2 min
Metasploit
Metasploit Weekly Wrap-Up 06/28/2024
Unauthenticated Command Injection in Netis Router
This week's Metasploit release includes an exploit module for an unauthenticated
command injection vulnerability in the Netis MW5360 router which is being
tracked as CVE-2024-22729. The vulnerability stems from improper handling of the
password parameter within the router's web interface which allows for command
injection. Fortunately for attackers, the router's login page authorization can
be bypassed by simply deleting the authorization header,
3 min
Metasploit
Metasploit Weekly Wrap-Up 06/21/2024
Argument Injection for PHP on Windows
This week includes modules that target file traversal and arbitrary file read
vulnerabilities for software such as Apache, SolarWinds and Check Point, with
the highlight being a module for the recent PHP vulnerability submitted by
sfewer-r7 [http://github.com/sfewer-r7]. This module exploits an argument
injection vulnerability, resulting in remote code execution and a Meterpreter
shell running in the context of the Administrator user.
Note, that this attac
3 min
Metasploit
Metasploit Weekly Wrap-Up 06/14/2024
New module content (5)
Telerik Report Server Auth Bypass
Authors: SinSinology and Spencer McIntyre
Type: Auxiliary
Pull request: #19242 [http://github.com/rapid7/metasploit-framework/pull/19242]
contributed by zeroSteiner [http://github.com/zeroSteiner]
Path: scanner/http/telerik_report_server_auth_bypass
AttackerKB reference: CVE-2024-4358
[http://attackerkb.com/search?q=CVE-2024-4358?referrer=blog]
Description: This adds an exploit for CVE-2024-4358 which is an authentication
bypass in Te
2 min
Metasploit
Metasploit Weekly Wrap-Up 06/07/2024
New OSX payloads:ARMed and Dangerous
In addition to an RCE leveraging CVE-2024-5084 to gain RCE through a WordPress
Hash form, this release features the addition of several new binary OSX
stageless payloads with aarch64 support: Execute Command, Shell Bind TCP, and
Shell Reverse TCP.
The new osx/aarch64/shell_bind_tcp payload opens a listening port on the target
machine, which allows the attacker to connect to this open port to spawn a
command shell using the user provided command using the exe
2 min
Metasploit
Metasploit Weekly Wrap-Up 05/31/2024
Quis dīrumpet ipsos dīrumpēs
In this release, we feature a double-double: two exploits each targeting two
pieces of software. The first pair is from h00die [http://github.com/h00die]
targeting the Jasmine Ransomeware Web Server. The first uses CVE-2024-30851 to
retrieve the login for the ransomware server, and the second is a directory
traversal vulnerability allowing arbitrary file read. The second pair from Dave
Yesland of Rhino Security targets Progress Flowmon with CVE-2024-2389 and it
pai
3 min
Metasploit
Metasploit Weekly Wrap-Up 05/23/2024
Infiltrate the Broadcast!
A new module from Chocapikk [http://github.com/Chocapikk] allows the user to
perform remote code execution on vulnerable versions of streaming platform
AVideo (12.4 - 14.2). The multi/http/avideo_wwbnindex_unauth_rce module
leverages CVE-2024-31819
[http://attackerkb.com/topics/y127ezofMQ/cve-2024-31819], a vulnerability to
PHP Filter Chaining, to gain unauthenticated and unprivileged access, earning it
an attacker value of High on AttackerKB
[http://attackerkb.com/t
3 min
Metasploit
Metasploit Wrap-Up 05/17/2024
LDAP Authentication Improvements
This week, in Metasploit v6.4.9, the team has added multiple improvements for
LDAP related attacks. Two improvements relating to authentication is the new
support for Signing [http://github.com/rapid7/metasploit-framework/pull/19127]
and Channel Binding [http://github.com/rapid7/metasploit-framework/pull/19132].
Microsoft has been making changes
[http://support.microsoft.com/en-gb/topic/2020-2023-and-2024-ldap-channel-binding-and-ldap-signing-requirements-for
2 min
Metasploit
Metasploit Wrap-Up 05/10/2024
Password Spraying support
Multiple bruteforce/login scanner modules have been updated to support a
PASSWORD_SPRAY module option. This work was completed in pull request #19079
[http://github.com/rapid7/metasploit-framework/pull/19079] from nrathaus
[http://github.com/nrathaus] as well as an additional update from our
developers [http://github.com/rapid7/metasploit-framework/pull/19158] . When
the password spraying option is set, the order of attempted users and password
attempts are changed
2 min
Metasploit
Metasploit Weekly Wrap-Up 05/03/24
Dump secrets inline
This week, our very own cdelafuente-r7 [http://github.com/cdelafuente-r7] added
a significant improvement to the well-known Windows Secrets Dump module
[http://github.com/rapid7/metasploit-framework/blob/master/modules/auxiliary/gather/windows_secrets_dump.rb]
to reduce the footprint when dumping SAM hashes, LSA secrets and cached
credentials. The module is now directly reading the Windows Registry remotely
without having to dump the full registry keys to disk and parse th
4 min
Metasploit
Metasploit Weekly Wrap-Up 04/26/24
Rancher Modules
This week, Metasploit community member h00die [http://github.com/h00die] added
the second of two modules targeting Rancher instances. These modules each leak
sensitive information from vulnerable instances of the application which is
intended to manage Kubernetes clusters. These are a great addition to
Metasploit’s coverage for testing Kubernetes environments
[http://docs.metasploit.com/docs/pentesting/metasploit-guide-kubernetes.html].
PAN-OS RCE
Metasploit also released an e
2 min
Events
Take Command Summit: Take Breaches from Inevitable to Preventable on May 21
Registration is now open for Take Command, a day-long virtual summit in partnership with AWS. You’ll get new attack intelligence, insight into AI disruption, transparent MDR partnerships, and more.
2 min
Metasploit
Metasploit Weekly Wrap-Up 04/19/24
Welcome Ryan and the new CrushFTP module
It's not every week we add an awesome new exploit module to the Framework while
adding the original discoverer of the vulnerability to the Rapid7 team as well.
We're very excited to welcome Ryan Emmons to the Emergent Threat Response team,
which works alongside Metasploit here at Rapid7. Ryan discovered an Improperly
Controlled Modification of Dynamically-Determined Object Attributes
vulnerability in CrushFTP (CVE-2023-43177) versions prior to 10.5.1 whic
3 min
Metasploit
Metasploit Weekly Wrap-Up 04/12/24
Account Takeover using Shadow Credentials
The new release of Metasploit Framework includes a Shadow Credentials module
added by smashery [http://github.com/rapid7/metasploit-framework/pull/19051]
used for reliably taking over an Active Directory user account or computer, and
letting future authentication to happen as that account. This can be chained
with other modules present in Metasploit Framework such as windows_secrets_dump.
Details
The module targets a ‘victim’ account that is part of a
3 min
Metasploit
Metasploit Weekly Wrap-Up 04/05/2024
New ESC4 Templates for AD CS
Metasploit added capabilities
[http://docs.metasploit.com/docs/pentesting/active-directory/ad-certificates/attacking-ad-cs-esc-vulnerabilities.html]
for exploiting the ESC family of flaws in AD CS in Metasploit 6.3. The ESC4
technique in particular has been supported for some time now thanks to the
ad_cs_cert_templates module which enables users to read and write certificate
template objects. This facilitates the exploitation of ESC4 which is a
misconfiguration in
3 min
Metasploit
Metasploit Weekly Wrap-Up 03/29/2024
Metasploit adds three new exploit modules including an RCE for SharePoint.