Give me your hash
This week, community contributor HynekPetrak added a new module for dumping passwords and hashes stored as attributes in LDAP servers. It opens an LDAP connection, retrieves entries from the server and then harvests user credentials from specific attributes. The module can be used against any kind of LDAP server, with either an anonymous or an authenticated bind. In particular, it can be used to exploit a flaw in VMware vCenter Server v6.7, identified as CVE-2020-3952, which under certain conditions does not correctly implement access controls. Successful exploitation can leak administrative account credentials, which can then be used to compromise vCenter Server or other services.
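As an added example (not the module's own code), the harvesting step in Ruby, the language the Metasploit module is written in. The attribute list, the directory entries and the helper names (`harvest`, `classify_secret`, `decode_ssha`, `ssha_matches?`) are assumptions constructed for this example; the entries mimic the shape a net-ldap search result takes once converted to a plain Hash, so the code runs offline without touching a server. The `{SSHA}` layout used, base64 of the SHA-1 digest followed by the salt, is the RFC 2307 / OpenLDAP convention.

```ruby
require 'base64'
require 'digest'

# Attribute names that commonly hold password material in LDAP directories.
# This list is an assumption for the example, not the module's own list.
CRED_ATTRIBUTES = %w[
  userpassword unicodepwd sambantpassword sambalmpassword
  ipanthash krbprincipalkey userpkcs12
].freeze

# Classify a harvested value by its RFC 2307 style scheme prefix.
def classify_secret(value)
  case value
  when /\A\{SSHA\}/i then :salted_sha1
  when /\A\{SHA\}/i then :sha1
  when /\A\{MD5\}/i then :md5
  when /\A\{CRYPT\}/i then :crypt
  when /\A[0-9a-f]{32}\z/i then :nt_or_lm_hash
  else :cleartext_or_unknown
  end
end

# Split an {SSHA} value into its SHA-1 digest and trailing salt (both hex).
def decode_ssha(value)
  raw = Base64.strict_decode64(value.sub(/\A\{SSHA\}/i, ''))
  { digest: raw[0, 20].unpack1('H*'), salt: raw[20..-1].unpack1('H*') }
end

# Offline check of a candidate password against a harvested {SSHA} value:
# SHA1(candidate || salt) must equal the stored 20-byte digest.
def ssha_matches?(value, candidate)
  raw = Base64.strict_decode64(value.sub(/\A\{SSHA\}/i, ''))
  salt = raw[20..-1]
  Digest::SHA1.digest(candidate.b + salt) == raw[0, 20]
end

# entries: Array of { dn: String, attrs: { attribute_name => [values] } }.
# Returns one finding per credential value found in a watched attribute.
def harvest(entries)
  entries.flat_map do |entry|
    entry[:attrs].flat_map do |name, values|
      next [] unless CRED_ATTRIBUTES.include?(name.to_s.downcase)
      Array(values).map do |v|
        { dn: entry[:dn], attribute: name, type: classify_secret(v), value: v }
      end
    end
  end
end

def report(findings)
  findings.map { |f| "#{f[:dn]} #{f[:attribute]} (#{f[:type]}): #{f[:value]}" }
end

# Constructed sample directory: one salted hash, one cleartext password
# (a common misconfiguration), one NT hash, and one entry with no secrets.
ADMIN_SALT = 's4lt'.freeze
SAMPLE_ENTRIES = [
  { dn: 'cn=admin,dc=example,dc=org',
    attrs: { 'cn' => ['admin'],
             'userPassword' => ['{SSHA}' + Base64.strict_encode64(
               Digest::SHA1.digest('Password1' + ADMIN_SALT) + ADMIN_SALT)] } },
  { dn: 'cn=svc-backup,dc=example,dc=org',
    attrs: { 'userPassword' => ['Summer2020!'] } },
  { dn: 'uid=jdoe,ou=people,dc=example,dc=org',
    attrs: { 'uid' => ['jdoe'],
             'sambaNTPassword' => ['8846F7EAEE8FB117AD06BDD830B7586C'] } },
  { dn: 'ou=people,dc=example,dc=org',
    attrs: { 'objectClass' => ['organizationalUnit'] } }
].freeze

if $PROGRAM_NAME == __FILE__
  findings = harvest(SAMPLE_ENTRIES)
  puts report(findings)
  admin = findings.find { |f| f[:type] == :salted_sha1 }
  puts "admin password is 'Password1': #{ssha_matches?(admin[:value], 'Password1')}"
end
```

Against a live server the entries would come from an anonymous or authenticated search over the base DN; attribute names are compared case-insensitively because LDAP attribute types are case-insensitive and servers differ in the casing they return.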
Cisco Conference Station Module Series
Three Python external modules (#13984, #13985 and #13982) were added by community contributor debifrank. They target the Cisco Unified IP Conference Station 7937G, which is vulnerable to two Denial of Service flaws and a Privilege Escalation via the web administration portal. These vulnerabilities are identified as CVE-2020-16139, CVE-2020-16138 and CVE-2020-16137. The first DoS exploit (CVE-2020-16139) lets an attacker restart the device by sending a specially crafted request to the web administration portal. The second (CVE-2020-16138) abuses the SSH service to hang the device until it is manually restarted. Finally, the third module (CVE-2020-16137) overwrites the SSH credentials to gain access to the SSH administrative console. More detail here. Note that this product is end of life and no update will be provided, so if you own one of these, it is time to upgrade to a new system.
New modules (4)
- Cisco 7937G SSH Privilege Escalation by Cody Martin, which exploits CVE-2020-16137
- Cisco 7937G Denial-of-Service Attack by Cody Martin, which exploits CVE-2020-16138
- Cisco 7937G Denial-of-Service Reboot Attack by Cody Martin, which exploits CVE-2020-16139
- LDAP Information Disclosure by Hynek Petrak, which exploits CVE-2020-3952
Enhancements and features
- PR #14045 from adfoster-r7 reloads the current module when toggling a feature to ensure the `RHOST_HTTP_URL` appears as an option.
- PR #14039 from bcoles improves the `freebsd/local/rtld_execl_priv_esc` module by using the `AutoCheck` mixin and preferring CC over GCC.
- PR #13913 from red0xff adds specs for testing the SQL Injection library.
- PR #14048 from zeroSteiner fixes error handling for auxiliary scanners by allowing modules to skip hosts and continue when a fail_with exception is raised.
- PR #14043 from zeroSteiner fixes a bug that would cause a stack trace and a failure to scan services other than Jupyter when given a range.
- PR #14034 from bcoles fixes a path traversal vulnerability in
- PR #14014 from 0x44434241 improves the `squid_pivot_scanning` module to correctly handle redirect HTTP response codes, as well as adding more detailed verbose logging.
- PR #13979 from Michael-ZecOps fixes an issue with the 64-bit segment injector logic used by 64-bit PE templates. The injector now properly handles the arguments and stack alignment.
As always, you can update to the latest Metasploit Framework with
and you can get more details on the changes since the last blog post from
If you are a git user, you can clone the Metasploit Framework repo (master branch) for the latest.