Posts tagged Metasploit Weekly Wrapup

4 min Metasploit

Metasploit Weekly Wrap-Up

Have you built out that awesome media room? If your guilty pleasures include using a mobile device to make your home entertainment system WOW your guests, you might be using Unified Remote [https://www.unifiedremote.com/]. I hope you are extra cautious about what devices you let on that WiFi network. A prolific community member h00die [https://github.com/h00die] added a module this week that uses a recently published vulnerability from H4RK3NZ0 [https://github.com/H4rk3nz0] to leverage an unprot

5 min Metasploit

Metasploit Weekly Wrap-Up

BYOS: Bring your own stager

We try hard to make sure we have a great choice of fully-functional payloads to choose from, but sometimes you might want to “branch” out on your own, and if that’s the case we’ve got you covered. In an attempt to make Metasploit play well with others, we’ve introduced a brand new payload type: “custom.” “Custom” payloads use Metasploit stagers to build a stager that will stage whatever shellcode you send it. Got a third-party payload you want to run like Sliver or a

3 min Metasploit

Metasploit Weekly Wrap-Up

Authenticated command injection vulnerability of Cisco ASA-X with FirePOWER Services

jbaines-r7 [https://github.com/jbaines-r7] added a new module that exploits an authenticated command injection vulnerability, CVE-2022-20828 [https://attackerkb.com/topics/wfvCFXXw2e/cve-2022-20828?referrer=blog], in Cisco ASA-X with FirePOWER Services. This vulnerability affects all Cisco ASA appliances that support the ASA FirePOWER module. Note that, although a patch has been added to most recent ASA FirePOWER mod

4 min Metasploit

Metasploit Weekly Wrap-Up

ICPR Certificate Management

This week Metasploit has a new ICPR Certificate Management module from Oliver Lyak [https://github.com/ly4k] and our very own Spencer McIntyre [https://github.com/zeroSteiner], which can be utilized for issuing certificates via Active Directory Certificate Services. It has the capability to issue certificates which is useful in a few contexts including persistence, ESC1 [https://posts.specterops.io/certified-pre-owned-d95910965cd2] and as a primitive necessary for exp

3 min Metasploit

Metasploit Wrap-Up

Zimbra Auth Bypass to Shell

Ron Bowes [https://github.com/rbowes-r7] added an exploit module [https://github.com/rapid7/metasploit-framework/pull/16922] that targets multiple versions of Zimbra Collaboration Suite. The module leverages an authentication bypass (CVE-2022-37042) and a directory traversal vulnerability (CVE-2022-27925) to gain code execution as the zimbra user. The auth bypass functionality correctly checks for a valid session; however, the function that performs the check does not

3 min Metasploit

Metasploit Wrap-Up

Advantech iView NetworkServlet Command Injection

This week Shelby Pace [https://github.com/space-r7] has developed a new exploit module for CVE-2022-2143 [https://attackerkb.com/topics/XYFOEYsgKa/cve-2022-2143?referrer=blog]. This module uses an unauthenticated command injection vulnerability to gain remote code execution against vulnerable versions of Advantech iView software below 5.7.04.6469. The software runs as NT AUTHORITY\SYSTEM, granting the module user unauthenticated privileged access

3 min Metasploit Weekly Wrapup

Metasploit Weekly Wrap-Up

Putting in the work! This week we’re extra grateful for the fantastic contributions our community makes to Metasploit. The Metasploit team landed more than 5 PRs each from Ron Bowes [https://github.com/rbowes-r7] and bcoles [https://github.com/bcoles], adding some great new capabilities. Ron Bowes [https://github.com/rbowes-r7] contributed four new modules targeting UnRAR, Zimbra, and ManageEngine ADAudit Plus. These modules offer Metasploit users some excellent new vectors to leverage against

