Metasploit keeping that developer awareness rate up.

CVE-2019-18935

Thanks to mr_me & wvu, SharePoint is an even better target to find in your next penetration test. The newly minted module can net you a shell and a copy of the servers config, making that report oh so much more fun.

Like to escape the sandbox? WizardOpium has your first taste of freedom. Brought to you by timwr and friends through Chrome, this module might be that push you need to get out onti solid ground.

New modules (4)

Enhancements and features

  • Add version check to exchange_ecp_dlp_policy by wvu adds extended version checks for SharePoint and Exchange servers as used by the exploit modules for CVE-2020-16875 and CVE-2020-16952.
  • Parameterize args to popen3() by Justin Steven improves commands executed during apk generation commands to be more explicit with options.
  • More improved doc and syntax by h00die adds documentation and code quality changes for multiple modules. As always docs improvement are greatly appreciated!
  • Add tab completion for run command by cgranleese-r7 adds tab completion for specifying inline options when using the run command. For example, within Metasploit's console typing run and then hitting the tab key twice will now show all available option names. Incomplete option names and values can also be also suggested, for example run LHOST= and then hitting the tab key twice will show all available LHOST values.
  • CVE-2019-1458 chrome sandbox escape by timwr adds support for exploiting CVE-2019-1458, aka WizardOpium, as both a standalone LPE module, and as a sandbox escape option for the exploit/multi/browser/chrome_object_create.rb module that exploits CVE-2018-17463 in Chrome, thereby allowing users to both elevate their privileges on affected versions of Windows, as well as potentially execute a full end to end attack chain to go from a malicious web page to SYSTEM on systems running vulnerable versions of Chrome and Windows.
  • Parameterize args to popen3() by Justin Steven improves commands executed during apk generation commands to be more explicit with options.
  • More improved doc and syntax by h00die adds documentation and code quality changes for multiple modules. As always, docs improvements are greatly appreciated!

Bugs fixed

Get it

As always, you can update to the latest Metasploit Framework with msfupdate and you can get more details on the changes since the last blog post from GitHub:

If you are a git user, you can clone the Metasploit Framework repo (master branch) for the latest. To install fresh without using git, you can use the open-source-only Nightly Installers or the binary installers (which also include the commercial edition).