Spilling the (Gi)tea

We have two modules coming in from cdelafuente-r7 targeting CVE-2020-14144 for both the Gitea and Gogs self-hosted Git services.
Both modules are similar: they take advantage of a user’s ability to create Git hooks by authenticating with the web interface, creating a dummy repository with the aforementioned git hook, and triggering it—which will execute the payload!

Apache OFBiz Deserialization

Here we have wvu-r7 and zeroSteiner joining forces to bring us a module targeting CVE-2021-26295.
This module takes advantage of an unauthenticated SOAP interface in the Apache OFBiz application that accepts and deserializes an arbitrary Java object which leads to remote code execution.

New Modules (4)

  • Apache OFBiz SOAP Java Deserialization by wvu, Spencer McIntyre, and yumusb: This adds an exploit module that targets Apache OFBiz versions prior to v17.12.06, which are vulnerable to a Java deserialization vulnerability. By sending a serialized payload to the webtools/control/SOAPService endpoint, unauthenticated remote code execution as the user running the Apache OFBiz service can be achieved.
  • Gitea and Gogs Git Hooks Remote Code Execution by Christophe De La Fuente and Podalirius: This adds two modules, exploit/multi/http/gitea_git_hooks_rce and exploit/multi/http/gogs_git_hooks_rce that both leverage a git hooks setting to achieve authenticated remote code execution against vulnerable versions of Gitea and Gogs respectively. With valid credentials and the permission to create git hooks, both modules create a repo and upload a payload as a post-receive hook. Upon creating an additional file in the repo, the post-receive hook will be triggered, which will grant code execution as the user running the software.
  • Diagnostics Agent in Solution Manager, stores unencrypted credentials for Solution Manager server by Vladimir Ivanov and Yvan Genuer: This adds a new post module that leverages an insecure password storage vulnerability identified as CVE-2019-0307 to retrieve credentials such as SLD user connection and Solman user communication. This also improves the cve_2020_6207_solman_rce auxiliary module by adding a new SECTORE action performing the same attack remotely by leveraging an authentication bypass identified as CVE-2020-6207.

Enhancements and features

  • #14813 from bcoles: This updates the exploit/windows/http/dupscts_bof module by including coverage for six more vulnerable versions of the Dup Scout Enterprise software, leveraging auto-targeting, and adding module traits and references.

Bugs Fixed

  • #14975 from timwr: This fixes an issue in cve_2020_1054_drawiconex_lpe module, which was throwing an exception when the target was not vulnerable.
  • #14987 from dwelch-r7: Fixes an issue where users where only getting three attempts at brute forcing via mysql_login module.
  • #14992 from jmartin-r7: Updates the auto_target_host logic to additionally handle rhost being nil
  • #14998 from wvu-r7: Changes CVE references from CVE Details to NVD
  • #14873 from dwelch-r7: Fixes an issue where individual modules that failed to load would stop the remaining modules from loading successfully when running the show payloads command or msfvenom -l payloads
  • #14988 from h00die: A fix to validation of custom wordlist values restores auxiliary cracker module functions when no custom wordlist file is supplied.
  • #14991 from jra89: Fixes a regression that caused the NTP protocol fuzzer modules to crash when being used

Get it

As always, you can update to the latest Metasploit Framework with msfupdate and you can get more details on the changes since the last blog post from GitHub:

If you are a git user, you can clone the Metasploit Framework repo (master branch) for the latest. To install fresh without using git, you can use the open-source-only Nightly Installers or the binary installers (which also include the commercial edition).