The `exploit/windows/http/plex_unpickle_dict_rce` module by h00die exploits an authenticated Python deserialization vulnerability in Plex Media Server. The module exploits the vulnerability by creating a photo library and uploading a Dict file containing a Python payload to the library's path. Code execution is then achieved by triggering the plugin loading functionality, which unpickles the Dict file without any form of validation of its contents.
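The root cause described above is `pickle.loads` on attacker-controlled bytes: any callable named in the stream is imported and invoked during loading. The following added example (not code from the module or from Plex) contrasts that with an unpickler that refuses every global reference outside an allowlist of plain data types, which is the "validation of its contents" the text notes is missing. The `CallsOnLoad` object and the two sample blobs are constructed here for illustration; the callable it references is the harmless `getcwd`, standing in for any importable function.

```python
import builtins
import io
import os
import pickle

# Builtins a plain data file legitimately needs. Deliberately absent: getattr, eval,
# exec, __import__ and similar, which would let a stream escape the allowlist.
SAFE_BUILTINS = {"dict", "list", "tuple", "set", "frozenset", "str", "bytes", "int", "float", "bool"}


class RestrictedUnpickler(pickle.Unpickler):
    """Unpickler that refuses every GLOBAL/STACK_GLOBAL reference outside the allowlist."""

    def find_class(self, module, name):
        if module == "builtins" and name in SAFE_BUILTINS:
            return getattr(builtins, name)
        raise pickle.UnpicklingError(f"global '{module}.{name}' is forbidden")


def unsafe_load(data: bytes):
    """The pattern described in the text: whatever callable the stream names is resolved and run."""
    return pickle.loads(data)


def restricted_load(data: bytes):
    """Drop-in replacement that only materialises plain data types."""
    return RestrictedUnpickler(io.BytesIO(data)).load()


def classify(data: bytes):
    """Return ('ok', value) or ('rejected', reason) so a caller can log the rejection."""
    try:
        return "ok", restricted_load(data)
    except pickle.UnpicklingError as exc:
        return "rejected", str(exc)


class CallsOnLoad:
    """Constructed test object: pickling it emits a reference to the getcwd function
    instead of plain data, so a plain pickle.loads invokes that function on load."""

    def __reduce__(self):
        return (os.getcwd, ())


def benign_blob() -> bytes:
    # Constructed sample: the kind of plain dictionary a data file should contain.
    return pickle.dumps({"title": "Photos", "count": 3, "tags": ["family", "2020"]})


def hostile_blob() -> bytes:
    # Constructed sample: a stream carrying a callable reference instead of plain data.
    return pickle.dumps(CallsOnLoad())


if __name__ == "__main__":
    print("unsafe_load ran a callable and returned:", unsafe_load(hostile_blob()))
    print("restricted_load on hostile data:", classify(hostile_blob()))
    print("restricted_load on benign data:", classify(benign_blob()))
```

The allowlist is the whole defence, so keep it to data constructors only; a single permissive entry such as `getattr` reopens the hole. Where the file format only ever needs dictionaries, lists and scalars, serialising as JSON avoids the problem class entirely.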
Through GSoC, Niboucha Redouane has added a SQL injection library supporting MySQL to Framework. The new library can aid in exploiting boolean and time-based blind injections, offering functionality that performs the more common queries for users. The `auxiliary/sqli/openemr/openemr_sqli_dump` and `exploit/linux/http/eyesofnetwork_autodiscovery_rce` modules can be utilized to see the library functionality in action.
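A boolean-based blind injection only works because the application's yes/no answer depends on an attacker-supplied condition. The added example below (not part of Framework's SQLi library or of either module named above) shows, on a constructed in-memory SQLite table, how string interpolation creates that oracle and how a bound parameter removes it: the same probe input flips the unsafe lookup between true and false, while the safe lookup compares the whole string as a literal and answers false either way.

```python
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed in-memory table standing in for an application's users table."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT NOT NULL, is_admin INTEGER NOT NULL)"
    )
    conn.executemany(
        "INSERT INTO users (username, is_admin) VALUES (?, ?)",
        [("alice", 0), ("bob", 1), ("carol", 0)],
    )
    return conn


def user_exists_unsafe(conn, username: str) -> bool:
    # Vulnerable pattern: the request parameter becomes part of the SQL grammar.
    sql = f"SELECT COUNT(*) FROM users WHERE username = '{username}'"
    return conn.execute(sql).fetchone()[0] > 0


def user_exists_safe(conn, username: str) -> bool:
    # Hardened pattern: a bound parameter is compared as one literal, whatever it contains.
    row = conn.execute("SELECT COUNT(*) FROM users WHERE username = ?", (username,)).fetchone()
    return row[0] > 0


def probe(conn, lookup, condition: str) -> bool:
    """Submit a username that appends a condition; the boolean reply is the blind oracle."""
    return lookup(conn, f"alice' AND ({condition}) --")


def demo() -> dict:
    """Run the same two probes against both lookups and return the four answers."""
    conn = make_db()
    cond = "SELECT is_admin FROM users WHERE username = 'bob'"
    return {
        "unsafe_true": probe(conn, user_exists_unsafe, f"({cond}) = 1"),
        "unsafe_false": probe(conn, user_exists_unsafe, f"({cond}) = 0"),
        "safe_true": probe(conn, user_exists_safe, f"({cond}) = 1"),
        "safe_false": probe(conn, user_exists_safe, f"({cond}) = 0"),
    }


if __name__ == "__main__":
    for name, answer in demo().items():
        print(f"{name:>12}: {answer}")
```

The unsafe lookup answers differently depending on a fact about another row, which is exactly the signal a blind-injection library measures; the parameterised lookup gives no such signal. Time-based blind injection rests on the same interpolation defect and is closed by the same fix, with query timeouts and database-side logging of unusually slow statements as the detection side.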
Pandora FMS Events RCE
Erik Wynter added a new exploit module for various versions of the network monitoring software, Pandora FMS. The module exploits a command injection vulnerability found in Pandora's events functionality. Remote code execution can be achieved by sending a POST request containing the payload in the `target` parameter. Having credentials to a low-privileged user account or higher is required to exploit this vulnerability.
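The defect class here is a request parameter spliced into a shell command line. The added example below is not Pandora FMS code and does not reproduce its handler; it assumes a hypothetical endpoint that pings a host named by a `target` parameter and shows the vulnerable construction next to two hardened forms: strict validation of the value as an IP address or hostname followed by an argv list for `subprocess.run` with no shell, and `shlex.quote` as a weaker fallback when a shell string cannot be avoided.

```python
import ipaddress
import re
import shlex

# One DNS label: alphanumerics and hyphens, no leading or trailing hyphen, at most 63 chars.
# A leading hyphen is also what would turn the value into an option for the command, so
# the label rule doubles as argument-injection protection.
_LABEL = r"[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
HOSTNAME_RE = re.compile(rf"^(?=.{{1,253}}$)(?:{_LABEL}\.)*{_LABEL}$")


def build_command_unsafe(target: str) -> str:
    # Vulnerable pattern: the parameter is interpolated into a shell string, so any
    # shell metacharacter in `target` is interpreted by the shell. Never executed here.
    return f"ping -c 1 {target}"


def is_valid_target(target: str) -> bool:
    """Accept only an IPv4/IPv6 address or a syntactically valid hostname."""
    try:
        ipaddress.ip_address(target)
        return True
    except ValueError:
        pass
    return HOSTNAME_RE.match(target) is not None


def build_command_safe(target: str) -> list:
    """Validate, then return an argv list for subprocess.run(argv); no shell is involved."""
    if not is_valid_target(target):
        raise ValueError(f"rejected target: {target!r}")
    return ["ping", "-c", "1", target]


def build_command_quoted(target: str) -> str:
    """Fallback when a shell string is unavoidable: the value is passed as one word.

    Quoting alone stops the shell from splitting the value but does not validate it,
    so it should sit behind is_valid_target rather than replace it."""
    return "ping -c 1 " + shlex.quote(target)


if __name__ == "__main__":
    sample = "127.0.0.1; id"  # constructed input carrying a shell separator
    print("unsafe :", build_command_unsafe(sample))
    print("quoted :", build_command_quoted(sample))
    print("valid? :", is_valid_target(sample))
    print("safe   :", build_command_safe("monitor.example.org"))
```

On the detection side, the same regex applied to request logs flags `target` values that could never be a host, which is a cheap indicator for this class of probe regardless of the specific product.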
New modules (2)
- Pandora FMS Events Remote Command Execution by Erik Wynter, Fernando Catoira, and Julio Sanchez, which exploits CVE-2020-13851
- Plex Unpickle Dict Windows RCE by Chris Lyne and h00die, which exploits CVE-2020-5741
Enhancements and features
- PR #13626 by bcoles adds some improvements to the `post/windows/gather/checkvm` module: the module's line count has been reduced by approximately 30%, and its execution time has been shortened by ensuring that the `session.sys.process.get_processes()` method is only called once.
- PR #13750 by h00die consolidates the modules within the `/brocade` folders into the `/networking` folder. This PR also improves code style and the documentation for the modules.
- PR #13759 by antoinet adds the `BaselineAuthTime` advanced option to the `auxiliary/scanner/http/owa_login` module. This option allows the user to define the expected authentication response time in order to better differentiate between valid and invalid credentials.
- PR #13841 by bcoles adds the `is_root?()` method to the `Msf::Post::Unix` mixin and updates FreeBSD and OpenBSD local exploit modules to use the new method.
- PR #13848 by 0x44434241 adds the `telnet_cdata_ftth_backdoor_userpass.txt` wordlist, which contains admin credentials found hard-coded in CDATA OLT devices.
- PR #13596 by Niboucha Redouane adds a new SQLi library and updates the `exploits/linux/http/eyesofnetwork_autodiscovery_rce` module to utilize the new library functionality.
- PR #13271 by h00die fixes a timeout error in `auxiliary/server/capture/smtp` by implementing logic to handle `RSET` commands. Additionally, the module can now store `plain` creds in the database.
As always, you can update to the latest Metasploit Framework with
and you can get more details on the changes since the last blog post from
If you are a `git` user, you can clone the Metasploit Framework repo (master branch) for the latest.
To install fresh without using git, you can use the open-source-only Nightly Installers or the binary installers (which also include the commercial edition).