## Cloud Fun With EC2
![Metasploit Weekly Wrap-Up](https://blog.rapid7.com/content/images/2023/06/metasploit-sky-1-1-1.png)
New ground was broken today with the addition of two PRs from community contributor sempervictus, also known as RageLtMan. They add the ability for Metasploit to establish sessions to EC2 instances using Amazon’s SSM interface, which provides a public API to execute commands or create real-time interactive websocket command shells. This can result in passwordless elevation of privilege in most if not all cases.
This module is also very helpful as it provides pentesters with the tools required to show the impact of having SSM exposed and can help reinforce the importance of data governance, locality, isolation, and auditing. It can also show how user-based access control systems may be bypassed when the privileges users hold within IAM let them use the SSM interface as an elevation-of-privilege pivot. Finally, it can also be used to demonstrate how attackers can exfiltrate data from systems which do not have network access outside of the cloud environment.
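On the auditing side, every SSM command or session request is recorded in CloudTrail, so defenders can check which IAM principals are reaching instances this way. The following is an added example, not code from Metasploit or the original post: it filters CloudTrail records for the SSM `SendCommand`, `StartSession` and `ResumeSession` calls and reports principals outside an approved set. The sample records, account ID, user names and the approved set are constructed assumptions.

```python
from collections import defaultdict

# SSM API calls that run commands or open shells on managed instances.
SSM_EXEC_EVENTS = {"SendCommand", "StartSession", "ResumeSession"}

# Constructed CloudTrail records for illustration (not real account data).
SAMPLE_EVENTS = [
    {"eventSource": "ssm.amazonaws.com", "eventName": "StartSession",
     "userIdentity": {"arn": "arn:aws:iam::111122223333:user/ops-admin"},
     "requestParameters": {"target": "i-0aaaaaaaaaaaaaaa1"}},
    {"eventSource": "ssm.amazonaws.com", "eventName": "SendCommand",
     "userIdentity": {"arn": "arn:aws:iam::111122223333:user/report-reader"},
     "requestParameters": {"documentName": "AWS-RunShellScript",
                           "instanceIds": ["i-0bbbbbbbbbbbbbbb2", "i-0ccccccccccccccc3"]}},
    {"eventSource": "ssm.amazonaws.com", "eventName": "StartSession",
     "userIdentity": {"arn": "arn:aws:iam::111122223333:user/report-reader"},
     "errorCode": "AccessDenied",
     "requestParameters": {"target": "i-0aaaaaaaaaaaaaaa1"}},
    {"eventSource": "ec2.amazonaws.com", "eventName": "DescribeInstances",
     "userIdentity": {"arn": "arn:aws:iam::111122223333:user/report-reader"}},
]

def ssm_exec_events(records):
    """Yield one normalized dict per SSM execution-type call."""
    for rec in records:
        if (rec.get("eventSource") != "ssm.amazonaws.com"
                or rec.get("eventName") not in SSM_EXEC_EVENTS):
            continue
        params = rec.get("requestParameters") or {}
        # SendCommand lists instanceIds; session calls carry a single target.
        targets = list(params.get("instanceIds") or [])
        if isinstance(params.get("target"), str):
            targets.append(params["target"])
        yield {"principal": (rec.get("userIdentity") or {}).get("arn", "unknown"),
               "action": rec["eventName"],
               # Tag-based SendCommand targeting names no instance IDs.
               "targets": targets or ["<tag-or-unresolved-target>"],
               "denied": "errorCode" in rec}

def unapproved_ssm_access(records, approved_principals):
    """Map each non-approved principal to instances it reached or tried to reach."""
    findings = defaultdict(lambda: {"succeeded": set(), "denied": set()})
    for ev in ssm_exec_events(records):
        if ev["principal"] in approved_principals:
            continue
        bucket = "denied" if ev["denied"] else "succeeded"
        findings[ev["principal"]][bucket].update(ev["targets"])
    return {p: {k: sorted(v) for k, v in b.items()} for p, b in findings.items()}
```

Denied attempts are kept separately from successful calls because a principal probing SSM without permission is worth reviewing even when IAM blocked it.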
## Contacts Are Like Cookies – I Need More
Community contributors Nolan LOSSIGNOL-DRILLIEN and Vladimir TOUTAIN added a module for exploiting a preauthentication contact database dump vulnerability in Dolibarr 16 prior to 16.0.5. Contact details are a great help for attackers as they can allow them to craft more believable phishing attacks and gain more information about the internal structure of a target company. They can also give information on a company’s relationships with other companies which could reveal information about sensitive company dealings.
## Router Exploits – They Never Stop
Router exploits are like fine wine. They just don’t stop, and these devices are often left unpatched for years on end, which can lead to issues where they are compromised and used in attacks such as in the case of the Mirai botnet. Community contributors Anna Graterol, Mana Mostaani, and Nick Cottrell added a new module targeting [CVE-2015-3035]() which uses a directory traversal vulnerability in unpatched TP-LINK Archer C7 routers to dump arbitrary files on the target such as the `/etc/passwd` file.
## New module content (7)
### Amazon Web Services EC2 instance enumeration
Author: RageLtMan
Type: Auxiliary
Pull request: [#17430]() contributed by [sempervictus]()
Description: This adds the ability for Metasploit to establish sessions to EC2 instances using Amazon’s SSM interface. The result is an interactive shell that does not require the user to transfer a payload to the EC2 instance. For Windows targets, the shell is a PTY-enabled PowerShell session that is incompatible with Post modules but supports user interaction.
### VSFTPD 2.3.2 Denial of Service
Authors: Anna Graterol, Maksymilian Arciemowicz, Mana Mostaani, and Nick Cottrell (Rad10Logic)
Type: Auxiliary
Pull request: [#18004]() contributed by [rad10]()
AttackerKB reference: [CVE-2011-0762]()
Description: This PR adds an auxiliary module for DoSing VSFTPD servers running version 2.3.2 and below.
### Apache NiFi Login Scanner
Author: h00die
Type: Auxiliary
Pull request: [#18028]() contributed by [h00die]()
Description: A new scanner module has been added to scan for valid logins for Apache NiFi servers.
### Apache NiFi Version Scanner
Author: h00die
Type: Auxiliary
Pull request: [#18025]() contributed by [h00die]()
Description: This PR adds a version scanner for Apache NiFi.
### Archer C7 Directory Traversal Vulnerability
Authors: Anna Graterol, Mana Mostaani, and Nick Cottrell
Type: Auxiliary
Pull request: [#18003]() contributed by [rad10]()
AttackerKB reference: [CVE-2015-3035]()
Description: This adds a module that gathers a specific file by leveraging a directory traversal vulnerability in TP-LINK Archer C7 routers. This vulnerability is identified as CVE-2015-3035.
### Dolibarr 16 pre-auth contact database dump
Authors: Nolan LOSSIGNOL-DRILLIEN and Vladimir TOUTAIN
Type: Auxiliary
Pull request: [#17899]() contributed by [vtoutain]()
Description: This adds a module that leverages an authorization bypass in Dolibarr version 16, prior to 16.0.5. This module dumps the contact database to retrieve customer file, prospects, suppliers and employee information. No authentication is needed for this exploit.
### AWS SSM Sessions
Author: sempervictus
Type: Payload
Pull request: [#17430]() contributed by [sempervictus]()
Description: This adds the ability for Metasploit to establish sessions to EC2 instances using Amazon’s SSM interface. The result is an interactive shell that does not require the user to transfer a payload to the EC2 instance. For Windows targets, the shell is a PTY-enabled PowerShell session that is incompatible with Post modules but supports user interaction.
## Enhancements and features (2)
* [#18021]() from [zeroSteiner]() – The PowerShell Post API methods use a mix of PowerShell and .NET methods which have different ways of keeping track of the current working directory. This change fixes the ambiguity by synchronizing the current working directory referenced by each set of methods.
* [#18031]() from [wvu]() – Updates the `edit` and `log` commands to explain how to set `LocalEditor` and `LocalPager` so that users can adjust the editor that is used when running the `edit` command and the log file that is used for logging module runtime information, respectively.
## Bugs fixed (6)
* [#18019]() from [cgranleese-r7]() – Fixes validation for the `to_handler` command when running Evasion and Payload modules.
* [#18026]() from [adfoster-r7]() – A bug has been fixed in test modules whereby not all modules were manipulating the load path to require the `module_test` library correctly, resulting in them being dependent on other modules correctly setting the load path, which may not always occur.
* [#18030]() from [wvu]() – A missing `return` statement was added into `lib/msf/core/exploit/cmd_stager/http.rb` to fix a Ruby syntax error when attempting to handle a 404 file not found case.
* [#18032]() from [wvu]() – A bug has been fixed in the `cmd/brace` encoder whereby it did not appropriately escape braces.
* [#18036]() from [adfoster-r7]() – A typo has been fixed in the `ibm_sametime_enumerate_users.rb` gather module that prevented exceptions that were raised from being appropriately caught.
* [#18052]() from [adfoster-r7]() – The `test/modules/post/test/file.rb` module previously did not work on Windows sessions due to it reading data from a Linux only file to determine what data to write for the binary file write operation. This has since been fixed so that the binary data is randomly generated vs being based off an OS specific file.
## Documentation
You can find the latest Metasploit documentation on our docsite at [docs.metasploit.com]().
## Get it
As always, you can update to the latest Metasploit Framework with `msfupdate`
and you can get more details on the changes since the last blog post from
GitHub:
* [Pull Requests 6.3.18…6.3.19]()
* [Full diff 6.3.18…6.3.19]()
If you are a `git` user, you can clone the [Metasploit Framework repo]() (master branch) for the latest.
To install fresh without using git, you can use the open-source-only [Nightly Installers]() or the
[binary installers]() (which also include the commercial edition).