Metasploit Weekly Wrap-Up

Last updated at Thu, 19 Oct 2023 21:10:23 GMT

That Privilege Escalation Escalated Quickly

This release features a module leveraging CVE-2023-22515, Atlassian的本地Confluence服务器中的一个漏洞首先被列为特权升级, 但很快就被重新归类为“访问控制被破坏”，CVSS得分为10分. 这个漏洞本身非常简单，很容易使用，所以当CISA发布一个 advisory 声明威胁行为者在野外使用它. 任何使用受影响版本的人都必须尽可能快地降低风险并打补丁.

Improved sessions searching

这个版本用额外的搜索过滤器增强了sessions命令，例如:

#返回会话id为1或5的所有会话
sessions -S 'sesion_id:1 session_id:5'

返回所有session_type等于meterpreter的会话
sessions -S 'session_type:meterpreter'

返回check in时间在1小时到10分钟之间，小于2小时的所有会话 
sessions -S 'last_checkin:greater_than:1h10m last_checkin:less_than:2h'

这些搜索选项可以与其他会话选项一起使用. For instance the --verbose flag:

msf6 exploit(windows/smb/psexec) > sessions -S 'last_checkin:greater_than:2h30m' -v

Active sessions
===============

  Session ID: 8
        Name: 
        Type: meterpreter windows
        Info: NT AUTHORITY\SYSTEM @ WINDEV
      Tunnel: 192.168.123.1:4444 -> 192.168.123.132:50564 (192.168.123.132)
         Via: exploit/windows/smb/psexec
   Encrypted: Yes (AES-256-CBC)
        UUID: 4 = 1/2023-10-19T19:44:23Z d78f75abbdbf0c8 / x86 = 1 /窗口
     CheckIn: 18003年前@ 2023-10-19 15:45:30 +0100
  Registered: No

  Session ID: 9
        Name: 
        Type: meterpreter windows
        Info: NT AUTHORITY\SYSTEM @ WINDEV
      Tunnel: 192.168.123.1:4444 -> 192.168.123.132:50565 (192.168.123.132)
         Via: exploit/windows/smb/psexec
   Encrypted: Yes (AES-256-CBC)
        UUID: 48 d32692e0633293 / x86 = 1 / windows = 1/2023-10-19T19:44:23Z
     CheckIn: 10803s ago @ 2023-10-19 17:45:30 +0100
  Registered: No

或者作为一种简单的方法来搜索和终止匹配陈旧的会话 --kill-all:

msf6 exploit(windows/smb/psexec) > sessions -S 'last_checkin:greater_than:2h30m' -K
[*] Killing matching sessions...

Active sessions
===============

  Id名称类型信息连接
  --  ----  ----                     -----------                   ----------
  4 meterpreter x86/windows NT AUTHORITY\SYSTEM @ WINDEV 192.168.123.1:4444 -> 192.168.123.132:50540 (192.168.123.132)
  5 meterpreter x86/windows NT AUTHORITY\SYSTEM @ WINDEV 192.168.123.1:4444 -> 192.168.123.132:50555 (192.168.123.132)

[*] 192.168.123.132 - Meterpreter session 4 closed.
[*] 192.168.123.132 - Meterpreter session 5 closed.

New module content (2)

Apache Superset Signed Cookie RCE

作者:Naveen Sunkavally, Spencer McIntyre, h00die和paradoxis
Type: Exploit
Pull request: #18351 contributed by h00die
Path: linux/http/apache_superset_cookie_sig_rce

描述:这增加了一个针对CVE-2023-37941的漏洞，该漏洞是Apache Superset中经过身份验证的RCE.

Atlassian Confluence未验证远程代码执行

Author: sfewer-r7
Type: Exploit
Pull request: #18461 contributed by sfewer-r7
Path: 多/ http / atlassian_confluence_rce_cve_2023_22515

描述:这增加了一个漏洞利用模块，利用不正确的输入验证问题在Atlassian Confluence版本8之间.0.0 through to 8.3.2, 8.4.0 through to 8.4.2, and 8.5.0 through to 8.5.1. 此漏洞标识为CVE-2023-22515，允许未经身份验证的远程代码执行. 该模块首先通过滥用嵌入式XWorks2中间件并上传恶意插件来执行代码，从而创建一个新的管理员. 请注意，该模块目前无法删除它创建的新管理员帐户. This would require a manual clean up.

Enhancements and features (7)

• #17689 from manishkumarr1017 - Adds an additional column to the creds 命令，以额外显示已被破解的密码 auxiliary/analyze/crack_databases module or similar.
• #18364 from zgoldman-r7 —增加根据上次签入时间、会话类型和会话id过滤会话的支持.
• #18381 from sjanusz-r7 - Adds new options -r and --reload-libs to the check, recheck, to_handler, reload, run and rerun commands. 这个新选项将在执行原始命令之前重新加载所有库文件.
• #18428 from AleksaZatezalo —本PR增加了mssql_login模块的文档.
• #18438 from adfoster-r7 —改进了数据库管理提示的用户体验. Now when running msfdb init 不再提示用户删除数据库. 清除未使用的数据服务凭据的消息已被改写.
• #18450 from adfoster-r7 - Adds support for Ruby 3.3.0-preview2.
• #18451 from adfoster-r7 —将新增加的破解密码列作为 creds to work with the remote database.

Bugs fixed (3)

• #18442 from adfoster-r7 —提高windows环境下msfdb初始化的稳定性. 以前，msfdb初始化脚本在Windows环境中会无限期挂起, 以及在检测数据库是否正在运行时存在假阴性.
• #18443 from adfoster-r7 - Adds a fix for the handler/reverse_ssh 在Windows机器上启动msfconsole时返回警告的模块.
• #18449 from adfoster-r7 - Fixes an issue with the scanner/mysql/mysql_authbypass_hashdump module to now correctly close sockets.

Documentation added (1)

• #18452 from jheysel-r7 -更新Metasploit Wiki，包括如何在模块文档上运行质量工具的信息.

你可以在我们的网站上找到更多的文档 docs.metasploit.com.

Get it

与往常一样，您可以使用 msfupdate
自上一篇博文以来，你可以从
GitHub:

• Pull Requests 6.3.38...6.3.39
• Full diff 6.3.38...6.3.39

If you are a git user, you can clone the Metasploit Framework repo (master branch) for the latest.
要安装fresh而不使用git，您可以使用open-source-only Nightly Installers or the
binary installers (which also include the commercial edition).