Our own Shelby Pace authored an exploit taking advantage of a Java object deserialization vulnerability in multiple versions of WebLogic. The new module has been tested with versions v22.214.171.124.0 of WebLogic and allows remote code execution by sending a serialized BadAttributeValueExpException object over the T3 protocol to vulnerable WebLogic servers.
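For defenders, the following added example (not code from the Metasploit module or from this post) is a heuristic Python check over captured T3 payload bytes: it finds Java serialization stream headers and reports class descriptors naming javax.management.BadAttributeValueExpException. The sample byte strings, the zeroed serialVersionUID and all function names are constructed for illustration, and the scan is a byte-level heuristic, not a full serialization parser.

```python
import struct

STREAM_MAGIC = b"\xac\xed\x00\x05"   # Java serialization magic (0xACED) + version 5
TC_CLASSDESC = 0x72                   # type code that introduces a class descriptor
WATCHLIST = {"javax.management.BadAttributeValueExpException"}
_NAME_BYTES = set(b"abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789._$[;")


def plausible(raw: bytes) -> bool:
    """Reject byte runs that cannot be a JVM class name (cuts false matches)."""
    return all(c in _NAME_BYTES for c in raw)


def class_names(data: bytes):
    """Yield (offset, name) for class descriptors found after each stream header."""
    start = data.find(STREAM_MAGIC)
    while start != -1:
        nxt = data.find(STREAM_MAGIC, start + 4)
        end = nxt if nxt != -1 else len(data)
        i = start + 4
        while i + 3 <= end:
            if data[i] == TC_CLASSDESC:
                (n,) = struct.unpack_from(">H", data, i + 1)  # 2-byte name length
                raw = data[i + 3 : i + 3 + n]
                if 0 < n == len(raw) and plausible(raw):
                    yield i, raw.decode("ascii")
                    i += 3 + n + 8  # skip the name and the 8-byte serialVersionUID
                    continue
            i += 1
        start = nxt


def flag_payload(data: bytes):
    """Return the watchlisted class names present in a captured payload."""
    return sorted({name for _, name in class_names(data) if name in WATCHLIST})


def _classdesc(name: str) -> bytes:
    """Constructed test helper: class descriptor with a zeroed serialVersionUID."""
    b = name.encode("ascii")
    return bytes([TC_CLASSDESC]) + struct.pack(">H", len(b)) + b + b"\x00" * 8


# Constructed samples: arbitrary framing bytes, stream header, TC_OBJECT (0x73), descriptor.
SAMPLE = (b"\x00\x00\x00\x40\x01\x65" + STREAM_MAGIC + b"\x73"
          + _classdesc("javax.management.BadAttributeValueExpException")
          + b"\x03\x00\x00\x78\x70")
BENIGN = STREAM_MAGIC + b"\x73" + _classdesc("java.util.ArrayList") + b"\x03\x00\x01\x78\x70"
```

A hit is a triage signal rather than proof of exploitation, since the class is part of the JDK and can appear in legitimate serialized data.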
Cram it in your Pi-Hole
As the incredibly original and hilarious title has pointed out, Pi-Hole has an Unrestricted File Upload vulnerability! Added by our frequent community contributor h00die, this new module adds a new blocklist to Pi-Hole, forces a gravity update to pull in the blocklist content, then writes PHP content to a file within the webroot, allowing for Remote Code Execution. Tasty.
- WebLogic Server Deserialization RCE - BadAttributeValueExpException by Jang, Shelby Pace, and Y4er, which exploits CVE-2020-2555
- Pi-Hole heisenbergCompensator Blocklist OS Command Execution by Nick Frichette and h00die, which exploits CVE-2020-11108
Enhancements and features
- PR #13496 - This adds tests to verify that payloads, when used with the cmd_exec API, return the output of the stderr process stream in their results. Authored by timwr.
- PR #13443 - This adds or updates action descriptions for numerous auxiliary and post modules in order to improve the user experience when listing or choosing actions. Authored by cnotin.
- PR #13262 - This adds our first cross-architecture stager/payload. It uses a python stager to load a binary meterpreter stage. Authored by timwr.
- PR #13499 - This fixes a bug in Java meterpreter where the result of the stderr text stream was not returned when used with the cmd_exec post-exploitation API. Authored by timwr and added to MSF by busterb.
- PR #13493 - Miscellaneous fixes for the ThinkPHP and ManageEngine exploits. Authored by wvu.
- PR #13492 - This fixes a punctuation issue within the module description and documentation for the Exchange ECP Viewstate exploit. Authored by wvu.
- PR #13465 - This fixes an issue within Meterpreter's packet dispatcher code where, under certain conditions, packets would be processed out of order, leading to failed protocol negotiation sequences. Authored by OJ.
- PR #13436 - This fixes a regression in the SERVICE_FILENAME and SERVICE_STUB_ENCODER options in psexec code. Authored by cnotin.
- PR #13415 - This enhancement/fix changes the behavior of payload encoding in Metasploit, such that payloads free of any specified bad characters skip the encoding phase altogether. Previously, payloads would be unconditionally encoded if any badchars were specified at all. Authored by acammack.
As always, you can update to the latest Metasploit Framework with
and you can get more details on the changes since the last blog post from
If you are a git user, you can clone the Metasploit Framework repo (master branch) for the latest. To install fresh without using git, you can use the open-source-only Nightly Installers or the binary installers (which also include the commercial edition).