Ricoh Privilege Escalation

No ink? No problem. Here’s some SYSTEM access. A new module by our own space-r7 has been added to Metasploit Framework this week that adds a privilege escalation exploit for various Ricoh printer drivers on Windows systems. This module takes advantage of CVE-2019-19363 by overwriting the DLL file within c:\ProgramData\RICOH_DRV with a malicious DLL in order to inherit SYSTEM privileges from the PrintIsolationHost.exe process that loads the file. Please keep in mind that multiple runs may be required, since successful exploitation is time-sensitive.
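The root cause described above is a driver data directory that low-privilege users can write to while a SYSTEM process loads DLLs from it. The following PowerShell check is an added example for defenders (it is not part of the Metasploit module or of Rapid7's post): it inspects the ACL on the directory named above and reports any allow entries that grant write-type rights to broad principals, then lists the DLLs under that tree so their timestamps can be compared against the driver install date. The list of "broad" principals is an assumption for this example; extend it with any local groups that stand in for ordinary users in your environment.

```powershell
# Added example, not code from the Metasploit module or Rapid7's post.
# Flags write-capable ACEs for broad principals on the Ricoh driver data
# directory. Such an ACE is what lets a standard user replace the DLL that
# PrintIsolationHost.exe later loads with SYSTEM privileges.
$Path = 'C:\ProgramData\RICOH_DRV'   # directory named in the post; adjust if your install differs

if (-not (Test-Path -LiteralPath $Path)) {
    Write-Output "$Path not present; no Ricoh driver data directory to check."
    return
}

# Any of these rights lets a principal create or replace files in the directory.
$WriteMask = [System.Security.AccessControl.FileSystemRights]::Write -bor
             [System.Security.AccessControl.FileSystemRights]::Modify -bor
             [System.Security.AccessControl.FileSystemRights]::FullControl

# Assumed list of principals that should never hold write rights on
# content a SYSTEM process loads; add local groups as appropriate.
$BroadPrincipals = @(
    'Everyone',
    'BUILTIN\Users',
    'NT AUTHORITY\Authenticated Users',
    'NT AUTHORITY\INTERACTIVE'
)

$Acl = Get-Acl -LiteralPath $Path
$Findings = foreach ($Ace in $Acl.Access) {
    # Only Allow entries matter; Deny entries restrict rather than grant.
    if ($Ace.AccessControlType -ne 'Allow') { continue }
    # Skip entries that carry no write-type bit at all.
    if (([int]$Ace.FileSystemRights -band [int]$WriteMask) -eq 0) { continue }
    if ($BroadPrincipals -contains $Ace.IdentityReference.Value) {
        [pscustomobject]@{
            Principal = $Ace.IdentityReference.Value
            Rights    = $Ace.FileSystemRights
            Inherited = $Ace.IsInherited
            AppliesTo = $Ace.InheritanceFlags
        }
    }
}

if ($Findings) {
    Write-Output "Broad principals with write access on $Path :"
    $Findings | Format-Table -AutoSize
    # DLLs in this tree are the files a planted copy would replace; unexpected
    # LastWriteTime values relative to the driver install are worth a look.
    Write-Output 'DLLs under the directory:'
    Get-ChildItem -LiteralPath $Path -Recurse -Filter '*.dll' |
        Select-Object FullName, LastWriteTime |
        Format-Table -AutoSize
} else {
    Write-Output "No broad write access found on $Path."
}
```

Run it from an elevated prompt on a host that has the Ricoh driver installed; an empty finding list means the directory ACL no longer offers the write primitive the module relies on, while any reported entry is a reason to tighten the ACL to administrators and SYSTEM and to apply the vendor fix for CVE-2019-19363.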

OpenSMTPD MAIL FROM RCE

An exciting new module by wvu-r7 was landed for OpenSMTPD, OpenBSD’s mail server, that exploits a command injection in the MAIL FROM field during the SMTP exchange with OpenSMTPD to execute code as the root user. Along with this module, he also added an Expect mixin, which can be found here.

Anviz CrossChex Buffer Overflow

Anviz CrossChex is a personnel identity verification, access control, and time attendance management system, and our first module for CrossChex has been added by adamgalway-r7, taking advantage of CVE-2019-12518. This new module waits a given number of seconds (TIMEOUT) for the CrossChex broadcast that looks for new devices and answers it with a custom packet, triggering a buffer overflow. Because both exploit and payload must fit in a single UDP packet, there is a limit on the size of the payload.

New modules (5)

Enhancements and features

Bugs fixed

  • PR #12917 by wvu-r7 adds executable permission (chmod +x) to tools/dev/msftidy_docs.rb.
  • PR #12927 by zeroSteiner fixes the usage of getsockname / getlocalname for the SOCKS5 server.

Get it

As always, you can update to the latest Metasploit Framework with msfupdate and you can get more details on the changes since the last blog post from GitHub:

If you are a git user, you can clone the Metasploit Framework repo (master branch) for the latest. To install fresh without using git, you can use the open-source-only Nightly Installers or the binary installers (which also include the commercial edition).