## A sack full of cheer from the Hacking Elves of Metasploit
![Metasploit Weekly Wrap-Up](https://blog.rapid7.com/content/images/2022/12/metasploit-ascii-1-2.png)
It is clear that the Metasploit elves have been busy this season: Five new modules, six new enhancements, nine new bug fixes, and a partridge in a pear tree are headed out this week! (Partridge nor pear tree included.) In this sack of goodies, we have a gift that keeps on giving: [Shelbyâs]() [Acronis TrueImage Privilege Escalation]() works wonderfully, even _after_ the software is uninstalled.
## If you prefer elf files to holiday elves, weâve still got you covered
[Jan Rude]() submitted two modules targeting Syncovery for Linux. One takes advantage of an insecure session token generator and allows for the brute-force creation of a token that matches that of a logged-in user, and the other allows an authenticated user to create a job that will run when a userâs profile is run.
## New module content (5)
* [Syncovery For Linux Web-GUI Session Token Brute-Forcer]() by [Jan Rude](), which exploits [CVE-2022-36536]() – A new login scanner module that brute-forces a valid session token for the Syncovery File Sync & Backup Software Web-GUI. This will work if the default user is already logged in the application. If they do not logout, the token stays valid until the next reboot.
* [Acronis TrueImage XPC Privilege Escalation]() by Csaba Fitzl and [Shelby Pace](), which exploits [CVE-2020-25736]() – This module exploits a local privilege escalation vulnerability in Acronis TrueImage versions 2019 update 1 through 2021 update 1 on macOS. This vulnerability is identified as CVE-2020-25736. By abusing a local helper executable, it is possible to execute arbitrary commands as the `root` user.
* [Syncovery For Linux Web-GUI Authenticated Remote Command Execution]() by [Jan Rude](), which exploits [CVE-2022-36534]() – This adds a module that exploits an authenticated remote code execution vulnerability identified as CVE-2022-36534 in the Web GUI of Syncovery File Sync & Backup Software for Linux. The module leverages a flaw in the application that allows the creation of jobs that will be executed when a profile is run. This allows the execution of arbitrary commands as the root user.
* [F5 Big-IP Gather Information from MCP Datastore]() by [Ron Bowes] () – This adds a post module for gathering facts from an F5 system’s MCP database protocol.
## Enhancements and features (6)
* [#17191]() from [liangjs]() – This PR fixes a bug where the Windows Subsystem for Linux crashes when using a reverse_tcp x64 stager because of data in the upper bits of the RDI register when the syscall occurs.
* [#17255]() from [JustAnda7]() – The command payloads have been updated to allow specifying the file system path for several of their commands within datastore options. This should allow users to specify these commands locations should they not be contained within the searchable PATH.
* [#17346]() from [adfoster-r7]() – The logic for counting threads within `lib/metasploit/framework/spec/threads/suite.rb` has been updated to appropriately count and document the known threads that can be left behind when running the rspec test suite. This fixes an intermittent rspec crash.
* [#17355]() from [adfoster-r7]() – The `creds` command has been updated to show the full SSH key contents when running the `creds -v` command or when exporting to a file with `creds -o output.txt`. Previously only a shortened fingerprint string would be shown to the user.
* [#17357]() from [adfoster-r7]() – The docs site has been updated to support mermaid graphs for rendering diagrams to assist with explanations.
* [#17387]() from [smashery]() – The `hosts`, `services`, `vulns` and `notes` command have been updated to support tab expansion in paths using the `~` character when using the `-o` option to specify the path to the file to write the output to.
## Bugs fixed (9)
* [#17345]() from [adfoster-r7]() – A crash has been fixed when using the report API with verbose mode enabled and no active DB.
* [#17350]() from [smashery]() – This updates three UAC bypass modules to remove a hard coded delay in favor of using the module’s builtin cleanup method. This results in the user having access to the interactive session without needing to wait.
* [#17351]() from [smashery]() – This fixes an issue in the `exploit/windows/local/s4u_persistence` module where the default value for `FREQUENCY` would cause an error.
* [#17352]() from [smashery]() – A bug has been fixed in the `file_version` method for Windows Meterpreter, which would cause the session to crash if it was run on a file that did not exist on the target system.
* [#17361]() from [jmartin-r7]() – A bug has been fixed that would cause a crash when running the `exit` command from within `msfconsole` when running `msfconsole` with a 3.1.x release of Ruby.
* [#17366]() from [zeroSteiner]() – The upload and download commands used by shell sessions have been updated to handle directory destinations in the same way as the Meterpreter equivalents do, and to fix some bugs when uploading and downloading files that would prevent errors from being displayed and might cause session crashes.
* [#17368]() from [adfoster-r7]() – Fixes a regression issue with msfvenom payload generation for large payloads taking more than 5 minutes to generate when outputting as hex format. Now it takes a few seconds as normal.
* [#17370]() from [jmartin-r7]() – A bug has been fixed in the `smb_enumshares.rb` whereby if a SMBv1 connection is used a call was made to the `net_share_enum_all` function on the wrong object. This has since been updated to address this error.
* [#17378]() from [gwillcox-r7]() – A bug has been fixed in the Meterpreter payloads that was preventing Python Meterpreter from being able to utilize its EventLog API properly. Additionally a bug has been fixed in the COFFLoader that prevented BOFLoader from working with some COFF files.
## Get it
As always, you can update to the latest Metasploit Framework with `msfupdate`
and you can get more details on the changes since the last blog post from
GitHub:
* [Pull Requests 6.2.30…6.2.31]()
* [Full diff 6.2.30…6.2.31]()
If you are a `git` user, you can clone the [Metasploit Framework repo]() (master branch) for the latest.
To install fresh without using git, you can use the open-source-only [Nightly Installers]() or the
[binary installers]() (which also include the commercial edition).Read More