Quick Cookie Notification

This site uses cookies, including for analytics, personalization, and advertising purposes. For more information or to change your cookie settings, click here.

If you continue to browse this site without changing your cookie settings, you agree to this use.


View Cookie Policy for full details

Rapid7 Blog

Product Updates  

Weekly Update: Adventures in Unstable, DoS'ing UPnP for Good, and Secret AWK Shells

Stable is for Suckers!Today on the Freenode IRC channel #metasploit, a user was asking about our old SVN repository for "unstable" Metasploit modules. He was lamenting its loss, since we recently shut down our SVN services (described in this blog post on May 22,…

Weekly Update: Apache Struts Exploit, Android Meterpreter, and New Payloads

Apache Struts ExploitThis week's update includes an exploit for a pretty recent vulnerability in Apache Struts, thanks to community contributor Richard @Console Hicks. The struts_include_param module exercises the vulnerability described at OSVDB 93645, disclosed on May 23, 2013, a bare two weeks ago,…

Weekly Update: The Nginx Exploit and Continuous Testing

Nginx Exploit for CVE-2013-2028 The most exciting element of this week's update is the new exploit for Nginx which exercises the vulnerability described by CVE-2013-2028. The Metasploit module was written by Metasploit community contributors hal and saelo, and exploits Greg McManus's bug across a bunch…

Weekly Update: 4.6.1, ColdFusion Exploit, and SVN Lockdown

Metasploit 4.6.1 ReleasedThis week's update bumps the patch version of Metasploit to 4.6.1 (for installed versions of Metasploit). The major change here is the ability to install Metasploit on Windows 8 and Windows Server 2012. That meant we had to fiddle…

Weekly Update: Pull Request Wrangling

Pull Requests: Want to help?Metasploit has a first world problem: We get so much code from contributors out in the world, it gets hard to keep up. Most open source projects aren't popular enough to warrant more than three or four contributors, total. Metasploit…

Weekly Update: Sport Fishing for Exploits and Improved Java Hackery

Java Payload CleanupIf you've been watching the Metasploit source repository, you will have noticed some movement in Java Payload land -- specifically, PR#1217, which landed this week. Thanks to the refactoring efforts of Michael @mihi42 Schriel, testing by @Meatballs, and integration from James @egyp7…

Metasploit 4.6.0 Released!

We just released Metasploit 4.6.0, so applying this week's update will get you the brand new version. While Chris has a delightful blog post of what all is new in Metasploit Pro, let's take a look at what's exciting and new between Metasploit…

Weekly Update: Minecraft RAT Attacks, PHP Shell Games, and MongoDB

Minecraft-Vectored MalwareMetasploit exploit developer Juan @_juan_vazquez_, while trawling the Internet for the next hot exploit, came across this pastie describing a Java exploit which takes advantage of a vulnerability in Java's Color Management classes. Turns out, this is also one of the vulns being…

Weekly Update: Hollywood Hacking and More Java Exploits

Hollywood Hacking: Tapping Webcams and MicsThis week's update has two new post modules for Metasploit, which enables the creative pen-tester to hit that creeper vibe so often missing on a typical engagement, both by Metasploit exploit dev Wei @_sinn3r Chen. They're both post-exploitation modules, so…

Update to the Metasploit Updates and msfupdate

The Short StoryIn order to use the binary installer's msfupdate, you need to first register your Metasploit installation. In nearly all cases, this means visiting https://localhost:3790 and filling out the form. No money, no dense acceptable use policy, just register and go. Want…

Weekly Metasploit Update: Two Dozen New Modules

The Vegas and vacation season is behind us, so it's time to release our first post-4.4.0 update. Here we go!Exploit TsunamiA few factors conspired to make this update more module-heavy than usual. We released Metasploit 4.4 in mid-July. Historically, a dot…

Security Configuration assessment capabilities that meet your needs with Nexpose 5.4

A new great looking feature in our configuration assessment component has been added in Nexpose 5.4: the ability to customize policies to meet your unique contextual needs, i.e. are specific to your environment. You are now going to be able to copy a…

Weekly Metasploit Update: Zero Days, Deprecated Commands, and More!

This week's release sees a quiet vulnerability fix, an exploit against an unpatched vulnerability in Microsoft's XML Core Services, and some helpful new/old commands, as well as the usual pile of exploity goodness you've come to expect from the Metasploit kitchen.Vulnerabilities? In My…

Weekly Metasploit Update: Encrypted Java Meterpreter, MS98-004, and New Modules!

When it rains, it pours. We released Metasploitable Version 2 , published a technique for scanning vulnerable F5 gear , and put out a module to exploit MySQL's tragically comic authentication bypass problem, all in addition to cooking up this week's update. So, kind of a busy…

Weekly Metasploit Update: Citrix Opcodes, Hash Collisions, and More!

This week's update has a nice new asymmetric DoS condition module, a bunch of churn in Metasploit's Rails components, and some new Citrix attacks, so let's get right into it. Fuzzing for Citrix Opcodes This week's update includes three new exploits for Citrix Provisioning Services,…