SharePoint DataSet/DataTable deserialization

First up we have an exploit from Spencer McIntyre (@zeroSteiner) for CVE-2020-1147, a deserialization vulnerability in SharePoint instances that was patched by Microsoft on July 14th 2020 and which has been getting quite a bit of attention in the news lately. This module utilizes Steven Seeley (@stevenseeley)'s writeup along with some helpful tips from Soroush Dalili (@irsdl), to make a working exploit that grants authenticated attackers RCE as the user configured to run SharePoint when it was installed (which will typically be the local administrator account). Note that whilst authentication is required, an attacker mearly needs to be authenticated as any user on the domain, making this an attractive target for attackers. If you haven't already patched this vulnerability, you should definetely look at doing so as soon as possible.

Stealing back from the stealers

Continuing the trend of Metasploit modules for CnC/botnet control panels, this week @EgeBalci added a new module targeting an arbitary file upload vulnerability within the Baldr Botnet Panel, which can be exploited to gain arbitrary code execution on the targeted server as an unauthenticated user. Baldr is well known in the Russian criminal hacking forms as a stealer that quickly grabs sensitive information from compromised computers before then exfiltrating that information back to CnC servers owned by the attackers. Hopefully this module should help malware investigators shut down some of these servers and prevent such activies from occuring.

FreeBSD UAF

Last but not least, contributor @bcoles added a module for a CVE-2020-7457, a use-after-free vulnerability within FreeBSD's kernel when handling IPv6 sockets which was found by Andy Nguyen (@theflow0). This module supports several different FreeBSD versions including 9.1, 9.2, 9.3, 12.0 and 12.1, and which was tested it on a range of FreeBSD versions from 9.1 to 9.3, and 12.0 to 12.1, and grants local attackers arbirary code execution as the root user upon successful exploitation. Definetely interesting to see a kernel module with support for such a range of kernel versions!

New modules (4)

Enhancements and features

  • PR #13895 from @zeroSteiner adds support for the check method to the CVE-2020-6287 SAP RECON module, and also adds a REMOVE action so the module can now remove accounts on the targeted system.
  • PR #13896 from @zeroSteiner updates the msftidy_docs.rb script to add in new checks and updates the documentation template to be compliant with these new checks and to add more explanation around the exploit ranking and module traits to the documentation template.
  • PR #13921 from @jmartin-r7 updates msfconsole so that it always displays the major version that the user is running, regardless of if they are running msf4, msf5, or msf6.

Bugs fixed

  • PR #13898 from @timwr fixes an issue with the wlan_gather.rb module so that it appropriately returns an error when an invalid API_KEY is passed to the geolocation API.
  • PR #13899 from @digitalcombine updates the post/multi/manage/sudo module so that it automatically removes clear text sudo passwords from the temporary files it creates in /tmp/ upon completion.
  • PR #13900 from @red0xff updates lib/rex/proto/http/packet/header.rb so that it uses case insensitive checks when checking for the presence of HTTP headers in requests or responses, thereby making it compliant with existing Metasploit behavior.

Get it

As always, you can update to the latest Metasploit Framework with msfupdate
and you can get more details on the changes since the last blog post from
GitHub:

If you are a git user, you can clone the Metasploit Framework repo (master branch) for the latest.
To install fresh without using git, you can use the open-source-only Nightly Installers or the
binary installers (which also include the commercial edition).