In this round of Metasploit wrap-up, we are offering four fresh and delicious exploits, and plenty of enhancements and fixes.
To start it off, we have a template injection exploit for Atlassian Confluence (CVE-2019-3396). No authentication is required, and Confluence is a popular internal wiki among software development companies, so it is a common sight on internal engagements.
Speaking of popularity, if you run into Rails applications, definitely give the Ruby on Rails directory traversal (CVE-2019-5418) a try. It reads arbitrary files off the server, which is a great way to steal Rails secrets, and that disclosure can be chained into code execution later. Hence the name "DoubleTap" for the exploit.
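The Rails bug above is triggered through the Accept header, which a vulnerable `render file:` call ends up treating as part of a file path. Below is an added example, not code from the Metasploit module or from Rails: a Rack-style middleware that refuses requests whose Accept header carries traversal sequences of the kind the public proof of concept uses. Upgrading Rails is the real fix; this is a stop-gap or detection layer for an app you cannot patch yet. The class and method names are hypothetical, and the sample headers in the comments are constructed.

```ruby
# Added example (not from the Metasploit module or Rails): a Rack-style
# middleware that rejects Accept headers carrying path-traversal sequences.
# Class and method names are hypothetical.
class AcceptHeaderGuard
  def initialize(app)
    @app = app
  end

  # Rack entry point: env is a plain Hash and the Accept header arrives as
  # env['HTTP_ACCEPT'], so this runs without the rack gem installed.
  def call(env)
    if self.class.suspicious?(env['HTTP_ACCEPT'])
      return [406, { 'Content-Type' => 'text/plain' }, ["Not Acceptable\n"]]
    end
    @app.call(env)
  end

  # Undo percent-encoding a bounded number of times so "%2e%2e%2f" and
  # double-encoded variants such as "%252e%252e" are both seen as "../".
  # Work on a binary copy so high bytes never raise encoding errors.
  def self.percent_decode(str)
    s = str.to_s.b
    3.times do
      decoded = s.gsub(/%([0-9A-Fa-f]{2})/) { Regexp.last_match(1).hex.chr }
      break if decoded == s
      s = decoded
    end
    s
  end

  # True when the header looks like a file path rather than a media-type list:
  # a NUL byte, the "{{" sequence the public proof of concept appends
  # (e.g. "../../../../../../../../etc/passwd{{"), or a ".." path component
  # separated by either "/" or "\". A normal browser Accept value such as
  # "text/html,application/xhtml+xml,*/*;q=0.8" contains none of these.
  def self.suspicious?(accept)
    s = percent_decode(accept)
    return true if s.include?("\0")
    return true if s.include?('{{')
    s.split(/[\/\\]/).include?('..')
  end
end
```

Wire it in with `use AcceptHeaderGuard` in `config.ru` or `config/application.rb`. Note that the check is deliberately narrow: it flags only `..` components, `{{` and NUL bytes, so media-type lists with `+` or `;q=` parameters pass untouched, while encoded and backslash variants of the traversal are still caught.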
Next up is SystemTap (CVE-2010-4170), a local privilege escalation module for older Red Hat 4/5/6 as well as Fedora 12/13/14. Those systems still exist, and you should never walk into a pen test without some awesome and reliable privilege escalations, especially ones made by bcoles.
To top it off, we also have a file-format exploit for WinRAR (CVE-2018-20250), a bug in its ACE archive handling that went unnoticed for 19 years. Geez, 19 years is a long time. If you see WinRAR on a target, it is most likely still vulnerable, because who patches WinRAR, right?
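The WinRAR bug belongs to a well-known class: an archive entry name that, once the extractor trusts it, lands a file outside the folder the user chose. As an added example that is not code from WinRAR, UNACEV2.dll or the Metasploit module, here is the path check an extractor needs before writing any entry. The module and method names are hypothetical, and the entry names in the comments are constructed.

```ruby
# Added example (not from WinRAR or Metasploit): validate an archive entry name
# before extraction so it can only land inside the destination directory.
# Module and method names are hypothetical.
module SafeExtract
  class UnsafeEntry < StandardError; end

  # Returns the absolute path where entry_name may be written under dest_root,
  # or raises UnsafeEntry. Rejects NUL bytes, absolute and UNC paths, drive
  # letters, and ".." components, and treats "\" and "/" as equivalent
  # separators because the archive may have been built on either platform.
  def self.resolve(dest_root, entry_name)
    raise UnsafeEntry, 'NUL byte in entry name' if entry_name.include?("\0")

    name = entry_name.tr('\\', '/')
    # "/etc/x" and UNC "//server/share/x" both start with "/" after tr.
    raise UnsafeEntry, 'absolute path' if name.start_with?('/')
    # "C:evil.exe" and "C:/Users/..." escape via a Windows drive letter.
    raise UnsafeEntry, 'drive letter' if name.match?(/\A[A-Za-z]:/)

    parts = name.split('/').reject { |p| p.empty? || p == '.' }
    raise UnsafeEntry, 'empty entry name' if parts.empty?
    raise UnsafeEntry, 'parent-directory traversal' if parts.include?('..')

    root = File.expand_path(dest_root)
    target = File.expand_path(File.join(root, *parts))
    # Belt and braces: whatever the components were, the result must stay
    # under root (compare with a trailing separator so "/tmp/out2" is not
    # mistaken for a child of "/tmp/out").
    unless target.start_with?(root + File::SEPARATOR)
      raise UnsafeEntry, 'entry escapes destination'
    end
    target
  end

  # Convenience predicate for scanners that only want a verdict per entry,
  # e.g. SafeExtract.safe?('/tmp/out', '../../Startup/evil.exe') #=> false
  def self.safe?(dest_root, entry_name)
    resolve(dest_root, entry_name)
    true
  rescue UnsafeEntry
    false
  end
end
```

The same check is worth running as a triage step over any archive format you accept from untrusted sources: list the entry names first, run each one through `resolve`, and refuse the whole archive if any entry fails, rather than extracting the good ones and hoping the bad one errors out.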
New modules (4)
- Atlassian Confluence Template Injection by rrockru, which exploits CVE-2019-3396
- RARLAB WinRAR ACE Format Input Validation Remote Code Execution by ide0x90, which exploits CVE-2018-20250
- SystemTap MODPROBE_OPTIONS Privilege Escalation by bcoles, which exploits CVE-2010-4170
- Ruby on Rails "DoubleTap" Directory Traversal by cbrnrd, which exploits CVE-2019-5418
Enhancements and features
- PR #11753 by bcoles updates description and tested version information for glibc_origin_expansion_priv_esc.
- PR #11765 by jrobles-r7 updates NUUO mixin and moves implementation to Rex.
- PR #11771 by acammack-r7 forces UTF-8 for more module metadata fields.
- PR #11766 by zeroSteiner improves handling of spaces in tab completion.
- PR #11769 by wvu makes sure Notes fields show up when using the
- PR #11768 by wvu implements faster compatible payload logic.
- PR #11764 by bcoles updates tested versions information for xor_x11_suid_server module.
- PR #11722 by h00die expands password hash identification library.
- PR #11737 by h00die stores password in database for osx/gather/password_prompt_spoof.
- PR #11759 by bcoles updates module documentation for systemtap_modprobe_options_priv_esc.
- PR #11747 by bcoles updates tested versions information for abrt_raceabrt_priv_esc.
Bugs fixed
- #11763 fixes AKA references array for rails_doubletap module
- #11760 fixes URL and restores module_metadata_base.json
As always, you can update to the latest Metasploit Framework with
and you can get more details on the changes since the last blog post from
We recently announced the release of Metasploit 5. You can get it by cloning the Metasploit Framework repo (master branch). To install fresh without using git, you can use the open-source-only Nightly Installers or the binary installers (which also include the commercial editions).