Posts by Alan David Foster

3 min Metasploit

Metasploit Weekly Wrap-Up 04/05/2024

New ESC4 Templates for AD CS Metasploit added capabilities [] for exploiting the ESC family of flaws in AD CS in Metasploit 6.3. The ESC4 technique in particular has been supported for some time now thanks to the ad_cs_cert_templates module which enables users to read and write certificate template objects. This facilitates the exploitation of ESC4 which is a misconfiguration in

5 min Metasploit

Metasploit Weekly Wrap-Up 01/26/24

Direct Syscalls Support for Windows Meterpreter Direct system calls are a well-known technique that is often used to bypass EDR/AV detection. This technique is particularly useful when dynamic analysis is performed, where the security software monitors every process on the system to detect any suspicious activity. One common way to do so is to add user-land hooks on Win32 API calls, especially those commonly used by malware. Direct syscalls are a way to run system calls directly and enter kernel

3 min Metasploit

Metasploit Weekly Wrap-Up: Sep. 29, 2023

TeamCity authentication bypass and remote code execution This week’s Metasploit release includes a new module for a critical authentication bypass in JetBrains TeamCity CI/CD Server. All versions of TeamCity prior to version 2023.05.4 are vulnerable to this issue. The vulnerability was originally discovered by SonarSource, and the Metasploit module was developed by Rapid7’s Principal Security Researcher Stephen Fewer who additionally published a technical analysis on AttackerKB for CVE-2023-4279

5 min Metasploit

Metasploit Weekly Wrap-Up: Jun. 16, 2023

Metasploit T-Shirt Design Contest In honor of Metasploit's 20th anniversary, Rapid7 is launching special edition t-shirts - and we're inviting members of our community to have a hand in its creation. The contest winner will have their design featured on the shirts, which will then be available to pick up at Black Hat 2023. We will be accepting submissions from now through June 30! Contest details, design guidelines, and submission instructions here [

4 min Metasploit

Metasploit Wrap-Up: May 12, 2023

New modules for Zyxel Router RCE, Pentaho Business Server Auth Bypass, ManageEngine ADAudit authenticated file write RCE, and HTTPTrace functionality added to scanner modules

7 min Metasploit

Metasploit Weekly Wrap-Up: Mar. 31, 2023

5 new modules including Windows 11 WinSock Priv Esc, SolarWinds Information Service (SWIS) RCE and AMQP Support

13 min Metasploit

Metasploit Framework 6.3 Released

Metasploit Framework 6.3 is now available. New features include native Kerberos authentication support, streamlined Active Directory attack workflows (AD CS, AD DS), and new modules that request, forge, and convert tickets between formats.

3 min Metasploit

Metasploit Weekly Wrap-Up: 11/11/22

ADCS - ESC Vulnerable certificate template finder Our very own Grant Willcox has developed a new module which allows users to query a LDAP server for vulnerable Active Directory Certificate Services (AD CS) certificate templates. The module will print the detected certificate details, and the attack it is susceptible to. This module is capable of checking for ESC1, ESC2, and ESC3 vulnerable certificates. Example module output showing an identified vulnerable certificate template: msf6 auxiliar

3 min Metasploit

Metasploit Wrap-Up: 8/19/22

Advantech iView NetworkServlet Command Injection This week Shelby Pace [] has developed a new exploit module for CVE-2022-2143 []. This module uses an unauthenticated command injection vulnerability to gain remote code execution against vulnerable versions of Advantech iView software below The software runs as NT AUTHORITY\SYSTEM, granting the module user unauthenticated privileged access

9 min Metasploit

Announcing Metasploit 6.2

Metasploit 6.2.0 has been released, marking another milestone that includes new modules, features, improvements, and bug fixes.

4 min Metasploit

Metasploit Weekly Wrap-Up: 5/27/22

PetitPotam Improvements Metasploit’s Ruby support has been updated to allow anonymous authentication to SMB servers. This is notably useful while exploiting the PetitPotam vulnerability with Metasploit, which can be used to coerce a Domain Controller to send an authentication attempt over SMB to other machines via MS-EFSRPC methods: msf6 auxiliary(scanner/dcerpc/petitpotam) > run [*] - Binding to c681d488-d850-11d0-8c52-00c04fd90f7e:1.0@ncacn_np:192.168.159

3 min Metasploit

Metasploit Wrap-Up: May 6, 2022

Three new exploit modules, and an update for Windows 11 support

1 min Metasploit

Metasploit Weekly Wrap-Up: 4/1/22

CVE-2022-22963 - Spring Cloud Function SpEL RCE A new exploit/multi/http/spring_cloud_function_spel_injection module has been developed by our very own Spencer McIntyre [] which targets Spring Cloud Function versions Prior to 3.1.7 and 3.2.3. This module is unrelated to Spring4Shell CVE-2022-22965 [] , which is a separate vulnerability in the WebDataBinder component

3 min Metasploit

Metasploit Weekly Wrap-Up: Mar. 18, 2022

CVE-2022-21999 - SpoolFool Our very own Shelby Pace [] has added a new module for the CVE-2022-21999 SpoolFool privilege escalation vulnerability []. This escalation vulnerability can be leveraged to achieve code execution as SYSTEM. This new module has successfully been tested on Windows 10 (10.0 Build 19044) and Windows Server 2019 v1809 (Build 17763.1577). CVE-2021-4191 - Gitlab GraphQL API User E

3 min Metasploit

Metasploit Wrap-Up: Dec. 17, 2021

A new Log4Shell / Log4j scanner module for Metasploit, a new WordPress module, and multiple enhancements and bug fixes