Posts tagged Metasploit

3 min Metasploit

Metasploit Weekly Wrap-Up 11/22/2024

JetBrains TeamCity Login Scanner Metasploit added a login scanner for the TeamCity application to enable users to check for weak credentials. TeamCity has been the subject of multiple ETR vulnerabilities [https://www.rapid7.com/blog/post/2024/03/04/etr-cve-2024-27198-and-cve-2024-27199-jetbrains-teamcity-multiple-authentication-bypass-vulnerabilities-fixed/] and is a valuable target for attackers. Targeted DCSync added to Windows Secrets Dump This week, Metasploit community member smashery [ht

2 min Metasploit

Metasploit Weekly Wrap-Up: 11/15/2024

Palo Alto Expedition RCE module This week's release includes an exploit module for the Palo Alto Expedition exploit chain that's been making headlines recently. The first vulnerability, CVE-2024-5910, allows attackers to reset the password of the admin user. The second vulnerability, CVE-2024-9464, is an authenticated OS command injection. The module makes use of both vulnerabilities in order to obtain unauthenticated RCE in the context of the user www-data. New module content (1) Palo Alto Expe

3 min Metasploit

Metasploit Wrap-Up: 11/08/2024

RISC-V Support This release of Metasploit Framework has added exciting new features such as new payloads that target the RISC-V architecture. These payloads allow for the execution of commands on compromised hardware, allowing Metasploit Framework and Metasploit Payloads to be used in more environments. SMB To HTTP(S) Relay This new exploit, worked on by Rapid7 contributors, targets the ESC8 vulnerability. This work is a part of the recent Kerberos and Active Directory efforts targeting multiple

6 min Metasploit

Metasploit Weekly Wrap-Up 11/01/2024

Pool Party Windows Process Injection This Metasploit-Framework release includes a new injection technique deployed in core Meterpreter functionalities such as process migration and DLL injection. The research into a new injection technique known as PoolParty [https://www.safebreach.com/blog/process-injection-using-windows-thread-pools/] highlighted new ways to gain code execution in a remote process by abusing the thread-pool management features included in the Windows kernel starting from Windows Vista.

2 min Metasploit

Metasploit Weekly Wrap-Up 10/25/2024

Hackers and Vampires Agree: Every Byte Counts Headlining the release today is a new exploit module by jheysel-r7 [https://github.com/jheysel-r7] that chains two vulnerabilities to target Magento/Adobe Commerce systems: the first, CVE-2024-34102 [https://attackerkb.com/search?q=CVE-2024-34102&referrer=blog] is an arbitrary file read used to determine the version and layout of the glibc library, and the second, CVE-2024-2961 [https://attackerkb.com/search?q=CVE-2024-2961&referrer=blog] is a single

3 min Metasploit

Metasploit Weekly Wrap-Up 10/18/2024

ESC15: EKUwu AD CS continues to be a popular target for penetration testers and security practitioners. The latest escalation technique (hence the ESC in ESC15) was discovered [https://trustedsec.com/blog/ekuwu-not-just-another-ad-cs-esc] by Justin Bollinger [https://x.com/bandrel] with details being released just last week. This latest configuration flaw has common issuance requirements to other ESC flaws such as requiring no authorized signatures or manager approval. Additionally, templa

2 min Metasploit

Metasploit Weekly Wrap-Up 10/04/2024

New module content (3) cups-browsed Information Disclosure Authors: bcoles and evilsocket Type: Auxiliary Pull request: #19510 [https://github.com/rapid7/metasploit-framework/pull/19510] contributed by bcoles [https://github.com/bcoles] Path: scanner/misc/cups_browsed_info_disclosure Description: Adds scanner module to retrieve CUPS version and kernel version information from cups-browsed services. Acronis Cyber Infrastructure default password remote code execution Authors: Acronis Internatio

3 min Metasploit

Metasploit Weekly Wrap-Up 09/27/2024

Epic Release! This week's release includes 5 new modules, 6 enhancements, 4 fixes and 1 documentation update. Among the new additions, we have an account takeover, SQL injection, RCE, and LPE! Thank you to all the contributors who made it possible! New Module Content (5) Cisco Smart Software Manager (SSM) On-Prem Account Takeover (CVE-2024-20419) Authors: Michael Heinzl and Mohammed Adel Type: Auxiliary Pull request: #19375 [https://github.com/rapid7/metasploit-framework/pull/19375] contribut

