5 min
Metasploit
Metasploit Weekly Wrap-Up
Mucking out the pipes.
Thanks to some quick work by timwr [https://github.com/timwr], CVE-2022-0847
[https://attackerkb.com/topics/UwW7SVPaPv/cve-2022-0847?referrer=blog] aka
"Dirty Pipe" gives Metasploit a bit of digital plumber's training. The exploit
targeting modern Linux v5 kernels helps elevate user privileges by overwriting a
SUID binary of your choice by plunging some payload gold through a pipe.
Long live the SMB relay!
SMB, that magical ubiquitous service making all that noise on netw
4 min
Metasploit
Metasploit Weekly Wrap-Up
This week’s Metasploit Framework release brings us seven new modules.
IP Camera Exploitation
Rapid7’s Jacob Baines [https://github.com/jbaines-r7] was busy this week with
two exploit modules that target IP cameras. The first
[https://github.com/rapid7/metasploit-framework/pull/16190] module exploits an
authenticated file upload on Axis IP cameras. Due to lack of proper
sanitization, an attacker can upload and install an eap application which, when
executed, will grant the attacker root privileg
2 min
Metasploit
Metasploit Weekly Wrap-Up
Exchange RCE
Exchange remote code execution vulnerabilities are always valuable exploits to
have. This week Metasploit added an exploit for an authenticated RCE in
Microsoft Exchange servers 2016 and server 2019 identified as CVE-2021-42321
[https://attackerkb.com/topics/4JMe2Y1WSY/cve-2021-42321?referrer=blog]. The
flaw leveraged by the exploit exists in a misconfigured denylist that failed to
prevent a serialized blob from being loaded resulting in code execution. While
this is an authenticate
3 min
Metasploit
Metasploit Weekly Wrap-Up
Nagios XI web shell upload module
New this week is a Nagios Web Shell Upload module
[https://github.com/rapid7/metasploit-framework/pull/16150] from Rapid7' own
Jake Baines [https://github.com/jbaines-r7], which exploits CVE-2021-37343
[https://attackerkb.com/topics/zxpvqMqOHQ/cve-2021-37343?referrer=blog]. This
module builds upon the existing Nagios XI scanner
[https://github.com/rapid7/metasploit-framework/blob/master/documentation/modules/auxiliary/scanner/http/nagios_xi_scanner.md]
written
2 min
Metasploit
Metasploit Wrap-Up
Welcome, Little Hippo: PetitPotam
Our very own @zeroSteiner [https://github.com/zeroSteiner] ported
[https://github.com/rapid7/metasploit-framework/pull/16136] the PetitPotam
[https://github.com/topotam/PetitPotam] exploit to Metasploit this week. This
module leverages CVE-2021-36942
[https://attackerkb.com/topics/TEBmUAfeCs/cve-2021-36942?referrer=blog], a
vulnerability in the Windows Encrypting File System (EFS) API, to capture
machine NTLM hashes. This uses the EfsRpcOpenFileRaw function of t
3 min
Metasploit Weekly Wrapup
Metasploit Wrap-Up
A new NOP module, improvements to RPC functionality and PHP Meterpreter, and WordPress and Cisco RV exploits.
3 min
Metasploit
Metasploit Weekly Wrap-Up
A new Log4Shell module for unauthenticated RCE on Ubiquiti UniFi devices, getsystem improvements, and more!
2 min
Metasploit
Metasploit Weekly Wrap-Up
Image Credit: https://upload.wikimedia.org/wikipedia/commons/c/c7/Logs.jpg
without changewhile (j==shell); Log4j;
The Log4j loop continues as we release a module targeting vulnerable vCenter
releases. This is a good time to suggest that you check your vCenter releases
and maybe even increase the protection surrounding them, as it’s been a rough
year-plus for vCenter
[https://attackerkb.com/search?q=vcenter&tags=exploitedInTheWild].
Let your shell do the walking
bcoles [https://github.com/bcoles
3 min
Metasploit Weekly Wrapup
Metasploit Weekly Wrap-Up
Five new modules, including exploits for Log4Shell and SonicWall SMA 100 series devices, plus a new Meterpreter command that allows users to kill all channels at once.
3 min
Metasploit
Metasploit Wrap-Up
Dump Windows secrets from Active Directory
This week, our very own Christophe De La Fuente
[https://github.com/cdelafuente-r7] added an important update
[https://github.com/rapid7/metasploit-framework/pull/15924] to the existing
Windows Secret Dump module. It is now able to dump secrets from Active
Directory, which will be very useful for Metasploit users. This new feature uses
the Directory Replication Service through RPC to retrieve data such as SIDs,
password history, Domain user NTLM hashes
3 min
Metasploit
Metasploit Wrap-Up
A new Log4Shell / Log4j scanner module for Metasploit, a new WordPress module, and multiple enhancements and bug fixes
2 min
Metasploit
Metasploit Wrap-Up
Word and Javascript are a rare duo.
Thanks to thesunRider [https://github.com/thesunRider]. you too can experience
the wonder of this mystical duo. The sole new metasploit module this release
adds a file format attack to generate a very special document. By utilizing
Javascript embedded in a Word document to trigger a chain of events that slip
through various Windows facilities, a session as the user who opened the
document can be yours.
Do you like spiders?
It has been 3 years since SMB2 suppo
2 min
Metasploit
Metasploit Wrap-Up
Metasploit CTF 2021 starts today
It’s that time of year again! Time for the 2021 Metasploit Community CTF
[https://www.rapid7.com/blog/post/2021/11/16/announcing-the-2021-metasploit-community-ctf/]
. Earlier today over 1,100 users in more than 530 teams were registered and
opened for participation to solve this year’s 18 challenges. Next week a recap
and the winners will be announced, so stay tuned for more information.
Overlayfs LPE
This week Metasploit shipped an exploit for the recent Overla
3 min
Metasploit
Metasploit Wrap-Up
Self-Service Remote Code Execution
This week, our own @wvu-r7 [https://github.com/wvu-r7] added an exploit module
[https://github.com/rapid7/metasploit-framework/pull/15874] that achieves
unauthenticated remote code execution in ManageEngine ADSelfService Plus, a
self-service password management and single sign-on solution for Active
Directory. This new module leverages a REST API authentication bypass
vulnerability identified as CVE-2021-40539
[https://attackerkb.com/topics/DMSNq5zgcW/cve-2021-
3 min
Metasploit
Metasploit Wrap-Up
Azure Active Directory login scanner module
Community contributor k0pak4 [https://github.com/k0pak4] added a new login
scanner module for Azure Active Directory
[https://github.com/rapid7/metasploit-framework/pull/15755]. This module
exploits a vulnerable
[https://attackerkb.com/topics/rZ1JlQhXhc/cve-2020-16152?referrer=blog]
authentication endpoint in order to enumerate usernames without generating log
events. The error code returned by the endpoint can be used to discover the
validity of user