National Cyber Warfare Foundation (NCWF)

Metasploit Weekly Wrap-Up 08 30 2024


2024-08-30 18:49:28
milo
Red Team (CNA)


A New Way to Encode PHP Payloads



A new PHP encoder has been released by a community contributor, jvoisin, allowing a PHP payload to be encoded as an ASCII-Hex string. This can then be decoded on the receiver to prevent issues with unescaped or bad characters.
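An added example (not code from Metasploit or from jvoisin's php/hex encoder) showing the ASCII-hex scheme from both sides: a small encoder that wraps a PHP stage so that only [0-9a-f] appears in the quoted body, and an analyst-side decoder that finds such stubs in PHP source and recovers the plaintext. The stub shape eval(hex2bin('...')), optionally wrapped in gzuncompress() or gzinflate(), is an assumption about how such an encoder is typically wrapped, and the sample stage is constructed.

```python
import re
import zlib

# Assumed stub shape: eval(hex2bin('...')), optionally wrapped in
# gzuncompress() (PHP zlib format) or gzinflate() (raw deflate).
STUB = re.compile(
    rb"eval\((?:(gzuncompress|gzinflate)\()?hex2bin\('([0-9a-fA-F]+)'\)\)?\)"
)


def hex_encode_php(stage: bytes, compress: bool = False) -> bytes:
    """Wrap a PHP stage in a hex stub; the quoted body is [0-9a-f] only."""
    body = zlib.compress(stage) if compress else stage
    inner = b"hex2bin('" + body.hex().encode() + b"')"
    if compress:
        inner = b"gzuncompress(" + inner + b")"
    return b"<?php eval(" + inner + b"); ?>"


def stub_body_is_clean(stub: bytes, badchars: bytes) -> bool:
    """True when none of badchars occurs inside the stub's hex body."""
    m = STUB.search(stub)
    return m is not None and not any(b in m.group(2) for b in badchars)


def decode_hex_stubs(php_source: bytes) -> list:
    """Analyst side: return the plaintext of every hex stub in php_source."""
    found = []
    for wrapper, hexdata in STUB.findall(php_source):
        raw = bytes.fromhex(hexdata.decode())
        if wrapper == b"gzuncompress":
            raw = zlib.decompress(raw)        # PHP gzcompress() output
        elif wrapper == b"gzinflate":
            raw = zlib.decompress(raw, -15)   # PHP gzdeflate() output
        found.append(raw)
    return found


# Constructed, benign sample stage; the single quotes are the kind of
# character a plain encoder has to escape, but here they never reach the body.
SAMPLE_STAGE = b"echo 'hi'; phpinfo();"

if __name__ == "__main__":
    for compress in (False, True):
        stub = hex_encode_php(SAMPLE_STAGE, compress)
        print(stub)
        print(decode_hex_stubs(stub))
```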


Ray Vulnerabilities


This release of Metasploit Framework also features 3 new modules targeting Ray (ray.io), a framework for distributing AI-related workloads across multiple machines, which makes it an excellent exploitation target. These modules can perform arbitrary file reads, remote code execution and command injection, making them a great all-round addition to a penetration testing workflow.


The vulnerabilities for which modules are provided are:

  • CVE-2023-6020 (Ray static arbitrary file read)

  • CVE-2023-48022 (Ray Agent Job RCE)

  • CVE-2023-6019 (Ray cpu_profile command injection)

New module content (9)


Control iD iDSecure Authentication Bypass (CVE-2023-6329)


Authors: Michael Heinzl and Tenable

Type: Auxiliary

Pull request: #19380 contributed by h4x-x0r

Path: admin/http/idsecure_auth_bypass

AttackerKB reference: CVE-2023-6329


Description: Adds an auxiliary module targeting CVE-2023-6329, an improper access control vulnerability, which allows an unauthenticated user to compute valid credentials and to add a new administrative user to the web interface of Control iD iDSecure <= v4.7.43.0.


Ivanti Virtual Traffic Manager Authentication Bypass (CVE-2024-7593)


Authors: Michael Heinzl, mxalias, and ohnoisploited

Type: Auxiliary

Pull request: #19386 contributed by h4x-x0r

Path: admin/http/ivanti_vtm_admin

AttackerKB reference: CVE-2024-7593


Description: Adds an exploit targeting CVE-2024-7593, an improper access control vulnerability in Ivanti Virtual Traffic Manager (vTM). It allows an unauthenticated remote attacker to add a new administrative user to the web interface of the product in versions before 22.7R2.


Ray static arbitrary file read


Authors: Takahiro Yokoyama, byt3bl33d3r, and danmcinerney

Type: Auxiliary

Pull request: #19363 contributed by Takahiro-Yoko

Path: gather/ray_lfi_cve_2023_6020

AttackerKB reference: CVE-2023-6020


Description: The auxiliary module allows reading files on the remote system through a local file inclusion vulnerability.


PHP Hex Encoder


Author: Julien Voisin

Type: Encoder

Pull request: #19420 contributed by jvoisin

Path: php/hex


Description: This adds an ASCII-hex encoder for PHP with optional compression.


Ray Agent Job RCE


Authors: Takahiro Yokoyama, byt3bl33d3r, and sierrabearchell

Type: Exploit

Pull request: #19363 contributed by Takahiro-Yoko

Path: linux/http/ray_agent_job_rce

AttackerKB reference: CVE-2023-48022


Description: This exploit module allows for arbitrary code execution on the target.


Ray cpu_profile command injection


Authors: Takahiro Yokoyama, byt3bl33d3r, and sierrabearchell

Type: Exploit

Pull request: #19363 contributed by Takahiro-Yoko

Path: linux/http/ray_cpu_profile_cmd_injection_cve_2023_6019

AttackerKB reference: CVE-2023-6019


Description: This exploit module allows for command injection to be performed on the target.


GiveWP Unauthenticated Donation Process Exploit


Authors: EQSTSeminar, Julien Ahrens, Valentin Lobstein, and Villu Orav

Type: Exploit

Pull request: #19424 contributed by Chocapikk

Path: multi/http/wp_givewp_rce

AttackerKB reference: CVE-2024-5932


Description: Adds a new module, exploits/multi/http/wp_givewp_rce, which targets CVE-2024-5932, a critical RCE vulnerability in the WordPress GiveWP plugin (up to version 3.14.1).


pgAdmin Binary Path API RCE


Authors: Ayoub Mokhtar, M.Selim Karahan, and Mustafa Mutlu

Type: Exploit

Pull request: #19422 contributed by igomeow

Path: windows/http/pgadmin_binary_path_api

AttackerKB reference: CVE-2024-3116


Description: Adds a new module targeting all versions of pgAdmin up to 8.4 which exploits CVE-2024-3116, a Remote Code Execution (RCE) flaw in the validate binary path API.


Gather electerm Passwords


Author: Kali-Team

Type: Post

Pull request: #19395 contributed by cn-kali-team

Path: multi/gather/electerm


Description: Adds a post module to gather passwords and saved session information stored in the Electerm program.


Enhanced Modules (2)


Modules which have either been enhanced, or renamed:



  • #19393 from jheysel-r7 - Adds a patch bypass for CVE-2024-32113 (the original vulnerability this module exploited). The patch released in 18.12.14 prevents the Path Traversal vulnerability from being exploited; however, it was later disclosed that the vulnerable endpoint was accessible all along, without the need for the Path Traversal. CVE-2024-38856 was therefore issued as an Incorrect Authorization, which was patched in version 18.12.15.

  • #19417 from Chocapikk - The new PHP filter chain evaluates a POST parameter, which simplifies the process and reduces the payload size enabling the module to send the entire payload in one POST request instead of writing the payload to a file character by character over many POST requests. Support for both Windows and Linux Meterpreter payloads, not just PHP Meterpreter, has also been added.


Enhancements and features (3)



  • #19377 from jvoisin - Not written.

  • #19409 from jvoisin - This adds additional fingerprinting checks to the existing post/linux/gather/checkvm module to more accurately identify VMs.

  • #19415 from zeroSteiner - Changes the output of the ldap_esc_vulnerable_cert_finder to be more useful, including display changes favoring useful templates and including an explanation of why a template may be vulnerable.


Bugs fixed (4)



  • #19241 from zgoldman-r7 - Replaced the usage of a deprecated Ruby method to fix crashing modules.

  • #19376 from jvoisin - This fixes the php/base64 encoder, which was previously generating PHP payloads that failed when run due to the way single quotes were being inserted into the payload.

  • #19411 from dledda-r7 - Fixes a crash in Metasploit's RPC layer when calling module.results when a nil module result was present.

  • #19421 from zeroSteiner - This updates the windows/fileformat/adobe_pdf_embedded_exe exploit to declare that it is compatible with both ARCH_X86 and ARCH_X64 payloads, since it just generates an EXE.


Documentation


You can find the latest Metasploit documentation on our docsite at docs.metasploit.com.


Get it


As always, you can update to the latest Metasploit Framework with msfupdate and you can get more details on the changes since the last blog post from GitHub:


If you are a git user, you can clone the Metasploit Framework repo (master branch) for the latest. To install fresh without using git, you can use the open-source-only Nightly Installers or the commercial edition Metasploit Pro.






Source: Rapid7
Source Link: https://blog.rapid7.com/2024/08/30/metasploit-weekly-wrap-up-08-30-2024/




