Metasploit Wrap-Up

Metasploit Wrap-Up

Has this week left you hungry for something to sink your teeth into? We've got some cool new modules that we hope you'll find appetizing!


Browse the Menu


Slurp up some sessions with a new browser exploit module from timwr targeting Google Chrome version 72.0.3626.119 on 32-bit Win 7 targets. Due to a use-after-free vuln in Chrome's FileReader API, this exploit can get you remote code execution on a vulnerable target. There's some discussion in the PR comments around potentially chaining this with a second exploit, too!


Grab a Bowl of Serial


In true "serial" fashion, acamro is back with another Oracle WebLogic exploit module for a deserialization vuln in the AsyncResponseService web service component. Using a specially-crafted SOAP request, an unauthenticated attacker can gain remote command execution on a vulnerable target. And if you missed acamro's earlier WebLogic modules, you can catch up on them here.


Clear the Table


If databases whet your appetite, Greenwolf served up a new module targeting PostgreSQL 9.3+. If you have creds for a superuser or a user in the 'pg_execute_server_program' group, this module can get you remote command execution on a vulnerable target via the COPY FROM PROGRAM mechanism. Bon appetit!


And to Top It All Off...


DEF CON is starting to bubble-up on the horizon, and so is ..