CVSS3: 9.8 High
Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: NONE
User Interaction: NONE
Scope: UNCHANGED
Confidentiality Impact: HIGH
Integrity Impact: HIGH
Availability Impact: HIGH
Vector string: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CVSS2: 7.5 High
Access Vector: NETWORK
Access Complexity: LOW
Authentication: NONE
Confidentiality Impact: PARTIAL
Integrity Impact: PARTIAL
Availability Impact: PARTIAL
Vector string: AV:N/AC:L/Au:N/C:P/I:P/A:P
Exploiting firmware authored by UDP Technology and provided to multiple large OEMs (including Geutebruck), community contributor TrGFxX has authored a neat module that allows RCE as root on machines running the web interface of the Geutebruck G-Cam and G-Code products. For more information on the vulnerability check out the CISA advisory.
Our very own zeroSteiner authored a module implementing both an exploit and patch bypass for a Java deserialization vulnerability that exists in numerous versions of ManageEngine's OpManager software. This module allows payload execution as either NT AUTHORITY\SYSTEM on Windows or root on Linux. On top of this new module, zeroSteiner made improvements to help utilize the increasingly essential YSoSerial tool. You should definitely check it out if you're interested in exploring other Java deserialization vulns.
In a big win for Metasploit, community contributor smashery finished off their month-long effort to get fully functional shells working across WinRM! These new sessions support post modules, NTLMSSP authentication, and are also able to run without a payload in remote memory, making these sessions pretty hard to detect. This is a major improvement over the previous WinRM implementation that only supported execution of a single command, so huge thanks again to smashery.
In one final noteworthy addition, smashery has once again come through with a PR that significantly improves our RDP library. Metasploit users can now capture the NETBIOS computer name, NETBIOS domain name, DNS computer name, DNS domain name, and OS version from the NTLM handshake carried out over RDP, and our rdp_scanner module has been updated to display this info to all the RDP sniffers out there.
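The fields the rdp_scanner update pulls out all come from the NTLM CHALLENGE_MESSAGE (Type 2) the server sends, so a defender can check what their own hosts disclose with the same parse. The following Ruby is an added example, not code from Metasploit or from smashery's PR; the sample message, host names and build number it constructs are made up.

```ruby
# Added example (not Metasploit code): extract what an NTLM CHALLENGE_MESSAGE
# (MS-NLMP 2.2.1.2) reveals before any credential is checked. Names sit in the
# TargetInfo AV_PAIR list (UTF-16LE); the OS version sits in the Version block.
AV_NAMES = {
  1 => :netbios_computer_name, 2 => :netbios_domain_name,
  3 => :dns_computer_name,     4 => :dns_domain_name, 5 => :dns_tree_name
}.freeze
NEGOTIATE_VERSION = 0x02000000

def parse_ntlm_challenge(msg)
  raise ArgumentError, 'not NTLMSSP' unless msg[0, 8] == "NTLMSSP\0"
  raise ArgumentError, 'not a CHALLENGE_MESSAGE' unless msg[8, 4].unpack1('V') == 2
  flags = msg[20, 4].unpack1('V')
  ti_len, _ti_max, ti_off = msg[40, 8].unpack('vvV')
  info = {}
  if flags & NEGOTIATE_VERSION != 0
    major, minor, build = msg[48, 4].unpack('CCv')
    info[:os_version] = "#{major}.#{minor} build #{build}"
  end
  pos = ti_off
  while pos + 4 <= ti_off + ti_len             # never read past TargetInfo
    av_id, av_len = msg[pos, 4].unpack('vv')
    pos += 4
    break if av_id == 0                        # MsvAvEOL ends the list
    value = msg[pos, av_len]
    pos += av_len
    name = AV_NAMES[av_id]
    info[name] = value.force_encoding('UTF-16LE').encode('UTF-8') if name
  end
  info
end

# Constructed sample challenge (hypothetical names/build) for offline use.
def utf16(s); s.encode('UTF-16LE').b; end

def build_sample_challenge
  pairs = { 1 => 'DC01', 2 => 'CORP', 3 => 'dc01.corp.example', 4 => 'corp.example' }
  target_info = pairs.map { |id, v| [id, utf16(v).bytesize].pack('vv') + utf16(v) }.join
  target_info += [0, 0].pack('vv')             # MsvAvEOL terminator
  target_name = utf16('CORP')
  msg = "NTLMSSP\0".b + [2].pack('V')
  msg += [target_name.bytesize, target_name.bytesize, 56].pack('vvV')
  msg += [0x00810005 | NEGOTIATE_VERSION].pack('V')   # UNICODE|REQUEST_TARGET|TARGET_INFO|VERSION
  msg += [0x0123456789abcdef].pack('Q>')       # 8-byte server challenge (constructed)
  msg += "\0" * 8                              # Reserved
  msg += [target_info.bytesize, target_info.bytesize, 56 + target_name.bytesize].pack('vvV')
  msg += [10, 0, 19041, 0, 0, 0, 15].pack('CCvCCCC')  # Version 10.0 build 19041
  msg + target_name + target_info
end
```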
action parameter of the /uapi-cgi/instantrec.cgi endpoint in various Geutebruck G-Cam and G-Code devices. The exploit results in code execution as the root user on target devices.

exploit/multi/http/opmanager_sumpdu_deserialization module implements an exploit (CVE-2020-28653) and patch bypass (CVE-2021-3287) for a Java deserialization vulnerability that exists in numerous versions of ManageEngine's OpManager software. Arbitrary code execution as the NT AUTHORITY\SYSTEM user on Windows or the root user on Linux is achieved by sending a PDU to the SmartUpdateManager handler.

download functionality where downloading a file with a name containing Unicode characters would fail due to incompatible encoding.

msfrpc that occurs due to the exploit/linux/misc/saltstack_salt_unauth_rce module's MINIONS option default being a regex instead of a string.

exploit/unix/local/setuid_nmap module and adds logging to print the result of the exploit's last command so the user knows what happened in the event of a failure.

Net::NTLM library for consistent data processing without a custom parser.

As always, you can update to the latest Metasploit Framework with msfupdate and you can get more details on the changes since the last blog post from GitHub:

If you are a git user, you can clone the Metasploit Framework repo (master branch) for the latest. To install fresh without using git, you can use the open-source-only Nightly Installers or the binary installers (which also include the commercial edition).