In case you missed it, this past weekend the Metasploit team hosted the latest Metasploit CTF. We saw 1903 users register in this round, and some excellent writeups have been published on what they found. If you participated but haven’t had a chance to fill out our feedback survey, you can find it here.
Metasploit is also planning the next major round of development. Some of the ideas that are being considered have been posted to the GitHub Discussions board. Folks are welcome to upvote their favorite ideas and leave comments for consideration.
This week saw two improvements for Metasploit’s WordPress coverage, both brought to us by community contributor h00die. First added was an auxiliary module that exploits CVE-2019-20361. This vulnerability is a SQL injection flaw in the “Email Subscribers & Newsletters” plugin that can be used by an unauthenticated attacker to recover accounts, including hashed passwords, from the database. Also added was additional functionality to the existing wordpress_scanner module that allows it to enumerate common themes and plugins. This is incredibly helpful for anyone looking to identify potentially vulnerable plugins in a WordPress instance, as it also recovers the respective version numbers.
GitLab get file
Metasploit added a new GitLab exploit, targeting CVE-2020-10977. This particular vulnerability is an arbitrary file read that can be leveraged to leak the Rails secret key. Once this key is known, Metasploit uses it to sign a malicious cookie that will be deserialized by the server, triggering remote code execution.
LPE at your service
A few weeks ago, security researcher Clément Labro disclosed in a blog post an unpatched vulnerability affecting Windows 7 and Server 2008 R2, both of which no longer receive security updates from Microsoft. Through weak permissions on certain registry keys associated with services, an underprivileged user can cause a DLL to be loaded by a privileged process. In the case of Windows 7 and Server 2008 R2, this service was the “RpcEptMapper”. The functionality to enumerate services for this vulnerability and exploit it accordingly has been added to Metasploit through an improvement to the existing service_permissions local exploit module. Also added was documentation for the module, which includes the details necessary to use it in the scenario of Windows 7 / Server 2008 R2. If it is never patched, this particular technique may be an excellent forever day for these platforms: the exploit is reliable because it does not rely on memory corruption.
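For defenders, the weak-permission condition described above can be audited directly. The following PowerShell is an added example, not code from Metasploit or from the researcher's post; the list of low-privileged principals, the set of rights treated as weak, and the function name `Get-WeakServiceKeyAce` are assumptions chosen for illustration.

```powershell
# Added example: read-only audit of service registry key ACLs. Changes nothing.
# Assumption: these well-known SIDs stand in for "underprivileged user".
$lowPriv = @{
    'S-1-1-0'      = 'Everyone'
    'S-1-5-11'     = 'Authenticated Users'
    'S-1-5-4'      = 'INTERACTIVE'
    'S-1-5-32-545' = 'BUILTIN\Users'
}

# Assumption: any right that lets the principal alter the key counts as weak.
$weakRights = [System.Security.AccessControl.RegistryRights]'SetValue, CreateSubKey, ChangePermissions, TakeOwnership'
# ACEs may also carry raw generic bits: GENERIC_ALL (0x10000000), GENERIC_WRITE (0x40000000).
$weakMask = [int]$weakRights -bor 0x50000000

function Get-WeakServiceKeyAce {
    param([string]$ServicesRoot = 'HKLM:\SYSTEM\CurrentControlSet\Services')

    foreach ($key in Get-ChildItem -Path $ServicesRoot -ErrorAction SilentlyContinue) {
        try { $acl = Get-Acl -Path $key.PSPath -ErrorAction Stop }
        catch { continue }   # key not readable by the current user

        # Ask for SIDs so matching does not depend on the OS display language.
        $rules = $acl.GetAccessRules($true, $true, [System.Security.Principal.SecurityIdentifier])
        foreach ($ace in $rules) {
            if ($ace.AccessControlType -ne 'Allow') { continue }
            $sid = $ace.IdentityReference.Value
            if (-not $lowPriv.ContainsKey($sid)) { continue }
            if (([int]$ace.RegistryRights -band $weakMask) -eq 0) { continue }

            [pscustomobject]@{
                Service   = $key.PSChildName
                Principal = $lowPriv[$sid]
                Rights    = $ace.RegistryRights
                Inherited = $ace.IsInherited
            }
        }
    }
}

Get-WeakServiceKeyAce | Sort-Object Service | Format-Table -AutoSize
```

Any row returned is a service key that a low-privileged principal can modify and should be reviewed; on hosts that cannot be patched, tightening the ACL on the reported key is the available mitigation.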
Improvements for module developers
A number of enhancements were made that may interest module developers. One of the team’s favorite libraries, the AutoCheck mixin, can now be used with auxiliary modules. A good check method is an important component of high-quality module content, and now auxiliary modules can consistently use their defined check methods, as their exploit counterparts have been able to. Additionally, exploit developers who are writing DLLs to disk via an arbitrary vulnerability will notice that the default template now includes a synchronization mechanism. This means that even when the DLL is loaded multiple times, only a single session will be established to Metasploit.
New modules (5)
- Aerospike Database UDF Lua Code Execution by b4ny4n and bcoles, which exploits CVE-2020-13151
- GitLab File Read Remote Code Execution by William Bowling (vakzz) and Alan Foster, which exploits CVE-2020-10977
- FlexDotnetCMS Arbitrary ASP File Upload by Erik Wynter, which exploits CVE-2020-27386
- WordPress Email Subscribers and Newsletter Hash SQLi Scanner by Wordfence, h00die, and red0xff, which exploits CVE-2019-20361
- Windows Pulse Secure Connect Client Saved Password Extractor by Quentin Kaiser, which exploits CVE-2020-8956
Enhancements and features
- Add configurable logging to the console and support stdout sinks by Alan Foster
- Enhance exploit/multi/http/weblogic_admin_handle_rce check by William Vu
- Enhance exploit/linux/http/saltstack_salt_api_cmd_exec check by William Vu
- Add the Weak Registry Permissions technique to the Service Permissions LPE by Spencer McIntyre
- web_delivery: Add SyncAppvPublishingServer target by BColes
- Add Windows target to consul_service_exec.rb by realmatthours
- Add auxiliary support to autocheck mixin by Alan Foster
- Add synchronization to the DLL payload template by Spencer McIntyre
- Allow running local exploits in Meterpreter by Spencer McIntyre
- Force active record object load by Jeffrey Martin
- Railgun datatype updates by Spencer McIntyre
- nimcontroller_bof: return CheckCode::Unknown if response is empty by BColes
- Converts the external ms17_010_eternalblue_win8 to run only with Python3 by Adam Galway
- Updated XML Import To Utilize Base64 Decoding On The Body by Matt Hagan
As always, you can update to the latest Metasploit Framework with
and you can get more details on the changes since the last blog post from
If you are a git user, you can clone the Metasploit Framework repo (master branch) for the latest.
To install fresh without using git, you can use the open-source-only Nightly Installers or the binary installers (which also include the commercial edition).