Rocket Software UniRPC Exploits Ron Bowes [https://github.com/rbowes-r7] submitted two exploit modules [https://github.com/rapid7/metasploit-framework/pull/17832] for vulnerabilities he discovered [https://www.rapid7.com/blog/post/2023/03/29/multiple-vulnerabilities-in-rocket-software-unirpc-server-fixed/] in the UniRPC server for Rocket Software’s UniData product. The first exploit module, exploit/linux/misc/unidata_udadmin_auth_bypass exploits an authentication bypass to ultimately gain remot
Cacti Unauthenticated Command Injection Thanks to community contributor Erik Wynter [https://github.com/ErikWynter], Metasploit Framework now has an exploit module [https://github.com/rapid7/metasploit-framework/pull/17407] for an unauthenticated command injection vulnerability in the Cacti network-monitoring software. The vulnerability is due to a proc_open() call that accepts unsanitized user input in remote_agent.php. Provided that the target server has data that's tied to the POLLER_ACTION_S
GLPI htmLawed PHP Command Injection Our very own bwatters-r7 [https://github.com/bwatters-r7] wrote a module for an unauthenticated PHP command injection vulnerability that exists in various versions of GLPI. The vulnerability is due to a third-party vendor test script being present in default installations. A POST request to vendor/htmlawed/htmlawed/htmLawedTest.php directly allows an attacker to execute exec() through the hhook and test parameters, resulting in unauthenticated RCE as the www
Zimbra Auth Bypass to Shell Ron Bowes [https://github.com/rbowes-r7] added an exploit module [https://github.com/rapid7/metasploit-framework/pull/16922] that targets multiple versions of Zimbra Collaboration Suite. The module leverages an authentication bypass (CVE-2022-37042) and a directory traversal vulnerability (CVE-2022-27925) to gain code execution as the zimbra user. The auth bypass functionality correctly checks for a valid session; however, the function that performs the check does not
Log4Shell in MobileIron Core Thanks to jbaines-r7 [https://github.com/jbaines-r7] we have yet another Log4Shell exploit [https://github.com/rapid7/metasploit-framework/pull/16837]. Similar to the other Log4Shell exploit modules, the exploit works by sending a JNDI string that once received by the server will be deserialized, resulting in unauthenticated remote code execution as the tomcat user. Vulnerable versions of MobileIron Core have been reported as exploited [https://www.mandiant.com/resou
Module additions this week to enumerate all installed AV products on Windows and escape sandboxes on certain Debian-specific Redis versions. Plus, a new place for Metasploit docs focused on pen testing workflows.
This week’s Metasploit Framework release brings us seven new modules. IP Camera Exploitation Rapid7’s Jacob Baines [https://github.com/jbaines-r7] was busy this week with two exploit modules that target IP cameras. The first [https://github.com/rapid7/metasploit-framework/pull/16190] module exploits an authenticated file upload on Axis IP cameras. Due to lack of proper sanitization, an attacker can upload and install an eap application which, when executed, will grant the attacker root privileg
Three fresh modules for Cisco targets and rConfig, plus new enhancements and fixes.
A local exploit for a Windows Server 2012 DLL hijacking vulnerability, plus a slew of fixes and improvements.
Four new modules, including an exploit for SaltStack Salt and an exploit for a now-patched vuln in Metasploit, plus new enhancements and fixes.
Plex unpickling The exploit/windows/http/plex_unpickle_dict_rce module [https://github.com/rapid7/metasploit-framework/pull/13741] by h00die [https://github.com/h00die] exploits an authenticated Python deserialization vulnerability in Plex Media Server. The module exploits the vulnerability by creating a photo library and uploading a Dict file containing a Python payload to the library’s path. Code execution is then achieved by triggering the plugin loading functionality, which unpickles the Dic
Arista Shell Escape Exploit Community contributor SecurityBytesMe [https://github.com/SecurityBytesMe] added an exploit module [https://github.com/rapid7/metasploit-framework/pull/13303] for various Arista switches. With credentials, an attacker can SSH into a vulnerable device and leverage a TACACS+ shell configuration to bypass restrictions. The configuration allows the pipe character to be used only if the pipe is preceded by a grep command. This configuration ultimately allows the chaining
Five new modules plus fixes and enhancements. Exploits for ManageEngine, rConfig, and SQL Server Reporting Services, among others.
Introducing encrypted, compiled payloads in Metasploit Framework 5
BlueKeep is Here The BlueKeep exploit module [https://github.com/rapid7/metasploit-framework/pull/12283] is now officially a part of Metasploit Framework. This module reached merged status thanks to lots of collaboration between Rapid7 and the MSF community members. The module requires some manual configuration per target, and targets include both virtualized and non-virtualized versions of Windows 7 and Windows Server 2008. For a full overview of the exploit’s development and notes on use and d