F5, on top of being a handy shortcut you can press over and over again until 3am just to watch the RTX 3080 preorders sell out instantly, is also a company that specializes in the delivery, security, performance, and availability of web applications, computing, storage, and network resources.
Community contributor h00die added an F5 device configuration processing library to msfconsole, along with a post module that gathers information from F5 devices and an auxiliary module that parses F5 config files offline.
A new exploit added by bcoles takes advantage of an OS command injection vulnerability in the Mida Solutions eFramework developed (shockingly) by Mida Solutions, a Unified Communications company.
Shell commands can be executed as the apache user without authentication via the PARAM parameter in requests made to ajaxreq.php. The sudo configuration also allows the apache user to execute commands without requiring a password, making code execution as the root user possible.
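As an added, defender-side illustration of the eFramework issue described above (and summarized again under PR #14074 below), the following example scans Apache access-log lines for requests to ajaxreq.php whose PARAM value carries shell metacharacters. It is not code from the original post or from Metasploit; the log lines are constructed, and it assumes the parameter arrives in the query string (a POST body would need a request-logging proxy or WAF instead).

```python
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Constructed sample access-log lines in Apache "combined" format (not real traffic).
SAMPLE_LOG = """\
10.0.0.5 - - [18/Sep/2020:10:01:02 +0000] "GET /ajaxreq.php?PARAM=status HTTP/1.1" 200 512 "-" "Mozilla/5.0"
10.0.0.9 - - [18/Sep/2020:10:01:07 +0000] "GET /ajaxreq.php?PARAM=status%3Bid HTTP/1.1" 200 98 "-" "curl/7.68.0"
10.0.0.9 - - [18/Sep/2020:10:01:09 +0000] "GET /ajaxreq.php?PARAM=x%60whoami%60 HTTP/1.1" 200 77 "-" "curl/7.68.0"
10.0.0.7 - - [18/Sep/2020:10:02:00 +0000] "GET /index.php HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
"""

# Minimal parse of the combined log format: client IP, timestamp, method, request path, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) \S+" (?P<status>\d{3})'
)

# Shell metacharacters that a legitimate PARAM value should never contain.
SHELL_META = re.compile(r'[;&|`$\n]')


def suspicious_param_values(log_text):
    """Return (ip, timestamp, decoded PARAM) for ajaxreq.php requests whose
    PARAM value contains shell metacharacters."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip malformed lines rather than failing the whole scan
        url = urlsplit(m.group("path"))
        if not url.path.endswith("/ajaxreq.php"):
            continue
        # parse_qs percent-decodes once; a second unquote catches double-encoded values.
        for value in parse_qs(url.query, keep_blank_values=True).get("PARAM", []):
            decoded = unquote(value)
            if SHELL_META.search(decoded):
                hits.append((m.group("ip"), m.group("ts"), decoded))
    return hits


if __name__ == "__main__":
    for ip, ts, param in suspicious_param_values(SAMPLE_LOG):
        print(f"{ts} {ip} suspicious PARAM={param!r}")
```

Because the page notes that sudo lets the apache user run commands without a password, any hit here should be treated as a possible root compromise of the host, not just a web-tier event.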
Our very own Grant Wilcox put together a neat post module for Windows machines running Hyper-V that allows the enumeration of any Hyper-V Virtual Machines installed on said machine.
The findings of this module (status, CPU usage, Hyper-V engine version, and state) are then entered into the Metasploit loot, for easy export and retrieval.
Last but certainly not least, the gnarly "Zerologon" (CVE-2020-1472) privilege escalation vulnerability already has a PR in the works courtesy of the always wonderful zeroSteiner.
For more information on the vulnerability that everyone’s talking about, see our analysis on AttackerKB.
PR #14139 - This updates the HTTP client library used by many Metasploit modules to be more standards-compliant in its redirect handling, while also adding a new feature to more easily manage cookies.
PR #14126 - This adds an authenticated RCE exploit for Microsoft Exchange which leverages the flaw identified as CVE-2020-16875 to inject code when processing a new DLP policy. The user must have the "Data Loss Prevention" role assigned in order to exploit this vulnerability.
PR #14125 - Adds SCREEN_EFFECTS and ARTIFACTS_ON_DISK notes to the post/osx/escalate/tccbypass module.
PR #14117 - This adds a post module that checks if a target is a Hyper-V host and attempts to gather information about all Hyper-V VMs.
PR #14074 - This adds an exploit for Mida Solutions eFramework versions 2.9.0 and below. Shell commands can be executed as the apache user via the PARAM parameter in requests to ajaxreq.php without authentication. Because the sudo configuration allows the apache user to execute commands without requiring a password, this vector ultimately achieves code execution as the root user.
PR #13942 - This PR adds a module to leverage CVE-2020-9934 to allow a session to bypass the macOS Transparency, Consent, and Control (TCC) Framework for unauthorized access to sensitive user data.
PR #13571 - This updates the Session Notifier plugin to support sending notifications using DingTalk webhooks.
PR #14111 - Removes dead code that previously tracked payload sizes when Metasploit was booting up.
PR #14145 - A bug within the implementation of the report_loot method has been fixed to ensure that data is always base64 encoded prior to sending it to the web service, which always expects base64 encoded data. Application of this fix ensures that report_loot will not send any unencoded data which could cause an exception.
PR #14143 - This update replaces all calls to the deprecated get_service function with calls to the more modern function known as services. This solves some known issues related to existing get_service calls that affected the badblue_passthru and tomcat_mgr_upload modules when connected to a remote database.
PR #14120 - Fixes a bug that caused services -S to return results from all workspaces, instead of the current workspace.
PR #14138 - Fixes nexus_repo_manager_el_injection.md.
As always, you can update to the latest Metasploit Framework with msfupdate and you can get more details on the changes since the last blog post from GitHub:
If you are a git user, you can clone the Metasploit Framework repo (master branch) for the latest.
To install fresh without using git, you can use the open-source-only Nightly Installers or the binary installers (which also include the commercial edition).