ESC support in Metasploit
This week, we’re excited to announce that Metasploit users can now detect certificate templates vulnerable to ESC9, ESC10, and ESC16 using the existing ldap_esc_vulnerable_template module. In addition, users can now exploit these vulnerable templates with the brand new esc_update_ldap_object module to escalate privileges. These three ESC techniques share a common pattern: each requires access to a user who has write privileges over another user account that can enroll in the vulnerable template. Exploiting these techniques with other tools requires multiple manual steps, but the esc_update_ldap_object module streamlines the process. Users simply configure the datastore options, run the module, and profit, i.e. receive a certificate which can be used to escalate privileges in the domain. As part of this effort, we’ve also introduced the ldap_object_attribute module, which allows users to manipulate LDAP objects in Active Directory using standard CRUD operations. This module (as well as the shadow_credentials and get_ticket modules) is invoked behind the scenes by esc_update_ldap_object to simplify exploitation. Comprehensive documentation is included, covering how to configure templates vulnerable to ESC9, ESC10, and ESC16, as well as detailed instructions on how to exploit each technique using the new module.
Rapid7 at Blackhat
If you’re heading to Vegas, be sure to check out the Metasploit demos at both Black Hat and DEF CON. We’ll be there showing some of the latest workflows including relay improvements, SCCM attacks and an ESC exploit chain. We’ll even walk through the code injection improvements in Meterpreter.
At Black Hat, we’ll be in the Arsenal on Wednesday August 6th at 11:00.
At DEF CON, we’ll be at the Demo Labs multiple times:
- Friday August 8th, at 13:00 in Room 208
- Saturday August 9th, at 15:00 in Room 209
- Saturday August 9th, at 16:00 in Room 209
Stop by, say hi and check out the latest improvements to Metasploit.
New module content (4)
Exploits AD CS Template misconfigurations which involve updating an LDAP object: ESC9, ESC10, and ESC16
Authors: Lee Christensen, Oliver Lyak, Spencer McIntyre, Will Schroeder, and jheysel-r7
Type: Auxiliary
Pull request: #20189 contributed by jheysel-r7
Path: admin/dcerpc/esc_update_ldap_object
Description: This adds a new module that streamlines the exploitation of ESC9, ESC10 and ESC16. It handles manipulating a target account over LDAP and then using that account to issue a certificate as an elevated user.
LDAP Update Object
Author: jheysel
Type: Auxiliary
Pull request: #20189 contributed by jheysel-r7
Path: admin/ldap/ldap_object_attribute
Description: This adds a new module that allows users to manipulate LDAP objects in Active Directory using standard CRUD operations. It is invoked behind the scenes by esc_update_ldap_object to update the target account during ESC9, ESC10 and ESC16 exploitation.
Malicious Windows Script Host JScript (.js) File
Author: bcoles
Type: Exploit
Pull request: #20398 contributed by bcoles
Path: windows/fileformat/windows_script_host_jscript
Description: This adds a new file format module that drops a Windows Script Host JScript file containing a malicious payload.
Malicious Windows Script Host VBScript (.vbs) File
Author: bcoles
Type: Exploit
Pull request: #20406 contributed by bcoles
Path: windows/fileformat/windows_script_host_vbscript
Description: This adds a new file format module for a Windows Script Host VBScript file.
Enhanced Modules (2)
Modules which have either been enhanced or renamed:
- #20149 from jheysel-r7 – This updates the existing auxiliary/gather/ldap_esc_vulnerable_cert_finder module to support checking for templates that are vulnerable to ESC9, ESC10 and ESC16.
- #20401 from zeroSteiner – Updates the existing auxiliary/gather/ldap_passwords module to search for and extract gMSA credentials from Active Directory Domain Controllers. These credentials can then be used to authenticate as the service account.
Enhancements and features (1)
- #20421 from Chocapikk – This enhances the get_nonce function in the auxiliary/scanner/http/wp_ultimate_member_sorting_sqli module. Until now, the get_nonce function required the response code to be 200 before it parsed and extracted the nonce. However, the nonce script is also present on pages that return 404 or 403. This update takes that into account.
Bugs fixed (2)
- #20408 from xl4635 – Fixes argument passing to the redis_command function in auxiliary/scanner/redis/redis_server. The function expects each word as a separate argument (e.g., redis_command("LIST", "MODULES")). Previously, the module passed the command as a single string, resulting in unexpected responses from the Redis server. This update corrects the issue by properly splitting the command into separate arguments.
- #20428 from zeroSteiner – Fixes the payload space in exploits/windows/misc/achat_bof. Previously, due to insufficient payload space, the module had been reported as unreliable. This fixes the issue by increasing the available payload space.
Documentation
You can find the latest Metasploit documentation on our docsite at docs.metasploit.com.
Get it
As always, you can update to the latest Metasploit Framework with msfupdate and you can get more details on the changes since the last blog post from GitHub:
If you are a git user, you can clone the Metasploit Framework repo (master branch) for the latest. To install fresh without using git, you can use the open-source-only Nightly Installers or the commercial edition Metasploit Pro.