F5, on top of being a handy shortcut you can press over and over again until 3am just to watch the RTX 3080 preorders sell out instantly, is also a company that specializes in the delivery, security, performance, and availability of web applications, computing, storage, and network resources.
Community contributor h00die added an F5 device config processing library to msfconsole, along with a post module that gathers information from F5 devices and an auxiliary module that processes F5 config files offline.
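As an added example (not h00die's library or any other Metasploit code), the Ruby below parses the brace-delimited tmsh format that F5 BIG-IP configuration files use and builds the kind of inventory an offline importer would produce from it: each virtual server's listener and backing pool, each pool's members, and virtual servers whose pool is missing. The sample configuration, the object names and the addresses in it are constructed.

```ruby
# Added example: a minimal parser for the brace-delimited tmsh format used by
# F5 BIG-IP configuration files (bigip.conf). It is not the Metasploit library
# referenced in the post; it only illustrates the kind of offline processing
# such an importer performs. The configuration below is constructed.

SAMPLE_BIGIP_CONF = <<~CONF
  ltm pool /Common/web_pool {
      members {
          /Common/192.0.2.11:80 {
              address 192.0.2.11
          }
          /Common/192.0.2.12:80 {
              address 192.0.2.12
          }
      }
      monitor /Common/http
  }
  ltm virtual /Common/vs_web {
      destination /Common/198.51.100.10:80
      ip-protocol tcp
      mask 255.255.255.255
      pool /Common/web_pool
      profiles {
          /Common/http { }
          /Common/tcp { }
      }
      source 0.0.0.0/0
  }
  ltm virtual /Common/vs_admin {
      destination /Common/198.51.100.10:8443
      ip-protocol tcp
      profiles {
          /Common/clientssl { }
          /Common/tcp { }
      }
  }
CONF

# Parse the text into nested hashes. A line ending in "{" opens a block keyed by
# the text before the brace, "}" closes it, "name { }" is an empty block, and
# any other line is "key value" (value kept as a string, or true if absent).
def parse_tmsh(text)
  root = {}
  stack = [root]
  text.each_line do |raw|
    line = raw.strip
    next if line.empty? || line.start_with?('#')
    if line == '}'
      stack.pop
      raise 'unbalanced braces' if stack.empty?
    elsif line =~ /\A(.+?)\s*\{\s*\}\z/
      stack.last[Regexp.last_match(1)] = {}
    elsif line.end_with?('{')
      child = {}
      stack.last[line.chomp('{').strip] = child
      stack.push(child)
    else
      key, value = line.split(/\s+/, 2)
      stack.last[key] = value.nil? ? true : value
    end
  end
  raise 'unterminated block' unless stack.size == 1
  root
end

# Summarise virtual servers and pools the way an importer would before storing
# them as hosts and services. "/Common/ip:port" is reduced to "ip:port".
def inventory(conf)
  virtuals = {}
  pools = {}
  conf.each do |name, body|
    if name.start_with?('ltm virtual ')
      dest = body['destination'].to_s.sub(%r{\A/\w+/}, '')
      ip, port = dest.split(':')
      virtuals[name.sub('ltm virtual ', '')] = {
        ip: ip, port: port.to_i, pool: body['pool'],
        profiles: (body['profiles'] || {}).keys
      }
    elsif name.start_with?('ltm pool ')
      members = (body['members'] || {}).keys.map { |m| m.sub(%r{\A/\w+/}, '') }
      pools[name.sub('ltm pool ', '')] = members
    end
  end
  { virtuals: virtuals, pools: pools }
end

# Virtual servers with no pool, or with a pool the config never defines, are
# the first thing to look at when reviewing an exported configuration.
def dangling_virtuals(inv)
  inv[:virtuals].select { |_, v| v[:pool].nil? || !inv[:pools].key?(v[:pool]) }.keys
end

if __FILE__ == $PROGRAM_NAME
  inv = inventory(parse_tmsh(SAMPLE_BIGIP_CONF))
  inv[:virtuals].each { |n, v| puts "#{n} #{v[:ip]}:#{v[:port]} -> #{v[:pool] || '(no pool)'}" }
  inv[:pools].each { |n, m| puts "#{n}: #{m.join(', ')}" }
  puts "virtual servers with no valid pool: #{dangling_virtuals(inv).join(', ')}"
end
```

The parser deliberately knows nothing about F5 object types; it only tracks brace nesting, so the same routine can be pointed at other sections of a bigip.conf and the interpretation is left to small functions like inventory.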
The Mida(s) Touch, but for vulns
A new exploit added by bcoles takes advantage of an OS command injection vulnerability in the Mida Solutions eFramework developed (shockingly) by Mida Solutions, a Unified Communication company.
Shell commands can be executed as the apache user without authentication via the PARAM parameter in requests made to ajaxreq.php. The sudo configuration also allows the apache user to execute commands without requiring a password, making code execution as the root user possible.
The V stands for Vuln
Our very own Grant Wilcox put together a neat post module for Windows machines running Hyper-V that allows the enumeration of any Hyper-V Virtual Machines installed on said machine.
The findings of this module (status, CPU usage, Hyper-V engine version, and state) are then entered into the Metasploit loot, for easy export and retrieval.
Multiple logins with Zerologon
For more information on the vulnerability that everyone's talking about, see our analysis on AttackerKB.
New modules (6)
- Mida Solutions eFramework ajaxreq.php Command Injection by bcoles and elbae, which exploits CVE-2020-15920
- Microsoft Exchange Server DlpUtils AddTenantDlpPolicy RCE by wvu and mr_me, which exploits CVE-2020-16875
- F5 Configuration Importer by h00die
- F5 Device General Information Gatherer by h00die
- Bypass the macOS TCC Framework by mattshockl and timwr, which exploits CVE-2020-9934
- Windows Hyper-V VM Enumeration by gwillcox-r7
Enhancements and features
PR #14139 - This updates the HTTP client library used by many Metasploit modules so that its redirection handling is more standards-compliant, and adds a new feature that makes cookies easier to manage.
PR #14126 - This adds an authenticated RCE exploit for Microsoft Exchange which leverages the flaw identified as CVE-2020-16875 to inject code when processing a new DLP policy. The user must have the "Data Loss Prevention" role assigned in order to exploit this vulnerability.
PR #14125 - Adds SCREEN_EFFECTS and ARTIFACTS_ON_DISK notes to the
PR #14117 - This adds a post module that checks if a target is a Hyper-V host and attempts to gather information about all Hyper-V VMs.
PR #14074 - This adds an exploit for Mida Solutions eFramework versions 2.9.0 and below. Shell commands can be executed as the apache user via the PARAM parameter in requests to ajaxreq.php without authentication. Because the sudo configuration allows the apache user to execute commands without requiring a password, this vector ultimately achieves code execution as the root user.
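The privilege-escalation step described here and in the Mida section above hinges on a sudo configuration that lets the web-server account run commands as root without a password. The following Ruby script is an added example, not part of the module or of this post, that audits sudoers text for that condition; the sample sudoers content, the list of web-server accounts and the severity labels are constructed for the example.

```ruby
# Added example (not from the Metasploit module or the post): audit sudoers
# text for web-server accounts that may run commands as root without a
# password, the misconfiguration a web-application command injection chains
# on to reach root. The sample file and the account list are constructed.

WEB_ACCOUNTS = %w[apache www-data nginx httpd].freeze

SAMPLE_SUDOERS = <<~SUDOERS
  # constructed sample, not taken from a real host
  Defaults    env_reset
  root     ALL=(ALL:ALL) ALL
  %wheel   ALL=(ALL) ALL
  apache   ALL=(ALL) NOPASSWD: ALL
  www-data ALL=(root) NOPASSWD: /usr/sbin/service nginx reload
  deploy   ALL=(root) /usr/bin/systemctl restart app
SUDOERS

Rule = Struct.new(:user, :host, :runas, :nopasswd, :commands)

# Parse "user host=(runas) TAG: cmd, cmd" lines. Defaults lines, comments and
# alias definitions are skipped; aliases are not resolved in this example.
def parse_sudoers(text)
  rules = []
  text.each_line do |raw|
    line = raw.strip
    next if line.empty? || line.start_with?('#') || line.start_with?('Defaults')
    next if line =~ /\A(User|Host|Cmnd|Runas)_Alias/
    m = line.match(/\A(\S+)\s+(\S+?)\s*=\s*(?:\(([^)]*)\)\s*)?(.*)\z/)
    next unless m
    user, host, runas, spec = m.captures
    # sudo's default run-as user is root when no "(runas)" is given;
    # "(ALL:ALL)" is reduced to its user part.
    runas = (runas || 'root').split(':').first
    tags = []
    while spec =~ /\A([A-Z_]+):\s*/
      tags << Regexp.last_match(1)
      spec = spec.sub(/\A[A-Z_]+:\s*/, '')
    end
    commands = spec.split(',').map(&:strip)
    rules << Rule.new(user, host, runas, tags.include?('NOPASSWD'), commands)
  end
  rules
end

# A rule is risky when a web-server account (the one an injection bug in a web
# application hands to an attacker) can run commands as root, or as anyone,
# without a password.
def risky_web_rules(rules)
  rules.select do |r|
    WEB_ACCOUNTS.include?(r.user) && r.nopasswd && %w[ALL root].include?(r.runas)
  end
end

# "ALL" as the command list is a direct path to root; a narrow command list is
# reported for review, since it may still be abusable but needs a human look.
def severity(rule)
  rule.commands.include?('ALL') ? 'critical' : 'review'
end

if __FILE__ == $PROGRAM_NAME
  risky_web_rules(parse_sudoers(SAMPLE_SUDOERS)).each do |r|
    puts "#{severity(r)}: #{r.user} may run #{r.commands.join(', ')} as #{r.runas} without a password"
  end
end
```

On a real host the same routine would be run over /etc/sudoers and the files under /etc/sudoers.d, and any "critical" finding for a web-server account should be treated as root-equivalent exposure of that web application.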
PR #13942 - This PR adds a module to leverage CVE-2020-9934 to allow a session to bypass the macOS Transparency, Consent, and Control (TCC) Framework for unauthorized access to sensitive user data.
PR #13571 - This updates the Session Notifier plugin to support sending notifications using DingTalk webhooks.
PR #14111 - Removes dead code that previously tracked payload sizes when Metasploit was booting up.
PR #14145 - A bug within the implementation of the report_loot method has been fixed to ensure that data is always base64 encoded prior to sending it to the web service, which always expects base64 encoded data. Application of this fix ensures that report_loot will not send any unencoded data which could cause an exception.
PR #14143 - This update replaces all calls to the deprecated get_service function with calls to the more modern function known as services. This solves some known issues related to existing get_service calls that affected modules such as tomcat_mgr_upload when connected to a remote database.
PR #14120 - Fixes a bug that caused services -S to return results from all workspaces, instead of the current workspace.
PR #14138 - Fixes
As always, you can update to the latest Metasploit Framework with
and you can get more details on the changes since the last blog post from
If you are a git user, you can clone the Metasploit Framework repo (master branch) for the latest.
To install fresh without using git, you can use the open-source-only Nightly Installers or the binary installers (which also include the commercial edition).