RISC-V Support
This release of Metasploit Framework has added exciting new features such as new payloads that target the RISC-V architecture. These payloads allow for the execution of commands on compromised hardware, allowing Metasploit Framework and Metasploit Payloads to be used in more environments.
SMB To HTTP(S) Relay
This new exploit worked on by Rapid7 contributors targets the ESC8 vulnerability. This work is a part of the recent Kerberos and Active Directory efforts targeting multiple ESC vulnerabilities, implementing modern security workflows into Metasploit Framework.
It includes a modified SMB capture server to repackage and forward authentication from the SMB capture server to an NTLM-authenticating HTTP server. The authenticated HTTP Client is then passed to the ESC8 module which then requests the creation of certificates and downloads them.
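A defender-side check for the relay described above, as an added example that is not from the Metasploit project: because the relay host opens the HTTP connection, the enrollment server's IIS log records the victim's machine account next to the relay's source address. The log lines, the selected W3C fields and the INVENTORY mapping are constructed assumptions.

```python
# Added example: flag AD CS web-enrollment requests where the authenticated
# machine account does not match the host the connection came from.

# Constructed IIS W3C log excerpt (not real data).
SAMPLE_LOG = """\
#Fields: date time cs-method cs-uri-stem s-port cs-username c-ip sc-status
2024-11-08 10:01:12 GET /certsrv/ 80 CORP\\alice 10.0.5.23 200
2024-11-08 10:02:40 POST /certsrv/certfnsh.asp 80 CORP\\WS01$ 10.0.5.41 200
2024-11-08 10:07:03 POST /certsrv/certfnsh.asp 80 CORP\\DC01$ 10.0.9.77 200
2024-11-08 10:07:04 GET /certsrv/certnew.cer 80 CORP\\DC01$ 10.0.9.77 200
2024-11-08 10:09:30 POST /certsrv/certfnsh.asp 443 CORP\\DC01$ 10.0.1.10 200
"""

# Hypothetical inventory: machine account -> addresses it legitimately uses.
INVENTORY = {"WS01$": {"10.0.5.41"}, "DC01$": {"10.0.1.10"}}


def parse_w3c(text):
    """Yield one dict per log record, keyed by the #Fields header."""
    fields = []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#") and fields:
            values = line.split()
            if len(values) == len(fields):  # skip malformed rows
                yield dict(zip(fields, values))


def find_relay_candidates(text, inventory):
    """Return enrollment requests made as a machine account from an
    address that the inventory does not associate with that machine."""
    findings = []
    for rec in parse_w3c(text):
        if not rec["cs-uri-stem"].lower().startswith("/certsrv/"):
            continue
        account = rec["cs-username"].split("\\")[-1].upper()
        if not account.endswith("$"):
            continue  # user accounts need a different baseline
        known = inventory.get(account)
        if known is None:
            reason = "machine account not in inventory"
        elif rec["c-ip"] not in known:
            reason = "source address does not belong to this machine"
        else:
            continue
        findings.append({"time": rec["date"] + " " + rec["time"],
                         "account": account, "source": rec["c-ip"],
                         "uri": rec["cs-uri-stem"], "port": rec["s-port"],
                         "reason": reason})
    return findings
```

Each finding is a lead for review rather than proof of a relay; enforcing HTTPS with Extended Protection for Authentication, or disabling NTLM on the enrollment endpoint, removes the condition the relay depends on.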
Python Exec Payload
New to the payload catalog this week is a Python payload, developed by zeroSteiner, that allows the execution of arbitrary OS commands. This payload is compatible with Python 2.7 and 3.4+.
New module content (10)
SolarWinds Web Help Desk Backdoor (CVE-2024-28987)
Authors: Michael Heinzl and Zach Hanley
Type: Auxiliary
Pull request: #19499 contributed by h4x-x0r
Path: gather/solarwinds_webhelpdesk_backdoor
AttackerKB reference: CVE-2024-28987
Description: This module exploits a backdoor in SolarWinds Web Help Desk (CVE-2024-28987) <= v12.8.3 to retrieve all tickets from the system.
WordPress TI WooCommerce Wishlist SQL Injection (CVE-2024-43917)
Authors: Rafie Muhammad and Valentin Lobstein
Type: Auxiliary
Pull request: #19517 contributed by Chocapikk
Path: scanner/http/wp_ti_woocommerce_wishlist_sqli
AttackerKB reference: CVE-2024-43917
Description: This new auxiliary module exploits an unauthenticated SQL injection vulnerability in the TI WooCommerce Wishlist plugin for WordPress (versions <= 2.8.2). The vulnerability allows attackers to execute SQL queries via the order parameter which can be used to dump usernames and their hashed passwords.
ESC8 Relay: SMB to HTTP(S)
Authors: Spencer McIntyre, bwatters-r7, and jhicks-r7
Type: Auxiliary
Pull request: #19404 contributed by bwatters-r7
Path: server/relay/esc8
Description: This is an implementation of the AD CS ESC8. It includes a library that uses a modified SMB capture server to repackage and forward authentication from the SMB capture server to an NTLM-authenticating HTTP server. The authenticated HTTP Client is then passed to the ESC8 module which then requests the creation of certificates and downloads them.
Simple
Author: bcoles
Type: Nop
Pull request: #19518 contributed by bcoles
Path: riscv32le/simple
Description: Add support for RISC-V 32-bit / 64-bit Little Endian payloads. Includes Linux Execute Command payloads and Linux Reboot payloads for testing.
Simple
Author: bcoles
Type: Nop
Pull request: #19518 contributed by bcoles
Path: riscv64le/simple
Description: Add support for RISC-V 32-bit / 64-bit Little Endian payloads. Includes Linux Execute Command payloads and Linux Reboot payloads for testing.
Linux Execute Command
Authors: bcoles and modexp
Type: Payload (Single)
Pull request: #19518 contributed by bcoles
Path: linux/riscv32le/exec
Description: Add support for RISC-V 32-bit / 64-bit Little Endian payloads. Includes Linux Execute Command payloads and Linux Reboot payloads for testing.
Linux Reboot
Author: bcoles
Type: Payload (Single)
Pull request: #19518 contributed by bcoles
Path: linux/riscv32le/reboot
Description: Add support for RISC-V 32-bit / 64-bit Little Endian payloads. Includes Linux Execute Command payloads and Linux Reboot payloads for testing.
Linux Execute Command
Authors: bcoles and modexp
Type: Payload (Single)
Pull request: #19518 contributed by bcoles
Path: linux/riscv64le/exec
Description: Add support for RISC-V 32-bit / 64-bit Little Endian payloads. Includes Linux Execute Command payloads and Linux Reboot payloads for testing.
Linux Reboot
Author: bcoles
Type: Payload (Single)
Pull request: #19518 contributed by bcoles
Path: linux/riscv64le/reboot
Description: Add support for RISC-V 32-bit / 64-bit Little Endian payloads. Includes Linux Execute Command payloads and Linux Reboot payloads for testing.
Python Execute Command
Author: Spencer McIntyre
Type: Payload (Single)
Pull request: #19528 contributed by zeroSteiner
Path: python/exec
Description: Adds a new exec payload leveraging python.
Enhancements and features (2)
- #19529 from NtAlexio2 - This updates the pipe_dcerpc_auditor module to use the new pattern for handling port settings which offers users greater control over their targeting.
- #19573 from adfoster-r7 - Updates Metasploit to Ruby 3.2.5.
Bugs fixed (2)
- #19550 from Mathiou04 - Fixes an issue where, when USER_AS_PASS was enabled, the USERNAME would not be attempted as a PASSWORD.
- #19619 from smashery - This fixes a regression crash in the auxiliary/admin/kerberos/get_ticket module.
Documentation
You can find the latest Metasploit documentation on our docsite at docs.metasploit.com.
Get it
As always, you can update to the latest Metasploit Framework with msfupdate and you can get more details on the changes since the last blog post from GitHub:
If you are a git user, you can clone the Metasploit Framework repo (master branch) for the latest. To install fresh without using git, you can use the open-source-only Nightly Installers or the commercial edition Metasploit Pro.
Source: Rapid7
Source Link: https://blog.rapid7.com/2024/11/08/metasploit-wrap-up-11-08-2024/