Metasploit
Metasploit Weekly Wrap-Up: Sep. 29, 2023
TeamCity authentication bypass and remote code execution
This week’s Metasploit release includes a new module for a critical
authentication bypass in JetBrains TeamCity CI/CD Server. All versions of
TeamCity prior to version 2023.05.4 are vulnerable to this issue. The
vulnerability was originally discovered by SonarSource, and the Metasploit
module was developed by Rapid7’s Principal Security Researcher Stephen Fewer who
additionally published a technical analysis on AttackerKB for CVE-2023-4279
Metasploit
Metasploit Weekly Wrap-Up: Sep. 22, 2023
Improved Ticket Forging
Metasploit’s admin/kerberos/forge_ticket module has been updated to work with
Server 2022. In Windows Server 2022, Microsoft started requiring additional new
PAC elements to be present - the PAC requestor and PAC attributes. The newly
forged tickets will have the necessary elements added automatically based on the
user provided domain SID and user RID. For example:
msf6 auxiliary(admin/kerberos/forge_ticket) > run aes_key=4a52b73cf37ba06cf693c40f352e2f4d2002ef61f6031f649
Metasploit
Metasploit Weekly Wrap-Up: Sep. 15, 2023
Flask Cookies
This week includes two modules related to Flask cookie signatures. One is
specific to Apache Superset where session cookies can be resigned, allowing an
attacker to elevate their privileges and dump the database connection strings.
While adding this functionality, community member h00die
[https://github.com/h00die] also added a module for generically working with the
default session cookies used by Flask. This generic module
auxiliary/gather/python_flask_cookie_signer
[https://git
Metasploit
Metasploit Weekly Wrap-Up: Sep. 8, 2023
New module content (4)
Roundcube TimeZone Authenticated File Disclosure
Authors: joel, stonepresto, and thomascube
Type: Auxiliary
Pull request: #18286 [https://github.com/rapid7/metasploit-framework/pull/18286]
contributed by cudalac [https://github.com/cudalac]
Path: auxiliary/gather/roundcube_auth_file_read
AttackerKB reference: CVE-2017-16651
[https://attackerkb.com/topics/He57FR8fB4/cve-2017-16651?referrer=blog]
Description: This PR adds a module to retrieve an arbitrary file on hosts
run
Metasploit
Metasploit Weekly Wrap-Up: Sep. 1, 2023
Pumpkin Spice Modules
Here in the northern hemisphere, fall is on the way: leaves changing, the air
growing crisp and cool, and some hackers changing the flavor of their caffeine.
This release features a new exploit module targeting Apache NiFi as well as a
new and improved library to interact with it.
New module content (1)
Apache NiFi H2 Connection String Remote Code Execution
Authors: Matei "Mal" Badanoiu and h00die
Type: Exploit
Pull request: #18257 [https://github.com/rapid7/metasploit-fra
Metasploit
Metasploit Weekly Wrap-Up: Aug. 25, 2023
Power[shell]Point
This week’s new features and improvements start with two new exploit modules
leveraging CVE-2023-34960
[https://attackerkb.com/topics/VVJpMeSpUP/cve-2023-34960?referrer=blog] in Chamilo
versions 1.11.18 and below and CVE-2023-26469
[https://attackerkb.com/topics/RT7G6Vyw1L/cve-2023-26469?referrer=blog] in
Jorani 1.0.0. Like CVE-2023-34960
[https://attackerkb.com/topics/VVJpMeSpUP/cve-2023-34960?referrer=blog], I too
feel attacked by PowerPoint sometimes.
