Posts tagged Metasploit Weekly Wrapup

3 min Metasploit

Metasploit Weekly Wrap-Up: 11/11/22

ADCS - ESC Vulnerable certificate template finder Our very own Grant Willcox has developed a new module which allows users to query a LDAP server for vulnerable Active Directory Certificate Services (AD CS) certificate templates. The module will print the detected certificate details, and the attack it is susceptible to. This module is capable of checking for ESC1, ESC2, and ESC3 vulnerable certificates. Example module output showing an identified vulnerable certificate template: msf6 auxiliar

3 min Metasploit

Metasploit Weekly Wrap-Up: 11/4/22

C is for cookie And that’s good enough for Apache CouchDB, apparently. Our very own Jack Heysel [https://github.com/jheysel-r7] added an exploit module based on CVE-2022-24706 targeting CouchDB prior to 3.2.2, leveraging a special default ‘monster’ cookie that allows users to run OS commands. This fake computer I just made says I’m an Admin Metasploit’s zeroSteiner [https://github.com/zeroSteiner] added a module to perform Role-based Constrained Delegation (RBCD) on an Active Directory network.

3 min Metasploit

Metasploit Weekly Wrap-Up: Oct. 28, 2022

GLPI htmLawed PHP Command Injection Our very own bwatters-r7 [https://github.com/bwatters-r7] wrote a module for an unauthenticated PHP command injection vulnerability that exists in various versions of GLPI. The vulnerability is due to a third-party vendor test script being present in default installations. A POST request to vendor/htmlawed/htmlawed/htmLawedTest.php directly allows an attacker to execute exec() through the hhook and test parameters, resulting in unauthenticated RCE as the www

3 min Metasploit

Metasploit Weekly Wrap-Up: 10/21/22

Zimbra with Postfix LPE (CVE-2022-3569) This week rbowes [https://github.com/rbowes-r7] added an LPE exploit for Zimbra with Postfix. The exploit leverages a vulnerability whereby the Zimbra user can run postfix as root which in turn is capable of executing arbitrary shellscripts. This can be abused for reliable privilege escalation from the context of the zimbra service account to root. As of this time, this vulnerability remains unpatched. Zimbra RCE (CVE-2022-41352) rbowes [https://github.co

2 min Metasploit Weekly Wrapup

Metasploit Wrap-Up: 10/14/22

Remote code execution modules for Spring Cloud Function and pfSense, plus bug fixes for the Windows secrets dump module.

5 min Metasploit

Metasploit Weekly Wrap-Up: Oct. 7, 2022

Bofloader - Windows Meterpreter Gets Beacon Object File Loader Support This week brings a new and frequently requested feature to the Windows Meterpreter, the Beacon Object File loader. This new extension, bofloader, allows for users to execute Beacon Object Files as written for either Cobalt Strike or Sliver. This extension was provided by a group effort among community members kev169 [https://github.com/kev169], GuhnooPlusLinux [https://twitter.com/GuhnooPlusLinux], R0wdyJoe [https://twitter.c

2 min Metasploit

Metasploit Weekly Wrap-Up: Sep. 30, 2022

Veritas Backup Exec Agent RCE This module kindly provided by c0rs [https://github.com/c0rs] targets the Veritas Backup Exec Agent in order to gain RCE as the system/root user. The exploit itself is actually a chain of 3 separate CVEs (CVE-2021-27876, CVE-2021-27877 and CVE-2021-27878) which only makes it more impressive. While you're patching, why not take the time to test your backups too. Hikvision IP Camera user impersonation This vulnerability has been present in Hikvision products since 20

4 min Metasploit

Metasploit Weekly Wrap-Up: 9/23/22

Have you built out that awesome media room? If your guilty pleasures include using a mobile device to make your home entertainment system WOW your guests, you might be using Unified Remote [https://www.unifiedremote.com/]. I hope you are extra cautious about what devices you let on that WiFi network. A prolific community member h00die [https://github.com/h00die] added a module this week that uses a recently published vulnerability from H4RK3NZ0 [https://github.com/H4rk3nz0] to leverage an unprot

