2 min
Metasploit Weekly Wrapup
Metasploit Wrap-Up: 3/13/20
Four new modules and lots of productivity enhancements. You can now run `rubocop -a` to automatically fix most formatting issues when developing modules. Plus, try the new `tip` command in MSF for Framework usage tips!
3 min
Metasploit
Metasploit Wrap-Up 3/6/20
Gift exchange
If you're looking for remote code execution against Microsoft Exchange, Spencer
McIntyre [https://github.com/zeroSteiner] crafted up a cool new module
[https://github.com/rapid7/metasploit-framework/pull/13014] targeting a .NET
serialization vulnerability in the Exchange Control Panel (ECP) web page.
Vulnerable versions of Exchange don't randomize keys on a per-installation
basis, resulting in reuse of the same validationKey and decryptionKey values.
With knowledge of these, an at
3 min
Metasploit Weekly Wrapup
Metasploit Wrap-Up: 2/28/20
Android Binder UAF, OpenNetAdmin RCE, and a slew of improvements, including colorized HttpTrace output and a better debugging experience for developers.
3 min
Metasploit Weekly Wrapup
Metasploit Wrap-Up: 2/21/20
Long live copy and paste
Adam Galway enhanced the set PAYLOAD command to strip the /payload/, payload/,
and / prefixes from a payload name in an effort to improve the user experience
while configuring an exploit's payload. You can see the new behavior
[https://github.com/rapid7/metasploit-framework/pull/12946] below!
msf5 exploit(windows/smb/ms17_010_eternalblue) > set payload /payload/windows/x64/meterpreter/reverse_tcp
payload => windows/x64/meterpreter/reverse_tcp
msf5 exploit(windows/smb/ms
2 min
Metasploit Weekly Wrapup
Metasploit Wrap-Up: 2/14/20
Ricoh Privilege Escalation
No ink? No problem. Here’s some SYSTEM access. A new module
[https://github.com/rapid7/metasploit-framework/pull/12906] by our own space-r7
[https://github.com/space-r7] has been added to Metasploit Framework this week
that adds a privilege escalation exploit for various
[https://www.ricoh.com/info/2020/0122_1/list] Ricoh printer drivers on Windows
systems. This module takes advantage of CVE-2019-19363
[https://nvd.nist.gov/vuln/detail/CVE-2019-19363] by overwriting th
2 min
Metasploit
Metasploit Wrap-Up: Feb. 7, 2020
In the week after our CTF, we hope the players had a good time and got back to
their loved ones, jobs, lives, studies, and most importantly, back to their beds
(and you can find out who the winners were here
[/2020/02/03/congrats-to-the-winners-of-the-2020-metasploit-community-ctf/]!).
For the Metasploit team, we went back to baking up fresh, hot modules and
improvements that remind us in this flu season to not just wash your hands, but
also, sanitize your inputs!
SOHOwabout a Shell?
Several
[h
5 min
Metasploit Weekly Wrapup
Metasploit Wrap-Up: 1/31/20
Happy CTF week, folks! If you haven't already been following along with (or
competing in) Metasploit's global community CTF
[/2020/01/15/announcing-the-2020-metasploit-community-ctf/], it started
yesterday and runs through Monday morning U.S. Eastern Time. Registration has
been full for a while, but you can join the #metasploit-ctf channel on Slack
[https://metasploit.com/slack] to participate in the joy and frustration
vicariously.
