Posts tagged Metasploit

3 min Metasploit Weekly Wrapup

Metasploit Weekly Wrap-Up

Putting in the work! This week we’re extra grateful for the fantastic contributions our community makes to Metasploit. The Metasploit team landed more than 5 PRs each from Ron Bowes [https://github.com/rbowes-r7] and bcoles [https://github.com/bcoles], adding some great new capabilities. Ron Bowes [https://github.com/rbowes-r7] contributed four new modules targeting UnRAR, Zimbra, and ManageEngine ADAudit Plus. These modules offer Metasploit users some excellent new vectors to leverage against

3 min Metasploit

Metasploit Weekly Wrap-Up

Log4Shell in MobileIron Core Thanks to jbaines-r7 [https://github.com/jbaines-r7] we have yet another Log4Shell exploit [https://github.com/rapid7/metasploit-framework/pull/16837]. Similar to the other Log4Shell exploit modules, the exploit works by sending a JNDI string that once received by the server will be deserialized, resulting in unauthenticated remote code execution as the tomcat user. Vulnerable versions of MobileIron Core have been reported as exploited [https://www.mandiant.com/resou

4 min Metasploit

Metasploit Weekly Wrap-Up

Roxy-WI Unauthenticated RCE This week, community member Nuri Çilengir [https://github.com/ncilengir] added an unauthenticated RCE for Roxy-WI. Roxy-WI is an interface for managing HAProxy, Nginx and Keepalived servers. The vulnerability can be triggered by a specially crafted POST request to a Python script where the ipbackend parameter is vulnerable to OS command injection. The result is reliable code execution within the context of the web application user. Fewer Meterpreter Scripts Community

3 min Metasploit

Metasploit Weekly Wrap-Up

The past, present and future of Metasploit Don't miss Spencer McIntyre's talk on the Help Net Security's blog [https://www.helpnetsecurity.com/2022/07/20/past-present-future-metasploit-video/] . Spencer is the Lead Security Researcher at Rapid7 and speaks about how Metasploit has evolved since its creation back in 2003. He also explains how the Framework is addressing today's offensive security challenges and how important is the partnership with the community. LDAP swiss army knife This week,

3 min Metasploit

Metasploit Weekly Wrap-Up

JBOSS EAP/AS - More Deserializations? Indeed! Community contributor Heyder Andrade [https://github.com/heyder] added in a new module for a Java deserialization vulnerability in JBOSS EAP/AS Remoting Unified Invoker interface for versions 6.1.0 and prior. As far as we can tell this was first disclosed by Joao Matos [https://github.com/joaomatosf] in his paper at AlligatorCon [https://s3.amazonaws.com/files.joaomatosf.com/slides/alligator_slides.pdf]. Later a PoC from Marcio Almeida [https://twit

3 min Metasploit

Metasploit Weekly Wrap-Up

DFSCoerce - Distributing more than just files DFS (Distributed File System) is now distributing Net-NTLM credentials thanks to Spencer McIntyre [https://github.com/zeroSteiner] with a new auxiliary/scanner/dcerpc/dfscoerce module that is similar to PetitPotam in how it functions. Note that unlike PetitPotam, this technique does require a normal domain user’s credentials to work. The following shows the workflow for targeting a 64-bit Windows Server 2019 domain controller. Metasploit is hostin

2 min Metasploit

Metasploit Weekly Wrap-Up

SAMR Auxiliary Module A new SAMR auxiliary module has been added that allows users to add, lookup, and delete computer accounts from an AD domain. This should be useful for pentesters on engagements who need to create an AD account to gain an initial foothold into the domain for lateral movement attacks, or who need to use this functionality as an attack primitive. Note when using this module that there is a standard number of computers a user can add, so be wary that you may get STATUS_DS_MACH

