This week's Metasploit wrap-up ships a new exploit module against Nostromo, a directory traversal vulnerability that allows system commands to be executed remotely. Also, improvements have been made for the grub_creds module for better post exploitation experience against Unix-like machines. Plus a few bugs that have been addressed, including the
-s option for NOPs generation, the meterpreter prompt, and reverse_tcp hanging due to newer Ruby versions.
New modules (1)
- Nostromo Directory Traversal Remote Command Execution by Quentin Kaiser and sp0re, which exploits CVE-2019-16278
Enhancements and features
- PR #12491 by Christophe De La Fuente, updates the .mailmap file.
- PR #12513 by ducksecops, updates Metasploit's docker file to Alpine 3.10 with Ruby 2.6.5.
- PR #12505 by Brent Cook, enhances grub_creds module from grub_password module
- PR #12467 by nil0x42, fixes the -s option that is ignored in nops' generate command.
- PR #12482 by zeroSteiner, fixes the default meterpreter prompt.
- PR #12500 by bcoles, fixes a couple of modules that use #second instead of #message.
- PR #12502 by Brent Cook, fixes process migration on reverse_tcp meterpreter sessions with newer Ruby.
As always, you can update to the latest Metasploit Framework with
and you can get more details on the changes since the last blog post from
We recently announced the release of Metasploit 5. You can get it by cloning
the Metasploit Framework repo (master branch). To install fresh without using git,
you can use the open-source-only Nightly Installers or the binary installers
(which also include the commercial editions).