This week our very own Spencer McIntyre has added an exploit for CVE-2020-0796, which leverages a vulnerability within the Microsoft Server Message Block 3.1.1 (SMBv3) protocol to gain unauthenticated remote code execution against unpatched Windows 10 v1903 and v1909 systems. Previously, Metasploit offered an LPE version of this exploit but not RCE support. The exploit is heavily based on the chompie1337/SMBGhost_RCE_PoC PoC.
Note that there is a high probability that, even when the exploit is successful, the remote target will crash within about 90 minutes. It is recommended that after a successful compromise, a persistence mechanism be established and the system be rebooted to avoid a Blue Screen of Death (BSOD).
Community member pingport80 has made Metasploit's command history management context aware. The command history for the main console and for sub-shells such as Pry and Meterpreter is now kept separate, so pressing the up arrow key in any of these contexts only shows the history for that specific context or sub-shell, which should be more intuitive to users.
Other changes this week:

- A new module that searches for .gitignore files, which may contain pointers to files of interest.
- Adds a meterpreter key to the compat hash to better provide Meterpreter session compatibility information to users, including printing the required Meterpreter extension(s) to the console in the event of a session incompatibility. Additionally, post modules will automatically load the Meterpreter extensions they use, provided that the module's Meterpreter compatibility requirements are annotated.
- Updates the get_processes API on non-Windows systems so that it falls back to enumerating the /proc directory when the ps utility is not present.
- Updates the loot command so that its output is displayed without wrapping, which makes it easier for users to copy and paste.
- Updates the Msf::Post::Process mixin with support for multiple session types.
- Updates the exploit/windows/local/tokenmagic module to fix a crash that occurs on some targets, and moves the target validation logic earlier in the module.
- Updates the checkvm module to fix a bug where it failed to identify certain Xen environments, such as those used within AWS.
- Removes the RHOST_HTTP_URL module option and feature flag, as it had blocking edge cases for being enabled by default. A new implementation is being investigated.
- Updates msfvenom to only wrap output if the output is going to STDOUT.

As always, you can update to the latest Metasploit Framework with msfupdate, and you can get more details on the changes since the last blog post from GitHub:

If you are a git user, you can clone the Metasploit Framework repo (master branch) for the latest. To install fresh without using git, you can use the open-source-only Nightly Installers or the binary installers (which also include the commercial edition).
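To make the Meterpreter compatibility change above concrete, here is an added illustration (not Metasploit's own implementation) of how a module's declared command requirements can be checked against a live session, and how the missing extensions can be loaded automatically. It relies on Meterpreter's naming convention, in which every command is prefixed by the extension that provides it (stdapi_, priv_, and so on) and core_ commands are always available. The FakeSession class, its command table, and the SAMPLE_COMPAT metadata are constructed for this example; the 'Meterpreter' => { 'Commands' => [...] } shape mirrors how modules annotate their requirements, but the surrounding code is ours.

```ruby
# Added illustration (not Metasploit's own code) of checking a module's
# declared Meterpreter command requirements against a session.
#
# Meterpreter commands are named <extension>_<rest>, e.g.
# stdapi_sys_process_get_processes or priv_elevate_getsystem, and the
# "core" commands are always available. The session and module metadata
# below are constructed for the example.

# Extension that provides a command, derived from its name prefix.
def extension_for(command)
  command.split('_', 2).first
end

# Extensions a module needs that the session has not loaded yet.
# Returns a sorted, de-duplicated list of extension names, e.g. ["priv"].
def missing_extensions(compat, loaded_commands)
  required = compat.dig('Meterpreter', 'Commands') || []
  required
    .reject { |cmd| loaded_commands.include?(cmd) }
    .map { |cmd| extension_for(cmd) }
    .reject { |ext| ext == 'core' }
    .uniq
    .sort
end

# Simulated session: which extensions are loaded and the commands they
# expose. A real session would answer this from its own command list.
class FakeSession
  EXTENSION_COMMANDS = {
    'core'   => %w[core_channel_open core_loadlib],
    'stdapi' => %w[stdapi_sys_process_get_processes stdapi_fs_ls],
    'priv'   => %w[priv_elevate_getsystem priv_passwd_get_sam_hashes]
  }.freeze

  attr_reader :loaded

  def initialize(loaded = %w[core stdapi])
    @loaded = loaded.dup
  end

  def commands
    @loaded.flat_map { |ext| EXTENSION_COMMANDS.fetch(ext, []) }
  end

  # Stand-in for the console's `load <ext>`; unknown extensions fail.
  def load_extension(ext)
    raise ArgumentError, "unknown extension #{ext}" unless EXTENSION_COMMANDS.key?(ext)
    @loaded << ext unless @loaded.include?(ext)
  end
end

# Load whatever the module still needs, then report anything left missing
# (an empty array means the session is now compatible).
def ensure_compat(compat, session)
  missing_extensions(compat, session.commands).each { |ext| session.load_extension(ext) }
  missing_extensions(compat, session.commands)
end

# Constructed module metadata in the Compat/Meterpreter/Commands shape.
SAMPLE_COMPAT = {
  'Meterpreter' => {
    'Commands' => %w[
      core_channel_open
      stdapi_sys_process_get_processes
      priv_elevate_getsystem
    ]
  }
}.freeze

if __FILE__ == $PROGRAM_NAME
  session = FakeSession.new
  puts "missing before: #{missing_extensions(SAMPLE_COMPAT, session.commands).inspect}"
  puts "missing after:  #{ensure_compat(SAMPLE_COMPAT, session).inspect}"
end
```

With the default session (core and stdapi loaded), the sample module is reported as needing priv; after ensure_compat the list is empty. The point of deriving the extension from the command prefix is that a module only has to list the commands it actually calls, and the console can turn that into the "load priv" a user would otherwise have to work out by hand.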
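The get_processes fallback mentioned above is worth seeing in code, because the /proc layout is simple but has a few traps (processes that exit mid-enumeration, unreadable entries, the four-field Uid line, NUL-separated cmdline). The following is an added example written for this post, not the framework's implementation: it checks whether ps is on the search path, and otherwise walks a /proc-style tree. The proc_root parameter and the build_sample_proc helper exist only so that a constructed tree can stand in for the real /proc.

```ruby
require 'tmpdir'
require 'fileutils'

# Added illustration (not Metasploit's own implementation) of enumerating
# processes from /proc when `ps` is unavailable. proc_root is a parameter
# so that the constructed sample tree below can stand in for a real /proc.

# True when an executable named `name` exists on the given search path.
def tool_available?(name, path = ENV.fetch('PATH', ''))
  path.split(File::PATH_SEPARATOR).any? do |dir|
    candidate = File.join(dir, name)
    File.file?(candidate) && File.executable?(candidate)
  end
end

# Parse one process: `status` carries Name/PPid/Uid as "Key:\tvalue" lines,
# `cmdline` is NUL-separated argv (may be absent or empty for kernel threads).
def read_proc_entry(proc_root, pid)
  status = File.readlines(File.join(proc_root, pid.to_s, 'status'), chomp: true)
               .map { |line| line.split(":\t", 2) }
               .select { |pair| pair.size == 2 }
               .to_h
  cmdline_path = File.join(proc_root, pid.to_s, 'cmdline')
  cmdline = File.exist?(cmdline_path) ? File.binread(cmdline_path).split("\0") : []
  {
    pid: pid,
    ppid: status.fetch('PPid', '0').to_i,
    uid: status.fetch('Uid', '0').split.first.to_i, # real uid is the first of four fields
    name: status.fetch('Name', ''),
    cmdline: cmdline.join(' ')
  }
end

# Enumerate every numeric directory under proc_root. Entries that vanish
# between listing and reading (the process exited) or that we cannot read
# are skipped rather than aborting the whole enumeration.
def enumerate_proc(proc_root)
  Dir.children(proc_root)
     .select { |e| e.match?(/\A\d+\z/) && File.directory?(File.join(proc_root, e)) }
     .map(&:to_i)
     .sort
     .map do |pid|
       begin
         read_proc_entry(proc_root, pid)
       rescue Errno::ENOENT, Errno::EACCES
         nil
       end
     end
     .compact
end

# Build a constructed /proc-like tree: two processes plus a non-numeric
# directory (like the real /proc/sys) that must be ignored.
def build_sample_proc(root)
  {
    1  => { status: "Name:\tinit\nPPid:\t0\nUid:\t0\t0\t0\t0\n", cmdline: "/sbin/init\0" },
    42 => { status: "Name:\tsshd\nPPid:\t1\nUid:\t1000\t1000\t1000\t1000\n", cmdline: "sshd\0-D\0" }
  }.each do |pid, files|
    dir = File.join(root, pid.to_s)
    FileUtils.mkdir_p(dir)
    File.write(File.join(dir, 'status'), files[:status])
    File.binwrite(File.join(dir, 'cmdline'), files[:cmdline])
  end
  FileUtils.mkdir_p(File.join(root, 'sys'))
  root
end

# Prefer `ps` when it is present; otherwise fall back to the /proc walk.
def list_processes(proc_root = '/proc')
  if tool_available?('ps')
    `ps -eo pid,ppid,uid,comm`.lines.drop(1).map do |l|
      pid, ppid, uid, name = l.split(nil, 4)
      { pid: pid.to_i, ppid: ppid.to_i, uid: uid.to_i, name: name.to_s.strip, cmdline: '' }
    end
  else
    enumerate_proc(proc_root)
  end
end

if __FILE__ == $PROGRAM_NAME
  Dir.mktmpdir do |d|
    build_sample_proc(d)
    enumerate_proc(d).each { |p| puts "#{p[:pid]} #{p[:ppid]} #{p[:uid]} #{p[:name]} #{p[:cmdline]}" }
  end
end
```

On a minimal container or a stripped-down appliance without procps, the ps branch is never taken and the /proc walk still yields pid, parent, uid, name and command line, which is what post modules need for things like picking a migration target. Reading status rather than stat avoids the well-known parsing problem of process names containing spaces or parentheses in /proc/PID/stat.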