Posts tagged Metasploit

4 min Metasploit

Metasploit Weekly Wrap-Up: Oct. 19, 2023

That Privilege Escalation Escalated Quickly This release features a module leveraging CVE-2023-22515 [https://www.rapid7.com/blog/post/2023/10/04/etr-cve-2023-22515-zero-day-privilege-escalation-in-confluence-server-and-data-center/] , a vulnerability in Atlassian’s on-premises Confluence Server first listed as a privilege escalation, but quickly recategorized as a “broken access control” with a CVSS score of 10. The exploit itself is very simple and easy to use so there was little surprise when

3 min Metasploit

Metasploit Weekly Wrap-Up: Oct. 13, 2023

Pollution in Kibana This week, contributor h00die [https://github.com/h00die] added a module that leverages a prototype pollution bug in Kibana prior to version 7.6.3. Particularly, this issue is within the Upgrade Assistant and enables an attacker to execute arbitrary code. This vulnerability can be triggered by sending a queries that sets a new constructor.prototype.sourceURL directly to Elastic or by using Kibana to submit the same queries. Note that Kibana needs to be restarted or wait for c

2 min Metasploit

Metasploit Weekly Wrap-Up: Oct. 6, 2023

New module content (3) LDAP Login Scanner Author: Dean Welch Type: Auxiliary Pull request: #18197 [https://github.com/rapid7/metasploit-framework/pull/18197] contributed by dwelch-r7 [https://github.com/dwelch-r7] Path: scanner/ldap/ldap_login Description: This PR adds a new login scanner module for LDAP. Login scanners are the classes that provide functionality for testing authentication against various different protocols and mechanisms. This LDAP login scanner supports multiple types of aut

3 min Metasploit

Metasploit Weekly Wrap-Up: Sep. 29, 2023

TeamCity authentication bypass and remote code execution This week’s Metasploit release includes a new module for a critical authentication bypass in JetBrains TeamCity CI/CD Server. All versions of TeamCity prior to version 2023.05.4 are vulnerable to this issue. The vulnerability was originally discovered by SonarSource, and the Metasploit module was developed by Rapid7’s Principal Security Researcher Stephen Fewer who additionally published a technical analysis on AttackerKB for CVE-2023-4279

4 min Metasploit

Metasploit Weekly Wrap-Up: Sep. 22, 2023

Improved Ticket Forging Metasploit’s admin/kerberos/forge_ticket module has been updated to work with Server 2022. In Windows Server 2022, Microsoft started requiring additional new PAC elements to be present - the PAC requestor and PAC attributes. The newly forged tickets will have the necessary elements added automatically based on the user provided domain SID and user RID. For example: msf6 auxiliary(admin/kerberos/forge_ticket) > run aes_key=4a52b73cf37ba06cf693c40f352e2f4d2002ef61f6031f649

4 min Metasploit

Metasploit Weekly Wrap-Up: Sep. 15, 2023

Flask Cookies This week includes two modules related to Flask cookie signatures. One is specific to Apache Superset where session cookies can be resigned, allowing an attacker to elevate their privileges and dump the database connection strings. While adding this functionality, community member h00die [https://github.com/h00die] also added a module for generically working with the default session cookies used by Flask. This generic module auxiliary/gather/python_flask_cookie_signer [https://git

2 min Metasploit

Metasploit Weekly Wrap-Up: Sep. 8, 2023

New module content (4) Roundcube TimeZone Authenticated File Disclosure Authors: joel, stonepresto, and thomascube Type: Auxiliary Pull request: #18286 [https://github.com/rapid7/metasploit-framework/pull/18286] contributed by cudalac [https://github.com/cudalac] Path: auxiliary/gather/roundcube_auth_file_read AttackerKB reference: CVE-2017-16651 [https://attackerkb.com/topics/He57FR8fB4/cve-2017-16651?referrer=blog] Description: This PR adds a module to retrieve an arbitrary file on hosts run

