3 min
Metasploit
Metasploit Weekly Wrap-Up: 11/11/22
ADCS - ESC Vulnerable certificate template finder
Our very own Grant Willcox has developed a new module which allows users to
query a LDAP server for vulnerable Active Directory Certificate Services (AD CS)
certificate templates. The module will print the detected certificate details,
and the attack it is susceptible to. This module is capable of checking for
ESC1, ESC2, and ESC3 vulnerable certificates.
Example module output showing an identified vulnerable certificate template:
msf6 auxiliar
3 min
Metasploit
Metasploit Weekly Wrap-Up: 11/4/22
C is for cookie
And that’s good enough for Apache CouchDB, apparently. Our very own Jack Heysel
[https://github.com/jheysel-r7] added an exploit module based on CVE-2022-24706
targeting CouchDB prior to 3.2.2, leveraging a special default ‘monster’ cookie
that allows users to run OS commands.
This fake computer I just made says I’m an Admin
Metasploit’s zeroSteiner [https://github.com/zeroSteiner] added a module to
perform Role-based Constrained Delegation (RBCD) on an Active Directory network.
3 min
Metasploit
Metasploit Weekly Wrap-Up: Oct. 28, 2022
GLPI htmLawed PHP Command Injection
Our very own bwatters-r7 [https://github.com/bwatters-r7] wrote a module for an
unauthenticated PHP command injection vulnerability that exists in various
versions of GLPI. The vulnerability is due to a third-party vendor test script
being present in default installations. A POST request to
vendor/htmlawed/htmlawed/htmLawedTest.php directly allows an attacker to execute
exec() through the hhook and test parameters, resulting in unauthenticated RCE
as the www
3 min
Metasploit
Metasploit Weekly Wrap-Up: 10/21/22
Zimbra with Postfix LPE (CVE-2022-3569)
This week rbowes [https://github.com/rbowes-r7] added an LPE exploit for Zimbra
with Postfix. The exploit leverages a vulnerability whereby the Zimbra user can
run postfix as root which in turn is capable of executing arbitrary
shellscripts. This can be abused for reliable privilege escalation from the
context of the zimbra service account to root. As of this time, this
vulnerability remains unpatched.
Zimbra RCE (CVE-2022-41352)
rbowes [https://github.co
2 min
Metasploit Weekly Wrapup
Metasploit Wrap-Up: 10/14/22
Remote code execution modules for Spring Cloud Function and pfSense, plus bug fixes for the Windows secrets dump module.
5 min
Metasploit
Metasploit Weekly Wrap-Up: Oct. 7, 2022
Bofloader - Windows Meterpreter Gets Beacon Object File Loader Support
This week brings a new and frequently requested feature to the Windows
Meterpreter, the Beacon Object File loader. This new extension, bofloader,
allows for users to execute Beacon Object Files as written for either Cobalt
Strike or Sliver. This extension was provided by a group effort among community
members kev169 [https://github.com/kev169], GuhnooPlusLinux
[https://twitter.com/GuhnooPlusLinux], R0wdyJoe [https://twitter.c
2 min
Metasploit
Metasploit Weekly Wrap-Up: Sep. 30, 2022
Veritas Backup Exec Agent RCE
This module kindly provided by c0rs [https://github.com/c0rs] targets the
Veritas Backup Exec Agent in order to gain RCE as the system/root user.
The exploit itself is actually a chain of 3 separate CVEs (CVE-2021-27876,
CVE-2021-27877 and CVE-2021-27878) which only makes it more impressive.
While you're patching, why not take the time to test your backups too.
Hikvision IP Camera user impersonation
This vulnerability has been present in Hikvision products since 20
4 min
Metasploit
Metasploit Weekly Wrap-Up: 9/23/22
Have you built out that awesome media room?
