SAP Internet Graphics Server (IGS)
This week includes a new module targeting the SAP Internet Graphics Server application, contributed by community member Vladimir Ivanov. This particular module covers two CVEs that are both XML External Entity (XXE) bugs that are remotely exploitable. The module comes fully featured with the ability to check for the presence of the vulnerabilities as well as two methods to leverage them. The first is a read action that allows users to read files from the remote server, while the second can be used to trigger a denial of service (DoS) condition.
Just read the (new Zerologon) docs
The module documentation for the Zerologon (CVE-2020-1472) module has been updated with details of how to run the entire attack workflow through Metasploit. This specifically included leveraging the new
auxiliary/gather/windows_secrets_dump which can recover the machine password to restore on the targeted Domain Controller and using the PSexec module to execute a payload. It’s important to restore the machine account password to prevent services from breaking. Module documentation can be accessed from msfconsole by using the
info -d command. The most recent Metasploit Demo meeting also covered this content, showing the newly documented workflow in action.
New modules (1)
- SAP Internet Graphics Server (IGS) XMLCHART XXE by Vladimir Ivanov and Yvan Genuer, which exploits CVE-2018-2393
Enhancements and features
- Update sap_service_discovery.rb to support discovering SAP IGS servers by Vladimir Ivanov
- Tab-completion improved for module OPTIONS not available by mariabelenTC
- Add disclosure date rubocop linting rule - enforce iso8601 disclosure dates by Alan David Foster
- Add the DOMAIN option to the CVE-2020-0688 Exploit by Spencer McIntyre
- Update the module docs for CVE-2020-1472 (Zerologon) by Spencer McIntyre
- Fix msf6 TLV_TYPE_PIVOT_STAGE_DATA_SIZE pivoting error by Alan David Foster
- Always show module actions within the info command by Alan David Foster
- Remove modules whose deprecation date has passed by Spencer McIntyre
- Convert myworkspace.id to myworkspace_id for no db compat by h00die
- Disconnect the named pipe and break after the impersonation callback by Spencer McIntyre
As always, you can update to the latest Metasploit Framework with
and you can get more details on the changes since the last blog post from
If you are a
git user, you can clone the Metasploit Framework repo (master branch) for the latest.
To install fresh without using git, you can use the open-source-only Nightly Installers or the
binary installers (which also include the commercial edition).