Metasploit Weekly Wrap-Up: Jun. 17, 2022
vCenter Secret Extracter
Expanding on the work of the vcenter_forge_saml_token auxiliary module,
community contributor npm-cesium137-io [https://github.com/npm-cesium137-io] has
added a new module for extracting the vmdir/vmafd certificates, the IdP keypair,
the VMCA root cert, and anything from vmafd that has a private key associated,
from an offline copy of the services database. This information can then be used
with the vcenter_forge_saml_token module to gain a session cookie that grants
acc
Metasploit Weekly Wrap-Up: 6/10/22
A Confluence of High-Profile Modules
This release features modules covering the Confluence remote code execution bug
CVE-2022-26134 and the hotly-debated CVE-2022-30190, a file format vulnerability
in the Windows Operating System accessible through malicious documents. Both
have been all over the news, and we’re very happy to bring them to you so that
you can verify mitigations and patches in your infrastructure. If you’d like to
read more about these vulnerabilities, Rapid7 has AttackerKB analy
Announcing Metasploit 6.2
Metasploit 6.2.0 has been released, marking another milestone that includes new modules, features, improvements, and bug fixes.
Metasploit Weekly Wrap-Up: 6/3/22
Ask and you may receive
Module suggestions [https://github.com/rapid7/metasploit-framework/issues/16522]
for the win: this week we see a new module written by jheysel-r7
[https://github.com/jheysel-r7] based on CVE-2022-26352
[https://attackerkb.com/topics/7i5Uf6JNl0/cve-2022-26352?referrer=blog] that
happens to have been suggested by jvoisin [https://github.com/jvoisin] in the
issue queue last month. This module targets an arbitrary file upload in dotCMS
[https://github.com/dotCMS/core.git] ve
Metasploit Weekly Wrap-Up: 5/27/22
PetitPotam Improvements
Metasploit’s Ruby support has been updated to allow anonymous authentication to
SMB servers. This is notably useful while exploiting the PetitPotam
vulnerability with Metasploit, which can be used to coerce a Domain Controller
to send an authentication attempt over SMB to other machines via MS-EFSRPC
methods:
msf6 auxiliary(scanner/dcerpc/petitpotam) > run 192.168.159.10
[*] 192.168.159.10:445 - Binding to c681d488-d850-11d0-8c52-00c04fd90f7e:1.0@ncacn_np:192.168.159
Metasploit Weekly Wrap-Up: 5/20/22
Zyxel firewall unauthenticated command injection
This week, our very own Jake Baines [https://github.com/jbaines-r7] added an
exploit module that leverages CVE-2022-30525
[https://attackerkb.com/topics/LbcysnvxO2/cve-2022-30525?referrer=blog], an
unauthenticated remote command injection vulnerability in Zyxel firewalls with
zero touch provisioning (ZTP) support. Jake is also the author of the original
research and advisory
[https://www.rapid7.com/blog/post/2022/05/12/cve-2022-30525-fixed-zyxel-f
Metasploit Weekly Wrap-Up: 5/13/22
Spring4Shell module
Community contributor vleminator [https://github.com/vleminator] added a new
module [https://github.com/rapid7/metasploit-framework/pull/16423] which
exploits CVE-2022-22965
[https://attackerkb.com/topics/xtgLfwQYBm/cve-2022-22965?referrer=blog]—more
commonly known as "Spring4Shell." Depending on its deployment configuration
[https://attackerkb.com/topics/xtgLfwQYBm/cve-2022-22965/rapid7-analysis?referrer=blog],
Java Spring Framework versions 5.3.0 to 5.3.17, 5.2.0 to 5.2.19
Metasploit Wrap-Up: May 6, 2022
Three new exploit modules, and an update for Windows 11 support
Metasploit Wrap-Up: 4/29/22
Module additions this week to enumerate all installed AV products on Windows and escape sandboxes on certain Debian-specific Redis versions. Plus, a new place for Metasploit docs focused on pen testing workflows.
Metasploit Weekly Wrap-Up: 4/22/22
ManageEngine ADSelfService Plus Authenticated RCE
This module is pretty exciting for us because it's for a vulnerability
discovered by our very own Rapid7 researchers Jake Baines
[https://github.com/jbaines-r7], Hernan Diaz, Andrew Iwamaye, and Dan Kelly.
The vulnerability allowed for attackers to leverage the "custom script"
functionality to execute arbitrary operating system commands whenever domain
users reset their passwords.
I won't go into too much depth though because we have a whole blog
Metasploit Weekly Wrap-Up: 4/15/22
Meterpreter Debugging
A consistent message Metasploit hears from users is that debugging and general
logging support could be improved. The gaps in functionality make it difficult
for users to understand what happens when things go wrong and for new and
existing developers to fix bugs and add new features. The Metasploit team has
been trying to improve this in various parts of the framework, the most recent
being Meterpreter. Meterpreter payloads now have additional debugging options
that can be
Metasploit Wrap-Up: 4/8/22
Five new modules targeting Windows, Linux, macOS, and more. Plus, updates to the Log4Shell scanner and a new Windows Meterpreter option to enable additional logging visible in DbgView
Metasploit Weekly Wrap-Up: 4/1/22
CVE-2022-22963 - Spring Cloud Function SpEL RCE
A new exploit/multi/http/spring_cloud_function_spel_injection module has been
developed by our very own Spencer McIntyre [https://github.com/smcintyre-r7]
which targets Spring Cloud Function versions prior to 3.1.7 and 3.2.3. This
module is unrelated to Spring4Shell CVE-2022-22965
[https://www.rapid7.com/blog/post/2022/03/30/spring4shell-zero-day-vulnerability-in-spring-framework/],
which is a separate vulnerability in the WebDataBinder component
Metasploit Weekly Wrap-Up: Mar. 25, 2022
Capture Plugin
Capturing credentials is a critical and early phase in the playbook of many
offensive security testers. Metasploit has facilitated this for years with
protocol-specific modules, all under auxiliary/server/capture. Users can
start and configure each of these modules individually, but now the capture
plugin can streamline the process. The capture plugin can easily start 13
different services (17 including SSL enabled versions) on the same listening IP
address including remote int
Metasploit Weekly Wrap-Up: Mar. 18, 2022
CVE-2022-21999 - SpoolFool
Our very own Shelby Pace [https://github.com/space-r7] has added a new module
for the CVE-2022-21999 SpoolFool privilege escalation vulnerability
[https://attackerkb.com/topics/vFYqO85asS/cve-2022-21999?referrer=blog]. This
escalation vulnerability can be leveraged to achieve code execution as SYSTEM.
This new module has successfully been tested on Windows 10 (10.0 Build 19044)
and Windows Server 2019 v1809 (Build 17763.1577).
CVE-2021-4191 - Gitlab GraphQL API User E