Spencer McIntyre

I appreciate everyone dropping linux privesc 0days in the current AI renaissance, but to really make it feel like the good ol days someone needs to drop a weaponized pre-auth SMB or RDP RCE. We haven't had a good Windows worm in AGES.

@_RastaMouse @metasploit The Block API then changed to use the Length field instead of MaximumLength so it wouldn't be tricked into using a planted value in memory. We'd occassionally get reports of what was fundamentally the same issue e.g. blog.nviso.eu/2021/09/02/ana… 2/2

@zeroSteiner @metasploit Oh, what was that?

FWIW, @metasploit made an update to how ror13 hashes are calculated for the first time in (I think?) over a decade to address some limitations in the block API we were running into.

@_RastaMouse @metasploit The ROR13 calculation was switched to use an "IV" of 0 by default, and the module name hash is used as the IV when calculating the function name hash. Framework now randomizes the IV at assembly time so the ROR13 hashes aren't hard-coded anymore 1/2

Coming soon to a @metasploit near you 👀

Catch this episode of Hacktics and Telemetry on Youtube, featuring our very own @zeroSteiner talking about the Metasploit MCP! youtube.com/watch?v=A05dD5…

Active Directory Exploitation with Metasploit hackingarticles.in/active-directo…

This weeks wrap up is packed with new stuff including an MCP server, and new modules for relaying NTLM from HTTP to LDAP and a Copy Fail exploit with x64 and AARCH64 support rapid7.com/blog/post/pt-m…

The annual wrap-up for Metasploit Framework is out now, and it includes the entirety of stats for 2025. This wrap-up and its contents would not be possible without the participation and dedication of our contributors and researchers, and all of our thanks goes to them! Metasploit Framework wouldn't be the same without you, thank you. rapid7.com/blog/post/pt-m…

From Zero to Shell: Hunting Critical Vulnerabilities in AVideo chocapikk.com/posts/2025/avi…

New NTLM relay dropped for MSSQL. Should see some SCCM modules to use it next. @unsigned_sh0rt gave me all kinds of ideas.

Metasploit also has a merged exploit with check for react2shell. ⌨️ module: multi/http/react2shell_cve_2025_55182 📦 Dockerfile to test available in: Data\exploits\react2shell_unauth_rce_cve_2025_55102 github.com/rapid7/metaspl…

New Metasploit module for CVE-2025-54236 (SessionReaper) - Unauthenticated RCE in Magento github.com/rapid7/metaspl…

I've been hacking on a new Windows Named Pipe tool called PipeTap which helps analyse named pipe communications. Born out of necessity while doing some vulnerability research on a target, its been super useful in reversing it's fairly complex protocol. :)

Come join @rapid7! I’m hiring for a Senior Security Researcher to join our team. You'll get to work on n-day analysis, zero-day research, exploit development, and more - focusing on enterprise software and appliances. Fully remote in the UK, details here: careers.rapid7.com/jobs/senior-se…

Today @rapid7 is disclosing 8 new printer vulnerabilities affecting 742 models across 4 vendors. After 13 months of coordinated disclosure with Brother Industries, Ltd, we're detailing all issues including a critical auth bypass. Full details here: rapid7.com/blog/post/mult…

Our @metasploit auxiliary module for the new Brother auth bypass is available. The module will leak a serial number via HTTP/HTTPS/IPP (CVE-2024-51977), SNMP, or PJL, generate the devices default admin password (CVE-2024-51978) and then validate the creds: github.com/rapid7/metaspl…

Today @rapid7 disclosed two vulns affecting NetScaler Console and NetScaler SDX, found by Senior Security Researcher Calum Hutton! 🎉 Our blog details the authenticated arbitrary file read vuln (CVE-2025-4365), and the authenticated arbitrary file write vuln (Which the vendor has not assigned a CVE for).

Submitted a PR to enhance ReflectiveDLLInjection in @Metasploit: 
✅ ARM64 reflective loading (using resolved APIs, not syscalls!)
✅ Refactored x86/64/ARM32 loader
✅ Major injector CLI & feature upgrades
✅ API to pass params to DllMain
Details: github.com/rapid7/Reflect… Fingers crossed @stephenfewer doesn't mind the tinkering! 😄