Metasploit kicked November off to a roaring start with a wholesome dose of RCE, LPE, command injection, DoS, and more fixes/improvements.

So many file choosers…but which one to choose?

Big ups to @RootUP for the DoS module targeting a vulnerability in IBM’s Lotus Notes client (CVE-2017-1130). The DoS module targets the web interface via malicious JavaScript (😱). An enterprising ‘sploiter can share a URL with the injected code that triggers not one, not two, not even three…but uncountably-infinitely-many file chooser dialogs (no human can cancel them fast enough!). This in turn hangs the app, rendering it unusable. I heard you like file choosers…

CVE-2017-8464: The Local Privilege Escalation Version

@zeroSteiner extended the original fileformat exploit for CVE-2017-8464 to add a local privilege escalation version. The module drops a specially-crafted LNK file and DLL to disk, causing SearchProtocolHost.exe to parse the LNK, which in turn loads the DLL. Since SearchProtocolHost.exe runs as SYSTEM, this can be used to elevate privileges.

Mako Server v2.5 Command Injection

@shogunlab upped his Ruby programming/Framework game with a command injection module for Mako Server (a compact application and web server ideal for embedded systems). The module exploits an OS command injection vulnerability in the tutorial page of Mako Server version 2.5 on both Windows x86 and x64 systems. A user can inject arbitrary OS commands into the page through a PUT request to save.lsp. The input is saved on the target machine and can then be executed via a GET request to manage.lsp.

Geutebrueck GCore video management RCE

@m4p0’s RCE buffer overflow module for Geutebrueck GCore has landed after months of working with @h00die and @bcoles on refinement. This exploit achieves full remote code execution with SYSTEM-level privileges on Windows (Win 2012R2, Win8.1, ...). Thank you to authors Luca Cappiello and Maurice Popp, as well as everyone involved!

Fix for recv failure in various payload transports

Bug fixes seldom get the spotlight they deserve, but this week’s fix in payloads from the man-with-the-plan @busterb is one to certainly phone home about. This fix resolves an issue where the packet dispatcher can end up in an infinite loop while attempting to receive packets on closed transports. The issue was manifesting itself in various areas, most notably in migration. @OJ and @wwebb-r7 tried and tried to break @busterb’s fix, but their efforts were futile; the code was rock solid.
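The failure mode described above, as an added illustration that is not Metasploit's own dispatcher code: a receive loop that treats only a `None` result as end-of-stream spins forever once the peer goes away, because a closed stream socket makes `recv()` return an empty byte string rather than raising. The hardened loop treats an empty read (or a socket error) as "transport closed" and exits. The socket pair and the sample packet are constructed for the demo, and the iteration cap exists only so the buggy loop terminates instead of hanging.

```python
import socket

# Guard so the deliberately buggy loop cannot hang this demonstration.
MAX_ITER = 1000


def naive_dispatch(sock, max_iter=MAX_ITER):
    """Buggy receive loop: only a None result counts as 'done'.

    A stream socket never returns None; once the peer closes, recv()
    returns b'' on every call, so this loop spins until the cap.
    """
    packets = []
    iterations = 0
    while iterations < max_iter:
        iterations += 1
        data = sock.recv(4096)
        if data is None:  # never true for a socket
            break
        packets.append(data)
    return packets, iterations


def robust_dispatch(sock, max_iter=MAX_ITER):
    """Fixed receive loop: empty read or socket error means the transport is gone."""
    packets = []
    iterations = 0
    while iterations < max_iter:
        iterations += 1
        try:
            data = sock.recv(4096)
        except OSError:  # reset, closed descriptor, etc.
            break
        if not data:  # b'' is the peer-closed signal for stream sockets
            break
        packets.append(data)
    return packets, iterations


def run_demo(dispatcher):
    """Send one constructed packet, close the sending side, then run the dispatcher
    on the receiving side and report (packets, iterations it took to stop)."""
    sender, receiver = socket.socketpair()  # constructed local transport
    try:
        sender.sendall(b"\x00\x00\x00\x05hello")  # constructed sample packet
        sender.close()  # simulate the transport closing under the dispatcher
        return dispatcher(receiver)
    finally:
        receiver.close()


if __name__ == "__main__":
    _, spins = run_demo(naive_dispatch)
    print(f"naive loop stopped only at the cap: {spins} iterations")
    got, spins = run_demo(robust_dispatch)
    print(f"robust loop stopped after {spins} iterations, received {b''.join(got)!r}")
```

The fix is a single condition, but it is the difference between a dispatcher that notices a dead transport and one that burns CPU forever; any receive loop in a protocol handler should have the same `if not data` check.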

Get it

As always, you can update to the latest Metasploit Framework by simply updating to the latest version provided by BlackArch Linux, Kali Linux, or Metasploit Pro, or you can avail yourself of the handy msfupdate command available in the Nightly Installers.

You can get more details on the changes since the last wrapup here at:

To install fresh, you can use the:

Want a fresh wrapup in your RSS feed every week? You’re in luck.