We have two modules coming in from cdelafuente-r7 targeting CVE-2020-14144 for both the Gitea and Gogs self-hosted Git services.
Both modules are similar: they take advantage of a user’s ability to create Git hooks by authenticating with the web interface, creating a dummy repository with the aforementioned git hook, and triggering it—which will execute the payload!
Here we have wvu-r7 and zeroSteiner joining forces to bring us a module targeting CVE-2021-26295.
This module takes advantage of an unauthenticated SOAP interface in the Apache OFBiz application that accepts and deserializes an arbitrary Java object which leads to remote code execution.
v17.12.06, which are vulnerable to a Java deserialization vulnerability. By sending a serialized payload to the webtools/control/SOAPService endpoint, unauthenticated remote code execution as the user running the Apache OFBiz service can be achieved.
exploit/multi/http/gogs_git_hooks_rce that both leverage a git hooks setting to achieve authenticated remote code execution against vulnerable versions of Gitea and Gogs respectively. With valid credentials and the permission to create git hooks, both modules create a repo and upload a payload as a post-receive hook. Upon creating an additional file in the repo, the post-receive hook will be triggered, which will grant code execution as the user running the software.
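The hook-based technique above is also what a defender can audit for: server-side hooks live on disk in each bare repository, so listing every real hook script under a Gitea or Gogs data directory surfaces the ones nobody intended to be there. Added example, not Rapid7's or either project's code; the on-disk layout constructed in demo() is an assumption.

```python
# Audit a Git hosting data directory for server-side hook scripts. Gitea and
# Gogs keep each repository as a bare repo, so a user-created post-receive hook
# ends up under <repo>.git/hooks/. audit_hooks() walks a repositories root and
# reports every real (non-.sample) pre-receive/update/post-receive script,
# including entries in *.d/ directories. Added example; the on-disk layout used
# in demo() is an assumption, not taken from either project.
import hashlib
import os
import stat
import tempfile

HOOK_NAMES = ("pre-receive", "update", "post-receive")
HOOK_DIRS = tuple(h + ".d" for h in HOOK_NAMES)

def is_hook_file(path):
    """True for a regular file named after a hook or placed in a hook .d dir."""
    name = os.path.basename(path)
    parent = os.path.basename(os.path.dirname(path))
    if name.endswith(".sample") or not os.path.isfile(path):
        return False
    return name in HOOK_NAMES or parent in HOOK_DIRS

def audit_hooks(root):
    """Return sorted findings (relative path, owner exec bit, sha256) under root."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        if "hooks" not in dirpath.split(os.sep):  # only bare-repo hooks/ dirs
            continue
        for fname in files:
            path = os.path.join(dirpath, fname)
            if is_hook_file(path):
                with open(path, "rb") as fh:
                    digest = hashlib.sha256(fh.read()).hexdigest()
                mode = os.stat(path).st_mode
                findings.append({"path": os.path.relpath(path, root),
                                 "executable": bool(mode & stat.S_IXUSR),
                                 "sha256": digest})
    return sorted(findings, key=lambda f: f["path"])

def demo():
    """Build a constructed sample tree in a temp dir and audit it."""
    with tempfile.TemporaryDirectory() as tmp:
        hooks = os.path.join(tmp, "alice", "demo.git", "hooks")
        os.makedirs(os.path.join(hooks, "post-receive.d"))
        with open(os.path.join(hooks, "post-receive.sample"), "w") as fh:
            fh.write("#!/bin/sh\n# shipped by git, ignored by the audit\n")
        custom = os.path.join(hooks, "post-receive.d", "custom")
        with open(custom, "w") as fh:
            fh.write("#!/bin/sh\necho hook ran\n")
        os.chmod(custom, 0o755)
        return audit_hooks(tmp)
```

Point audit_hooks() at the real repositories root and compare the reported digests against the hooks you actually provisioned.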
exploit/windows/http/dupscts_bof module by including coverage for six more vulnerable versions of the Dup Scout Enterprise software, leveraging auto-targeting, and adding module traits and references.
cve_2020_1054_drawiconex_lpe module, which was throwing an exception when the target was not vulnerable.
show payloads command or msfvenom -l payloads
As always, you can update to the latest Metasploit Framework with msfupdate and you can get more details on the changes since the last blog post from GitHub:
If you are a git user, you can clone the Metasploit Framework repo (master branch) for the latest. To install fresh without using git, you can use the open-source-only Nightly Installers or the binary installers (which also include the commercial edition).