The Rapid7 Metasploit development team discusses (and demonstrates!) ongoing Metasploit work and features during their bimonthly sprint meeting, including the following NEW modules:

* Login to Another User with Su on Linux / Unix Systems
* Microsoft SharePoint Server-Side Include and ViewState RCE (CVE-2020-16952)
* Telerik UI ASP.NET AJAX RadAsyncUpload Deserialization (CVE-2019-18935)
* Microsoft Windows Uninitialized Variable Local Privilege Elevation, a.k.a. WizardOpium (CVE-2019-1458)

Included in this recording are demos of the new WizardOpium LPE (CVE-2019-1458) module and a handful of enhancements, including `run` command tab completion, an update to the `enum_putty_saved_sessions` module to gather ProxyUsername and ProxyPassword values, and enhanced error logging around external modules.

Also, our new web app that we’ve been building called AttackerKB (Attacker Knowledge Base) is NOW GA!!! AttackerKB is a new resource to highlight hacker community knowledge on which vulns matter most — and why! You can check out the site yourself at!

See all the latest modules, PRs, Metasploit blogs, and contributors at