2 min Metasploit

Metasploit Weekly Wrap-Up 09/20/2024

New module content (3) update-motd.d Persistence Author: Julien Voisin Type: Exploit Pull request: #19454 [https://github.com/rapid7/metasploit-framework/pull/19454] contributed by jvoisin [https://github.com/jvoisin] Path: linux/local/motd_persistence Description: This adds a post module to keep persistence on a Linux target by writing a motd [https://manpages.ubuntu.com/manpages/trusty/man5/update-motd.5.html] bash script triggered with root privileges every time a user logs into the system

2 min Metasploit

Metasploit Weekly Wrap-Up 09/13/2024

SPIP Modules This week brings more modules targeting the SPIP publishing platform. SPIP has gained some attention from Metasploit community contributors recently and has inspired some PHP payload and encoder improvements. New module content (2) SPIP BigUp Plugin Unauthenticated RCE Authors: Julien Voisin, Laluka, Valentin Lobstein, and Vozec Type: Exploit Pull request: #19444 [https://github.com/rapid7/metasploit-framework/pull/19444] contributed by Chocapikk [https://github.com/Chocapikk] Pat

2 min Metasploit

Metasploit Weekly Wrap-Up 09/06/2024

Honey, I shrunk the PHP payloads This release contains more PHP payload improvements from Julien Voisin. Last week we landed a PR from Julien that added a datastore option to the php/base64 encoder that, when enabled, uses zlib to compress the payload, which significantly reduces its size, bringing a payload of 4040 bytes down to a mere 1617 bytes. This week's release includes a php/minify encoder which removes all unnecessary characters from the payload including comments, empty lines, leadin

4 min Metasploit

Metasploit Weekly Wrap-Up 08/30/2024

A New Way to Encode PHP Payloads A new PHP encoder has been released by a community contributor, jvoisin [https://github.com/jvoisin], allowing a PHP payload to be encoded as an ASCII-Hex string. This can then be decoded on the receiver to prevent issues with unescaped or bad characters. Ray Vulnerabilities This release of Metasploit Framework also features 3 new modules to target ray.io, which is a framework for distributing AI-related workloads across multiple machines, which makes it an exce

1 min Metasploit

Metasploit Weekly Wrap-Up 08/23/2024

New module content (3) Fortra FileCatalyst Workflow SQL Injection (CVE-2024-5276) Authors: Michael Heinzl and Tenable Type: Auxiliary Pull request: #19373 [https://github.com/rapid7/metasploit-framework/pull/19373] contributed by h4x-x0r [https://github.com/h4x-x0r] Path: admin/http/fortra_filecatalyst_workflow_sqli AttackerKB reference: CVE-2024-5276 [https://attackerkb.com/search?q=CVE-2024-5276&referrer=blog] Description: This adds an auxiliary module to exploit the CVE-2024-5276, a SQL inj

2 min Metasploit

Metasploit Weekly Wrap-Up 08/16/2024

New module content (3) Apache HugeGraph Gremlin RCE Authors: 6right and jheysel-r7 Type: Exploit Pull request: #19348 [https://github.com/rapid7/metasploit-framework/pull/19348] contributed by jheysel-r7 [https://github.com/jheysel-r7] Path: linux/http/apache_hugegraph_gremlin_rce AttackerKB reference: CVE-2024-27348 [https://attackerkb.com/search?q=CVE-2024-27348&referrer=blog] Description: Adds an Apache HugeGraph Server exploit for GHSA-29rc-vq7f-x335 [https://github.com/advisories/GHSA-29r

1 min Metasploit

Metasploit Weekly Wrap-Up 08/09/2024

Black Hat & DEF CON Hopefully folks were able to catch our Rapid7 researchers @zeroSteiner [https://x.com/zeroSteiner] & Jack Heysel show off Metasploit 6.4's features at Black Hat, focusing on combinations that allow for new, streamlined attack workflows. If not, they will also be demoing at DEF CON tomorrow in room W304! New module content (1) Calibre Python Code Injection (CVE-2024-6782) Authors: Amos Ng and Michael Heinzl Type: Exploit Pull request: #19357 [https://github.com/rapid7/meta