Ricoh Privilege Escalation
No ink? No problem. Here's some SYSTEM access. A new module by our own space-r7 has been added to Metasploit Framework this week that adds a privilege escalation exploit for various Ricoh printer drivers on Windows systems. This module takes advantage of CVE-2019-19363 by overwriting the DLL file within c:\ProgramData\RICOH_DRV with a malicious DLL in order to inherit SYSTEM privileges from the PrintIsolationHost.exe process that loads the file. Please keep in mind that multiple runs may be required, given that successful exploitation is time sensitive.
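The root cause described above is a DLL that a low-privilege user can replace under a directory later loaded by a SYSTEM process. As an added defender-side check (not part of the Metasploit module or the Ricoh driver), the script below audits the ACLs on that directory and its DLLs and reports any entry that grants write, modify or delete rights to a broad principal. The directory path comes from the post; the list of low-privilege principals is an assumption you may need to extend for your environment.

```powershell
# Added audit script; assumes the driver directory named in the post.
$DriverDir = 'C:\ProgramData\RICOH_DRV'
# Assumed set of broad, low-privilege principals to flag (extend as needed).
$LowPrivPrincipals = @(
    'Everyone',
    'BUILTIN\Users',
    'NT AUTHORITY\Authenticated Users',
    'NT AUTHORITY\INTERACTIVE'
)
# Rights that let a user replace or rewrite a file (or delete and recreate it).
$WriteMask = [System.Security.AccessControl.FileSystemRights]::Write -bor
             [System.Security.AccessControl.FileSystemRights]::WriteData -bor
             [System.Security.AccessControl.FileSystemRights]::Modify -bor
             [System.Security.AccessControl.FileSystemRights]::Delete -bor
             [System.Security.AccessControl.FileSystemRights]::FullControl

function Find-WeakDllAcl {
    param([string]$Path)
    if (-not (Test-Path -LiteralPath $Path)) {
        Write-Warning "$Path is not present on this host"
        return
    }
    # Audit the directory itself as well: a writable directory allows
    # deleting a DLL and dropping a new one with the same name.
    $items = @(Get-Item -LiteralPath $Path) +
             @(Get-ChildItem -LiteralPath $Path -Recurse -File -Include *.dll)
    foreach ($item in $items) {
        $acl = Get-Acl -LiteralPath $item.FullName
        foreach ($ace in $acl.Access) {
            if ($ace.AccessControlType -ne 'Allow') { continue }
            if ($LowPrivPrincipals -notcontains $ace.IdentityReference.Value) { continue }
            # Note: generic rights (shown as large integers) are not decoded here.
            if (([int]$ace.FileSystemRights -band [int]$WriteMask) -eq 0) { continue }
            [pscustomobject]@{
                Path      = $item.FullName
                Principal = $ace.IdentityReference.Value
                Rights    = $ace.FileSystemRights
                Inherited = $ace.IsInherited
            }
        }
    }
}

# Any row printed is a path a standard user could overwrite before
# PrintIsolationHost.exe loads it; tighten the ACL or update the driver.
Find-WeakDllAcl -Path $DriverDir | Format-Table -AutoSize
```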
OpenSMTPD MAIL FROM RCE
An exciting new module by wvu-r7 was landed for OpenSMTPD, OpenBSD's mail server, that exploits a command injection in the MAIL FROM field during SMTP interaction with OpenSMTPD to execute code as the root user. Along with this module, he added the Expect mixin, which can be found here.
Anviz CrossChex Buffer Overflow
Anviz CrossChex is a personnel identity verification, access control, and time attendance management system, and our first module for CrossChex has been added by adamgalway-r7, which takes advantage of CVE-2019-12518. This new module waits for a given number of seconds (TIMEOUT) for the CrossChex broadcast looking for new devices and returns a custom packet, triggering a buffer overflow. Because both exploit and payload must be contained in a single UDP packet, there is a limitation on the size of the payload.
New modules (5)
- OpenSMTPD MAIL FROM Remote Code Execution by wvu, Qualys, and RageLtMan, which exploits CVE-2020-7247
- WordPress InfiniteWP Client Authentication Bypass by wvu and WebARX
- Ricoh Driver Privilege Escalation by Alexander Pudwill, Pentagrid AG, and Shelby Pace, which exploits CVE-2019-19363
- Anviz CrossChex Buffer Overflow by Luis Catarino, Pedro Rodrigues, adfoster-r7, and agalway-r7, which exploits CVE-2019-12518
- Windows Gather TeamViewer Passwords by Nic Losby, which exploits CVE-2019-18988
Enhancements and features
- PR #12917 by wvu-r7 adds executable permission (chmod +x) to
- PR #12927 by zeroSteiner fixes the usage of getsockname / getlocalname for the SOCKS5 server.
As always, you can update to the latest Metasploit Framework with msfupdate, and you can get more details on the changes since the last blog post from GitHub:
If you are a git user, you can clone the Metasploit Framework repo (master branch) for the latest. To install fresh without using git, you can use the open-source-only Nightly Installers or the binary installers (which also include the commercial edition).