VPN to root

The Network Manager VPNC Username Privilege Escalation module by bcoles exploits a privilege escalation attack in the Network Manager VPNC plugin configuration data (CVE-2018-10900) to gain root privileges. Network Manager VPNC versions prior to 1.2.6 are vulnerable and the module has been successfully tested against 1.2.4-4 on Debian 9.0.0 (x64) and 1.1.93-1 on Ubuntu Linux 16.04.4 (x64). The exploit/linux/local/network_manager_vpnc_username_priv_esc module uses a newline character to inject a Password helper option into the Xauth username parameter. The Password helper option is used to specify a path to a password program or helper name, in this case it specifies the binary the attacker would like to escalate privileges, a Meterpreter payload. When the maliciously configured VPN connection is brought up the helper is executed by Network Manager as root and this VPN grants you a root Meterpreter session.

Three shells and a PE

Have you ever wanted to play a game where you let a user bet which PE file on their system contains a payload? alpiste contributed a post module and a Meterpreter extension based on the peinjector project. The post/windows/manage/peinjector module and injectpe Meterpreter extension command add the ability to inject a Windows payload into a target portable executable (PE) file, x86 or x64, on a remote host without changing the original functionality. When a user executes the file, the payload will run as a thread with the same privileges within the original process. It is important to note that it is not possible to remove the injected payload so you will need to backup the original file to restore from at a later date.

New Modules

Exploit modules (3 new)

Auxiliary and post modules (1 new)

Improvements

Get it

As always, you can update to the latest Metasploit Framework with msfupdate and you can get more details on the changes since the last blog post from GitHub:

To install fresh, check out the open-source-only Nightly Installers,or the binary installers which also include the commercial editions. PLEASE NOTE that these installers, and Metasploit Framework versions included in distros such as Kali, Parrot, etc., are based off the stable Metasploit 4 branch. If you'd like to try out the newer things going into Metasploit 5, that work is available in the master branch of the Metasploit Framework repo on GitHub.