Posts by Jacob Robles

2 min Metasploit Weekly Wrapup

Metasploit Wrap-Up

RCE with a Key

An exploit module [https://github.com/rapid7/metasploit-framework/pull/12062] for Laravel Framework was submitted by community contributor aushack [https://github.com/aushack]. The module targets an insecure unserialize call with the X-XSRF-TOKEN HTTP request header, which was discovered by Ståle Pettersen. Since the exploit requires the Laravel APP_KEY to reach the vulnerable unserialize call, aushack included information leak [https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-

3 min Metasploit Weekly Wrapup

Metasploit Wrap-Up

WordPress RCE

tiyeuse [https://github.com/tiyeuse] submitted a Metasploit module [https://github.com/rapid7/metasploit-framework/pull/11587] for an authenticated remote code execution vulnerability in WordPress, which was described in a blog post by RIPS Technology [https://blog.ripstech.com/2019/wordpress-image-remote-code-execution/]. After authenticating as a user with at least author privileges, the module starts by uploading an image file with PHP code that will be used later. Then the imag

2 min Metasploit Weekly Wrapup

Metasploit Wrap-up

MSF 5 in the wild

We announced the release [/2019/01/10/metasploit-framework-5-0-released/] of Metasploit Framework 5.0 this week. It’s Metasploit’s first major version release since 2011, and it includes lots of good stuff the team has been working on for the past year-plus. It will be packaged and integrated into your favorite software distributions over the next few months; until then, you can get MSF 5 by checking out the 5.0.0 tag [https://github.com/rapid7/metasploit-framework/releases/tag

2 min Metasploit Weekly Wrapup

Metasploit Wrapup

Metasploit’s Brent Cook, Adam Cammack, Aaron Soto, and Cody Pierce are offering themselves up to the crowds at this year’s fourth annual Metasploit Town Hall at Derbycon.

2 min Metasploit Weekly Wrapup

Metasploit Wrapup

Privilege Escalation

Linux BPF CVE-2017-16995 [https://nvd.nist.gov/vuln/detail/CVE-2017-16995] is a Linux kernel vulnerability in the way that a Berkeley Packet Filter (BPF) program is verified. Multiple sign extension bugs allow memory corruption by unprivileged users, which could be used for a local privilege escalation attack by overwriting a credential structure in memory to gain root access to a compromised host. The bpf_sign_extension_priv_esc module [https://github.com/rapid7/metasploit-framew

2 min Metasploit Weekly Wrapup

Metasploit Wrapup

Chaining Vulnerabilities

Philip Pettersson discovered vulnerabilities in certain PAN OS versions [http://seclists.org/fulldisclosure/2017/Dec/38] that could lead to remote code execution, and hdm wrote a Metasploit module for the exploit chain [https://github.com/rapid7/metasploit-framework/pull/9980]. The exploit chain starts off with an authentication bypass, which allows the module to access a page that is vulnerable to an XML injection. This page is then used to create a directory where a pay

2 min Metasploit Weekly Wrapup

Metasploit Wrapup

What's Your Favorite Security Site?

When you are browsing sites on the Internet, you may notice that some sites [http://www.irongeek.com/] will include your public IP address on their pages. But what if you came across a site that also showed your IP address from your private network range [https://media.giphy.com/media/3otPoDVeyxTT1jIKqc/giphy.gif]? This might be a little worrying [https://media.giphy.com/media/xhaHU2l56OSYM/giphy.gif], but before you run off, you check to make sure the coast is cle

3 min Metasploit Weekly Wrapup

Metasploit Wrapup

More Servers Please

A new module [https://github.com/rapid7/metasploit-framework/pull/9441] by Pedro Ribeiro combines vulnerabilities for certain firmware versions of AsusWRT, which allow an unauthenticated user to enable a special command mode on the device. When the command mode is enabled, the device spins up infosvr on UDP port 9999. The great thing about infosvr is that you can construct UDP packets to have it execute commands on your behalf... as root.

Back in Windows Land

In case your