1 min
Metasploit Weekly Wrapup
Metasploit Weekly Wrap-Up: Nov. 17, 2023
Possible Web Service Removal
Metasploit has support for running with a local database, or from a remote web
service which can be initialized with msfdb init --component webservice. Future
versions of Metasploit Framework may remove the msfdb remote webservice. Users
that leverage this functionality are invited to react on an issue currently on
GitHub [https://github.com/rapid7/metasploit-framework/issues/18439] to inform
the maintainers that the feature is used.
New module content (1)
ZoneMind
3 min
Metasploit Weekly Wrapup
Metasploit Weekly Wrap-Up 11/10/23
Apache MQ and Three Cisco Modules in a Trenchcoat
This week’s release has a lot of new content and features modules targeting two
major recent vulnerabilities that got a great deal of attention: CVE-2023-46604
targeting Apache MQ
[https://www.rapid7.com/blog/post/2023/11/01/etr-suspected-exploitation-of-apache-activemq-cve-2023-46604/]
resulting in ransomware deployment and CVE-2023-20198 targeting Cisco IOS XE OS
[https://www.rapid7.com/blog/post/2023/10/17/etr-cve-2023-20198-active-exploitati
2 min
Metasploit
Metasploit Weekly Wrap-Up: Nov. 3, 2023
PTT for DCSync
This week, community member smashery [https://github.com/smashery] made an
improvement to the windows_secrets_dump module to enable it to dump domain
hashes using the DCSync method after having authenticated with a Kerberos
ticket. Now, if a user has a valid Kerberos ticket for a privileged account,
they can run the windows_secrets_dump module with the DOMAIN action and obtain
the desired information. No password required. This is particularly useful in
workflows involving the exp
2 min
Metasploit
Metasploit Weekly Wrap-Up: Oct. 27, 2023
New module content (4)
Atlassian Confluence Data Center and Server Authentication Bypass via Broken
Access Control
Authors: Emir Polat and Unknown
Type: Auxiliary
Pull request: #18447 [https://github.com/rapid7/metasploit-framework/pull/18447]
contributed by emirpolatt [https://github.com/emirpolatt]
Path: admin/http/atlassian_confluence_auth_bypass
AttackerKB reference: CVE-2023-22515
[https://attackerkb.com/topics/Q5f0ItSzw5/cve-2023-22515?referrer=blog]
Description: This adds an exploit for
4 min
Metasploit
Metasploit Weekly Wrap-Up: Oct. 19, 2023
That Privilege Escalation Escalated Quickly
This release features a module leveraging CVE-2023-22515
[https://www.rapid7.com/blog/post/2023/10/04/etr-cve-2023-22515-zero-day-privilege-escalation-in-confluence-server-and-data-center/]
, a vulnerability in Atlassian’s on-premises Confluence Server first listed as a
privilege escalation, but quickly recategorized as a “broken access control”
with a CVSS score of 10. The exploit itself is very simple and easy to use so
there was little surprise when
3 min
Metasploit
Metasploit Weekly Wrap-Up: Oct. 13, 2023
Pollution in Kibana
This week, contributor h00die [https://github.com/h00die] added a module that
leverages a prototype pollution bug in Kibana prior to version 7.6.3.
