Google Chrome exploits return
r4j0x00 contributed a new module for CVE-2020-16040, an integer overflow in the SimplifiedLowering phase of TurboFan in Google Chrome <= 87.0.4280.66 that grants attackers RCE. Whilst the exploit in and of itself does not grant RCE by default, unless the sandbox is disabled, it is still important to note that some embedded versions of Chrome run without the sandbox enabled by default in order to allow Chrome access to more system resources. This means that in some cases it may still be possible to use this module on its own to gain RCE on a system.
Simplifying Metasploit shell verification - Round 2
As part of his continuous updates to make Metasploit sessions easier to verify, our very own
zeroSteiner, updated several Meterpreter libraries to ensure that error messages output when commands cannot be run in a given Meterpreter session are now more intuitive and better explain what is going wrong, such as if a library has not yet been loaded.
zeroSteiner also updated these libraries to allow Metasploit to proactively identify when a command will fail in a Meterpreter session due to it not being supported by whatever type of Metepreter session is running on the remote target. This should help users to better identify what commands are not supported by a given session and also better debug things themselves if anything goes wrong, as part of our ongoing work to better improve session validation and make it more intuitive.
Reading the OS from Haserl's perspective
Community members Ike Broflovski and Julien Voisin added in a new post module that takes advantage of CVE-2021-29133 , an arbitrary read in haserl prior to 0.9.36, that allows attackers to read any file on the target file system without requiring any specific privileges. It’s important to note that in many cases attackers are often blocked from escalating their privileges due to a lack of access to some important bit of information. The ability to read arbitrary files on disk can help to lower this barrier by allowing attackers to access protected files that may contain things such as saved application credentials, source code for various sensitive components, or even just information about applications running on the system itself that may assist in identifying ways to elevate permissions, making this an incredibly versatile module should one manage to find a vulnerable target.
New modules (3)
- Nagios XI Prior to 5.8.0 - Plugins Filename Authenticated Remote Code Exection by Erik Wynter and Haboob Team, which exploits CVE-2020-35578 - A new module has been added to exploit CVE-2020-35578, an RCE in Nagios XI versions prior to 5.8.0 that exploits a command injection when uploading plugins to allow authenticated administrative users to gain remote code execution as the
apacheuser on affected systems.
--no-sandboxChrome flag, as no sandbox escape is present.
- Haserl Arbitrary File Reader by Ike Broflovski and Julien (jvoisin) Voisin, which exploits CVE-2021-29133 - This adds a post module exploit that leverages an arbitrary read in haserl prior to 0.9.36. This vulnerability is identified as CVE-2021-29133 and allows an attacker to read any file on the target filesystem without any specific privileges.
Enhancements and features
- #14622 from blacklist-arcc - This adds the
sp_oacreatetechnique to the mssql_exec module which is a more stealthy alternative to the traditional xp_cmdshell stored procedure.
- #14701 from kalba-security - The
nagios_xi_authenticated_rce.rbmodule has been renamed to
nagios_xi_plugins_check_ping_authenticated_rceand has been updated to take advantage of the Nagios XI mixin. Additionally the documentation has been updated to reflect these changes and to better explain how the module works.
- #14994 from archcloudlabs - The
screen_spy.rbmodule has been updated to allow users to specify the PID of a process they would like to migrate into before taking screenshots, rather than forcing users to migrate into an
explorer.exeprocess. If no PID is specified, then
screen_spy.rbwill default to taking screenshots from the current process.
- #14997 from geyslan - The
payloads/singles/linux/x64/shell_bind_tcp_random_port.rbshellcode has been updated to be more efficient, resulting in its size being reduced by one byte. Additionally comments have been updated to properly mention that the payload uses the string
- #15017 from adfoster-r7 - The
modules/auxiliary/admin/http/tomcat_ghostcat.rbmodule has been updated to use a default
RPORTvalue of 8080 and to add in the
AJP_PORToption to specify where the Apache JServ Protocol Port is, which now defaults to a value of 8009.
- #15028 from geyslan - The
payloads/singles/linux/x64/exec.rbpayload has been updated to be more efficient, thereby reducing the total shellcode size. Additionally, support has been added for generating NULL byte free shellcode, and the code has been refactored to use Metasm to make it easier to understand.
- #15037 from zeroSteiner - Updates the
auxiliary/scanner/redis/redis_loginto first check if authentication is required before then attempting to bruteforce credentials.
- #15049 from zeroSteiner - Several Meterpreter libraries have been updated to raise more specific and descriptive exception messages. These changes should help users and developers more quickly and easily identify the root cause of these exception messages when they are thrown. Additionally updates have been applied to allow Metasploit to proactively identify when a command will fail in a Meterpreter session due to it not being supported by the remote end.
- #14770 from jmartin-r7 - Fixes the modules
http/solarwinds_storage_manager_sqlto correctly handle error scenarios and perform cleanup gracefully.
- #14985 from adfoster-r7 - Fixes the Json API to correctly interact with the configured framework database, as well as adding support for running the
msfdb webservicecomponent in the foreground with the
- #14996 from h00die - This fixes a logic bug in the cracker libraries where
hashcatwasn't able to be run due to invalid version expectations.
- #15034 from adfoster-r7 - Fixes broken association handling for remote
msfdbservices command, where this issue previously caused a crash when running the
servicescommand after connecting to another remote database.
- #15038 from wvu-r7 - This fixes a
pulse_secure_gzip_rcemodule which was preventing it from functioning correctly.
- #15043 from justinsteven - This change fixes a bug on the
python/meterpreter/reverse_httppayload handler where, if the LURI option did not begin with a slash, the payload would fail to stage.
- #15047 from ryananicholson - This fixes a bug in DNS reverse lookups due to an invalid answer attribute.
As always, you can update to the latest Metasploit Framework with
and you can get more details on the changes since the last blog post from
If you are a
git user, you can clone the Metasploit Framework repo (master branch) for the latest.
To install fresh without using git, you can use the open-source-only Nightly Installers or the
binary installers (which also include the commercial edition).