
Metasploit Weekly Wrap-Up 01/26/24

Direct Syscalls Support for Windows Meterpreter

Direct system calls are a popular technique for bypassing EDR/AV detection. It is particularly effective against dynamic analysis, where security software monitors every process on the system for suspicious activity. The technique issues system calls directly, entering kernel mode without passing through the Win32 API, which is commonly hooked by EDR/AV products.

The first implementation of this technique substitutes the Win32 API calls used by the Reflective DLL Injection (RDI) library with direct syscalls to the corresponding Native APIs. For example, VirtualAlloc is replaced by a system call to ZwAllocateVirtualMemory. RDI was chosen because Meterpreter and its extensions use it everywhere, making it a good candidate for this initial work.

The main challenge of this technique is finding the correct syscall number, since it varies across Windows versions. Additionally, EDRs usually hook the ntdll.dll native API, overwriting the start of each stub (where the number is normally loaded into eax), so the number cannot simply be read from the stub. To overcome this, the implementation assumes that syscall numbers are assigned sequentially starting from 0, so the number can be deduced from the position of the related native API function in memory: select the system call functions (Zw…) from the ntdll.dll exports and sort them in ascending order of their addresses; the syscall number of a given native API function is simply its index in this sorted list.

Another improvement is to ensure that the syscall instruction is executed from inside ntdll.dll, since EDR/AV can check where a system call was issued from and flag any that did not originate in ntdll.dll as suspicious. This technique is taken directly from RecycledGate. The complication is that Meterpreter must remain compatible with all Windows versions from Windows XP to the most recent releases, so the implementation parses ntdll.dll at runtime to locate the correct trampoline address when executing the system call.

This work is just the first step; we expect more additions this year. The next step is to switch the remaining Win32 API calls that Meterpreter and its extensions make to their corresponding native APIs using direct syscalls. The long-term goal is to make direct syscalls the standard for future Windows-based development (payloads, etc.).

New module content (8)

GL.iNet Unauthenticated Remote Command Execution via the logread module

Authors: DZONERZY, Unknown, and h00die-gr3y h00die.gr3y@gmail.com
Type: Exploit
Pull request: #18648 contributed by h00die-gr3y
Path: linux/http/glinet_unauth_rce_cve_2023_50445

Description: This PR adds an exploit module for a number of different GL.iNet network products. The module chains an authentication bypass vulnerability (CVE-2023-50919) with an RCE (CVE-2023-50445), allowing the user to obtain, without authentication, a Meterpreter session running in the context of the root user.

Ivanti Connect Secure Unauthenticated Remote Code Execution

Author: sfewer-r7
Type: Exploit
Pull request: #18708 contributed by sfewer-r7
Path: linux/http/ivanti_connect_secure_rce_cve_2023_46805

Description: This PR adds an exploit chain consisting of two vulnerabilities, an authentication bypass (CVE-2023-46805) and a command injection (CVE-2024-21887). The chain allows a remote unauthenticated attacker to execute arbitrary OS commands with root privileges. As per the Ivanti advisory, these vulnerabilities affect all supported versions of the product, 9.x and 22.x. It is unknown whether the unsupported versions 8.x and older are also affected.

MajorDoMo Command Injection

Authors: Valentin Lobstein and smcintyre-r7
Type: Exploit
Pull request: #18630 contributed by Chocapikk
Path: linux/http/majordomo_cmd_inject_cve_2023_50917

Description: This adds an exploit for a command injection vulnerability in MajorDoMo versions before commit 0662e5e.

Saltstack Minion Payload Deployer

Authors: c2Vlcgo and h00die
Type: Exploit
Pull request: #18626 contributed by h00die
Path: linux/local/saltstack_salt_minion_deployer

Description: This PR adds an exploit module that allows a user who has compromised a host acting as a SaltStack Master to deploy payloads to the Minions attached to that Master.

Apache Commons Text RCE

Authors: Alvaro Muñoz, Gaurav Jain, and Karthik UJ
Type: Exploit
Pull request: #18638 contributed by errorxyz
Path: multi/http/apache_commons_text4shell

Description: Adds an exploit module for CVE-2022-42889 that targets web apps using the StringSubstitutor interpolator class of Apache Commons Text versions 1.5 through 1.9 in an insecure fashion.

Atlassian Confluence SSTI Injection

Authors: Harsh Jaiswal, Rahul Maini, and Spencer McIntyre
Type: Exploit
Pull request: #18734 contributed by zeroSteiner
Path: multi/http/atlassian_confluence_rce_cve_2023_22527

Description: This adds an exploit for CVE-2023-22527, an unauthenticated RCE in Atlassian Confluence. The vulnerability is an SSTI flaw that allows an OGNL expression to be evaluated, resulting in OS command execution in the context of the service account.

PRTG CVE-2023-32781 Authenticated RCE

Author: Kevin Joensen kevin@baldur.dk
Type: Exploit
Pull request: #18568 contributed by ggisz
Path: windows/http/prtg_authenticated_rce_cve_2023_32781

Description: This PR adds a module leveraging CVE-2023-32781, an authenticated command injection vulnerability in PRTG versions 23.2.84.1566 and earlier.

Enhancements and features (6)

#17634 from adfoster-r7 – Adds reliability and stability notes to several modules that were previously missing them.

#18645 from jvoisin – This adds a way to get the Build ID from ld.so using the perf command. Previously, the module depended on the file and readelf commands being installed to get the Build ID.

#18663 from sjanusz-r7 – Adds a new Postgres session type, which is currently behind a feature flag that can be activated with: features set postgresql_session_type true. Example usage: use scanner/postgres/postgres_login followed by run postgres://postgres:password@127.0.0.1:9000/template1 createsession=true verbose=false.

#18720 from zeroSteiner – This enhancement marks the existing Unix encoders as also being compatible with Linux. Previously, no encoder modules were marked as compatible with Linux, so users could not set bad characters when using the new fetch payloads.

#18735 from AleksaZatezalo – Adds additional module metadata to the /windows/iis/iis_webdav_scstoragepathfromurl module.

#18737 from zeroSteiner – This updates the metasploit-payloads gem to 2.0.165 to pull in the changes that support direct syscalls for Meterpreter on Windows. See the corresponding metasploit-payloads pull requests for details.

Bugs fixed (3)

#18662 from dwelch-r7 – Fixes an edge case where features set dns_feature true did not correctly parse a user's /etc/resolv.conf file if multiple nameservers were present.

#18712 from ekalinichev-r7 – Fixes a crash in Metasploit's REST API when calling /api/v1/modules?name=aux.

#18746 from zeroSteiner – Fixes a module bug when using the generate OPTION=VALUE syntax. Previously, the module's datastore would be unintentionally updated with the new option value.

Documentation added (1)

#18729 from poupapaa – This fixes a typo in Metasploit-Guide-SMB.md.

You can always find more documentation on our docsite at docs.metasploit.com.

Get it

As always, you can update to the latest Metasploit Framework with msfupdate and you can get more details on the changes since the last blog post from GitHub:

Pull Requests 6.3.52…6.3.53

Full diff 6.3.52…6.3.53

If you are a git user, you can clone the Metasploit Framework repo (master branch) for the latest. To install fresh without using git, you can use the open-source-only Nightly Installers or the commercial edition Metasploit Pro.

Metasploit Weekly Wrapup | Noise. https://noise.getoto.net/tag/metasploit-weekly-wrapup/
