New Privilege Escalation Exploit
The glibc 'realpath()' module was added by bcoles. It attempts to gain root privileges on Debian-based Linux systems by exploiting a vulnerability (CVE-2018-1000001) in the GNU C Library (glibc) version <= 2.26. The module uses halfdog's RationalLove exploit to trigger a buffer underflow in glibc's realpath() and create a SUID root shell. It includes offsets for glibc version 2.24-11+deb9u1. The victim host must have unprivileged user namespaces enabled for it to work.
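Before firing a local privilege escalation like this it pays to check the two preconditions the post names: an affected glibc build and the unprivileged user namespace knob. The script below is an added example and not part of the module; it parses a Debian libc6 package version, compares the upstream part against the 2.26 cut-off, and reads the Debian-specific sysctl `/proc/sys/kernel/unprivileged_userns_clone` (the path, the `dpkg-query` call and the result labels are assumptions, and the offsets set holds only the build the post lists).

```python
import re
import subprocess
from typing import Optional, Tuple

# From the post: upstream glibc <= 2.26 is affected (CVE-2018-1000001), the
# module has offsets for Debian's 2.24-11+deb9u1 build, and the target needs
# unprivileged user namespaces. Paths, commands and labels are assumptions.
LAST_AFFECTED_UPSTREAM = (2, 26)
MODULE_OFFSET_BUILDS = {"2.24-11+deb9u1"}
# Debian-specific sysctl: "1" means unprivileged user namespaces are allowed.
DEBIAN_USERNS_SYSCTL = "/proc/sys/kernel/unprivileged_userns_clone"


def split_debian_version(version: str) -> Tuple[Tuple[int, int], str]:
    """'2:2.24-11+deb9u1' -> ((2, 24), '11+deb9u1').
    Drops the epoch and separates the Debian revision (which may not contain
    a hyphen, so rpartition is safe) from the upstream version."""
    version = version.split(":", 1)[-1]
    upstream, sep, revision = version.rpartition("-")
    if not sep:                      # native package: no Debian revision
        upstream, revision = revision, ""
    m = re.match(r"(\d+)\.(\d+)", upstream)
    if not m:
        raise ValueError("cannot parse glibc version %r" % version)
    return (int(m.group(1)), int(m.group(2))), revision


def assess(libc6_version: str, userns_sysctl: Optional[str]) -> str:
    """Classify a host from its libc6 version and the sysctl file contents
    (None when the Debian-specific knob does not exist on this kernel)."""
    upstream, _ = split_debian_version(libc6_version)
    if upstream > LAST_AFFECTED_UPSTREAM:
        return "NOT_AFFECTED"
    if userns_sysctl is None:
        return "USERNS_UNKNOWN"
    if userns_sysctl.strip() != "1":
        return "USERNS_DISABLED"
    if libc6_version.split(":", 1)[-1] in MODULE_OFFSET_BUILDS:
        return "READY"
    # Upstream version is in range but the module has no offsets for this
    # build; the distro may also have backported the fix into this revision.
    return "NO_OFFSETS"


def collect_local() -> Tuple[Optional[str], Optional[str]]:
    """Read the two inputs from the current dpkg-based host."""
    try:
        version = subprocess.check_output(
            ["dpkg-query", "-W", "--showformat=${Version}", "libc6"],
            text=True).strip() or None
    except (OSError, subprocess.CalledProcessError):
        version = None
    try:
        with open(DEBIAN_USERNS_SYSCTL) as f:
            userns = f.read()
    except OSError:
        userns = None
    return version, userns


if __name__ == "__main__":
    version, userns = collect_local()
    if version is None:
        print("libc6 not found via dpkg-query; not a Debian-based host?")
    else:
        print("libc6 %s, userns sysctl %r -> %s"
              % (version, (userns or "").strip(), assess(version, userns)))
```

A `NO_OFFSETS` result means the upstream version is in range but the module as described would not know where to write; a patched distro build can also sit in that bucket, so treat it as "investigate", not "exploitable".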
New Command Injection Exploit
The DynoRoot module exploits a command injection vulnerability (CVE-2018-1111) in the NetworkManager integration script for the DHCP client on Red Hat, CentOS, and Fedora systems. The attack surface is at least two-fold: a malicious DHCP server, or an attacker able to spoof DHCP responses on the local network. In either scenario, arbitrary commands are executed by a process running with root privileges. This module was contributed by kkirsche.
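The injection point is DHCP option 252, the WPAD proxy auto-discovery URL, whose value the vulnerable dispatcher script handed to the shell without escaping, so a malicious or spoofed server simply puts a quote and a command in that option. As an added detection example (not Metasploit's or the module's code), the Python below parses the options field of a raw DHCP packet and flags option 252 values that carry shell metacharacters; the DHCPOFFER it checks is constructed inline as a fixture.

```python
import struct

DHCP_MAGIC_COOKIE = b"\x63\x82\x53\x63"   # follows the 236-byte BOOTP header
OPT_PAD, OPT_END = 0, 255
OPT_MESSAGE_TYPE = 53
OPT_PROXY_AUTODISCOVERY = 252             # WPAD URL: the option DynoRoot abuses
# Characters that have no business in a URL handed to a shell.
SHELL_META = set("'\"`$&;|\n")


def parse_dhcp_options(packet: bytes) -> dict:
    """Return {option_code: [value_bytes, ...]} for a raw BOOTP/DHCP payload.
    Raises ValueError on a short packet, missing cookie or truncated option.
    Option overloading into sname/file (option 52) is not followed."""
    if len(packet) < 240 or packet[236:240] != DHCP_MAGIC_COOKIE:
        raise ValueError("not a DHCP packet")
    options, i = {}, 240
    while i < len(packet):
        code = packet[i]
        if code == OPT_PAD:
            i += 1
            continue
        if code == OPT_END:
            break
        if i + 1 >= len(packet):
            raise ValueError("truncated option header")
        length = packet[i + 1]
        value = packet[i + 2:i + 2 + length]
        if len(value) != length:
            raise ValueError("truncated option %d" % code)
        options.setdefault(code, []).append(value)
        i += 2 + length
    return options


def dynoroot_findings(options: dict) -> list:
    """Flag every option 252 value containing shell metacharacters.
    Returns [(value_as_text, sorted_offending_chars), ...]."""
    findings = []
    for value in options.get(OPT_PROXY_AUTODISCOVERY, []):
        text = value.decode("latin-1")        # never fails, keeps raw bytes
        bad = sorted(SHELL_META.intersection(text))
        if bad:
            findings.append((text, bad))
    return findings


def build_sample_offer(wpad_value: bytes) -> bytes:
    """Constructed DHCPOFFER (op=2, ethernet, hlen=6) carrying option 252.
    Test fixture only; not a captured packet."""
    header = struct.pack("!BBBB", 2, 1, 6, 0) + b"\xde\xad\xbe\xef" + b"\x00" * 228
    opts = bytes([OPT_MESSAGE_TYPE, 1, 2])                    # DHCPOFFER
    opts += bytes([OPT_PROXY_AUTODISCOVERY, len(wpad_value)]) + wpad_value
    opts += bytes([OPT_END])
    return header + DHCP_MAGIC_COOKIE + opts


if __name__ == "__main__":
    # Constructed samples: a benign WPAD URL and a DynoRoot-style payload
    # (the quote closes the script's quoting, '&' starts the injected command).
    for sample in (b"http://wpad.corp.example/wpad.dat",
                   b"x'&touch /tmp/dynoroot #"):
        hits = dynoroot_findings(parse_dhcp_options(build_sample_offer(sample)))
        print(sample, "->", hits or "clean")
```

Run over a pcap, the same two functions give a cheap network-side signal for this CVE; on the host side the fix is to upgrade NetworkManager, since the vulnerable script trusts whatever the DHCP server sends.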
New Mettle Extension
A new Mettle extension has been added by one of our Google Summer of Code students, DeveloppSoft. Once an attacker has gained a session on a POSIX system, they can play sounds on the victim host. The audio data is transmitted directly into the victim process's memory, so no file needs to be downloaded to disk before the sound is played; aplay must be installed on the victim, however.
Demos for the Demo God: SOCKS5 Edition
A few weeks ago, @asoto-r7 and @zeroSteiner added the long-anticipated auxiliary/server/socks5 module. Now you can forward your scans and attacks through your Metasploit host or Meterpreter targets. Your attacks will look like they're coming from the target, confounding logs and circumventing defenses! Check out our YouTube demo and tutorial:
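For anyone who wants to see what the module actually speaks, here is the client side of the RFC 1928 handshake in standard-library Python: greeting, method selection, a CONNECT request that sends the hostname as ATYP 3 so the proxy (and therefore the pivot network) does the DNS lookup, and the reply. This is an added example and not the module's or Rapid7's code; the proxy address and destination are assumptions, and username/password authentication (RFC 1929, method 0x02), if the proxy requires it, is not implemented here.

```python
import socket
import struct

SOCKS_VERSION = 5
METHOD_NO_AUTH, METHOD_USERPASS, METHOD_NONE_ACCEPTABLE = 0x00, 0x02, 0xFF
CMD_CONNECT = 0x01
ATYP_IPV4, ATYP_DOMAIN, ATYP_IPV6 = 0x01, 0x03, 0x04
REPLY_TEXT = {0: "succeeded", 1: "general failure", 2: "not allowed by ruleset",
              3: "network unreachable", 4: "host unreachable",
              5: "connection refused", 6: "TTL expired",
              7: "command not supported", 8: "address type not supported"}


def build_greeting(methods=(METHOD_NO_AUTH,)) -> bytes:
    """VER | NMETHODS | METHODS..."""
    return bytes([SOCKS_VERSION, len(methods), *methods])


def parse_method_selection(data: bytes) -> int:
    """VER | METHOD. 0xFF means the server rejected every offered method."""
    if len(data) != 2 or data[0] != SOCKS_VERSION:
        raise ValueError("bad method selection %r" % data)
    if data[1] == METHOD_NONE_ACCEPTABLE:
        raise ConnectionError("proxy accepts none of the offered auth methods")
    return data[1]


def build_connect(host: str, port: int) -> bytes:
    """VER | CMD | RSV | ATYP | DST.ADDR | DST.PORT. Literal IPs go as
    ATYP 1/4; anything else is sent as a domain name for remote resolution."""
    try:
        addr = bytes([ATYP_IPV4]) + socket.inet_pton(socket.AF_INET, host)
    except OSError:
        try:
            addr = bytes([ATYP_IPV6]) + socket.inet_pton(socket.AF_INET6, host)
        except OSError:
            name = host.encode("idna")
            if len(name) > 255:
                raise ValueError("hostname too long for SOCKS5")
            addr = bytes([ATYP_DOMAIN, len(name)]) + name
    return bytes([SOCKS_VERSION, CMD_CONNECT, 0x00]) + addr + struct.pack("!H", port)


def parse_reply(data: bytes) -> tuple:
    """VER | REP | RSV | ATYP | BND.ADDR | BND.PORT -> (addr, port)."""
    if len(data) < 4 or data[0] != SOCKS_VERSION:
        raise ValueError("bad SOCKS5 reply")
    rep, atyp = data[1], data[3]
    if rep != 0:
        raise ConnectionError("SOCKS5 CONNECT failed: %s" % REPLY_TEXT.get(rep, rep))
    if atyp == ATYP_IPV4:
        addr, rest = socket.inet_ntop(socket.AF_INET, data[4:8]), data[8:]
    elif atyp == ATYP_IPV6:
        addr, rest = socket.inet_ntop(socket.AF_INET6, data[4:20]), data[20:]
    elif atyp == ATYP_DOMAIN:
        n = data[4]
        addr, rest = data[5:5 + n].decode("idna"), data[5 + n:]
    else:
        raise ValueError("unknown address type %d" % atyp)
    if len(rest) != 2:
        raise ValueError("bad BND.PORT")
    return addr, struct.unpack("!H", rest)[0]


def _recv_exact(sock, n: int) -> bytes:
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("proxy closed the connection mid-handshake")
        buf += chunk
    return buf


def socks5_connect(proxy, dest_host, dest_port, timeout=10):
    """Return a TCP socket to dest_host:dest_port tunnelled through proxy
    (a (host, port) tuple); only the no-authentication method is offered."""
    s = socket.create_connection(proxy, timeout=timeout)
    try:
        s.sendall(build_greeting())
        parse_method_selection(_recv_exact(s, 2))
        s.sendall(build_connect(dest_host, dest_port))
        head = _recv_exact(s, 4)
        atyp = head[3]
        if atyp == ATYP_IPV4:
            tail = _recv_exact(s, 4 + 2)
        elif atyp == ATYP_IPV6:
            tail = _recv_exact(s, 16 + 2)
        elif atyp == ATYP_DOMAIN:
            n = _recv_exact(s, 1)
            tail = n + _recv_exact(s, n[0] + 2)
        else:
            raise ValueError("unknown address type %d" % atyp)
        parse_reply(head + tail)
        return s
    except Exception:
        s.close()
        raise


if __name__ == "__main__":
    # Assumed addresses: the socks5 module listening locally, an internal host.
    conn = socks5_connect(("127.0.0.1", 1080), "intranet.example", 80)
    conn.sendall(b"HEAD / HTTP/1.0\r\nHost: intranet.example\r\n\r\n")
    print(conn.recv(512).decode("latin-1", "replace"))
    conn.close()
```

The point of sending a hostname rather than resolving it locally is the same reason `curl --socks5-hostname` and proxychains' remote-DNS mode exist: a lookup from your machine leaks the target name and, if the name is only resolvable inside the pivot network, fails outright.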
Exploit modules (2 new)
- glibc 'realpath()' Privilege Escalation by Brendan Coles and halfdog, which exploits CVE-2018-1000001
- DHCP Client Command Injection (DynoRoot) by Felix Wilhelm and Kevin Kirsche, which exploits CVE-2018-1111
Auxiliary and post modules (1 new)
- BADPDF Malicious PDF Creator by Assaf Baharav, Ido Solomon, Richard Davy - secureyourit.co.uk, and Yaron Fruchtmann, which exploits CVE-2018-4993
- Multi Dropper module now includes .URL files, thanks to Richard Davy - secureyourit.co.uk
- Lync subdomains word list added for use with the enum_dns module, added by jrobles-r7
- pSnuffle options validation bug fixed, thanks to bcoles
As always, you can update to the latest Metasploit Framework with
and you can get more details on the changes since the last blog post from
To install fresh, check out the open-source-only Nightly Installers, or the binary installers which also include the commercial editions. PLEASE NOTE that these installers, and the Metasploit Framework versions included in distros such as Kali, Parrot, etc., are based on the stable Metasploit 4 branch. If you'd like to try out the newer things going into Metasploit 5, that work is available in the master branch of the Metasploit Framework repo on GitHub.