Metasploit
Metasploit Weekly Wrap-Up 11/22/2024
JetBrains TeamCity Login Scanner
Metasploit added a login scanner for the TeamCity application to enable users to
check for weak credentials. TeamCity has been the subject of multiple ETR
vulnerabilities
[https://www.rapid7.com/blog/post/2024/03/04/etr-cve-2024-27198-and-cve-2024-27199-jetbrains-teamcity-multiple-authentication-bypass-vulnerabilities-fixed/]
and is a valuable target for attackers.
Targeted DCSync added to Windows Secrets Dump
This week, Metasploit community member smashery [ht
Metasploit Weekly Wrap-Up: 11/15/2024
Palo Alto Expedition RCE module
This week's release includes an exploit module for the Palo Alto Expedition
exploit chain that's been making headlines recently. The first vulnerability,
CVE-2024-5910, allows attackers to reset the password of the admin user. The
second vulnerability, CVE-2024-9464, is an authenticated OS command injection.
The module makes use of both vulnerabilities in order to obtain unauthenticated
RCE in the context of the user www-data.
New module content (1)
Palo Alto Expe
Metasploit Wrap-Up: 11/08/2024
RISC-V Support
This release of Metasploit Framework has added exciting new features such as new
payloads that target the RISC-V architecture. These payloads allow for the
execution of commands on compromised hardware, allowing Metasploit Framework and
Metasploit Payloads to be used in more environments.
SMB To HTTP(S) Relay
This new exploit, worked on by Rapid7 contributors, targets the ESC8
vulnerability. This work is a part of the recent Kerberos and Active Directory
efforts targeting multiple
Metasploit Weekly Wrap-Up 11/01/2024
Pool Party Windows Process Injection
This Metasploit-Framework release includes a new injection technique deployed on
core Meterpreter functionalities such as process migration and DLL Injection.
Research into a new injection technique known as PoolParty
[https://www.safebreach.com/blog/process-injection-using-windows-thread-pools/]
highlighted new ways to gain code execution in a remote process by abusing
thread-pool management features included in the Windows kernel starting with
Windows Vista.
Metasploit Weekly Wrap-Up 10/25/2024
Hackers and Vampires Agree: Every Byte Counts
Headlining the release today is a new exploit module by jheysel-r7
[https://github.com/jheysel-r7] that chains two vulnerabilities to target
Magento/Adobe Commerce systems: the first, CVE-2024-34102
[https://attackerkb.com/search?q=CVE-2024-34102&referrer=blog] is an arbitrary
file read used to determine the version and layout of the glibc library, and the
second, CVE-2024-2961
[https://attackerkb.com/search?q=CVE-2024-2961&referrer=blog] is a single
Metasploit Weekly Wrap-Up 10/18/2024
ESC15: EKUwu
AD CS continues to be a popular target for penetration testers and security
practitioners. The latest escalation technique (hence the ESC in ESC15) was
discovered [https://trustedsec.com/blog/ekuwu-not-just-another-ad-cs-esc] by
Justin Bollinger [https://x.com/bandrel] with details being released just last
week. This latest configuration flaw has common issuance requirements to other
ESC flaws such as requiring no authorized signatures or manager approval.
Additionally, templa
Metasploit Weekly Wrap-Up 10/04/2024
New module content (3)
cups-browsed Information Disclosure
Authors: bcoles and evilsocket
Type: Auxiliary
Pull request: #19510 [https://github.com/rapid7/metasploit-framework/pull/19510]
contributed by bcoles [https://github.com/bcoles]
Path: scanner/misc/cups_browsed_info_disclosure
Description: Adds a scanner module to retrieve CUPS version and kernel version
information from cups-browsed services.
Acronis Cyber Infrastructure default password remote code execution
Authors: Acronis Internatio
Metasploit Weekly Wrap-Up 09/27/2024
Epic Release!
This week's release includes 5 new modules, 6 enhancements, 4 fixes and 1
documentation update. Among the new additions, we have an account takeover, SQL
injection, RCE, and LPE! Thank you to all the contributors who made it possible!
