More Servers Please
A new module by Pedro Ribeiro combines vulnerabilities for certain firmware versions of AsusWRT, which allows an unauthenticated user to enable a special command mode on the device. When the command mode is enabled, the device spins up infosvr on UDP port 9999. The great thing about infosvr is that you can construct UDP packets to have it execute commands on your behalf…. as root.
Back in Windows Land
In case your yellow brick road is within a Windows environment, we have something that could be a shoo-in for you! A module for unauthenticated remote code execution on Disk Savvy Enterprise v10.4.18 by Daniel Teixeira provides SYSTEM level access to hosts running the vulnerable software. The software may not be running on your final target, but sometimes a foothold is all you need to be off to see the Wizard.
Dusting Off the Cobwebs
The problem at the time was that we couldn't get a session from the module. Granted, a firewall's management shell isn't the same as a traditional Unix shell, but who doesn't like shells?
After much effort (some unfortunately wasted), we are relieved to say you can now spawn a session and interact with the device's interface. Sorry for the wait!
msf5 auxiliary(scanner/ssh/fortinet_backdoor) > run [+] 192.168.212.128:22 - Logged in as Fortimanager_Access [*] Command shell session 1 opened (192.168.212.1:38833 -> 192.168.212.128:22) at 2018-02-23 14:12:56 -0600 [*] Scanned 1 of 1 hosts (100% complete) [*] Auxiliary module execution completed msf5 auxiliary(scanner/ssh/fortinet_backdoor) > sessions -1 [*] Starting interaction with 1... FortiGate-VM #
Exploit modules (4 new)
- AsusWRT LAN Unauthenticated Remote Code Execution by Pedro Ribeiro, which exploits CVE-2018-6000
- MagniComp SysInfo mcsiwrapper Privilege Escalation by Brendan Coles, Daniel Lawson, and Romain Trouve, which exploits CVE-2017-6516
- CloudMe Sync v1.10.9 by Daniel Teixeira and hyp3rlinx, which exploits CVE-2018-6892
- Disk Savvy Enterprise v10.4.18 by Daniel Teixeira
Auxiliary and post modules (3 new)
- Ulterius Server File Download Vulnerability by Jacob Robles and Rick Osgood, which exploits CVE-2017-16806
- Claymore Dual GPU Miner DoS Attack by res1n and bluebird
- Web browsers HSTS entries eraser by Sheila A. Berta (UnaPibaGeek)
As always, you can update to the latest Metasploit Framework with
and you can get more details on the changes since the last blog post from
To install fresh, check out the open-source-only Nightly Installers,or the binary installers which also include the commercial editions. PLEASE NOTE that these installers, and Metasploit Framework versions included in distros such as Kali, Parrot, etc.,are based off the stable Metasploit 4 branch. If you'd like to try out the newer things going into Metasploit 5, that work is available in the master branch of the Metasploit Framework repo on GitHub.