Metasploit Wrap-Up


![Metasploit Wrap-Up](https://blog.rapid7.com/content/images/2021/09/image.png)

## Clone your way to code execution

![Metasploit Wrap-Up](https://blog.rapid7.com/content/images/2021/09/metasploit-sky-2.png)

We’ve had a busy week bringing you exploits, features, enhancements, and fixes. Exploit modules for Git and elFinder lead the pack this week, along with an information disclosure against Jira and a post-exploitation module targeting Geutebruck white-labelled cameras to freeze them, like in every movie ever!

## Git push upstream git-lfs:payload

Our own Jack Hysel and Shelby Pace had some fun creating an exploit module targeting GitHub, originally discovered by Dawid Golunski. The exploit requires a user to clone an infected GitHub repository to gain remote code execution, and before you ask, we promise it is safe to clone ours.

## Jira users

Brian Halbach and Mikhail Klyuchnikov sent us a nice module exploiting [CVE-2020-14181](<https://attackerkb.com/topics/oIM3R25bFH/cve-2020-14181?referrer=blog>) to get a list of Jira users, helping those social engineers among us get more targets, or login scanners get more data. Unfortunately, it does not track my tickets and keep them up to date.

## New module content (4)

* [Jira Users Enumeration](<https://github.com/rapid7/metasploit-framework/pull/14631>) by Brian Halbach and Mikhail Klyuchnikov, which exploits [CVE-2020-14181](<https://attackerkb.com/topics/oIM3R25bFH/cve-2020-14181?referrer=blog>) - This obtains user names on Jira Server by exploiting an information disclosure vulnerability that exists at the `/ViewUserHover.jspa` endpoint.
* [elFinder Archive Command Injection](<https://github.com/rapid7/metasploit-framework/pull/15658>) by Shelby Pace and Thomas Chauchefoin, which exploits [CVE-2021-32682](<https://attackerkb.com/topics/llBeWZGXq9/cve-2021-32682?referrer=blog>) - This adds an exploit for CVE-2021-32682, which is an unauthenticated RCE in the elFinder PHP application. The vulnerability is due to a flaw that allows a malicious argument to be passed to the `zip` command when an archive action is performed.
* [Git Remote Code Execution via git-lfs (CVE-2020-27955)](<https://github.com/rapid7/metasploit-framework/pull/15624>) by Dawid Golunski, [jheysel-r7](<https://github.com/jheysel-r7>), and [space-r7](<https://github.com/space-r7>), which exploits [CVE-2020-27955](<https://attackerkb.com/topics/33ELRpbDyL/cve-2020-27955-git-large-file-storage-git-lfs-git-lfs---remote-code-execution-rce?referrer=blog>) - This adds an exploit for CVE-2020-27955, which is a vulnerability in the Git version control system. The module can be used to execute code in the context of a user that can be convinced to clone a malicious repository.
* [Geutebruck Camera Deface](<https://github.com/rapid7/metasploit-framework/pull/15601>) by Ibrahim Ayadhi and Sébastien Charbonnier - A new post-exploitation module has been added which allows one to take a session on a Geutebruck camera shell and either freeze the current display stream, replace the current display stream with a static image, or restore the display stream so that it shows the current live feed from the camera.

## Enhancements and features

* [#15609](<https://github.com/rapid7/metasploit-framework/pull/15609>) from [adfoster-r7](<https://github.com/adfoster-r7>) - Adds additional metadata to exploit modules to specify Meterpreter command requirements. This information is used to add a descriptive warning when running modules with a Meterpreter implementation that doesn't support the required command functionality.
* [#15674](<https://github.com/rapid7/metasploit-framework/pull/15674>) from [digininja](<https://github.com/digininja>) - Updates the Apache Tomcat Ghostcat module to correctly handle a larger range of possible success status codes when verifying whether the module has succeeded.

## Bugs fixed

* [#15667](<https://github.com/rapid7/metasploit-framework/pull/15667>) from [bwatters-r7](<https://github.com/bwatters-r7>) - Fix `powershell_reverse_tcp` file operations and update the file operations test module.

## Get it

As always, you can update to the latest Metasploit Framework with `msfupdate`, and you can get more details on the changes since the last blog post from GitHub:

* [Pull Requests 6.1.5...6.1.6](<https://github.com/rapid7/metasploit-framework/pulls?q=is:pr+merged:%222021-09-08T18%3A07%3A57-05%3A00..2021-09-15T14%3A13%3A18-05%3A00%22>)
* [Full diff 6.1.5...6.1.6](<https://github.com/rapid7/metasploit-framework/compare/6.1.5...6.1.6>)

If you are a `git` user, you can clone the [Metasploit Framework repo](<https://github.com/rapid7/metasploit-framework>) (master branch) for the latest. To install fresh without using git, you can use the open-source-only [Nightly Installers](<https://github.com/rapid7/metasploit-framework/wiki/Nightly-Installers>) or the [binary installers](<https://www.rapid7.com/products/metasploit/download.jsp>) (which also include the commercial edition).

* _Image credit: Toni Barros from São Paulo, Brasil - Hello, Dolly!, CC BY-SA 2.0 <https://creativecommons.org/licenses/by-sa/2.0>, via Wikimedia Commons_
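Returning to the Jira users module listed above: the following is an added example, not part of this post or of the Metasploit module, showing how a defender might spot a username-enumeration burst against the `/ViewUserHover.jspa` endpoint in web server access logs. It assumes combined log format and that probed names arrive in a `username` query parameter (an assumption about Jira's request shape); the log lines are constructed.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit, parse_qs

# Combined log format: client, ident, user, [timestamp], "request line", status, size.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) \S+" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)
# Endpoint named in the CVE-2020-14181 module description (matched by suffix,
# since Jira serves it under a context path such as /secure/).
TARGET = "/ViewUserHover.jspa"

def parse_line(line):
    """Parse one access-log line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    url = urlsplit(m["path"])
    return {"ip": m["ip"], "path": url.path,
            "query": parse_qs(url.query), "status": int(m["status"])}

def find_enumeration(lines, min_hits=5):
    """Return {ip: (hits, distinct_usernames)} for sources that requested the
    hover endpoint at least min_hits times. Distinct probed names are tracked
    separately: one source sweeping many names is the enumeration pattern,
    whereas a real user hovering over a single name is normal UI traffic."""
    hits = defaultdict(int)
    names = defaultdict(set)
    for line in lines:
        rec = parse_line(line)
        if rec is None or not rec["path"].endswith(TARGET):
            continue
        hits[rec["ip"]] += 1
        # 'username' parameter is an assumption about the request shape.
        for name in rec["query"].get("username", []):
            names[rec["ip"]].add(name)
    return {ip: (n, len(names[ip])) for ip, n in hits.items() if n >= min_hits}

# Constructed sample: one source sweeping six names, one ordinary hover, one unrelated hit.
SAMPLE_LOG = [
    f'203.0.113.7 - - [15/Sep/2021:10:00:{i:02d} +0000] '
    f'"GET /secure/ViewUserHover.jspa?username={u} HTTP/1.1" 200 412'
    for i, u in enumerate(["admin", "jsmith", "build", "svc_jira", "ops", "root"])
] + [
    '198.51.100.2 - - [15/Sep/2021:10:01:00 +0000] "GET /secure/ViewUserHover.jspa?username=alice HTTP/1.1" 200 398',
    '198.51.100.2 - - [15/Sep/2021:10:01:02 +0000] "GET /browse/PROJ-1 HTTP/1.1" 200 9031',
]

if __name__ == "__main__":
    print(find_enumeration(SAMPLE_LOG))  # -> {'203.0.113.7': (6, 6)}
```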