Last updated on Friday, July 28, 2023 17:25:08 GMT

Unauthenticated RCE in VMware Product

This week, community contributor h00die added an exploit module that leverages a command injection vulnerability in VMware Aria Operations for Networks, formerly known as vRealize Network Insight. Versions 6.2 to 6.10 are vulnerable (CVE-2023-20887). A remote attacker can abuse the Apache Thrift RPC interface by sending specially crafted data and achieve unauthenticated remote code execution on the underlying operating system as the root user. The module first bypasses the reverse proxy that protects the RPC interface and then executes its payload with root privileges. VMware has rated this vulnerability critical, with a CVSSv3 base score of 9.8.

Another WordPress plugin

Community contributor h00die-gr3y added an exploit module targeting the File Manager Advanced Shortcode WordPress plugin. The module exploits a flaw in the plugin's data validation when files are uploaded and achieves unauthenticated remote code execution: the plugin does not properly block uploads of files with disallowed MIME types. This vulnerability is identified as CVE-2023-2068 and affects version 2.3.2 and prior.
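To make the class of flaw concrete, here is an added illustration in Ruby that is not the plugin's code and says nothing about how the plugin itself is written: an upload check that trusts the client-declared MIME type, beside one that ignores the declared type and decides from an extension allowlist plus the file's leading bytes. The sample uploads (a PHP web shell declared as image/png, the same shell with a double extension, and a genuine PNG header) are constructed for the example.

```ruby
# Added illustration, not the plugin's own code: an upload check that trusts
# the client-declared MIME type versus one that does not. Samples are constructed.
ALLOWED_MIME = %w[image/png image/jpeg image/gif].freeze

# Extension allowlist paired with the magic bytes each type must start with.
MAGIC_BY_EXT = {
  'png'  => "\x89PNG\r\n\x1a\n".b,
  'jpg'  => "\xFF\xD8\xFF".b,
  'jpeg' => "\xFF\xD8\xFF".b,
  'gif'  => 'GIF8'.b
}.freeze

# Weak: the Content-Type of a multipart part is chosen by the client, so a
# PHP file declared as image/png is accepted.
def weak_upload_allowed?(declared_type:, **)
  ALLOWED_MIME.include?(declared_type)
end

# Hardened: ignore the declared type entirely. Require exactly one extension,
# require it to be allowlisted, and require the body to start with that type's
# signature. Rejecting names with more than one dot is a deliberately
# conservative choice so that shell.php.png never reaches a server that maps
# handlers by any of the extensions in a name.
def hardened_upload_allowed?(filename:, content:, **)
  base = File.basename(filename)
  return false unless base.count('.') == 1
  magic = MAGIC_BY_EXT[File.extname(base).delete_prefix('.').downcase]
  return false unless magic
  content.b.start_with?(magic)
end

# Constructed uploads: a PHP web shell disguised as an image, the same shell
# with a double extension, the bare shell, and a genuine PNG header.
PHP_SHELL = '<?php system($_GET["c"]); ?>'.b
PNG_HEAD  = "\x89PNG\r\n\x1a\n".b + ('IHDR' + "\x00" * 13).b
SAMPLES = {
  'shell.php as image/png'     => { filename: 'shell.php',     declared_type: 'image/png',  content: PHP_SHELL },
  'shell.php.png as image/png' => { filename: 'shell.php.png', declared_type: 'image/png',  content: PHP_SHELL },
  'shell.php as text/x-php'    => { filename: 'shell.php',     declared_type: 'text/x-php', content: PHP_SHELL },
  'photo.png as image/png'     => { filename: 'photo.png',     declared_type: 'image/png',  content: PNG_HEAD }
}.freeze

# Returns { label => [weak verdict, hardened verdict] } for every sample.
def compare_checks(samples = SAMPLES)
  samples.transform_values { |s| [weak_upload_allowed?(**s), hardened_upload_allowed?(**s)] }
end

if $PROGRAM_NAME == __FILE__
  compare_checks.each do |label, (weak, hard)|
    puts format('%-28s weak=%-5s hardened=%s', label, weak, hard)
  end
end
```

The weak check lets the first two samples through because the attacker sets the Content-Type; the hardened check rejects all three shells and keeps the real PNG.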

Kerberos authentication and LDAP SOCKS proxy support

This release adds support for sending Kerberos and LDAP traffic through a user-configurable SOCKS4/SOCKS5 proxy. The proxy can be set with the Proxies datastore option. Most modules that authenticate with Kerberos, for example SMB and WinRM, support this as well. An example network environment would be:

[ Attacker Machine ] -> [ Socks Proxy (192.168.123.144) ] -> [ Target (10.20.0.137)]

For instance, running the auxiliary/gather/ldap_query module with the inline option proxies=socks5:192.168.123.144:1080, or with the older set proxies socks5:192.168.123.144:1080 syntax, will send the network traffic through the user-specified SOCKS proxy, both the Kerberos ticket requests used for authentication and the LDAP query itself:

msf6 auxiliary(gather/ldap_query) > rerun rhost=10.20.0.137 username=Administrator password=p4$$w0rd5 ldap::auth=kerberos ldap::rhostname=dc3.adf3.local domaincontrollerrhost=10.20.0.137 domain=adf3.local proxies=socks5:192.168.123.144:1080
[*] Reloading module...
[*] Running module against 10.20.0.137

[+] 10.20.0.137:88 - Received a valid TGT-Response
[*] 10.20.0.137:389 - TGT MIT Credential Cache ticket saved to /home/kali/.msf4/loot/20230710120238_default_10.20.0.137_mit.kerberos.cca_426003.bin
[+] 10.20.0.137:88 - Received a valid TGS-Response
[*] 10.20.0.137:389 - TGS MIT Credential Cache ticket saved to /home/kali/.msf4/loot/20230710120238_default_10.20.0.137_mit.kerberos.cca_291783.bin
[+] 10.20.0.137:88 - Received a valid delegation-TGS-Response
[*] Discovering base DN automatically
[+] 10.20.0.137:389 Discovered base DN: DC=adf3,DC=local
[+] 10.20.0.137:389 Discovered schema DN: DC=adf3,DC=local
CN=Administrator CN=Users DC=adf3 DC=local
==========================================

 Name                Attributes
 ----                ----------
 badpwdcount         0
 description         Built-in account for administering the computer/domain
 lastlogoff          1601-01-01 00:00:00 UTC
 lastlogon 2023-07-10 16:02:38 UTC
… omitted …
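What the proxy setting changes is only the first few bytes on the wire: before any Kerberos or LDAP data is sent, the client negotiates a SOCKS5 CONNECT (RFC 1928) with the proxy, which then opens the real TCP session to the KDC or the domain controller. The Ruby below is an added illustration and is not code from the Metasploit Framework. It builds the greeting and CONNECT request for a target such as 10.20.0.137:88 (Kerberos) or dc3.adf3.local:389 (LDAP), parses the reply, and runs the whole exchange over loopback against a constructed stand-in proxy that records which target it was asked for and dials nothing. No proxy authentication is used.

```ruby
require 'socket'
require 'ipaddr'

# Added illustration (not Metasploit code): the SOCKS5 CONNECT handshake
# (RFC 1928) a client performs before relaying Kerberos (88/tcp) or
# LDAP (389/tcp) traffic through a proxy such as 192.168.123.144:1080.
SOCKS_VERSION = 0x05
NO_AUTH       = 0x00   # method 0x00: no authentication required
CMD_CONNECT   = 0x01
ATYP_IPV4     = 0x01
ATYP_DOMAIN   = 0x03
ATYP_IPV6     = 0x04
REPLY_TEXT = {
  0x00 => 'succeeded', 0x01 => 'general SOCKS server failure',
  0x02 => 'connection not allowed by ruleset', 0x03 => 'network unreachable',
  0x04 => 'host unreachable', 0x05 => 'connection refused', 0x06 => 'TTL expired',
  0x07 => 'command not supported', 0x08 => 'address type not supported'
}.freeze

# Greeting: version, number of offered methods, the method list.
def socks5_greeting
  [SOCKS_VERSION, 1, NO_AUTH].pack('C3')
end

# CONNECT request. A dotted quad is sent as ATYP_IPV4; anything else is sent
# as ATYP_DOMAIN so the proxy resolves it, which matters when a name such as
# the one given in ldap::rhostname does not resolve from the attacker machine.
def socks5_connect_request(host, port)
  if host.match?(/\A\d{1,3}(\.\d{1,3}){3}\z/)
    [SOCKS_VERSION, CMD_CONNECT, 0, ATYP_IPV4].pack('C4') + IPAddr.new(host).hton + [port].pack('n')
  else
    raise ArgumentError, 'hostname longer than 255 bytes' if host.bytesize > 255
    [SOCKS_VERSION, CMD_CONNECT, 0, ATYP_DOMAIN, host.bytesize].pack('C5') + host.b + [port].pack('n')
  end
end

# Read the proxy's reply; returns [status text, bound address, bound port].
def parse_socks5_reply(io)
  ver, rep, _rsv, atyp = io.read(4).unpack('C4')
  raise "unexpected SOCKS version #{ver.inspect}" unless ver == SOCKS_VERSION
  addr = case atyp
         when ATYP_IPV4   then IPAddr.ntop(io.read(4))
         when ATYP_IPV6   then IPAddr.ntop(io.read(16))
         when ATYP_DOMAIN then io.read(io.read(1).unpack1('C'))
         else raise "unknown address type #{atyp}"
         end
  [REPLY_TEXT.fetch(rep, "unknown reply #{rep}"), addr, io.read(2).unpack1('n')]
end

# Full client-side negotiation on a socket already connected to the proxy.
# After this returns, bytes written to io are relayed to host:port.
def socks5_connect(io, host, port)
  io.write(socks5_greeting)
  ver, method = io.read(2).unpack('C2')
  raise 'proxy accepted none of our auth methods' unless ver == SOCKS_VERSION && method == NO_AUTH
  io.write(socks5_connect_request(host, port))
  status, bound_addr, bound_port = parse_socks5_reply(io)
  raise "CONNECT failed: #{status}" unless status == 'succeeded'
  [bound_addr, bound_port]
end

# Constructed stand-in proxy for offline use: serves one client, answers
# "succeeded" without dialing anything, and returns the target it was asked
# for (the host:port a real proxy would open a TCP session to).
def serve_one_fake_proxy_client(server)
  client = server.accept
  _ver, nmethods = client.read(2).unpack('C2')
  client.read(nmethods)
  client.write([SOCKS_VERSION, NO_AUTH].pack('C2'))
  _ver, _cmd, _rsv, atyp = client.read(4).unpack('C4')
  host = atyp == ATYP_IPV4 ? IPAddr.ntop(client.read(4)) : client.read(client.read(1).unpack1('C'))
  port = client.read(2).unpack1('n')
  client.write([SOCKS_VERSION, 0x00, 0, ATYP_IPV4].pack('C4') + IPAddr.new('0.0.0.0').hton + [0].pack('n'))
  client.close
  [host, port]
end

# Run the whole exchange over loopback; returns the [host, port] the proxy saw.
def demo_through_fake_proxy(target_host, target_port)
  server = TCPServer.new('127.0.0.1', 0)
  seen = nil
  proxy = Thread.new { seen = serve_one_fake_proxy_client(server) }
  sock = TCPSocket.new('127.0.0.1', server.addr[1])
  socks5_connect(sock, target_host, target_port)
  sock.close
  proxy.join
  server.close
  seen
end

if $PROGRAM_NAME == __FILE__
  p demo_through_fake_proxy('10.20.0.137', 88)       # Kerberos KDC
  p demo_through_fake_proxy('dc3.adf3.local', 389)   # LDAP, name resolved by the proxy
end
```

The practical consequence for the console run above is that the KDC at 10.20.0.137:88 and the LDAP service at 10.20.0.137:389 only ever see connections originating from 192.168.123.144; with a hostname target the DNS lookup happens on the proxy side too.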

New module content (2)

VMware Aria Operations for Networks (vRealize Network Insight) pre-authenticated RCE

Authors: Anonymous with Trend Micro Zero Day Initiative, Sina Kheirkhah, and h00die
Type: Exploit
Pull request: #18199 contributed by h00die
Path: exploit/linux/http/vmware_vrni_rce_cve_2023_20887
AttackerKB reference: CVE-2023-20887

Description: This adds an exploit module that leverages a pre-authenticated command injection vulnerability in VMware Aria Operations for Networks (vRealize Network Insight). Versions 6.2 to 6.10 are affected; the vulnerability is identified as CVE-2023-20887. The module bypasses the reverse proxy that protects access to the Apache Thrift RPC interface and executes arbitrary commands on the underlying operating system as the root user.

WordPress File Manager Advanced Shortcode 2.3.2 - Unauthenticated Remote Code Execution through shortcode

Authors: Mateus Machado Tesser and h00die-gr3y
Type: Exploit
Pull request: #18142 contributed by h00die-gr3y
Path: exploit/multi/http/wp_plugin_fma_shortcode_unauth_rce
AttackerKB reference: CVE-2023-2068

Description: This adds a WordPress exploit that leverages the File Manager Advanced Shortcode 2.3.2 plugin to gain unauthenticated remote code execution through a shortcode.

Enhancements and features (1)

  • #18096 from adfoster-r7 - Updates the LDAP query module and the Kerberos authentication support for WinRM/MSSQL/SMB/LDAP/etc. to work with a user-set Proxies datastore value, i.e. set Proxies socks5:127.0.0.1:1080.

Bugs fixed (3)

  • #18187 from cgranleese-r7 - Fixes a crash when running modules under Ruby 3.3.0-preview1, caused by invalid syntax being used when packing or unpacking binary data.
  • #18213 from adfoster-r7 - Fixes a bug in the evasion/windows/syscall_inject module caused by an uninitialized variable.
  • #18225 from adfoster-r7 - Fixes multiple missing or invalid references in modules.

Documentation

You can find the latest Metasploit documentation on our docsite at docs.metasploit.com.

Get it

As always, you can update to the latest Metasploit Framework with msfupdate, and you can get more details on the changes since the last blog post from GitHub:

If you are a git user, you can clone the Metasploit Framework repo (master branch) for the latest.
To install fresh without using git, you can use the open-source-only Nightly Installers or the
binary installers (which also include the commercial edition).