2 min Metasploit

Metasploit Weekly Wrap-Up

Add Windows target support for the Confluence OGNL injection module Improves the exploit/multi/http/atlassian_confluence_namespace_ognl_injection module to support Windows server targets. This new target can be used to run payloads in memory with Powershell using the new payload adapters or drop an executable to disk. Once a Meterpreter session is obtained, getsystem can be used to escalate to NT AUTHORITY\SYSTEM using the RPCSS technique (#5) since Confluence service runs as NETWORK SERVICE by

2 min Metasploit

Metasploit Weekly Wrap-Up

vCenter Secret Extracter Expanding on the work of the vcenter_forge_saml_token auxiliary module, community contributor npm-cesium137-io [https://github.com/npm-cesium137-io] has added a new module for extracting the vmdir/vmafd certificates, the IdP keypair, the VMCA root cert, and anything from vmafd that has a private key associated, from an offline copy of the services database. This information can then be used with the vcenter_forge_saml_token module to gain a session cookie that grants acc

2 min Metasploit

Metasploit Weekly Wrap-Up

A Confluence of High-Profile Modules This release features modules covering the Confluence remote code execution bug CVE-2022-26134 and the hotly-debated CVE-2022-30190, a file format vulnerability in the Windows Operating System accessible through malicious documents. Both have been all over the news, and we’re very happy to bring them to you so that you can verify mitigations and patches in your infrastructure. If you’d like to read more about these vulnerabilities, Rapid7 has AttackerKB analy

9 min Metasploit

Announcing Metasploit 6.2

Metasploit 6.2.0 has been released, marking another milestone that includes new modules, features, improvements, and bug fixes.

2 min Metasploit

Metasploit Weekly Wrap-Up

Ask and you may receive Module suggestions [https://github.com/rapid7/metasploit-framework/issues/16522] for the win, this week we see a new module written by jheysel-r7 [https://github.com/jheysel-r7] based on CVE-2022-26352 [https://attackerkb.com/topics/7i5Uf6JNl0/cve-2022-26352?referrer=blog] that happens to have been suggested by jvoisin [https://github.com/jvoisin] in the issue queue last month. This module targets an arbitrary file upload in dotCMS [https://github.com/dotCMS/core.git] ve

4 min Metasploit

Metasploit Weekly Wrap-Up

PetitPotam Improvements Metasploit’s Ruby support has been updated to allow anonymous authentication to SMB servers. This is notably useful while exploiting the PetitPotam vulnerability with Metasploit, which can be used to coerce a Domain Controller to send an authentication attempt over SMB to other machines via MS-EFSRPC methods: msf6 auxiliary(scanner/dcerpc/petitpotam) > run 192.168.159.10 [*] 192.168.159.10:445 - Binding to c681d488-d850-11d0-8c52-00c04fd90f7e:1.0@ncacn_np:192.168.159

3 min Metasploit

Metasploit Weekly Wrap-Up

Zyxel firewall unauthenticated command injection This week, our very own Jake Baines [https://github.com/jbaines-r7] added an exploit module that leverages CVE-2022-30525 [https://attackerkb.com/topics/LbcysnvxO2/cve-2022-30525?referrer=blog], an unauthenticated remote command injection vulnerability in Zyxel firewalls with zero touch provisioning (ZTP) support. Jake is also the author of the original research and advisory [https://www.rapid7.com/blog/post/2022/05/12/cve-2022-30525-fixed-zyxel-f

4 min Metasploit

Metasploit Weekly Wrap-Up

Spring4Shell module Community contributor vleminator [https://github.com/vleminator] added a new module [https://github.com/rapid7/metasploit-framework/pull/16423] which exploits CVE-2022-22965 [https://attackerkb.com/topics/xtgLfwQYBm/cve-2022-22965?referrer=blog]—more commonly known as "Spring4Shell." Depending on its deployment configuration [https://attackerkb.com/topics/xtgLfwQYBm/cve-2022-22965/rapid7-analysis?referrer=blog] , Java Spring Framework versions 5.3.0 to 5.3.17, 5.2.0 to 5.2.19