metasploit-framework
local_exploit_suggester: Many viable modules are never checked
Running local_exploit_suggester on a Windows 7 SP1 (x64) host suggested only 3 modules. It used to suggest more than 60.
windows/meterpreter/reverse_tcp payload
msf6 exploit(multi/handler) >
[*] Sending stage (175174 bytes) to 172.16.191.236
[*] Meterpreter session 1 opened (172.16.191.192:1337 -> 172.16.191.236:57997 ) at 2021-12-09 09:49:04 -0500
msf6 exploit(multi/handler) > use post/multi/recon/local_exploit_suggester
msf6 post(multi/recon/local_exploit_suggester) > set verbose true
verbose => true
msf6 post(multi/recon/local_exploit_suggester) > set session 1
session => 1
msf6 post(multi/recon/local_exploit_suggester) > run
[*] 172.16.191.236 - Collecting local exploits for x86/windows...
[*] 172.16.191.236 - The following 4 exploit checks are being tried:
[*] 172.16.191.236 - exploit/windows/local/adobe_sandbox_adobecollabsync
[*] 172.16.191.236 - exploit/windows/local/always_install_elevated
[*] 172.16.191.236 - exploit/windows/local/ms10_092_schelevator
[*] 172.16.191.236 - exploit/windows/local/panda_psevents
[*] 172.16.191.236 - exploit/windows/local/adobe_sandbox_adobecollabsync: Cannot reliably check exploitability.
[*] 172.16.191.236 - exploit/windows/local/always_install_elevated: The target is not exploitable.
[+] 172.16.191.236 - exploit/windows/local/ms10_092_schelevator: The target appears to be vulnerable.
[*] 172.16.191.236 - exploit/windows/local/panda_psevents: The target is not exploitable.
[*] Post module execution completed
msf6 post(multi/recon/local_exploit_suggester) >
windows/x64/meterpreter/reverse_tcp payload
msf6 exploit(multi/handler) >
[*] Sending stage (200262 bytes) to 172.16.191.236
[*] Meterpreter session 1 opened (172.16.191.192:1337 -> 172.16.191.236:58012 ) at 2021-12-09 09:51:05 -0500
msf6 exploit(multi/handler) > use post/multi/recon/local_exploit_suggester
msf6 post(multi/recon/local_exploit_suggester) > set session 1
session => 1
msf6 post(multi/recon/local_exploit_suggester) > set verbose true
verbose => true
msf6 post(multi/recon/local_exploit_suggester) > run
[*] 172.16.191.236 - Collecting local exploits for x64/windows...
[*] 172.16.191.236 - The following 3 exploit checks are being tried:
[*] 172.16.191.236 - exploit/windows/local/always_install_elevated
[*] 172.16.191.236 - exploit/windows/local/ms10_092_schelevator
[*] 172.16.191.236 - exploit/windows/local/virtual_box_opengl_escape
[*] 172.16.191.236 - exploit/windows/local/always_install_elevated: The target is not exploitable.
[+] 172.16.191.236 - exploit/windows/local/ms10_092_schelevator: The target appears to be vulnerable.
[*] 172.16.191.236 - exploit/windows/local/virtual_box_opengl_escape: The target is not exploitable.
[*] Post module execution completed
msf6 post(multi/recon/local_exploit_suggester) >
The following diff yields more reasonable results.
diff --git a/modules/post/multi/recon/local_exploit_suggester.rb b/modules/post/multi/recon/local_exploit_suggester.rb
index 4ddbbc16e5..7112a0f408 100644
--- a/modules/post/multi/recon/local_exploit_suggester.rb
+++ b/modules/post/multi/recon/local_exploit_suggester.rb
@@ -77,9 +77,9 @@ class MetasploitModule < Msf::Post
(
mod.kind_of?(Msf::Exploit::Local) &&
mod.has_check? &&
- is_session_type_compat?(mod) &&
+ #is_session_type_compat?(mod) &&
is_module_platform?(mod) &&
- is_module_arch?(mod) &&
+ #is_module_arch?(mod) &&
is_module_options_ready?(mod)
)
end
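Review bot: Commenting out `is_session_type_compat?(mod)` and `is_module_arch?(mod)` removes both filters outright rather than fixing what they get wrong, so the suggester will now run `check` against modules whose required Meterpreter commands the session genuinely lacks and against modules whose declared architecture does not match the session; those checks can raise or return misleading results. This is useful as a diagnostic to show how many modules the two predicates are dropping, but it is not a mergeable fix: the session-compat wildcard expansion and the module `Arch` metadata should be corrected so the two predicates can stay in. If the predicates are to be dropped, delete the two lines rather than leaving commented-out code inside the boolean expression.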
This diff removes the check for arch and mod.session_compatible?.
The check for arch fails due to a long-standing systemic issue: we do not always specify the arch in each module (because this becomes cumbersome for userland exploits, which are effectively architecture agnostic and thus support every arch so long as a suitable payload exists). This should be fixed. It accounts for about 40 missed exploits.
The check for mod.session_compatible? results in 60+ missed modules.
A quick run through some of the modules which weren't detected, but should have been, reveals that they all claim to be missing stdapi_sys_process_set_term_size.
Why is this capability missing on native Meterpreter? Native Meterpreter should be the most feature-complete Meterpreter.
And why do we need it? These modules appear to function fine without it. Zero modules in the framework have this capability listed in Compat, so why is it being queried?
Hey @bcoles, thanks for highlighting this. I added stdapi_sys_process_set_term_size and it's only for Linux Meterpreters at the minute. What I didn't realise at the time was that a number of modules listed stdapi_sys_process_* in Compat, and the wildcard includes the new API. So my bad, I'll work on sorting this out.
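An added illustration (not metasploit-framework code, and not the fix that was eventually merged) of the wildcard problem described in the two comments above. A module's Compat entry such as stdapi_sys_process_* is expanded against the framework-wide list of known Meterpreter commands, so the moment one Linux-only command is added to that list, every module using the wildcard demands it from a Windows session that cannot provide it. The command lists, the module requirement and the alternative prefix-style matcher at the end are all constructed assumptions for this example:

```ruby
# Illustrative model (not metasploit-framework code) of how a Meterpreter API
# wildcard in a module's Compat list can be expanded against the framework-wide
# command list, so that adding one new command anywhere makes every module using
# the wildcard look incompatible with sessions that lack it.

# Every stdapi_sys_process_* command the framework knows about. This is a
# constructed list; only set_term_size is taken from the thread above, where
# it is described as a newly added, Linux-only command.
FRAMEWORK_COMMANDS = %w[
  stdapi_sys_process_attach
  stdapi_sys_process_execute
  stdapi_sys_process_get_processes
  stdapi_sys_process_getpid
  stdapi_sys_process_kill
  stdapi_sys_process_set_term_size
].freeze

# Commands a hypothetical native Windows Meterpreter reports: everything
# except the Linux-only set_term_size.
WINDOWS_SESSION_COMMANDS =
  (FRAMEWORK_COMMANDS - %w[stdapi_sys_process_set_term_size]).freeze

# Expand a Compat entry such as 'stdapi_sys_process_*' against a command list;
# an entry without a trailing '*' is returned unchanged.
def expand_wildcard(pattern, universe)
  return [pattern] unless pattern.end_with?('*')

  prefix = pattern.chomp('*')
  universe.select { |c| c.start_with?(prefix) }
end

# Commands a module's requirements resolve to (against the framework-wide list)
# that the session does not implement. Non-empty means "not compatible".
def missing_commands(required, session_commands)
  required.flat_map { |r| expand_wildcard(r, FRAMEWORK_COMMANDS) } - session_commands
end

# Naive check: the wildcard is expanded against the framework-wide list, so the
# session must implement every matching command that exists anywhere in the
# framework, including ones only another Meterpreter flavour provides.
def compatible_naive?(required, session_commands)
  missing_commands(required, session_commands).empty?
end

# One possible alternative (an assumption for this example, not the merged fix):
# a wildcard is satisfied when the session offers at least one command under
# that prefix; only explicitly named commands remain strict requirements.
def compatible_prefix?(required, session_commands)
  required.all? do |r|
    if r.end_with?('*')
      expand_wildcard(r, session_commands).any?
    else
      session_commands.include?(r)
    end
  end
end

# Constructed Compat requirement, as the thread says many modules declare it.
MODULE_COMPAT = %w[stdapi_sys_process_*].freeze

if $PROGRAM_NAME == __FILE__
  puts "naive compatible: #{compatible_naive?(MODULE_COMPAT, WINDOWS_SESSION_COMMANDS)}"
  puts "missing:          #{missing_commands(MODULE_COMPAT, WINDOWS_SESSION_COMMANDS).inspect}"
  puts "prefix compatible: #{compatible_prefix?(MODULE_COMPAT, WINDOWS_SESSION_COMMANDS)}"
end
```

Running it shows the naive matcher rejecting the Windows session solely because of stdapi_sys_process_set_term_size, which is exactly the symptom reported at the top of the issue, while the same module is accepted as soon as the single new command is dropped from the framework-wide list or the wildcard is resolved against what the session actually offers.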
Ran both of these against the Granny machine on Hack The Box: 37 exploits being checked on 6.0.30 vs 4 on 6.1.14.
Version 6.0.30
msf6 post(multi/recon/local_exploit_suggester) > run
[*] 10.10.10.15 - Collecting local exploits for x86/windows...
[*] 10.10.10.15 - 37 exploit checks are being tried...
nil versions are discouraged and will be deprecated in Rubygems 4
[+] 10.10.10.15 - exploit/windows/local/ms10_015_kitrap0d: The service is running, but could not be validated.
[+] 10.10.10.15 - exploit/windows/local/ms14_058_track_popup_menu: The target appears to be vulnerable.
[+] 10.10.10.15 - exploit/windows/local/ms14_070_tcpip_ioctl: The target appears to be vulnerable.
[+] 10.10.10.15 - exploit/windows/local/ms15_051_client_copy_image: The target appears to be vulnerable.
[+] 10.10.10.15 - exploit/windows/local/ms16_016_webdav: The service is running, but could not be validated.
[+] 10.10.10.15 - exploit/windows/local/ppr_flatten_rec: The target appears to be vulnerable.
[*] Post module execution completed
Version 6.1.14
msf6 post(multi/recon/local_exploit_suggester) > run
[*] 10.10.10.15 - Collecting local exploits for x86/windows...
[*] 10.10.10.15 - 4 exploit checks are being tried...
[*] Post module execution completed
The is_session_type_compat?(mod) method failing on missing stdapi_sys_process_set_term_size is fixed by https://github.com/rapid7/metasploit-framework/pull/15842
Haven't looked into confirming if there's still an edge case/regression to fix in is_module_arch?(mod)
> Haven't looked into confirming if there's still an edge case/regression to fix in is_module_arch?(mod)
I haven't looked into this deeply, but I suspect there's a couple of things at play.
Firstly, local exploit suggester does some magic with target selection (possibly selecting the first target, IIRC). Individual targets can specify an arch, which may cause issues.
Secondly, many userland modules are arch agnostic (command injection / logic flaws / code execution by design / etc). In that case, the module can realistically support any arch so long as there is a suitable payload.
To solve this, modules do one of a few things:
- do not specify arch in the module info meta hash; instead specify the arch in individual targets.
- do not include arch at all, neither in the info meta hash nor in targets.
- specify 'Arch' => [ARCH_X86, ARCH_X64, ARCH_ARMLE, ARCH_MIPSLE, ARCH_MIPSBE, ...].
These approaches suck, as every time we add a payload for an arch to the framework (MIPS, RISC-V, ARM, ...) the arch specified in these modules is no longer accurate. This will cause arch matching (i.e., in local exploit suggester) to fail, and will cause payload selection / tab autocompletion to be inaccurately restricted.
Edit: Here's some examples of modules which specify a million different architectures:
https://github.com/rapid7/metasploit-framework/blob/cc18c8d4abdd5bf63cb2949e8c806891b507bf3c/modules/exploits/linux/local/blueman_set_dhcp_handler_dbus_priv_esc.rb#L49-L58
https://github.com/rapid7/metasploit-framework/blob/cc18c8d4abdd5bf63cb2949e8c806891b507bf3c/modules/exploits/linux/local/yum_package_manager_persistence.rb#L26-L36
https://github.com/rapid7/metasploit-framework/blob/cc18c8d4abdd5bf63cb2949e8c806891b507bf3c/modules/exploits/linux/local/systemtap_modprobe_options_priv_esc.rb#L54-L63
And here's one that supports most (but not all) architectures. It is unclear whether these were excluded in error or intentionally.
https://github.com/rapid7/metasploit-framework/blob/cc18c8d4abdd5bf63cb2949e8c806891b507bf3c/modules/exploits/linux/local/docker_privileged_container_escape.rb#L30
Here's one which only specifies the arch in the target:
https://github.com/rapid7/metasploit-framework/blob/cc18c8d4abdd5bf63cb2949e8c806891b507bf3c/modules/exploits/windows/local/bypassuac_dotnet_profiler.rb#L37
Here's a couple of modules which take the lets-not-include-arch-at-all approach.
- modules/exploits/windows/local/plantronics_hub_spokesupdateservice_privesc.rb
- modules/exploits/windows/local/windscribe_windscribeservice_priv_esc.rb
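An added example (not metasploit-framework code, and not the suggester's real filter) modelling the three Arch declaration styles listed in the comment above and how an architecture filter behaves against each. The module definitions are constructed stand-ins, "first target only" is the behaviour the comment suspects rather than confirmed suggester logic, and ARCH_NEWARCH stands for any architecture added to the framework after a module's exhaustive Arch list was written. It also goes slightly beyond the comment by showing a lenient filter that treats "no Arch anywhere" as agnostic:

```ruby
# Illustrative model (not metasploit-framework code) of the three ways the
# thread says modules declare 'Arch', and how two different arch filters treat
# each one. All module metadata below is constructed; the ARCH_* constants only
# mirror Metasploit's naming for readability.

ARCH_X86    = 'x86'
ARCH_X64    = 'x64'
ARCH_ARMLE  = 'armle'
ARCH_MIPSLE = 'mipsle'
ARCH_NEWARCH = 'newarch' # constructed: an arch added to the framework later

# Constructed module metadata, one entry per declaration style from the thread.
MODULES = {
  # 1. Arch only in individual targets; a filter that consults one target
  #    sees only that target's arch.
  'example/local/arch_in_targets' => {
    'Arch' => nil,
    'Targets' => [
      { 'Name' => 'Windows x86', 'Arch' => [ARCH_X86] },
      { 'Name' => 'Windows x64', 'Arch' => [ARCH_X64] }
    ]
  },
  # 2. No Arch anywhere (userland logic flaw; the payload carries the arch).
  'example/local/no_arch' => {
    'Arch' => nil,
    'Targets' => [{ 'Name' => 'Automatic' }]
  },
  # 3. Exhaustive Arch list, frozen at the time the module was written.
  'example/local/arch_list' => {
    'Arch' => [ARCH_X86, ARCH_X64, ARCH_ARMLE, ARCH_MIPSLE],
    'Targets' => [{ 'Name' => 'Automatic' }]
  }
}.freeze

# Strict filter (models the "first target" suspicion from the thread):
# module-level Arch wins, otherwise the first target's Arch, and a module that
# declares nothing at all is rejected.
def arch_compatible_first_target?(info, session_arch)
  archs = info['Arch'] || info['Targets'].first['Arch']
  return false if archs.nil?

  archs.include?(session_arch)
end

# Lenient filter: Arch is gathered from the module and from every target, and
# a module that declares no Arch anywhere is treated as architecture-agnostic.
def arch_compatible_any_target?(info, session_arch)
  target_archs = info['Targets'].map { |t| t['Arch'] }.compact.flatten
  declared = Array(info['Arch']) + target_archs
  return true if declared.empty?

  declared.include?(session_arch)
end

# Run both filters over every constructed module for one session arch and
# return { module_name => [strict_result, lenient_result] }.
def compare_filters(session_arch)
  MODULES.to_h do |name, info|
    [name, [arch_compatible_first_target?(info, session_arch),
            arch_compatible_any_target?(info, session_arch)]]
  end
end

if $PROGRAM_NAME == __FILE__
  [ARCH_X64, ARCH_NEWARCH].each do |arch|
    puts "session arch #{arch}:"
    compare_filters(arch).each do |name, (strict, lenient)|
      puts "  #{name}: strict=#{strict} lenient=#{lenient}"
    end
  end
end
```

For an x64 session the strict filter drops both the targets-only module (its first target is x86) and the no-Arch module, which is the kind of silent loss described in the thread; for ARCH_NEWARCH even the lenient filter drops the module with the exhaustive list, showing why such lists go stale each time a payload architecture is added.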
This is still an issue, ran into this at the weekend. Will have to fix :+1:
Since this issue was raised we made a bunch of improvements to the module in the above pull requests - such as changes to setting the target etc.
I think the metadata issue on modules still needs to be fixed though, but I'm hoping it suggests more than 3 modules on your environment nowadays 🤞
Here's output from the same Windows 7 SP1 (x64) test box. The test box has had no Windows updates applied since the last attempt, although the box itself is very far from a clean install, and I have installed some software since (and maybe removed some too).
I haven't compared with the previous result, nor verified whether these results are expected. While fewer results are returned than I remember from a few years ago, that may be due to reliability/accuracy improvements to the check methods. Nonetheless, the results look better.
Note: Ignore "test" in the output. My working branch has an exploit/windows/local/test module which defines the following check method (the system hostname is test):
  def check
    puts get_hostname.inspect # debug print of the hostname; appears as "test" in the output below
    CheckCode::Unknown
  end
I don't see any exploit/multi/local modules in the output. That is unexpected. I would have expected this module to have been attempted:
https://github.com/rapid7/metasploit-framework/blob/37fe3b909a298e46db21380ebcda7965ad6fe492/modules/exploits/multi/local/vagrant_synced_folder_vagrantfile_breakout.rb#L36-L38
Verbose output shows it wasn't selected due to the specified platform and arch:
77 exploit/multi/local/vagrant_synced_folder_vagrantfile_breakout Not Compatible (architecture, platform) Ruby ruby meterpreter, powershell, shell
windows/meterpreter/reverse_tcp payload
msf6 > use post/multi/recon/local_exploit_suggester
msf6 post(multi/recon/local_exploit_suggester) > set session 1
session => 1
msf6 post(multi/recon/local_exploit_suggester) > run
[*] 192.168.200.190 - Collecting local exploits for x86/windows...
[*] 192.168.200.190 - 184 exploit checks are being tried...
[+] 192.168.200.190 - exploit/windows/local/ms10_092_schelevator: The service is running, but could not be validated.
[+] 192.168.200.190 - exploit/windows/local/ms13_053_schlamperei: The target appears to be vulnerable.
[+] 192.168.200.190 - exploit/windows/local/ms13_081_track_popup_menu: The target appears to be vulnerable.
[+] 192.168.200.190 - exploit/windows/local/ms14_058_track_popup_menu: The target appears to be vulnerable.
[+] 192.168.200.190 - exploit/windows/local/ms15_051_client_copy_image: The target appears to be vulnerable.
[+] 192.168.200.190 - exploit/windows/local/ms16_032_secondary_logon_handle_privesc: The service is running, but could not be validated.
[+] 192.168.200.190 - exploit/windows/local/ms16_075_reflection: The target appears to be vulnerable.
[+] 192.168.200.190 - exploit/windows/local/ms16_075_reflection_juicy: The target appears to be vulnerable.
[+] 192.168.200.190 - exploit/windows/local/ntusermndragover: The target appears to be vulnerable.
[+] 192.168.200.190 - exploit/windows/local/ppr_flatten_rec: The target appears to be vulnerable.
"test"nning check method for exploit 39 / 42
[+] 192.168.200.190 - exploit/windows/local/tokenmagic: The target appears to be vulnerable.
[*] Running check method for exploit 42 / 42
[*] 192.168.200.190 - Valid modules for session 1:
============================
# Name Potentially Vulnerable? Check Result
- ---- ----------------------- ------------
1 exploit/windows/local/ms10_092_schelevator Yes The service is running, but could not be validated.
2 exploit/windows/local/ms13_053_schlamperei Yes The target appears to be vulnerable.
3 exploit/windows/local/ms13_081_track_popup_menu Yes The target appears to be vulnerable.
4 exploit/windows/local/ms14_058_track_popup_menu Yes The target appears to be vulnerable.
5 exploit/windows/local/ms15_051_client_copy_image Yes The target appears to be vulnerable.
6 exploit/windows/local/ms16_032_secondary_logon_handle_privesc Yes The service is running, but could not be validated.
7 exploit/windows/local/ms16_075_reflection Yes The target appears to be vulnerable.
8 exploit/windows/local/ms16_075_reflection_juicy Yes The target appears to be vulnerable.
9 exploit/windows/local/ntusermndragover Yes The target appears to be vulnerable.
10 exploit/windows/local/ppr_flatten_rec Yes The target appears to be vulnerable.
11 exploit/windows/local/tokenmagic Yes The target appears to be vulnerable.
12 exploit/windows/local/adobe_sandbox_adobecollabsync No Cannot reliably check exploitability.
13 exploit/windows/local/agnitum_outpost_acs No The target is not exploitable.
14 exploit/windows/local/always_install_elevated No The target is not exploitable.
15 exploit/windows/local/anyconnect_lpe No The target is not exploitable. vpndownloader.exe not found on file system
16 exploit/windows/local/bits_ntlm_token_impersonation No The target is not exploitable.
17 exploit/windows/local/bthpan No The target is not exploitable.
18 exploit/windows/local/bypassuac_eventvwr No The target is not exploitable.
19 exploit/windows/local/bypassuac_fodhelper No The target is not exploitable.
20 exploit/windows/local/bypassuac_sluihijack No The target is not exploitable.
21 exploit/windows/local/canon_driver_privesc No The target is not exploitable. No Canon TR150 driver directory found
22 exploit/windows/local/cve_2020_0787_bits_arbitrary_file_move No The target is not exploitable. The build number of the target machine does not appear to be a vulnerable version!
23 exploit/windows/local/cve_2020_1048_printerdemon No The target is not exploitable.
24 exploit/windows/local/cve_2020_1337_printerdemon No The target is not exploitable.
25 exploit/windows/local/gog_galaxyclientservice_privesc No The target is not exploitable. Galaxy Client Service not found
26 exploit/windows/local/ikeext_service No The check raised an exception.
27 exploit/windows/local/ipass_launch_app No The check raised an exception.
28 exploit/windows/local/lenovo_systemupdate No The check raised an exception.
29 exploit/windows/local/lexmark_driver_privesc No The check raised an exception.
30 exploit/windows/local/mqac_write No The target is not exploitable.
31 exploit/windows/local/ms10_015_kitrap0d No The target is not exploitable.
32 exploit/windows/local/ms14_070_tcpip_ioctl No The target is not exploitable.
33 exploit/windows/local/ms15_004_tswbproxy No The target is not exploitable.
34 exploit/windows/local/ms16_016_webdav No The target is not exploitable.
35 exploit/windows/local/ms_ndproxy No The target is not exploitable.
36 exploit/windows/local/novell_client_nicm No The target is not exploitable.
37 exploit/windows/local/ntapphelpcachecontrol No The target is not exploitable.
38 exploit/windows/local/panda_psevents No The target is not exploitable.
39 exploit/windows/local/ricoh_driver_privesc No The target is not exploitable. No Ricoh driver directory found
40 exploit/windows/local/test No Cannot reliably check exploitability.
41 exploit/windows/local/virtual_box_guest_additions No The target is not exploitable.
42 exploit/windows/local/webexec No The check raised an exception.
[*] Post module execution completed
msf6 post(multi/recon/local_exploit_suggester) >
windows/x64/meterpreter/reverse_tcp payload
msf6 exploit(multi/handler) > [*] Meterpreter session 1 opened (192.168.200.130:1337 -> 192.168.200.190:50417) at 2022-12-17 06:05:00 -0500
msf6 exploit(multi/handler) > back
msf6 > use post/multi/recon/local_exploit_suggester
msf6 post(multi/recon/local_exploit_suggester) > set session 1
session => 1
msf6 post(multi/recon/local_exploit_suggester) > run
[*] 192.168.200.190 - Collecting local exploits for x64/windows...
[*] 192.168.200.190 - 184 exploit checks are being tried...
[+] 192.168.200.190 - exploit/windows/local/cve_2019_1458_wizardopium: The target appears to be vulnerable.
[+] 192.168.200.190 - exploit/windows/local/cve_2020_1054_drawiconex_lpe: The target appears to be vulnerable.
[+] 192.168.200.190 - exploit/windows/local/ms10_092_schelevator: The service is running, but could not be validated.
[+] 192.168.200.190 - exploit/windows/local/ms14_058_track_popup_menu: The target appears to be vulnerable.
[+] 192.168.200.190 - exploit/windows/local/ms15_051_client_copy_image: The target appears to be vulnerable.
[+] 192.168.200.190 - exploit/windows/local/ms16_014_wmi_recv_notif: The target appears to be vulnerable.
[+] 192.168.200.190 - exploit/windows/local/ms16_032_secondary_logon_handle_privesc: The service is running, but could not be validated.
[+] 192.168.200.190 - exploit/windows/local/ms16_075_reflection: The target appears to be vulnerable.
[+] 192.168.200.190 - exploit/windows/local/ms16_075_reflection_juicy: The target appears to be vulnerable.
"test"nning check method for exploit 39 / 42
[+] 192.168.200.190 - exploit/windows/local/tokenmagic: The target appears to be vulnerable.
[*] Running check method for exploit 42 / 42
[*] 192.168.200.190 - Valid modules for session 1:
============================
# Name Potentially Vulnerable? Check Result
- ---- ----------------------- ------------
1 exploit/windows/local/cve_2019_1458_wizardopium Yes The target appears to be vulnerable.
2 exploit/windows/local/cve_2020_1054_drawiconex_lpe Yes The target appears to be vulnerable.
3 exploit/windows/local/ms10_092_schelevator Yes The service is running, but could not be validated.
4 exploit/windows/local/ms14_058_track_popup_menu Yes The target appears to be vulnerable.
5 exploit/windows/local/ms15_051_client_copy_image Yes The target appears to be vulnerable.
6 exploit/windows/local/ms16_014_wmi_recv_notif Yes The target appears to be vulnerable.
7 exploit/windows/local/ms16_032_secondary_logon_handle_privesc Yes The service is running, but could not be validated.
8 exploit/windows/local/ms16_075_reflection Yes The target appears to be vulnerable.
9 exploit/windows/local/ms16_075_reflection_juicy Yes The target appears to be vulnerable.
10 exploit/windows/local/tokenmagic Yes The target appears to be vulnerable.
11 exploit/windows/local/agnitum_outpost_acs No The target is not exploitable.
12 exploit/windows/local/always_install_elevated No The target is not exploitable.
13 exploit/windows/local/bits_ntlm_token_impersonation No The target is not exploitable.
14 exploit/windows/local/bypassuac_dotnet_profiler No The target is not exploitable.
15 exploit/windows/local/bypassuac_eventvwr No The target is not exploitable.
16 exploit/windows/local/bypassuac_fodhelper No The target is not exploitable.
17 exploit/windows/local/bypassuac_sdclt No The target is not exploitable.
18 exploit/windows/local/bypassuac_sluihijack No The target is not exploitable.
19 exploit/windows/local/canon_driver_privesc No The target is not exploitable. No Canon TR150 driver directory found
20 exploit/windows/local/capcom_sys_exec No The target is not exploitable.
21 exploit/windows/local/cve_2020_0787_bits_arbitrary_file_move No The target is not exploitable. The build number of the target machine does not appear to be a vulnerable version!
22 exploit/windows/local/cve_2020_0796_smbghost No The target is not exploitable.
23 exploit/windows/local/cve_2020_1048_printerdemon No The target is not exploitable.
24 exploit/windows/local/cve_2020_1313_system_orchestrator No The target is not exploitable.
25 exploit/windows/local/cve_2020_1337_printerdemon No The target is not exploitable.
26 exploit/windows/local/cve_2020_17136 No Cannot reliably check exploitability. Couldn't retrieve the target's build number!
27 exploit/windows/local/cve_2021_21551_dbutil_memmove No The target is not exploitable.
28 exploit/windows/local/cve_2021_40449 No The target is not exploitable. The build number of the target machine does not appear to be a vulnerable version!
29 exploit/windows/local/cve_2022_21882_win32k No The target is not exploitable.
30 exploit/windows/local/cve_2022_21999_spoolfool_privesc No The target is not exploitable. Windows 7 is technically vulnerable, though it requires a reboot.
31 exploit/windows/local/gog_galaxyclientservice_privesc No The target is not exploitable. Galaxy Client Service not found
32 exploit/windows/local/ikeext_service No The check raised an exception.
33 exploit/windows/local/lexmark_driver_privesc No The target is not exploitable. No Lexmark print drivers in the driver store
34 exploit/windows/local/ms15_078_atmfd_bof No Cannot reliably check exploitability.
35 exploit/windows/local/ntapphelpcachecontrol No The target is not exploitable.
36 exploit/windows/local/nvidia_nvsvc No The check raised an exception.
37 exploit/windows/local/panda_psevents No The target is not exploitable.
38 exploit/windows/local/ricoh_driver_privesc No The target is not exploitable. No Ricoh driver directory found
39 exploit/windows/local/srclient_dll_hijacking No The target is not exploitable. Target is not Windows Server 2012.
40 exploit/windows/local/test No Cannot reliably check exploitability.
41 exploit/windows/local/virtual_box_opengl_escape No The target is not exploitable.
42 exploit/windows/local/webexec No The check raised an exception.
[*] Post module execution completed
msf6 post(multi/recon/local_exploit_suggester) >