Community contributor rdomanski added a module for Netgear R6700v3 routers that allows an unauthenticated attacker on the same LAN to reset the admin user's password back to the factory default of password. The attacker can then log in as admin, set a new password, and enable telnet via the exploit/linux/telnet/netgear_telnetenable module, which yields a remote shell with root privileges. This vulnerability pair was exploited by the Flashback team during Pwn2Own Tokyo 2019. Insert "Tokyo Drift" joke here.
Pick a desk… AnyDesk…
Lead Metasploit researcher zeroSteiner added a module for CVE-2020-13160, a remotely exploitable format string vulnerability in AnyDesk versions before 5.5.3 on Linux and FreeBSD. Successful exploitation means code is executed in the context of the user who started the AnyDesk GUI.
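To make the bug class concrete, here is an added illustration of what "format string vulnerability" means in practice. This is example code written for this post, not AnyDesk code and not the Metasploit module; the function names and the hostile "client name" are made up. The vulnerable function hands a user-controlled string to snprintf as the format, so a "%n" in it writes the number of bytes emitted so far through a pointer, which is the primitive an exploit builds on. The hardened version passes the same string as data under a fixed "%s" format.

```c
/* Added example: user-controlled format string versus a fixed "%s" format.
 * Not from AnyDesk or Metasploit; names and inputs are constructed. */
#include <stdio.h>
#include <string.h>

/* Vulnerable pattern: the attacker-supplied string IS the format.
 * Every '%' directive in it is interpreted by snprintf. In the real bug
 * there is no extra argument at all, so "%n" targets whatever happens to
 * be on the stack; here one pointer argument is passed deliberately so
 * the demonstration is deterministic and free of undefined behaviour. */
static int format_status_vulnerable(char *out, size_t outlen,
                                    const char *client_name, int *counter)
{
    return snprintf(out, outlen, client_name, counter);
}

/* Hardened pattern: the string is data, the format is a literal.
 * A '%' in client_name is copied verbatim and can never act as a directive. */
static int format_status_safe(char *out, size_t outlen,
                              const char *client_name, int *counter)
{
    (void)counter; /* nothing for the string to write through */
    return snprintf(out, outlen, "%s", client_name);
}

/* Constructed attacker input: four padding bytes, then a %n write.
 * Kept as a string literal (read-only memory) so glibc's fortify check,
 * which rejects %n only in writable format strings, does not abort. */
static const char *const HOSTILE_NAME = "AAAA%n";

/* Returns what the vulnerable call wrote through `counter`: 4, the number
 * of bytes emitted before %n was reached. */
int demo_vulnerable_write(void)
{
    char buf[64];
    int written = -1;
    format_status_vulnerable(buf, sizeof buf, HOSTILE_NAME, &written);
    return written;
}

/* Same input through the safe function: the counter is untouched (-1). */
int demo_safe_write(void)
{
    char buf[64];
    int written = -1;
    format_status_safe(buf, sizeof buf, HOSTILE_NAME, &written);
    return written;
}

/* The safe function copies the hostile string literally, "%n" included. */
int demo_safe_copies_literally(void)
{
    char buf[64];
    int unused = 0;
    format_status_safe(buf, sizeof buf, HOSTILE_NAME, &unused);
    return strcmp(buf, HOSTILE_NAME) == 0;
}

int main(void)
{
    printf("vulnerable: counter=%d\n", demo_vulnerable_write());
    printf("safe: counter=%d, literal copy=%d\n",
           demo_safe_write(), demo_safe_copies_literally());
    return 0;
}
```

In a real exploit the attacker has no friendly pointer argument, so the format string selects a stack slot with a positional directive such as "%7$n" and uses width padding to control the value written; that is the step that turns this write into code execution as the GUI user. Compiling with -Wformat -Wformat-security flags the vulnerable call site ("format not a string literal and no format arguments"), which is the cheapest check for this bug class in your own code.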
Something bugging you?
In the vein of "help us help you", our own adamgalway-r7 added a new debug command to msfconsole. This command displays information that is generally useful for (and requested by) us when diagnosing a problem a user is having with Framework, so you can simply copy-paste the command output into a GitHub issue. There is also a handy reminder when you run the command to redact any sensitive information/values from the debug output before submitting it in an issue.
New modules (4)
- AnyDesk GUI Format String Write by Spencer McIntyre and scryh, which exploits CVE-2020-13160
- ATutor 2.2.4 - Directory Traversal / Remote Code Execution by Erik Wynter and liquidsky (JMcPeters), which exploits CVE-2019-12169
- Bolt CMS 3.7.0 - Authenticated Remote Code Execution by Erik Wynter, Sivanesh Ashok, and r3m0t3nu11
- Netgear R6700v3 Unauthenticated LAN Admin Password Reset by Pedro Ribeiro, Radek Domanski, and gwillcox-r7, which exploits CVE-2020-10923 (ZDI-20-0703) and CVE-2020-10924 (ZDI-20-0704)
Enhancements and features
- PR #13787 from adfoster-r7 updates the AutoCheck mixin to use Module#include, improving the developer experience. Alan also added the ForceExploit advanced option, allowing user-override of the module's
- PR #13601 from gwillcox-r7 adds a new --service-name cmdline option to msfvenom, supporting creation of x86 and x64 exe-service payloads with arbitrary service names.
- PR #13430 from adamgalway-r7 adds a new debug command to msfconsole for helping provide relevant data when understanding a user issue.
- PR #13770 from pedrib improved three IBM DRM modules and their docs by updating details with more-current information.
- PR #13795 from adfoster-r7 appends a helpful 'hint' to the search command output, informing the user that they can use the use command to easily select an item.
- PR #13773 pulls in Java Meterpreter fixes from timwr around handling of stderr output.
- PR #13782 from akkuman fixes the ability to use environment variable MSF_WS_JSON_RPC_API_TOKEN for authenticating with the Metasploit JSON-RPC web service when a database is connected.
- PR #13725 from kalba-security fixes an error which occurs when running exploit/linux/http/atutor_filemanager_traversal without creds (and also cleaned up some code!).
As always, you can update to the latest Metasploit Framework with
and you can get more details on the changes since the last blog post from
If you are a git user, you can clone the Metasploit Framework repo (master branch) for the latest.
To install fresh without using git, you can use the open-source-only Nightly Installers or the binary installers (which also include the commercial edition).