Metasploit Weekly Wrap-Up

## Add Windows target support for the Confluence OGNL injection module

![Metasploit Weekly Wrap-Up](https://blog.rapid7.com/content/images/2022/06/metasploit-sky-2.png)

Improves the `exploit/multi/http/atlassian_confluence_namespace_ognl_injection` module to support Windows server targets. The new target can run payloads in memory with PowerShell using the new payload adapters, or drop an executable to disk. Once a Meterpreter session is obtained, `getsystem` can be used to escalate to NT AUTHORITY\SYSTEM using the RPCSS technique (#5), since the Confluence service runs as NETWORK SERVICE by default.
Speaking of getsystem…

## EfsPotato – 6th getsystem technique

This adds the EfsPotato technique to the `getsystem` command in Meterpreter. The new technique leverages the EFSRPC API to elevate a user who has the SeImpersonatePrivilege permission enabled. Like the other `getsystem` techniques, this one works in memory with no configuration and escalates the current session to NT AUTHORITY\SYSTEM. It works on a wide variety of Windows systems and was tested successfully on versions 8 through 11.

## New module content (1)

* [#16676]() from [cdelafuente-r7]() – Adds a new `getsystem` technique that leverages the EFSRPC API to elevate a user with the `SeImpersonatePrivilege` permission to NT AUTHORITY\SYSTEM. This technique is often referred to as “EfsPotato”. It also improves the post module to use ACTIONS instead of the datastore TECHNIQUE option for a simpler user interface when using `info` or `show actions` for this module, allowing a user to determine which techniques are available from inside msfconsole.

## Enhancements and features (2)

* [#16650]() from [red0xff]() – This PR implements the method #read_from_file for PostgreSQL and MSSQL, and fixes the MySQL implementation. It also updates the test module to better handle multiline data returned from SQL queries.
* [#16692]() from [noraj]() – Updates various links to

## Bugs fixed (2)

* [#16597]() from [zeroSteiner]() – This fixes an issue with the encrypted shell payload stage that prevented it from being used with the new PowerShell command adapter. In addition, a number of payload modules have been updated to include an opts hash as a parameter for compatibility.
* [#16680]() from [zeroSteiner]() – This PR adds support for Windows targets to the `atlassian_confluence_namespace_ognl_injection` module and fixes an issue where the check method would fail to properly identify that Windows targets were even vulnerable due to how the command was being executed.

## Get it

As always, you can update to the latest Metasploit Framework with `msfupdate`
and you can get more details on the changes since the last blog post from
GitHub:

* [Pull Requests 6.2.3…6.2.4]()
* [Full diff 6.2.3…6.2.4]()

If you are a `git` user, you can clone the [Metasploit Framework repo]() (master branch) for the latest.
To install fresh without using git, you can use the open-source-only [Nightly Installers]() or the
[binary installers]() (which also include the commercial edition).
