New Privilege Escalation Exploit

The glibc 'realpath()' module was added by bcoles. It attempts to gain root privileges on Debian-based Linux systems by exploiting a vulnerability in GNU C Library (glibc) version <= 2.26. This exploit uses halfdog's RationalLove exploit to expose a buffer underflow error in glibc realpath() and create a SUID root shell. The module includes offsets for glibc versions 2.23-0ubuntu9 and 2.24-11+deb9u1. The victim host must have unprivileged user namespaces enabled for it to work.

New Command Injection Exploit

The DynoRoot module exploits a command injection vulnerability (CVE-2018-1111) against the DHCP client's NetworkManager script on Red Hat, CentOS, and Fedora systems. The attack surface is at least two-fold: a malicious DHCP server or an attacker that is able to spoof DHCP responses. In either scenario, arbitrary system commands could be executed on a process with root privileges. This module was contributed by kkirsche.

New Mettle Extension

A new Mettle extension has been added by one of our Google Summer of Code students, DeveloppSoft. Once an attacker has gained a session on a POSIX system, they can play sounds on the victim host. This is accomplished by transmitting the sound information directly to the victim's memory. There is no need to download a file before playing the sound, but aplay is required to be installed.

Demos for the Demo God: SOCKS5 Edition

A few weeks ago, @asoto-r7 and @zeroSteiner added the long-anticipated auxiliary/server/socks5 module. Now you can forward your scans and attacks through your Metasploit host or Meterpreter targets. Your attacks will look like they're coming from the target, confounding logs and circumventing defenses! Check out our YouTube demo and tutorial:

New Modules

Exploit modules (2 new)

Auxiliary and post modules (1 new)

  • BADPDF Malicious PDF Creator by Assaf Baharav, Ido Solomon, Richard Davy - secureyourit.co.uk, and Yaron Fruchtmann, which exploits CVE-2018-4993

Improvements

Get it

As always, you can update to the latest Metasploit Framework with msfupdate
and you can get more details on the changes since the last blog post from
GitHub:

To install fresh, check out the open-source-only Nightly Installers, or the binary installers which also include the commercial editions. PLEASE NOTE that these installers, and Metasploit
Framework versions included in distros such as Kali, Parrot, etc., are based off the stable Metasploit 4 branch. If you'd like to try out the newer things going into Metasploit 5, that work is available in the master branch of the Metasploit Framework repo on GitHub.