Apache Struts Namespace Exploit
Metasploit now includes an exploit module that targets the Apache Struts Namespace vulnerability (CVE-2018-11776), which affects common Struts endpoints. An attacker could inject an arbitrary string of Object-Graph Navigation Language (OGNL) as a parameter in an HTTP request. The weakness is in the Struts framework core, where that parameter is insufficiently validated. The OGNL could be used to perform remote code execution (RCE) or to modify files. RCE is possible when the
alwaysSelectFullNamespace flag is set to true in the Struts configuration, and the application uses actions that are configured without specifying a namespace or with a wildcard namespace (e.g.
“/*”). This vulnerability affects Apache Struts versions
2.5.16. It was reported to Apache by Man Yue Mo from the Semmle Security Research Team in April 2018, and the Metasploit module was contributed by asoto-r7, wvu-r7, and hook-s3c.
Peinjector Meterpreter Extension
Thealpiste's first contribution to Metasploit was a big one: a peinjector extension to meterpreter. The peinjector allows a user to inject a payload into a binary file. When the binary file is launched, the payload is executed with the same privileges as the original binary's process. Not all processes are cooperative, however. Windows Calculator is one example. The original process can be killed depending on the session exit type. Also, it's advised to migrate as soon as possible. The session not only kills the process that hosts it, but the host process will also kill the session when it exits. Since it's written as a meterpreter extension, it can be used directly in meterpreter with
load peinjector or through the post module
Exploit modules (1 new)
- Apache Struts 2 Namespace Redirect OGNL Injection by Man Yue Mo, asoto-r7, wvu, and hook-s3c, which exploits CVE-2018-11776
post/linux/gather/phpmyadmin_credstealmodule now stores the extracted
dbpassvalues from the retrieved
config-db.phpfile, courtesy of space-r7.
post/windows/gather/credentials/mremotemodule now uses the correct
AppDatapath and stores the entire file as loot, by h00die.
auxiliary/fileformat/multidropwas enhanced by asoto-r7 to enable the ability to create an XML file that when opened by Microsoft Word, a request is sent to an SMB listener that connects and captures an NTLM hash.
- A warning message was added to Meterpreter to tell users to pick either
kiwi, depending on the Windows operating system version, courtesy of OJ.Thanks to clickbaitcake for reporting!
As always, you can update to the latest Metasploit Framework with
msfupdate and you can get more details on the changes since the last blog post from GitHub:
To install fresh, check out the open-source-only Nightly Installers, or the binary installers which also include the commercial editions. PLEASE NOTE that these installers, and Metasploit Framework versions included in distros such as Kali, Parrot, etc., are based off the stable Metasploit 4 branch. If you'd like to try out the newer things going into Metasploit 5, that work is available in the master branch of the Metasploit Framework repo on GitHub.