In case you missed it, this past weekend the Metasploit team hosted the latest Metasploit CTF. We saw 1903 users register in this round, and some excellent writeups have been published on what they found. If you participated but haven’t had a chance to fill out our feedback survey, you can find it here.

Metasploit is also planning the next major round of development. Some of the ideas that are being considered have been posted to the GitHub Discussions board. Folks are welcome to upvote their favorite ideas and leave comments for consideration.

(Word)Pressing matters

This week saw two improvements to Metasploit’s WordPress coverage, both brought to us by community contributor h00die. The first is an auxiliary module that exploits CVE-2019-20361, a SQL injection flaw in the “Email Subscribers & Newsletters” plugin that an unauthenticated attacker can use to recover accounts, including hashed passwords, from the database. The second is additional functionality in the existing wordpress_scanner module that lets it enumerate common themes and plugins. Because it also recovers the respective version numbers, this is incredibly helpful for anyone looking to identify potentially vulnerable plugins in a WordPress instance.
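Plugin and theme enumeration is noisy from the server’s side: one client requests files under many different directories beneath /wp-content/plugins/ and /wp-content/themes/ in a short burst, and a good share of them return 404. The script below is an added example (not code from this post or from Metasploit) that flags that pattern in combined-format access logs. The log lines and thresholds are constructed; the exact files a given scanner requests (readme.txt, style.css and so on) are an assumption, which is why the matcher keys on the directory slug rather than the filename.

```ruby
require 'time'

# Constructed sample access-log lines (Apache/nginx "combined" format). The first client
# walks several plugin and theme directories in a few seconds; the second is ordinary traffic.
SAMPLE_LOG = <<~LOG
  203.0.113.7 - - [10/Dec/2020:10:00:01 +0000] "GET /wp-content/plugins/example-plugin-1/readme.txt HTTP/1.1" 200 812 "-" "scanner"
  203.0.113.7 - - [10/Dec/2020:10:00:02 +0000] "GET /wp-content/plugins/example-plugin-2/readme.txt HTTP/1.1" 404 153 "-" "scanner"
  203.0.113.7 - - [10/Dec/2020:10:00:02 +0000] "GET /wp-content/plugins/example-plugin-3/readme.txt HTTP/1.1" 404 153 "-" "scanner"
  203.0.113.7 - - [10/Dec/2020:10:00:03 +0000] "GET /wp-content/plugins/example-plugin-4/readme.txt HTTP/1.1" 404 153 "-" "scanner"
  203.0.113.7 - - [10/Dec/2020:10:00:04 +0000] "GET /wp-content/themes/example-theme-1/style.css HTTP/1.1" 200 2048 "-" "scanner"
  203.0.113.7 - - [10/Dec/2020:10:00:05 +0000] "GET /wp-content/themes/example-theme-2/style.css HTTP/1.1" 404 153 "-" "scanner"
  198.51.100.4 - - [10/Dec/2020:10:01:10 +0000] "GET /wp-content/plugins/example-plugin-1/assets/app.js HTTP/1.1" 200 4096 "https://example.test/" "browser"
  198.51.100.4 - - [10/Dec/2020:10:01:10 +0000] "GET /wp-login.php HTTP/1.1" 200 3210 "-" "browser"
LOG

LOG_LINE = /\A(?<ip>\S+) \S+ \S+ \[(?<ts>[^\]]+)\] "(?<method>\S+) (?<path>\S+)[^"]*" (?<status>\d{3})/
# Any request under a plugin or theme directory identifies the slug being probed
WP_ASSET = %r{\A/wp-content/(?<kind>plugins|themes)/(?<slug>[^/?]+)/}

def parse_line(line)
  m = LOG_LINE.match(line) or return nil
  { ip: m[:ip], time: Time.strptime(m[:ts], '%d/%b/%Y:%H:%M:%S %z'),
    path: m[:path], status: m[:status].to_i }
end

# Report clients that touch at least min_slugs distinct plugin/theme slugs within
# `window` seconds. Returns { ip => { distinct:, not_found:, first_seen: } }.
def find_enumeration(log_text, min_slugs: 5, window: 60)
  per_ip = Hash.new { |h, k| h[k] = [] }
  log_text.each_line do |line|
    rec = parse_line(line) or next
    asset = WP_ASSET.match(rec[:path]) or next
    per_ip[rec[:ip]] << rec.merge(slug: "#{asset[:kind]}/#{asset[:slug]}")
  end

  findings = {}
  per_ip.each do |ip, reqs|
    reqs.sort_by! { |r| r[:time] }
    best = nil
    lo = 0
    reqs.each_index do |hi|                     # sliding time window over sorted requests
      lo += 1 while reqs[hi][:time] - reqs[lo][:time] > window
      span = reqs[lo..hi]
      distinct = span.map { |r| r[:slug] }.uniq.size
      next if distinct < min_slugs || (best && distinct <= best[:distinct])
      best = { distinct: distinct,
               not_found: span.count { |r| r[:status] == 404 },
               first_seen: span.first[:time] }
    end
    findings[ip] = best if best
  end
  findings
end

if __FILE__ == $PROGRAM_NAME
  find_enumeration(SAMPLE_LOG).each do |ip, f|
    puts "#{ip}: #{f[:distinct]} distinct plugin/theme paths (#{f[:not_found]} x 404) from #{f[:first_seen]}"
  end
end
```

On the constructed sample only 203.0.113.7 is reported (six distinct slugs, four of them 404s, inside a five-second span); the browser client that loads one plugin’s JavaScript is below the threshold. Tune min_slugs and window to the site: a page that legitimately pulls assets from a dozen plugins will need a higher floor, and the 404 ratio is the more discriminating signal on such sites.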

GitLab get file

Metasploit added a new GitLab exploit targeting CVE-2020-10977. This particular vulnerability is an arbitrary file read that can be leveraged to leak the Rails secret key. Once this key is known, Metasploit uses it to sign a malicious cookie that the server deserializes, triggering remote code execution.
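The reason a leaked Rails secret is so severe is that the server trusts anything carrying a valid HMAC under that key, so the only fix after a file-read incident is to rotate the secret and accept that every existing session dies with it. The following is an added example, not code from the post, from Metasploit or from Rails, that models a Rails-style signed cookie (base64 payload, a "--" separator, a hex HMAC) and shows a cookie minted under the old secret being accepted before rotation and rejected after it. Real Rails derives per-purpose keys from secret_key_base and applies its own serializer to the payload; this model skips both and keeps the payload as an opaque string, and all keys and payloads are constructed.

```ruby
require 'openssl'
require 'base64'

# Constant-time string comparison so a forged MAC cannot be guessed byte by byte
def secure_equal?(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# Sign a cookie value the way a Rails-style MessageVerifier does: base64 payload,
# a "--" separator, then a hex HMAC over the base64 payload under the app secret.
# (Rails derives per-purpose keys from secret_key_base and uses its own serializer;
# this constructed model uses the secret directly and leaves the payload opaque.)
def sign_cookie(secret, payload)
  data = Base64.strict_encode64(payload)
  "#{data}--#{OpenSSL::HMAC.hexdigest('SHA256', secret, data)}"
end

# Returns the payload if the MAC verifies under `secret`, otherwise nil
def verify_cookie(secret, cookie)
  data, mac = cookie.split('--', 2)
  return nil if data.nil? || mac.nil?
  expected = OpenSSL::HMAC.hexdigest('SHA256', secret, data)
  return nil unless secure_equal?(expected, mac)
  Base64.strict_decode64(data)
rescue ArgumentError          # malformed base64
  nil
end

# Walk through what a leaked secret means operationally: any cookie minted under the
# old secret is accepted until the secret is rotated, and rejected afterwards.
def rotation_demo
  old_secret = 'constructed-old-secret-key-base'
  new_secret = 'constructed-new-secret-key-base'
  cookie = sign_cookie(old_secret, '{"session_id":"abc123","user_id":1}')
  {
    accepted_before_rotation: !verify_cookie(old_secret, cookie).nil?,
    accepted_after_rotation:  !verify_cookie(new_secret, cookie).nil?,
    tampered_rejected:        verify_cookie(old_secret, cookie.sub('--', 'AA--')).nil?
  }
end

if __FILE__ == $PROGRAM_NAME
  rotation_demo.each { |k, v| puts "#{k}: #{v}" }
end
```

The takeaway for responders is the second line of the output: as long as the old secret is in place, the application cannot tell a cookie it issued from one somebody else built with the leaked key, because both carry a valid MAC. Rotating the secret is what turns the third outcome (rejection) into the default for anything signed before the incident.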

LPE at your service

A few weeks ago, security researcher Clément Labro disclosed in a blog post an unpatched vulnerability affecting Windows 7 and Server 2008 R2, both of which no longer receive security updates from Microsoft. The vulnerability is that weak permissions on certain registry keys associated with services allow an underprivileged user to cause a DLL to be loaded by a privileged process. On Windows 7 and Server 2008 R2, the affected service is “RpcEptMapper”. The functionality to enumerate services for this vulnerability and exploit it accordingly has been added to Metasploit through an improvement to the existing service_permissions local exploit module. Documentation for the module was also added, covering the details needed to use it in the Windows 7 / Server 2008 R2 scenario. If it is never patched, this technique may be an excellent forever day for these platforms, since the exploit does not rely on memory corruption and is therefore reliable.
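The defensive counterpart to a module that hunts for weak service-key permissions is an audit of your own keys. The script below is an added example (not code from this post, from Metasploit or from the original research) that takes the SDDL security descriptors of service registry keys, as exported by Get-Acl on HKLM:\SYSTEM\CurrentControlSet\Services\<name>, and reports every allow ACE that grants a write-capable right (generic write or all, WRITE_DAC, WRITE_OWNER, KEY_SET_VALUE or KEY_CREATE_SUB_KEY) to a low-privilege principal such as Everyone, Authenticated Users or Users. The service names and descriptors in the sample are constructed; the SDDL right and SID abbreviations follow Microsoft’s documented two-letter codes, and the object-specific bits (CC, DC, LC, …) are interpreted as the registry KEY_* rights they map to on key objects.

```ruby
# SDDL access-right abbreviations to their bit values. The object-specific codes
# (CC, DC, LC, ...) are generic; on registry keys they correspond to KEY_QUERY_VALUE,
# KEY_SET_VALUE, KEY_CREATE_SUB_KEY, KEY_ENUMERATE_SUB_KEYS, KEY_NOTIFY, KEY_CREATE_LINK.
SDDL_RIGHTS = {
  'GA' => 0x10000000, 'GX' => 0x20000000, 'GW' => 0x40000000, 'GR' => 0x80000000,
  'SD' => 0x00010000, 'RC' => 0x00020000, 'WD' => 0x00040000, 'WO' => 0x00080000,
  'KA' => 0x000F003F, 'KR' => 0x00020019, 'KX' => 0x00020019, 'KW' => 0x00020006,
  'CC' => 0x1, 'DC' => 0x2, 'LC' => 0x4, 'SW' => 0x8, 'RP' => 0x10,
  'WP' => 0x20, 'DT' => 0x40, 'LO' => 0x80, 'CR' => 0x100
}.freeze

KEY_SET_VALUE      = 0x2
KEY_CREATE_SUB_KEY = 0x4
# Any of these bits lets the holder change what the service loads or who controls the key
WRITE_BITS = SDDL_RIGHTS['GA'] | SDDL_RIGHTS['GW'] | SDDL_RIGHTS['WD'] |
             SDDL_RIGHTS['WO'] | KEY_SET_VALUE | KEY_CREATE_SUB_KEY

# Principals that an unprivileged interactive user belongs to (abbreviation or raw SID)
LOW_PRIV = {
  'WD' => 'Everyone', 'AU' => 'Authenticated Users', 'BU' => 'Users',
  'IU' => 'Interactive', 'BG' => 'Guests', 'AN' => 'Anonymous',
  'S-1-1-0' => 'Everyone', 'S-1-5-11' => 'Authenticated Users',
  'S-1-5-32-545' => 'Users', 'S-1-5-4' => 'Interactive'
}.freeze

# Constructed sample: three service keys, one clean, one granting full control to
# Authenticated Users, one granting Users a rights string that includes KEY_SET_VALUE (DC).
SAMPLE_SERVICE_KEYS = {
  'HKLM\SYSTEM\CurrentControlSet\Services\ExampleSvcA' => 'O:BAG:SYD:(A;CI;KA;;;BA)(A;CI;KA;;;SY)(A;CI;KR;;;BU)',
  'HKLM\SYSTEM\CurrentControlSet\Services\ExampleSvcB' => 'O:BAG:SYD:(A;CI;KA;;;BA)(A;CI;KA;;;SY)(A;CI;KA;;;AU)',
  'HKLM\SYSTEM\CurrentControlSet\Services\ExampleSvcC' => 'O:BAG:SYD:(A;CI;KA;;;BA)(A;CI;CCDCLCSWRPRC;;;BU)(A;CI;0x20019;;;S-1-5-11)'
}.freeze

# Rights field is either a hex mask ("0x20019") or a run of two-letter codes ("CCDCLCSWRPRC")
def parse_rights(field)
  return field.to_i(16) if field.start_with?('0x', '0X')
  field.scan(/../).reduce(0) { |mask, code| mask | SDDL_RIGHTS.fetch(code) }
end

# Pull the DACL ("D:" section) out of an SDDL string and split it into ACE hashes
def parse_dacl(sddl)
  dacl = sddl[/D:(.*?)(?=S:|\z)/m, 1] or return []
  dacl.scan(/\(([^)]*)\)/).map do |(ace)|
    type, flags, rights, _object_guid, _inherit_guid, sid = ace.split(';', 6)
    { type: type, flags: flags, rights: parse_rights(rights), sid: sid }
  end
end

# Returns one finding per allow ACE that gives a low-privilege principal write bits.
# Deny ACEs are ignored here, so treat the output as candidates to confirm by hand.
def audit_service_keys(sddl_by_key)
  findings = []
  sddl_by_key.each do |key, sddl|
    parse_dacl(sddl).each do |ace|
      next unless ace[:type] == 'A' && LOW_PRIV.key?(ace[:sid])
      granted = ace[:rights] & WRITE_BITS
      next if granted.zero?
      findings << { key: key, principal: LOW_PRIV[ace[:sid]],
                    rights: format('0x%08X', granted), inherits: ace[:flags].include?('CI') }
    end
  end
  findings
end

if __FILE__ == $PROGRAM_NAME
  audit_service_keys(SAMPLE_SERVICE_KEYS).each do |f|
    puts "#{f[:key]}: #{f[:principal]} holds write bits #{f[:rights]}#{' (inherited by subkeys)' if f[:inherits]}"
  end
end
```

On the sample this reports ExampleSvcB (Authenticated Users with full control) and ExampleSvcC (Users with KEY_SET_VALUE and KEY_CREATE_SUB_KEY from the DC and LC codes), and stays quiet about ExampleSvcC’s read-only hex grant and about ExampleSvcA. The CI flag matters in practice: a writable key whose ACEs are container-inherited makes every subkey, including a Parameters subkey where DLL paths commonly live, writable too.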

Improvements for module developers

A number of enhancements were made that may interest module developers. One of the team’s favorite libraries, the AutoCheck mixin, can now be used with auxiliary modules. A good check method is an important component of high-quality module content, and auxiliary modules can now use their defined check methods as consistently as their exploit counterparts have been able to. Additionally, exploit developers who write DLLs to disk via an arbitrary file write vulnerability will notice that the default template now includes a synchronization mechanism: even when the DLL is loaded multiple times, only a single session is established to Metasploit.
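For developers who have not used the mixin before, the mechanism is a Ruby `prepend`: the mixin’s `run` sits in front of the module’s own `run`, calls `check`, and only hands off to the real work when the target looks vulnerable. The snippet below is an added, constructed illustration of that pattern, not the Metasploit AutoCheck mixin itself; the module, its banner-based check, the `:vulnerable`/`:safe` symbols and the `force:` opt-out are all stand-ins chosen to keep the example self-contained.

```ruby
# AutoCheckLike is a constructed stand-in for the pattern: it is prepended to the module
# class, so its run wraps the module's own run and calls check first.
module AutoCheckLike
  def run
    return super if @force                      # operator explicitly opted out of the gate
    status = check
    unless status == :vulnerable
      @log << "auto-check: check returned #{status}, not running"
      return :skipped
    end
    @log << 'auto-check: target appears vulnerable, continuing'
    super
  end
end

# A toy auxiliary module (constructed). Its check decides vulnerability from a banner
# string; its run performs the module's real work.
class ExampleAuxModule
  attr_reader :log

  def initialize(banner, force: false)
    @banner = banner
    @force = force
    @log = []
  end

  # Constructed rule: builds advertising "ExampleSvc/1.0.x" are the affected ones
  def check
    @banner.start_with?('ExampleSvc/1.0.') ? :vulnerable : :safe
  end

  def run
    @log << 'run: performing the module action'
    :ran
  end

  prepend AutoCheckLike
end

if __FILE__ == $PROGRAM_NAME
  ['ExampleSvc/1.0.3', 'ExampleSvc/2.1.0'].each do |banner|
    m = ExampleAuxModule.new(banner)
    result = m.run
    puts "#{banner}: #{result}"
    m.log.each { |line| puts "  #{line}" }
  end
end
```

Because the gate lives in the prepended module rather than in each module’s `run`, every module that opts in gets identical behaviour, which is the consistency the mixin is meant to provide; a module whose `check` is not reliable enough to gate on is exactly the case the opt-out exists for.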

New modules (5)

Enhancements and features

Bugs fixed

Get it

As always, you can update to the latest Metasploit Framework with msfupdate and you can get more details on the changes since the last blog post from GitHub:

If you are a git user, you can clone the Metasploit Framework repo (master branch) for the latest. To install fresh without using git, you can use the open-source-only Nightly Installers or the binary installers (which also include the commercial edition).