This release of Metasploit Framework has added exciting new features such as new payloads that target the RISC-V architecture. Learn more!

RISC-V Support

This release of Metasploit Framework has added exciting new features such as new payloads that target the RISC-V architecture. These payloads allow for the execution of commands on compromised hardware, allowing Metasploit Framework and Metasploit Payloads to be used in more environments.

SMB To HTTP(S) Relay

This new exploit worked on by Rapid7 contributors targets the ESC8 vulnerability. This work is a part of the recent Kerberos and Active Directory efforts targeting multiple ESC vulnerabilities, implementing modern security workflows into Metasploit Framework.

It includes a modified SMB capture server to repackage and forward authentication from the SMB capture server to an NTLM-authenticating HTTP server. The authenticated HTTP Client is then passed to the ESC8 module which then requests the creation of certificates and downloads them.

Python Exec Payload

A new addition to the payloads catalog this week has been a new Python payload, developed by zeroSteiner allowing for the execution of arbitrary OS commands. This payload is compatible with Python 2.7 and 3.4+.

New module content (10)

SolarWinds Web Help Desk Backdoor (CVE-2024-28987)

Authors: Michael Heinzl and Zach Hanley

Type: Auxiliary

Pull request: #19499 contributed by h4x-x0r

Path: gather/solarwinds_webhelpdesk_backdoor

AttackerKB reference: CVE-2024-28987

Description: This module exploits a backdoor in SolarWinds Web Help Desk (CVE-2024-28987) <= v12.8.3 to retrieve all tickets from the system.

WordPress TI WooCommerce Wishlist SQL Injection (CVE-2024-43917)

Authors: Rafie Muhammad and Valentin Lobstein

Type: Auxiliary

Pull request: #19517 contributed by Chocapikk

Path: scanner/http/wp_ti_woocommerce_wishlist_sqli

AttackerKB reference: CVE-2024-43917

Description: This new auxiliary module exploits an unauthenticated SQL injection vulnerability in the TI WooCommerce Wishlist plugin for WordPress (versions <= 2.8.2). The vulnerability allows attackers to execute SQL queries via the order parameter which can be used to dump usernames and their hashed passwords.

ESC8 Relay: SMB to HTTP(S)

Authors: Spencer McIntyre, bwatters-r7, and jhicks-r7

Type: Auxiliary

Pull request: #19404 contributed by bwatters-r7

Path: server/relay/esc8

Description: This is an implementation of the AD CS ESC8. It includes a library that uses a modified SMB capture server to repackage and forward authentication from the SMB capture server to an NTLM-authenticating HTTP server. The authenticated HTTP Client is then passed to the ESC8 module which then requests the creation of certificates and downloads them.

Simple

Author: bcoles [email protected]

Type: Nop

Pull request: #19518 contributed by bcoles

Path: riscv32le/simple

Description: Add support for RISC-V 32-bit / 64-bit Little Endian payloads. Includes Linux Execute Command payloads and Linux Reboot payloads for testing.

Simple

Author: bcoles [email protected]

Type: Nop

Pull request: #19518 contributed by bcoles

Path: riscv64le/simple

Description: Add support for RISC-V 32-bit / 64-bit Little Endian payloads. Includes Linux Execute Command payloads and Linux Reboot payloads for testing.

Linux Execute Command

Authors: bcoles [email protected] and modexp

Type: Payload (Single)

Pull request: #19518 contributed by bcoles

Path: linux/riscv32le/exec

Description: Add support for RISC-V 32-bit / 64-bit Little Endian payloads. Includes Linux Execute Command payloads and Linux Reboot payloads for testing.

Linux Reboot

Author: bcoles [email protected]

Type: Payload (Single)

Pull request: #19518 contributed by bcoles

Path: linux/riscv32le/reboot

Description: Add support for RISC-V 32-bit / 64-bit Little Endian payloads. Includes Linux Execute Command payloads and Linux Reboot payloads for testing.

Linux Execute Command

Authors: bcoles [email protected] and modexp

Type: Payload (Single)

Pull request: #19518 contributed by bcoles

Path: linux/riscv64le/exec

Description: Add support for RISC-V 32-bit / 64-bit Little Endian payloads. Includes Linux Execute Command payloads and Linux Reboot payloads for testing.

Linux Reboot

Author: bcoles [email protected]

Type: Payload (Single)

Pull request: #19518 contributed by bcoles

Path: linux/riscv64le/reboot

Description: Add support for RISC-V 32-bit / 64-bit Little Endian payloads. Includes Linux Execute Command payloads and Linux Reboot payloads for testing.

Python Execute Command

Author: Spencer McIntyre

Type: Payload (Single)

Pull request: #19528 contributed by zeroSteiner

Path: python/exec

Description: Adds a new exec payload leveraging python.

Enhancements and features (2)

• #19529 from NtAlexio2 - This updates the pipe_dcerpc_auditor module to use the new pattern for handling port settings which offers users greater control over their targeting.


• #19573 from adfoster-r7 - Updates Metasploit to Ruby 3.2.5.

Bugs fixed (2)

• #19550 from Mathiou04 - Fixes an issue where when USER_AS_PASS as pass was enabled the USERNAME would not be attempted as a PASSWORD.


• #19619 from smashery - This fixes a regression crash in the auxiliary/admin/kerberos/get_ticket module.

Documentation

You can find the latest Metasploit documentation on our docsite at docs.metasploit.com.

Get it

As always, you can update to the latest Metasploit Framework with msfupdate

and you can get more details on the changes since the last blog post from

GitHub:

• Pull Requests 6.4.34...6.4.35


• Full diff 6.4.34...6.4.35

If you are a git user, you can clone the Metasploit Framework repo (master branch) for the latest.

To install fresh without using git, you can use the open-source-only Nightly Installers or the

commercial edition Metasploit Pro

Source: Rapid7
Source Link: https://blog.rapid7.com/2024/11/08/metasploit-wrap-up-11-08-2024/