Posts tagged Metasploit

2 min Metasploit

Metasploit Wrap-Up: 7/10/20

Intensity not on the Fujita scale SOC folks may have been feeling increased pressure as word spread of CVE-2020-5902 [https://attackerkb.com/topics/evLpPlZf0i/cve-2020-5902?referrer=blog#rapid7-analysis] being exploited in the wild. Vulnerabilities in networking equipment always pose a unique set of constraints for IT operations when it comes to mitigations and patches given their role in connecting users to servers, services or applications. Yet from an attacker’s perspective this vulnerabili
2 min Metasploit

Metasploit Wrap-Up: 7/3/20

Shifting (NET)GEARs Community contributor rdomanski [https://github.com/rdomanski] added a module for Netgear R6700v3 routers [https://github.com/rapid7/metasploit-framework/pull/13768] that allows unauthenticated attackers on the same network to reset the password for the admin user back to the factory default of password. Attackers can then manually change the admin user's password and log into it after enabling telnet via the exploit/linux/telnet/netgear_telnetenable module, which will gran
2 min Metasploit

Metasploit Wrap-Up: 6/26/20

Who watches the watchers? If you are checking up on an organization using Trend Micro Web Security, it might be you. A new module this week takes advantage of a chain of vulnerabilities to give everyone (read unauthenticated users) a chance to decide what threats the network might let slip through. Following the trend, what about watchers that are not supposed to be there? Agent Tesla Panel is a fun little trojan (not to be found zipping around on our highways and byways) which now offers, agai
2 min Metasploit

Metasploit Wrap-Up: 6/19/20

Arista Shell Escape Exploit Community contributor SecurityBytesMe [https://github.com/SecurityBytesMe] added an exploit module [https://github.com/rapid7/metasploit-framework/pull/13303] for various Arista switches. With credentials, an attacker can SSH into a vulnerable device and leverage a TACACS+ shell configuration to bypass restrictions. The configuration allows the pipe character to be used only if the pipe is preceded by a grep command. This configuration ultimately allows the chaining

2 min Metasploit

Metasploit Wrap-Up: 6/12/20

Windows BITS CVE-2020-0787 LPE in the Metasploit tree! This week, Grant Willcox [https://github.com/gwillcox-r7] presents his first Metasploit module contribution [https://github.com/rapid7/metasploit-framework/pull/13554] as part of our team. Research [https://itm4n.github.io/cve-2020-0787-windows-bits-eop/] from itm4n [https://github.com/itm4n] yielded CVE-2020-0787 [https://nvd.nist.gov/vuln/detail/CVE-2020-0787], describing a vulnerability in the Windows Background Intelligent Transfer Serv
2 min Metasploit Weekly Wrapup

Metasploit Wrap-Up: 6/5/20

vBulletin, WordPress, and WebLogic exploits, along with some enhancements and fixes.
2 min Metasploit Weekly Wrapup

Metasploit Wrap-Up: 5/29/20

Hello, World! This week’s wrapup features six new modules, including a double-dose of Synology and everyone’s favorite, Pi-Hole. Little NAS, featuring RCE Synology stations are small(ish) NAS devices, but as Steve Kaun, Nigusu Kassahun, and h00die have shown, they are not invulnerable. In the first module, a command injection exists in a scanning function that allows for an authenticated RCE, and in the second, a coding feature leaks whether a user exists on the system, allowing for brute-forc
2 min Metasploit

Metasploit Wrap-Up: 5/22/20

Bad WebLogic Our own Shelby Pace [https://github.com/space-r7] authored an exploit taking advantage of a Java object deserialization vulnerability in multiple different versions of WebLogic. The new module has been tested with versions v12.1.3.0.0, v12.2.1.3.0, and v12.2.1.4.0 of WebLogic and allows remote code execution through the of sending a serialized BadAttributeValueExpException object over the T3 protocol to vulnerable WebLogic servers. Cram it in your Pi-Hole As the incredibly origina
2 min Metasploit

Metasploit Wrap-Up: 5/15/20

Five new modules, including SaltStack Salt Master root key disclosure and unauthenticated RCE on Salt master and minion. A new Meterpreter fix also ensures correct handling of out-of-order packets in pivoted sessions.
5 min Metasploit Weekly Wrapup

Metasploit Wrap-Up: May 8, 2020

Nine new modules, including three IBM Data Risk Manager exploits, a couple Windows privilege elevation modules, and a .NET deserialization exploit for Veeam ONE Agent. Plus, a new .NET deserialization tool that allows users to generate serialized payloads in the vein of YSoSerial.NET.
3 min Metasploit

Metasploit Wrap-Up 5/1/20

Windows Meterpreter payload improvements Community contributor OJ [https://github.com/OJ] has made improvements to Windows Meterpreter payloads. Specifically reducing complexity around extension building and loading. This change comes with the benefit of removing some fingerprint artifacts, as well reducing the payload size as a side-effect. Note that Windows meterpreter sessions that are open prior to this bump will not be able to load new extensions after the bump if they connect with a new in
3 min Metasploit

Metasploit Wrap-Up 4/24/20

Security fix for the libnotify plugin (CVE-2020-7350) If you use the libnotify plugin to keep track of when file imports complete, the interaction between it and db_import allows a maliciously crafted XML file [https://github.com/rapid7/metasploit-framework/pull/13049] to execute arbitrary commands on your system. In proper Metasploit fashion, pastaoficial [https://github.com/pastaoficial] PR'd a file format exploit to go along with the fix, and our own smcintyre-r7 [https://github.com/smcintyre
2 min Metasploit

Metasploit Wrap-Up: Apr. 17, 2020

Nexus Repository Manager RCE This week our very own Will Vu [https://github.com/wvu-r7] wrote a module for CVE-2020-10199 which targets a remote code execution vulnerability within the Nexus Repository Manager. The vulnerability allows Java Expression Language (JavaEL) code to be executed. While the flaw requires authentication information to leverage it, any account is sufficient. This would allow any registered user to compromise the target server. Unquoted Service Path LPE Community contribu
3 min Risk Management

Meet AttackerKB

Meet AttackerKB: a new community-driven resource that highlights diverse perspectives on which vulnerabilities make the most appealing targets for attackers.
2 min Metasploit Weekly Wrapup

Metasploit Wrap-Up: 4/10/20

Meterpreter bug fixes and five new modules, including an LPE exploit for SMBghost (CVE-2020-0796) and a BloodHound post module that gathers information (sessions, local admin, domain trusts, etc.) and stores it as a BloodHound-consumable ZIP file in Framework loot.

Popular Topics

Tags