Our very own zeroSteiner added exploit/multi/http/struts2_multi_eval_ognl, which exploits Struts2 evaluating OGNL expressions in HTML attributes multiple times (CVE-2019-0230 and CVE-2020-17530). The CVE-2019-0230 OGNL chain for remote code execution requires a one-time chain to enable the RCE gadget, which is handled automatically by the module. The OGNL gadget chain for CVE-2020-17530 will echo the command output. Both chains use a simple mathematical expression to ensure that evaluation occurs. These vulnerabilities are application-dependent, and the user does need to know which CVE they are targeting. Setting the NAME parameter appropriately and using the check method to ensure evaluation takes place inside an HTML attribute are key to successful exploitation.
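From the defender's side, the "simple mathematical expression" probe described above leaves a recognisable trace in web server access logs: an OGNL delimiter (%{...} or ${...}) inside a request parameter name or value, often percent-encoded. The following Python detector is an added example (not part of the original post or the Metasploit module) that runs over constructed log lines; the log format, paths and parameter names are assumptions.

```python
import re
from urllib.parse import urlsplit, parse_qsl, unquote

# Constructed sample access-log lines (not taken from any real system).
SAMPLE_LOG = """\
10.0.0.5 - - [01/Jan/2021:10:00:00 +0000] "GET /struts2-showcase/index.action?id=42 HTTP/1.1" 200 512
10.0.0.9 - - [01/Jan/2021:10:00:01 +0000] "GET /struts2-showcase/index.action?id=%25%7B7*7%7D HTTP/1.1" 200 518
10.0.0.9 - - [01/Jan/2021:10:00:02 +0000] "POST /struts2-showcase/index.action?%24%7B1%2B1%7D=x HTTP/1.1" 200 518
"""

# Extract the request line from a combined-log-format entry.
REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')
# OGNL expressions in Struts tag attributes are delimited by %{...} or ${...}.
OGNL_RE = re.compile(r'[%$]\{[^{}]*\}')


def fully_unquote(s, rounds=3):
    """Percent-decode repeatedly; probes aimed at double evaluation
    commonly arrive double-encoded."""
    for _ in range(rounds):
        decoded = unquote(s)
        if decoded == s:
            break
        s = decoded
    return s


def find_ognl_probes(log_text):
    """Return (line_no, parameter_name, decoded_text) for every request whose
    query string carries an OGNL expression in a parameter name or value."""
    findings = []
    for line_no, line in enumerate(log_text.splitlines(), 1):
        m = REQUEST_RE.search(line)
        if not m:
            continue
        query = urlsplit(m.group("target")).query
        # parse_qsl performs one decoding pass; fully_unquote handles the rest.
        for name, value in parse_qsl(query, keep_blank_values=True):
            for part in (name, value):
                decoded = fully_unquote(part)
                if OGNL_RE.search(decoded):
                    findings.append((line_no, name, decoded))
                    break
    return findings


if __name__ == "__main__":
    for hit in find_ognl_probes(SAMPLE_LOG):
        print("line %d: parameter %r contains OGNL expression %r" % hit)
```

Only the query string is inspected here; POST bodies and headers that reach the same attribute would need the same check applied to the request body.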
Exploit module exploits/windows/local/bits_ntlm_token_impersonation was added by Metasploit contributor C4ssandre. It exploits BITS connecting to a local Windows Remote Management (WinRM) server at startup time. A fake WinRM server listening on port 5985 is started by a DLL loaded from a previous unprivileged meterpreter session. The fake server triggers BITS and then steals a SYSTEM token from the subsequent authentication request. The token is then used to start a new process and launch powershell.exe as the SYSTEM user, which downloads a malicious PowerShell script from a second local HTTP server and executes it without writing any files to disk. The exploit is based on decoder’s PoC. It has been successfully tested on Windows 10 (10.0 Build 19041) 32-bit.
Metasploit contributor h00die added an exploit that targets Pulse Connect Secure server version 9.1R8 and earlier. The vulnerability was originally discovered by the NCC Group. It achieves authenticated remote code execution as root by uploading an encrypted config that contains an overwrite for a Perl template file. This module was made possible by rxwx, who shared the encryption code with the author. Admin credentials are required for successful root access. The module has been tested against server version 9.1R8.
auxiliary/server/socks_proxy replaces modules/auxiliary/server/socks4a.rb and modules/auxiliary/server/socks5.rb.

As always, you can update to the latest Metasploit Framework with msfupdate, and you can get more details on the changes since the last blog post from GitHub.
If you are a git user, you can clone the Metasploit Framework repo (master branch) for the latest. To install fresh without using git, you can use the open-source-only Nightly Installers or the binary installers (which also include the commercial edition).