Metasploit Wrap-Up

Archive directory traversals, now with your daily allowance of JSP

In a year already full of hot vulnerabilities, CVE-2021-21972 in VMware’s vCenter Server may already seem like old news. It’s not, though! Thanks to wvu-r7 for grabbing this unauthenticated file upload combined with archive directory traversal to upload some sweet web shells. Also, thanks to smcintyre-r7 for reviewing and testing.

Keeping track of your favorite modules

If Metasploit’s more than 3,500 modules ever feel like too much to track, kalba-security has added the favorites command to msfconsole. This new command allows users to save their favorite modules in a list viewable with show favorites. Thanks to space-r7 for helping get this over the line!

Google Summer of Code 2021

We are happy to announce that Metasploit Framework has been accepted for the 2021 iteration of Google Summer of Code! This year we are primarily looking for projects that increase visibility into the data that Metasploit collects or that make using exploitation APIs smoother. For more details on project ideas and how to apply, check out our GSoC wiki page.

New Modules (3)

• VMware vCenter Server Unauthenticated OVA File Upload RCE by wvu, Mikhail Klyuchnikov, Viss, and mr_me, which exploits CVE-2021-21972, an unauthenticated RCE in VMware Center.
• HPE Systems Insight Manager AMF Deserialization RCE by Grant Willcox, Harrison Neal, and Jang, which exploits ZDI-20-1449 (CVE-2020-7200), targeting the 7.6.x versions of HPE Systems Insight Manager software. Unauthenticated code execution as the user running the HPE SIM software (typically local administrator) can be obtained by sending a serialized AMF request to the /simsearch/messagebroker/amfsecure page.
• Microsoft Windows RRAS Service MIBEntryGet Overflow by Equation Group, Shadow Brokers, Víctor Portal, and bcoles, which exploits CVE-2017-8461, a remote RCE in Routing and Remote Access Service (RRAS) on Windows Server 2003 identified as CVE-2017-8461. This allows executing arbitrary commands with SYSTEM user privileges.

Enhancements and features

• #14201 from kalba-security implements a new msfconsole command, favorite, which allows users to save favorite / commonly-used modules to a list for easy retrieval later.
• #14732 from zeroSteiner adds a new Java deserialization mixin and modifies existing Java deserialization exploit modules to use the new mixin. Additionally, this fixes both the generation of the ysoserial payloads and the payloads themselves with improvements to the generation script, find_ysoserial_offsets.rb and pinning the ysoserial version that’s used in the generation process.

Bugs Fixed

• #14792 from gwillcox-r7 updates 11 modules targeting Windows systems that were improperly checking the environment architecture which led to broken WOW64 detection in some cases.
• #14871 from dwelch-r7 ensures that the BinData library is always available for use within modules
• #14874 from dwelch-r7 fixes autoloading when utilizing Msf::RPC::Client in external tooling.

Get it

As always, you can update to the latest Metasploit Framework with msfupdate
and you can get more details on the changes since the last blog post from
GitHub:

• Pull Requests 6.0.33…6.0.34
• Full diff 6.0.33…6.0.34

If you are a git user, you can clone the Metasploit Framework repo (master branch) for the latest.
To install fresh without using git, you can use the open-source-only Nightly Installers or the
binary installers (which also include the commercial edition).