Last updated at Sat, 20 Jan 2024 20:55:02 GMT
Gift exchange
If you're looking for remote code execution against Microsoft Exchange, Spencer McIntyre crafted up a cool new module targeting a .NET serialization vulnerability in the Exchange Control Panel (ECP) web page. Vulnerable versions of Exchange don't randomize keys on a per-installation basis, resulting in reuse of the same validationKey and decryptionKey values. With knowledge of these, an attacker can craft a special ViewState to cause an OS command to be executed as NT AUTHORITY\SYSTEM via .NET deserialization. Note that this module does require the user to authenticate to Exchange, be a member of the Domain Users group, and have a mailbox configured on the Exchange server.
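The root cause above is a machineKey that is identical on every vulnerable install, so a useful inventory check is to pull web.config from each Exchange server and look for validationKey or decryptionKey values that repeat across hosts. The following is an added example for that check, not code from the Rapid7 post or from the Metasploit module; the hostnames, config fragments and key strings are constructed placeholders, and values beginning with AutoGenerate are treated as non-static because that is ASP.NET's default.

```python
"""Flag ASP.NET machineKey values that are reused across hosts (added example).

Given a web.config fragment per server, extract the validationKey and
decryptionKey attributes of <machineKey> and report any value that appears
on more than one host. All sample hosts and key values are constructed.
"""
import xml.etree.ElementTree as ET
from collections import defaultdict

# Constructed web.config fragments keyed by hostname (placeholder key values).
SAMPLE_CONFIGS = {
    "ex01.corp.example": """<configuration>
  <system.web>
    <machineKey validationKey="PLACEHOLDER-STATIC-VALIDATION-KEY"
                decryptionKey="PLACEHOLDER-STATIC-DECRYPTION-KEY"
                validation="SHA1" decryption="3DES" />
  </system.web>
</configuration>""",
    "ex02.corp.example": """<configuration>
  <system.web>
    <machineKey validationKey="PLACEHOLDER-STATIC-VALIDATION-KEY"
                decryptionKey="PLACEHOLDER-STATIC-DECRYPTION-KEY"
                validation="SHA1" decryption="3DES" />
  </system.web>
</configuration>""",
    "ex03.corp.example": """<configuration>
  <system.web>
    <machineKey validationKey="PLACEHOLDER-UNIQUE-VALIDATION-KEY-03"
                decryptionKey="PLACEHOLDER-UNIQUE-DECRYPTION-KEY-03"
                validation="SHA1" decryption="3DES" />
  </system.web>
</configuration>""",
    "web04.corp.example": """<configuration>
  <system.web>
    <machineKey validationKey="AutoGenerate,IsolateApps"
                decryptionKey="AutoGenerate,IsolateApps" />
  </system.web>
</configuration>""",
}

KEY_ATTRS = ("validationKey", "decryptionKey")


def extract_machine_keys(xml_text):
    """Return {attr: value} for the first <machineKey> element, or {} if none."""
    root = ET.fromstring(xml_text)
    node = next(root.iter("machineKey"), None)
    if node is None:
        return {}
    return {attr: node.get(attr) for attr in KEY_ATTRS if node.get(attr)}


def is_static_key(value):
    """ASP.NET's default 'AutoGenerate[,IsolateApps]' is derived per machine, so only explicit values count."""
    return not value.strip().lower().startswith("autogenerate")


def find_shared_keys(configs):
    """Map (attribute, value) -> sorted hosts, keeping only values seen on 2+ hosts."""
    owners = defaultdict(set)
    for host, xml_text in configs.items():
        for attr, value in extract_machine_keys(xml_text).items():
            if is_static_key(value):
                owners[(attr, value)].add(host)
    return {key: sorted(hosts) for key, hosts in owners.items() if len(hosts) > 1}


if __name__ == "__main__":
    shared = find_shared_keys(SAMPLE_CONFIGS)
    if not shared:
        print("no machineKey reuse detected")
    for (attr, value), hosts in shared.items():
        print(f"{attr} {value!r} reused on: {', '.join(hosts)}")
```

A hit means the hosts share a ViewState MAC/encryption secret, which is exactly the condition the module relies on; the remediation is the vendor patch, which gives each installation its own keys, after which this report should come back empty.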
Open sesame
Courtesy of our friendly neighborhood researcher, wvu added a new local module targeting OpenSMTPD. Vulnerable versions of OpenSMTPD (prior to v6.6.4) contain an out-of-bounds read vulnerability in their MTA implementation, allowing an attacker to escalate to command execution as either the root or nobody user (depending on the grammar used by OpenSMTPD). Simple!
You down with PHP...?
And not to be missed, cdelafuente-r7 dropped in a new exploit module targeting PHP-FPM, where an underflow vulnerability in message passing between Nginx and PHP can lead to code execution on a vulnerable target. Versions containing this vulnerability are scattered about a bit; you can check out the new module here.
Share your attacker knowledge!
Do you have opinions on vulns? Want to learn others' opinions about vulns? Our new AttackerKB (Attacker Knowledge Base) web app has got you covered! We're currently in Beta with AttackerKB, where you can read about vulns, opinions and analysis around them, and provide your own analysis and thoughts, too! You can get the deets on AttackerKB (and request Beta access) here!
New modules (6)
- EyesOfNetwork AutoDiscovery Target Command Execution by Clément Billac, Erik Wynter, and bcoles, which exploits CVE-2020-8657
- Google Chrome 80 JSCreate side-effect type confusion exploit by Clément Lecigne, István Kurucsai, Vignesh S Rao, and timwr, which exploits CVE-2020-6418
- PHP-FPM Underflow RCE by cdelafuente-r7 and neex, which exploits CVE-2019-11043
- OpenSMTPD OOB Read Local Privilege Escalation by wvu and Qualys, which exploits CVE-2020-8794
- Apache ActiveMQ 5.x-5.11.1 Directory Traversal Shell Upload by David Jorm and Erik Wynter, which exploits CVE-2015-1830
- Exchange Control Panel Viewstate Deserialization by Spencer McIntyre, which exploits CVE-2020-0688
Enhancements and features
- PR #12929 by 0x44434241, adds the DB_ALL_USERS option to auxiliary/scanner/smb/smb_enumusers, which allows users to store enumerated user names in the database.
- PR #12984 by Spencer McIntyre, corrects an issue with remote Meterpreter-backed network connections where local socket parameters were not updated properly on connect.
- PR #12985 by timwr, switches the powershell payload to a polling read, preventing some issues where it read before having a message.
- PR #12989 by adamgalway-r7, sanitizes user input for module and payload paths, removing a leading ".", "./", "/", "[module|payload]/", or "/[module|payload]/" from a path. Also trims a trailing "." and extensions from a path, as well as any possible misspellings of an extension.
- PR #12998 by adamgalway-r7, allows users to say either type:aux or type:auxiliary when searching for auxiliary modules.
- PR #13012 by adfoster-r7, improves error handling when a plugin fails to load, now displaying the reason for the failure.
- PR #13015 by space-r7, updates login scanners to work with usernames stored in the database and sets the last_attempted_at value in scanner/smb/smb_login.
Get it
As always, you can update to the latest Metasploit Framework with msfupdate, and you can get more details on the changes since the last blog post from GitHub:
If you are a git user, you can clone the Metasploit Framework repo (master branch) for the latest.
To install fresh without using git, you can use the open-source-only Nightly Installers or the binary installers (which also include the commercial edition).