Last updated at Fri, 30 May 2025 18:56:14 GMT
The internet is a series of Tube [SOCKS]
Metasploit has supported SOCKS proxies for years now, being able to act as both a client (by setting the Proxies datastore option) and a server (by running the auxiliary/server/socks_proxy module). While Metasploit has supported both SOCKS versions 4a and 5, some ambiguity arose regarding how Domain Name System (DNS) requests are made by Metasploit through these versions. Notably, both versions 4a and 5 enable clients to make connections to hosts identified by hostname, which allows the DNS resolution to take place on the SOCKS server. Whether the SOCKS client chooses to resolve the hostname to an address itself or to let the server do so is an implementation detail that is inconsistent among many pieces of software.
In the case of Metasploit, the framework opted to handle the DNS resolution itself. This was to ensure consistent behavior when running a module with and without a proxy in cases where the target hostname resolved to multiple IP addresses. Many years ago, when Metasploit shifted focus to assessing targets in bulk, we decided that if a user specified a target hostname that mapped to multiple IP addresses, the module should be run for each IP address. This behavior is mostly intended for modules targeting web servers and can be seen by running the auxiliary/scanner/http/http_version module with a target behind a CDN such as CloudFront (it's pretty easy to guess a suitable example here).
This did, however, introduce a problem for users who intended to use Metasploit as a SOCKS proxy client by setting the Proxies datastore option, because Metasploit was performing the DNS resolution instead of passing the hostname to the proxy server as the user might expect. To explicitly facilitate what is probably the expected behavior of using the proxy server for name resolution, Metasploit added the unofficial SOCKS5H scheme used by cURL and other clients. The convention is that if SOCKS5H is used, the proxy server should be used for name resolution. In this case, Metasploit users can now leverage the resolution capabilities of the SOCKS5 server, however that may be implemented, to initiate their connection.
To use this new capability, simply specify the server in the Proxies option as socks5h://192.0.2.0:1080, where 192.0.2.0 is the target SOCKS5 server.
At this time, Metasploit does not have client support for the older SOCKS4a version. If this is something that would interest you, please let us know in our ticket.
New module content (2)
WordPress Depicter Plugin SQL Injection (CVE-2025-2011)
Authors: Muhamad Visat and Valentin Lobstein
Type: Auxiliary
Pull request: #20185 contributed by Chocapikk
Path: gather/wp_depicter_sqli_cve_2025_2011
AttackerKB reference: CVE-2025-2011
Description: This adds a module for exploiting CVE-2025-2011, an unauthenticated SQL injection vulnerability in versions <= 3.6.1 of the "Slider & Popup Builder" plugin.
Gladinet CentreStack/Triofox ASP.NET ViewState Deserialization
Authors: H00die Gr3y and Huntress Team
Type: Exploit
Pull request: #20096 contributed by h00die-gr3y
Path: windows/http/gladinet_viewstate_deserialization_cve_2025_30406
AttackerKB reference: CVE-2025-30406
Description: This adds an exploit module for Gladinet CentreStack/Triofox. The vulnerability, an unsafe ASP.NET ViewState deserialization, allows execution of arbitrary commands.
Enhancements and features (2)
- #20147 from zeroSteiner - This adds support for the SOCKS5H protocol, allowing DNS resolution through a SOCKS5 proxy.
- #20180 from smashery - This adds a warning to PowerShell use when an impersonation token is active.
Bugs fixed (3)
- #20257 from cgranleese-r7 - Fixes an issue where the report_note deprecation message was calling method incorrectly.
- #20261 from bwatters-r7 - This updates the vmware_vcenter_vmdir_auth_bypass module and accompanying documentation to refer to the new datastore option name.
Documentation added (1)
- #20255 from arpitjain099 - This fixes multiple typos in various pages of documentation.
You can always find more documentation on our docsite at docs.metasploit.com.
Get it
As always, you can update to the latest Metasploit Framework with msfupdate and you can get more details on the changes since the last blog post from GitHub:
If you are a git user, you can clone the Metasploit Framework repo (master branch) for the latest.
To install fresh without using git, you can use the open-source-only Nightly Installers or the commercial edition Metasploit Pro.