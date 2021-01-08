Our very own zeroSteiner added exploit/multi/http/struts2_multi_eval_ognl, which exploits Struts2 evaluating OGNL expressions in HTML attributes multiple times (CVE-2019-0230 and CVE-2020-17530, https://attackerkb.com/topics/LdoHePCiRm/cve-2020-17530?referrer=blog). The CVE-2019-0230 OGNL chain for remote code execution requires a one-time chain to enable the RCE gadget, which the module handles automatically. The OGNL gadget chain for CVE-2020-17530 echoes the command output. Both chains use a simple mathematical expression to confirm that evaluation actually occurs. These vulnerabilities are application dependent, so the user needs to know which CVE they are targeting. Setting the NAME parameter to the name of the vulnerable request parameter and using the check method to confirm that evaluation takes place inside an HTML attribute are key to successful exploitation.
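The "simple mathematical expression" check described above, written out as an added example in plain Ruby. This is not the Metasploit module's code: the probe, the attribute-matching regex, the parameter name `skillName`, the `check_double_eval` URL helper and the sample HTML responses are all assumptions constructed here to show the idea offline. A value that is reflected into an attribute once, but still reads `%{a*b}`, was evaluated a single time; the product appearing as the attribute value means the attribute was evaluated a second time, which is what both CVEs need.

```ruby
require 'net/http'
require 'uri'

# Build a probe: two random factors whose product is unlikely to appear in the
# page by accident. "%{1234*5678}" survives the first evaluation as a literal
# attribute value; a second (forced) evaluation turns it into the product.
def build_ognl_probe
  a = rand(1000..9999)
  b = rand(1000..9999)
  { expr: "%{#{a}*#{b}}", expected: (a * b).to_s }
end

# Vulnerable only if the product shows up as a complete HTML attribute value
# and does not already occur in a baseline page fetched without the probe
# (guards against a false positive from a number that is just on the page).
def ognl_evaluated?(body, expected, baseline: '')
  return false if baseline.include?(expected)
  body.scan(/\b[\w:-]+\s*=\s*"([^"]*)"/).flatten.include?(expected)
end

# Network helper (assumed interface, not exercised offline): GET the page with
# and without the probe in the user-chosen parameter, e.g. 'skillName'.
def check_double_eval(url, param)
  probe = build_ognl_probe
  uri = URI(url)
  baseline = Net::HTTP.get(uri)
  uri.query = URI.encode_www_form(param => probe[:expr])
  body = Net::HTTP.get(uri)
  ognl_evaluated?(body, probe[:expected], baseline: baseline) ? :vulnerable : :safe
end

# Constructed sample responses (not real captures): an app that evaluates the
# attribute once reflects the raw expression; one that evaluates it twice
# renders the product.
PROBE = { expr: '%{1234*5678}', expected: '7006652' }.freeze
SAFE_BODY = %(<a id="#{PROBE[:expr]}" href="/s.action">x</a>)
VULN_BODY = %(<a id="#{PROBE[:expected]}" href="/s.action">x</a>)

if __FILE__ == $PROGRAM_NAME
  puts ognl_evaluated?(SAFE_BODY, PROBE[:expected])   # false
  puts ognl_evaluated?(VULN_BODY, PROBE[:expected])   # true
end
```

Matching only a whole attribute value, rather than searching the raw body, is what ties the check to "evaluation inside an HTML attribute": a product that merely appears in page text does not prove the attribute itself was re-evaluated.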
JuicyPotato-like Windows privilege escalation exploit
Exploit module exploits/windows/local/bits_ntlm_token_impersonation was added by Metasploit contributor C4ssandre. It exploits BITS connecting to a local Windows Remote Management (WinRM) server at startup time. A fake WinRM server listening on port 5985 is started by a DLL loaded from an existing unprivileged Meterpreter session. The fake server triggers BITS and then steals a SYSTEM token from the subsequent authentication request. The token is then used to start a new process and launch powershell.exe as SYSTEM. That process downloads a malicious PowerShell script from a second local HTTP server and executes it without writing any files to disk. The exploit is based on decoder's PoC. It has been successfully tested on Windows 10 (10.0 Build 19041) 32-bit.
Pulse Connect Secure Gzip RCE
Metasploit contributor h00die added an exploit that targets Pulse Connect Secure server version 9.1R8 and earlier. The vulnerability was originally discovered by NCC Group. The module achieves authenticated remote code execution as root by uploading an encrypted configuration that contains an overwrite for a Perl template file. This module was made possible by rxwx, who shared the encryption code with the author. Admin credentials are required for root access. The module has been tested against server version 9.1R8.