Metasploit Wrap-Up


## Spilling the (Gi)tea ![Metasploit Wrap-Up](https://blog.rapid7.com/content/images/2021/04/metasploit-blg-3.png) We have two modules coming in from [cdelafuente-r7](<https://github.com/cdelafuente-r7>) targeting [CVE-2020-14144](<https://attackerkb.com/topics/ZTlYBaSclN/cve-2020-14144?referrer=blog>) for both the Gitea and Gogs self-hosted Git services. Both modules are similar: they take advantage of a user’s ability to create Git hooks by authenticating with the web interface, creating a dummy repository with the aforementioned git hook, and triggering it—which will execute the payload! ## Apache OFBiz Deserialization Here we have [wvu-r7](<https://github.com/wvu-r7>) and [zeroSteiner](<https://github.com/zeroSteiner>) joining forces to bring us a module targeting [CVE-2021-26295](<https://attackerkb.com/topics/gPRJEi19sG/cve-2021-26295?referrer=blog>). This module takes advantage of an unauthenticated SOAP interface in the Apache OFBiz application that accepts and deserializes an arbitrary Java object which leads to remote code execution. ## New Modules (4) * [Apache OFBiz SOAP Java Deserialization](<https://github.com/rapid7/metasploit-framework/pull/14971>) by wvu, Spencer McIntyre, and yumusb: This adds an exploit module that targets Apache OFBiz versions prior to `v17.12.06`, which are vulnerable to a Java deserialization vulnerability. By sending a serialized payload to the `webtools/control/SOAPService` endpoint, unauthenticated remote code execution as the user running the Apache OFBiz service can be achieved. * [Gitea and Gogs Git Hooks Remote Code Execution](<https://github.com/rapid7/metasploit-framework/pull/14978>) by Christophe De La Fuente and Podalirius: This adds two modules, `exploit/multi/http/gitea_git_hooks_rce` and `exploit/multi/http/gogs_git_hooks_rce` that both leverage a git hooks setting to achieve authenticated remote code execution against vulnerable versions of Gitea and Gogs respectively. With valid credentials and the permission to create git hooks, both modules create a repo and upload a payload as a `post-receive` hook. Upon creating an additional file in the repo, the `post-receive` hook will be triggered, which will grant code execution as the user running the software. * [Diagnostics Agent in Solution Manager, stores unencrypted credentials for Solution Manager server](<https://github.com/rapid7/metasploit-framework/pull/14965>) by Vladimir Ivanov and Yvan Genuer: This adds a new post module that leverages an insecure password storage vulnerability identified as CVE-2019-0307 to retrieve credentials such as SLD user connection and Solman user communication. This also improves the cve_2020_6207_solman_rce auxiliary module by adding a new SECTORE action performing the same attack remotely by leveraging an authentication bypass identified as CVE-2020-6207. ## Enhancements and features * [#14813](<https://github.com/rapid7/metasploit-framework/pull/14813>) from [bcoles](<https://github.com/bcoles>): This updates the `exploit/windows/http/dupscts_bof` module by including coverage for six more vulnerable versions of the Dup Scout Enterprise software, leveraging auto-targeting, and adding module traits and references. ## Bugs Fixed * [#14975](<https://github.com/rapid7/metasploit-framework/pull/14975>) from [timwr](<https://github.com/timwr>): This fixes an issue in `cve_2020_1054_drawiconex_lpe` module, which was throwing an exception when the target was not vulnerable. * [#14987](<https://github.com/rapid7/metasploit-framework/pull/14987>) from [dwelch-r7](<https://github.com/dwelch-r7>): Fixes an issue where users where only getting three attempts at brute forcing via `mysql_login` module. * [#14992](<https://github.com/rapid7/metasploit-framework/pull/14992>) from [jmartin-r7](<https://github.com/jmartin-r7>): Updates the auto_target_host logic to additionally handle rhost being nil * [#14998](<https://github.com/rapid7/metasploit-framework/pull/14998>) from [wvu-r7](<https://github.com/wvu-r7>): Changes CVE references from CVE Details to NVD * [#14873](<https://github.com/rapid7/metasploit-framework/pull/14873>) from [dwelch-r7](<https://github.com/dwelch-r7>): Fixes an issue where individual modules that failed to load would stop the remaining modules from loading successfully when running the `show payloads` command or `msfvenom -l payloads` * [#14988](<https://github.com/rapid7/metasploit-framework/pull/14988>) from [h00die](<https://github.com/h00die>): A fix to validation of custom wordlist values restores auxiliary cracker module functions when no custom wordlist file is supplied. * [#14991](<https://github.com/rapid7/metasploit-framework/pull/14991>) from [jra89](<https://github.com/jra89>): Fixes a regression that caused the NTP protocol fuzzer modules to crash when being used ## Get it As always, you can update to the latest Metasploit Framework with `msfupdate` and you can get more details on the changes since the last blog post from GitHub: * [Pull Requests 6.0.38...6.0.39](<https://github.com/rapid7/metasploit-framework/pulls?q=is:pr+merged:%222021-04-01T08%3A47%3A57-05%3A00..2021-04-07T13%3A51%3A53-05%3A00%22>) * [Full diff 6.0.38...6.0.39](<https://github.com/rapid7/metasploit-framework/compare/6.0.38...6.0.39>) If you are a `git` user, you can clone the [Metasploit Framework repo](<https://github.com/rapid7/metasploit-framework>) (master branch) for the latest. To install fresh without using git, you can use the open-source-only [Nightly Installers](<https://github.com/rapid7/metasploit-framework/wiki/Nightly-Installers>) or the [binary installers](<https://www.rapid7.com/products/metasploit/download.jsp>) (which also include the commercial edition).