Metasploit Wrap-Up: Aug. 26, 2022
Zimbra Auth Bypass to Shell
Ron Bowes [https://github.com/rbowes-r7] added an exploit module
[https://github.com/rapid7/metasploit-framework/pull/16922] that targets
multiple versions of Zimbra Collaboration Suite. The module leverages an
authentication bypass (CVE-2022-37042) and a directory traversal vulnerability
(CVE-2022-27925) to gain code execution as the zimbra user. The auth bypass
functionality correctly checks for a valid session; however, the function that
performs the check does not
Metasploit Wrap-Up: 8/19/22
Advantech iView NetworkServlet Command Injection
This week Shelby Pace [https://github.com/space-r7] has developed a new exploit
module for CVE-2022-2143
[https://attackerkb.com/topics/XYFOEYsgKa/cve-2022-2143?referrer=blog]. This
module uses an unauthenticated command injection vulnerability to gain remote
code execution against vulnerable versions of Advantech iView software below
5.7.04.6469. The software runs as NT AUTHORITY\SYSTEM, granting the module user
unauthenticated privileged access
Metasploit Weekly Wrap-Up: 8/12/22
Putting in the work!
This week we’re extra grateful for the fantastic contributions our community
makes to Metasploit. The Metasploit team landed more than 5 PRs each from Ron
Bowes [https://github.com/rbowes-r7] and bcoles [https://github.com/bcoles],
adding some great new capabilities.
Ron Bowes [https://github.com/rbowes-r7] contributed four new modules targeting
UnRAR, Zimbra, and ManageEngine ADAudit Plus. These modules offer Metasploit
users some excellent new vectors to leverage against
Metasploit Weekly Wrap-Up: 8/5/22
Log4Shell in MobileIron Core
Thanks to jbaines-r7 [https://github.com/jbaines-r7] we have yet another
Log4Shell exploit [https://github.com/rapid7/metasploit-framework/pull/16837].
Similar to the other Log4Shell exploit modules, the exploit works by sending a
JNDI string that once received by the server will be deserialized, resulting in
unauthenticated remote code execution as the tomcat user. Vulnerable versions of
MobileIron Core have been reported as exploited
[https://www.mandiant.com/resou
Metasploit Weekly Wrap-Up: Jul. 29, 2022
Roxy-WI Unauthenticated RCE
This week, community member Nuri Çilengir [https://github.com/ncilengir] added
an unauthenticated RCE for Roxy-WI. Roxy-WI is an interface for managing
HAProxy, Nginx and Keepalived servers. The vulnerability can be triggered by a
specially crafted POST request to a Python script where the ipbackend parameter
is vulnerable to OS command injection. The result is reliable code execution
within the context of the web application user.
Fewer Meterpreter Scripts
Community
Metasploit Weekly Wrap-Up: 7/22/22
The past, present and future of Metasploit
Don't miss Spencer McIntyre's talk on Help Net Security's blog
[https://www.helpnetsecurity.com/2022/07/20/past-present-future-metasploit-video/].
Spencer is the Lead Security Researcher at Rapid7 and speaks about how
Metasploit has evolved since its creation back in 2003. He also explains how the
Framework is addressing today's offensive security challenges and how important
the partnership with the community is.
LDAP swiss army knife
This week,
Metasploit Weekly Wrap-Up: Jul 15, 2022
JBOSS EAP/AS - More Deserializations? Indeed!
Community contributor Heyder Andrade [https://github.com/heyder] added a new
module for a Java deserialization vulnerability in the JBOSS EAP/AS Remoting Unified
Invoker interface for versions 6.1.0 and prior. As far as we can tell this was
first disclosed by Joao Matos [https://github.com/joaomatosf] in his paper at
AlligatorCon
[https://s3.amazonaws.com/files.joaomatosf.com/slides/alligator_slides.pdf].