Particularly, this issue is within the Upgrade Assistant and enables an attacker
to execute arbitrary code. This vulnerability can be triggered by sending a
queries that sets a new constructor.prototype.sourceURL directly to Elastic or
by using Kibana to submit the same queries. Note that Kibana needs to be
restarted or wait for c
2 min
Metasploit
Metasploit Weekly Wrap-Up: Oct. 6, 2023
New module content (3)
LDAP Login Scanner
Author: Dean Welch
Type: Auxiliary
Pull request: #18197 [https://github.com/rapid7/metasploit-framework/pull/18197]
contributed by dwelch-r7 [https://github.com/dwelch-r7]
Path: scanner/ldap/ldap_login
Description: This PR adds a new login scanner module for LDAP. Login scanners
are the classes that provide functionality for testing authentication against
various different protocols and mechanisms. This LDAP login scanner supports
multiple types of aut
3 min
Metasploit
Metasploit Weekly Wrap-Up: Sep. 29, 2023
TeamCity authentication bypass and remote code execution
This week’s Metasploit release includes a new module for a critical
authentication bypass in JetBrains TeamCity CI/CD Server. All versions of
TeamCity prior to version 2023.05.4 are vulnerable to this issue. The
vulnerability was originally discovered by SonarSource, and the Metasploit
module was developed by Rapid7’s Principal Security Researcher Stephen Fewer who
additionally published a technical analysis on AttackerKB for CVE-2023-4279
4 min
Metasploit
Metasploit Weekly Wrap-Up: Sep. 22, 2023
Improved Ticket Forging
Metasploit’s admin/kerberos/forge_ticket module has been updated to work with
Server 2022. In Windows Server 2022, Microsoft started requiring additional new
PAC elements to be present - the PAC requestor and PAC attributes. The newly
forged tickets will have the necessary elements added automatically based on the
user provided domain SID and user RID. For example:
msf6 auxiliary(admin/kerberos/forge_ticket) > run aes_key=4a52b73cf37ba06cf693c40f352e2f4d2002ef61f6031f649
4 min
Metasploit
Metasploit Weekly Wrap-Up: Sep. 15, 2023
Flask Cookies
This week includes two modules related to Flask cookie signatures. One is
specific to Apache Superset where session cookies can be resigned, allowing an
attacker to elevate their privileges and dump the database connection strings.
While adding this functionality, community member h00die
[https://github.com/h00die] also added a module for generically working with the
default session cookies used by Flask. This generic module
auxiliary/gather/python_flask_cookie_signer
[https://git
2 min
Metasploit
Metasploit Weekly Wrap-Up: Sep. 8, 2023
New module content (4)
Roundcube TimeZone Authenticated File Disclosure
Authors: joel, stonepresto, and thomascube
Type: Auxiliary
Pull request: #18286 [https://github.com/rapid7/metasploit-framework/pull/18286]
contributed by cudalac [https://github.com/cudalac]
Path: auxiliary/gather/roundcube_auth_file_read
AttackerKB reference: CVE-2017-16651
[https://attackerkb.com/topics/He57FR8fB4/cve-2017-16651?referrer=blog]
Description: This PR adds a module to retrieve an arbitrary file on hosts
run
2 min
Metasploit
Metasploit Weekly Wrap-Up: Sep. 1, 2023
Pumpkin Spice Modules
Here in the northern hemisphere, fall is on the way: leaves changing, the air
growing crisp and cool, and some hackers changing the flavor of their caffeine.
This release features a new exploit module targeting Apache NiFi as well as a
new and improved library to interact with it.
New module content (1)
Apache NiFi H2 Connection String Remote Code Execution
Authors: Matei "Mal" Badanoiu and h00die
Type: Exploit
Pull request: #18257 [https://github.com/rapid7/metasploit-fra
3 min
Metasploit
Metasploit Weekly Wrap-Up: Aug. 25, 2023
Power[shell]Point
This week’s new features and improvements start with two new exploit modules
leveraging CVE-2023-34960
[https://attackerkb.com/topics/VVJpMeSpUP/cve-2023-34960?referrer=blog] Chamilo
versions 1.11.18 and below and CVE-2023-26469
[https://attackerkb.com/topics/RT7G6Vyw1L/cve-2023-26469?referrer=blog] in
Jorani 1.0.0. Like CVE-2023-34960
[https://attackerkb.com/topics/VVJpMeSpUP/cve-2023-34960?referrer=blog], I too,
feel attacked by PowerPoint sometimes.
We also have several impr
2 min
Metasploit
Metasploit Weekly Wrap-Up: Aug. 18, 2023
Meterpreter Testing
This week’s release adds new payload tests to our automated test suite. This is
intended to help the team and community members identify issues and behavior
discrepancies before changes are made. Payloads run on a variety of different
platforms including Windows, Linux, and OS X each of which has multiple
Meterpreter implementations available that are now tested to help ensure
consistency. This should improve payload stability and make testing easier for
community members tha
2 min
Metasploit
Metasploit Weekly Wrap-Up: Aug. 11, 2023
A new Metabase RCE module, updates to the citrix_formssso_target_rce module for CVE-2023-3519 to include two new targets, Citrix ADC (NetScaler) 12.1-65.25, and 12.1-64.17, and more