Last updated Fri, Jul 28 2023 17:25:08 GMT
Unauthenticated RCE in VMware Product
This week, community contributor h00die added an exploit module that leverages a command injection vulnerability in VMware Aria Operations for Networks, formerly known as vRealize Network Insight. Versions 6.2 to 6.10 are vulnerable (CVE-2023-20887). A remote attacker can abuse the Apache Thrift RPC interface by sending specially crafted data and obtain unauthenticated remote code execution on the underlying operating system as the root user. The module first bypasses the reverse proxy that protects the RPC interface and then executes its payload with root privileges. VMware has rated this vulnerability Critical, with a CVSSv3 base score of 9.8.
Again, WordPress Plugin
Community contributor h00die-gr3y added an exploit module targeting the File Manager Advanced Shortcode WordPress plugin. The module exploits a flaw in the data validation performed during file upload and gains unauthenticated remote code execution: the plugin does not correctly block uploads of files with disallowed MIME types. This vulnerability is identified as CVE-2023-2068 and affects version 2.3.2 and prior.
Kerberos authentication and LDAP SOCKS proxy support
This release adds support for sending Kerberos and LDAP traffic through a user-configurable SOCKS4/SOCKS5 proxy. The proxies can be set with the Proxies datastore option. Most modules support this feature, e.g. SMB/WinRM/etc. An example network environment would be:
[ Attacker Machine ] -> [ Socks Proxy (192.168.123.144) ] -> [ Target (10.20.0.137) ]
For instance, running the auxiliary/gather/ldap_query module with the inline option proxies=socks5:192.168.123.144:1080, or using the older set proxies socks5:192.168.123.144:1080 syntax, will send the network traffic through the user-specified SOCKS proxy, both the requests for the Kerberos tickets used to authenticate and the LDAP query itself:
msf6 auxiliary(gather/ldap_query) > rerun rhost=10.20.0.137 username=Administrator password=p4$$w0rd5 ldap::auth=kerberos ldap::rhostname=dc3.adf3.local domaincontrollerrhost=10.20.0.137 domain=adf3.local proxies=socks5:192.168.123.144:1080
[*] Reloading module...
[*] Running module against 10.20.0.137
[+] 10.20.0.137:88 - Received a valid TGT-Response
[*] 10.20.0.137:389 - TGT MIT Credential Cache ticket saved to /home/kali/.msf4/loot/20230710120238_default_10.20.0.137_mit.kerberos.cca_426003.bin
[+] 10.20.0.137:88 - Received a valid TGS-Response
[*] 10.20.0.137:389 - TGS MIT Credential Cache ticket saved to /home/kali/.msf4/loot/20230710120238_default_10.20.0.137_mit.kerberos.cca_291783.bin
[+] 10.20.0.137:88 - Received a valid delegation TGS-Response
[*] Discovering base DN automatically
[+] 10.20.0.137:389 Discovered base DN: DC=adf3,DC=local
[+] 10.20.0.137:389 Discovered schema DN: DC=adf3,DC=local
CN=Administrator,CN=Users,DC=adf3,DC=local
==========================================
Name Attributes
---- ----------
badpwdcount 0
description Built-in account for administering the computer/domain
lastlogoff 1601-01-01 00:00:00 UTC
lastlogon 2023-07-10 16:02:38 UTC
… omitted …
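To make the proxy section above concrete, here is an added Ruby example (not Metasploit's or Rex's own code) that shows what happens on the wire when the Proxies option is set: the `type:host:port` string is parsed, then a SOCKS5 greeting and CONNECT request (RFC 1928) naming the real target, such as the KDC on 10.20.0.137:88 or the LDAP service on dc3.adf3.local:389, are sent to the proxy, which relays everything that follows. The parser rules (comma-separated chain, socks4/socks5 only), the ProtocolError class and the ScriptedIO stand-in with its canned proxy replies are assumptions constructed for this example so it runs offline.

```ruby
require 'ipaddr'
require 'socket'
require 'stringio'

# Added example: SOCKS5 CONNECT tunnelling as a datastore "Proxies" value implies.
module SocksDemo
  class ProtocolError < StandardError; end
  SUPPORTED = %w[socks4 socks5].freeze

  # "socks5:192.168.123.144:1080" -> [{ type:, host:, port: }].
  # Assumption for this example: comma-separated entries form a chain.
  def self.parse_proxies(str)
    str.to_s.split(',').map(&:strip).reject(&:empty?).map do |entry|
      type, host, port = entry.split(':', 3)
      type = type.to_s.downcase
      raise ArgumentError, "unsupported proxy type #{type.inspect}" unless SUPPORTED.include?(type)
      valid = host && !host.empty? && port.to_s.match?(/\A\d+\z/) && (1..65_535).cover?(port.to_i)
      raise ArgumentError, "bad proxy entry #{entry.inspect}" unless valid
      { type: type, host: host, port: port.to_i }
    end
  end

  # Client greeting: VER=5, NMETHODS=1, METHOD 0x00 (no authentication).
  def self.greeting
    [5, 1, 0].pack('C3')
  end

  # CONNECT request: VER CMD RSV ATYP DST.ADDR DST.PORT. ATYP 0x01 = IPv4,
  # 0x04 = IPv6, 0x03 = domain name, which makes the proxy resolve the name
  # (so dc3.adf3.local never hits the attacker's own resolver).
  def self.connect_request(host, port)
    raise ArgumentError, "bad port #{port}" unless (1..65_535).cover?(port)
    addr = begin
      ip = IPAddr.new(host)
      [ip.ipv4? ? 1 : 4].pack('C') + ip.hton
    rescue IPAddr::InvalidAddressError
      raise ArgumentError, 'hostname longer than 255 bytes' if host.bytesize > 255
      [3, host.bytesize].pack('C2') + host.b
    end
    [5, 1, 0].pack('C3') + addr + [port].pack('n')
  end

  REPLY_CODES = { 0 => 'succeeded', 1 => 'general SOCKS server failure',
                  2 => 'connection not allowed by ruleset', 3 => 'network unreachable',
                  4 => 'host unreachable', 5 => 'connection refused', 6 => 'TTL expired',
                  7 => 'command not supported', 8 => 'address type not supported' }.freeze

  def self.read_exact(io, n)
    data = io.read(n)
    raise ProtocolError, "proxy closed the connection (wanted #{n} bytes)" if data.nil? || data.bytesize != n
    data
  end

  # Method-selection reply: 0xFF means the proxy accepts none of our methods.
  def self.read_method_reply(io)
    ver, method = read_exact(io, 2).unpack('C2')
    raise ProtocolError, "not SOCKS5 (version #{ver})" unless ver == 5
    raise ProtocolError, 'proxy requires authentication we did not offer (0xFF)' if method == 0xff
    raise ProtocolError, "proxy chose unsupported method #{method}" unless method.zero?
    method
  end

  # CONNECT reply; BND.ADDR length depends on ATYP, so read it field by field.
  def self.read_connect_reply(io)
    ver, rep, _rsv, atyp = read_exact(io, 4).unpack('C4')
    raise ProtocolError, "not SOCKS5 (version #{ver})" unless ver == 5
    bound_addr = case atyp
                 when 1 then IPAddr.new_ntoh(read_exact(io, 4)).to_s
                 when 4 then IPAddr.new_ntoh(read_exact(io, 16)).to_s
                 when 3 then read_exact(io, read_exact(io, 1).getbyte(0))
                 else raise ProtocolError, "unknown address type #{atyp}"
                 end
    { ok: rep.zero?, status: REPLY_CODES.fetch(rep, "unknown reply #{rep}"),
      bound_addr: bound_addr, bound_port: read_exact(io, 2).unpack1('n') }
  end

  # Full handshake on an open connection to the proxy. Afterwards the same
  # socket carries the Kerberos (88) or LDAP (389) bytes to the target.
  def self.tunnel(io, target_host, target_port)
    io.write(greeting)
    read_method_reply(io)
    io.write(connect_request(target_host, target_port))
    reply = read_connect_reply(io)
    raise ProtocolError, "CONNECT failed: #{reply[:status]}" unless reply[:ok]
    reply
  end

  # Real use (not exercised offline): TCP to the proxy, then tunnel.
  def self.open_via_proxy(proxies_str, target_host, target_port)
    proxy = parse_proxies(proxies_str).first
    raise ArgumentError, 'only socks5 is implemented in this example' unless proxy[:type] == 'socks5'
    sock = TCPSocket.new(proxy[:host], proxy[:port])
    tunnel(sock, target_host, target_port)
    sock
  end

  # Offline stand-in for the proxy socket: replays canned bytes, records writes.
  class ScriptedIO
    attr_reader :sent
    def initialize(responses)
      @in = StringIO.new(responses.b)
      @sent = ''.b
    end
    def write(data) = @sent << data.b
    def read(n) = @in.read(n)
  end

  # Constructed run for the blog's setup: proxy 192.168.123.144:1080, KDC 10.20.0.137:88.
  # Canned replies: "no auth" accepted, then CONNECT succeeded bound to 0.0.0.0:0.
  def self.demo(proxies = 'socks5:192.168.123.144:1080', host = '10.20.0.137', port = 88)
    io = ScriptedIO.new("\x05\x00" + "\x05\x00\x00\x01\x00\x00\x00\x00\x00\x00")
    { proxy: parse_proxies(proxies).first, sent: io.sent, reply: tunnel(io, host, port) }
  end
end
```

Swap ScriptedIO for the TCPSocket in open_via_proxy to talk to a real proxy; the bytes recorded in `sent` are exactly what a packet capture between the attacker machine and 192.168.123.144 would show before the Kerberos AS-REQ, which is why nothing from the attacker reaches 10.20.0.137 directly.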
New module content (2)
VMWare Aria Operations for Networks (vRealize Network Insight) pre-authenticated RCE
Authors: Anonymous (Trend Micro Zero Day Initiative), Sina Kheirkhah, and h00die
Type: Exploit
Pull request: #18199 contributed by h00die
Path: exploit/linux/http/vmware_vrni_rce_cve_2023_20887
AttackerKB reference: CVE-2023-20887
Description: This adds an exploit module that leverages a pre-authenticated command injection vulnerability in VMWare Aria Operations for Networks (vRealize Network Insight). Versions 6.2 to 6.10 are vulnerable; the issue has been identified as CVE-2023-20887. The module bypasses the reverse proxy protecting access to the Apache Thrift RPC interface and executes arbitrary commands on the underlying operating system as the root user.
Wordpress File Manager Advanced Shortcode 2.3.2 - Unauthenticated Remote Code Execution through shortcode
Authors: Mateus Machado Tesser and h00die-gr3y
Type: Exploit
Pull request: #18142 contributed by h00die-gr3y
Path: exploit/multi/http/wp_plugin_fma_shortcode_unauth_rce
AttackerKB reference: CVE-2023-2068
Description: This adds a WordPress exploit module that leverages the Wordpress File Manager Advanced Shortcode 2.3.2 plugin to gain unauthenticated remote code execution through shortcode.
Enhancements and features (1)
- #18096 from adfoster-r7 - Updates the LDAP query modules and the Kerberos authentication support for WinRM/MSSQL/SMB/LDAP/etc. to work with a user-set Proxies datastore value, i.e. set Proxies socks5:127.0.0.1:1080.
Bugs fixed (3)
- #18187 from cgranleese-r7 - Fixes a crash when running modules on Ruby 3.3.0-preview1, caused by invalid syntax being used when packing or unpacking binary data.
- #18213 from adfoster-r7 - Fixes a bug in the evasion/windows/syscall_inject module caused by an uninitialized variable.
- #18225 from adfoster-r7 - Fixes multiple missing/invalid references in modules.
Documentation
You can find the latest Metasploit documentation on our docsite at docs.metasploit.com.
Get it
As always, you can update to the latest Metasploit Framework with msfupdate, and you can get more details on the changes since the last blog post from GitHub:
If you are a git user, you can clone the Metasploit Framework repo (master branch) for the latest. To install fresh without using git, you can use the open-source-only Nightly Installers or the binary installers (which also include the commercial edition).