We have two modules coming in from cdelafuente-r7 targeting CVE-2020-14144 for both the Gitea and Gogs self-hosted Git services.
Both modules work the same way: with valid credentials and the permission to create Git hooks, the attacker logs in through the web interface, creates a dummy repository carrying a malicious hook, and then triggers that hook by committing a file to the repository, at which point the hook runs the payload on the server.
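To make the trigger mechanism concrete, here is an added example that is not part of the original post and not Metasploit, Gitea or Gogs code. It reproduces, entirely in local bare repositories, what the two git-hooks modules rely on: a post-receive hook installed in a repository runs server-side on every push, as the account that owns the repository. The hook body here only records who ran it (a real payload would be a command stager or reverse shell); the scratch directory argument and the marker file are this example's own conventions. It needs a working git binary.

```shell
#!/bin/sh
# Added example: demonstrate the post-receive hook trigger the Gitea/Gogs
# git-hooks RCE modules rely on, using only local repositories.
set -eu

# Create a bare "server" repository with a post-receive hook, then push a
# commit from a "client" clone. Prints the hook's marker file and returns 0
# if the hook executed, 1 otherwise.
# $1 = scratch directory (hypothetical layout chosen for this example)
demo_post_receive_hook() {
    root="$1"
    server="$root/server.git"
    client="$root/client"
    marker="$root/hook_ran.txt"

    git init --quiet --bare "$server"

    # The hook stands in for the module's uploaded payload. git feeds it
    # "<old-sha> <new-sha> <refname>" lines on stdin; it runs as the OS user
    # owning the repository, which on a Gitea/Gogs host is the service account.
    cat > "$server/hooks/post-receive" <<EOF
#!/bin/sh
read oldrev newrev refname
printf 'hook executed as %s for %s\n' "\$(id -un)" "\$refname" > "$marker"
EOF
    chmod +x "$server/hooks/post-receive"

    # "Upload a file" to the repository: clone, add a file, commit, push.
    # The push is what fires the hook, not the act of creating the hook.
    git clone --quiet "$server" "$client" 2>/dev/null
    (
        cd "$client"
        echo "trigger" > README.md
        git add README.md
        git -c user.name=demo -c user.email=demo@example.invalid \
            commit --quiet -m "add a file to fire the hook"
        git push --quiet origin HEAD 2>/dev/null
    )

    if [ -f "$marker" ]; then
        cat "$marker"
        return 0
    fi
    return 1
}

# Run the demo when given a scratch directory, e.g.:
#   sh hook_demo.sh "$(mktemp -d)"
if [ -n "${1:-}" ]; then
    demo_post_receive_hook "$1"
fi
```

Note that nothing about the push is privileged: the only thing an attacker needs is the ability to write the hook file into the repository's hooks directory, which is exactly what the "create git hooks" permission in the web UI grants. On the defensive side, Gitea exposes this capability through DISABLE_GIT_HOOKS in the [security] section of app.ini; leave it at true unless a specific repository genuinely needs custom hooks, and treat hook-creation permission as equivalent to shell access on the host.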
Here we have wvu-r7 and zeroSteiner joining forces to bring us a module targeting CVE-2021-26295.
This module takes advantage of an unauthenticated SOAP interface in the Apache OFBiz application that accepts and deserializes an arbitrary Java object, which leads to remote code execution as the user running the OFBiz service.
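As an added example (not part of the original post, and not Metasploit or Apache OFBiz code), here is the check a practitioner would want in front of the webtools/control/SOAPService endpoint described above and in the module list: a serialized Java object always begins with the stream header 0xACED0005, so a SOAP request that should carry only XML-typed values has no business containing that header in hex or base64 form. The two sample requests are constructed for this example; the map-Map, map-Entry and cus-obj element names follow my reading of the OFBiz XML serializer format and are an assumption, not something the post states.

```shell
#!/bin/sh
# Added example: flag SOAP request bodies that embed a Java serialized object.
set -eu

# Constructed sample: an ordinary SOAP call carrying only string values.
SAMPLE_BENIGN='<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/">
  <soapenv:Body><ns:ping xmlns:ns="http://ofbiz.apache.org/service/">
    <map-Map><map-Entry><map-Key><std-String value="message"/></map-Key>
      <map-Value><std-String value="hello"/></map-Value></map-Entry></map-Map>
  </ns:ping></soapenv:Body></soapenv:Envelope>'

# Constructed sample: same shape, but a map value is a cus-obj whose hex
# content starts with the Java serialization header (0xACED0005, then a
# truncated class descriptor). No gadget chain is included; the header alone
# is what the check keys on.
SAMPLE_SUSPECT='<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/">
  <soapenv:Body><ns:ping xmlns:ns="http://ofbiz.apache.org/service/">
    <map-Map><map-Entry><map-Key><std-String value="message"/></map-Key>
      <map-Value><cus-obj>aced00057372001e6a6176612e7574696c2e</cus-obj></map-Value>
    </map-Entry></map-Map>
  </ns:ping></soapenv:Body></soapenv:Envelope>'

# Read a request body from stdin. Return 0 (suspicious) if it contains the
# Java stream header as hex (aced0005, either case) or as base64 (rO0AB, the
# encoding of the same four bytes), 1 otherwise.
body_has_java_serial() {
    body=$(cat)
    # hex-encoded header, as carried by a cus-obj element
    printf '%s\n' "$body" | grep -qi 'aced0005' && return 0
    # base64-encoded header; case-sensitive because base64 is
    printf '%s\n' "$body" | grep -q 'rO0AB' && return 0
    return 1
}

# Print a verdict for one named sample; helper for manual runs.
report() {
    name="$1"
    if printf '%s' "$2" | body_has_java_serial; then
        printf '%s: contains Java serialization header\n' "$name"
    else
        printf '%s: clean\n' "$name"
    fi
}

# Manual run: sh soap_check.sh demo
if [ "${1:-}" = "demo" ]; then
    report benign "$SAMPLE_BENIGN"
    report suspect "$SAMPLE_SUSPECT"
fi
```

This is a detection aid, not a fix: an attacker can still reach the deserialization sink through any encoding the application accepts, so the actual remedy is upgrading to a release that no longer deserializes attacker-controlled objects on that endpoint. The header check is still worth having in a WAF rule or request log scan because a legitimate SOAP client for this service never needs to send raw serialized Java.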
- Apache OFBiz versions prior to v17.12.06 are vulnerable to a Java deserialization vulnerability. By sending a serialized payload to the webtools/control/SOAPService endpoint, unauthenticated remote code execution as the user running the Apache OFBiz service can be achieved.
- exploit/multi/http/gitea_git_hooks_rce and exploit/multi/http/gogs_git_hooks_rce both leverage a git hooks setting to achieve authenticated remote code execution against vulnerable versions of Gitea and Gogs respectively. With valid credentials and the permission to create git hooks, both modules create a repo and upload a payload as a post-receive hook. Upon creating an additional file in the repo, the post-receive hook is triggered, which grants code execution as the user running the software.
- … the exploit/windows/http/dupscts_bof module by including coverage for six more vulnerable versions of the Dup Scout Enterprise software, leveraging auto-targeting, and adding module traits and references.
- … the cve_2020_1054_drawiconex_lpe module, which was throwing an exception when the target was not vulnerable.
- … the mysql_login module.
- … the show payloads command or msfvenom -l payloads …
As always, you can update to the latest Metasploit Framework with msfupdate, and you can get more details on the changes since the last blog post from GitHub:

If you are a git user, you can clone the Metasploit Framework repo (master branch) for the latest. To install fresh without using git, you can use the open-source-only Nightly Installers or the binary installers (which also include the commercial edition).