National Cyber Warfare Foundation (NCWF) Forums


Metasploit Weekly Wrap-Up 03 01 2024


0 user ratings
2024-03-01 20:12:03
milo
Red Team (CNA)

 - archive -- 
Metasploit adds an RCE exploit for ConnectWise ScreenConnect and new documentation for exploiting ESC13.

Connect the dots from authentication bypass to remote code execution


Metasploit Weekly Wrap-Up 03/01/2024

This week, our very own sfewer-r7 added a new exploit module that leverages an authentication bypass vulnerability in ConnectWise ScreenConnect to achieve remote code execution. This vulnerability, CVE-2024-1709, affects all versions of ConnectWise ScreenConnect up to and including 23.9.7.The module creates a new administrator user account on the server, which is used it to upload a malicious extension (.ashx file) and get code execution as the NT AUTHORITY\SYSTEM user on Windows or root user on Linux, depending on the target platform.


New module content (1)


ConnectWise ScreenConnect Unauthenticated Remote Code Execution


Authors: WatchTowr and sfewer-r7

Type: Exploit

Pull request: #18870 contributed by sfewer-r7

Path: multi/http/connectwise_screenconnect_rce_cve_2024_1709


Description: This PR adds an unauthenticated RCE exploit for ConnectWise ScreenConnect (CVE-2024-1709).


Enhancements and features (8)



  • #18830 from sjanusz-r7 - Aligns the behavior of the MSSQL, PostgreSQL, and MySQL sessions. This functionality is currently behind a feature flag enabled with the features command.

  • #18833 from zeroSteiner - This catches an exception when updating a non-existing session. Prior to this PR, trying to run 'sessions -k' after running 'workspace -D' would result in a stack trace being printed to the console. This resolves issue #18561.

  • #18849 from adfoster-r7 - Adjusts the logic used for the visual indentation of tables.

  • #18872 from zgoldman-r7 - Updates the MSSQL modules to support querying database rows that contain boolean bit values.

  • #18878 from adfoster-r7 - This updates a number of rspec gems which help improve test suite error messages when string encodings are different.

  • #18879 from zeroSteiner - Updates the auxiliary/admin/kerberos/inspect_ticket module with improved error messages and support for printing Kerberos PAC credential information.

  • #18892 from zeroSteiner - Allows users to leverage the latest ADCS ESC13 technique. These changes are related to the identification of misconfigured certificate templates and workflow documentation. ldap_esc_vulnerable_cert_finder and ldap_query were also updated to improve usability.

  • #18893 from sjanusz-r7 - Updates the help command to visually align command names to the same width to improve readability.


Bugs fixed (2)



  • #18873 from cgranleese-r7 - Fixes a regression that caused a CreateSession option to be available for payloads that did not make sense.

  • #18880 from jmartin-tech - Fixes a bug with the auxiliary/capture/ldap module's handling of NTLM hashes.


Documentation


You can find the latest Metasploit documentation on our docsite at docs.metasploit.com.


Get it


As always, you can update to the latest Metasploit Framework with msfupdate

and you can get more details on the changes since the last blog post from

GitHub:



If you are a git user, you can clone the Metasploit Framework repo (master branch) for the latest.

To install fresh without using git, you can use the open-source-only Nightly Installers or the

commercial edition Metasploit Pro




Source: Rapid7
Source Link: https://blog.rapid7.com/2024/03/01/metasploit-weekly-wrap-up-03-01-2024/


Comments
new comment
Nobody has commented yet. Will you be the first?
 
Forum
Red Team (CNA)



Copyright 2012 through 2024 - National Cyber Warfare Foundation - All rights reserved worldwide.