Posts by Shelby Pace

4 min Metasploit Weekly Wrapup

Metasploit Weekly Wrap-Up: 4/14/23

Rocket Software UniRPC Exploits Ron Bowes [] submitted two exploit modules [] for vulnerabilities he discovered [] in the UniRPC server for Rocket Software’s UniData product. The first exploit module, exploit/linux/misc/unidata_udadmin_auth_bypass exploits an authentication bypass to ultimately gain remot

2 min Metasploit

Metasploit Weekly Wrap-Up: 1/27/23

Cacti Unauthenticated Command Injection Thanks to community contributor Erik Wynter [], Metasploit Framework now has an exploit module [] for an unauthenticated command injection vulnerability in the Cacti network-monitoring software. The vulnerability is due to a proc_open() call that accepts unsanitized user input in remote_agent.php. Provided that the target server has data that's tied to the POLLER_ACTION_S

3 min Metasploit

Metasploit Weekly Wrap-Up: Oct. 28, 2022

GLPI htmLawed PHP Command Injection Our very own bwatters-r7 [] wrote a module for an unauthenticated PHP command injection vulnerability that exists in various versions of GLPI. The vulnerability is due to a third-party vendor test script being present in default installations. A POST request to vendor/htmlawed/htmlawed/htmLawedTest.php directly allows an attacker to execute exec() through the hhook and test parameters, resulting in unauthenticated RCE as the www

3 min Metasploit

Metasploit Wrap-Up: Aug. 26, 2022

Zimbra Auth Bypass to Shell Ron Bowes [] added an exploit module [] that targets multiple versions of Zimbra Collaboration Suite. The module leverages an authentication bypass (CVE-2022-37042) and a directory traversal vulnerability (CVE-2022-27925) to gain code execution as the zimbra user. The auth bypass functionality correctly checks for a valid session; however, the function that performs the check does not

3 min Metasploit

Metasploit Weekly Wrap-Up: 8/5/22

Log4Shell in MobileIron Core Thanks to jbaines-r7 [] we have yet another Log4Shell exploit []. Similar to the other Log4Shell exploit modules, the exploit works by sending a JNDI string that once received by the server will be deserialized, resulting in unauthenticated remote code execution as the tomcat user. Vulnerable versions of MobileIron Core have been reported as exploited [

2 min Metasploit Weekly Wrapup

Metasploit Wrap-Up: 4/29/22

Module additions this week to enumerate all installed AV products on Windows and escape sandboxes on certain Debian-specific Redis versions. Plus, a new place for Metasploit docs focused on pen testing workflows.

4 min Metasploit

Metasploit Weekly Wrap-Up: Mar. 4, 2022

This week’s Metasploit Framework release brings us seven new modules. IP Camera Exploitation Rapid7’s Jacob Baines [] was busy this week with two exploit modules that target IP cameras. The first [] module exploits an authenticated file upload on Axis IP cameras. Due to lack of proper sanitization, an attacker can upload and install an eap application which, when executed, will grant the attacker root privileg

3 min Metasploit Weekly Wrapup

Metasploit Wrap-Up: Jun. 25, 2021

Three fresh modules for Cisco targets and rConfig, plus new enhancements and fixes.

4 min Metasploit Weekly Wrapup

Metasploit Wrap-Up: Mar. 19, 2021

A local exploit for a Windows Server 2012 DLL hijacking vulnerability, plus a slew of fixes and improvements.

2 min Metasploit Weekly Wrapup

Metasploit Wrap-Up: 11/13/20

Four new modules, including an exploit for SaltStack Salt and an exploit for a now-patched vuln in Metasploit, plus new enhancements and fixes.

2 min Metasploit

Metasploit Wrap-Up: 7/17/20

Plex unpickling The exploit/windows/http/plex_unpickle_dict_rce module [] by h00die [] exploits an authenticated Python deserialization vulnerability in Plex Media Server. The module exploits the vulnerability by creating a photo library and uploading a Dict file containing a Python payload to the library’s path. Code execution is then achieved by triggering the plugin loading functionality, which unpickles the Dic

2 min Metasploit

Metasploit Wrap-Up: 6/19/20

Arista Shell Escape Exploit Community contributor SecurityBytesMe [] added an exploit module [] for various Arista switches. With credentials, an attacker can SSH into a vulnerable device and leverage a TACACS+ shell configuration to bypass restrictions. The configuration allows the pipe character to be used only if the pipe is preceded by a grep command. This configuration ultimately allows the chaining

2 min Metasploit Weekly Wrapup

Metasploit Wrap-Up: 3/20/20

Five new modules plus fixes and enhancements. Exploits for ManageEngine, rConfig, and SQL Server Reporting Services, among others.

7 min Metasploit

Metasploit Shellcode Grows Up: Encrypted and Authenticated C Shells

Introducing encrypted, compiled payloads in Metasploit Framework 5

2 min Metasploit Weekly Wrapup

Metasploit Wrap-Up 9/27/19

BlueKeep is Here The BlueKeep exploit module [] is now officially a part of Metasploit Framework. This module reached merged status thanks to lots of collaboration between Rapid7 and the MSF community members. The module requires some manual configuration per target, and targets include both virtualized and non-virtualized versions of Windows 7 and Windows Server 2008. For a full overview of the exploit’s development and notes on use and d