Shifting (NET)GEARs

Community contributor rdomanski added a module for Netgear R6700v3 routers that lets an unauthenticated attacker on the same network reset the admin user's password to the factory default of “password”. The attacker can then set a new admin password, enable telnet with the exploit/linux/telnet/netgear_telnetenable module, and log in to a remote shell on the router with root privileges. This vulnerability pair was exploited by the Flashback team at Pwn2Own Tokyo 2019. Insert “Tokyo Drift” joke here.

Pick a desk… AnyDesk…

Lead Metasploit researcher zeroSteiner added a module for CVE-2020-13160, a remotely exploitable format string vulnerability in AnyDesk versions before 5.5.3 on Linux and FreeBSD. Successful exploitation means code is executed in the context of the user who started the AnyDesk GUI.

Something bugging you?

In the vein of “help us help you”, our own adamgalway-r7 added a new debug command to the msfconsole. This command will display some information that is generally useful for (and requested by) us when understanding a problem a user is having with Framework, allowing you to easily copy-paste that command output into a GitHub issue. There’s also a handy reminder when you run the command to redact any sensitive information/values from the debug output before submitting it in an issue.

New modules (4)

Enhancements and features

  • PR #13787 from adfoster-r7 updates the AutoCheck mixin to use Module#prepend instead of Module#include, improving the developer experience. The same PR adds the ForceExploit advanced option, which lets the user override the module’s check result and run the exploit anyway.
  • PR #13601 from gwillcox-r7 adds a new --service-name cmdline option to msfvenom, supporting creation of x86 and x64 exe-service payloads with arbitrary service names.
  • PR #13430 from adamgalway-r7 adds a new debug command to msfconsole for helping provide relevant data when understanding a user issue.
  • PR #13770 from pedrib improved three IBM DRM modules and their docs by updating details with more-current information.
  • PR #13795 from adfoster-r7 appends a helpful ‘hint’ to the search command output, informing the user that they can use the use command to easily select an item.
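Why the AutoCheck change from include to prepend matters is easiest to see in a few lines of plain Ruby. The snippet below is an added illustration, not code from PR #13787 or from Metasploit itself: AutoCheckDemo, ModuleBase and the :safe/:vulnerable symbols are hypothetical stand-ins for the real mixin, the exploit module base class and Msf::Exploit::CheckCode. With include, the module's own exploit method shadows the mixin's wrapper, so the automatic check never runs; with prepend, the mixin sits in front of the class in the ancestor chain, runs check first, and only falls through to the real exploit via super when the target looks vulnerable or the user has set the ForceExploit-style override.

```ruby
# Added example (not Metasploit code): include vs. prepend for an AutoCheck-style mixin.

# Hypothetical stand-in for the AutoCheck mixin. It wraps exploit so that
# check runs first; the wrapped module's exploit is reached through super.
module AutoCheckDemo
  def exploit
    @events << :check_ran
    result = check
    if result == :safe && !force_exploit?
      @events << :aborted
      return :aborted          # target looks unaffected, stop here
    end
    super                      # hand off to the module's own exploit
  end
end

# Hypothetical stand-in for an exploit module base class.
class ModuleBase
  attr_reader :events

  def initialize(force_exploit: false)
    @events = []               # records which methods actually ran
    @force_exploit = force_exploit
  end

  # Stand-in for the ForceExploit advanced option.
  def force_exploit?
    @force_exploit
  end

  # Constructed check result: the simulated target is not vulnerable.
  def check
    :safe
  end
end

# The "before" shape: include puts the mixin BEHIND the class in the
# ancestor chain, so the class's own exploit wins and the check is skipped.
class IncludingModule < ModuleBase
  include AutoCheckDemo

  def exploit
    @events << :exploit_ran
    :exploited
  end
end

# The "after" shape: prepend puts the mixin IN FRONT of the class, so the
# wrapper runs first and the module's exploit is only reached via super.
class PrependingModule < ModuleBase
  prepend AutoCheckDemo

  def exploit
    @events << :exploit_ran
    :exploited
  end
end

# Runs a module and returns [result, list of methods that ran].
def run(klass, force_exploit: false)
  m = klass.new(force_exploit: force_exploit)
  [m.exploit, m.events]
end

if __FILE__ == $PROGRAM_NAME
  p IncludingModule.ancestors.first(3)   # [IncludingModule, AutoCheckDemo, ModuleBase]
  p PrependingModule.ancestors.first(3)  # [AutoCheckDemo, PrependingModule, ModuleBase]
  p run(IncludingModule)                 # check never ran
  p run(PrependingModule)                # check ran and aborted the exploit
  p run(PrependingModule, force_exploit: true)  # check ran, override let exploit proceed
end
```

The ancestor order printed by the script is the whole story: a method defined directly in the class always beats an included module's method of the same name, which is why a mixin that needs to wrap exploit has to be prepended.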

Bugs fixed

  • PR #13773 pulls in Java Meterpreter fixes from timwr around handling of stderr output.
  • PR #13782 from akkuman fixes the ability to use environment variable MSF_WS_JSON_RPC_API_TOKEN for authenticating with the Metasploit JSON-RPC web service when a database is connected.
  • PR #13725 from kalba-security fixes an error which occurs when running exploit/linux/http/atutor_filemanager_traversal without creds (and also cleaned up some code!).

Get it

As always, you can update to the latest Metasploit Framework with msfupdate, and you can get more details on the changes since the last blog post from GitHub:

If you are a git user, you can clone the Metasploit Framework repo (master branch) for the latest. To install fresh without using git, you can use the open-source-only Nightly Installers or the binary installers (which also include the commercial edition).