Posts by Shelby Pace

3 min Metasploit Weekly Wrapup

Metasploit Wrap-Up

Three fresh modules for Cisco targets and rConfig, plus new enhancements and fixes.

4 min Metasploit Weekly Wrapup

Metasploit Wrap-Up

A local exploit for a Windows Server 2012 DLL hijacking vulnerability, plus a slew of fixes and improvements.

2 min Metasploit Weekly Wrapup

Metasploit Wrap-Up

Four new modules, including an exploit for SaltStack Salt and an exploit for a now-patched vuln in Metasploit, plus new enhancements and fixes.

2 min Metasploit

Metasploit Wrap-Up

Plex unpickling The exploit/windows/http/plex_unpickle_dict_rce module [https://github.com/rapid7/metasploit-framework/pull/13741] by h00die [https://github.com/h00die] exploits an authenticated Python deserialization vulnerability in Plex Media Server. The module exploits the vulnerability by creating a photo library and uploading a Dict file containing a Python payload to the library’s path. Code execution is then achieved by triggering the plugin loading functionality, which unpickles the Dic

2 min Metasploit

Metasploit Wrap-Up

Arista Shell Escape Exploit Community contributor SecurityBytesMe [https://github.com/SecurityBytesMe] added an exploit module [https://github.com/rapid7/metasploit-framework/pull/13303] for various Arista switches. With credentials, an attacker can SSH into a vulnerable device and leverage a TACACS+ shell configuration to bypass restrictions. The configuration allows the pipe character to be used only if the pipe is preceded by a grep command. This configuration ultimately allows the chaining

2 min Metasploit Weekly Wrapup

Metasploit Wrap-Up

Five new modules plus fixes and enhancements. Exploits for ManageEngine, rConfig, and SQL Server Reporting Services, among others.

7 min Metasploit

Metasploit Shellcode Grows Up: Encrypted and Authenticated C Shells

Introducing encrypted, compiled payloads in Metasploit Framework 5

2 min Metasploit Weekly Wrapup

Metasploit Wrap-Up

BlueKeep is Here The BlueKeep exploit module [https://github.com/rapid7/metasploit-framework/pull/12283] is now officially a part of Metasploit Framework. This module reached merged status thanks to lots of collaboration between Rapid7 and the MSF community members. The module requires some manual configuration per target, and targets include both virtualized and non-virtualized versions of Windows 7 and Windows Server 2008. For a full overview of the exploit’s development and notes on use and d

2 min Metasploit Weekly Wrapup

Metasploit Wrap-Up

I am Root An exploit module [https://github.com/rapid7/metasploit-framework/pull/11987] for Nagios XI v5.5.6 was added by community contributor yaumn [https://github.com/yaumn]. This module includes two exploits chained together to achieve code execution with root privileges, and it all happens without authentication. A single unsanitized parameter in magpie_debug.php enables the ability to write arbitrary PHP code to a publicly accessible directory and get code execution. Privilege escalation

2 min Metasploit Weekly Wrapup

Metasploit Wrap-Up

Introducing Metasploit Development Diaries We are happy to introduce a new quarterly series, the Metasploit Development Diaries [/2019/03/26/introducing-the-metasploit-development-diaries/]. The dev diaries walk users and developers through some example exploits and give detailed analysis of how the exploits operate and how Metasploit evaluates vulnerabilities for inclusion in Framework. The first in the dev diaries series features technical analysis by sinn3r [https://twitter.com/_sinn3r?lang=e

2 min Metasploit Weekly Wrapup

Metasploit Wrapup

Backups that Cause Problems hypn0s [https://github.com/hypn0s] contributed a module [https://github.com/rapid7/metasploit-framework/pull/10960] that exploits Snap Creek’s Duplicator plugin for WordPress. Duplicator is a plugin that eases the backup and migration of WordPress installations. For versions 1.2.40 and below, Duplicator leaves behind a number of sensitive files, including one that gives access to controlling the WordPress restoration process. Sending a POST request to the now accessib

1 min Metasploit Weekly Wrapup

Metasploit Wrapup

ssh_enumusers Gets An Update wvu [https://github.com/wvu-r7] integrated the malformed packet technique [https://nvd.nist.gov/vuln/detail/CVE-2018-15473] into the ssh_enumusers module originally written by kenkeiras [https://github.com/kenkeiras]. This module allows an attacker to guess the user accounts on an OpenSSH server on versions up to 7.7, allowing the module to work on more versions than before. GSoC Wraps Up As Google Summer of Code finished up, Framework received an array of new and e