Last updated at Sat, 20 Jan 2024 21:50:59 GMT
Super serial about deserialization
The new Metasploit Framework release comes with two new exploit modules targeting deserialization vulnerabilities.
wvu added an exploit module that targets versions of the ManageEngine Desktop Central software below v10.0.474. An attacker can first upload a serialized Java payload without authentication, provided that the filename matches a name within the `security-mdm-agent.xml` file. Making a request to `/cewolf` with the uploaded filename in the `img` GET parameter causes `getChartImage()` to be called with the `img` value. The call to `getChartImage()` leads to a call to `readObject()` on the uploaded file contents, resulting in code execution as `SYSTEM`.
zeroSteiner added an exploit module that exploits a .NET deserialization vulnerability in SQL Server Reporting Services. To leverage the vulnerability, the user needs account credentials with at least the `Browser` role assigned. Making a POST request to `ReportViewer.aspx` with the `NavigationCorrector$ViewState` parameter containing a serialized payload leads to code execution via the `Deserialize()` call on the payload within the `LosFormatter` class. Exploitation results in service account privileges.
rConfig code execution
An exploit module by v1k1ngfr exploits a couple of vulnerabilities in rConfig to get code execution as the `apache` user. The module first either uses existing credentials or exploits a SQL injection vulnerability to bypass authentication. Once authenticated, a request is made to `ajaxArchiveFiles.php` with the `path` parameter containing a payload. The payload is passed directly to the `exec()` call, allowing for code execution.
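For defenders, the three request shapes described above (the `/cewolf` `img` lookup, the `NavigationCorrector$ViewState` POST to `ReportViewer.aspx`, and the `ajaxArchiveFiles.php` `path` parameter reaching `exec()`) are easy to flag in web-tier telemetry. The following is an added detection example, not code from the modules or the blog post; the URL paths, the alphanumeric chart-id heuristic and the sample requests are assumptions constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Assumed form of a legitimate cewolf chart id: letters, digits, '_' and '-' only.
CHART_ID = re.compile(r"^[A-Za-z0-9_-]+$")
# Shell metacharacters that should never reach an exec() argument.
SHELL_META = re.compile(r"[;&|`$(){}<>\n]")
VIEWSTATE_KEY = "NavigationCorrector$ViewState"

def classify_request(method, url, body=""):
    """Return the names of the exploitation patterns a single request matches."""
    parts = urlsplit(url)
    path = parts.path.lower()
    query = parse_qs(parts.query)                        # percent-decodes keys and values
    form = parse_qs(body) if method.upper() == "POST" else {}
    hits = []
    # ManageEngine Desktop Central: /cewolf with an img value that is not a plain chart id
    if "/cewolf" in path and any(not CHART_ID.match(v) for v in query.get("img", [])):
        hits.append("manageengine_cewolf_img")
    # SSRS: POST to ReportViewer.aspx carrying the NavigationCorrector$ViewState parameter
    if method.upper() == "POST" and path.endswith("reportviewer.aspx") \
            and (VIEWSTATE_KEY in form or VIEWSTATE_KEY in query):
        hits.append("ssrs_navigationcorrector_viewstate")
    # rConfig: ajaxArchiveFiles.php with shell metacharacters in the path parameter
    path_values = query.get("path", []) + form.get("path", [])
    if path.endswith("ajaxarchivefiles.php") and any(SHELL_META.search(v) for v in path_values):
        hits.append("rconfig_ajaxarchivefiles_path")
    return hits

# Constructed sample requests (method, URL, body); placeholders stand in for payloads.
SAMPLE_REQUESTS = [
    ("GET", "/cewolf/cewolf?img=..%2F..%2Fmdm%2Fplaceholder.ser", ""),
    ("GET", "/cewolf/cewolf?img=chart_42", ""),
    ("POST", "/ReportServer/Pages/ReportViewer.aspx", "NavigationCorrector%24ViewState=PLACEHOLDER"),
    ("GET", "/lib/ajaxHandlers/ajaxArchiveFiles.php?path=backups%3Bplaceholder", ""),
    ("GET", "/lib/ajaxHandlers/ajaxArchiveFiles.php?path=backups", ""),
]

def scan(requests=SAMPLE_REQUESTS):
    """Return only the requests that matched at least one pattern, with the rule names."""
    results = [(m, u, classify_request(m, u, b)) for m, u, b in requests]
    return [r for r in results if r[2]]

if __name__ == "__main__":
    for method, url, rules in scan():
        print(f"{method} {url} -> {', '.join(rules)}")
```

Request bodies are not present in standard access logs, so the SSRS rule needs proxy, WAF or IIS Failed Request Tracing data that includes form parameters.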
New modules (5)
- Centreon Poller Authenticated Remote Command Execution by Fabien Aunay, Omri Baso, and mekhalleh (RAMELLA Sébastien)
- Rconfig 3.x Chained Remote Code Execution by Jean-Pascal Thomas and Orange Cyberdefense, which exploits CVE-2020-10220
- ManageEngine Desktop Central Java Deserialization by wvu and mr_me, which exploits CVE-2020-10189
- SQL Server Reporting Services (SSRS) ViewState Deserialization by Soroush Dalili and Spencer McIntyre, which exploits CVE-2020-0618
- Tautulli v2.1.9 - Shutdown Denial of Service by Ismail Tasdelen, which exploits CVE-2019-19833
Enhancements and features
- PR #13036 by dwelch-r7 enables the JSON RPC results tracking functionality to dispose of old results in favor of lower memory usage.
- PR #13057 by adfoster-r7 adds profiling tools for analyzing memory and CPU utilization.
- PR #13063 by timwr adds the `PSH-AmsiBypassURI` option to the `exploit/multi/script/web_delivery` module, which allows for persistence between runs.
Bugs fixed
- PR #13054 by g0tmi1k fixes a `NoMethodError` found in the `post/windows/manage/migrate` module.
- PR #13064 by timwr fixes a `missing argument` error in the `shell` command for Windows Meterpreter.
- PR #13069 by zeroSteiner resolves a `missing argument` bug in the `powershell` extension's `powershell_shell` command and the `play` command for Windows Meterpreter.
- PR #13079 from wvu fixes a bug involved in the generation of YSoSerial Java payloads.
Get it
As always, you can update to the latest Metasploit Framework with `msfupdate`, and you can get more details on the changes since the last blog post from GitHub:
If you are a `git` user, you can clone the Metasploit Framework repo (master branch) for the latest. To install fresh without using git, you can use the open-source-only Nightly Installers or the binary installers (which also include the commercial edition).