It’s 11 o’clock. Do you know where your file uploads are?
Repeat contributor Erik Wynter and our own wvu-r7 each submitted modules exploiting web applications which allow attackers to upload files to arbitrary locations, including where the web application would interpret them as code! The first targets HorizontCMS, exploiting CVE-2020-27387, and was merged by cdelafuente-r7. The second targets Oracle WebLogic Server's administration console, exploiting CVE-2020-14750, and was landed by smcintyre-r7, who had the unenviable job of testing Oracle software on Windows.
Little fixes add up
A number of smaller fixes that add up to large quality of life improvements also made it in this week. Notable ones include PR #14361 by chmod750 for adding a SharePoint cookie when you have one instead of trying to re-authenticate, several reliability improvements to the SecureCRT password gatherer in PR #14341 by gwillcox-r7, and option handling fixes for default targets in PR #14359 by adfoster-r7. Thanks y'all!
CTF 2020 #2 coming soon
We're happy to announce another #Metasploit community CTF coming your way December 4! We developed this year's game to be accessible to beginners who want to connect with the community. Teams of all sizes are encouraged—registration opens 11/30. Read the full details in our blog post.
New modules (2)
- HorizontCMS Arbitrary PHP File Upload by Erik Wynter, which exploits CVE-2020-27387
- Oracle WebLogic Server Administration Console Handle RCE by wvu, Jang, and voidfyoo, which exploits CVE-2020-14750
Enhancements and features
- PR #14361 by chmod750 adds a
COOKIEoption to the
exploit/windows/http/sharepoint_ssi_viewstatemodule that is primarily useful when SharePoint is authenticated through a web form.
- PR #14341 by gwillcox-r7 improves the SecureCRT password gatherer in a few ways: 1. Applies updates to the regex to hopefully work on both new and old versions of SecureCRT. This needs to be tested further to ensure I haven't broken anything. 2. Updates the code to fix the cases where .match() results were being used without first checking if they were nil. 3. Updates the code to add in some fail_with calls where there are potential cases that the code should bail at.
- PR #14408 by cdelafuente-r7 bumps the RubySMB gem to version 2.0.7 which includes a fix for misaligned Netlogon data structures that notably caused the Zerologon module to fail when the NetBIOS name was of certain lengths.
- PR #14393 by jmartin-r7 fixes a bug where the verbose output of jobs with
jobs -v, and persistence of jobs with
jobs -P, would crash when auxiliary jobs are present.
- PR #14381 by cgranleese-r7 fixes a crash when
RHOST_HTTP_URLwas used in conjunction with the check command. The
RHOST_HTTP_URLoption can be enabled with the command
features set RHOST_HTTP_URL true.
- PR #14359 by adfoster-r7 fixes an edge case where the default options of a target were not correctly used by by the module's datastore when it was loaded by the user for the first time.
- PR #14294 by zeroSteiner adds more details to check code values and updates
ms17_010_eternalblueto validate that the target is x64. For instance, targeting a 32-bit system will now provide a failure message of
This exploit module only support x64 (64-bit) targets.
- PR #14219 by h00die fixes a bug in tests that meant Brocade hashes weren't checked for the
As always, you can update to the latest Metasploit Framework with
and you can get more details on the changes since the last blog post from
If you are a
git user, you can clone the Metasploit Framework repo (master branch) for the latest.
To install fresh without using git, you can use the open-source-only Nightly Installers or the
binary installers (which also include the commercial edition).