We also have several impr
Metasploit
Metasploit Weekly Wrap-Up: Aug. 18, 2023
Meterpreter Testing
This week’s release adds new payload tests to our automated test suite. This is
intended to help the team and community members identify issues and behavior
discrepancies before changes are made. Payloads run on a variety of different
platforms including Windows, Linux, and OS X each of which has multiple
Meterpreter implementations available that are now tested to help ensure
consistency. This should improve payload stability and make testing easier for
community members tha
Metasploit
Metasploit Weekly Wrap-Up: Aug. 11, 2023
A new Metabase RCE module, updates to the citrix_formssso_target_rce module for CVE-2023-3519 to include two new targets, Citrix ADC (NetScaler) 12.1-65.25, and 12.1-64.17, and more
Metasploit
Metasploit Weekly Wrap-Up: Aug. 4, 2023
Fly High in the Sky With This New Cloud Exploit!
This week, a new module was added that takes advantage of both authentication
bypass and command injection in certain versions of Western Digital's MyCloud
hardware. Submitted by community member Erik Wynter
[https://github.com/ErikWynter], this module gains access to the target,
attempts to bypass authentication, verifies whether that was successful, then
executes the payload with root privileges. This works on versions before
2.30.196, and offer
Metasploit
Metasploit Weekly Wrap-Up: July 28, 2023
Unauthenticated RCE in VMware Product
This week, community contributor h00die [https://github.com/h00die] added an
exploit module that leverages a command injection vulnerability in VMware Aria
Operations for Networks, formerly known as vRealize Network Insight. Versions
6.2 to 6.10 are vulnerable (CVE-2023-20887
[https://attackerkb.com/topics/gxz1cUyFh2/cve-2023-20887?referrer=blog]). A
remote attacker could abuse the Apache Thrift RPC interface by sending specially
crafted data and get unauthe
Metasploit
Metasploit Weekly Wrap Up: July 21, 2023
This week's wrap-up includes two new Metasploit modules: Piwigo Gather Credentials via SQL Injection (CVE-2023-26876) and Openfire authentication bypass with RCE plugin (CVE-2023-32315).
Metasploit
Metasploit Weekly Wrap-Up: July 14, 2023
Authentication bypass in WordPress Plugin WooCommerce Payments
This week's Metasploit release includes a module for CVE-2023-28121 by h00die
[https://github.com/h00die]. This module can be used against any WordPress
instance that uses WooCommerce Payments < 5.6.1. It exploits an authentication
bypass vulnerability in the WooCommerce Payments WordPress plugin: adding a
single header triggers the bypass, after which the API can be used to create a
new admin user in WordPress.
New module content (3)
Wordpress Plugin
Metasploit
Metasploit Weekly Wrap-Up: 7/7/23
Apache RocketMQ
We saw some great teamwork this week from jheysel-r7
[https://github.com/jheysel-r7] and h00die [https://github.com/h00die] to bring
you an exploit module for CVE-2023-33246
[https://attackerkb.com/topics/YBI7e7fY0a/cve-2023-33246?referrer=blog].
In Apache RocketMQ version 5.1.0 and earlier, there is an access control issue
which the module leverages to update the broker's configuration file without
authentication. From here we can gain remote code execution as whichever user is
ru
Metasploit
Metasploit Weekly Wrap-Up: 6/30/23
Nothing but .NET?
Smashery continues to… smash it by updating our .NET assembly execution module.
The original module allowed users to run a .NET exe as a thread within a process
they created on a remote host. Smashery’s improvements let users run the
executable within a thread of the process hosting Meterpreter and also changed
the I/O for the executing thread to support pipes, allowing interaction with the
spawned .NET thread, even when the other process has control over STDIN and
STDOUT. The
Metasploit
Metasploit Weekly Wrap-Up: 6/23/23
I like to MOVEit, MOVEit, We like to MOVEit!
Party hard just like it's Mardi Gras! bwatters-r7
[https://github.com/bwatters-r7] delivered the dance moves this week with a
masterful performance. The windows/http/moveit_cve_2023_34362 module is
available for all your party needs, taking advantage of CVE-2023-34362
[https://attackerkb.com/topics/mXmV0YpC3W/cve-2023-34362?referrer=blog], this
module gets into the MOVEit database and nets shells to help you "Keep on
jumpin' off the floor"!
New modul