National Cyber Warfare Foundation (NCWF) Forums


Metasploit Wrap-Up 11 08 2024


0 user ratings
2024-11-08 19:31:19
milo
Red Team (CNA)

RISC-V Support


This release of Metasploit Framework has added exciting new features such as new payloads that target the RISC-V architecture. These payloads allow for the execution of commands on compromised hardware, allowing Metasploit Framework and Metasploit Payloads to be used in more environments.


SMB To HTTP(S) Relay


This



RISC-V Support


Metasploit Wrap-Up 11/08/2024

This release of Metasploit Framework has added exciting new features such as new payloads that target the RISC-V architecture. These payloads allow for the execution of commands on compromised hardware, allowing Metasploit Framework and Metasploit Payloads to be used in more environments.


SMB To HTTP(S) Relay


This new exploit worked on by Rapid7 contributors targets the ESC8 vulnerability. This work is a part of the recent Kerberos and Active Directory efforts targeting multiple ESC vulnerabilities, implementing modern security workflows into Metasploit Framework.


It includes a modified SMB capture server to repackage and forward authentication from the SMB capture server to an NTLM-authenticating HTTP server. The authenticated HTTP Client is then passed to the ESC8 module which then requests the creation of certificates and downloads them.


Python Exec Payload


A new addition to the payloads catalog this week has been a new Python payload, developed by zeroSteiner allowing for the execution of arbitrary OS commands. This payload is compatible with Python 2.7 and 3.4+.


New module content (10)


SolarWinds Web Help Desk Backdoor (CVE-2024-28987)


Authors: Michael Heinzl and Zach Hanley

Type: Auxiliary

Pull request: #19499 contributed by h4x-x0r

Path: gather/solarwinds_webhelpdesk_backdoor

AttackerKB reference: CVE-2024-28987


Description: This module exploits a backdoor in SolarWinds Web Help Desk (CVE-2024-28987) <= v12.8.3 to retrieve all tickets from the system.


WordPress TI WooCommerce Wishlist SQL Injection (CVE-2024-43917)


Authors: Rafie Muhammad and Valentin Lobstein

Type: Auxiliary

Pull request: #19517 contributed by Chocapikk

Path: scanner/http/wp_ti_woocommerce_wishlist_sqli

AttackerKB reference: CVE-2024-43917


Description: This new auxiliary module exploits an unauthenticated SQL injection vulnerability in the TI WooCommerce Wishlist plugin for WordPress (versions <= 2.8.2). The vulnerability allows attackers to execute SQL queries via the order parameter which can be used to dump usernames and their hashed passwords.


ESC8 Relay: SMB to HTTP(S)


Authors: Spencer McIntyre, bwatters-r7, and jhicks-r7

Type: Auxiliary

Pull request: #19404 contributed by bwatters-r7

Path: server/relay/esc8


Description: This is an implementation of the AD CS ESC8. It includes a library that uses a modified SMB capture server to repackage and forward authentication from the SMB capture server to an NTLM-authenticating HTTP server. The authenticated HTTP Client is then passed to the ESC8 module which then requests the creation of certificates and downloads them.


Simple


Author: bcoles [email protected]

Type: Nop

Pull request: #19518 contributed by bcoles

Path: riscv32le/simple


Description: Add support for RISC-V 32-bit / 64-bit Little Endian payloads. Includes Linux Execute Command payloads and Linux Reboot payloads for testing.


Simple


Author: bcoles [email protected]

Type: Nop

Pull request: #19518 contributed by bcoles

Path: riscv64le/simple


Description: Add support for RISC-V 32-bit / 64-bit Little Endian payloads. Includes Linux Execute Command payloads and Linux Reboot payloads for testing.


Linux Execute Command


Authors: bcoles [email protected] and modexp

Type: Payload (Single)

Pull request: #19518 contributed by bcoles

Path: linux/riscv32le/exec


Description: Add support for RISC-V 32-bit / 64-bit Little Endian payloads. Includes Linux Execute Command payloads and Linux Reboot payloads for testing.


Linux Reboot


Author: bcoles [email protected]

Type: Payload (Single)

Pull request: #19518 contributed by bcoles

Path: linux/riscv32le/reboot


Description: Add support for RISC-V 32-bit / 64-bit Little Endian payloads. Includes Linux Execute Command payloads and Linux Reboot payloads for testing.


Linux Execute Command


Authors: bcoles [email protected] and modexp

Type: Payload (Single)

Pull request: #19518 contributed by bcoles

Path: linux/riscv64le/exec


Description: Add support for RISC-V 32-bit / 64-bit Little Endian payloads. Includes Linux Execute Command payloads and Linux Reboot payloads for testing.


Linux Reboot


Author: bcoles [email protected]

Type: Payload (Single)

Pull request: #19518 contributed by bcoles

Path: linux/riscv64le/reboot


Description: Add support for RISC-V 32-bit / 64-bit Little Endian payloads. Includes Linux Execute Command payloads and Linux Reboot payloads for testing.


Python Execute Command


Author: Spencer McIntyre

Type: Payload (Single)

Pull request: #19528 contributed by zeroSteiner

Path: python/exec


Description: Adds a new exec payload leveraging python.


Enhancements and features (2)



  • #19529 from NtAlexio2 - This updates the pipe_dcerpc_auditor module to use the new pattern for handling port settings which offers users greater control over their targeting.

  • #19573 from adfoster-r7 - Updates Metasploit to Ruby 3.2.5.


Bugs fixed (2)



  • #19550 from Mathiou04 - Fixes an issue where when USER_AS_PASS as pass was enabled the USERNAME would not be attempted as a PASSWORD.

  • #19619 from smashery - This fixes a regression crash in the auxiliary/admin/kerberos/get_ticket module.


Documentation


You can find the latest Metasploit documentation on our docsite at docs.metasploit.com.


Get it


As always, you can update to the latest Metasploit Framework with msfupdate

and you can get more details on the changes since the last blog post from

GitHub:



If you are a git user, you can clone the Metasploit Framework repo (master branch) for the latest.

To install fresh without using git, you can use the open-source-only Nightly Installers or the

commercial edition Metasploit Pro




Source: Rapid7
Source Link: https://blog.rapid7.com/2024/11/08/metasploit-wrap-up-11-08-2024/


Comments
new comment
Nobody has commented yet. Will you be the first?
 
Forum
Red Team (CNA)



Copyright 2012 through 2024 - National Cyber Warfare Foundation - All rights reserved worldwide.