More Servers Please

A new module by Pedro Ribeiro combines vulnerabilities in certain firmware versions of AsusWRT, allowing an unauthenticated user to enable a special command mode on the device. When the command mode is enabled, the device spins up infosvr on UDP port 9999. The great thing about infosvr is that you can construct UDP packets to have it execute commands on your behalf... as root.

Back in Windows Land

In case your yellow brick road is within a Windows environment, we have something that could be a shoo-in for you! A module for unauthenticated remote code execution on Disk Savvy Enterprise v10.4.18 by Daniel Teixeira provides SYSTEM-level access to hosts running the vulnerable software. The software may not be running on your final target, but sometimes a foothold is all you need to be off to see the Wizard.

Dusting Off the Cobwebs

Two years ago, we released a scanner for the Fortinet backdoor (CVE-2016-1909), which allows you to log in to Fortinet devices such as firewalls using a super-secret-squirrel authentication to SSH.

The problem at the time was that we couldn't get a session from the module. Granted, a firewall's management shell isn't the same as a traditional Unix shell, but who doesn't like shells?

After much effort (some unfortunately wasted), we are relieved to say you can now spawn a session and interact with the device's interface. Sorry for the wait!

msf5 auxiliary(scanner/ssh/fortinet_backdoor) > run

[+] - Logged in as Fortimanager_Access
[*] Command shell session 1 opened ( -> at 2018-02-23 14:12:56 -0600
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
msf5 auxiliary(scanner/ssh/fortinet_backdoor) > sessions -1
[*] Starting interaction with 1...

FortiGate-VM #

New Modules

Exploit modules (4 new)

Auxiliary and post modules (3 new)

Get it

As always, you can update to the latest Metasploit Framework with msfupdate
and you can get more details on the changes since the last blog post from

To install fresh, check out the open-source-only Nightly Installers, or the binary installers which also include the commercial editions. PLEASE NOTE that these installers, and Metasploit Framework versions included in distros such as Kali, Parrot, etc., are based off the stable Metasploit 4 branch. If you'd like to try out the newer things going into Metasploit 5, that work is available in the master branch of the Metasploit Framework repo on GitHub.