Operations and management software make popular targets due to their users typically having elevated privileges across a network. Our own wvu contributed the VMware vRealize Operations (vROps) Manager SSRF RCE exploit module for the vulnerabilities discovered by security researcher Egor Dimitrenko. The
exploit/linux/http/vmware_vrops_mgr_ssrf_rce module achieves remote code execution (RCE) as the
admin Unix user by chaining the two vulnerabilities. First, CVE-2021-21975 pre-authentication server-side request forgery (SSRF) vulnerability is exploited in the
/casa/nodes/thumbprints endpoint to obtain the admin credentials. Then, the credentials are used to authenticate to the vRealize Operations Manager API and exploit CVE-2021-21983 via the
/casa/private/config/slice/ha/certificate endpoint. This allows the module to write and execute an arbitrary file, a JSP payload in this case. The module should work against the following vulnerable versions:
- 8.0.0, 8.0.1
- 8.1.0, 8.1.1
Data rules everything around me
Many dynamic websites and business applications have associated databases, therefore databases are commonplace on networks. Odds are you frequently encounter more than one database on an engagement. The release this week includes two new database related modules!
The first, an Apache Druid RCE exploit module for a vulnerability in versions 0.20.0 and older. The vulnerability CVE-2021-25646 was discovered by Litch1, and je5442804 contributed the module. The second, a gather module named Redis Extractor contributed by Geoff Rainville (noncenz) enables easy looting of any key-value stores you discover.
New Module Content (5)
- Redis Extractor by Geoff Rainville noncenz - Adds a module to retrieve all data from a Redis instance (version 2.8.0 and above).
- Apache Druid 0.20.0 Remote Command Execution by Litch1, Security Team of Alibaba Cloud and je5442804, which exploits CVE-2021-25646 - This adds an exploit module that targets Apache Druid versions prior to
- VMware vRealize Operations (vROps) Manager SSRF RCE by wvu and Egor Dimitrenko, which exploits CVE-2021-21983 - This adds a module that exploits both a pre-auth SSRF and a post-auth file write via directory traversal to get code execution as the
adminuser on vulnerable VMware vRealize Operations Manager installs.
- Micro Focus Operations Bridge Reporter shrboadmin default password by Pedro Ribeiro, which exploits ZDI-20-1215 - This adds an exploit for CVE-2020-11857 which is a hardcoded SSH password in Micro Focus Operations Bridge Manager instances.
- KOFFEE - Kia OFFensivE Exploit by Gianpiero Costantino and Ilaria Matteucci, which exploits CVE-2020-8539 - This adds a post module that leverages the CVE-2020-8539 vulnerability on certain Kia Motors head units. This vulnerability is also known as KOFFEE.
Enhancements and features
- #11257 from sempervictus - This PR adds the ability to wrap some powershell used for exploitation purposes with RC4 for obfuscation.
- #15014 from ctravis-r7 - Adds the ability to specify an individual private key as a string parameter into the
- #15110 from zeroSteiner - This adds the necessary functionality to the Java Meterpreter to resolve hostnames over DNS, closing a feature gap that had been present with other Meterpreters.
- #14953 from bwatters-r7 - Fix the python 3.6 string formatting syntax in modules/auxiliary/scanner/http/rdp_web_login
- #15050 from cgranleese-r7 - Fixes a crash in Metasploit's console when the user tried to tab complete values such as file paths that were missing their final ending quote
- #15081 from cgranleese-r7 - Updates the Microsoft SQL Server interesting data finder module to correctly handle the scenario where no interesting data is found. Previously this would result in a module crash.
- #15094 from timwr - This fixed a bug in how certain Meterpreter's would execute command issued through
sessions -cwhere some would use a subshell while others would not.
- #15114 from smashery - Updates the
auxiliary/scanner/redis/file_uploadmodule to correctly handle Redis instances that require authenticated access
As always, you can update to the latest Metasploit Framework with
and you can get more details on the changes since the last blog post from
If you are a
git user, you can clone the Metasploit Framework repo (master branch) for the latest.
To install fresh without using git, you can use the open-source-only Nightly Installers or the
binary installers (which also include the commercial edition).