Metasploit Town Hall @ Derbycon
Metasploit’s Brent Cook, Adam Cammack, Aaron Soto, and Cody Pierce are offering themselves up to the crowds at this year’s fourth annual Metasploit Town Hall at Derbycon. Block off your 5 p.m. EDT hour on Saturday, Oct. 6 to join the team (livestreamed) as they unveil some new hotness in Metasploit Framework and take questions and requests. Can’t make it but still have something to add? Join us on Slack or @ us on Twitter.
Pyriphlegethon discovered vulnerabilities in Navigate CMS v2.8 and submitted a module that can be used to perform remote code execution on vulnerable applications. The module performs an injection through a cookie header to retrieve a valid session ID. Then, an upload feature with a directory traversal flaw is used to overwrite a PHP file within the application's web root. Once the file is overwritten with a generated payload, the payload is executed by making a request to the overwritten page.
VNC Password Retrieval
Looking for passwords on a host can be fun(ny), especially if there is a file named passwords.txt. In this case, the file is named com.apple.VNCSettings.txt. interhack86 provided a post module that retrieves and decrypts VNC passwords from OS X High Sierra.
Exploit modules (2 new)
- Navigate CMS Unauthenticated Remote Code Execution by Pyriphlegethon, which exploits CVE-2018-17552 and CVE-2018-17553
- Zahir Enterprise Plus 6 Stack Buffer Overflow by f3ci and modpr0be, which exploits CVE-2018-17408
Auxiliary and post modules (1 new)
- OS X Display Apple VNC Password by Kevin Gonzalvo
- busterb fixed a Meterpreter channel closing issue that would cause errors to appear when pivoting through Meterpreter with Metasploit running on Ruby 2.5 and later.
- Green-m improved error handling and aborting execution of exploit modules running against multiple hosts.
- wvu-r7 added ARGS and TIMEOUT options to the upload_exec module, which fixed an issue reported by bcoles.
- timwr added an API key option to the wlan_geolocate module, which fixed an issue reported by V3rB0se.
- mkienow-r7 enhanced the module information retrieved over RPC to optionally include additional information and added architecture filtering as well.
As always, you can update to the latest Metasploit Framework with
and you can get more details on the changes since the last blog post from
To install fresh, check out the open-source-only Nightly Installers, or the binary installers which also include the commercial editions. PLEASE NOTE that these installers, and Metasploit Framework versions included in distros such as Kali, Parrot, etc., are based off the stable Metasploit 4 branch. If you'd like to try out the newer things going into Metasploit 5, that work is available in the master branch of the Metasploit Framework repo on GitHub.