Posts tagged Metasploit Weekly Wrapup

2 min Metasploit

Metasploit Weekly Wrap-Up

SAMR Auxiliary Module A new SAMR auxiliary module has been added that allows users to add, look up, and delete computer accounts in an AD domain. This should be useful for pentesters on engagements who need to create an AD account to gain an initial foothold in the domain for lateral movement attacks, or who need this functionality as an attack primitive. Note when using this module that there is a default limit on the number of computer accounts a user can add, so be wary that you may get STATUS_DS_MACH

2 min Metasploit

Metasploit Weekly Wrap-Up

Add Windows target support for the Confluence OGNL injection module Improves the exploit/multi/http/atlassian_confluence_namespace_ognl_injection module to support Windows server targets. This new target can be used to run payloads in memory with PowerShell using the new payload adapters, or to drop an executable to disk. Once a Meterpreter session is obtained, getsystem can be used to escalate to NT AUTHORITY\SYSTEM using the RPCSS technique (#5), since the Confluence service runs as NETWORK SERVICE by

2 min Metasploit

Metasploit Weekly Wrap-Up

vCenter Secret Extracter Expanding on the work of the vcenter_forge_saml_token auxiliary module, community contributor npm-cesium137-io [https://github.com/npm-cesium137-io] has added a new module that extracts the vmdir/vmafd certificates, the IdP keypair, the VMCA root cert, and anything in vmafd that has an associated private key from an offline copy of the services database. This information can then be used with the vcenter_forge_saml_token module to gain a session cookie that grants acc

2 min Metasploit

Metasploit Weekly Wrap-Up

A Confluence of High-Profile Modules This release features modules covering the Confluence remote code execution bug CVE-2022-26134 and the hotly-debated CVE-2022-30190, a file format vulnerability in the Windows Operating System accessible through malicious documents. Both have been all over the news, and we’re very happy to bring them to you so that you can verify mitigations and patches in your infrastructure. If you’d like to read more about these vulnerabilities, Rapid7 has AttackerKB analy

2 min Metasploit

Metasploit Weekly Wrap-Up

Ask and you may receive Module suggestions [https://github.com/rapid7/metasploit-framework/issues/16522] for the win: this week we see a new module written by jheysel-r7 [https://github.com/jheysel-r7] based on CVE-2022-26352 [https://attackerkb.com/topics/7i5Uf6JNl0/cve-2022-26352?referrer=blog], which happens to have been suggested by jvoisin [https://github.com/jvoisin] in the issue queue last month. This module targets an arbitrary file upload in dotCMS [https://github.com/dotCMS/core.git] ve

4 min Metasploit

Metasploit Weekly Wrap-Up

PetitPotam Improvements Metasploit’s Ruby support has been updated to allow anonymous authentication to SMB servers. This is notably useful while exploiting the PetitPotam vulnerability with Metasploit, which can be used to coerce a Domain Controller to send an authentication attempt over SMB to other machines via MS-EFSRPC methods:

msf6 auxiliary(scanner/dcerpc/petitpotam) > run 192.168.159.10
[*] 192.168.159.10:445 - Binding to c681d488-d850-11d0-8c52-00c04fd90f7e:1.0@ncacn_np:192.168.159

3 min Metasploit

Metasploit Weekly Wrap-Up

Zyxel firewall unauthenticated command injection This week, our very own Jake Baines [https://github.com/jbaines-r7] added an exploit module that leverages CVE-2022-30525 [https://attackerkb.com/topics/LbcysnvxO2/cve-2022-30525?referrer=blog], an unauthenticated remote command injection vulnerability in Zyxel firewalls with zero touch provisioning (ZTP) support. Jake is also the author of the original research and advisory [https://www.rapid7.com/blog/post/2022/05/12/cve-2022-30525-fixed-zyxel-f

4 min Metasploit

Metasploit Weekly Wrap-Up

Spring4Shell module Community contributor vleminator [https://github.com/vleminator] added a new module [https://github.com/rapid7/metasploit-framework/pull/16423] which exploits CVE-2022-22965 [https://attackerkb.com/topics/xtgLfwQYBm/cve-2022-22965?referrer=blog]—more commonly known as "Spring4Shell." Depending on its deployment configuration [https://attackerkb.com/topics/xtgLfwQYBm/cve-2022-22965/rapid7-analysis?referrer=blog], Java Spring Framework versions 5.3.0 to 5.3.17, 5.2.0 to 5.2.19

3 min Metasploit

Metasploit Wrap-Up

Three new exploit modules, and an update for Windows 11 support

2 min Metasploit Weekly Wrapup

Metasploit Wrap-Up

Module additions this week to enumerate all installed AV products on Windows and escape sandboxes on certain Debian-specific Redis versions. Plus, a new place for Metasploit docs focused on pen testing workflows.

3 min Metasploit

Metasploit Weekly Wrap-Up

ManageEngine ADSelfService Plus Authenticated RCE This module is pretty exciting for us because it's for a vulnerability discovered by our very own Rapid7 researchers Jake Baines [https://github.com/jbaines-r7], Hernan Diaz, Andrew Iwamaye, and Dan Kelly. The vulnerability allowed for attackers to leverage the "custom script" functionality to execute arbitrary operating system commands whenever domain users reset their passwords. I won't go into too much depth though because we have a whole blog

2 min Metasploit

Metasploit Weekly Wrap-Up

Meterpreter Debugging A consistent message Metasploit hears from users is that debugging and general logging support could be improved. The gaps in functionality make it difficult for users to understand what happens when things go wrong and for new and existing developers to fix bugs and add new features. The Metasploit team has been trying to improve this in various parts of the framework, the most recent being Meterpreter. Meterpreter payloads now have additional debugging options that can be

3 min Metasploit Weekly Wrapup

Metasploit Wrap-Up

Five new modules targeting Windows, Linux, macOS, and more. Plus, updates to the Log4Shell scanner and a new Windows Meterpreter option to enable additional logging visible in DbgView

1 min Metasploit

Metasploit Weekly Wrap-Up

CVE-2022-22963 - Spring Cloud Function SpEL RCE A new exploit/multi/http/spring_cloud_function_spel_injection module has been developed by our very own Spencer McIntyre [https://github.com/smcintyre-r7] which targets Spring Cloud Function versions prior to 3.1.7 and 3.2.3. This module is unrelated to Spring4Shell CVE-2022-22965 [https://www.rapid7.com/blog/post/2022/03/30/spring4shell-zero-day-vulnerability-in-spring-framework/], which is a separate vulnerability in the WebDataBinder component

5 min Metasploit Weekly Wrapup

Metasploit Weekly Wrap-Up

Capture Plugin Capturing credentials is a critical and early phase in the playbook of many offensive security testers. Metasploit has facilitated this for years with protocol-specific modules, all under the auxiliary/server/capture path. Users can start and configure each of these modules individually, but now the capture plugin can streamline the process. The capture plugin can easily start 13 different services (17 including SSL-enabled versions) on the same listening IP address, including remote int