logo
DATABASE RESOURCES PRICING ABOUT US

Metasploit Wrap-Up

Description

![Metasploit Wrap-Up](https://blog.rapid7.com/content/images/2020/10/metasploit-blg-3-copy.png) Metasploit keeping that developer awareness rate up. ![Metasploit Wrap-Up](https://blog.rapid7.com/content/images/2020/10/telerik-fake-text-2.png) Thanks to [mr_me](<https://github.com/stevenseeley>) & [wvu](<https://github.com/wvu-r7>), SharePoint is an even better target to find in your next penetration test. The newly minted module can net you a shell and a copy of the servers config, making that report oh so much more fun. Like to escape the sandbox? WizardOpium has your first taste of freedom. Brought to you by [timwr](<https://github.com/timwr>) and friends through Chrome, [this module](<https://github.com/rapid7/metasploit-framework/blob/4fb0c4ac8ab89575c4358d2369d3650bc3e1c10d/modules/exploits/multi/browser/chrome_object_create.rb>) might be that push you need to get out onti solid ground. ## New modules (4) * [Login to Another User with Su on Linux / Unix Systems](<https://github.com/rapid7/metasploit-framework/pull/14179>) by [Gavin Youker](<https://github.com/youkergav>) * [Microsoft SharePoint Server-Side Include and ViewState RCE](<https://github.com/rapid7/metasploit-framework/pull/14265>) by [wvu](<https://github.com/wvu-r7>) and [mr_me](<https://github.com/stevenseeley>), which exploits [CVE-2020-16952](<https://attackerkb.com/topics/4yGC4tLK2x/cve-2020-16952-microsoft-sharepoint-remote-code-execution-vulnerabilities?referrer=wrapup>) * [Telerik UI ASP.NET AJAX RadAsyncUpload Deserialization](<https://github.com/rapid7/metasploit-framework/pull/14229>) by [Alvaro Muñoz](<https://github.com/pwntester>), [Caleb Gross](<https://github.com/noperator>), [Markus Wulftange](<https://github.com/mwulftange>), [Oleksandr Mirosh](<https://twitter.com/olekmirosh>), [Paul Taylor](<https://github.com/bao7uo>), [Spencer McIntyre](<https://github.com/zeroSteiner>), and [straightblast](<https://github.com/straightblast>), which exploits [CVE-2019-18935](<https://attackerkb.com/topics/ZA24eUeDg5/cve-2019-18935?referrer=wrapup>) * [Microsoft Windows Uninitialized Variable Local Privilege Elevation](<https://github.com/rapid7/metasploit-framework/pull/13817>) by [piotrflorczyk](<https://github.com/piotrflorczyk>), [timwr](<https://github.com/timwr>), and [unamer](<https://github.com/unamer>), which exploits [CVE-2019-1458](<https://attackerkb.com/topics/2i67dR7P4e/cve-2019-1458?referrer=wrapup>) ## Enhancements and features * [Add version check to exchange_ecp_dlp_policy](<https://github.com/rapid7/metasploit-framework/pull/14289>) by [wvu](<https://github.com/wvu-r7>) adds extended version checks for SharePoint and Exchange servers as used by the exploit modules for [CVE-2020-16875](<https://attackerkb.com/topics/Y2azzfAbid/cve-2020-16875?referrer=wrapup>) and [CVE-2020-16952](<https://attackerkb.com/topics/4yGC4tLK2x/cve-2020-16952-microsoft-sharepoint-remote-code-execution-vulnerabilities?referrer=wrapup>). * [Parameterize args to popen3()](<https://github.com/rapid7/metasploit-framework/pull/14288>) by [Justin Steven](<https://github.com/justinsteven>) improves commands executed during `apk` generation commands to be more explicit with options. * [More improved doc and syntax](<https://github.com/rapid7/metasploit-framework/pull/14258>) by [h00die](<https://github.com/h00die>) adds documentation and code quality changes for multiple modules. As always docs improvement are greatly appreciated! * [Add tab completion for `run` command](<https://github.com/rapid7/metasploit-framework/pull/14240>) by [cgranleese-r7](<https://github.com/cgranleese-r7>) adds tab completion for specifying inline options when using the `run` command. For example, within Metasploit's console typing `run` and then hitting the tab key twice will now show all available option names. Incomplete option names and values can also be also suggested, for example `run LHOST=` and then hitting the tab key twice will show all available LHOST values. * [CVE-2019-1458 chrome sandbox escape](<https://github.com/rapid7/metasploit-framework/pull/13817>) by [timwr](<https://github.com/timwr>) adds support for exploiting [CVE-2019-1458](<https://attackerkb.com/topics/2i67dR7P4e/cve-2019-1458?referrer=wrapup>), aka WizardOpium, as both a standalone LPE module, and as a sandbox escape option for the `exploit/multi/browser/chrome_object_create.rb` module that exploits [CVE-2018-17463](<https://attackerkb.com/topics/fgJVNLkV6f/cve-2018-17463?referrer=wrapup>) in Chrome, thereby allowing users to both elevate their privileges on affected versions of Windows, as well as potentially execute a full end to end attack chain to go from a malicious web page to SYSTEM on systems running vulnerable versions of Chrome and Windows. * [Parameterize args to popen3()](<https://github.com/rapid7/metasploit-framework/pull/14288>) by [Justin Steven](<https://github.com/justinsteven>) improves commands executed during `apk` generation commands to be more explicit with options. * [More improved doc and syntax](<https://github.com/rapid7/metasploit-framework/pull/14258>) by [h00die](<https://github.com/h00die>) adds documentation and code quality changes for multiple modules. As always, docs improvements are greatly appreciated! ## Bugs fixed * [MS17-010 improvements for SMB1 clients](<https://github.com/rapid7/metasploit-framework/pull/14290>) by [Spencer McIntyre](<https://github.com/zeroSteiner>) fixes an issue with the exploit/windows/smb/ms17_010_eternalblue module that was preventing sessions from being obtained successfully. * [Fix missing TLV migration from strings -> ints](<https://github.com/rapid7/metasploit-payloads/pull/441>) by [Justin Steven](<https://github.com/justinsteven>) converts a missed TLV conversion for COMMAND_ID_CORE_CHANNEL_CLOSE for PHP payloads. * [Meterpreter endless loop](<https://github.com/rapid7/metasploit-payloads/pull/439>) by [vixfwis](<https://github.com/vixfwis>), ensured that Meterpreter can properly handle SOCKET_ERROR on recv. ## Get it As always, you can update to the latest Metasploit Framework with `msfupdate` and you can get more details on the changes since the last blog post from GitHub: * [Pull Requests 6.0.11...6.0.12](<https://github.com/rapid7/metasploit-framework/pulls?q=is:pr+merged:%222020-10-13T14%3A57%3A09-05%3A00..2020-10-22T09%3A00%3A02-05%3A00%22>) * [Full diff 6.0.11...6.0.12](<https://github.com/rapid7/metasploit-framework/compare/6.0.11...6.0.12>) If you are a `git` user, you can clone the [Metasploit Framework repo](<https://github.com/rapid7/metasploit-framework>) (master branch) for the latest. To install fresh without using git, you can use the open-source-only [Nightly Installers](<https://github.com/rapid7/metasploit-framework/wiki/Nightly-Installers>) or the [binary installers](<https://www.rapid7.com/products/metasploit/download.jsp>) (which also include the commercial edition).


Related