Posts by Pearce Barry

1 min Metasploit

Open Source Security Meetup (OSSM): Virtual Edition

The Rapid7 Metasploit team will be hosting our annual Open Source Security Meetup (OSSM) as a virtual event Thursday, August 6th!

2 min Metasploit

Metasploit Wrap-Up: 7/3/20

Shifting (NET)GEARs Community contributor rdomanski [https://github.com/rdomanski] added a module for Netgear R6700v3 routers [https://github.com/rapid7/metasploit-framework/pull/13768] that allows unauthenticated attackers on the same network to reset the password for the admin user back to the factory default of password. Attackers can then manually change the admin user's password and log into it after enabling telnet via the exploit/linux/telnet/netgear_telnetenable module, which will gran

2 min Metasploit Weekly Wrapup

Metasploit Wrap-Up: 4/10/20

Meterpreter bug fixes and five new modules, including an LPE exploit for SMBghost (CVE-2020-0796) and a BloodHound post module that gathers information (sessions, local admin, domain trusts, etc.) and stores it as a BloodHound-consumable ZIP file in Framework loot.

3 min Metasploit

Metasploit Wrap-Up 3/6/20

Gift exchange If you're looking for remote code execution against Microsoft Exchange, Spencer McIntyre [https://github.com/zeroSteiner] crafted up a cool new module [https://github.com/rapid7/metasploit-framework/pull/13014] targeting a .NET serialization vulnerability in the Exchange Control Panel (ECP) web page. Vulnerable versions of Exchange don't randomize keys on a per-installation basis, resulting in reuse of the same validationKey and decryptionKey values. With knowledge of these, an at

2 min Metasploit

Metasploit Wrap-Up: Dec. 27, 2019

With 2019 almost wrapped up, we’ve been left wondering where the time went! It’s been a busy year for Metasploit, and we’re going out on a reptile-themed note this wrap-up... Python gets compatible With the clock quickly ticking down on Python 2 support [https://pythonclock.org/], contributor xmunoz [https://github.com/xmunoz] came through with some changes [https://github.com/rapid7/metasploit-framework/pull/12524] to help ensure most of Framework works with Python 3. While Python 3’s adoption

2 min Metasploit

Metasploit Wrap-Up: Nov. 8, 2019

Config R Us Many versions of network management tool rConfig are vulnerable to unauthenticated command injection, and contributor bcoles [https://github.com/bcoles] added a new exploit module [https://github.com/rapid7/metasploit-framework/pull/12507] for targeting those versions. Present in v3.9.2 and prior, this vulnerability centers around the install directory not being automatically cleaned up following software installation, leaving behind a PHP file that can be utilized to execute arbitr

3 min Events

Metasploit Open Source Office Hours: Vegas 2019

The Metasploit crew at Rapid7 is headed out to Las Vegas for DEF CON 27, bringing a new incarnation of the Open Source Security Meetup (OSSM) with us! We will have a Metasploit Suite at Bally’s this year, where we’ll be hosting “Open Source Office Hours” (OSOH). If you’ll be out in Vegas for DEF CON 27, take a moment and ask yourself: * Are you currently working on a Metasploit module/payload and could use some guidance? * Are you modifying Framework and you’d like to discuss? * Are you w