2 min
Metasploit
Metasploit Weekly Wrap-Up 01/19/24
Unicode your way to a php payload and three modules to add to your playbook for
Ansible
Our own jheysel-r7 added an exploit leveraging the fascinating tool of php
filter chaining to prepend a payload using encoding conversion characters and
h00die et. al. have come through and added 3 new Ansible post modules to gather
configuration information, read files, and deploy payloads. While none offer
instantaneous answers across the universe, they will certainly help in red team
exercises.
New module
3 min
Metasploit
Metasploit Weekly Wrap-Up: Dec. 15, 2023
Continuing the 12th Labor of Metasploit
Metasploit continues its Herculean task of increasing our toolset to tame
Kerberos by adding support for AS_REP Roasting, which allows retrieving the
password hashes of users who have Do not require Kerberos preauthentication set
on the domain controller. The setting is disabled by default, but it is enabled
in some environments.
Attackers can request the hash for any user with that option enabled, and worse
(or better?) you can query the DC to determine
3 min
Metasploit Weekly Wrapup
Metasploit Wrap-Up 12/8/2023
New this week: An OwnCloud gather module and a Docker cgroups container escape. Plus, an early feature that allows users to search module actions, targets, and aliases.
3 min
Metasploit Weekly Wrapup
Metasploit Weekly Wrap-Up 11/10/23
Apache MQ and Three Cisco Modules in a Trenchcoat
This week’s release has a lot of new content and features modules targeting two
major recent vulnerabilities that got a great deal of attention: CVE-2023-46604
targeting Apache MQ
[http://lzailxt8.goldcollection7.com/blog/post/2023/11/01/etr-suspected-exploitation-of-apache-activemq-cve-2023-46604/]
resulting in ransomware deployment and CVE-2023-20198 targeting Cisco IOS XE OS
[http://lzailxt8.goldcollection7.com/blog/post/2023/10/17/etr-cve-2023-20198-active-exploitati
4 min
Metasploit
Metasploit Weekly Wrap-Up: Oct. 19, 2023
That Privilege Escalation Escalated Quickly
This release features a module leveraging CVE-2023-22515
[http://lzailxt8.goldcollection7.com/blog/post/2023/10/04/etr-cve-2023-22515-zero-day-privilege-escalation-in-confluence-server-and-data-center/]
, a vulnerability in Atlassian’s on-premises Confluence Server first listed as a
privilege escalation, but quickly recategorized as a “broken access control”
with a CVSS score of 10. The exploit itself is very simple and easy to use so
there was little surprise when
2 min
Metasploit
Metasploit Weekly Wrap-Up: Sep. 1, 2023
Pumpkin Spice Modules
Here in the northern hemisphere, fall is on the way: leaves changing, the air
growing crisp and cool, and some hackers changing the flavor of their caffeine.
This release features a new exploit module targeting Apache NiFi as well as a
new and improved library to interact with it.
New module content (1)
Apache NiFi H2 Connection String Remote Code Execution
Authors: Matei "Mal" Badanoiu and h00die
Type: Exploit
Pull request: #18257 [http://github.com/rapid7/metasploit-fra
3 min
Metasploit
Metasploit Weekly Wrap-Up: Aug. 25, 2023
Power[shell]Point
This week’s new features and improvements start with two new exploit modules
leveraging CVE-2023-34960
[http://attackerkb.com/topics/VVJpMeSpUP/cve-2023-34960?referrer=blog] Chamilo
versions 1.11.18 and below and CVE-2023-26469
[http://attackerkb.com/topics/RT7G6Vyw1L/cve-2023-26469?referrer=blog] in
Jorani 1.0.0. Like CVE-2023-34960
[http://attackerkb.com/topics/VVJpMeSpUP/cve-2023-34960?referrer=blog], I too,
feel attacked by PowerPoint sometimes.
We also have several impr
2 min
Metasploit
Metasploit Weekly Wrap-Up: 6/30/23
Nothing but .NET?
Smashery continues to… smash it by updating our .NET assembly execution module.