This week's Metasploit wrap-up takes a look back at work done
3 min
Metasploit
Metasploit Wrap-up: 1/24/20
Transgressive Traversal
Contributor Dhiraj Mishra [https://github.com/RootUp] authored a neat Directory
Traversal module [https://github.com/rapid7/metasploit-framework/pull/12773]
targeted at NVMS-1000 Network Surveillance Management Software developed by TVT
Digital Technology. Permitting the arbitrary downloading of files stored on a
machine running compromised software [https://www.exploit-db.com/exploits/47774]
, this module becomes all the more attractive when you consider it's providing
2 min
Metasploit
Metasploit Wrap-Up: 1/17/20
Silly admin, Citrix is for script kiddies
A hot, new module [https://github.com/rapid7/metasploit-framework/pull/12816]
has landed in Metasploit Framework this week. It takes advantage of
CVE-2019-19781 which is a directory traversal vulnerability in Citrix
Application Delivery Controller (ADC) and Gateway. This exploit takes advantage
of unsanitized input within the URL structure of one of the API endpoints to
access specified directories. Conveniently there is a directory available that
house
2 min
Metasploit Weekly Wrapup
Metasploit Wrap-Up: 1/3/20
A new OpenBSD local exploit
Community contributor bcoles [http://github.com/bcoles] brings us a new exploit
module for CVE-2019-19726, a vulnerability originally discovered by Qualys
[https://blog.qualys.com/laws-of-vulnerabilities/2019/12/11/openbsd-local-privilege-escalation-vulnerability-cve-2019-19726]
in OpenBSD. This vulnerability is pretty interesting in the sense that it
leverages a bug in the _dl_getenv function that can be triggered to load
libutil.so from an attacker controlled loca
2 min
Metasploit
Metasploit Wrap-Up: Dec. 27, 2019
With 2019 almost wrapped up, we’ve been left wondering where the time went! It’s
been a busy year for Metasploit, and we’re going out on a reptile-themed note
this wrap-up...
Python gets compatible
With the clock quickly ticking down on Python 2 support
[https://pythonclock.org/], contributor xmunoz [https://github.com/xmunoz] came
through with some changes
[https://github.com/rapid7/metasploit-framework/pull/12524] to help ensure most
of Framework works with Python 3. While Python 3’s adoption
2 min
Metasploit
Metasploit Wrap-Up: 12/19/19
It’s beginning to look a lot like HaXmas [/tag/haxmas/], everywhere you go! We
have a great selection of gift-wrapped modules this holiday season, sure to have
you entertained from one to eight nights, depending on your preference! On a
personal note, we here at the Metasploit workshop would like to welcome our
newest elf, Spencer McIntyre [https://github.com/smcintyre-r7]. Spencer has been
a long-time contributor to the project, and we’re thrilled to have him on the
team!
In the spirit of givi
3 min
Metasploit
Metasploit Wrap-Up: Dec. 13, 2019
Powershell Express Delivery
The web_delivery module
[https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/multi/script/web_delivery.rb]
is often used to deliver a payload during post exploitation by quickly firing up
a local web server. Since it does not write anything on target’s disk, payloads
are less likely to be caught by anti-virus protections. However, since Microsoft
added Antimalware Scan Interface (AMSI)
[https://docs.microsoft.com/en-us/windows/win32/amsi/antim
3 min
Metasploit
Metasploit Wrap-Up: 12/6/19
Management delegation of shells
Onur ER [https://github.com/onurer] contributed the Ajenti auth username
command
injection [https://github.com/rapid7/metasploit-framework/pull/12503] exploit
module for the vulnerability Jeremy Brown discovered and published a PoC for on
2019-10-13 (EDB 47497) against Ajenti version 2.1.31. Ajenti is an open-source
web-based server admin panel written in Python and JS. The application allows
admins to remotely perform a variety of server management tasks. The
ex
3 min
Metasploit
Metasploit Wrap-Up: 11/22/19
Payload payday
As we blogged about yesterday
[/2019/11/21/metasploit-shellcode-grows-up-encrypted-and-authenticated-c-shells/]
, a new form of payload that is compiled directly from C when generated was
added by space-7 [https://github.com/space-r7]. We hope this is only the first
step in a journey of applying the myriad tools that obfuscate C programs to our
core payloads, so be sure to check out all the nifty workings of the code! If
that wasn't enough, we also got a pair of payloads written f