Apache Struts Namespace Exploit

Metasploit now includes an exploit module that targets the Apache Struts Namespace vulnerability (CVE-2018-11776), which affects common Struts endpoints. An attacker could inject an arbitrary string of Object-Graph Navigation Language (OGNL) as a parameter in an HTTP request. The weakness is in the Struts framework core, where that parameter is insufficiently validated. The OGNL could be used to perform remote code execution (RCE) or to modify files. RCE is possible when the alwaysSelectFullNamespace flag is set to true in the Struts configuration, and the application uses actions that are configured without specifying a namespace or with a wildcard namespace (e.g. “/*”). This vulnerability affects Apache Struts versions 2.3 to 2.3.34 and 2.5 to 2.5.16. It was reported to Apache by Man Yue Mo from the Semmle Security Research Team in April 2018, and the Metasploit module was contributed by asoto-r7, wvu-r7, and hook-s3c.
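As a defender's triage aid, here is an added example (not part of the Metasploit post or its module) that checks a struts.xml for the two preconditions named above: the full-namespace flag set to true and an action package with no namespace or a wildcard one. The constant name struts.mapper.alwaysSelectFullNamespace is the Struts 2 setting behind the flag the text mentions; the sample configs are constructed.

```python
"""Audit a struts.xml for the CVE-2018-11776 preconditions described above:
struts.mapper.alwaysSelectFullNamespace set to true AND an action package with
no namespace attribute or a wildcard namespace such as "/*". The constant name
follows the Struts 2 struts.xml schema; the sample configs are constructed."""
import xml.etree.ElementTree as ET

CONSTANT = "struts.mapper.alwaysSelectFullNamespace"


def audit_struts_xml(xml_text: str) -> dict:
    """Return the two preconditions and whether both hold at once."""
    root = ET.fromstring(xml_text)
    full_ns = any(
        c.get("name") == CONSTANT and (c.get("value") or "").strip().lower() == "true"
        for c in root.iter("constant")
    )
    risky = []
    for pkg in root.iter("package"):
        ns = pkg.get("namespace")
        # Missing/empty namespace or any wildcard counts; skip packages without actions.
        if (ns is None or ns.strip() == "" or "*" in ns) and pkg.find("action") is not None:
            risky.append(pkg.get("name", "<unnamed>"))
    return {
        "always_select_full_namespace": full_ns,
        "risky_packages": risky,
        "vulnerable_config": full_ns and bool(risky),
    }


# Constructed sample: the weak combination the advisory text describes.
WEAK_CONFIG = """<struts>
  <constant name="struts.mapper.alwaysSelectFullNamespace" value="true"/>
  <package name="default" extends="struts-default">
    <action name="index" class="com.example.IndexAction"><result>/index.jsp</result></action>
  </package>
  <package name="wild" namespace="/*" extends="struts-default">
    <action name="show" class="com.example.ShowAction"><result>/show.jsp</result></action>
  </package>
</struts>"""

# Constructed sample: flag off and every package given an explicit namespace.
HARDENED_CONFIG = """<struts>
  <constant name="struts.mapper.alwaysSelectFullNamespace" value="false"/>
  <package name="default" namespace="/" extends="struts-default">
    <action name="index" class="com.example.IndexAction"><result>/index.jsp</result></action>
  </package>
</struts>"""
```

The check reads struts.xml only; the same constant can also be set in struts.properties, so a clean result here is a configuration hint, not a substitute for upgrading past the affected versions.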

Peinjector Meterpreter Extension

Thealpiste's first contribution to Metasploit was a big one: a peinjector extension to meterpreter. The peinjector allows a user to inject a payload into a binary file. When the binary file is launched, the payload is executed with the same privileges as the original binary's process. Not all processes are cooperative, however; Windows Calculator is one example. The original process can be killed depending on the session exit type, so it's advised to migrate as soon as possible: the session not only kills the process that hosts it, but the host process also kills the session when it exits. Since it's written as a meterpreter extension, it can be used directly in meterpreter with load peinjector or through the post module windows/post/manage/peinjector.

New Modules

Exploit modules (1 new)

Improvements

  • The post/linux/gather/phpmyadmin_credsteal module now stores the extracted dbuser and dbpass values from the retrieved config-db.php file, courtesy of space-r7.
  • The post/windows/gather/credentials/mremote module now uses the correct AppData path and stores the entire file as loot, by h00die.
  • Module auxiliary/fileformat/multidrop was enhanced by asoto-r7 to create an XML file that, when opened in Microsoft Word, sends a request to an SMB listener, which then captures an NTLM hash.
  • A warning message was added to Meterpreter to tell users to pick either mimikatz or kiwi, depending on the Windows operating system version, courtesy of OJ. Thanks to clickbaitcake for reporting!

Get it

As always, you can update to the latest Metasploit Framework with msfupdate and you can get more details on the changes since the last blog post from GitHub:

To install fresh, check out the open-source-only Nightly Installers, or the binary installers which also include the commercial editions. PLEASE NOTE that these installers, and the Metasploit Framework versions included in distros such as Kali, Parrot, etc., are based on the stable Metasploit 4 branch. If you'd like to try out the newer things going into Metasploit 5, that work is available in the master branch of the Metasploit Framework repo on GitHub.