The original module allowed users to run a .NET exe as a thread within a process
they created on a remote host. Smashery’s improvements let users run the
executable within a thread of the process hosting Meterpreter and also changed
the I/O for the executing thread to support pipes, allowing interaction with the
spawned .NET thread, even when the other process has control over STDIN and
STDOUT. The
3 min
Metasploit
Metasploit Weekly Wrap-Up: Jun. 9, 2023
MOVEit
It has been a busy few weeks in the security space; the MOVEit
[http://lzailxt8.goldcollection7.com/blog/post/2023/06/01/rapid7-observed-exploitation-of-critical-moveit-transfer-vulnerability/?utm_campaign=sm-blog&utm_source=twitter&utm_medium=organic-social]
vulnerability filling our news feeds with dancing lemurs and a Barracuda
[http://lzailxt8.goldcollection7.com/blog/post/2023/06/08/etr-cve-2023-2868-total-compromise-of-physical-barracuda-esg-appliances/?utm_campaign=sm-ETR&utm_source=twitter,linkedin&utm_me
6 min
Metasploit
Fetch Payloads: A Shorter Path from Command Injection to Metasploit Session
Rapid7 is pleased to announce the availability of Metasploit fetch payloads, which increase efficiency and user control over the commands executed.
3 min
Metasploit
Metasploit Weekly Wrap-Up: May 5, 2023
Throw another log [file] on the fire
Our own Stephen Fewer authored a module targeting CVE-2023-26360
[http://attackerkb.com/topics/F36ClHTTIQ/cve-2023-26360?referrer=blog]
affecting ColdFusion 2021 Update 5 and earlier as well as ColdFusion 2018 Update
15 and earlier. The vulnerability allows multiple paths to code execution, but
our module works by leveraging a request that will result in the server
evaluating the ColdFusion Markup language on an arbitrary file on the remote
system. This all
3 min
Metasploit Weekly Wrapup
Metasploit Weekly Wrap-Up: Jan. 1, 2023
Back from a quiet holiday season
Thankfully, it was a relatively quiet holiday break for security this year, so
we hope everyone had a relaxing time while they could. This wrapup covers the
last three Metasploit releases, and contains three new modules, two updates, and
five bug fixes.
Make sure that your OpenTSDB isn’t too open
Of particular note in this release is a new module from community contributors
Erik Wynter [http://github.com/ErikWynter] and Shai rod
[http://github.com/nightrang3r
4 min
Metasploit
Metasploit Weekly Wrap-Up: 12/16/22
A sack full of cheer from the Hacking Elves of Metasploit
It is clear that the Metasploit elves have been busy this season: Five new
modules, six new enhancements, nine new bug fixes, and a partridge in a pear
tree are headed out this week! (Partridge nor pear tree included.) In this sack
of goodies, we have a gift that keeps on giving: Shelby’s
[http://github.com/space-r7] Acronis TrueImage Privilege Escalation
[http://github.com/rapid7/metasploit-framework/pull/17265] works wonderfully,
even
3 min
Metasploit
Metasploit Weekly Wrap-Up: 11/4/22
C is for cookie
And that’s good enough for Apache CouchDB, apparently. Our very own Jack Heysel
[http://github.com/jheysel-r7] added an exploit module based on CVE-2022-24706
targeting CouchDB prior to 3.2.2, leveraging a special default ‘monster’ cookie
that allows users to run OS commands.
This fake computer I just made says I’m an Admin
Metasploit’s zeroSteiner [http://github.com/zeroSteiner] added a module to
perform Role-based Constrained Delegation (RBCD) on an Active Directory network.
2 min
Metasploit
Metasploit Weekly Wrap-Up: 6/10/22
A Confluence of High-Profile Modules
This release features modules covering the Confluence remote code execution bug
CVE-2022-26134 and the hotly-debated CVE-2022-30190, a file format vulnerability
in the Windows Operating System accessible through malicious documents. Both
have been all over the news, and we’re very happy to bring them to you so that
you can verify mitigations and patches in your infrastructure. If you’d like to
read more about these vulnerabilities, Rapid7 has AttackerKB analy