Posts tagged Metasploit

3 min Metasploit Weekly Wrapup

Metasploit Weekly Wrap-Up

Back from a quiet holiday season
Thankfully, it was a relatively quiet holiday break for security this year, so we hope everyone had a relaxing time while they could. This wrapup covers the last three Metasploit releases, and contains three new modules, two updates, and five bug fixes.
Make sure that your OpenTSDB isn’t too open
Of particular note in this release is a new module from community contributors Erik Wynter [https://github.com/ErikWynter] and Shai rod [https://github.com/nightrang3r

5 min Haxmas

2022 Annual Metasploit Wrap-Up

It's been another gangbusters year for Metasploit, and the holidays are a time to give thanks to all the people that help make our load a little bit lighter. So, while this end-of-year wrap-up is a highlight reel of the headline features and extensions that landed in Metasploit-land in 2022, we also want to express our gratitude and appreciation for our stellar community of contributors, maintainers, and users. The Metasploit team merged 824 pull requests across Metasploit-related projects in 20

4 min Metasploit

Metasploit Weekly Wrap-Up

A sack full of cheer from the Hacking Elves of Metasploit
It is clear that the Metasploit elves have been busy this season: Five new modules, six new enhancements, nine new bug fixes, and a partridge in a pear tree are headed out this week! (Neither partridge nor pear tree included.) In this sack of goodies, we have a gift that keeps on giving: Shelby’s [https://github.com/space-r7] Acronis TrueImage Privilege Escalation [https://github.com/rapid7/metasploit-framework/pull/17265] works wonderfully, even

2 min Metasploit Weekly Wrapup

Metasploit Wrap-Up

Login brute-force utility
Jan Rude [https://github.com/whoot] added a new module that gives users the ability to brute-force login for Linux Syncovery. This expands Framework's capability to scan logins to Syncovery, a popular web GUI for backups.
WordPress extension SQL injection module
Cydave [https://github.com/cydave], destr4ct [https://github.com/destr4ct], and jheysel-r7 [https://github.com/jheysel-r7] contributed a new module that takes advantage of a vulnerable WordPress extension. Thi

2 min Metasploit

Metasploit Weekly Wrap-Up

ProxyNotShell
This week's Metasploit release includes an exploit module for CVE-2022-41082, AKA ProxyNotShell by DA-0x43-Dx4-DA-Hx2-Tx2-TP-S-Q, Orange Tsai [https://github.com/orangetw], Piotr Bazydło [https://mobile.twitter.com/chudypb], Rich Warren [https://twitter.com/buffaloverflow], Soroush Dalili [https://twitter.com/irsdl], and our very own Spencer McIntyre [https://github.com/zeroSteiner]. The vulnerability CVE-2022-41082, AKA ProxyNotShell, is a deserialization flaw in Microsoft Exchang

2 min Metasploit

Metasploit Weekly Wrap-Up

2 new modules targeting F5 devices, DuckyScript support, bug fixes, and more

2 min Metasploit

Metasploit Weekly Wrap-Up

Pre-authenticated Remote Code Execution in VMware NSX Manager using XStream (CVE-2021-39144)
There’s nothing quite like a pre-authenticated remote code execution vulnerability in a piece of enterprise software. This week, community contributor h00die-gr3y [https://github.com/h00die-gr3y] added a module [https://github.com/rapid7/metasploit-framework/pull/17222] that targets VMware NSX Manager using XStream. Due to an unauthenticated endpoint that leverages XStream for input serialization in VMwa

3 min Metasploit

Metasploit Weekly Wrap-Up

ADCS - ESC Vulnerable certificate template finder
Our very own Grant Willcox has developed a new module which allows users to query an LDAP server for vulnerable Active Directory Certificate Services (AD CS) certificate templates. The module will print the detected certificate details and the attack it is susceptible to. This module is capable of checking for ESC1, ESC2, and ESC3 vulnerable certificates. Example module output showing an identified vulnerable certificate template: msf6 auxiliar

3 min Metasploit

Metasploit Weekly Wrap-Up

C is for cookie
And that’s good enough for Apache CouchDB, apparently. Our very own Jack Heysel [https://github.com/jheysel-r7] added an exploit module based on CVE-2022-24706 targeting CouchDB prior to 3.2.2, leveraging a special default ‘monster’ cookie that allows users to run OS commands.
This fake computer I just made says I’m an Admin
Metasploit’s zeroSteiner [https://github.com/zeroSteiner] added a module to perform Role-based Constrained Delegation (RBCD) on an Active Directory network.

3 min Metasploit

Metasploit Weekly Wrap-Up

GLPI htmLawed PHP Command Injection
Our very own bwatters-r7 [https://github.com/bwatters-r7] wrote a module for an unauthenticated PHP command injection vulnerability that exists in various versions of GLPI. The vulnerability is due to a third-party vendor test script being present in default installations. A POST request to vendor/htmlawed/htmlawed/htmLawedTest.php directly allows an attacker to execute exec() through the hhook and test parameters, resulting in unauthenticated RCE as the www

3 min Metasploit

Metasploit Weekly Wrap-Up

Zimbra with Postfix LPE (CVE-2022-3569)
This week rbowes [https://github.com/rbowes-r7] added an LPE exploit for Zimbra with Postfix. The exploit leverages a vulnerability whereby the Zimbra user can run postfix as root, which in turn is capable of executing arbitrary shell scripts. This can be abused for reliable privilege escalation from the context of the zimbra service account to root. As of this time, this vulnerability remains unpatched.
Zimbra RCE (CVE-2022-41352)
rbowes [https://github.co

2 min Metasploit Weekly Wrapup

Metasploit Wrap-Up

Remote code execution modules for Spring Cloud Function and pfSense, plus bug fixes for the Windows secrets dump module.

5 min Metasploit

Metasploit Weekly Wrap-Up

Bofloader - Windows Meterpreter Gets Beacon Object File Loader Support
This week brings a new and frequently requested feature to the Windows Meterpreter, the Beacon Object File loader. This new extension, bofloader, allows users to execute Beacon Object Files as written for either Cobalt Strike or Sliver. This extension was provided by a group effort among community members kev169 [https://github.com/kev169], GuhnooPlusLinux [https://twitter.com/GuhnooPlusLinux], R0wdyJoe [https://twitter.c

2 min Metasploit

Metasploit Weekly Wrap-Up

Veritas Backup Exec Agent RCE
This module, kindly provided by c0rs [https://github.com/c0rs], targets the Veritas Backup Exec Agent in order to gain RCE as the system/root user. The exploit itself is actually a chain of 3 separate CVEs (CVE-2021-27876, CVE-2021-27877 and CVE-2021-27878), which only makes it more impressive. While you're patching, why not take the time to test your backups too?
Hikvision IP Camera user impersonation
This vulnerability has been present in Hikvision products since 20

4 min Metasploit

Metasploit Weekly Wrap-Up

Have you built out that awesome media room?
If your guilty pleasures include using a mobile device to make your home entertainment system WOW your guests, you might be using Unified Remote [https://www.unifiedremote.com/]. I hope you are extra cautious about what devices you let on that WiFi network. A prolific community member h00die [https://github.com/h00die] added a module this week that uses a recently published vulnerability from H4RK3NZ0 [https://github.com/H4rk3nz0] to leverage an unprot