Exploiting weak configurations
Community contributor Graeme Robinson added two modules targeting insecurely configured API's, both of which lead to remote code execution. The first module exploits a lack of access control in Apache NiFi, which allows for the creation of an
ExecuteProcess processor to execute arbitrary commands in the context of a user running the instance. The second module targets Kong Admin API by creating a route and assigning a pre-function serverless plugin to said route. These vulns are only exploitable when the API has been explicitly made accessible in the configuration. Please take the time to correctly configure your applications by restricting access to such critical APIs.
Pwn2Own Miami 2020 new module
This week, community contributors Pedro Ribeiro and Radek Domanski added another great module from
Pwn2Own Miami 2020 contest, which exploits Rockwell FactoryTalk View SE 2020, the industrial application monitoring software from Rockwell Automation. This module chains five different vulnerabilities to achieve unauthenticated code execution. FactoryTalk View SE remotely exposes several REST endpoints on Microsoft IIS, which can be leveraged to drop a file in the IIS server directory. These vulnerabilities are identified as CVE-2020-12027, CVE-2020-12028, and CVE-2020-12029.
Get root on your NAS
Contributor Anastasios Stasinopoulos added a module targeting the OpenMediaVault network attached storage (NAS) solution. This module exploits an authenticated PHP code injection vulnerability found in versions prior to 4.1.36 and all 5.x versions prior to 5.5.12. This vuln is the result of a lack of sanitization in the
sortfield POST parameter on the
rpc.php page. A successful exploitation leads to arbitrary command execution on the underlying operating system as root. This vulnerability is identified as CVE-2020-26124
Register for the 2020 December Metasploit Community CTF 2020
Registration opens on Monday, November 30th, so don't miss out! The CTF usually runs out of space pretty quickly. Please read the full details in our blog before signing up.
Here are some importants dates to keep in mind (all times in U.S. Central Standard Time):
- Initial team registration opens for the first 750 teams on Monday, November 30, 2020 at 11:00 AM CST (UTC-6).
- CTF game play begins on Friday, December 4, 2020 at 9:00 AM CST (UTC-6). When the CTF officially begins, we will open registration for an additional 250 teams.
- The CTF ends on Monday, December 7, 2020, at 3:00 PM CST (UTC-6).
New modules (5)
- Apache NiFi API Remote Code Execution by Graeme Robinson
- Kong Gateway Admin API Remote Code Execution by Graeme Robinson
- WordPress Simple File List Unauthenticated Remote Code Execution by coiffeur and h00die
- OpenMediaVault rpc.php Authenticated PHP Code Injection by Anastasios Stasinopoulos, which exploits CVE-2020-26124
- Rockwell FactoryTalk View SE SCADA Unauthenticated Remote Code Execution by Pedro Ribeiro and Radek Domanski, which exploits ZDI-20-730
Enhancements and features
- PR #14419 from h00die updates the external development scripts used to acquire the latest static resources for certain external framework components. This also updates two Wordpress wordlists.
- PR #14417 from bcoles improves the way Metasploit tips are displayed by wrapping them at 60 columns.
- PR #13954 from Auxilus updates Meterpreter's
cmd_downloadfunctions to properly support expanding local paths (e.g
- PR #14325 from smcintyre-r7 updates the four Python shell payloads to be compatible with Python version 3.4+ while retaining compatibility with 2.6+
- PR #14405 from timwr fixes an issue in
shell_to_meterpreterthat prevented to upgrade a meterpreter session to another meterpreter session with
- PR #14412 from cgranleese-r7 improves the
ssh_loginmodule when attempting to gather proof with low privilege Windows user by falling back to using the
vercommand if the required permissions to run
- PR #14427 from Natto97 fixes
phpstudy_backdoor_rcemodule to treat
TARGETURIas a single endpoint and not as a directory that
index.phpis appended to.
As always, you can update to the latest Metasploit Framework with
and you can get more details on the changes since the last blog post from
If you are a
git user, you can clone the Metasploit Framework repo (master branch) for the latest.
To install fresh without using git, you can use the open-source-only Nightly Installers or the
binary installers (which also include the commercial edition).