Last updated at Mon, 05 Feb 2024 19:59:05 GMT

Cloud Fun With EC2

New ground was broken today with the addition of two PRs from community contributor sempervictus, also known as RageLtMan, who added the ability for Metasploit to establish sessions to EC2 instances using Amazon's SSM interface, which provides a public API to execute commands or create real-time interactive websocket command shells. This can result in passwordless elevation of privilege in most if not all cases.

This module is also very helpful as it provides pentesters with the tools required to show the impact of having SSM exposed and can help reinforce the importance of data governance, locality, isolation, and auditing. It can also show how user-based access control systems may be bypassed by the privileges users within IAM have using the SSM interface as an elevation of privilege pivot. Finally, it can also be used to demonstrate how attackers can exfiltrate data from systems which do not have network access outside of the cloud environment.

Contacts Are Like Cookies - I Need More

Community contributors Nolan LOSSIGNOL-DRILLIEN and Vladimir TOUTAIN added a module for exploiting a preauthentication contact database dump vulnerability in Dolibarr 16 prior to 16.0.5. Contact details are a great help for attackers as they can allow them to craft more believable phishing attacks and gain more information about the internal structure of a target company. They can also give information on a company's relationships with other companies which could reveal information about sensitive company dealings.

Router Exploits - They Never Stop

Router exploits are like fine wine. They just don't stop, and these devices are often left unpatched for years on end, which can lead to issues where they are compromised and used in attacks such as in the case of the Mirai botnet. Community contributors Anna Graterol, Mana Mostaani, and Nick Cottrell added a new module targeting CVE-2015-3035 which uses a directory traversal vulnerability in unpatched TP-LINK Archer C7 routers to dump arbitrary files on the target such as the /etc/passwd file.

New module content (7)

Amazon Web Services EC2 instance enumeration

Author: RageLtMan
Type: Auxiliary
Pull request: #17430 contributed by sempervictus

Description: This adds the ability for Metasploit to establish sessions to EC2 instances using Amazon's SSM interface. The result is an interactive shell that does not require the user to transfer a payload to the EC2 instance. For Windows targets, the shell is a PTY-enabled PowerShell session that is incompatible with Post modules but supports user interaction.

VSFTPD 2.3.2 Denial of Service

Authors: Anna Graterol, Maksymilian Arciemowicz, Mana Mostaani, and Nick Cottrell (Rad10Logic)
Type: Auxiliary
Pull request: #18004 contributed by rad10
AttackerKB reference: CVE-2011-0762

Description: This PR adds an auxiliary module for DOSing a VSFTPD server from version 2.3.2 and below.

Apache NiFi Login Scanner

Author: h00die
Type: Auxiliary
Pull request: #18028 contributed by h00die

Description: A new scanner module has been added to scan for valid logins for Apache NiFi servers.
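A login scanner leaves a recognisable trace on the target: a burst of failed authentications from one client, often across several usernames, sometimes followed by a success. The script below is an added example for detecting that pattern from the defender's side; it is not part of Metasploit or of the NiFi scanner module. The event lines are constructed and use a simplified "timestamp client user outcome" format rather than NiFi's own log format, so a real deployment would need to swap in a parser for the actual log layout.

```ruby
require 'time'

# Constructed sample authentication events (not real NiFi log output).
AUTH_EVENTS = [
  '2024-02-05T09:00:00Z 198.51.100.23 alice OK',
  '2024-02-05T09:00:12Z 203.0.113.7 admin FAIL',
  '2024-02-05T09:00:13Z 203.0.113.7 admin FAIL',
  '2024-02-05T09:00:14Z 203.0.113.7 nifi FAIL',
  '2024-02-05T09:00:15Z 203.0.113.7 root FAIL',
  '2024-02-05T09:00:16Z 203.0.113.7 operator FAIL',
  '2024-02-05T09:00:17Z 203.0.113.7 operator OK',
  '2024-02-05T09:05:00Z 198.51.100.23 alice FAIL',
  '2024-02-05T09:20:00Z 198.51.100.23 alice FAIL'
].freeze

Event = Struct.new(:time, :client, :user, :outcome)

# Parse one constructed event line into an Event.
def parse_event(line)
  ts, client, user, outcome = line.split(' ', 4)
  Event.new(Time.iso8601(ts), client, user, outcome)
end

# Sliding-window detector: for every client that produces at least `threshold`
# failed logins within `window` seconds, return the first failure time, the
# number of failures in the window, the distinct usernames tried, and whether a
# successful login from the same client followed inside the window.
def detect_login_bursts(lines, threshold: 5, window: 60)
  events    = lines.map { |l| parse_event(l) }.sort_by(&:time)
  failures  = events.select { |e| e.outcome == 'FAIL' }
  successes = events.select { |e| e.outcome == 'OK' }
  alerts = {}

  failures.group_by(&:client).each do |client, fails|
    start = 0
    fails.each_with_index do |ev, i|
      # Advance the window start until the oldest failure is within `window`.
      start += 1 while ev.time - fails[start].time > window
      count = i - start + 1
      next if count < threshold

      window_start = fails[start].time
      users = fails[start..i].map(&:user).uniq
      success_after = successes.any? do |s|
        s.client == client && s.time >= window_start && s.time - window_start <= window
      end
      alerts[client] = { first: window_start, failures: count,
                         users: users, success_after: success_after }
    end
  end
  alerts
end

if __FILE__ == $PROGRAM_NAME
  detect_login_bursts(AUTH_EVENTS).each do |client, a|
    puts "#{client}: #{a[:failures]} failures from #{a[:first].iso8601}, " \
         "users=#{a[:users].join(',')}, success_after=#{a[:success_after]}"
  end
end
```

The `success_after` flag is the field worth paging on: a burst of failures that ends in a success is a stronger signal of a guessed credential than the burst alone.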

Apache NiFi Version Scanner

Author: h00die
Type: Auxiliary
Pull request: #18025 contributed by h00die

Description: This PR adds a version scanner for Apache NiFi.

Archer C7 Directory Traversal Vulnerability

Authors: Anna Graterol, Mana Mostaani, and Nick Cottrell
Type: Auxiliary
Pull request: #18003 contributed by rad10
AttackerKB reference: CVE-2015-3035

Description: This adds a module that gathers a specific file by leveraging a directory traversal vulnerability in TP-LINK Archer C7 routers. This vulnerability is identified as CVE-2015-3035.
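Both the Archer C7 write-up above and this module entry come down to the same defect: a request path containing `..` (plain, percent-encoded, double-encoded or with backslashes) is joined to a document root without checking that the result stays inside it. The script below is an added example, not code from the page, from Metasploit or from any router firmware. It shows the two defensive halves: a detector that flags traversal attempts in access-log request paths, and a resolver that refuses to serve anything outside the root. The log lines are constructed; the paths and client addresses are samples.

```ruby
# Constructed combined-format access log lines (not from any real server).
REQUEST_LOG = [
  '198.51.100.23 - - [05/Feb/2024:10:00:01 +0000] "GET /images/logo.png HTTP/1.1" 200 5120',
  '198.51.100.23 - - [05/Feb/2024:10:00:02 +0000] "GET /css/../images/logo.png HTTP/1.1" 200 5120',
  '203.0.113.7 - - [05/Feb/2024:10:00:05 +0000] "GET /images/../../etc/passwd HTTP/1.1" 404 0',
  '203.0.113.7 - - [05/Feb/2024:10:00:06 +0000] "GET /%2e%2e/%2e%2e/etc/passwd HTTP/1.1" 404 0',
  '203.0.113.7 - - [05/Feb/2024:10:00:07 +0000] "GET /%252e%252e%252fetc%252fpasswd HTTP/1.1" 404 0',
  '203.0.113.7 - - [05/Feb/2024:10:00:08 +0000] "GET /..\\..\\etc\\passwd HTTP/1.1" 404 0'
].freeze

# Decode %XX sequences repeatedly (bounded) so that double-encoded traversal
# such as %252e%252e is seen as "..". Stops early once the string is stable.
def percent_decode(path, max_rounds = 3)
  max_rounds.times do
    decoded = path.gsub(/%([0-9A-Fa-f]{2})/) { $1.hex.chr }
    break if decoded == path
    path = decoded
  end
  path
end

# True when the decoded path climbs above its root at any point. A ".." that
# only cancels an earlier segment (css/../images) is not an escape.
def traversal_attempt?(raw_path)
  path = percent_decode(raw_path).gsub('\\', '/')
  depth = 0
  path.split('/').each do |segment|
    next if segment.empty? || segment == '.'
    if segment == '..'
      depth -= 1
      return true if depth < 0
    else
      depth += 1
    end
  end
  false
end

# Resolve a requested path lexically under `root`; returns nil if the result
# escapes the root. The leading "./" keeps File.expand_path from treating a
# leading "~" as a home-directory reference.
def resolve_under(root, requested)
  root_abs = File.expand_path(root)
  prefix   = root_abs.end_with?('/') ? root_abs : root_abs + '/'
  target   = File.expand_path('./' + percent_decode(requested).gsub('\\', '/'), root_abs)
  return nil unless target == root_abs || target.start_with?(prefix)
  target
end

# Pull the request path out of each access-log line and report the ones that
# try to escape the document root.
def flag_traversal_requests(lines)
  lines.filter_map do |line|
    m = line.match(/"(?:GET|POST|HEAD) (\S+) HTTP\//)
    next unless m && traversal_attempt?(m[1])
    { client: line.split(' ').first, path: m[1] }
  end
end

if __FILE__ == $PROGRAM_NAME
  flag_traversal_requests(REQUEST_LOG).each { |f| puts "#{f[:client]} #{f[:path]}" }
end
```

Note that `resolve_under` is purely lexical: it does not follow symbolic links, so a symlink inside the root that points outside it still needs to be handled by the file-serving layer.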

Dolibarr 16 pre-auth contact database dump

Authors: Nolan LOSSIGNOL-DRILLIEN and Vladimir TOUTAIN
Type: Auxiliary
Pull request: #17899 contributed by vtoutain

Description: This adds a module that leverages an authorization bypass in Dolibarr version 16, prior to 16.0.5. This module dumps the contact database to retrieve customer, prospect, supplier and employee information. No authentication is needed for this exploit.

AWS SSM Sessions

Author: sempervictus
Type: Payload
Pull request: #17430 contributed by sempervictus

Description: This adds the ability for Metasploit to establish sessions to EC2 instances using Amazon's SSM interface. The result is an interactive shell that does not require the user to transfer a payload to the EC2 instance. For Windows targets, the shell is a PTY enabled PowerShell session that is incompatible with Post modules but supports user interaction.
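The opening section and this payload entry make the same point from the defender's side: whoever holds `ssm:StartSession` or `ssm:SendCommand` on an instance has a shell on it without ever touching its credentials, so those two IAM actions deserve the same scrutiny as SSH keys. The script below is an added example, not code from Metasploit or from AWS. It audits IAM policy documents for grants of those actions and ranks them by how broadly they apply. The four policies are constructed samples (the account id and instance id are placeholders); the severity scale and the decision to treat a statement with a `Condition` as narrowable are this example's own assumptions.

```ruby
require 'json'

# Constructed sample IAM policy documents (not taken from any real account).
SAMPLE_POLICIES = {
  'broad-session-access' => <<~JSON,
    {"Version": "2012-10-17",
     "Statement": [{"Effect": "Allow",
                    "Action": ["ssm:StartSession", "ssm:SendCommand"],
                    "Resource": "*"}]}
  JSON
  'service-wildcard' => <<~JSON,
    {"Version": "2012-10-17",
     "Statement": [{"Effect": "Allow", "Action": "ssm:*", "Resource": "*"}]}
  JSON
  'scoped-to-one-instance' => <<~JSON,
    {"Version": "2012-10-17",
     "Statement": [{"Effect": "Allow",
                    "Action": "ssm:StartSession",
                    "Resource": "arn:aws:ec2:us-east-1:111122223333:instance/i-0abc0abc0abc0abc0"}]}
  JSON
  'inventory-read-only' => <<~JSON
    {"Version": "2012-10-17",
     "Statement": [{"Effect": "Allow",
                    "Action": ["ssm:DescribeInstanceInformation", "ssm:ListCommands"],
                    "Resource": "*"}]}
  JSON
}.freeze

# The two SSM actions that give a principal an interactive session or remote
# command execution on an instance.
SESSION_ACTIONS = %w[ssm:StartSession ssm:SendCommand].freeze

# IAM action strings may contain '*' wildcards and match case-insensitively,
# so "ssm:*" and "SSM:startsession" both cover ssm:StartSession.
def action_matches?(pattern, action)
  regex = Regexp.new('\A' + Regexp.escape(pattern).gsub('\*', '.*') + '\z', Regexp::IGNORECASE)
  regex.match?(action)
end

# Return one finding per (session action, resource) pair granted by an Allow
# statement. Conditions are not evaluated (assumption of this example): a
# wildcard resource with no Condition is :high, anything else is :medium.
def audit_ssm_policy(document)
  doc = document.is_a?(String) ? JSON.parse(document) : document
  findings = []
  Array(doc['Statement']).each do |stmt|
    next unless stmt['Effect'] == 'Allow'
    actions   = Array(stmt['Action'])
    resources = Array(stmt['Resource'])
    SESSION_ACTIONS.each do |session_action|
      next unless actions.any? { |a| action_matches?(a, session_action) }
      resources.each do |resource|
        severity = resource == '*' && !stmt.key?('Condition') ? :high : :medium
        findings << { action: session_action, resource: resource, severity: severity }
      end
    end
  end
  findings
end

# Summarise each policy by its worst finding (:none when it grants no session action).
def report(policies = SAMPLE_POLICIES)
  rank = { high: 2, medium: 1 }
  policies.map do |name, doc|
    worst = audit_ssm_policy(doc).map { |f| f[:severity] }.max_by { |s| rank[s] } || :none
    [name, worst]
  end.to_h
end

if __FILE__ == $PROGRAM_NAME
  report.each { |name, worst| puts format('%-24s %s', name, worst) }
end
```

Run against the policy documents attached to the roles and users that can reach an account, this separates the read-only SSM inventory permissions that are common and harmless from the two actions that amount to shell access.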

Enhancements and features (2)

  • #18021 from zeroSteiner - The PowerShell Post API methods use a mix of PowerShell and .NET methods which have different ways of keeping track of the current working directory. This change fixes the ambiguity by synchronizing the current working directory referenced by each set of methods.
  • #18031 from wvu - Updates the edit and log commands to explain how to set LocalEditor and LocalPager so that users can adjust the editor that is used when running the edit command and the log file that is used for logging module runtime information, respectively.

Bugs fixed (6)

  • #18019 from cgranleese-r7 - Fixes validation for the to_handler command when running Evasion and Payload modules.
  • #18026 from adfoster-r7 - A bug has been fixed in test modules whereby not all modules were manipulating the load path to require the module_test library correctly, resulting in them being dependent on other modules correctly setting the load path, which may not always occur.
  • #18030 from wvu - A missing return statement was added into lib/msf/core/exploit/cmd_stager/http.rb to fix a Ruby syntax error when attempting to handle a 404 file not found case.
  • #18032 from wvu - A bug has been fixed in the cmd/brace encoder whereby it did not appropriately escape braces.
  • #18036 from adfoster-r7 - A typo has been fixed in the ibm_sametime_enumerate_users.rb gather module that prevented exceptions that were raised from being appropriately caught.
  • #18052 from adfoster-r7 - The test/modules/post/test/file.rb module previously did not work on Windows sessions due to it reading data from a Linux-only file to determine what data to write for the binary file write operation. This has since been fixed so that the binary data is randomly generated rather than being based on an OS-specific file.

Documentation

You can find the latest Metasploit documentation on our docsite at docs.metasploit.com.

Get it

As always, you can update to the latest Metasploit Framework with msfupdate and you can get more details on the changes since the last blog post from GitHub:

If you are a git user, you can clone the Metasploit Framework repo (master branch) for the latest. To install fresh without using git, you can use the open-source-only Nightly Installers or the binary installers (which also include the commercial edition).