New ground was broken today with the addition of two PRs from community contributor sempervictus, also known as RageLtMan, who added the ability for Metasploit to establish sessions to EC2 instances using Amazon's SSM interface, which provides a public API to execute commands or create real-time interactive websocket command shells. This can result in passwordless elevation of privilege in most if not all cases.
This module is also very helpful as it provides pentesters with the tools required to show the impact of having SSM exposed and can help reinforce the importance of data governance, locality, isolation, and auditing. It can also show how user-based access control systems may be bypassed by the privileges users within IAM have using the SSM interface as an elevation of privilege pivot. Finally, it can also be used to demonstrate how attackers can exfiltrate data from systems which do not have network access outside of the cloud environment.
Community contributors Nolan LOSSIGNOL-DRILLIEN and Vladimir TOUTAIN added a module for exploiting a preauthentication contact database dump vulnerability in Dolibarr 16 prior to 16.0.5. Contact details are a great help for attackers as they can allow them to craft more believable phishing attacks and gain more information about the internal structure of a target company. They can also give information on a company's relationships with other companies which could reveal information about sensitive company dealings.
Router exploits are like fine wine. They just don't stop, and these devices are often left unpatched for years on end, which can lead to issues where they are compromised and used in attacks such as in the case of the Mirai botnet. Community contributors Anna Graterol, Mana Mostaani, and Nick Cottrell added a new module targeting CVE-2015-3035 which uses a directory traversal vulnerability in unpatched TP-LINK Archer C7 routers to dump arbitrary files on the target such as the
Description: This adds the ability for Metasploit to establish sessions to EC2 instances using Amazon's SSM interface. The result is an interactive shell that does not require the user to transfer a payload to the EC2 instance. For Windows targets, the shell is a a PTY enabled Powershell session that is incompatible with Post modules but supports user interaction.
Description: This PR adds an auxiliary module for DOSing a VSFTPD server from version 2.3.2 and below.
Description: A new scanner module has been added to scan for valid logins for Apache NiFi servers.
Description: This PR adds a version scanner for Apache NiFi.
Description: This adds a module that gather a specific file by leveraging a directory traversal vulnerability in TP-LINK Archer C7 routers. This vulnerability is identified as CVE-2015-3035.
Description: This adds a module that leverages an authorization bypass in Dolibarr version 16, prior to 16.0.5. This module dumps the contact database to retrieve customer file, prospects, suppliers and employee information. No authentication is needed for this exploit.
Description: This adds the ability for Metasploit to establish sessions to EC2 instances using Amazon's SSM interface. The result is an interactive shell that does not require the user to transfer a payload to the EC2 instance. For Windows targets, the shell is a PTY enabled PowerShell session that is incompatible with Post modules but supports user interaction.
logcommands to explain to how to set
LocalPagerso that users can adjust the editor that is used when running the
editcommand and the log file that is used for logging module runtime information, respectively.
to_handlercommand when running Evasion and Payload modules.
module_testlibrary correctly, resulting on them being dependent on other modules correctly setting the load path, which may not always occur.
returnstatement was added into
lib/msf/core/exploit/cmd_stager/http.rbto fix a Ruby syntax error when attempting to handle a 404 file not found case.
cmd/braceencoder whereby it did not appropriately escape braces.
ibm_sametime_enumerate_users.rbgather module that prevented exceptions that were raised from being appropriately caught.
test/modules/post/test/file.rbmodule previously did not work on Windows sessions due to it reading data from a Linux only file to determine what data to write for the binary file write operation. This has since been fixed so that the binary data is randomly generated vs being based off an OS specific file.
You can find the latest Metasploit documentation on our docsite at docs.metasploit.com.
As always, you can update to the latest Metasploit Framework with
and you can get more details on the changes since the last blog post from
If you are a
git user, you can clone the Metasploit Framework repo (master branch) for the latest.
To install fresh without using git, you can use the open-source-only Nightly Installers or the
binary installers (which also include the commercial edition).