Last updated at Fri, 11 Feb 2022 21:07:08 GMT
Welcome, Little Hippo: PetitPotam
Our very own @zeroSteiner ported the PetitPotam exploit to Metasploit this week. This module leverages CVE-2021-36942, a vulnerability in the Windows Encrypting File System (EFS) API, to capture machine NTLM hashes. It uses the EfsRpcOpenFileRaw function of Microsoft's Encrypting File System Remote Protocol API (MS-EFSRPC) to coerce machine authentication to a user-controlled listener host; Metasploit's SMB capture server module can be used as that listener. The captured hashes are typically used as part of an NTLM relaying attack to take over other Windows hosts. Note that Microsoft has published guidance on how to mitigate NTLM relay attacks.
QEMU Human Monitor Interface RCE
Contributor @bcoles added an exploit module that abuses QEMU's Human Monitor Interface (HMP) TCP server to execute arbitrary commands via the migrate HMP command. Since the HMP TCP service is reachable from emulated devices, it is also possible to escape QEMU from a guest system using this module. Note that it doesn't work on Windows hosts, since the migrate command cannot spawn processes on that platform.
New module content (2)
- PetitPotam by GILLES Lionel and Spencer McIntyre, which exploits CVE-2021-36942 - This adds a new auxiliary scanner module that ports the PetitPotam tool to Metasploit and leverages CVE-2021-36942 to coerce Windows hosts to authenticate to a user-specified host, which enables an attacker to capture NTLM credentials for further actions, such as relay attacks.
- QEMU Monitor HMP 'migrate' Command Execution by bcoles - This adds a module that can exploit the QEMU HMP service to execute OS commands. The HMP TCP service is reachable from emulated devices, so it is possible to escape QEMU by exploiting this vulnerability.
Enhancements and features
- #16010 from lap1nou - This updates the zabbix_script_exec module with support for Zabbix version 5.0 and later. It also adds a new item-based execution technique and support for delivering Linux native payloads.
- #16163 from zeroSteiner - Support has been added for the ClaimsPrincipal .NET deserialization gadget chain, which was found by jang. An exploit which utilizes this enhancement will arrive shortly.
- #16125 from bcoles - This module can exploit GXV3140 models now that an ARCH_CMD target has been added.
- #16121 from timwr - This fixes an exception caused by exploits that call Msf::Post::Common without a valid session.
- #16142 from timwr - This fixes an issue with Meterpreter's getenv command that was not returning NULL when querying for a non-existing environment variable.
- #16143 from sjanusz-r7 - This fixes an issue where a Cygwin SSH session was not correctly identified as being a Windows device, due to a case sensitivity issue.
- #16147 from zeroSteiner - This fixes a bug where ssh_enumusers would only use one source in the generation of its user word list if both USER_FILE options were set. The module now pulls from all possible datastore options if they are set, including a new option
- #16160 from zeroSteiner - This fixes a crash when msfconsole is unable to correctly determine the hostname and current user within a shell prompt.
As always, you can update to the latest Metasploit Framework with
and you can get more details on the changes since the last blog post from
If you are a git user, you can clone the Metasploit Framework repo (master branch) for the latest.
To install fresh without using git, you can use the open-source-only Nightly Installers or the binary installers (which also include the commercial edition).