This release of Metasploit Framework has added exciting new features such as new payloads that target the RISC-V architecture. These payloads allow for the execution of commands on compromised hardware, allowing Metasploit Framework and Metasploit Payloads to be used in more environments.
This new exploit worked on by Rapid7 contributors targets the ESC8 vulnerability. This work is a part of the recent Kerberos and Active Directory efforts targeting multiple ESC vulnerabilities, implementing modern security workflows into Metasploit Framework.
It includes a modified SMB capture server to repackage and forward authentication from the SMB capture server to an NTLM-authenticating HTTP server. The authenticated HTTP Client is then passed to the ESC8 module which then requests the creation of certificates and downloads them.
A new addition to the payloads catalog this week has been a new Python payload, developed by zeroSteiner allowing for the execution of arbitrary OS commands. This payload is compatible with Python 2.7 and 3.4+.
Authors: Michael Heinzl and Zach Hanley
Type: Auxiliary
Pull request: #19499 contributed by h4x-x0r
Path: gather/solarwinds_webhelpdesk_backdoor
AttackerKB reference: CVE-2024-28987
Description: This module exploits a backdoor in SolarWinds Web Help Desk (CVE-2024-28987) <= v12.8.3 to retrieve all tickets from the system.
Authors: Rafie Muhammad and Valentin Lobstein
Type: Auxiliary
Pull request: #19517 contributed by Chocapikk
Path: scanner/http/wp_ti_woocommerce_wishlist_sqli
AttackerKB reference: CVE-2024-43917
Description: This new auxiliary module exploits an unauthenticated SQL injection vulnerability in the TI WooCommerce Wishlist plugin for WordPress (versions <= 2.8.2). The vulnerability allows attackers to execute SQL queries via the order parameter which can be used to dump usernames and their hashed passwords.
Authors: Spencer McIntyre, bwatters-r7, and jhicks-r7
Type: Auxiliary
Pull request: #19404 contributed by bwatters-r7
Path: server/relay/esc8
Description: This is an implementation of the AD CS ESC8. It includes a library that uses a modified SMB capture server to repackage and forward authentication from the SMB capture server to an NTLM-authenticating HTTP server. The authenticated HTTP Client is then passed to the ESC8 module which then requests the creation of certificates and downloads them.
Author: bcoles [email protected]
Pull request: #19518 contributed by bcoles and modexp
Description: Add support for RISC-V 32-bit / 64-bit Little Endian payloads. Includes Linux Execute Command payloads and Linux Reboot payloads for testing:
nop/riscv64le/simple
- 64 bit nops modulenop/riscv32le/simple
- 32 bit nops modulepayload/linux/riscv32le/exec
- 32 bit Linux Execute Commandpayload/linux/riscv32le/reboot
- 32 bit Linux Rebootpayload/linux/riscv64le/exec
- 64 bit Linux Execute Commandpayload/linux/riscv64le/reboot
- 64 bit Linux RebootAuthor: Spencer McIntyre
Type: Payload (Single)
Pull request: #19528 contributed by zeroSteiner
Path: python/exec
Description: Adds a new exec payload leveraging python.
pipe_dcerpc_auditor
module to use the new pattern for handling port settings which offers users greater control over their targeting.USER_AS_PASS
as pass was enabled the USERNAME
would not be attempted as a PASSWORD
.auxiliary/admin/kerberos/get_ticket
module.You can find the latest Metasploit documentation on our docsite at docs.metasploit.com.
As always, you can update to the latest Metasploit Framework with msfupdate
and you can get more details on the changes since the last blog post from
GitHub:
If you are a git
user, you can clone the Metasploit Framework repo (master branch) for the latest.
To install fresh without using git, you can use the open-source-only Nightly Installers or the
commercial edition Metasploit Pro
Be the first to learn about the latest vulnerabilities and cybersecurity news.
Subscribe Now