Transgressive Traversal

Contributor Dhiraj Mishra authored a neat Directory Traversal module targeting NVMS-1000 Network Surveillance Management Software, developed by TVT Digital Technology. The module permits arbitrary download of files stored on a machine running the vulnerable software, which becomes all the more attractive when you consider it provides access to recordings of a supposedly secure environment. Access to our office surveillance footage would definitely prove once and for all who keeps leaving unwashed cups in the kitchen sink, Greg.
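The class of bug behind that module is a file-serving path that is never checked against the directory it is supposed to stay inside. The following is an added example, not the NVMS-1000 module or the vendor's code, showing the check that is missing: a client-supplied relative path is percent-decoded (repeatedly, to catch double encoding), Windows separators are normalised, and the lexically cleaned result is only returned if it still sits under a fixed base directory. The base directory `/srv/nvms` and the sample paths are constructed placeholders.

```ruby
require 'pathname'
require 'uri'

# Added example (not the NVMS-1000 module or the vendor's code): resolve a
# client-supplied relative path against a fixed base directory and refuse
# anything that would escape it. The base directory is a constructed placeholder.
class SafeFileServer
  class TraversalError < StandardError; end

  def initialize(base_dir)
    # Lexically absolute base; trailing slashes are dropped by expand_path.
    @base = Pathname.new(base_dir).expand_path
  end

  # Returns the normalised absolute Pathname when it stays under the base,
  # otherwise raises TraversalError.
  def resolve(user_path)
    raise TraversalError, 'empty path' if user_path.nil? || user_path.empty?

    decoded = decode(user_path).gsub('\\', '/')   # treat Windows separators as '/'
    raise TraversalError, 'NUL byte in path' if decoded.include?("\0")
    raise TraversalError, 'absolute path not allowed' if decoded.start_with?('/')

    # Join then normalise: cleanpath collapses "." and ".." segments lexically,
    # so "a/../../etc/passwd" becomes "/srv/etc/passwd" and fails the prefix test.
    candidate = (@base + decoded).cleanpath
    raise TraversalError, "escapes base directory: #{user_path}" unless inside_base?(candidate)

    candidate
  end

  # Boolean convenience wrapper around resolve.
  def safe?(user_path)
    resolve(user_path)
    true
  rescue TraversalError
    false
  end

  private

  # Percent-decode repeatedly (bounded) so double-encoded "%252e%252e" is seen as "..".
  def decode(str)
    3.times do
      once = URI.decode_www_form_component(str)
      return once if once == str
      str = once
    end
    str
  rescue ArgumentError => e
    raise TraversalError, "undecodable path: #{e.message}"
  end

  def inside_base?(path)
    s = path.to_s
    s == @base.to_s || s.start_with?("#{@base}/")
  end
end

if $PROGRAM_NAME == __FILE__
  server = SafeFileServer.new('/srv/nvms') # constructed base directory
  %w[recordings/cam1.mp4 ../../etc/passwd ..%2F..%2Fetc%2Fpasswd].each do |p|
    puts "#{p.ljust(28)} -> #{server.safe?(p) ? 'allowed' : 'rejected'}"
  end
end
```

The check is purely lexical on purpose: it does not touch the filesystem, so it cannot be confused by files that do not exist yet, and it rejects rather than "repairs" anything suspicious (absolute paths, NUL bytes, undecodable escapes). Symlinks inside the base directory are a separate concern and would need a `realpath` comparison on the resolved file.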

Subscribe to this router and instantly PWN

Utilising a flaw (CVE-2019-17621) in the D-Link DIR-856 router's implementation of the UPnP protocol, Miguel Mendez Z. and Pablo Pollanco P. have authored a module capable of opening up a Telnet session on a vulnerable router using only a specially crafted HTTP SUBSCRIBE request. A nice exploit of a slightly less common protocol, this module finally proves that you really can become L33T if you just keep subscribing to stuff.

NullPointerException: "PrivilegeProtection" Not Found

A big new addition with a long list of helping hands (Jann Horn, Mohamed Ghannam, bcoles, nstarke and wbowling), this module abuses NULL pointer dereference vulnerabilities (CVE-2019-9213 & CVE-2018-5333) in the rds_atomic_free_op function in the Reliable Datagram Sockets (RDS) kernel module (rds.ko) to gain root privileges on Linux systems. This module has had a lot of internal work and discussion surrounding it, so it's great to finally get it out the door. It's so impressive I'll forgo my usual snarky joke and instead provide a fun link to a video of the man who invented Null References discussing, and apologising for, their creation.
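From the defender's side, the questions that matter for a bug in rds.ko are whether the module is loaded, whether it can be autoloaded on demand, and whether the kernel still allows mapping the zero page. The following is an added example, not the module's or the kernel's code: a read-only assessment that takes `lsmod` output, the contents of `/etc/modprobe.d/*.conf`, and the value of `/proc/sys/vm/mmap_min_addr` as text so it runs offline. The distinction it draws between `blacklist rds` (blocks alias-based autoload only) and `install rds /bin/true` (blocks modprobe entirely) is standard modprobe behaviour; all sample inputs are constructed.

```ruby
# Added example (not the module's or the kernel's code): a read-only assessment
# of whether a Linux host is exposed to bugs in the rds kernel module. Inputs are
# passed in as text so it runs offline; on a real host you would feed it the
# output of `lsmod`, the concatenated /etc/modprobe.d/*.conf files and the value
# of /proc/sys/vm/mmap_min_addr. All sample inputs below are constructed.
module RdsExposure
  MODULE_NAME = 'rds'.freeze

  # lsmod prints a header line, then "name size usecount [users]" per module.
  def self.loaded?(lsmod_text)
    lsmod_text.each_line.drop(1).any? { |line| line.split.first == MODULE_NAME }
  end

  # :install   -> "install rds /bin/true|/bin/false": modprobe never loads it,
  #               whether by alias (socket(AF_RDS) autoload) or explicitly
  # :blacklist -> "blacklist rds": alias-based autoload blocked, explicit modprobe still works
  # :none      -> nothing in modprobe.d mentions it
  def self.block_level(modprobe_text)
    level = :none
    modprobe_text.each_line do |raw|
      line = raw.strip
      next if line.empty? || line.start_with?('#')
      return :install if line =~ %r{\Ainstall\s+#{MODULE_NAME}\s+/bin/(true|false)\b}
      level = :blacklist if line =~ /\Ablacklist\s+#{MODULE_NAME}\s*\z/
    end
    level
  end

  # Returns a list of human-readable findings; empty means nothing to report.
  def self.assess(lsmod:, modprobe:, mmap_min_addr:)
    findings = []
    findings << 'rds module is currently loaded' if loaded?(lsmod)
    case block_level(modprobe)
    when :none      then findings << 'rds not blocked in modprobe.d: a socket(AF_RDS) call can autoload it'
    when :blacklist then findings << 'rds only blacklisted: explicit modprobe can still load it'
    end
    # vm.mmap_min_addr is the sysctl that keeps userspace from mapping the zero
    # page, which NULL-dereference exploitation generally relies on.
    findings << 'vm.mmap_min_addr is 0: the NULL page can be mapped' if mmap_min_addr.to_i.zero?
    findings
  end
end

# Constructed sample inputs.
LSMOD_WITH_RDS = "Module                  Size  Used by\nrds                   237568  0\nxt_conntrack           16384  1\n"
LSMOD_CLEAN    = "Module                  Size  Used by\nxt_conntrack           16384  1\n"
MODPROBE_HARDENED = "# constructed hardening drop-in\ninstall rds /bin/true\n"
MODPROBE_DEFAULT  = "blacklist floppy\n"

if $PROGRAM_NAME == __FILE__
  puts RdsExposure.assess(lsmod: LSMOD_WITH_RDS, modprobe: MODPROBE_DEFAULT, mmap_min_addr: "65536\n")
end
```

On a live host you would run it as `RdsExposure.assess(lsmod: `lsmod`, modprobe: Dir.glob('/etc/modprobe.d/*.conf').map { |f| File.read(f) }.join, mmap_min_addr: File.read('/proc/sys/vm/mmap_min_addr'))`. A host that has no use for RDS should report nothing, which in practice means an `install rds /bin/true` drop-in and a non-zero `mmap_min_addr`.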

Let your L33T FL4G Fly

It's only been a week since our last wrap-up announced our 3rd Annual(ish) Metasploit CTF and we're already booked up! Registration is for teams rather than individuals, however, and teams have no size limit, so if you hop over to the public #metasploit-ctf slack channel and ask around you may still get someone to take you on board.

Note: If you have successfully registered for the CTF and no longer want or need your spot, please let us know on Slack or at msfdev metasploit com so we can give your CTF account to another team!

Prizes as well as public (visible to potential employers) bragging rights are to be had! We're all working hard to make sure everything is ship shape for launch on January 30th, 12:00 PM EST and support will be available until the competition ends at 11:59 AM EST on February 3rd. Good luck and remember: Sleep Deprivation is temporary; Pride is eternal!

New modules (3)

Enhancements and features

  • PR #12845 Adds a check to the webmin_backdoor module to warn if the server responded with SSL and the module SSL Option isn't enabled, from wvu-r7
  • PR #12836 Limit compatible gems in preparation for Rails 5 or greater, from jmartin-r7
  • PR #12808 Job descriptions for UDP handlers will now show a URI with protocol, host, and port, similar to TCP handlers, from L-codes
  • PR #12795 This adds a command stager for binary payloads that utilizes the lwp-request (-m GET) command to fetch a payload over HTTP, from bcoles
  • PR #12790 This adds the -O option to run an optimized kernel when invoking hashcat from Metasploit. GREATLY (>200%) increases the speed of cracking, with a tradeoff of password length, from h00die
  • PR #12776 This updates the auxiliary/scanner/misc/sunrpc_portmapper module with a PROTOCOL option to select between TCP or UDP, from busterb
  • PR #12758 This adds the attributes method to the Msf::Post::File mixin, allowing module developers to list Linux file attributes for a given file. An immutable? method has been provided to check if a file is immutable, from bcoles
  • PR #12757 This randomizes the test string in Msf::Post::File's _write_file_unix_shell method, from bcoles
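Of the enhancements above, the file attribute helpers from PR #12758 are the ones a post-exploitation or incident-response script leans on most, since an immutable file cannot be modified, removed or renamed even by root until the bit is cleared. The following is an added example and is not the `Msf::Post::File` code from that PR: a stand-alone parser for `lsattr` output that answers the same questions (which attribute bits are set, and is a file immutable or append-only). The `lsattr` output format (a flag field of `-` and letters, then the path) is real; the sample output is constructed.

```ruby
# Added example (not the Msf::Post::File code from PR #12758): a stand-alone
# parser for `lsattr` output that answers the same questions the attributes and
# immutable? helpers do. Sample output below is constructed; `lsattr` prints a
# flag field followed by the path, e.g. "----i---------e---- /etc/passwd".
module FileAttrs
  # Flag field is '-' for unset bits and a letter for set bits
  # (i = immutable, a = append-only, e = extents, ...).
  LINE = /\A([-A-Za-z]+)\s+(.+)\z/

  # Map each path to the list of set attribute letters.
  def self.parse(lsattr_output)
    lsattr_output.each_line.with_object({}) do |raw, acc|
      line = raw.chomp
      next if line.empty?
      # lsattr reports files it cannot read as "lsattr: <reason> While reading flags on <path>"
      next if line.start_with?('lsattr:')
      m = LINE.match(line) or next
      flags, path = m.captures
      acc[path] = flags.delete('-').chars
    end
  end

  def self.attributes(lsattr_output, path)
    parse(lsattr_output).fetch(path, [])
  end

  # A file with the 'i' bit cannot be modified, deleted or renamed even by root
  # until the bit is cleared, which matters for tamper-evidence and for cleanup.
  def self.immutable?(lsattr_output, path)
    attributes(lsattr_output, path).include?('i')
  end

  # The 'a' bit allows appends only; log files are a common place to find it.
  def self.append_only?(lsattr_output, path)
    attributes(lsattr_output, path).include?('a')
  end
end

# Constructed sample: what `lsattr /etc/passwd /etc/hosts /var/log/audit.log /proc/version` might print.
LSATTR_SAMPLE = <<~OUT
  ----i---------e---- /etc/passwd
  --------------e---- /etc/hosts
  -----a--------e---- /var/log/audit.log
  lsattr: Operation not supported While reading flags on /proc/version
OUT

if $PROGRAM_NAME == __FILE__
  FileAttrs.parse(LSATTR_SAMPLE).each { |path, attrs| puts "#{path}: #{attrs.join(',')}" }
end
```

Files that `lsattr` cannot read (procfs, unsupported filesystems) are skipped rather than treated as having no attributes, so a missing key in the parsed hash means "unknown", which is the honest answer for a post module to give.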

Bugs fixed

  • PR #12874 Adds a fix for rand_text functions allowing them to take in a range whilst debugging, from busterb
  • PR #12873 Adds support for custom HTTP cookies in reverse HTTP/HTTPS Windows payloads, from dwelch-r7
  • PR #12823 Bind payloads for Windows and *nix using the Lua scripting language no longer reference an undefined variable, from L-codes

Get it

As always, you can update to the latest Metasploit Framework with msfupdate and you can get more details on the changes since the last blog post from GitHub:

If you are a git user, you can clone the Metasploit Framework repo (master branch) for the latest. To install fresh without using git, you can use the open-source-only Nightly Installers or the binary installers (which also include the commercial edition).