Privilege Escalation

Linux BPF

CVE-2017-16995 is a Linux kernel vulnerability in the way that a Berkeley Packet Filter (BPF) is verified. Multiple sign extension bugs allows memory corruption by unprivileged users, which could be used for a local privilege escalation attack by overwriting a credential structure in memory to gain root access to a compromised host. The bpf_sign_extension_priv_esc module uses C exploit code written by rlarabee to perform the privilege escalation.

POP/MOV SS

How debug exceptions are handled after a MOV SS or POP SS instruction could lead to a privilege escalation vulnerability against certain Windows kernels. bwatters-r7 created a module in framework that utilizes a compiled version of can1357's exploit to gain SYSTEM access on vulnerable 64-bit Windows hosts. Because the CVE is recent, the exploit works with several modern releases of Windows 10x64. If you would like to dig more into how this exploit works and see brilliant older features sometimes have unexpected effects on current software, check out can1357's blog post about it.

Open Source Security Meetup (OSSM): Vegas 2018

Like open source security? Want to take a break from corporate events at hacker summer camp to share projects and chat in a low-key environment? Stop by the fourth annual Open Source Security Meetup (OSSM) in Vegas from 4-6 PM August 9. There are no formal presentations this year (true meetup-style), but if you’re an open source security dev with a project you want to discuss, let us know here.

New Modules

Exploit modules (5 new)

Improvements

Get it

As always, you can update to the latest Metasploit Framework with msfupdate and you can get more details on the changes since the last blog post from GitHub:

To install fresh, check out the open-source-only Nightly Installers, or the binary installers which also include the commercial editions. PLEASE NOTE that these installers, and Metasploit Framework versions included in distros such as Kali, Parrot, etc., are based off the stable Metasploit 4 branch. If you'd like to try out the newer things going into Metasploit 5, that work is available in the master branch of the Metasploit Framework repo on GitHub.