2 min
Metasploit
Metasploit Wrap-Up: 6/19/20
Arista Shell Escape Exploit
Community contributor SecurityBytesMe [https://github.com/SecurityBytesMe] added
an exploit module [https://github.com/rapid7/metasploit-framework/pull/13303]
for various Arista switches. With credentials, an attacker can SSH into a
vulnerable device and leverage a TACACS+ shell configuration to bypass
restrictions. The configuration allows the pipe character to be used only if the
pipe is preceded by a grep command. This configuration ultimately allows the
chaining
2 min
Metasploit
Metasploit Wrap-Up: 6/12/20
Windows BITS CVE-2020-0787 LPE in the Metasploit tree!
This week, Grant Willcox [https://github.com/gwillcox-r7] presents his first
Metasploit module contribution
[https://github.com/rapid7/metasploit-framework/pull/13554] as part of our team.
Research [https://itm4n.github.io/cve-2020-0787-windows-bits-eop/] from itm4n
[https://github.com/itm4n] yielded CVE-2020-0787
[https://nvd.nist.gov/vuln/detail/CVE-2020-0787], describing a vulnerability in
the Windows Background Intelligent Transfer Serv
2 min
Metasploit Weekly Wrapup
Metasploit Wrap-Up: 6/5/20
vBulletin, WordPress, and WebLogic exploits, along with some enhancements and fixes.
2 min
Metasploit Weekly Wrapup
Metasploit Wrap-Up: 5/29/20
Hello, World!
This week’s wrapup features six new modules, including a double-dose of Synology
and everyone’s favorite, Pi-Hole.
Little NAS, featuring RCE
Synology stations are small(ish) NAS devices, but as Steve Kaun, Nigusu
Kassahun, and h00die have shown, they are not invulnerable. In the first module,
a command injection exists in a scanning function that allows for an
authenticated RCE, and in the second, a coding feature leaks whether a user
exists on the system, allowing for brute-forc
2 min
Metasploit
Metasploit Wrap-Up: 5/22/20
Bad WebLogic
Our own Shelby Pace [https://github.com/space-r7] authored an exploit taking
advantage of a Java object deserialization vulnerability in multiple different
versions of WebLogic. The new module has been tested with versions v12.1.3.0.0,
v12.2.1.3.0, and v12.2.1.4.0 of WebLogic and allows remote code execution
through the of sending a serialized BadAttributeValueExpException object over
the T3 protocol to vulnerable WebLogic servers.
Cram it in your Pi-Hole
As the incredibly origina
2 min
Metasploit
Metasploit Wrap-Up: 5/15/20
Five new modules, including SaltStack Salt Master root key disclosure and unauthenticated RCE on Salt master and minion. A new Meterpreter fix also ensures correct handling of out-of-order packets in pivoted sessions.
5 min
Metasploit Weekly Wrapup
Metasploit Wrap-Up: May 8, 2020
Nine new modules, including three IBM Data Risk Manager exploits, a couple Windows privilege elevation modules, and a .NET deserialization exploit for Veeam ONE Agent. Plus, a new .NET deserialization tool that allows users to generate serialized payloads in the vein of YSoSerial.NET.
3 min
Metasploit
Metasploit Wrap-Up 5/1/20
Windows Meterpreter payload improvements
Community contributor OJ [https://github.com/OJ] has made improvements to
Windows Meterpreter payloads. Specifically reducing complexity around extension
building and loading. This change comes with the benefit of removing some
fingerprint artifacts, as well reducing the payload size as a side-effect.
Note that Windows meterpreter sessions that are open prior to this bump will not
be able to load new extensions after the bump if they connect with a new
in
3 min
Metasploit
Metasploit Wrap-Up 4/24/20
Security fix for the libnotify plugin (CVE-2020-7350)
If you use the libnotify plugin to keep track of when file imports complete, the
interaction between it and db_import allows a maliciously crafted XML file
[https://github.com/rapid7/metasploit-framework/pull/13049] to execute arbitrary
commands on your system. In proper Metasploit fashion, pastaoficial
[https://github.com/pastaoficial] PR'd a file format exploit to go along with
the fix, and our own smcintyre-r7 [https://github.com/smcintyre
2 min
Metasploit
Metasploit Wrap-Up: Apr. 17, 2020
Nexus Repository Manager RCE
This week our very own Will Vu [https://github.com/wvu-r7] wrote a module for
CVE-2020-10199 which targets a remote code execution vulnerability within the
Nexus Repository Manager. The vulnerability allows Java Expression Language
(JavaEL) code to be executed. While the flaw requires authentication information
to leverage it, any account is sufficient. This would allow any registered user
to compromise the target server.
Unquoted Service Path LPE
Community contribu
2 min
Metasploit Weekly Wrapup
Metasploit Wrap-Up: 4/10/20
Meterpreter bug fixes and five new modules, including an LPE exploit for SMBghost (CVE-2020-0796) and a BloodHound post module that gathers information (sessions, local admin, domain trusts, etc.) and stores it as a BloodHound-consumable ZIP file in Framework loot.
3 min
Metasploit Weekly Wrapup
Metasploit Wrap-Up 4/3/2020
This week's release includes a local privilege escalation exploit for VMware Fusion through 11.5.3 on OS X, as well as RCE on Apache Solr and DNN cookie deserialization.
2 min
Metasploit Weekly Wrapup
Metasploit Wrap-Up: 3/27/20
Three new modules, including a post module to automate the installation of an embeddable Python interpreter on a target, and a new exploit for Microsoft SharePoint Workflows.
2 min
Metasploit Weekly Wrapup
Metasploit Wrap-Up: 3/20/20
Five new modules plus fixes and enhancements. Exploits for ManageEngine, rConfig, and SQL Server Reporting Services, among others.
2 min
Metasploit Weekly Wrapup
Metasploit Wrap-Up: 3/13/20
Four new modules and lots of productivity enhancements. You can now run `rubocop -a` to automatically fix most formatting issues when developing modules. Plus, try the new `tip` command in MSF for Framework usage tips!