Login
Metasploit Weekly Wrap-Up 05/03/24
Dump secrets inline
This week, our very own cdelafuente-r7 added a significant improvement to the well-known Windows Secrets Dump module to reduce the footprint when dumping SAM hashes, LSA secrets and cached credentials. The module is now directly reading the Windows Registry remotely without having to dump the full registry keys to disk and parse them, like it was originally. This idea comes from this PR proposed by antuache. The technique takes advantage of the WriteDACL privileges held by local administrators to set temporary read permissions on the SAM and SECURITY registry hives. The module also takes care of restoring the original Security Descriptors after each read. Note that it is still possible to use the original technique by setting the INLINE option to false. Happy dumping!
New module content (1)
Kemp LoadMaster Unauthenticated Command Injection
Author: Dave Yesland with Rhino Security Labs
Type: Exploit
Pull request: #18972 contributed by DaveYesland
Path: linux/http/progress_kemp_loadmaster_unauth_cmd_injection
AttackerKB reference: CVE-2024-1212
Description: This adds a module targeting CVE-2024-1212, an unauthenticated command injection vulnerability in Kemp Progress Loadmaster versions after 7.2.48.1, but patched in 7.2.59.2 (GA), 7.2.54.8 (LTSF) and 7.2.48.10 (LTS).
Enhancements and features (3)
- #19048 from cdelafuente-r7 - This updates the
windows_secrets_dumpmodule to enable accessing the necessary registry data without writing it to disk first. - #19075 from ide0x90 - :
Updates the Softing Secure Integration Server login library to allow the code to be better reused by other modules. - #19148 from adfoster-r7 - Updates Metasploit-framework to compile on x64-mingw-ucrt platforms.
Bugs fixed (5)
- #19095 from zeroSteiner - Updates the
smb_enumusersmodule to use an updated SMB implementation from RubySMB which fixes an issue where the module could sometimes time out or return an unexpected error when targeting Samba. - #19137 from zeroSteiner - Fixes an infinite recursion error where Metasploit would attempt to resolve a nameserver specified as a hostname in
/etc/resolv.confwhile initializing. - #19138 from dwelch-r7 - Fixes a crash in the
cve_2022_26923_certifriedmodule. - #19141 from jheysel-r7 - This fixes timeout issues encountered by
rocketmqandactivemqmodules that would occur when the target is not running the expected service. - #19152 from adfoster-r7 - This fixes an issue in the
exploit/multi/http/apache_normalize_path_rceexploit module that affected Metasploit Pro due to how the module was handling datastore options.
Documentation
You can find the latest Metasploit documentation on our docsite at docs.metasploit.com.
Get it
As always, you can update to the latest Metasploit Framework with msfupdate and you can get more details on the changes since the last blog post from
GitHub:
If you are a git user, you can clone the Metasploit Framework repo (master branch) for the latest. To install fresh without using git, you can use the open-source-only Nightly Installers or the commercial edition Metasploit Pro.
