National Cyber Warfare Foundation (NCWF) Forums


Metasploit Weekly Wrap-Up 02 23 2024


0 user ratings		2024-02-23 17:55:16
milo
Red Team (CNA)
Metasploit adds a new LDAP capture module as well as the Ivanti Connect Secure unauthenticated RCE.

LDAP Capture module


Metasploit Weekly Wrap-Up 02/23/2024

Metasploit now has an LDAP capture module thanks to the work of llcjngdjttrvddchfntdbinjblktjjetrtifdlibuchh

JustAnda7. This work was completed as part of the Google Summer of Code program.


When the module runs it will by default require privileges to listen on port 389. The module implements a default implementation for BindRequest, SearchRequest, UnbindRequest, and will capture both plaintext credentials and NTLM hashes which can be brute-forced offline. Upon receiving a successful Bind Request, a ldap_bind: Authentication method not supported (7) error is sent to the connecting client.


The module can be with run:


msf6 > use auxiliary/server/capture/ldap
msf6 auxiliary(server/capture/ldap) > run

Incoming requests will have their credentials stored for later use:


[+] LDAP Login attempt => From:10.0.2.15:48198 Username:User Password:Pass
[+] LDAP Login Attempt => From:127.0.0.1:55566	 Username:admin	 ntlm_hash::8aa0e517cd547b4032ff7e9c5359c200879aa5a8031d3d74	 Domain:DOMAIN

These values will be stored in the database for later retrieval:


msf6 auxiliary(server/capture/ldap) > creds
Credentials
===========
host       origin     service         public  private  realm        private_type  JtR Format
----       ------     -------         ------  -------  -----        ------------  ----------
10.0.2.15  10.0.2.15  389/tcp (ldap)  User    Pass     example.com  Password

Ivanti exploit module


Another honorable mention for this week’s Metasploit release is a module by sfewer-r7 that chains two recently disclosed vulnerabilities(CVE-2024-21893 and CVE-2024-21887) in Ivanti gateways to achieve remote code execution on a vulnerable target. The vulnerabilities are both being widely exploited in the wild. Read Rapid7’s full technical analysis of the exploit chain in AttackerKB.


New module content (4)


Authentication Capture: LDAP


Author: JustAnda7

Type: Auxiliary

Pull request: #18678 contributed by jmartin-tech

Path: server/capture/ldap


Description: Adds a new auxiliary/server/capture/ldap module that emulates an LDAP Server. The server accepts a user's bind request, and the user credentials or NTLM hash is then captured, logged, and persisted to the currently active database. An ldap_bind: Authentication method not supported (7) error is sent to the connecting client.


Ivanti Connect Secure Unauthenticated Remote Code Execution


Author: sfewer-r7

Type: Exploit

Pull request: #18792 contributed by sfewer-r7

Path: linux/http/ivanti_connect_secure_rce_cve_2024_21893

AttackerKB references: CVE-2024-21887, CVE-2023-36661, CVE-2024-21893


Description: This module exploits the recently disclosed SSRF vulnerability (CVE-2024-21893) in Ivanti Connect Secure and Ivanti Policy Secure. The SSRF is chained to a command injection vulnerability (CVE-2024-21887) to achieve unauthenticated RCE.


Kafka UI Unauthenticated Remote Command Execution via the Groovy Filter option.


Authors: BobTheShopLifter and Thingstad and h00die-gr3y [email protected]

Type: Exploit

Pull request: #18700 contributed by h00die-gr3y

Path: linux/http/kafka_ui_unauth_rce_cve_2023_52251

AttackerKB reference: CVE-2023-52251


Description: This PR adds an exploit module for a command injection vulnerability that exists in Kafka-ui between v0.4.0 and v0.7.1 that allows an attacker to inject and execute arbitrary shell commands via the groovy filter parameter at the topic section.


QNAP QTS and QuTS Hero Unauthenticated Remote Code Execution in quick.cgi


Authors: Spencer McIntyre, jheysel-r7, and sfewer-r7

Type: Exploit

Pull request: #18832 contributed by sfewer-r7

Path: linux/http/qnap_qts_rce_cve_2023_47218

AttackerKB reference: CVE-2023-47218


Description: The PR adds a module targeting CVE-2023-47218, an unauthenticated command injection vulnerability affecting QNAP QTS and QuTH Hero devices. CVE-2023-47218 was discovered and disclosed by Stephen Fewer.


Enhanced Modules (2)


Modules which have either been enhanced, or renamed:



  • #18125 from JustAnda7 - This PR adds a module to launch an LDAP service supporting capture and storage of Simple Authentication attempts. When launching this module with default options users must have permissions to bind to port 389.

  • #18681 from h00die - This PR updates the pre-existing apache_ofbiz_deserialization module to include functionality that will bypass authentication by using the newly discovered auth-bypass vulnerability: CVE-2023-51467.


Enhancements and features (8)



  • #18376 from JustAnda7 - This PR adds support for LDAP capture of NTLM authentication and adds a default implementation for LDAP BindRequest, SearchRequest, UnbindRequest, as well as a default action for unsupported requests.

  • #18817 from dwelch-r7 - This PR adds support to now bucket module options that are output after running the options command. This will be for modules that support either an RHOST or a SESSION connection to show that only one or the other is required when using the new session type features for SMB/MSSQL/MYSQL/PostgreSQL sessions.

  • #18847 from sjanusz-r7 - This PR adds proxy support for getting a PostgreSQL session via the postgres_login module.

  • #18848 from sjanusz-r7 - This PR adds proxy support for getting a MSSQL session via the mssql_login module.

  • #18854 from sjanusz-r7 - This PR adds proxy support for getting a MySQL session via the mysql_login module.

  • #18855 from sjanusz-r7 - This PR removes the cwd convention from SQL-based sessions, and instead uses a more appropriate def database_name computed value rather than a cached variable.

  • #18863 from sjanusz-r7 - This PR adds in the ENVCHANGE types to the MSSQL client mixin, and uses those to fetch the initial DB name received from the server.

  • #18864 from cgranleese-r7 - Adds an alias for ls and dir inside SMB sessions.


Bugs fixed (5)



  • #18770 from dwelch-r7 - Fixes a bug when multiple new session types (SMB, PostgreSQL, MSSQL, MySQL) were enabled with the features set postgresql_session_type true command.

  • #18842 from upsidedwn - Updates the Metasploit Dockerfile to correctly honor user provided bundler config arguments.

  • #18850 from adfoster-r7 - Fixes failing ldap server tests.

  • #18861 from cgranleese-r7 - Removes SessionType values from modules with OptionalSession mixin.

  • #18871 from adfoster-r7 - Fixes a crash when using the webconsole.


Documentation added (1)



  • #18857 from jlownie - Updates the Wiki documentation on running the Metasploit database to be more clear.


You can always find more documentation on our docsite at docs.metasploit.com.


Get it


As always, you can update to the latest Metasploit Framework with msfupdate

and you can get more details on the changes since the last blog post from

GitHub:



If you are a git user, you can clone the Metasploit Framework repo (master branch) for the latest.

To install fresh without using git, you can use the open-source-only Nightly Installers or the

commercial edition Metasploit Pro




Source: Rapid7
Source Link: https://blog.rapid7.com/2024/02/23/metasploit-weekly-wrap-up-02-23-2024/

Comments
new comment
Nobody has commented yet. Will you be the first?
  
Forum
Red Team (CNA)


© Copyright 2012 through 2024 - National Cyber War Foundation - All rights reserved worldwide.