Last updated at Thu, 25 Jan 2024 00:33:39 GMT
New Privilege Escalation Exploit
The glibc 'realpath()' module was added by bcoles. It attempts to gain root privileges on Debian-based Linux systems by exploiting a vulnerability in the GNU C Library (glibc) version <= 2.26 (CVE-2018-1000001). The module uses halfdog's RationalLove exploit to trigger a buffer underflow in glibc's realpath() and create a SUID root shell. It is an offset-based exploit: the module ships offsets for glibc 2.23-0ubuntu9 and 2.24-11+deb9u1, so other builds in the affected range are not covered out of the box. The victim host must also have unprivileged user namespaces enabled for it to work.
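The paragraph above states three preconditions (glibc <= 2.26, one of the two builds with shipped offsets, unprivileged user namespaces enabled). The following pre-flight check, added here as an example and not part of Metasploit or the original post, tests all three on a target host. It assumes the `ldd --version` banner format used by Ubuntu and Debian (`ldd (Ubuntu GLIBC 2.23-0ubuntu9) 2.23`) and the Debian/Ubuntu `kernel.unprivileged_userns_clone` sysctl, which mainline kernels do not have; the final `unshare -U true` is the authoritative test.

```sh
#!/bin/sh
# Added pre-flight check for the glibc realpath() module's stated requirements.
# Constructed example; not part of Metasploit or the blog post.

# First line of `ldd --version`, e.g. "ldd (Ubuntu GLIBC 2.23-0ubuntu9) 2.23":
# the last field is the upstream glibc version.
glibc_version_from_ldd() {
    printf '%s\n' "$1" | awk 'NR == 1 { print $NF }'
}

# Same banner: the distro package version inside the parentheses
# ("2.23-0ubuntu9"). Prints nothing when the banner has no "GLIBC <pkg>)" part.
glibc_package_version_from_ldd() {
    printf '%s\n' "$1" | sed -n -E '1s/.*GLIBC ([^)]+)\).*/\1/p'
}

# True (0) when major.minor is <= 2.26, the range affected by CVE-2018-1000001.
# Non-version input (empty string, "unknown") is treated as not affected.
glibc_in_affected_range() {
    case "$1" in
        [0-9]*.[0-9]*) ;;
        *) return 1 ;;
    esac
    major=${1%%.*}
    rest=${1#*.}
    minor=${rest%%.*}
    [ "$major" -lt 2 ] || { [ "$major" -eq 2 ] && [ "$minor" -le 26 ]; }
}

# True only for the exact builds the module carries offsets for. A later
# package revision (e.g. 2.23-0ubuntu9.9) is a different binary and does not match.
glibc_has_shipped_offsets() {
    case "$1" in
        2.23-0ubuntu9|2.24-11+deb9u1) return 0 ;;
        *) return 1 ;;
    esac
}

# Unprivileged user namespaces. Debian/Ubuntu kernels expose a dedicated
# sysctl; mainline kernels only have the max_user_namespaces limit. Either
# knob being off is a definite "no"; otherwise actually try to create one.
unprivileged_userns_enabled() {
    if [ -r /proc/sys/kernel/unprivileged_userns_clone ]; then
        [ "$(cat /proc/sys/kernel/unprivileged_userns_clone)" = 1 ] || return 1
    fi
    if [ -r /proc/sys/user/max_user_namespaces ]; then
        [ "$(cat /proc/sys/user/max_user_namespaces)" -gt 0 ] || return 1
    fi
    unshare -U true 2>/dev/null
}

main() {
    banner=$(ldd --version 2>/dev/null)
    ver=$(glibc_version_from_ldd "$banner")
    pkg=$(glibc_package_version_from_ldd "$banner")
    printf 'glibc %s (%s): ' "${ver:-unknown}" "${pkg:-unknown package}"
    if glibc_in_affected_range "$ver"; then
        if glibc_has_shipped_offsets "$pkg"; then
            echo "affected, and the module ships offsets for this build"
        else
            echo "affected range, but no offsets shipped for this build"
        fi
    else
        echo "not in the affected range (> 2.26) or version unknown"
    fi
    if unprivileged_userns_enabled; then
        echo "unprivileged user namespaces: enabled"
    else
        echo "unprivileged user namespaces: disabled (module will not work)"
    fi
}

main
```

Run it as the unprivileged user you already have a session as, since the user-namespace test depends on that user's capabilities, not root's.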
New Command Injection Exploit
The DynoRoot module exploits a command injection vulnerability (CVE-2018-1111) in the NetworkManager script that processes DHCP client responses on Red Hat, CentOS, and Fedora systems. The attack surface is at least two-fold: a malicious DHCP server, or an attacker on the local network who can spoof DHCP responses. In either scenario, the injected commands run as root, since the script itself runs with root privileges. This module was contributed by kkirsche.
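To show the injection class the paragraph describes, here is a constructed illustration, added to this post and not the NetworkManager script, the vendor fix or the Metasploit module: a DHCP client hook that turns a server-supplied option value into a shell variable via `eval`, next to the same hook written without re-parsing the value. The option name `wpad`, the payload, and the marker path are assumptions for the demonstration; in a real attack the value arrives in the DHCP response instead of as a function argument.

```sh
#!/bin/sh
# Added illustration of the bug class behind DynoRoot (CVE-2018-1111):
# a DHCP client hook that lets an attacker-controlled option value reach eval.
# Constructed example; not the NetworkManager script or the Metasploit module.

# Vulnerable pattern: build the assignment as text and hand it to eval.
# The value comes from the DHCP server, so a single quote inside it ends the
# string and whatever follows runs as commands, as root in a real hook.
vulnerable_import_option() {
    eval "new_$1='$2'"
}

# Hardened pattern: a plain assignment is parsed once, so the value is
# stored byte-for-byte and never executed, whatever it contains.
hardened_import_option() {
    export "new_$1=$2"
}

# Marker file the injected command creates; its presence proves code ran.
# Constructed path for the demo.
MARKER="${TMPDIR:-/tmp}/dynoroot_demo_$$"

# Constructed hostile option value: closes the quote, runs a command, reopens it
# so the remaining text is still syntactically valid for eval.
PAYLOAD="http://wpad/wpad.dat'; touch $MARKER; echo '"

# Returns 0 when the injected command executed (marker was created).
demo_vulnerable() {
    rm -f "$MARKER"
    vulnerable_import_option wpad "$PAYLOAD"
    [ -e "$MARKER" ]
}

# Returns 0 when nothing executed and the value was stored verbatim.
demo_hardened() {
    rm -f "$MARKER"
    hardened_import_option wpad "$PAYLOAD"
    [ ! -e "$MARKER" ] && [ "$new_wpad" = "$PAYLOAD" ]
}

main() {
    if demo_vulnerable; then
        echo "eval hook: injected command ran (new_wpad='$new_wpad')"
    fi
    if demo_hardened; then
        echo "assignment hook: value stored verbatim, nothing ran"
    fi
    rm -f "$MARKER"
}

main
```

The defensive lesson is the second function: any hook that receives DHCP option values (or other network-supplied strings) must treat them as data, and `eval` on text that embeds them is the pattern to grep for when auditing such scripts.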
New Mettle Extension
A new Mettle extension has been added by one of our Google Summer of Code students, DeveloppSoft. Once an attacker has gained a session on a POSIX system, they can play sounds on the victim host. The audio data is streamed to the target process in memory and handed to aplay, so there is no need to drop a file on disk before playing the sound, but aplay must be installed on the victim.
Demos for the Demo God: SOCKS5 Edition
A few weeks ago, @asoto-r7 and @zeroSteiner added the long-anticipated auxiliary/server/socks5 module. Now you can forward your scans and attacks through your Metasploit host or Meterpreter targets. Your attacks will look like they're coming from the target, confounding logs and circumventing defenses! Check out our YouTube demo and tutorial.
New Modules
Exploit modules (2 new)
- glibc 'realpath()' Privilege Escalation by Brendan Coles and halfdog, which exploits CVE-2018-1000001
- DHCP Client Command Injection (DynoRoot) by Felix Wilhelm and Kevin Kirsche, which exploits CVE-2018-1111
Auxiliary and post modules (1 new)
- BADPDF Malicious PDF Creator by Assaf Baharav, Ido Solomon, Richard Davy - secureyourit.co.uk, and Yaron Fruchtmann, which exploits CVE-2018-4993
Improvements
- Multi Dropper module now includes an IconFile= path in .URL files, thanks to Richard Davy - secureyourit.co.uk
- Lync subdomains word list added for use with the enum_dns module, added by jrobles-r7
- pSnuffle options validation bug fixed, thanks to bcoles
Get it
As always, you can update to the latest Metasploit Framework with msfupdate, and you can get more details on the changes since the last blog post from GitHub.
To install fresh, check out the open-source-only Nightly Installers, or the binary installers which also include the commercial editions. PLEASE NOTE that these installers, and the Metasploit Framework versions included in distros such as Kali, Parrot, etc., are based on the stable Metasploit 4 branch. If you'd like to try out the newer things going into Metasploit 5, that work is available in the master branch of the Metasploit Framework repo on GitHub.