New ground was broken today with the addition of two PRs from community contributor sempervictus, also known as RageLtMan, who added the ability for Metasploit to establish sessions to EC2 instances using Amazon's SSM interface, which provides a public API to execute commands or create real-time interactive websocket command shells. This can result in passwordless elevation of privilege in most if not all cases.
This module is also very helpful as it provides pentesters with the tools required to show the impact of having SSM exposed and can help reinforce the importance of data governance, locality, isolation, and auditing. It can also show how user-based access control systems may be bypassed by the privileges users within IAM have using the SSM interface as an elevation of privilege pivot. Finally, it can also be used to demonstrate how attackers can exfiltrate data from systems which do not have network access outside of the cloud environment.
Community contributors Nolan LOSSIGNOL-DRILLIEN and Vladimir TOUTAIN added a module for exploiting a preauthentication contact database dump vulnerability in Dolibarr 16 prior to 16.0.5. Contact details are a great help for attackers as they can allow them to craft more believable phishing attacks and gain more information about the internal structure of a target company. They can also give information on a company's relationships with other companies which could reveal information about sensitive company dealings.
Router exploits are like fine wine. They just don't stop, and these devices are often left unpatched for years on end, which can lead to issues where they are compromised and used in attacks such as in the case of the Mirai botnet. Community contributors Anna Graterol, Mana Mostaani, and Nick Cottrell added a new module targeting CVE-2015-3035, which uses a directory traversal vulnerability in unpatched TP-LINK Archer C7 routers to dump arbitrary files on the target, such as the /etc/passwd file.
Author: RageLtMan
Type: Auxiliary
Pull request: #17430 contributed by sempervictus
Description: This adds the ability for Metasploit to establish sessions to EC2 instances using Amazon's SSM interface. The result is an interactive shell that does not require the user to transfer a payload to the EC2 instance. For Windows targets, the shell is a PTY-enabled PowerShell session that is incompatible with Post modules but supports user interaction.

Authors: Anna Graterol, Maksymilian Arciemowicz, Mana Mostaani, and Nick Cottrell (Rad10Logic)
Type: Auxiliary
Pull request: #18004 contributed by rad10
AttackerKB reference: CVE-2011-0762
Description: This PR adds an auxiliary module for DoSing a VSFTPD server of version 2.3.2 and below.

Author: h00die
Type: Auxiliary
Pull request: #18028 contributed by h00die
Description: A new scanner module has been added to scan for valid logins on Apache NiFi servers.

Author: h00die
Type: Auxiliary
Pull request: #18025 contributed by h00die
Description: This PR adds a version scanner for Apache NiFi.

Authors: Anna Graterol, Mana Mostaani, and Nick Cottrell
Type: Auxiliary
Pull request: #18003 contributed by rad10
AttackerKB reference: CVE-2015-3035
Description: This adds a module that gathers a specific file by leveraging a directory traversal vulnerability in TP-LINK Archer C7 routers. This vulnerability is identified as CVE-2015-3035.

Authors: Nolan LOSSIGNOL-DRILLIEN and Vladimir TOUTAIN
Type: Auxiliary
Pull request: #17899 contributed by vtoutain
Description: This adds a module that leverages an authorization bypass in Dolibarr version 16, prior to 16.0.5. The module dumps the contact database to retrieve customer files, prospects, suppliers and employee information. No authentication is needed for this exploit.

Author: sempervictus
Type: Payload
Pull request: #17430 contributed by sempervictus
Description: This adds the ability for Metasploit to establish sessions to EC2 instances using Amazon's SSM interface. The result is an interactive shell that does not require the user to transfer a payload to the EC2 instance. For Windows targets, the shell is a PTY-enabled PowerShell session that is incompatible with Post modules but supports user interaction.
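The SSM sessions described in the introduction and in the two sempervictus entries above leave an audit trail in CloudTrail, which is what a defender uses to see which IAM principal obtained execution on which instance without ever touching an instance credential. The script below is an added example written for this post (not code from the Metasploit module or from Amazon); it walks constructed CloudTrail records and reports StartSession and SendCommand calls per instance. Field names follow the CloudTrail record format; the account ID, ARNs, instance IDs and timestamps are made up.

```python
from typing import Iterable

# Constructed sample CloudTrail records (not real log data): one interactive
# SSM session, one run-command invocation against the same instance, and an
# unrelated EC2 API call that must be ignored.
SAMPLE_EVENTS = [
    {"eventSource": "ssm.amazonaws.com", "eventName": "StartSession",
     "eventTime": "2023-05-19T10:01:02Z",
     "userIdentity": {"arn": "arn:aws:iam::123456789012:user/dev-alice"},
     "requestParameters": {"target": "i-0abc123def456"}},
    {"eventSource": "ssm.amazonaws.com", "eventName": "SendCommand",
     "eventTime": "2023-05-19T10:05:40Z",
     "userIdentity": {"arn": "arn:aws:iam::123456789012:user/dev-alice"},
     "requestParameters": {"instanceIds": ["i-0abc123def456"],
                           "documentName": "AWS-RunShellScript"}},
    {"eventSource": "ec2.amazonaws.com", "eventName": "DescribeInstances",
     "eventTime": "2023-05-19T10:06:00Z",
     "userIdentity": {"arn": "arn:aws:iam::123456789012:user/dev-alice"},
     "requestParameters": {}},
]

# The two SSM API calls that yield code execution on an instance: an
# interactive websocket shell (StartSession) or a one-shot command (SendCommand).
EXEC_CALLS = {"StartSession", "SendCommand"}


def ssm_exec_events(events: Iterable[dict]) -> list[dict]:
    """Return one flat record per SSM call that executes on an instance."""
    hits = []
    for ev in events:
        if ev.get("eventSource") != "ssm.amazonaws.com":
            continue
        if ev.get("eventName") not in EXEC_CALLS:
            continue
        params = ev.get("requestParameters") or {}
        # StartSession carries a single "target"; SendCommand a list of instanceIds.
        targets = [params["target"]] if "target" in params else list(params.get("instanceIds", []))
        for inst in targets:
            hits.append({"time": ev["eventTime"], "principal": ev["userIdentity"]["arn"],
                         "call": ev["eventName"], "instance": inst,
                         "document": params.get("documentName")})
    return hits


def principals_by_instance(events: Iterable[dict]) -> dict[str, set[str]]:
    """Map each instance to the IAM principals that executed on it via SSM."""
    out: dict[str, set[str]] = {}
    for h in ssm_exec_events(list(events)):
        out.setdefault(h["instance"], set()).add(h["principal"])
    return out


if __name__ == "__main__":
    for inst, who in principals_by_instance(SAMPLE_EVENTS).items():
        print(inst, sorted(who))
```

Comparing this list against the principals expected to reach each instance is the quickest way to spot an IAM identity that is using SSM as the privilege pivot the introduction describes.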
The documentation for the edit and log commands now explains how to set LocalEditor and LocalPager, so that users can adjust the editor that is used when running the edit command and the log file that is used for logging module runtime information, respectively.
Changes to the to_handler command when running Evasion and Payload modules.
Module tests that did not load the module_test library correctly, leaving them dependent on other modules correctly setting the load path (which may not always occur), have been fixed.
A missing return statement was added to lib/msf/core/exploit/cmd_stager/http.rb to fix a Ruby syntax error when handling a 404 file-not-found case.
Fixed an issue in the cmd/brace encoder whereby it did not appropriately escape braces.
Fixed a bug in the ibm_sametime_enumerate_users.rb gather module that prevented raised exceptions from being appropriately caught.
The test/modules/post/test/file.rb module previously did not work on Windows sessions because it read data from a Linux-only file to determine what to write for the binary file write operation. The binary data is now randomly generated rather than being based on an OS-specific file.

You can find the latest Metasploit documentation on our docsite at docs.metasploit.com.
As always, you can update to the latest Metasploit Framework with msfupdate, and you can get more details on the changes since the last blog post from GitHub:

If you are a git user, you can clone the Metasploit Framework repo (master branch) for the latest. To install fresh without using git, you can use the open-source-only Nightly Installers or the binary installers (which also include the commercial edition).