Posts tagged Metasploit

13 min Metasploit

Metasploit Framework 6.3 Released

Metasploit Framework 6.3 is now available. New features include native Kerberos authentication support, streamlined Active Directory attack workflows (AD CS, AD DS), and new modules that request, forge, and convert tickets between formats.

2 min Metasploit

Metasploit Weekly Wrap-Up

Cacti Unauthenticated Command Injection Thanks to community contributor Erik Wynter [https://github.com/ErikWynter], Metasploit Framework now has an exploit module [https://github.com/rapid7/metasploit-framework/pull/17407] for an unauthenticated command injection vulnerability in the Cacti network-monitoring software. The vulnerability is due to a proc_open() call that accepts unsanitized user input in remote_agent.php. Provided that the target server has data that's tied to the POLLER_ACTION_S

2 min Metasploit

Metasploit Weekly Wrap-Up

See something say something Have an idea on how to expand on Metasploit Documentation on https://docs.metasploit.com/? Did you see a typo or some other error on the docs site? Thanks to adfoster-r7 [https://github.com/adfoster-r7], submitting an update to the documentation is as easy as clicking the 'Edit this page on GitHub' link on the page you want to change. The new link will take you directly to the source in Metasploit's GitHub so you can quickly locate the Markdown [https://www.markdowng

2 min Metasploit

Metasploit Weekly Wrap-Up

New module content (2) Gather Dbeaver Passwords Author: Kali-Team Type: Post Pull request: #17337 [https://github.com/rapid7/metasploit-framework/pull/17337] contributed by cn-kali-team [https://github.com/cn-kali-team] Description: This adds a post exploit module that retrieves Dbeaver session data from local configuration files. It is able to extract and decrypt credentials stored in these files for any version of Dbeaver installed on Windows or Linux/Unix systems. Gather MinIO Client Key A

3 min Metasploit Weekly Wrapup

Metasploit Weekly Wrap-Up

Back from a quiet holiday season Thankfully, it was a relatively quiet holiday break for security this year, so we hope everyone had a relaxing time while they could. This wrapup covers the last three Metasploit releases, and contains three new modules, two updates, and five bug fixes. Make sure that your OpenTSDB isn’t too open Of particular note in this release is a new module from community contributors Erik Wynter [https://github.com/ErikWynter] and Shai rod [https://github.com/nightrang3r

5 min Haxmas

2022 Annual Metasploit Wrap-Up

It's been another gangbusters year for Metasploit, and the holidays are a time to give thanks to all the people that help make our load a little bit lighter. So, while this end-of-year wrap-up is a highlight reel of the headline features and extensions that landed in Metasploit-land in 2022, we also want to express our gratitude and appreciation for our stellar community of contributors, maintainers, and users. The Metasploit team merged 824 pull requests across Metasploit-related projects in 20

4 min Metasploit

Metasploit Weekly Wrap-Up

A sack full of cheer from the Hacking Elves of Metasploit It is clear that the Metasploit elves have been busy this season: Five new modules, six new enhancements, nine new bug fixes, and a partridge in a pear tree are headed out this week! (Partridge nor pear tree included.) In this sack of goodies, we have a gift that keeps on giving: Shelby’s [https://github.com/space-r7] Acronis TrueImage Privilege Escalation [https://github.com/rapid7/metasploit-framework/pull/17265] works wonderfully, even

2 min Metasploit Weekly Wrapup

Metasploit Wrap-Up

Login brute-force utility Jan Rude [https://github.com/whoot] added a new module that gives users the ability to brute-force login for Linux Syncovery. This expands Framework's capability to scan logins to Syncovery, a popular web GUI for backups. WordPress extension SQL injection module Cydave [https://github.com/cydave], destr4ct [https://github.com/destr4ct], and jheysel-r7 [https://github.com/jheysel-r7] contributed a new module that takes advantage of a vulnerable WordPress extension. Thi

2 min Metasploit

Metasploit Weekly Wrap-Up

ProxyNotShell This week's Metasploit release includes an exploit module for CVE-2022-41082, AKA ProxyNotShell by DA-0x43-Dx4-DA-Hx2-Tx2-TP-S-Q, Orange Tsai [https://github.com/orangetw], Piotr Bazydło [https://mobile.twitter.com/chudypb], Rich Warren [https://twitter.com/buffaloverflow], Soroush Dalili [https://twitter.com/irsdl] , and our very own Spencer McIntyre [https://github.com/zeroSteiner]. The vulnerability CVE-2022-41082, AKA ProxyNotShell is a deserialization flaw in Microsoft Exchang

2 min Metasploit

Metasploit Weekly Wrap-Up

2 new modules targeting F5 devices, DuckyScript support, bug fixes, and more

2 min Metasploit

Metasploit Weekly Wrap-Up

Pre-authenticated Remote Code Execution in VMware NSX Manager using XStream (CVE-2021-39144) There’s nothing quite like a pre-authenticated remote code execution vulnerability in a piece of enterprise software. This week, community contributor h00die-gr3y [https://github.com/h00die-gr3y] added a module [https://github.com/rapid7/metasploit-framework/pull/17222] that targets VMware NSX Manager using XStream. Due to an unauthenticated endpoint that leverages XStream for input serialization in VMwa

3 min Metasploit

Metasploit Weekly Wrap-Up

ADCS - ESC Vulnerable certificate template finder Our very own Grant Willcox has developed a new module which allows users to query a LDAP server for vulnerable Active Directory Certificate Services (AD CS) certificate templates. The module will print the detected certificate details, and the attack it is susceptible to. This module is capable of checking for ESC1, ESC2, and ESC3 vulnerable certificates. Example module output showing an identified vulnerable certificate template: msf6 auxiliar

3 min Metasploit

Metasploit Weekly Wrap-Up

C is for cookie And that’s good enough for Apache CouchDB, apparently. Our very own Jack Heysel [https://github.com/jheysel-r7] added an exploit module based on CVE-2022-24706 targeting CouchDB prior to 3.2.2, leveraging a special default ‘monster’ cookie that allows users to run OS commands. This fake computer I just made says I’m an Admin Metasploit’s zeroSteiner [https://github.com/zeroSteiner] added a module to perform Role-based Constrained Delegation (RBCD) on an Active Directory network.

3 min Metasploit

Metasploit Weekly Wrap-UP

GLPI htmLawed PHP Command Injection Our very own bwatters-r7 [https://github.com/bwatters-r7] wrote a module for an unauthenticated PHP command injection vulnerability that exists in various versions of GLPI. The vulnerability is due to a third-party vendor test script being present in default installations. A POST request to vendor/htmlawed/htmlawed/htmLawedTest.php directly allows an attacker to execute exec() through the hhook and test parameters, resulting in unauthenticated RCE as the www

3 min Metasploit

Metasploit Weekly Wrap-Up

Zimbra with Postfix LPE (CVE-2022-3569) This week rbowes [https://github.com/rbowes-r7] added an LPE exploit for Zimbra with Postfix. The exploit leverages a vulnerability whereby the Zimbra user can run postfix as root which in turn is capable of executing arbitrary shellscripts. This can be abused for reliable privilege escalation from the context of the zimbra service account to root. As of this time, this vulnerability remains unpatched. Zimbra RCE (CVE-2022-41352) rbowes [https://github.co