SharePoint DataSet/DataTable deserialization
First up we have an exploit from Spencer McIntyre (@zeroSteiner) for CVE-2020-1147, a deserialization vulnerability in SharePoint instances that was patched by Microsoft on July 14th 2020 and which has been getting quite a bit of attention in the news lately. This module builds on Steven Seeley's (@stevenseeley) writeup, along with some helpful tips from Soroush Dalili (@irsdl), to make a working exploit that grants authenticated attackers RCE as the user SharePoint was configured to run as when it was installed (which will typically be the local administrator account). Note that while authentication is required, an attacker merely needs to be authenticated as any user on the domain, making this an attractive target for attackers. If you haven't already patched this vulnerability, you should definitely look at doing so as soon as possible.
Stealing back from the stealers
Continuing the trend of Metasploit modules for CnC/botnet control panels, this week @EgeBalci added a new module targeting an arbitrary file upload vulnerability within the Baldr Botnet Panel, which can be exploited to gain arbitrary code execution on the targeted server as an unauthenticated user. Baldr is well known on Russian criminal hacking forums as a stealer that quickly grabs sensitive information from compromised computers and then exfiltrates that information back to CnC servers owned by the attackers. Hopefully this module will help malware investigators shut down some of these servers and prevent such activities from occurring.
Last but not least, contributor @bcoles added a module for CVE-2020-7457, a use-after-free vulnerability within FreeBSD's kernel when handling IPv6 sockets, which was found by Andy Nguyen (@theflow0). This module supports several different FreeBSD versions, including 9.1, 9.2, 9.3, 12.0 and 12.1; it was tested on a range of FreeBSD versions from 9.1 to 9.3 and 12.0 to 12.1, and grants local attackers arbitrary code execution as the root user upon successful exploitation. Definitely interesting to see a kernel module with support for such a range of kernel versions!
New modules (4)
- FreeBSD ip6_setpktopt Use-After-Free Privilege Escalation by Andy Nguyen (@theflow0) and @bcoles, which exploits CVE-2020-7457
- Baldr Botnet Panel Shell Upload Exploit by Ege Balcı (@EgeBalci), which grants remote unauthenticated attackers RCE on affected Baldr Botnet Panels
- SharePoint DataSet / DataTable Deserialization by Soroush Dalili (@irsdl), Spencer McIntyre (@zeroSteiner), and Steven Seeley (@stevenseeley), which exploits CVE-2020-1147
- Telegram Message Client by Ege Balcı (@EgeBalci) adds support for receiving Telegram messages when a new session is opened
Enhancements and features
- PR #13895 from @zeroSteiner adds support for the `check` method to the CVE-2020-6287 SAP RECON module, and also adds a `REMOVE` action so the module can now remove accounts on the targeted system.
- PR #13896 from @zeroSteiner updates the `msftidy_docs.rb` script to add new checks, and updates the documentation template to be compliant with these new checks and to add more explanation around the exploit ranking and module traits.
- PR #13921 from @jmartin-r7 updates `msfconsole` so that it always displays the major version that the user is running, regardless of whether they are running msf4, msf5, or msf6.
- PR #13898 from @timwr fixes an issue with the `wlan_gather.rb` module so that it appropriately returns an error when an invalid `API_KEY` is passed to the geolocation API.
- PR #13899 from @digitalcombine updates the `post/multi/manage/sudo` module so that it automatically removes clear-text sudo passwords from the temporary files it creates in
- PR #13900 from @red0xff updates `lib/rex/proto/http/packet/header.rb` so that it uses case-insensitive checks when checking for the presence of HTTP headers in requests or responses, thereby making it consistent with existing Metasploit behavior.
As always, you can update to the latest Metasploit Framework with
and you can get more details on the changes since the last blog post from
If you are a git user, you can clone the Metasploit Framework repo (master branch) for the latest.
To install fresh without using git, you can use the open-source-only Nightly Installers or the binary installers (which also include the commercial edition).