
Metasploit's July 3 drop: SMB-to-Meterpreter and Peyara RCE — the detection tune

Rapid7 shipped an SMB-to-Meterpreter session upgrade and a Peyara Remote Mouse RCE module this week. Neither is novel research. Both change what your alerts will look like. Here's the tune.

Marisol "Fuse" Delgado

Rapid7’s Metasploit weekly wrap-up for July 3, authored by Jack Heysel, lands two modules worth noting for detection engineering plus the usual smaller cleanup. Neither module is a zero-day. Both wrap public research into a form a red team can run tomorrow morning, and that is the news, not the vulns.

What actually shipped

SMB-to-Meterpreter session upgrade. Contributor Dean Welch added windows/manage/smb_to_meterpreter, which takes an existing SMB session (the kind you get from credential reuse, harvested hashes, or an already-established relay) and upgrades it into a full Meterpreter session using the PsExec technique. It is available via the module or the shorthand sessions -u <session_id>, the same command that already upgrades plain shell sessions. This is convenience, not new capability: PsExec has been the workhorse post-SMB pivot for a decade. What changes is that the tradecraft floor for that pivot dropped again, from "stage a separate psexec module with the right credentials" to one command against a session you already hold.

Peyara Remote Mouse RCE. Peyara is a small open-source “turn your desktop into a wireless mouse server” project — the kind of thing a developer installs on a personal machine, forgets, and leaves running. The research came out of capture0x’s public PoC: unauthenticated WebSocket on TCP 1313, no input validation on simulated keyboard commands, keystrokes-as-arbitrary-command execution against whoever’s logged in. Small install base. That does not mean zero install base, and Metasploit shipping the module means opportunistic scanning will start including port 1313.

The wrap-up also lists smaller updates and a docs refresh for the older Remote Mouse RCE module against Emote Interactive’s separate Remote Mouse Server. Different product, same class of bug: unauthenticated input protocol handled as trusted.

What defenders actually do about this

1. Find and kill Peyara and its cousins inside the perimeter.

If there is no business reason to run a wireless-mouse-server product on managed endpoints, it should be gone. Standard vulnerability scans rarely fingerprint this class, because TCP 1313 is not on default scan profiles. Check your endpoint agent’s process telemetry, your software inventory, or run a targeted sweep of developer subnets for listeners on 1313. Yes, developer laptops specifically: this class of app tends to get installed on corporate hardware that doubles as a personal machine, and it stays there after the developer stops using it.

2. Tune your PsExec detection, again, because it is about to fire more.

The SMB-to-Meterpreter module drives PsExec the same way Sysinternals PsExec does: copy a service binary to the target over the ADMIN$ share, install a service (Metasploit defaults to a random alphabetic service name, Sysinternals uses PSEXESVC), run the payload as LocalSystem, then clean up. Your SIEM already has the primitives: System event ID 7045 (a service was installed; 4697 in the Security log if you audit it), 4624 with logon type 3 from a workstation source, and 5140/5145 for ADMIN$ share access from an unusual host. The tune is correlating them on the target host inside a short window rather than alerting on any one alone; 7045 by itself is mostly software installs, and 4624 type 3 by itself is every file-share access in the company. If you don’t have this, the honest timeline is: today is a good day to write the rule, because red teams inside your company will run this module before you finish reviewing the ticket.
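The correlation described above, as an added example (this is not Rapid7’s, Metasploit’s, or the author’s code). It assumes a flat, normalized event schema (keys ts, host, id, src_ip, share, service_name, image_path, logon_type, user) that your SIEM may name differently, and the sample events, the workstation range 10.10.20.0/24 and the jump host 10.10.1.5 are all constructed for the demonstration:

```python
"""PsExec-style lateral movement: correlate 5145 ADMIN$ writes, 4624 type-3
logons and 7045 service installs on the same target host within a window.

Added example, not Metasploit or Rapid7 code. The flat event dicts below are
an ASSUMED normalization of Windows Security/System events; map the keys to
whatever your SIEM actually exposes. All sample events are constructed.
"""
import ipaddress
import re
from datetime import datetime, timedelta

# Constructed telemetry for one target host, FILESRV01, three scenarios:
#  A. 10.10.20.45 (a workstation) writes bGzkQwRt.exe to ADMIN$ and a service
#     named bGzkQwRt appears one second later: the Metasploit-style chain.
#  B. 10.10.1.5 (sanctioned jump host) runs Sysinternals PsExec (PSEXESVC).
#  C. A management agent installs a service with no ADMIN$ write at all.
SAMPLE_EVENTS = [
    {"ts": "2025-07-03T09:00:01", "host": "FILESRV01", "id": 4624,
     "logon_type": 3, "src_ip": "10.10.20.45", "user": "CORP\\jdoe"},
    {"ts": "2025-07-03T09:00:02", "host": "FILESRV01", "id": 5145,
     "share": "\\\\*\\ADMIN$", "src_ip": "10.10.20.45", "user": "CORP\\jdoe",
     "target": "bGzkQwRt.exe"},
    {"ts": "2025-07-03T09:00:03", "host": "FILESRV01", "id": 7045,
     "service_name": "bGzkQwRt", "image_path": "%SystemRoot%\\bGzkQwRt.exe",
     "account": "LocalSystem"},
    {"ts": "2025-07-03T11:15:00", "host": "FILESRV01", "id": 4624,
     "logon_type": 3, "src_ip": "10.10.1.5", "user": "CORP\\svc-ops"},
    {"ts": "2025-07-03T11:15:01", "host": "FILESRV01", "id": 5145,
     "share": "\\\\*\\ADMIN$", "src_ip": "10.10.1.5", "user": "CORP\\svc-ops",
     "target": "PSEXESVC.exe"},
    {"ts": "2025-07-03T11:15:02", "host": "FILESRV01", "id": 7045,
     "service_name": "PSEXESVC", "image_path": "%SystemRoot%\\PSEXESVC.exe",
     "account": "LocalSystem"},
    {"ts": "2025-07-03T12:00:00", "host": "FILESRV01", "id": 7045,
     "service_name": "CcmExec", "image_path": "C:\\Windows\\CCM\\CcmExec.exe",
     "account": "LocalSystem"},
]

# Assumed environment knowledge: which ranges are user workstations and which
# hosts are allowed to push services. These two lists are the actual "tune".
WORKSTATION_NETS = [ipaddress.ip_network("10.10.20.0/24")]
JUMP_HOSTS = {"10.10.1.5"}


def looks_random(name):
    """Service-name heuristic. Sysinternals PsExec installs PSEXESVC;
    Metasploit's psexec defaults to a random alphabetic name, which shows up
    as frequent upper/lower case flips. Operators can override the name, so
    this only raises severity and never gates the alert."""
    if name.upper() == "PSEXESVC":
        return True
    if not re.fullmatch(r"[A-Za-z]{8,16}", name):
        return False
    flips = sum(1 for a, b in zip(name, name[1:]) if a.isupper() != b.isupper())
    return flips >= 4


def _ts(event):
    return datetime.fromisoformat(event["ts"])


def find_psexec_chains(events, workstation_nets=WORKSTATION_NETS,
                       jump_hosts=JUMP_HOSTS, window=timedelta(seconds=120)):
    """Return one alert per (host, source, service) where a 7045 service
    install follows an ADMIN$ write from a non-allowlisted source within
    `window`. The 4624 type-3 logon is attached for the user, not required."""
    events = sorted(events, key=_ts)
    admin_writes = [e for e in events
                    if e["id"] == 5145 and e.get("share", "").upper().endswith("ADMIN$")]
    net_logons = [e for e in events if e["id"] == 4624 and e.get("logon_type") == 3]
    alerts, seen = [], set()
    for svc in (e for e in events if e["id"] == 7045):
        t_svc = _ts(svc)
        for w in admin_writes:
            if w["host"] != svc["host"] or not (t_svc - window <= _ts(w) <= t_svc):
                continue
            if w["src_ip"] in jump_hosts:
                continue  # sanctioned admin host: expected PsExec, no alert
            key = (svc["host"], w["src_ip"], svc["service_name"])
            if key in seen:
                continue
            seen.add(key)
            src = ipaddress.ip_address(w["src_ip"])
            from_workstation = any(src in net for net in workstation_nets)
            logon = next((l for l in net_logons
                          if l["host"] == svc["host"] and l["src_ip"] == w["src_ip"]
                          and t_svc - window <= _ts(l) <= t_svc), None)
            signals = int(from_workstation) + int(looks_random(svc["service_name"]))
            alerts.append({
                "host": svc["host"], "src_ip": w["src_ip"],
                "user": (logon or w).get("user"),
                "service_name": svc["service_name"], "image_path": svc["image_path"],
                "from_workstation": from_workstation,
                "severity": ("low", "medium", "high")[signals],
            })
    return alerts


if __name__ == "__main__":
    for alert in find_psexec_chains(SAMPLE_EVENTS):
        print(alert)
```

Against the constructed events this yields exactly one alert: scenario A at high severity, because the ADMIN$ write came from the workstation range and the service name looks generated. Scenario B is suppressed by the jump-host allowlist (drop 10.10.1.5 from JUMP_HOSTS and it surfaces at medium), and scenario C never pairs with an ADMIN$ write, which is the point of correlating instead of alerting on 7045 alone.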

3. Chase the SMB session hygiene the upgrade module assumes, not the upgrade itself.

The module assumes a valid SMB session already exists. That means upstream, an attacker already had something that authenticates over SMB: a phished or reused password, a dumped hash, or a relayed NTLM authentication. Detecting the Meterpreter upgrade is detecting the second stage. The initial access is where the actual gate sits. If password reuse is soft and hash exposure is unmanaged, this module makes exploitation cleaner; it does not make it start. Fix the credential posture and the module is irrelevant.

Priority call

Patch first: nothing here forces a patch cycle. Metasploit did not disclose new vulns this week; it shipped tooling around existing research. If Peyara is somewhere in your environment, get rid of it — but nobody is losing sleep over the population count.

Detect first: PsExec service-creation and admin$ authentication from workstations. Evergreen, unglamorous, and this drop makes it more relevant than it was a week ago. If your PsExec ruleset is older than a year, review it this week.

Metasploit weekly drops aren’t an interesting news signal by themselves. They are useful as a calibration check: red teams inside your company will run the new modules on Monday. If your detection catches the tooling, you learned something. If it doesn’t, you learned more.
