Metasploit Wrap-up


![Metasploit Wrap-up](https://blog.rapid7.com/content/images/2020/09/Untitled.png)

Nine! Nine new modules! (Ah ha ha!) With the coming of autumn here in the Northern hemisphere, the nights are getting longer, and the hacking is getting stronger. We’ve really got something for everybody in this release, from IoT to infrastructure, Windows, and Linux; everyone’s pretty well-represented!

Windows has been patching several vulnerabilities lately, and we have modules for them! Metasploit’s own [Spencer](<https://github.com/ZeroSteiner>) and [Brendan](<https://github.com/bwatters-r7>) have been working on bringing in work from others; Spencer wrote a Zerologon ([CVE-2020-1472](<https://attackerkb.com/topics/7FbcgDOidQ/cve-2020-1472-aka-zerologon?#rapid7-analysis>)) module based on the work by Tom Tervoort, and Brendan wrote a module covering the PrinterDemon vulnerability ([CVE-2020-1048](<https://attackerkb.com/topics/QoQvwrIqEV/cve-2020-1048-windows-print-spooler-elevation-of-privilege-vulnerability?referrer=wrap-up>)) building on the work of Alex Ionescu and [shubham0d](<https://github.com/shubham0d>). Spencer also added a new SOCKS module to unite the tribes of proxies currently in Metasploit, with one module to rule them all, and in the darkness, bind them!

Not to be outdone, our own [Shelby](<https://github.com/space-r7>) added to the module count with [CVE-2017-1000353](<https://attackerkb.com/topics/V3oreaqint/cve-2017-1000353?referrer=wrap-up>) and YAJDV (Yet another Java Deserialization Vulnerability) against everyone’s favorite devops tool, Jenkins. Now you can ask Jenkins to test your code _or_ run it! While this vulnerability may be a bit older, we all know people miss patches, so it is worth checking out.
Rounding out the Metasploit team’s contributions is [Grant](<https://github.com/gwillcox-r7>), with a new module to gather information on installed software on targets, and when we say targets, we mean it: Windows, Linux, Android, and Mac are all covered by this new gather module!

As if the Metasploit team’s contributions were not enough, we had some seriously high-quality work come in from our community members as well! Auth bypasses for Artica Proxy by [Niboucha Redouane](<https://github.com/red0xff>), Cloud Camera command injection by Pietro Oliva, VyOS escape by Rich Mirch and [bcoles](<https://github.com/bcoles>), and a SecureCRT password decryptor by cn-kali-team.

## New modules (9)

* [Artica proxy 4.30.000000 Auth Bypass service-cmds-peform Command Injection](<https://github.com/rapid7/metasploit-framework/pull/14025>) by Max0x4141 and Redouane NIBOUCHA, which exploits [CVE-2020-17506](<https://attackerkb.com/topics/TIR8HEspsz/cve-2020-17506?referrer=blog>)
* [Jenkins CLI Deserialization](<https://github.com/rapid7/metasploit-framework/pull/14122>) by SSD, Shelby Pace, and Unknown, which exploits [CVE-2017-1000353](<https://attackerkb.com/topics/V3oreaqint/cve-2017-1000353?referrer=blog>)
* [TP-Link Cloud Cameras NCXXX Bonjour Command Injection](<https://github.com/rapid7/metasploit-framework/pull/14135>) by Pietro Oliva, which exploits [CVE-2020-12109](<https://attackerkb.com/topics/TTBzMpfHr2/cve-2020-12109?referrer=blog>)
* [VyOS restricted-shell Escape and Privilege Escalation](<https://github.com/rapid7/metasploit-framework/pull/14123>) by Rich Mirch and bcoles, which exploits [CVE-2018-18556](<https://attackerkb.com/topics/75ZrO8GTzs/cve-2018-18556?referrer=blog>)
* [Microsoft Spooler Local Privilege Elevation Vulnerability](<https://github.com/rapid7/metasploit-framework/pull/14023>) by Alex Ionescu, Yarden Shafir, bwatters-r7, and shubham0d, which exploits [CVE-2020-1048](<https://attackerkb.com/topics/QoQvwrIqEV/cve-2020-1048-windows-print-spooler-elevation-of-privilege-vulnerability?referrer=blog>)
* [Netlogon Weak Cryptographic Authentication](<https://github.com/rapid7/metasploit-framework/pull/14151>) by Dirk-jan Mollema, Spencer McIntyre, and Tom Tervoort, which exploits [CVE-2020-1472](<https://attackerkb.com/topics/7FbcgDOidQ/cve-2020-1472-aka-zerologon?referrer=blog>)
* [SOCKS Proxy Server](<https://github.com/rapid7/metasploit-framework/pull/14173>) by Spencer McIntyre, sf, and surefire
* [Multiplatform Installed Software Version Enumerator](<https://github.com/rapid7/metasploit-framework/pull/14140>) by gwillcox-r7
* [Windows SecureCRT Session Information Enumeration](<https://github.com/rapid7/metasploit-framework/pull/14118>) by HyperSine and Kali-Team

## Bugs fixed

* [Show correct rank for show exploits command](<https://github.com/rapid7/metasploit-framework/pull/14176>) from [Alan David Foster](<https://github.com/adfoster-r7>) fixes a bug where the ranking for exploits was not shown properly when the `show exploits` command was used.
* [Always display `SRVHOST` and `SRVPORT` options when `CMDSTAGER::FLAVOR` is set to `auto`](<https://github.com/rapid7/metasploit-framework/pull/14153>) from [Christophe](<https://github.com/cdelafuente-r7>) fixes a bug where the `SRVPORT` and `SRVHOST` parameters are not displayed properly if the command stager flavor is set to `auto`.
* [Fix is_known_pipename module](<https://github.com/rapid7/metasploit-framework/pull/14035>), also from Christophe, fixes an issue in the `is_known_pipename` exploit module, which targets Samba. There was an incorrect SMB version 1 data structure definition that was causing the module to fail to verify a writeable directory.

## Get it

As always, you can update to the latest Metasploit Framework with `msfupdate` and you can get more details on the changes since the last blog post from GitHub:

* [Pull Requests 6.0.7...6.0.8](<https://github.com/rapid7/metasploit-framework/pulls?q=is:pr+merged:%222020-09-17T11%3A03%3A21-05%3A00..2020-09-24T11%3A12%3A08-05%3A00%22>)
* [Full diff 6.0.7...6.0.8](<https://github.com/rapid7/metasploit-framework/compare/6.0.7...6.0.8>)

If you are a `git` user, you can clone the [Metasploit Framework repo](<https://github.com/rapid7/metasploit-framework>) (master branch) for the latest. To install fresh without using git, you can use the open-source-only [Nightly Installers](<https://github.com/rapid7/metasploit-framework/wiki/Nightly-Installers>) or the [binary installers](<https://www.rapid7.com/products/metasploit/download.jsp>) (which also include the commercial edition).