Metasploit added a login scanner for the TeamCity application to enable users to check for weak credentials. TeamCity has been the subject of multiple ETR vulnerabilities and is a valuable target for attackers.
This week, Metasploit community member smashery improved the windows_secrets_dump module's DOMAIN action to allow the operator to specify particular users or groups to retrieve Kerberos secrets for. By setting the KRB_TYPES option to USERS_ONLY or COMPUTERS_ONLY, the operator can restrict retrieval to the specified account type. For finer control, the operator can target one or more accounts or groups by name with the KRB_USERS option. This should help operators obtain the desired information more quickly when targeting large domains.
Authors: adfoster-r7 and sjanusz-r7
Type: Auxiliary
Pull request: #19601 contributed by sjanusz-r7
Path: scanner/teamcity/teamcity_login
Description: Adds a new bruteforce login scanner module that targets the JetBrains TeamCity service.
Authors: Takahiro Yokoyama and Tanto Security
Type: Exploit
Pull request: #19584 contributed by Takahiro-Yoko
Path: linux/http/judge0_sandbox_escape_cve_2024_28189
AttackerKB reference: CVE-2024-28189
Description: This adds an exploit module for a Judge0 sandbox escape which chains CVE-2024-28185 and CVE-2024-28189 to achieve unauthenticated RCE. Judge0 version 1.13.0 and prior are vulnerable.
Authors: Marven11, Spencer McIntyre, and jheysel-r7
Type: Exploit
Pull request: #19640 contributed by jheysel-r7
Path: linux/http/pyload_js2py_cve_2024_39205
AttackerKB reference: CVE-2024-28397
Description: This adds an exploit module that leverages CVE-2024-39205, an unauthenticated RCE in Pyload.
Authors: James Horseman, Spencer McIntyre, and Zach Hanley
Type: Exploit
Pull request: #19593 contributed by zeroSteiner
Path: windows/misc/ivanti_agent_portal_cmdexec
AttackerKB reference: CVE-2023-28324
Description: This adds an exploit module for CVE-2023-28324, an unauthenticated RCE in Ivanti's EPM where a .NET remoting client can invoke a method that results in an OS command being executed in the context of NT AUTHORITY\SYSTEM. This vulnerability is present in versions prior to EPM 2021.1 Su4 and EPM 2022 Su2. Included with this exploit module is a substantial amount of code that fills in gaps in the existing .NET (de)serialization capabilities so that the method can be invoked.
Improves the DOMAIN action of the auxiliary/gather/windows_secrets_dump module to allow individual users or groups to be targeted.
You can find the latest Metasploit documentation on our docsite at docs.metasploit.com.
As always, you can update to the latest Metasploit Framework with msfupdate and you can get more details on the changes since the last blog post from GitHub:
If you are a git user, you can clone the Metasploit Framework repo (master branch) for the latest. To install fresh without using git, you can use the open-source-only Nightly Installers or the commercial edition Metasploit Pro.