Posts tagged Metasploit Weekly Wrapup

4 min Metasploit Weekly Wrapup

Metasploit Wrap-Up

New reflective PE file loader, a new module, new search improvements, and updates on Google Summer of Code projects.

2 min Metasploit

Metasploit Wrap-Up

Give me your hash This week, community contributor HynekPetrak [https://github.com/HynekPetrak] added a new module [https://github.com/rapid7/metasploit-framework/pull/13906] for dumping passwords and hashes stored as attributes in LDAP servers. It uses an LDAP connection to retrieve data from an LDAP server and then harvests user credentials in specific attributes. This module can be used against any kind of LDAP server with either anonymous or authenticated bind. Particularly, it can be used

2 min Metasploit

Metasploit Wrap-Up

Setting module options just got easier! Rapid7's own Dean Welch [https://github.com/dwelch-r7] added a new option [https://github.com/rapid7/metasploit-framework/pull/13961] to framework called RHOST_HTTP_URL, which allows users to set values for multiple URL components, such as RHOSTS, RPORT, and SSL, by specifying a single option value. For example, instead of typing set RHOSTS example.com, set RPORT 5678, set SSL true, you can now accomplish the same thing with the command set RHOST_HTTP_URL

2 min Metasploit

Metasploit Wrap-Up

vBulletin strikes again This week saw another vBulletin exploit released by returning community member Zenofex. This exploit module allows an unauthenticated attacker to run arbitrary PHP code or operating system commands on affected versions of the vBulletin web application. The vulnerability, which was also discovered by Zenofex, is identified as CVE-2020-7373 [https://attackerkb.com/topics/aIL9b0uOYc/cve-2020-7373?referrer=blog] and is effectively a bypass for a previously patched vulnerabili

5 min Metasploit Weekly Wrapup

Metasploit Wrap-Up

Metasploit 6 initial features and active development, the 2020 open-source security meetup (OSSM), four new modules, and the longest list of enhancements and fixes we've ever written in one sitting.

3 min Metasploit

Metasploit Wrap-Up

SharePoint DataSet/DataTable deserialization First up we have an exploit from Spencer McIntyre (@zeroSteiner) for CVE-2020-1147 [https://attackerkb.com/topics/HgtakVczYd/cve-2020-1147?referrer=blog], a deserialization vulnerability in SharePoint instances that was patched by Microsoft on July 14th 2020 and which has been getting quite a bit of attention in the news lately. This module [https://github.com/rapid7/metasploit-framework/pull/13920] utilizes Steven Seeley (@stevenseeley)'s writeup al

2 min Metasploit Weekly Wrapup

Metasploit Wrap-Up

Yes, it’s a huge enterprise vulnerability week (again) For our 100th release since the release of 5.0 [/2019/01/10/metasploit-framework-5-0-released/] 18 months ago, our own zeroSteiner [https://github.com/zeroSteiner] got us a nifty module for the SAP "RECON" vulnerability [https://attackerkb.com/topics/JubO1RiVBP/cve-2020-6287-critical-vulnerability-in-sap-netweaver-application-server-as-java] affecting NetWeaver version 7.30 to 7.50. It turns out those versions will allow anyone to create a

2 min Metasploit

Metasploit Wrap-Up

Plex unpickling The exploit/windows/http/plex_unpickle_dict_rce module [https://github.com/rapid7/metasploit-framework/pull/13741] by h00die [https://github.com/h00die] exploits an authenticated Python deserialization vulnerability in Plex Media Server. The module exploits the vulnerability by creating a photo library and uploading a Dict file containing a Python payload to the library’s path. Code execution is then achieved by triggering the plugin loading functionality, which unpickles the Dic

2 min Metasploit

Metasploit Wrap-Up

Intensity not on the Fujita scale SOC folks may have been feeling increased pressure as word spread of CVE-2020-5902 [https://attackerkb.com/topics/evLpPlZf0i/cve-2020-5902?referrer=blog#rapid7-analysis] being exploited in the wild. Vulnerabilities in networking equipment always pose a unique set of constraints for IT operations when it comes to mitigations and patches given their role in connecting users to servers, services or applications. Yet from an attacker’s perspective this vulnerabili

2 min Metasploit

Metasploit Wrap-Up

Shifting (NET)GEARs Community contributor rdomanski [https://github.com/rdomanski] added a module for Netgear R6700v3 routers [https://github.com/rapid7/metasploit-framework/pull/13768] that allows unauthenticated attackers on the same network to reset the password for the admin user back to the factory default of password. Attackers can then manually change the admin user's password and log into it after enabling telnet via the exploit/linux/telnet/netgear_telnetenable module, which will gran

2 min Metasploit

Metasploit Wrap-Up

Who watches the watchers? If you are checking up on an organization using Trend Micro Web Security, it might be you. A new module this week takes advantage of a chain of vulnerabilities to give everyone (read unauthenticated users) a chance to decide what threats the network might let slip through. Following the trend, what about watchers that are not supposed to be there? Agent Tesla Panel is a fun little trojan (not to be found zipping around on our highways and byways) which now offers, agai

2 min Metasploit

Metasploit Wrap-Up

Arista Shell Escape Exploit Community contributor SecurityBytesMe [https://github.com/SecurityBytesMe] added an exploit module [https://github.com/rapid7/metasploit-framework/pull/13303] for various Arista switches. With credentials, an attacker can SSH into a vulnerable device and leverage a TACACS+ shell configuration to bypass restrictions. The configuration allows the pipe character to be used only if the pipe is preceded by a grep command. This configuration ultimately allows the chaining

2 min Metasploit

Metasploit Wrap-Up

Windows BITS CVE-2020-0787 LPE in the Metasploit tree! This week, Grant Willcox [https://github.com/gwillcox-r7] presents his first Metasploit module contribution [https://github.com/rapid7/metasploit-framework/pull/13554] as part of our team. Research [https://itm4n.github.io/cve-2020-0787-windows-bits-eop/] from itm4n [https://github.com/itm4n] yielded CVE-2020-0787 [https://nvd.nist.gov/vuln/detail/CVE-2020-0787], describing a vulnerability in the Windows Background Intelligent Transfer Serv

2 min Metasploit Weekly Wrapup

Metasploit Wrap-Up

vBulletin, WordPress, and WebLogic exploits, along with some enhancements and fixes.

2 min Metasploit Weekly Wrapup

Metasploit Wrap-Up

Hello, World! This week’s wrapup features six new modules, including a double-dose of Synology and everyone’s favorite, Pi-Hole. Little NAS, featuring RCE Synology stations are small(ish) NAS devices, but as Steve Kaun, Nigusu Kassahun, and h00die have shown, they are not invulnerable. In the first module, a command injection exists in a scanning function that allows for an authenticated RCE, and in the second, a coding feature leaks whether a user exists on the system, allowing for brute-forc