13 min
Metasploit
Metasploit Framework 6.3 Released
Metasploit Framework 6.3 is now available. New features include native Kerberos authentication support, streamlined Active Directory attack workflows (AD CS, AD DS), and new modules that request, forge, and convert tickets between formats.
2 min
Metasploit
Metasploit Weekly Wrap-Up
Cacti Unauthenticated Command Injection
Thanks to community contributor Erik Wynter [https://github.com/ErikWynter],
Metasploit Framework now has an exploit module
[https://github.com/rapid7/metasploit-framework/pull/17407] for an
unauthenticated command injection vulnerability in the Cacti network-monitoring
software. The vulnerability is due to a proc_open() call that accepts
unsanitized user input in remote_agent.php. Provided that the target server has
data that's tied to the POLLER_ACTION_S
2 min
Metasploit
Metasploit Weekly Wrap-Up
See something say something
Have an idea on how to expand on Metasploit Documentation on
https://docs.metasploit.com/? Did you see a typo or some other error on the docs
site? Thanks to adfoster-r7 [https://github.com/adfoster-r7], submitting an
update to the documentation is as easy as clicking the 'Edit this page on
GitHub' link on the page you want to change. The new link will take you directly
to the source in Metasploit's GitHub so you can quickly locate the Markdown
[https://www.markdowng
2 min
Metasploit
Metasploit Weekly Wrap-Up
New module content (2)
Gather Dbeaver Passwords
Author: Kali-Team
Type: Post
Pull request: #17337 [https://github.com/rapid7/metasploit-framework/pull/17337]
contributed by cn-kali-team [https://github.com/cn-kali-team]
Description: This adds a post exploit module that retrieves Dbeaver session data
from local configuration files. It is able to extract and decrypt credentials
stored in these files for any version of Dbeaver installed on Windows or
Linux/Unix systems.
Gather MinIO Client Key
A
3 min
Metasploit Weekly Wrapup
Metasploit Weekly Wrap-Up
Back from a quiet holiday season
Thankfully, it was a relatively quiet holiday break for security this year, so
we hope everyone had a relaxing time while they could. This wrapup covers the
last three Metasploit releases, and contains three new modules, two updates, and
five bug fixes.
Make sure that your OpenTSDB isn’t too open
Of particular note in this release is a new module from community contributors
Erik Wynter [https://github.com/ErikWynter] and Shai rod
[https://github.com/nightrang3r
5 min
Haxmas
2022 Annual Metasploit Wrap-Up
It's been another gangbusters year for Metasploit, and the holidays are a time
to give thanks to all the people that help make our load a little bit lighter.
So, while this end-of-year wrap-up is a highlight reel of the headline features
and extensions that landed in Metasploit-land in 2022, we also want to express
our gratitude and appreciation for our stellar community of contributors,
maintainers, and users. The Metasploit team merged 824 pull requests across
Metasploit-related projects in 20
4 min
Metasploit
Metasploit Weekly Wrap-Up
A sack full of cheer from the Hacking Elves of Metasploit
It is clear that the Metasploit elves have been busy this season: Five new
modules, six new enhancements, nine new bug fixes, and a partridge in a pear
tree are headed out this week! (Partridge nor pear tree included.) In this sack
of goodies, we have a gift that keeps on giving: Shelby’s
[https://github.com/space-r7] Acronis TrueImage Privilege Escalation
[https://github.com/rapid7/metasploit-framework/pull/17265] works wonderfully,
even
2 min
Metasploit Weekly Wrapup
Metasploit Wrap-Up
Login brute-force utility
Jan Rude [https://github.com/whoot] added a new module that gives users the
ability to brute-force login for Linux Syncovery. This expands Framework's
capability to scan logins to Syncovery, a popular web GUI for backups.
WordPress extension SQL injection module
Cydave [https://github.com/cydave], destr4ct [https://github.com/destr4ct], and
jheysel-r7 [https://github.com/jheysel-r7] contributed a new module that takes
advantage of a vulnerable WordPress extension. Thi
2 min
Metasploit
Metasploit Weekly Wrap-Up
ProxyNotShell
This week's Metasploit release includes an exploit module for CVE-2022-41082,
AKA ProxyNotShell by DA-0x43-Dx4-DA-Hx2-Tx2-TP-S-Q, Orange Tsai
[https://github.com/orangetw], Piotr Bazydło
[https://mobile.twitter.com/chudypb], Rich Warren
[https://twitter.com/buffaloverflow], Soroush Dalili [https://twitter.com/irsdl]
, and our very own Spencer McIntyre [https://github.com/zeroSteiner]. The
vulnerability CVE-2022-41082, AKA ProxyNotShell is a deserialization flaw in
Microsoft Exchang
2 min
Metasploit
Metasploit Weekly Wrap-Up
2 new modules targeting F5 devices, DuckyScript support, bug fixes, and more
2 min
Metasploit
Metasploit Weekly Wrap-Up
Pre-authenticated Remote Code Execution in VMware NSX Manager using XStream
(CVE-2021-39144)
There’s nothing quite like a pre-authenticated remote code execution
vulnerability in a piece of enterprise software. This week, community
contributor h00die-gr3y [https://github.com/h00die-gr3y] added a module
[https://github.com/rapid7/metasploit-framework/pull/17222] that targets VMware
NSX Manager using XStream. Due to an unauthenticated endpoint that leverages
XStream for input serialization in VMwa
3 min
Metasploit
Metasploit Weekly Wrap-Up
ADCS - ESC Vulnerable certificate template finder
Our very own Grant Willcox has developed a new module which allows users to
query a LDAP server for vulnerable Active Directory Certificate Services (AD CS)
certificate templates. The module will print the detected certificate details,
and the attack it is susceptible to. This module is capable of checking for
ESC1, ESC2, and ESC3 vulnerable certificates.
Example module output showing an identified vulnerable certificate template:
msf6 auxiliar
3 min
Metasploit
Metasploit Weekly Wrap-Up
C is for cookie
And that’s good enough for Apache CouchDB, apparently. Our very own Jack Heysel
[https://github.com/jheysel-r7] added an exploit module based on CVE-2022-24706
targeting CouchDB prior to 3.2.2, leveraging a special default ‘monster’ cookie
that allows users to run OS commands.
This fake computer I just made says I’m an Admin
Metasploit’s zeroSteiner [https://github.com/zeroSteiner] added a module to
perform Role-based Constrained Delegation (RBCD) on an Active Directory network.
3 min
Metasploit
Metasploit Weekly Wrap-UP
GLPI htmLawed PHP Command Injection
Our very own bwatters-r7 [https://github.com/bwatters-r7] wrote a module for an
unauthenticated PHP command injection vulnerability that exists in various
versions of GLPI. The vulnerability is due to a third-party vendor test script
being present in default installations. A POST request to
vendor/htmlawed/htmlawed/htmLawedTest.php directly allows an attacker to execute
exec() through the hhook and test parameters, resulting in unauthenticated RCE
as the www
3 min
Metasploit
Metasploit Weekly Wrap-Up
Zimbra with Postfix LPE (CVE-2022-3569)
This week rbowes [https://github.com/rbowes-r7] added an LPE exploit for Zimbra
with Postfix. The exploit leverages a vulnerability whereby the Zimbra user can
run postfix as root which in turn is capable of executing arbitrary
shellscripts. This can be abused for reliable privilege escalation from the
context of the zimbra service account to root. As of this time, this
vulnerability remains unpatched.
Zimbra RCE (CVE-2022-41352)
rbowes [https://github.co