If your guilty pleasures include using a mobile device to make your home
entertainment system WOW your guests, you might be using Unified Remote
[https://www.unifiedremote.com/]. I hope you are extra cautious about what
devices you let on that WiFi network. A prolific community member h00die
[https://github.com/h00die] added a module this week that uses a recently
published vulnerability from H4RK3NZ0 [https://github.com/H4rk3nz0] to leverage
an unprot
5 min
Metasploit
Metasploit Weekly Wrap-Up: Sep. 16, 2022
BYOS: Bring your own stager
We try hard to make sure we have a great choice of fully-functional payloads to
choose from, but sometimes you might want to “branch” out on your own, and if
that’s the case we’ve got you covered. In an attempt to make Metasploit play
well with others, we’ve introduced a brand new payload type: “custom.” “Custom”
payloads use Metasploit stagers to build a stager that will stage whatever
shellcode you send it.
Got a third-party payload you want to run like Sliver or a
3 min
Metasploit
Metasploit Weekly Wrap-Up: 9/9/22
Authenticated command injection vulnerability of Cisco ASA-X with FirePOWER
Services:
jbaines-r7 [https://github.com/jbaines-r7] added a new module that exploits an
authenticated command injection vulnerability CVE-2022-20828
[https://attackerkb.com/topics/wfvCFXXw2e/cve-2022-20828?referrer=blog] of Cisco
ASA-X with FirePOWER Services. This vulnerability affects all Cisco ASA
appliances that support ASA FirePOWER module. Note that, although a patch has
been added to most recent ASA FirePOWER mod
4 min
Metasploit
Metasploit Weekly Wrap-Up: 9/2/22
ICPR Certificate Management
This week Metasploit has a new ICPR Certificate Management module from Oliver
Lyak [https://github.com/ly4k] and our very own Spencer McIntyre
[https://github.com/zeroSteiner], which can be utilized for issuing certificates
via Active Directory Certificate Services. It has the capability to issue
certificates which is useful in a few contexts including persistence, ESC1
[https://posts.specterops.io/certified-pre-owned-d95910965cd2] and as a
primitive necessary for exp
3 min
Metasploit
Metasploit Wrap-Up: Aug. 26, 2022
Zimbra Auth Bypass to Shell
Ron Bowes [https://github.com/rbowes-r7] added an exploit module
[https://github.com/rapid7/metasploit-framework/pull/16922] that targets
multiple versions of Zimbra Collaboration Suite. The module leverages an
authentication bypass (CVE-2022-37042) and a directory traversal vulnerability
(CVE-2022-27925) to gain code execution as the zimbra user. The auth bypass
functionality correctly checks for a valid session; however, the function that
performs the check does not
3 min
Metasploit
Metasploit Wrap-Up: 8/19/22
Advantech iView NetworkServlet Command Injection
This week Shelby Pace [https://github.com/space-r7] has developed a new exploit
module for CVE-2022-2143
[https://attackerkb.com/topics/XYFOEYsgKa/cve-2022-2143?referrer=blog]. This
module uses an unauthenticated command injection vulnerability to gain remote
code execution against vulnerable versions of Advantech iView software below
5.7.04.6469. The software runs as NT AUTHORITY\SYSTEM, granting the module user
unauthenticated privileged access
3 min
Metasploit Weekly Wrapup
Metasploit Weekly Wrap-Up: 8/12/22
Putting in the work!
This week we’re extra grateful for the fantastic contributions our community
makes to Metasploit. The Metasploit team landed more than 5 PRs each from Ron
Bowes [https://github.com/rbowes-r7] and bcoles [https://github.com/bcoles],
adding some great new capabilities.
Ron Bowes [https://github.com/rbowes-r7] contributed four new modules targeting
UnRAR, Zimbra, and ManageEngine ADAudit Plus. These modules offer Metasploit
users some excellent new vectors to leverage against
3 min
Metasploit
Metasploit Weekly Wrap-Up: 8/5/22
Log4Shell in MobileIron Core
Thanks to jbaines-r7 [https://github.com/jbaines-r7] we have yet another
Log4Shell exploit [https://github.com/rapid7/metasploit-framework/pull/16837].
Similar to the other Log4Shell exploit modules, the exploit works by sending a
JNDI string that once received by the server will be deserialized, resulting in
unauthenticated remote code execution as the tomcat user. Vulnerable versions of
MobileIron Core have been reported as exploited
[https://www.mandiant.com/resou