Last updated at Fri, 22 Apr 2022 19:21:00 GMT
ManageEngine ADSelfService Plus Authenticated RCE
This module is pretty exciting for us because it's for a vulnerability discovered by our very own Rapid7 researchers Jake Baines, Hernan Diaz, Andrew Iwamaye, and Dan Kelly.
The vulnerability allowed for attackers to leverage the "custom script" functionality to execute arbitrary operating system commands whenever domain users reset their passwords.
I won't go into too much depth though because we have a whole blog post here for you to check out with all the details!
Oh, and I almost forgot to mention this module comes with a brand new
jjs_reverse_tcp payload too.
Who watches the watch_queue?
This week we've also brought you an LPE for Linux via the watch_queue event notification system.
The module exploits a heap out-of-bounds write in kernel memory in versions prior to 5.18 but keep in mind the module currently only has the appropriate offsets for Ubuntu 20.10 with kernel version 5.13.0-37.
New module content (2)
- Watch Queue Out of Bounds Write by Jann Horn, bonfee, and bwatters-r7, which exploits CVE-2022-0995
- ManageEngine ADSelfService Plus Custom Script Execution by Andrew Iwamaye, Dan Kelley, Hernan Diaz, and Jake Baines, which exploits CVE-2022-28810 - This adds an exploit for CVE-2022-28810 which is an authenticated RCE in ManageEngine ADSelfService Plus.
Enhancements and features (6)
- #16437 from h00die - Adds ESXi as a recognizable type on ssh_login.
- #16438 from h00die - Some SMTP servers only give out credentials when prompted. Now, the module option 'AUTHPROMPT' exists to indicate whether or not the auth prompt is required by the server.
- #16446 from zeroSteiner - This updates the code for compatibility with the latest RubySMB 3.1 gem.
- #16458 from bcoles - The fortios_vpnssl_traversal_creds_leak module has been updated to appropriately attribute the original discoverers of the vulnerability and to credit their original blog post and research presentations.
- #16476 from bcoles - The
tools/dev/msftidy.rbtool has been updated to recommend using CVE datastore references over the cve.mitre.org URL references since this is more maintainable in the long run and will assist transitioning things when CVE transitions to cve.org later this year.
- #16477 from bcoles - This PR updates several modules to remove hardcoded URL references to the soon to be deprecated cve.mitre.org site, and where applicable, add in CVE references in place of these hardcoded URL references.
Bugs fixed (5)
- #16318 from heyder - Adds support to old key exchange algorithms in the net/ssh lib by defining the append_all_supported_algorithms to true.
- #16379 from heyder - Refactored a number of modules to use ssh_client_defaults.
- #16426 from usiegl00 - This fixes a crash in OSX Meterpreter's stager caused by mangled
dyldfunctions in MacOS Monterey.
- #16457 from jmartin-r7 - Recent updates in
Rex::Parser::Argumentsregressed the ability to have short flags with multiple characters. This restores functionality by updating the spec checks and library code to appropriately parse multiple character short flags and each individual short flag specified in a combined short flag.
- #16479 from cdelafuente-r7 - Meterpreter's
reg setvalcommand has been updated to allow setting a REG_BINARY key value with the
-doption with an arbitrarily long binary blob. Previously, this value was treated as a string which lead to an incorrect value being set in the registry field.
As always, you can update to the latest Metasploit Framework with
and you can get more details on the changes since the last blog post from
If you are a
git user, you can clone the Metasploit Framework repo (master branch) for the latest.
To install fresh without using git, you can use the open-source-only Nightly Installers or the
binary installers (which also include the commercial edition).