Last updated at Fri, 09 Feb 2024 14:42:29 GMT
Refreshingly configurable
F5, on top of being a handy shortcut you can press over and over again until 3am just to watch the RTX 3080 preorders sell out instantly, is also a company that specializes in the delivery, security, performance, and availability of web applications, computing, storage, and network resources.
Community contributor h00die added an F5 device config processing library to msfconsole, along with a post module that gathers information from F5 devices and an auxiliary module that parses F5 config files offline.
The Mida(s) Touch, but for vulns
A new exploit added by bcoles takes advantage of an OS command injection vulnerability in the Mida Solutions eFramework, developed (shockingly) by Mida Solutions, a Unified Communications company.
Shell commands can be executed as the `apache` user without authentication via the `PARAM` parameter in requests made to `ajaxreq.php`. The `sudo` configuration also allows the `apache` user to execute commands without requiring a password, making code execution as the `root` user possible.
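As an added illustration (not code from the original post or from the Metasploit module), the following Python script shows two checks a defender might run around this class of bug: it parses constructed Apache access-log lines and flags requests to ajaxreq.php whose PARAM value carries shell metacharacters, and it lists sudoers rules that grant a given user passwordless command execution. The log lines, the sudoers fragment and the payload shapes are constructed assumptions; the post does not specify the request format or the actual sudo rule.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Apache "combined" access-log format; only the fields we need are captured.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# Characters and sequences that let a value break out of a shell command line:
# command separators, pipes, background operator, backticks and $( ) substitution.
SHELL_META = re.compile(r"[;|&`\n]|\$\(")

# Constructed sample traffic (not real logs): two benign requests and two
# PARAM values that would only make sense as command-injection attempts.
SAMPLE_LOG = """\
203.0.113.5 - - [18/Sep/2020:10:01:02 +0000] "GET /ajaxreq.php?PARAM=status HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.7 - - [18/Sep/2020:10:01:09 +0000] "GET /ajaxreq.php?PARAM=status%3Bid HTTP/1.1" 200 640 "-" "curl/7.68.0"
203.0.113.9 - - [18/Sep/2020:10:02:15 +0000] "POST /ajaxreq.php?PARAM=x%60uname%20-a%60 HTTP/1.1" 200 700 "-" "python-requests/2.24"
198.51.100.2 - - [18/Sep/2020:10:03:00 +0000] "GET /index.php HTTP/1.1" 200 1200 "-" "Mozilla/5.0"
"""

# Constructed sudoers fragment (assumption: the post does not show the real rule).
SAMPLE_SUDOERS = """\
# Defaults
Defaults env_reset
root    ALL=(ALL:ALL) ALL
apache  ALL=(ALL) NOPASSWD: ALL
backup  ALL=(root) NOPASSWD: /usr/bin/rsync
www-data ALL=(root) /usr/sbin/service
"""


def parse_line(line):
    """Return a dict with ip, method, path and decoded query, or None if unparsable."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    url = urlsplit(rec["target"])
    rec["path"] = url.path
    rec["query"] = parse_qs(url.query, keep_blank_values=True)  # percent-decodes values
    return rec


def is_suspicious_param(value):
    """True if a (decoded) PARAM value contains shell metacharacters."""
    return bool(SHELL_META.search(value))


def find_injection_attempts(log_text, script="/ajaxreq.php", param="PARAM"):
    """Flag requests to the vulnerable script whose PARAM value could inject a command.

    Only query-string parameters are visible in an access log; a PARAM sent in a
    POST body would need request-body logging or a WAF to catch.
    """
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or not rec["path"].endswith(script):
            continue
        for value in rec["query"].get(param, []):
            if is_suspicious_param(value):
                hits.append({"ip": rec["ip"], "method": rec["method"], "param": value})
    return hits


def nopasswd_rules_for(user, sudoers_text):
    """Return sudoers lines that let `user` run commands without a password.

    Only direct user specs are checked; %group rules and User_Alias entries
    would need additional handling.
    """
    rules = []
    for raw in sudoers_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or line.startswith("Defaults"):
            continue
        fields = line.split()
        if fields[0] == user and "NOPASSWD:" in line:
            rules.append(line)
    return rules


if __name__ == "__main__":
    for hit in find_injection_attempts(SAMPLE_LOG):
        print(f"{hit['ip']} {hit['method']} PARAM={hit['param']!r}")
    for rule in nopasswd_rules_for("apache", SAMPLE_SUDOERS):
        print("passwordless sudo:", rule)
```

The metacharacter list is deliberately narrow so the detector produces few false positives on ordinary values; widen it (for example to include `>` or `<`) if the application never expects those in PARAM. The sudoers check is the counterpart fix on the host side: an `apache` entry with NOPASSWD turns any web-tier command execution into root.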
The V stands for Vuln
Our very own Grant Wilcox put together a neat post module for Windows machines running Hyper-V that allows the enumeration of any Hyper-V Virtual Machines installed on said machine.
The module's findings (status, CPU usage, Hyper-V engine version, and state) are then stored as Metasploit loot for easy export and retrieval.
Multiple logins with Zerologon
Last but certainly not least, the gnarly "Zerologon" (CVE-2020-1472) privilege escalation vulnerability already has a PR in the works courtesy of the always wonderful zeroSteiner.
For more information on the vulnerability that everyone's talking about, see our analysis on AttackerKB.
New modules (6)
- Mida Solutions eFramework ajaxreq.php Command Injection by bcoles and elbae, which exploits CVE-2020-15920
- Microsoft Exchange Server DlpUtils AddTenantDlpPolicy RCE by wvu and mr_me, which exploits CVE-2020-16875
- F5 Configuration Importer by h00die
- F5 Device General Information Gatherer by h00die
- Bypass the macOS TCC Framework by mattshockl and timwr, which exploits CVE-2020-9934
- Windows Hyper-V VM Enumeration by gwillcox-r7
Enhancements and features
- PR #14139 - This updates the HTTP client library used by many Metasploit modules to handle redirects in a more standards-compliant way, and adds a new feature that makes cookies easier to manage.
- PR #14126 - This adds an authenticated RCE exploit for Microsoft Exchange that leverages CVE-2020-16875 to inject code when a new DLP policy is processed. The user must have the "Data Loss Prevention" role assigned in order to exploit this vulnerability.
- PR #14125 - Adds SCREEN_EFFECTS and ARTIFACTS_ON_DISK notes to the post/osx/escalate/tccbypass module.
- PR #14117 - This adds a post module that checks whether a target is a Hyper-V host and attempts to gather information about all Hyper-V VMs.
- PR #14074 - This adds an exploit for Mida Solutions eFramework versions 2.9.0 and below. Shell commands can be executed as the apache user via the PARAM parameter in requests to ajaxreq.php without authentication. Because the sudo configuration allows the apache user to execute commands without requiring a password, this vector ultimately achieves code execution as the root user.
- PR #13942 - This adds a module that leverages CVE-2020-9934 to let a session bypass the macOS Transparency, Consent, and Control (TCC) framework and gain unauthorized access to sensitive user data.
- PR #13571 - This updates the Session Notifier plugin to support sending notifications via DingTalk webhooks.
- PR #14111 - Removes dead code that previously tracked payload sizes while Metasploit was booting.
Bugs fixed
- PR #14145 - A bug in the implementation of the report_loot method has been fixed to ensure that data is always base64 encoded before it is sent to the web service, which always expects base64 encoded data. With this fix, report_loot will no longer send unencoded data that could cause an exception.
- PR #14143 - This update replaces all calls to the deprecated get_service function with calls to the newer services function. This fixes known issues with existing get_service calls that affected the badblue_passthru and tomcat_mgr_upload modules when connected to a remote database.
- PR #14120 - Fixes a bug that caused services -S to return results from all workspaces instead of only the current workspace.
- PR #14138 - Fixes nexus_repo_manager_el_injection.md.
Get it
As always, you can update to the latest Metasploit Framework with msfupdate, and you can get more details on the changes since the last blog post on GitHub.
If you are a git user, you can clone the Metasploit Framework repo (master branch) for the latest.
To install fresh without using git, you can use the open-source-only Nightly Installers or the binary installers (which also include the commercial edition).