Posts tagged Metasploit Weekly Wrapup

3 min Metasploit

Metasploit Weekly Wrap-Up

ManageEngine ADSelfService Plus Authenticated RCE This module is pretty exciting for us because it's for a vulnerability discovered by our very own Rapid7 researchers Jake Baines [https://github.com/jbaines-r7], Hernan Diaz, Andrew Iwamaye, and Dan Kelly. The vulnerability allowed for attackers to leverage the "custom script" functionality to execute arbitrary operating system commands whenever domain users reset their passwords. I won't go into too much depth though because we have a whole blog

2 min Metasploit

Metasploit Weekly Wrap-Up

Meterpreter Debugging A consistent message Metasploit hears from users is that debugging and general logging support could be improved. The gaps in functionality make it difficult for users to understand what happens when things go wrong and for new and existing developers to fix bugs and add new features. The Metasploit team has been trying to improve this in various parts of the framework, the most recent being Meterpreter. Meterpreter payloads now have additional debugging options that can be

3 min Metasploit Weekly Wrapup

Metasploit Wrap-Up

Five new modules targeting Windows, Linux, macOS, and more. Plus, updates to the Log4Shell scanner and a new Windows Meterpreter option to enable additional logging visible in DbgView

1 min Metasploit

Metasploit Weekly Wrap-Up

CVE-2022-22963 - Spring Cloud Function SpEL RCE A new exploit/multi/http/spring_cloud_function_spel_injection module has been developed by our very own Spencer McIntyre [https://github.com/smcintyre-r7] which targets Spring Cloud Function versions Prior to 3.1.7 and 3.2.3. This module is unrelated to Spring4Shell CVE-2022-22965 [https://www.rapid7.com/blog/post/2022/03/30/spring4shell-zero-day-vulnerability-in-spring-framework/] , which is a separate vulnerability in the WebDataBinder component

5 min Metasploit Weekly Wrapup

Metasploit Weekly Wrap-Up

Capture Plugin Capturing credentials is a critical and early phase in the playbook of many offensive security testers. Metasploit has facilitated this for years with protocol-specific modules all under the auxiliary/server/capture. Users can start and configure each of these modules individually, but now the capture plugin can streamline the process. The capture plugin can easily start 13 different services (17 including SSL enabled versions) on the same listening IP address including remote int

3 min Metasploit

Metasploit Weekly Wrap-Up

CVE-2022-21999 - SpoolFool Our very own Shelby Pace [https://github.com/space-r7] has added a new module for the CVE-2022-21999 SpoolFool privilege escalation vulnerability [https://attackerkb.com/topics/vFYqO85asS/cve-2022-21999?referrer=blog]. This escalation vulnerability can be leveraged to achieve code execution as SYSTEM. This new module has successfully been tested on Windows 10 (10.0 Build 19044) and Windows Server 2019 v1809 (Build 17763.1577). CVE-2021-4191 - Gitlab GraphQL API User E

5 min Metasploit

Metasploit Weekly Wrap-Up

Mucking out the pipes. Thanks to some quick work by timwr [https://github.com/timwr], CVE-2022-0847 [https://attackerkb.com/topics/UwW7SVPaPv/cve-2022-0847?referrer=blog] aka "Dirty Pipe" gives Metasploit a bit of digital plumber's training. The exploit targeting modern Linux v5 kernels helps elevate user privileges by overwriting a SUID binary of your choice by plunging some payload gold through a pipe. Long live the SMB relay! SMB, that magical ubiquitous service making all that noise on netw

4 min Metasploit

Metasploit Weekly Wrap-Up

This week’s Metasploit Framework release brings us seven new modules. IP Camera Exploitation Rapid7’s Jacob Baines [https://github.com/jbaines-r7] was busy this week with two exploit modules that target IP cameras. The first [https://github.com/rapid7/metasploit-framework/pull/16190] module exploits an authenticated file upload on Axis IP cameras. Due to lack of proper sanitization, an attacker can upload and install an eap application which, when executed, will grant the attacker root privileg

2 min Metasploit

Metasploit Weekly Wrap-Up

Exchange RCE Exchange remote code execution vulnerabilities are always valuable exploits to have. This week Metasploit added an exploit for an authenticated RCE in Microsoft Exchange servers 2016 and server 2019 identified as CVE-2021-42321 [https://attackerkb.com/topics/4JMe2Y1WSY/cve-2021-42321?referrer=blog]. The flaw leveraged by the exploit exists in a misconfigured denylist that failed to prevent a serialized blob from being loaded resulting in code execution. While this is an authenticate

3 min Metasploit

Metasploit Weekly Wrap-Up

Nagios XI web shell upload module New this week is a Nagios Web Shell Upload module [https://github.com/rapid7/metasploit-framework/pull/16150] from Rapid7' own Jake Baines [https://github.com/jbaines-r7], which exploits CVE-2021-37343 [https://attackerkb.com/topics/zxpvqMqOHQ/cve-2021-37343?referrer=blog]. This module builds upon the existing Nagios XI scanner [https://github.com/rapid7/metasploit-framework/blob/master/documentation/modules/auxiliary/scanner/http/nagios_xi_scanner.md] written

2 min Metasploit

Metasploit Wrap-Up

Welcome, Little Hippo: PetitPotam Our very own @zeroSteiner [https://github.com/zeroSteiner] ported [https://github.com/rapid7/metasploit-framework/pull/16136] the PetitPotam [https://github.com/topotam/PetitPotam] exploit to Metasploit this week. This module leverages CVE-2021-36942 [https://attackerkb.com/topics/TEBmUAfeCs/cve-2021-36942?referrer=blog], a vulnerability in the Windows Encrypting File System (EFS) API, to capture machine NTLM hashes. This uses the EfsRpcOpenFileRaw function of t

3 min Metasploit Weekly Wrapup

Metasploit Wrap-Up

A new NOP module, improvements to RPC functionality and PHP Meterpreter, and WordPress and Cisco RV exploits.

3 min Metasploit

Metasploit Weekly Wrap-Up

A new Log4Shell module for unauthenticated RCE on Ubiquiti UniFi devices, getsystem improvements, and more!

2 min Metasploit

Metasploit Weekly Wrap-Up

Image Credit: https://upload.wikimedia.org/wikipedia/commons/c/c7/Logs.jpg without changewhile (j==shell); Log4j; The Log4j loop continues as we release a module targeting vulnerable vCenter releases. This is a good time to suggest that you check your vCenter releases and maybe even increase the protection surrounding them, as it’s been a rough year-plus for vCenter [https://attackerkb.com/search?q=vcenter&tags=exploitedInTheWild]. Let your shell do the walking bcoles [https://github.com/bcoles

3 min Metasploit Weekly Wrapup

Metasploit Weekly Wrap-Up

Five new modules, including exploits for Log4Shell and SonicWall SMA 100 series devices, plus a new Meterpreter command that allows users to kill all channels at once.