It's the week of December 17th and that can only mean one thing: a week until Christmas! For those of you who don't celebrate Christmas, a very happy Hanukkah/Chanukah, Kwanzaa, Diwali, Chinese New Year, Winter Solstice and Las Posadas to you all!
This is our last weekly wrap-up this year, but as always, we'll be publishing an annual Metasploit wrap-up just after the new year that covers all the shells we got in 2020.
Without further ado, let's jump into it!
CVE-2020-1054: I heard you still got Windows 7, so let’s play a game
Oh dear Windows 7, you just can't catch a break. timwr continued his LPE contributions this week with an exploit for CVE-2020-1054, an OOB write vulnerability via the DrawIconEx() function in win32k.sys. This bug was originally found by bee13oy of Qihoo 360 Vulcan Team and Netanel Ben-Simon and Yoav Alon of Check Point Research and was reported to Microsoft in May 2020. The module targets Windows 7 SP1 x64 and grants SYSTEM level code execution. Whilst Windows 7 is EOL, it is still being used by 17.68% of all Windows computers as of November 2020 according to some statistics. That is still a fair market share even if its popularity has been gradually diminishing over time. Furthermore, although users can update Windows 7, it is now mostly a manual process unless you are on one of the Windows extended support plans. This increases the time needed to apply patches and also increases the possibility that users may forget to install specific patches. Hopefully none of your clients' systems are still running Windows 7, but in case you are on a pen test and happen to encounter one, this exploit might provide the access you need to pivot further into the network.
Parse me to your shell
The second highlight of this week was a PR from our very own wvu-r7 targeting CVE-2020-14871, a buffer overflow within the parse_user_name() function of the PAM (Pluggable Authentication Module) component of Solaris SunSSH running on Oracle Solaris versions 10 and 11. The exploit supports SunSSH 1.1.5 running on Solaris 10u11 1/13 (x86) within either VMware or VirtualBox and grants unauthenticated users a shell as the root user. Pretty nifty stuff!
New modules (2)
- Oracle Solaris SunSSH PAM parse_user_name() Buffer Overflow by wvu-r7, Aaron Carreras, Hacker Fantastic, Jacob Thompson, and Jeffrey Martin, which exploits CVE-2020-14871
- Microsoft Windows DrawIconEx OOB Write Local Privilege Elevation by Netanel Ben-Simon, Yoav Alon, bee13oy, and timwr, which exploits CVE-2020-1054
Enhancements and features
- Cygwin SSH Windows Identification by mhagan-r7 improved the SSH login scanner library to help identify Windows systems that are running Cygwin to provide SSH services.
- beSECURE Integration by nrathaus added a new plugin for importing beSECURE reports using their API, which can then be used to launch exploits against imported targets.
- Use CVE-2020-5752 path traversal bypass for CVE-2019-3999 by bcoles updated the Druva inSync Privilege Escalation module to use the CVE-2020-5752 path traversal bypass when exploiting CVE-2019-3999, thereby allowing users to target hosts that have applied the CVE-2019-3999 patch but not the CVE-2020-5752 patch.
- Msf::Auxiliary::EPMP: replace hard-coded port 80 with rport by bcoles replaced the hardcoded ports in the final_cookie variable with the user-configurable rport.
- fix railgun file_version and add test by timwr fixed a definition used by Meterpreter's Railgun plugin which was causing a crash when attempting to fetch the version of files on disk.
- Replace self with the explicit Module name In AuthServlet lambdas by dwelch-r7 fixes a regression, reported by community member LucasAnderson07, that prevented the msfdb init command from successfully completing.
- Eagerly load hrr_rb_ssh within reverse_ssh module by adfoster-r7 fixes a regression issue introduced in Metasploit 6.0.22 which stopped Windows consoles from starting.
As always, you can update to the latest Metasploit Framework with
and you can get more details on the changes since the last blog post from
If you are a git user, you can clone the Metasploit Framework repo (master branch) for the latest.
To install fresh without using git, you can use the open-source-only Nightly Installers or the binary installers (which also include the commercial edition).