Contributor Dhiraj Mishra authored a neat Directory Traversal module targeted at NVMS-1000 Network Surveillance Management Software developed by TVT Digital Technology. Permitting the arbitrary downloading of files stored on a machine running compromised software, this module becomes all the more attractive when you consider it's providing access to recordings of a supposedly secure environment. Access to our office surveillance footage would definitely prove once and for all who keeps leaving unwashed cups in the kitchen sink, Greg.
Subscribe to this router and instantly PWN
Utilising a flaw (CVE-2019-17621) in the D-Link DIR-856 router's implementation of the UPnP protocol, Miguel Mendez Z. and Pablo Pollanco P. have authored a module capable of opening up a Telnet session on a vulnerable router using only a specially crafted HTTP SUBSCRIBE request. A nice exploit of a slightly less common protocol, this module finally proves that you really can become L33T if you just keep subscribing to stuff.
NullPointerException: "PrivilegeProtection" Not Found
A big new addition with a long list of helping hands (Jann Horn, Mohamed Ghannam, bcoles, nstarke and wbowling), this module abuses NULL pointer dereference vulnerabilities (CVE-2019-9213 & CVE-2018-5333) in the rds_atomic_free_op function in the Reliable Datagram Sockets (RDS) kernel module (rds.ko) to gain root privileges on Linux systems. This module has had a lot of internal work and discussion surrounding it, so it's great to finally get it out the door. It's so impressive I'll forgo my usual snarky joke and instead provide a fun link to a video of the man who invented Null References discussing, and apologising for, their creation.
Let your L33T FL4G Fly
It's only been a week since our last wrap-up announced our 3rd Annual(ish) Metasploit CTF and we're already booked up! Registration is for teams rather than individuals, however, and teams have no size limit, so if you hop over to the public #metasploit-ctf Slack channel and ask around you may still get someone to take you on board.
Note: If you have successfully registered for the CTF and no longer want or need your spot, please let us know on Slack or at msfdev
Prizes as well as public (visible to potential employers) bragging rights are to be had! We're all working hard to make sure everything is ship shape for launch on January 30th, 12:00 PM EST and support will be available until the competition ends at 11:59 AM EST on February 3rd. Good luck and remember: Sleep Deprivation is temporary; Pride is eternal!
New modules (3)
- Reliable Datagram Sockets (RDS) rds_atomic_free_op NULL pointer dereference Privilege Escalation by Jann Horn, Mohamed Ghannam, bcoles, nstarke, and wbowling, which exploits CVE-2019-9213
- D-Link DIR-859 Unauthenticated Remote Command Execution by Miguel Mendez Z. and Pablo Pollanco P., which exploits CVE-2019-17621
- TVT NVMS-1000 Directory Traversal by Dhiraj Mishra and Numan Türle, which exploits CVE-2019-20085
Enhancements and features
- PR #12845 Adds a check to the webmin_backdoor module to warn if the server responded with SSL and the module SSL Option isn't enabled, from wvu-r7
- PR #12836 Limit compatible gems in preparation for Rails 5 or greater, from jmartin-r7
- PR #12808 Job descriptions for UDP handlers will now show a URI with protocol, host, and port; similar to TCP handlers, from L-codes
- PR #12795 This adds a command stager for binary payloads that utilizes the lwp-request (-m GET) command to fetch a payload over HTTP, from bcoles
- PR #12790 This adds the -O option to run an optimized kernel when invoking hashcat from Metasploit. GREATLY (>200%) increases the speed of cracking, with a tradeoff of password length, from h00die
- PR #12776 This updates the auxiliary/scanner/misc/sunrpc_portmapper module with a PROTOCOL option to select between TCP or UDP, from busterb
- PR #12758 This adds the attributes method to the Msf::Post::File mixin, allowing module developers to list Linux file attributes for a given file. An immutable? method has been provided to check if a file is immutable, from bcoles
- PR #12757 This randomizes the test string in the _write_file_unix_shell method, from bcoles
- PR #12874 Adds a fix for the rand_text functions, allowing them to take in a range whilst debugging, from busterb
- PR #12873 Adds support for custom HTTP cookies in reverse HTTP/HTTPS Windows payloads, from dwelch-r7
- PR #12823 Bind payloads for Windows and *nix using the Lua scripting language no longer reference an undefined variable, from L-codes
As always, you can update to the latest Metasploit Framework with
and you can get more details on the changes since the last blog post from
If you are a git user, you can clone the Metasploit Framework repo (master branch) for the latest.
To install fresh without using git, you can use the open-source-only Nightly Installers or the binary installers (which also include the commercial edition).