Last updated at Fri, 18 Oct 2024 18:14:07 GMT

ESC15: EKUwu

AD CS continues to be a popular target for penetration testers and security practitioners. The latest escalation technique (hence the ESC in ESC15) was discovered by Justin Bollinger, with details released just last week. This latest configuration flaw shares common issuance requirements with other ESC flaws, such as requiring no authorized signatures or manager approval. Additionally, templates must be schema version 1, which enables an attacker to craft a signing request with a custom set of EKU OIDs that will be present in the issued certificate. By overriding the OIDs, the template can be used in a few ways, the most useful being as a certificate enrollment agent. With a valid enrollment agent certificate, a user can issue certificates for other users which, when combined with the built-in “User” certificate, can enable Kerberos authentication to a wide variety of services.

This week's Metasploit release adds support to our existing AD CS related modules for identifying and exploiting ESC15.

The auxiliary/admin/ldap/ad_cs_cert_template module can be used with the new esc15_template to create a vulnerable certificate template or (by leveraging ESC4) update an existing certificate template to be vulnerable to ESC15.
The auxiliary/gather/ldap_esc_vulnerable_cert_finder module has been updated to identify vulnerable certificate templates.
The auxiliary/admin/dcerpc/icpr_cert module has been updated with a new ADD_CERT_APP_POLICY option to enable users to add EKUs by OID, thus enabling exploitation of ESC15.

For exploitation steps, see the ESC15 section of our AD CS documentation.
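As an added example (not Metasploit's own code), the following Ruby checks certificate-template records for the ESC15 issuance preconditions described above: schema version 1, no manager approval, and no authorized signatures required. The attribute names are the real pKICertificateTemplate schema attributes; the sample records are constructed, not read from a live domain.

```ruby
# msPKI-Enrollment-Flag bit meaning "CA certificate manager approval required"
CT_FLAG_PEND_ALL_REQUESTS = 0x00000002

# Constructed sample, shaped like entries under CN=Certificate Templates,
# CN=Public Key Services in the Configuration partition (names are made up).
SAMPLE_TEMPLATES = [
  { 'cn' => 'ConstructedV1NoApproval',
    'msPKI-Template-Schema-Version' => 1, 'msPKI-Enrollment-Flag' => 0, 'msPKI-RA-Signature' => 0 },
  { 'cn' => 'ConstructedV1ManagerApproval',
    'msPKI-Template-Schema-Version' => 1, 'msPKI-Enrollment-Flag' => CT_FLAG_PEND_ALL_REQUESTS,
    'msPKI-RA-Signature' => 0 },
  { 'cn' => 'ConstructedV1NeedsSignature',
    'msPKI-Template-Schema-Version' => 1, 'msPKI-Enrollment-Flag' => 0, 'msPKI-RA-Signature' => 1 },
  { 'cn' => 'ConstructedV2',
    'msPKI-Template-Schema-Version' => 2, 'msPKI-Enrollment-Flag' => 0, 'msPKI-RA-Signature' => 0 },
  { 'cn' => 'ConstructedMissingAttrs' } # incomplete record: must not be flagged
]

# Returns the list of issuance controls that block ESC15 on this template.
# An empty list means the template matches the ESC15 preconditions and
# should be reviewed (e.g. re-created at schema version 2 or higher, or
# given manager approval / signature requirements).
def esc15_blockers(template)
  blockers = []
  schema = template['msPKI-Template-Schema-Version']
  flags  = template['msPKI-Enrollment-Flag'].to_i  # nil -> 0
  sigs   = template['msPKI-RA-Signature'].to_i     # nil -> 0

  # Only schema version 1 lets the requester supply application policies;
  # a missing attribute is treated as "not version 1" rather than flagged.
  blockers << 'schema version is not 1' unless schema.to_i == 1
  blockers << 'manager approval required' if (flags & CT_FLAG_PEND_ALL_REQUESTS) != 0
  blockers << 'authorized signature(s) required' if sigs > 0
  blockers
end

# Names of templates with no blockers, i.e. candidates for ESC15 review.
def esc15_candidates(templates)
  templates.select { |t| t['cn'] && esc15_blockers(t).empty? }.map { |t| t['cn'] }
end

if __FILE__ == $PROGRAM_NAME
  esc15_candidates(SAMPLE_TEMPLATES).each { |name| puts "ESC15 candidate: #{name}" }
end
```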

New module content (2)

WordPress WP Fastest Cache Unauthenticated SQLi (CVE-2023-6063)

Authors: Alex Sanford, Julien Voisin, and Valentin Lobstein
Type: Auxiliary
Pull request: #19473 contributed by Chocapikk
Path: scanner/http/wp_fastest_cache_sqli
AttackerKB reference: CVE-2023-6063

Description: This adds an auxiliary module to dump user credentials through a time-based SQL injection present in the WP Fastest Cache plugin <= 1.2.2.

BYOB Unauthenticated RCE via Arbitrary File Write and Command Injection (CVE-2024-45256, CVE-2024-45257)

Authors: Valentin Lobstein and chebuya
Type: Exploit
Pull request: #19485 contributed by Chocapikk
Path: unix/webapp/byob_unauth_rce
AttackerKB reference: CVE-2024-45257

Description: This adds an exploit module for BYOB unauthenticated RCE (CVE-2024-45256, CVE-2024-45257).

Enhanced modules (2)

Modules which have either been enhanced, or renamed:

  • #19482 from Chocapikk - The module allows users to select between the two vulnerabilities (c_only_fields for CVE-2024-8522 and c_fields for CVE-2024-8529) and includes options such as specifying the number of rows to retrieve (COUNT).
  • #19538 from zeroSteiner - This adds support for ESC15 to various AD CS related modules.

Enhancements and features (6)

  • #19108 from smashery - This adds a new API, create_process, which supports creating processes against an open session from an array of args, rather than from a command-line string that needs to go through a subshell. This pull request also fixes multiple module compatibility issues across different session types, i.e. targeting Meterpreter/PowerShell/Cmd/Unix sessions should now behave consistently when running post-exploitation and local privilege escalation modules that execute processes.
  • #19497 from Chocapikk - This adds a helper library for the development of WordPress SQLi modules.
  • #19539 from smashery - This adds functionality to keep the new LDAP sessions alive beyond a server's idle timeout.
  • #19540 from smashery - Update Metasploit's HTTP request User Agent strings for October 2024.
  • #19549 from zeroSteiner - This pull request includes multiple fixes and improvements to the Meterpreter payloads. zeroSteiner fixed a `stdapi_fs_ls: Operation failed: 1` error that occurred when running the ls command. cdelafuente-r7 has updated the Java Meterpreter payload to now run on newer OpenJDK versions on Alpine Linux hosts. wolfcod has made improvements for running the C Meterpreter on Windows XP machines when creating remote threads, and fixed a memory leak in the sysinfo command.
  • #19561 from cdelafuente-r7 - Updates the gather/ldap_esc_vulnerable_cert_finder module to now register the detected vulnerabilities into the Metasploit database if it is currently active.

Bugs fixed (2)

  • #19495 from cdelafuente-r7 - Fixes an edge-case crash in the admin/kerberos/get_ticket module when the supplied cert_file contained a subjectAltName extension with an unexpected value present.
  • #19563 from adfoster-r7 - Updates exploits/linux/http/metabase_setup_token_rce to support older versions.

Documentation

You can find the latest Metasploit documentation on our docsite at docs.metasploit.com.

Get it

As always, you can update to the latest Metasploit Framework with msfupdate
and you can get more details on the changes since the last blog post from
GitHub:

If you are a git user, you can clone the Metasploit Framework repo (master branch) for the latest.
To install fresh without using git, you can use the open-source-only Nightly Installers or the
commercial edition Metasploit Pro.