Later a PoC from Marcio Almeida [https://twit
Metasploit Weekly Wrap-Up: 7/8/22
DFSCoerce - Distributing more than just files
DFS (Distributed File System) is now distributing Net-NTLM credentials thanks to
Spencer McIntyre [https://github.com/zeroSteiner] with a new
auxiliary/scanner/dcerpc/dfscoerce module that is similar to PetitPotam in how
it functions. Note that unlike PetitPotam, this technique does require a normal
domain user’s credentials to work.
The following shows the workflow for targeting a 64-bit Windows Server 2019
domain controller. Metasploit is hostin
Metasploit Weekly Wrap-Up: Jul. 1, 2022
SAMR Auxiliary Module
A new SAMR auxiliary module has been added that allows users to add, lookup, and
delete computer accounts from an AD domain. This should be useful for pentesters
on engagements who need to create an AD account to gain an initial foothold into
the domain for lateral movement attacks, or who need to use this functionality
as an attack primitive.
Note when using this module that there is a standard number of computers a user
can add, so be wary that you may get STATUS_DS_MACH
Metasploit Weekly Wrap-Up: 6/24/22
Add Windows target support for the Confluence OGNL injection module
This release improves the exploit/multi/http/atlassian_confluence_namespace_ognl_injection
module to support Windows server targets. This new target can be used to run
payloads in memory with PowerShell using the new payload adapters or drop an
executable to disk. Once a Meterpreter session is obtained, getsystem can be
used to escalate to NT AUTHORITY\SYSTEM using the RPCSS technique (#5) since
Confluence service runs as NETWORK SERVICE by
Metasploit Weekly Wrap-Up: Jun. 17, 2022
vCenter Secret Extracter
Expanding on the work of the vcenter_forge_saml_token auxiliary module,
community contributor npm-cesium137-io [https://github.com/npm-cesium137-io] has
added a new module for extracting the vmdir/vmafd certificates, the IdP keypair,
the VMCA root cert, and anything from vmafd that has a private key associated,
from an offline copy of the services database. This information can then be used
with the vcenter_forge_saml_token module to gain a session cookie that grants
acc
Metasploit Weekly Wrap-Up: 6/10/22
A Confluence of High-Profile Modules
This release features modules covering the Confluence remote code execution bug
CVE-2022-26134 and the hotly-debated CVE-2022-30190, a file format vulnerability
in the Windows Operating System accessible through malicious documents. Both
have been all over the news, and we’re very happy to bring them to you so that
you can verify mitigations and patches in your infrastructure. If you’d like to
read more about these vulnerabilities, Rapid7 has AttackerKB analy
Announcing Metasploit 6.2
Metasploit 6.2.0 has been released, marking another milestone that includes new modules, features, improvements, and bug fixes.
Metasploit Weekly Wrap-Up: 6/3/22
Ask and you may receive
Module suggestions [https://github.com/rapid7/metasploit-framework/issues/16522]
for the win: this week we see a new module written by jheysel-r7
[https://github.com/jheysel-r7] based on CVE-2022-26352
[https://attackerkb.com/topics/7i5Uf6JNl0/cve-2022-26352?referrer=blog] that
happens to have been suggested by jvoisin [https://github.com/jvoisin] in the
issue queue last month. This module targets an arbitrary file upload in dotCMS
[https://github.com/dotCMS/core.git] ve
Metasploit Weekly Wrap-Up: 5/27/22
PetitPotam Improvements
Metasploit’s Ruby support has been updated to allow anonymous authentication to
SMB servers. This is notably useful while exploiting the PetitPotam
vulnerability with Metasploit, which can be used to coerce a Domain Controller
to send an authentication attempt over SMB to other machines via MS-EFSRPC
methods:
msf6 auxiliary(scanner/dcerpc/petitpotam) > run 192.168.159.10
[*] 192.168.159.10:445 - Binding to c681d488-d850-11d0-8c52-00c04fd90f7e:1.0@ncacn_np:192.168.159