New Module Content (5)
Cisco Smart Software Manager (SSM) On-Prem Account Takeover (CVE-2024-20419)
Authors: Michael Heinzl and Mohammed Adel
Type: Auxiliary
Pull request: #19375 [https://github.com/rapid7/metasploit-framework/pull/19375]
contribut
Metasploit Weekly Wrap-Up 09/20/2024
New module content (3)
update-motd.d Persistence
Author: Julien Voisin
Type: Exploit
Pull request: #19454 [https://github.com/rapid7/metasploit-framework/pull/19454]
contributed by jvoisin [https://github.com/jvoisin]
Path: linux/local/motd_persistence
Description: This adds a post module to keep persistence on a Linux target by
writing a motd
[https://manpages.ubuntu.com/manpages/trusty/man5/update-motd.5.html] bash
script triggered with root privileges every time a user logs into the system
Metasploit Weekly Wrap-Up 09/13/2024
SPIP Modules
This week brings more modules targeting the SPIP publishing platform. SPIP has
gained some attention from Metasploit community contributors recently and has
inspired some PHP payload and encoder improvements.
New module content (2)
SPIP BigUp Plugin Unauthenticated RCE
Authors: Julien Voisin, Laluka, Valentin Lobstein, and Vozec
Type: Exploit
Pull request: #19444 [https://github.com/rapid7/metasploit-framework/pull/19444]
contributed by Chocapikk [https://github.com/Chocapikk]
Pat
Metasploit Weekly Wrap-Up 09/06/2024
Honey, I shrunk the PHP payloads
This release contains more PHP payload improvements from Julien Voisin. Last
week we landed a PR from Julien that added a datastore option to the php/base64
encoder that, when enabled, uses zlib to compress the payload, which
significantly reduces the size, bringing a payload of 4040 bytes down to a mere
1617 bytes. This week's release includes a php/minify encoder which removes all
unnecessary characters from the payload including comments, empty lines, leadin
Metasploit Weekly Wrap-Up 08/30/2024
A New Way to Encode PHP Payloads
A new PHP encoder has been released by a community contributor, jvoisin
[https://github.com/jvoisin], allowing a PHP payload to be encoded as an
ASCII-Hex string. This can then be decoded on the receiver to prevent issues
with unescaped or bad characters.
Ray Vulnerabilities
This release of Metasploit Framework also features 3 new modules to target
ray.io, which is a framework for distributing AI-related workloads across
multiple machines, which makes it an exce
Metasploit Weekly Wrap-Up 08/23/2024
New module content (3)
Fortra FileCatalyst Workflow SQL Injection (CVE-2024-5276)
Authors: Michael Heinzl and Tenable
Type: Auxiliary
Pull request: #19373 [https://github.com/rapid7/metasploit-framework/pull/19373]
contributed by h4x-x0r [https://github.com/h4x-x0r]
Path: admin/http/fortra_filecatalyst_workflow_sqli
AttackerKB reference: CVE-2024-5276
[https://attackerkb.com/search?q=CVE-2024-5276&referrer=blog]
Description: This adds an auxiliary module to exploit CVE-2024-5276, a SQL
inj
Metasploit Weekly Wrap-Up 08/16/2024
New module content (3)
Apache HugeGraph Gremlin RCE
Authors: 6right and jheysel-r7
Type: Exploit
Pull request: #19348 [https://github.com/rapid7/metasploit-framework/pull/19348]
contributed by jheysel-r7 [https://github.com/jheysel-r7]
Path: linux/http/apache_hugegraph_gremlin_rce
AttackerKB reference: CVE-2024-27348
[https://attackerkb.com/search?q=CVE-2024-27348&referrer=blog]
Description: Adds an Apache HugeGraph Server exploit for GHSA-29rc-vq7f-x335
[https://github.com/advisories/GHSA-29r
Metasploit Weekly Wrap-Up 08/09/2024
Black Hat & DEF CON
Hopefully folks were able to catch our Rapid7 researchers @zeroSteiner
[https://x.com/zeroSteiner] & Jack Heysel show off Metasploit 6.4's
features, focusing on combinations that allow for new, streamlined attack
workflows at Black Hat. If not, they will also be demoing at DEF CON tomorrow in
room W304!
New module content (1)
Calibre Python Code Injection (CVE-2024-6782)
Authors: Amos Ng and Michael Heinzl
Type: Exploit
Pull request: #19357 [https://github.com/rapid7/meta