Community member r4j0x00
contributed a new module for CVE-2020-16040, an integer overflow in the SimplifiedLowering phase of TurboFan in Google Chrome <= 87.0.4280.66 that grants attackers RCE. Whilst the exploit in and of itself does not grant RCE by default, unless the sandbox is disabled, it is still important to note that some embedded versions of Chrome run without the sandbox enabled by default in order to allow Chrome access to more system resources. This means that in some cases it may still be possible to use this module on its own to gain RCE on a system.
As part of his continuous updates to make Metasploit sessions easier to verify, our very own zeroSteiner
, updated several Meterpreter libraries to ensure that error messages output when commands cannot be run in a given Meterpreter session are now more intuitive and better explain what is going wrong, such as if a library has not yet been loaded. zeroSteiner
also updated these libraries to allow Metasploit to proactively identify when a command will fail in a Meterpreter session due to it not being supported by whatever type of Metepreter session is running on the remote target. This should help users to better identify what commands are not supported by a given session and also better debug things themselves if anything goes wrong, as part of our ongoing work to better improve session validation and make it more intuitive.
Community members Ike Broflovski and Julien Voisin added in a new post module that takes advantage of CVE-2021-29133 , an arbitrary read in haserl prior to 0.9.36, that allows attackers to read any file on the target file system without requiring any specific privileges. Itβs important to note that in many cases attackers are often blocked from escalating their privileges due to a lack of access to some important bit of information. The ability to read arbitrary files on disk can help to lower this barrier by allowing attackers to access protected files that may contain things such as saved application credentials, source code for various sensitive components, or even just information about applications running on the system itself that may assist in identifying ways to elevate permissions, making this an incredibly versatile module should one manage to find a vulnerable target.
apache
user on affected systems.--no-sandbox
Chrome flag, as no sandbox escape is present.sp_oacreate
technique to the mssql_exec module which is a more stealthy alternative to the traditional xp_cmdshell stored procedure.nagios_xi_authenticated_rce.rb
module has been renamed to nagios_xi_plugins_check_ping_authenticated_rce
and has been updated to take advantage of the Nagios XI mixin. Additionally the documentation has been updated to reflect these changes and to better explain how the module works.screen_spy.rb
module has been updated to allow users to specify the PID of a process they would like to migrate into before taking screenshots, rather than forcing users to migrate into an explorer.exe
process. If no PID is specified, then screen_spy.rb
will default to taking screenshots from the current process.payloads/singles/linux/x64/shell_bind_tcp_random_port.rb
shellcode has been updated to be more efficient, resulting in its size being reduced by one byte. Additionally comments have been updated to properly mention that the payload uses the string //bin/sh
, not /bin/sh
.modules/auxiliary/admin/http/tomcat_ghostcat.rb
module has been updated to use a default RPORT
value of 8080 and to add in the AJP_PORT
option to specify where the Apache JServ Protocol Port is, which now defaults to a value of 8009.payloads/singles/linux/x64/exec.rb
payload has been updated to be more efficient, thereby reducing the total shellcode size. Additionally, support has been added for generating NULL byte free shellcode, and the code has been refactored to use Metasm to make it easier to understand.auxiliary/scanner/redis/redis_login
to first check if authentication is required before then attempting to bruteforce credentials.freefloatftp_wbem
, open_ftpd_wbem
, ftp/quickshare_traversal_write
, and http/solarwinds_storage_manager_sql
to correctly handle error scenarios and perform cleanup gracefully.msfdb webservice
component in the foreground with the --no-daemon
flag.hashcat
wasnβt able to be run due to invalid version expectations.msfdb
services command, where this issue previously caused a crash when running the services
command after connecting to another remote database.NameError
in the pulse_secure_gzip_rce
module which was preventing it from functioning correctly.python/meterpreter/reverse_http
payload handler where, if the LURI option did not begin with a slash, the payload would fail to stage.As always, you can update to the latest Metasploit Framework with msfupdate
and you can get more details on the changes since the last blog post from
GitHub:
If you are a git
user, you can clone the Metasploit Framework repo (master branch) for the latest.
To install fresh without using git, you can use the open-source-only Nightly Installers or the
binary installers (which also include the commercial edition).