VPN to root
The Network Manager VPNC Username Privilege Escalation module by bcoles exploits a privilege escalation vulnerability in the Network Manager VPNC plugin configuration data (CVE-2018-10900) to gain root privileges. Network Manager VPNC versions prior to 1.2.6 are vulnerable, and the module has been successfully tested against 1.2.4-4 on Debian 9.0.0 (x64) and 1.1.93-1 on Ubuntu Linux 16.04.4 (x64). The exploit/linux/local/network_manager_vpnc_username_priv_esc module uses a newline character to inject a Password helper option into the Xauth username parameter. The Password helper option is used to specify a path to a password program or helper name; in this case it specifies the binary the attacker would like to run to escalate privileges, a Meterpreter payload. When the maliciously configured VPN connection is brought up, the helper is executed by Network Manager as root, and this VPN grants you a root Meterpreter session.
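To make the newline trick concrete from the defender's side, here is an added example (not code from the post or from NetworkManager-vpnc) that models the plugin's "key value" config rendering in a simplified form, shows how one unvalidated username value turns into an extra Password helper line, and adds a check that flags the smuggled key plus a hardened renderer that refuses control characters. The helper path and settings are constructed sample values.

```python
import re

# Keys a vpnc config line can start with (a subset of the real vpnc options).
KNOWN_KEYS = ("IPSec gateway", "IPSec ID", "Xauth username",
              "Xauth password", "Password helper", "Script")

# Constructed sample settings for a VPNC connection.
SAFE_SETTINGS = {"IPSec gateway": "vpn.example.com", "Xauth username": "alice"}
# Constructed sample of the CVE-2018-10900 pattern described above:
# a newline inside the username smuggles in a "Password helper" line.
INJECTED_SETTINGS = {"IPSec gateway": "vpn.example.com",
                     "Xauth username": "alice\nPassword helper /tmp/example-helper"}

def render_vpnc_config(settings):
    """Naive renderer: one 'key value' line per setting, no validation."""
    return "".join(f"{key} {value}\n" for key, value in settings.items())

def parse_vpnc_config(text):
    """Read the rendered text back the way a line-oriented parser would."""
    pairs = []
    for line in text.splitlines():
        for key in KNOWN_KEYS:
            if line.startswith(key + " "):
                pairs.append((key, line[len(key) + 1:]))
                break
    return pairs

def smuggled_keys(settings):
    """Keys the parser ends up seeing that were never configured."""
    seen = {key for key, _ in parse_vpnc_config(render_vpnc_config(settings))}
    return sorted(seen - set(settings))

def render_vpnc_config_hardened(settings):
    """Reject any value containing a line break or other control character,
    so a single setting can never expand into two config lines."""
    for key, value in settings.items():
        if re.search(r"[\x00-\x1f\x7f]", value):
            raise ValueError(f"control character in value for {key!r}")
    return render_vpnc_config(settings)
```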
Three shells and a PE
Have you ever wanted to play a game where you let a user bet which PE file on their system contains a payload? alpiste contributed a post module and a Meterpreter extension based on the peinjector project. The post/windows/manage/peinjector module and injectpe Meterpreter extension command add the ability to inject a Windows payload into a target portable executable (PE) file, x86 or x64, on a remote host without changing the original functionality. When a user executes the file, the payload will run as a thread with the same privileges within the original process. It is important to note that it is not possible to remove the injected payload, so you will need to back up the original file to restore from at a later date.
Exploit modules (3 new)
- Network Manager VPNC Username Privilege Escalation by Brendan Coles and Denis Andzakovic, which exploits CVE-2018-10900
- HP Jetdirect Path Traversal Arbitrary Code Execution by Jacob Baines and Matthew Kienow, which exploits CVE-2017-2741. We dug this one out of the PR queue and dusted it off along with the printer to finally land the module and telnetd payload. If you are interested in more details about how this module came to be read A Visit From a Printer PoC.
- Foxit PDF Reader Pointer Overwrite UAF by Jacob Robles, bit from meepwn, mr_me, and saelo, which exploits ZDI-18-332 and ZDI-18-342
Auxiliary and post modules (1 new)
- Peinjector by Maximiliano Tedesco
- @wvu added a database creds and loot import of Group Policy Preferences credentials via the
- @shellfail added a Linux target and check method to the weblogic_deserialize exploit module. The module was also moved under multi and is now available as
- @wvu reenabled the PowerShell target in
- Tim added audio playback from memory to the Windows Meterpreter.
- Brent Cook fixed an issue with the SPARC random NOP generator module where at least 1 in 4 tries it would fail to generate a NOP string.
- sinn3r added information about post-authentication requirements or default creds to the base module class as well as individual modules by way of override. These changes are currently only integrated into MSF5.
As always, you can update to the latest Metasploit Framework with msfupdate and you can get more details on the changes since the last blog post from GitHub:
To install fresh, check out the open-source-only Nightly Installers, or the binary installers which also include the commercial editions. PLEASE NOTE that these installers, and Metasploit Framework versions included in distros such as Kali, Parrot, etc., are based off the stable Metasploit 4 branch. If you'd like to try out the newer things going into Metasploit 5, that work is available in the master branch of the Metasploit Framework repo on GitHub.