Metasploit Wrap-Up

Metasploit keeping that developer awareness rate up.

Thanks to mr_me & wvu, SharePoint is an even better target to find in your next penetration test. The newly minted module can net you a shell and a copy of the servers config, making that report oh so much more fun.

Like to escape the sandbox? WizardOpium has your first taste of freedom. Brought to you by timwr and friends through Chrome, this module might be that push you need to get out onti solid ground.

New modules (4)

• Login to Another User with Su on Linux / Unix Systems by Gavin Youker
• Microsoft SharePoint Server-Side Include and ViewState RCE by wvu and mr_me, which exploits CVE-2020-16952
• Telerik UI ASP.NET AJAX RadAsyncUpload Deserialization by Alvaro Muñoz, Caleb Gross, Markus Wulftange, Oleksandr Mirosh, Paul Taylor, Spencer McIntyre, and straightblast, which exploits CVE-2019-18935
• Microsoft Windows Uninitialized Variable Local Privilege Elevation by piotrflorczyk, timwr, and unamer, which exploits CVE-2019-1458

Enhancements and features

• Add version check to exchange_ecp_dlp_policy by wvu adds extended version checks for SharePoint and Exchange servers as used by the exploit modules for CVE-2020-16875 and CVE-2020-16952.
• Parameterize args to popen3() by Justin Steven improves commands executed during apk generation commands to be more explicit with options.
• More improved doc and syntax by h00die adds documentation and code quality changes for multiple modules. As always docs improvement are greatly appreciated!
• Add tab completion for run command by cgranleese-r7 adds tab completion for specifying inline options when using the run command. For example, within Metasploit’s console typing run and then hitting the tab key twice will now show all available option names. Incomplete option names and values can also be also suggested, for example run LHOST= and then hitting the tab key twice will show all available LHOST values.
• CVE-2019-1458 chrome sandbox escape by timwr adds support for exploiting CVE-2019-1458, aka WizardOpium, as both a standalone LPE module, and as a sandbox escape option for the exploit/multi/browser/chrome_object_create.rb module that exploits CVE-2018-17463 in Chrome, thereby allowing users to both elevate their privileges on affected versions of Windows, as well as potentially execute a full end to end attack chain to go from a malicious web page to SYSTEM on systems running vulnerable versions of Chrome and Windows.
• Parameterize args to popen3() by Justin Steven improves commands executed during apk generation commands to be more explicit with options.
• More improved doc and syntax by h00die adds documentation and code quality changes for multiple modules. As always, docs improvements are greatly appreciated!

Bugs fixed

• MS17-010 improvements for SMB1 clients by Spencer McIntyre fixes an issue with the exploit/windows/smb/ms17_010_eternalblue module that was preventing sessions from being obtained successfully.
• Fix missing TLV migration from strings -> ints by Justin Steven converts a missed TLV conversion for COMMAND_ID_CORE_CHANNEL_CLOSE for PHP payloads.
• Meterpreter endless loop by vixfwis, ensured that Meterpreter can properly handle SOCKET_ERROR on recv.

Get it

As always, you can update to the latest Metasploit Framework with msfupdate and you can get more details on the changes since the last blog post from GitHub:

• Pull Requests 6.0.11…6.0.12
• Full diff 6.0.11…6.0.12

If you are a git user, you can clone the Metasploit Framework repo (master branch) for the latest. To install fresh without using git, you can use the open-source-only Nightly Installers or the binary installers (which also include the commercial edition).