Posts by Dean Welch

2 min Metasploit

Metasploit Weekly Wrap-Up

Veritas Backup Exec Agent RCE This module kindly provided by c0rs [https://github.com/c0rs] targets the Veritas Backup Exec Agent in order to gain RCE as the system/root user. The exploit itself is actually a chain of 3 separate CVEs (CVE-2021-27876, CVE-2021-27877 and CVE-2021-27878) which only makes it more impressive. While you're patching, why not take the time to test your backups too. Hikvision IP Camera user impersonation This vulnerability has been present in Hikvision products since 20

3 min Metasploit

Metasploit Weekly Wrap-Up

DFSCoerce - Distributing more than just files DFS (Distributed File System) is now distributing Net-NTLM credentials thanks to Spencer McIntyre [https://github.com/zeroSteiner] with a new auxiliary/scanner/dcerpc/dfscoerce module that is similar to PetitPotam in how it functions. Note that unlike PetitPotam, this technique does require a normal domain user’s credentials to work. The following shows the workflow for targeting a 64-bit Windows Server 2019 domain controller. Metasploit is hostin

3 min Metasploit

Metasploit Weekly Wrap-Up

ManageEngine ADSelfService Plus Authenticated RCE This module is pretty exciting for us because it's for a vulnerability discovered by our very own Rapid7 researchers Jake Baines [https://github.com/jbaines-r7], Hernan Diaz, Andrew Iwamaye, and Dan Kelly. The vulnerability allowed for attackers to leverage the "custom script" functionality to execute arbitrary operating system commands whenever domain users reset their passwords. I won't go into too much depth though because we have a whole blog

3 min Metasploit

Metasploit Weekly Wrap-Up

A new Log4Shell module for unauthenticated RCE on Ubiquiti UniFi devices, getsystem improvements, and more!

2 min Metasploit Weekly Wrapup

Metasploit Wrap-Up

Metasploit's first modules targeting Kubernetes, plus Windows support for exploiting Confluence Server CVE-2021-26084.

2 min Metasploit Weekly Wrapup

Metasploit Wrap-Up

Spilling the (Gi)tea We have two modules coming in from cdelafuente-r7 targeting CVE-2020-14144 for both the Gitea and Gogs self-hosted Git services. Both modules are similar: they take advantage of a user's ability to create Git hooks by authenticating with the web interface, creating a dummy repos

3 min Metasploit

Metasploit Wrap-Up

A new Microsoft Windows Spooler privesc module, along with some fixes and improvements!

5 min Metasploit Weekly Wrapup

Metasploit Wrap-Up

Metasploit 6 initial features and active development, the 2020 open-source security meetup (OSSM), four new modules, and the longest list of enhancements and fixes we've ever written in one sitting.

2 min Metasploit Weekly Wrapup

Metasploit Wrap-Up

Four new modules and lots of productivity enhancements. You can now run `rubocop -a` to automatically fix most formatting issues when developing modules. Plus, try the new `tip` command in MSF for Framework usage tips!

1 min Metasploit

Metasploit Wrap-Up

Command and Control with DOUBLEPULSAR We now have a DOUBLEPULSAR exploit module [https://github.com/rapid7/metasploit-framework/pull/12374] thanks to some amazing work by our own wvu [https://github.com/wvu-r7], Jacob Robles, and some significant contributions from the wider community. The module allows you to check for the DOUBLEPULSAR implant, disable it, or even load your own payloads as well; it really deserves its own blog post… [/2019/10/02/open-source-command-and-control-of-the-doublepuls