Nine! Nine new modules! (Ah ha ha!)
With the coming of autumn here in the Northern hemisphere, the nights are getting longer, and the hacking is getting stronger. We’ve really got something for everybody in this release, from IoT to infrastructure, Windows, and Linux; everyone’s pretty well-represented!
Windows has been patching several vulnerabilities lately, and we have modules for them! Metasploit’s own Spencer and Brendan have been working on bringing in work from others: Spencer wrote a Zerologon (CVE-2020-1472) module based on the work by Tom Tervoort, and Brendan wrote a module covering the PrintDemon vulnerability (CVE-2020-1048) building on the work of Alex Ionescu and shubham0d.
Spencer also added a new SOCKS module to unite the tribes of proxies currently in Metasploit, with one module to rule them all, and in the darkness, bind them!
Not to be outdone, our own Shelby added to the module count with CVE-2017-1000353 and YAJDV (Yet Another Java Deserialization Vulnerability) against everyone’s favorite DevOps tool, Jenkins. Now you can ask Jenkins to test your code or run it! While this vulnerability may be a bit older, we all know people miss patches, so it is worth checking out.
Rounding out the Metasploit team’s contributions are Grant and a new module to gather information on installed software on targets, and when we say targets, we mean it: Windows, Linux, Android, and Mac are all covered by this new gather module!
As if the Metasploit team’s contributions were not enough, we had some seriously high-quality work come in from our community members as well: auth bypasses for Artica Proxy by Niboucha Redouane, Cloud Camera command injection by Pietro Oliva, a VyOS escape by Rich Mirch and bcoles, and a SecureCRT password decryptor by cn-kali-team.
New modules (9)
- Artica proxy 4.30.000000 Auth Bypass service-cmds-peform Command Injection by Max0x4141 and Redouane NIBOUCHA, which exploits CVE-2020-17506
- Jenkins CLI Deserialization by SSD, Shelby Pace, and Unknown, which exploits CVE-2017-1000353
- TP-Link Cloud Cameras NCXXX Bonjour Command Injection by Pietro Oliva, which exploits CVE-2020-12109
- VyOS restricted-shell Escape and Privilege Escalation by Rich Mirch and bcoles, which exploits CVE-2018-18556
- Microsoft Spooler Local Privilege Elevation Vulnerability by Alex Ionescu, Yarden Shafir, bwatters-r7, and shubham0d, which exploits CVE-2020-1048
- Netlogon Weak Cryptographic Authentication by Dirk-jan Mollema, Spencer McIntyre, and Tom Tervoort, which exploits CVE-2020-1472
- SOCKS Proxy Server by Spencer McIntyre, sf, and surefire
- Multiplatform Installed Software Version Enumerator by gwillcox-r7
- Windows SecureCRT Session Information Enumeration by HyperSine and Kali-Team
- Show correct rank for show exploits command from Alan David Foster fixes a bug where the ranking for exploits was not shown properly when the show exploits command was used.
- Always display SRVHOST and SRVPORT when CMDSTAGER::FLAVOR is set to auto from Christophe fixes a bug where the SRVPORT and SRVHOST parameters are not displayed properly if the command stager flavor is set to auto.
- Fix is_known_pipename module, also from Christophe, fixes an issue in the is_known_pipename exploit module, which targets Samba. An incorrect SMB version 1 data structure definition was causing the module to fail to verify a writable directory.
As always, you can update to the latest Metasploit Framework with msfupdate, and you can get more details on the changes since the last blog post from GitHub:
If you are a git user, you can clone the Metasploit Framework repo (master branch) for the latest. To install fresh without using git, you can use the open-source-only Nightly Installers or the binary installers (which also include the commercial edition).