15600 from agalway-r7 - This fixes an issue with encrypted payloads during session setup. The logic that gathers session info is now located in the bootstrap method, which ensures that this functionality is always carried out before any commands are sent.
- #15666 from timwr - This fixes an issue found in Meterpreter's `download` functionality where downloading a file with a name containing Unicode characters would fail due to incompatible encoding.
- #15679 from nvn1729 - This fixes a bug where the tomcat_mgr_upload module was not correctly undeploying the app after exploitation occurred.
- #15686 from jmartin-r7 - This fixes a crash in `msfrpc` that occurs due to the `MINIONS` option default being a regex instead of a string.
- #15695 from adfoster-r7 - This fixes a crash in the `exploit/unix/local/setuid_nmap` module and adds logging to print the result of the exploit's last command so the user knows what happened in the event of a failure.
- #15697 from smashery - This updates the HTTP NTLM information enumeration module to use the `Net::NTLM` library for consistent data processing without a custom parser.
As always, you can update to the latest Metasploit Framework with `msfupdate`, and you can get more details on the changes since the last blog post from GitHub:
If you are a `git` user, you can clone the Metasploit Framework repo (master branch) for the latest. To install fresh without using git, you can use the open-source-only Nightly Installers or the binary installers (which also include the commercial edition).