Our very own zeroSteiner added a new module, which exploits insufficient access control in Dell's dbutil_2_3.sys firmware update driver included in the Dell BIOS Utility that comes pre-installed on most Dell Windows machines. The driver accepts Input/Output Control (IOCTL) requests without ACL requirements, allowing non-privileged users to perform memory read and write operations via the memmove function. This module exploits the arbitrary read/write vulnerability to perform local kernel-mode privilege escalation using the same token upgrade technique developed for the Win32k ConsoleControl Offset Confusion exploit. The exploit needs to be run from within at least a Medium integrity process to be successful, and any invalid read/write addresses will result in an immediate blue screen. The module has been tested on Windows versions 1803 through 20H2.
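For defenders, the practical question after reading the above is whether the dbutil_2_3.sys driver is present on a given host at all. The following PowerShell is an added example, not code from the original post or from the Metasploit module: it searches a few assumed drop locations on disk for the driver file, reports its signature status and SHA-256 so the copy can be compared against the vendor's advisory, and checks whether a kernel driver service references the file. Only the driver name comes from the post; the search paths are assumptions and should be adjusted for your environment.

```powershell
# Added example (not from the Metasploit post or module): inventory a host for the
# Dell dbutil_2_3.sys driver discussed above. Run from an elevated prompt so that
# every directory and the driver service list are readable.

$driverName = 'dbutil_2_3.sys'

# Assumed locations where the Dell BIOS utility may leave the driver; adjust as needed.
$searchRoots = @(
    "$env:SystemRoot\Temp",
    "$env:SystemRoot\System32\drivers",
    "$env:SystemDrive\Users"      # covers per-user temp directories (assumed)
)

# 1. Look for copies of the driver file on disk.
$found = foreach ($root in $searchRoots) {
    if (Test-Path -Path $root) {
        Get-ChildItem -Path $root -Filter $driverName -Recurse -File -ErrorAction SilentlyContinue
    }
}

# 2. Check whether a kernel driver service (loaded or not) points at the file.
$services = Get-CimInstance -ClassName Win32_SystemDriver -ErrorAction SilentlyContinue |
    Where-Object { $_.PathName -and $_.PathName -match [regex]::Escape($driverName) }

foreach ($file in $found) {
    $sig  = Get-AuthenticodeSignature -FilePath $file.FullName
    $hash = (Get-FileHash -Path $file.FullName -Algorithm SHA256).Hash
    Write-Output ("File present: {0} | signature={1} | sha256={2}" -f $file.FullName, $sig.Status, $hash)
}

foreach ($svc in $services) {
    Write-Output ("Driver service '{0}' state={1} started={2} path={3}" -f $svc.Name, $svc.State, $svc.Started, $svc.PathName)
}

if (-not $found -and -not $services) {
    Write-Output "$driverName not found on disk in the searched roots and not registered as a driver service."
}
```

A registered or running service entry is the more important signal: a stray copy of the file on disk cannot be talked to, but a loaded instance exposes the IOCTL interface the post describes to every local user.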
Metasploit contributor jheysel-r7 added a new exploit module that leverages TokenMagic to elevate privileges and execute code as SYSTEM. This module can either be used to spawn a malicious service on a target system using the TokenMagic High IL, or it can be used to write a System32 DLL that is vulnerable to hijacking. The service method has been tested against Windows 7, 8.1, and 10 (1511, 1803). The DLL method has been tested against Windows 10 (1703, 1803). Affected systems can be exploited either via a DLL hijacking vulnerability affecting Windows 10 build 15063 up to build 17134 inclusive, or by creating a new service on the target system.

The auxiliary/client/telegram/send_message.rb module has been updated to support sending documents, as well as sending documents and/or messages to multiple chat IDs.

auxiliary/scanner/http/wordpress_scanner

The exploit/multi/http/gitlab_file_read_rce module has been updated to provide additional information on how to set GitLab up with an SSL certificate for encrypted communications, allowing users to easily test scenarios in which an encrypted GitLab connection might be needed.

A bug in the msfdb script that prevented users from running it if they installed Metasploit into a location whose path contained spaces has been fixed.

The exploit/multi/http/gitlab_file_read_rce module has been updated to allow it to target vulnerable GitLab servers where TLS is enabled.

msfdb has been updated to use the passed-in SSL key path (if provided) instead of the default one at ~/.msf4/msf-ws-key.pem, which may not exist if users have passed in an SSL key path as an option.

As always, you can update to the latest Metasploit Framework with msfupdate
and you can get more details on the changes since the last blog post from GitHub. If you are a git user, you can clone the Metasploit Framework repo (master branch) for the latest. To install fresh without using git, you can use the open-source-only Nightly Installers or the binary installers (which also include the commercial edition).