A new commemorative banner has been added to the Metasploit console to celebrate the teams that participated in the 2020 December Metasploit community CTF and achieved 100 or more points:
If you missed out on participating in this most recent event, be sure to follow the Metasploit Twitter and Metasploit blog posts. If there are any future Metasploit CTF events, all details will be announced there!
If the banners aren't quite your style, you can always disable them with the quiet flag:
msfconsole -q
Our very own gwillcox-r7 has created a new module for CVE-2020-1170, Cloud Filter Arbitrary File Creation EOP, with credit to James Forshaw for the initial vulnerability discovery and proof of concept. The Cloud Filter driver, cldflt.sys, on Windows 10 v1803 and later, prior to December 2020, did not set the IO_FORCE_ACCESS_CHECK or OBJ_FORCE_ACCESS_CHECK flags when calling FltCreateFileEx() and FltCreateFileEx2() within its HsmpOpCreatePlaceholders() function with attacker-controlled input. This meant that files were created with KernelMode permissions, thereby bypassing any security checks that would otherwise prevent a normal user from creating files in directories where they do not have permission to create files.
This module abuses this vulnerability to perform a DLL hijacking attack against the Microsoft Storage Spaces SMP service, which grants the attacker code execution as the NETWORK SERVICE user. Users are strongly encouraged to set the PAYLOAD option to one of the Meterpreter payloads, as doing so will allow them to subsequently escalate their new session from NETWORK SERVICE to SYSTEM by using Meterpreter's getsystem command to perform RPCSS Named Pipe Impersonation and impersonate the SYSTEM user.
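A defender-side triage check, added here as an example (it is not part of Metasploit or the module above): it reports whether a Windows 10 host still matches the conditions described in the two paragraphs above. It assumes the Storage Spaces SMP service is registered under the service name smphost, and the per-build patched revision numbers are placeholders that must be filled in from Microsoft's December 2020 advisory.

```powershell
# Added triage script, not part of Metasploit or the CVE-2020-1170 module.
# Reports the exposure chain the advisory text describes: build 1803+ (17134),
# cldflt.sys present and loaded, and the Storage Spaces SMP service available
# as the DLL hijacking target. ASSUMPTION: the SMP service name is 'smphost'.

$cv    = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion'
$build = [int]$cv.CurrentBuildNumber
$ubr   = [int]$cv.UBR
$drv   = Join-Path $env:SystemRoot 'System32\drivers\cldflt.sys'

# PLACEHOLDER: minimum patched revision (UBR) per build, taken from the vendor
# advisory. 0 means "not filled in yet"; the script then reports $null (unknown).
$patchedUbr = @{ 17134 = 0; 17763 = 0; 18362 = 0; 18363 = 0; 19041 = 0; 19042 = 0 }

$cldfltPresent = Test-Path $drv
$cldfltVersion = if ($cldfltPresent) { (Get-Item $drv).VersionInfo.FileVersion } else { $null }

# fltmc needs an elevated prompt; from a non-elevated shell this simply yields $false
$cldfltLoaded = [bool]((& fltmc.exe filters 2>$null) -match '^\s*CldFlt\b')

$smp = Get-Service -Name smphost -ErrorAction SilentlyContinue

$buildInScope = $build -ge 17134
$minFix       = $patchedUbr[$build]                      # $null for unknown builds
$revisionOld  = if ($minFix) { $ubr -lt $minFix } else { $null }
$likelyExposed = $buildInScope -and $cldfltPresent -and ($revisionOld -eq $true)

[pscustomobject]@{
    OSBuild          = "$build.$ubr"
    BuildInScope     = $buildInScope        # v1803 or later
    CldfltPresent    = $cldfltPresent
    CldfltVersion    = $cldfltVersion
    CldfltLoaded     = $cldfltLoaded        # minifilter currently attached
    SmpServiceState  = if ($smp) { $smp.Status } else { 'NotFound' }
    SmpStartType     = if ($smp) { $smp.StartType } else { $null }
    RevisionBelowFix = $revisionOld         # $null until placeholders are filled
    LikelyExposed    = $likelyExposed
}
```

Run it elevated so the minifilter check is meaningful; a host that reports LikelyExposed = $true with the SMP service present is one where the post-exploitation path described above is still available and the December 2020 update should be confirmed.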
- AIT CSV Import / Export plugin for WordPress. This module exploits an unauthenticated file upload vulnerability in plugin versions below v3.0.4 to gain code execution against WordPress installations.
- The VHOST option was not being correctly populated when the RHOST option was a domain name.
- File.expand_path() is now used to allow the module to dynamically determine the full path to this file, allowing users to use the module regardless of which directory they are in when running msfconsole.
As always, you can update to the latest Metasploit Framework with msfupdate and you can get more details on the changes since the last blog post from GitHub:
If you are a git
user, you can clone the Metasploit Framework repo (master branch) for the latest. To install fresh without using git, you can use the open-source-only Nightly Installers or the binary installers (which also include the commercial edition).