5 min Metasploit

Metasploit Weekly Wrap-Up: Sep. 16, 2022

BYOS: Bring your own stager We try hard to make sure we have a great choice of fully-functional payloads to choose from, but sometimes you might want to “branch” out on your own, and if that’s the case we’ve got you covered. In an attempt to make Metasploit play well with others, we’ve introduced a brand new payload type: “custom.” “Custom” payloads use Metasploit stagers to build a stager that will stage whatever shellcode you send it. Got a third-party payload you want to run like Sliver or a

3 min Metasploit

Metasploit Weekly Wrap-Up: 9/9/22

Authenticated command injection vulnerability of Cisco ASA-X with FirePOWER Services: jbaines-r7 [https://github.com/jbaines-r7] added a new module that exploits an authenticated command injection vulnerability CVE-2022-20828 [https://attackerkb.com/topics/wfvCFXXw2e/cve-2022-20828?referrer=blog] of Cisco ASA-X with FirePOWER Services. This vulnerability affects all Cisco ASA appliances that support ASA FirePOWER module. Note that, although a patch has been added to most recent ASA FirePOWER mod

4 min Metasploit

Metasploit Weekly Wrap-Up: 9/2/22

ICPR Certificate Management This week Metasploit has a new ICPR Certificate Management module from Oliver Lyak [https://github.com/ly4k] and our very own Spencer McIntyre [https://github.com/zeroSteiner], which can be utilized for issuing certificates via Active Directory Certificate Services. It has the capability to issue certificates which is useful in a few contexts including persistence, ESC1 [https://posts.specterops.io/certified-pre-owned-d95910965cd2] and as a primitive necessary for exp

3 min Metasploit

Metasploit Wrap-Up: Aug. 26, 2022

Zimbra Auth Bypass to Shell Ron Bowes [https://github.com/rbowes-r7] added an exploit module [https://github.com/rapid7/metasploit-framework/pull/16922] that targets multiple versions of Zimbra Collaboration Suite. The module leverages an authentication bypass (CVE-2022-37042) and a directory traversal vulnerability (CVE-2022-27925) to gain code execution as the zimbra user. The auth bypass functionality correctly checks for a valid session; however, the function that performs the check does not

3 min Metasploit

Metasploit Wrap-Up: 8/19/22

Advantech iView NetworkServlet Command Injection This week Shelby Pace [https://github.com/space-r7] has developed a new exploit module for CVE-2022-2143 [https://attackerkb.com/topics/XYFOEYsgKa/cve-2022-2143?referrer=blog]. This module uses an unauthenticated command injection vulnerability to gain remote code execution against vulnerable versions of Advantech iView software below 5.7.04.6469. The software runs as NT AUTHORITY\SYSTEM, granting the module user unauthenticated privileged access

3 min Metasploit Weekly Wrapup

Metasploit Weekly Wrap-Up: 8/12/22

Putting in the work! This week we’re extra grateful for the fantastic contributions our community makes to Metasploit. The Metasploit team landed more than 5 PRs each from Ron Bowes [https://github.com/rbowes-r7] and bcoles [https://github.com/bcoles], adding some great new capabilities. Ron Bowes [https://github.com/rbowes-r7] contributed four new modules targeting UnRAR, Zimbra, and ManageEngine ADAudit Plus. These modules offer Metasploit users some excellent new vectors to leverage against

3 min Metasploit

Metasploit Weekly Wrap-Up: 8/5/22

Log4Shell in MobileIron Core Thanks to jbaines-r7 [https://github.com/jbaines-r7] we have yet another Log4Shell exploit [https://github.com/rapid7/metasploit-framework/pull/16837]. Similar to the other Log4Shell exploit modules, the exploit works by sending a JNDI string that once received by the server will be deserialized, resulting in unauthenticated remote code execution as the tomcat user. Vulnerable versions of MobileIron Core have been reported as exploited [https://www.mandiant.com/resou