3 min Metasploit

Metasploit Weekly Wrap-Up

Log4Shell in MobileIron Core

Thanks to jbaines-r7 [https://github.com/jbaines-r7] we have yet another Log4Shell exploit [https://github.com/rapid7/metasploit-framework/pull/16837]. Similar to the other Log4Shell exploit modules, the exploit works by sending a JNDI string that once received by the server will be deserialized, resulting in unauthenticated remote code execution as the tomcat user. Vulnerable versions of MobileIron Core have been reported as exploited [https://www.mandiant.com/resou

4 min Metasploit

Metasploit Weekly Wrap-Up

Roxy-WI Unauthenticated RCE

This week, community member Nuri Çilengir [https://github.com/ncilengir] added an unauthenticated RCE for Roxy-WI. Roxy-WI is an interface for managing HAProxy, Nginx and Keepalived servers. The vulnerability can be triggered by a specially crafted POST request to a Python script where the ipbackend parameter is vulnerable to OS command injection. The result is reliable code execution within the context of the web application user.

Fewer Meterpreter Scripts

Community

3 min Metasploit

Metasploit Weekly Wrap-Up

The past, present and future of Metasploit

Don't miss Spencer McIntyre's talk on the Help Net Security blog [https://www.helpnetsecurity.com/2022/07/20/past-present-future-metasploit-video/]. Spencer is the Lead Security Researcher at Rapid7 and speaks about how Metasploit has evolved since its creation back in 2003. He also explains how the Framework is addressing today's offensive security challenges and how important the partnership with the community is.

LDAP swiss army knife

This week,

3 min Metasploit

Metasploit Weekly Wrap-Up

JBoss EAP/AS - More Deserializations? Indeed!

Community contributor Heyder Andrade [https://github.com/heyder] added a new module for a Java deserialization vulnerability in the JBoss EAP/AS Remoting Unified Invoker interface for versions 6.1.0 and prior. As far as we can tell this was first disclosed by Joao Matos [https://github.com/joaomatosf] in his paper at AlligatorCon [https://s3.amazonaws.com/files.joaomatosf.com/slides/alligator_slides.pdf]. Later a PoC from Marcio Almeida [https://twit

3 min Metasploit

Metasploit Weekly Wrap-Up

DFSCoerce - Distributing more than just files

DFS (Distributed File System) is now distributing Net-NTLM credentials thanks to Spencer McIntyre [https://github.com/zeroSteiner] with a new auxiliary/scanner/dcerpc/dfscoerce module that is similar to PetitPotam in how it functions. Note that unlike PetitPotam, this technique does require a normal domain user’s credentials to work. The following shows the workflow for targeting a 64-bit Windows Server 2019 domain controller. Metasploit is hostin

2 min Metasploit

Metasploit Weekly Wrap-Up

SAMR Auxiliary Module

A new SAMR auxiliary module has been added that allows users to add, lookup, and delete computer accounts from an AD domain. This should be useful for pentesters on engagements who need to create an AD account to gain an initial foothold into the domain for lateral movement attacks, or who need to use this functionality as an attack primitive. Note when using this module that there is a standard number of computers a user can add, so be wary that you may get STATUS_DS_MACH

2 min Metasploit

Metasploit Weekly Wrap-Up

Add Windows target support for the Confluence OGNL injection module

Improves the exploit/multi/http/atlassian_confluence_namespace_ognl_injection module to support Windows server targets. This new target can be used to run payloads in memory with PowerShell using the new payload adapters or drop an executable to disk. Once a Meterpreter session is obtained, getsystem can be used to escalate to NT AUTHORITY\SYSTEM using the RPCSS technique (#5) since the Confluence service runs as NETWORK SERVICE by

2 min Metasploit

Metasploit Weekly Wrap-Up

vCenter Secret Extracter

Expanding on the work of the vcenter_forge_saml_token auxiliary module, community contributor npm-cesium137-io [https://github.com/npm-cesium137-io] has added a new module for extracting the vmdir/vmafd certificates, the IdP keypair, the VMCA root cert, and anything from vmafd that has a private key associated, from an offline copy of the services database. This information can then be used with the vcenter_forge_saml_token module to gain a session cookie that grants acc