GSoC Rocks!

In a rare double whammy, one of our 2020 Google Summer of Code (GSoC) participants has authored a PR containing both enhancements & a new module! Improvements to our SQL injection library now allow PostgreSQL injection, and this new functionality has been verified with both a test module AND a fully functioning module exploiting CVE-2019-13375, a (Postgre)SQL Injection vuln in the D-Link Central WiFi Manager allowing both DB dumping and user insertion in all versions before v1.03R0100_BETA6. Big thanks to red0xff for authoring these changes and showing that students can hack it with the best of them.

For anyone interested in working with Metasploit in this year's Google Summer of Code, you'll have to wait until March 9th to find out if we've been accepted as mentors. However, you can get a head start by checking out our current project shortlist. Said shortlist is still being worked on, and applicants can suggest their own project ideas, so get looking and see what jumps out at you!

King KLog vs Colezilla

Our copious community contributor bcoles has written a new module exploiting CVE-2020-35729, an unauthenticated command injection vulnerability in KLog (An english translated version of their site can be found here). KLog is a Syslog server providing a time stamp service packaged in a Linux VM, and if Google Translate is to be believed, includes "Kamu SM approved SHA-512 hash algorithm has log signing feature", which is nice. By making a POST request to authenticate.php, the module can perform code execution in the VM via the PHP shell_exec() function. Additionally, the KLog VM configuration allows the apache user to execute sudo without supplying a password, ultimately allowing code execution with root privileges.

Short. Sweet. Screenshot.

Wrapping up this wrapup, timwr has fixed an issue with our Java Meterpreter that prevented screenshots from being taken. As an added bonus, it also prevents uploading a screenshot dll on non-native Windows meterpreter sessions.

New Modules (4)

  • WordPress ChopSlider3 id SQLi Scanner by Callum Murphy, SunCSR, and h00die, which exploits CVE-2020-11530 This adds a new module to exploit a SQL injection vulnerability in iDangero.us ChopSlider 3 Wordpress plugin version 3.4 and prior. It is able to remotely dump usernames and password hashes from the Wordpress database without any authentication. This vulnerability is identified as CVE-2020-11530.
  • D-Link Central WiFiManager SQL injection by M3 and Redouane NIBOUCHA, which exploits CVE-2019-13373 GSoC 2020 project supporting SQLi library usage with PostgreSQL. This support comes with a new module utilizing CVE-2019-13373 to dump database information or insert additional users into D-Link Central WiFi Manager CWM(100) before v1.03R0100_BETA6.
  • Klog Server authenticate.php user Unauthenticated Command Injection by Metin Yunus Kandemir, b3kc4t, and bcoles, which exploits CVE-2020-35729 This adds an exploit module that targets an unauthenticated command injection vulnerability in Klog Server versions 2.4.1 and below. A POST request to authenticate.php can result in code execution on the target due to improper sanitization of the user parameter, which gets passed to the shell_exec() function. Additionally, Klog Server's configuration allows the apache user to execute sudo without supplying a password, so this exploit ultimately achieves code execution with root privileges.
  • Micro Focus Operations Bridge Manager Local Privilege Escalation by Pedro Ribeiro, which exploits ZDI-20-1326 (CVE-2020-11858) Allows privilege escalation assuming victim machine is running a vulnerable version of OBM & user already has a session on said machine that supports Powershell. Module writes payload to specific folder, then sends request to OBM process via the loopback address to trigger payload execution.

Enhancements and features

  • #14733 from adfoster-r7 Adds the latest rubocop rules
  • #14747 from dwelch-r7 Updates exploit/linux/http/saltstack_salt_api_cmd_exec to correctly show failure messages to the user under error scenarios
  • #14756 from bcoles Updates msftidy to warn when a module is missing its Notes metadata
  • #14762 from adfoster-r7 Adds support for ignoring Rubocop's ExtraSpacing rules for BinData objects

Bugs Fixed

  • #14602 from red0xff Improved length detection for Time Based MySQLi injections & expand support for empty strings to hex_encode_strings.
  • #14738 from timwr Fixes multi/manage/shell_to_meterpreter on macOS by using Python reflection to upgrade a shell session on macOS to a meterpreter session, in memory, without dropping a file to disk
  • #14751 from bcoles A bug has been fixed within the msftidy.rb developer tool whereby a typo was preventing several checks from being run against exploit modules to ensure they conformed to standards. This has now been fixed, along with some grammar issues that were noticed in related modules.
  • #14758 from timwr Fix platform check in Meterpreter stdapi screenshot command. This ensures Java Meterpreter can take screenshots on Windows platforms and prevents unnecessarily uploading the screenshot DLL when using the screenshot command on non-native Windows sessions.
  • #14741 from zeroSteiner Fixes typo for exchange_ecp_dlp_policy target

Get it

As always, you can update to the latest Metasploit Framework with msfupdate and you can get more details on the changes since the last blog post from
GitHub:

If you are a git user, you can clone the Metasploit Framework repo (master branch) for the latest. To install fresh without using git, you can use the open-source-only Nightly Installers or the binary installers (which also include the commercial edition).