In the week after our CTF, we hope the players had a good time and got back to their loved ones, jobs, lives, studies, and most importantly, back to their beds (and you can find out who the winners were here!). For the Metasploit team, we went back to baking up fresh, hot modules and improvements that remind us in this flu season to not just wash your hands, but also, sanitize your inputs!
SOHOwabout a Shell?
Several D-Link routers have firmware that fail to properly sanitize requests and are a little too efficient in the hand-off of search requests to
system() calls. This allows an attacker to execute arbitrary commands on them and
wget() themself a shell! Thanks to s1kr10s for this module!
Local access through the VPN?
Our prolific contributor bcoles sent in a module targeting vulnerable versions of Windscribe VPN which use a named pipe that is eager to please. The service allows a user to ask it to run programs, but it does not verify those programs are trusted or expected. Instead, the service simply starts whatever program the user requested as system. Again, we can’t stress this enough: please sanitize your hands and any data you take in!
wvu-r7 doubled down on his awesome DOUBLEPULSAR work, and now, metasploit supports connections to both the SMB and RDP variants of DOUBLEPULSAR. With the same features as before, but now on 3389! You can read more about DOUBLEPULSAR over RDP here and here.
New modules (4)
- D-Link Devices Unauthenticated Remote Command Execution in ssdpcgi by s1kr10s and secenv, which exploits CVE-2019-20215
- Windscribe WindscribeService Named Pipe Privilege Escalation by Emin Ghuliev and bcoles, which exploits CVE-2018-11479
- RDP DOUBLEPULSAR Remote Code Execution by wvu, Equation Group, Luke Jennings, Shadow Brokers, Spencer McIntyre, and Tom Sellers
- Install OpenSSH for Windows by Michael Long
Enhancements and features
It may sound strange, but we had a lot of excitement around documentation this time around! adamgalway-r7 cleaned up our contributor guide located here, jkollross added documentation for auxiliary/scanner/http/apache_userdir_enum, and our benevolent doctator h00die has added a documentation equivalent to
msftidy_docs. The additional documentation msftidy:
- Checks to make sure the doc has a corresponding rb/py/go module
- Checks ## Vulnerable Application is the first line
- Checks to make sure Vulnerable Application, Verification Steps, Scenarios, Options are all present
- Checks if Description or Intro/Introduction are present and recommends moving them under Vulnerable Application
- Checks newline at end of file
- Checks the H2s mentioned in 3 are in the right order (@tperry-r7 should it be OK to be missing a section, or all all required? Right now i have all required)
- Checks for spaces EOL (when not in ``` or 4x[:space:])
- Checks that there are no H1s
- Checks line length and suggests cutting it at 140 (arbitrary number I picked, up for debate)
Also, our search command got a lot more friendly thanks to Auxilus, who changed the output from an empty search to the search help menu!
As always, you can update to the latest Metasploit Framework with
and you can get more details on the changes since the last blog post from
If you are a
git user, you can clone the Metasploit Framework repo (master branch) for the latest.
To install fresh without using git, you can use the open-source-only Nightly Installers or the
binary installers (which also include the commercial edition).