Original Post from Rapid7
Author: Pearce Barry
Release the hound(s)
If you’re a fan of BloodHound, community contributor h4ng3r has added a new post module just for you. Utilizing an existing session on a Windows target, this new module will reflectively load and execute SharpHound to gather information on sessions, local admin, domain trusts, etc., which is ultimately stored as a BloodHound-consumable ZIP file in Framework loot. Load that ZIP’d data into BloodHound and see the opportunities awaiting in your target’s Active Directory environment!
SMBGhost in the machine
Follow-on to a “nothing to see here” situation last month, our own zeroSteiner added a new module for Windows 10 targets vulnerable to CVE-2020-0796 (a.k.a. SMBGhost). With a big hat-tip to danigargu’s and dialluvioso’s C++ implementation, this new Framework module will allow users to leverage an existing session with a vulnerable target that is running compression-enabled SMBv3 to both escalate privilege and execute a payload as the SYSTEM user. Apparitions beware!
Contributor h00die came through with a nice lift on the Ubiquiti Unifi code in Framework. With a new mixin in place, there’s now a new module for ingesting a Ubuiti config file, itself, into Framework, accepting both unf and db formats. h00die also support for UniFi Dream Machine Pro, too!
Share your attacker knowledge!
Do you have opinions on vulns? Want to learn others’ opinions about vulns? Our new AttackerKB (Attacker Knowledge Base) web app has got you covered! We’re currently in Beta with AttackerKB, where you can read about vulns, opinions and analysis around them, and provide your own analysis and thoughts, too! You can get the deets on AttackerKB (and request Beta access) here!
New modules (5)
- Pandora FMS Ping Authenticated Remote Code Execution by Onur ER
- PlaySMS index.php Unauthenticated Template Injection Code Execution by Lucas Rosevear and Touhid M.Shaikh, which exploits CVE-2020-8644
- SMBv3 Compression Buffer Overflow by Daniel García Gutiérrez, Manuel Blanco Parajón, and Spencer McIntyre, which exploits CVE-2020-0796
- Ubiquiti Configuration Importer by h00die
- BloodHound Ingestor by h4ng3r
Enhancements and features
- PR #13188 from h00die adds additional checks to the tools/dev/msftidy_docs.rb module documentation linter.
- PR#13186 from bwatters-r7 brought in a Windows Meterpreter update by slyd0g to adjust permissions when opening a process for steal_token to only those required.
- PR #13212 from busterb pulled in fixes for several Meterpreter bugs, including a crash with stageless Windows meterpreter fix from OJ, a crash handling Android wakelocks fix from timwr, and implementing proper filesystem wildcard handling with Java meterpreter from timwr.
- PR #13220 from adfoster-r7 fixed a few Ubquiti RSpec tests so they now pass correctly.
As always, you can update to the latest Metasploit Framework with
msfupdate and you can get more details on the changes since the last blog post from GitHub:
If you are a
git user, you can clone the Metasploit Framework repo(master branch) for the latest. To install fresh without using git, you can use the open-source-only Nightly Installers or the binary installers (which also include the commercial edition).
Go to Source
Author: Pearce Barry