Metasploit Town Hall @ Derbycon

Metasploit’s Brent Cook, Adam Cammack, Aaron Soto, and Cody Pierce are offering themselves up to the crowds at this year’s fourth annual Metasploit Town Hall at Derbycon. Block off your 5 p.m. EDT hour on Saturday, Oct. 6 to join the team (livestreamed) as they unveil some new hotness in Metasploit Framework and take questions and requests. Can’t make it but still have something to add? Join us on Slack or @ us on Twitter.

Pyriphlegethon discovered vulnerabilities in Navigate CMS v2.8 and submitted a module that can be used to perform remote code execution on vulnerable applications. The module performs an injection through a cookie header to retrieve a valid session ID. Then, an upload feature with a directory traversal flaw is used to overwrite a PHP file within the application's web root. Once the file is overwritten with a generated payload, the payload is executed by making a request to the overwritten page.

VNC Password Retrieval

Looking for passwords on a host can be fun(ny), especially if there is a file named passwords.txt. In this case, the file is named com.apple.VNCSettings.txt. interhack86 provided a post module that retrieves and decrypts VNC passwords from OS X High Sierra.

New Modules

Exploit modules (2 new)

Auxiliary and post modules (1 new)

Improvements

Get it

As always, you can update to the latest Metasploit Framework with msfupdate, and you can get more details on the changes since the last blog post from GitHub:

To install fresh, check out the open-source-only Nightly Installers, or the binary installers, which also include the commercial editions. PLEASE NOTE that these installers, and the Metasploit Framework versions included in distros such as Kali, Parrot, etc., are based on the stable Metasploit 4 branch. If you'd like to try out the newer work going into Metasploit 5, it is available in the master branch of the Metasploit Framework repo on GitHub.