2020 was certainly an interesting year. There were quite a few newsworthy events and some fantastic exploit content released. Let’s take a look at what 2020 meant for Metasploit.
Some quick statistics for Metasploit’s year.
- 737 pull requests merged (and counting)
- A net gain of +179 non-payload modules
- 50 new Auxiliary modules
- 134 new Exploit modules
- 23 new Post modules
- 2 CTFs hosted
- 1 new version
The Metasploit team released version 6.0 of the framework over the summer. This major change brought quite a few improvements on two fronts: the Meterpreter transport protocol and SMBv3 support for client connections. Both of these offered transport encryption for common operations performed by Metasploit, providing better security for the users. Additionally, to showcase the SMBv3 support, Metasploit added a new module to perform agentless dumping of SAM hashes and LSA secrets (including cached creds) from remote Windows targets. The technique employed by this module has become very popular due to its reliability, and the native integration into the Metasploit Framework makes it easily accessible for users with all the related benefits like database and pivoting support.
There were not one but two open CTFs hosted by the Metasploit team in 2020. These events invited the community to solve challenges in a fun and competitive environment. The most recent event included 1,903 users registered across 874 teams.
New module highlights
- exploit/windows/local/anyconnect_lpe (CVE-2020-3153 & CVE-2020-3433) - This exploit module was an excellent example of a trend of patch bypasses this year. The module is capable of leveraging both the original vulnerability along with the bypass for maximum coverage.
- exploit/windows/local/cve_2020_0787_bits_arbitrary_file_move (CVE-2020-0787) - This exploit targeted Windows BITS to overwrite a DLL. Exploiting native services included on Windows is always useful, and the technique leveraged here to use the file system operation to obtain code execution was an interesting case.
- post/multi/gather/enum_software_versions - It’s often important for users to know what is on a system they have compromised. This new module helps make that process simple by enumerating the installed software and their versions, allowing the user to identify interesting entries for exploitation or living-off-the-land techniques.
- exploit/multi/misc/weblogic_deserialize_badattrval (CVE-2020-2555) - WebLogic is always a valuable target and deserialization vulnerabilities are quite reliable by nature. That combination makes this module particularly useful.
- exploit/multi/misc/weblogic_deserialize_badattr_extcomp (CVE-2020-2883) - Another more recent WebLogic RCE that makes use of deserialization. Similar to CVE-2020-2555, this module is equally useful.
- exploit/windows/local/cve_2020_0668_service_tracing (CVE-2020-0668) - Users can never have enough Windows LPE exploits, and this module offered another reliable vector. This module uses a simple DLL-based technique to obtain code execution from a file system operation.
Metasploit added its first exploits for the popular SharePoint platform since 2010. Four exploit modules were added, three leverage XML injection flaws while the fourth targets a server side include. These exploits leverage .NET deserialization to execute operating system commands, avoiding any kind of memory corruption and making exploitation relatively reliable. The .NET deserialization gadgets leveraged by these modules were also new in 2020. This functionality came in the form of a new library that even includes a command line tool for generating gadget chains for researchers.
Over the course of the year, there were some interesting patterns that were observable. In general, there seemed to have been an increase in vulnerabilities that were disclosed and related to an insufficient remediation for a previous vulnerability. These so-called patch bypasses seem to be indicative of the increasing complexity of vulnerabilities and their respective solutions. Additionally, there were multiple exploits added to Metasploit that leveraged vulnerable file system operations to obtain code execution on Windows. These LPEs used a combination of techniques that are becoming increasingly common including op-locks and junctions. Metasploit is working on better support for these primitives to facilitate exploitation of vulnerabilities that use them.
With all that the project accomplished in 2020, the team looks forward to what 2021 will hold. New features are being discussed, and as always, the module pipeline continues to flow. Our sincere gratitude goes to all the members of the community that contributed to the project this year.
More HaXmas blogs
- Help Others Be "Cyber Aware" This Festive Season—And All Year Round!
- UPnP With a Holiday Cheer
- Metasploit Tips and Tricks for HaXmas 2020
- Top Security Recommendations for 2021
- Rapid7 Labs’ 2020 Naughty List Summary Report to Santa
- Taking Inspiration from Our Security Nation in an Otherwise Uninspiring Year
- Predicting the Unpredictable: What Will the Cybersecurity Space Look Like in 2021?
- HaXmas Hardware Hacking