2 min Metasploit

Metasploit Weekly Wrap-Up: Sep. 1, 2023

Pumpkin Spice Modules Here in the northern hemisphere, fall is on the way: leaves changing, the air growing crisp and cool, and some hackers changing the flavor of their caffeine. This release features a new exploit module targeting Apache NiFi as well as a new and improved library to interact with it. New module content (1) Apache NiFi H2 Connection String Remote Code Execution Authors: Matei "Mal" Badanoiu and h00die Type: Exploit Pull request: #18257 [https://github.com/rapid7/metasploit-fra

3 min Metasploit

Metasploit Weekly Wrap-Up: Aug. 25, 2023

Power[shell]Point This week’s new features and improvements start with two new exploit modules leveraging CVE-2023-34960 [https://attackerkb.com/topics/VVJpMeSpUP/cve-2023-34960?referrer=blog] Chamilo versions 1.11.18 and below and CVE-2023-26469 [https://attackerkb.com/topics/RT7G6Vyw1L/cve-2023-26469?referrer=blog] in Jorani 1.0.0. Like CVE-2023-34960 [https://attackerkb.com/topics/VVJpMeSpUP/cve-2023-34960?referrer=blog], I too, feel attacked by PowerPoint sometimes. We also have several impr

2 min Metasploit

Metasploit Weekly Wrap-Up: Aug. 18, 2023

Meterpreter Testing This week’s release adds new payload tests to our automated test suite. This is intended to help the team and community members identify issues and behavior discrepancies before changes are made. Payloads run on a variety of different platforms including Windows, Linux, and OS X each of which has multiple Meterpreter implementations available that are now tested to help ensure consistency. This should improve payload stability and make testing easier for community members tha

2 min Metasploit

Metasploit Weekly Wrap-Up: Aug. 11, 2023

A new Metabase RCE module, updates to the citrix_formssso_target_rce module for CVE-2023-3519 to include two new targets, Citrix ADC (NetScaler) 12.1-65.25, and 12.1-64.17, and more

4 min Metasploit

Metasploit Weekly Wrap-Up: Aug. 4, 2023

Fly High in the Sky With This New Cloud Exploit! This week, a new module was added that takes advantage of both authentication bypass and command injection in certain versions of Western Digital's MyCloud hardware. Submitted by community member Erik Wynter [https://github.com/ErikWynter], this module gains access to the target, attempts to bypass authentication, verifies whether that was successful, then executes the payload with root privileges. This works on versions before 2.30.196, and offer

3 min Metasploit

Metasploit Weekly Wrap-Up: July 28, 2023

Unauthenticated RCE in VMware Product This week, community contributor h00die [https://github.com/h00die] added an exploit module that leverages a command injection vulnerability in VMWare Aria Operations for Networks, formerly known as vRealize Network Insight. Versions 6.2 to 6.10 are vulnerable (CVE-2023-20887 [https://attackerkb.com/topics/gxz1cUyFh2/cve-2023-20887?referrer=blog]). A remote attacker could abuse the Apache Thrift RPC interface by sending specially crafted data and get unauthe

2 min Metasploit

Metasploit Weekly Wrap Up: July 21, 2023

This week's weekly wrapup includes two new Metasploit modules - Piwigo Gather Credentials via SQL Injection ( CVE-2023-26876 ) and Openfire authentication bypass with RCE plugin (CVE-2023-32315)

2 min Metasploit

Metasploit Weekly Wrap-Up: July 14, 2023

Authentication bypass in Wordpress Plugin WooCommerce Payments This week's Metasploit release includes a module for CVE-2023-28121 by h00die [https://github.com/h00die]. This module can be used against any wordpress instance that uses WooCommerce payments < 5.6.1. This module exploits an auth by-pass vulnerability in the WooCommerce WordPress plugin. You can simply add a header to execute the bypass and use the API to create a new admin user in Wordpress. New module content (3) Wordpress Plugin