Category: Metasploit Weekly Wrapup

SPIP Modules

This week brings more modules targeting the SPIP publishing platform. SPIP has gained some attention from Metasploit community contributors recently and has inspired some PHP payload and encoder improvements.

New module content (2)

SPIP BigUp Plugin Unauthenticated RCE

Authors: Julien Voisin, Laluka, Valentin Lobstein, and Vozec
Type: Exploit
Pull request: #19444 contributed by Chocapikk
Path: multi/http/spip_bigup_unauth_rce
AttackerKB reference: CVE-2024-8517

Description: This adds an exploit module for CVE-2024-8517, an unauthenticated RCE able to execute arbitrary PHP code.

SPIP connect Parameter PHP Injection

Authors: Arnaud Pachot, Davy Douhine, Frederic Cikala, and Valentin Lobstein
Type: Exploit
Pull request: #19432 contributed by Chocapikk
Path: multi/http/spip_connect_exec
CVE reference: BID-54292

Description: Refactor SPIP Modules for Windows Compatibility and Incorporating SPIP Mixin.

Enhancements and features (3)

• #19330 from heyder - The start_service method in the http_server.rb library now allows users to specify their SSL preferences directly through the opts parameter. If the ssl option is not provided in opts, it will default to the value in datastore["SSL"].
• #19352 from zgoldman-r7 - Adjusts the metadata for the ldap login scanner, adding defaults and adjusting the service and protocol values.
• #19432 from Chocapikk - Refactor SPIP Modules for Windows Compatibility and Incorporating SPIP Mixin.

Bugs fixed (1)

• #19439 from bcoles - This explicitly defines x86 and x64 as supported architectures for the bypassuac_comhijack module. Prior to this change there were no defined architectures and if you tried to use an x64 based payload the module would fail.

Documentation

You can find the latest Metasploit documentation on our docsite at docs.metasploit.com.

Get it

As always, you can update to the latest Metasploit Framework with msfupdate
and you can get more details on the changes since the last blog post from
GitHub:

• Pull Requests 6.4.25...6.4.26
• Full diff 6.4.25...6.4.26

If you are a git user, you can clone the Metasploit Framework repo (master branch) for the latest.
To install fresh without using git, you can use the open-source-only Nightly Installers or the
commercial edition Metasploit Pro

Honey, I shrunk the PHP payloads

This release contains more PHP payload improvements from Julien Voisen. Last week we landed a PR from Julien that added a datastore option to the php/base64 encoder that when enabled, will use zlib to compress the payload which significantly reduced the size, bringing a payload of 4040 bytes down to a mere 1617 bytes. This week's release includes a php/minify encoder which removes all unnecessary characters from the payload including comments, empty lines, leading spaces, trailing spaces, spaces after keywords and spaces before block openings. Using the php/minify encoder can take a payload of size 4052 bytes down to 2839 bytes. We'd like to thank Julien for their continued commitment to improving PHP payloads!

New module content (1)

PHP Minify Encoder

Author: Julien Voisin
Type: Encoder
Pull request: #19435 contributed by jvoisin
Path: php/minify

Description: This encoder minifies PHP payloads by removing spaces after keywords and before block openings. It removes comments, empty lines, new lines and leading and trailing spaces.

Enhancements and features (2)

• #19368 from h00die-gr3y - This adjusts the exploit/multi/http/geoserver_unauth_rce_cve_2024_36401 to dynamically pull and test the feature_type list to establish an RCE. This will make the module more robust towards installations with different feature_type configurations.
• #19401 from jvoisin - Add a mixin to get SPIP version and make use of it.

Bugs fixed (2)

• #19381 from Takahiro-Yoko - This fixes the gitlab_login scanner so that it uses the proper datastore options Username and Password which are the standard for login scanners. Before this fix the scanner was using HttpUsername and HttpPassword and ignoring the datastore options Username and Password.
• #19438 from cgranleese-r7 - Fixes a nil error if login is successful with ldap_login module.

Documentation

You can find the latest Metasploit documentation on our docsite at docs.metasploit.com.

Get it

As always, you can update to the latest Metasploit Framework with msfupdate
and you can get more details on the changes since the last blog post from
GitHub:

• Pull Requests 6.4.24...6.4.25
• Full diff 6.4.24...6.4.25

If you are a git user, you can clone the Metasploit Framework repo (master branch) for the latest.
To install fresh without using git, you can use the open-source-only Nightly Installers or the
commercial edition Metasploit Pro

A New Way to Encode PHP Payloads

A new PHP encoder has been released by a community contributor, jvoisin, allowing a PHP payload to be encoded as an ASCII-Hex string. This can then be decoded on the receiver to prevent issues with unescaped or bad characters.

Ray Vulnerabilities

This release of Metasploit Framework also features 3 new modules to target ray.io, which is a framework for distributing AI-related workloads across multiple machines, which makes it an excellent exploitation target. These modules can perform arbitrary file reads, perform remote code execution and command injection, making them a great all-round addition to a penetration testing workflow.

The vulnerabilities for which modules are provided are:

• CVE-2023-6019
• CVE-2023-6020
• CVE-2023-48022

New module content (9)

Control iD iDSecure Authentication Bypass (CVE-2023-6329)

Authors: Michael Heinzl and Tenable
Type: Auxiliary
Pull request: #19380 contributed by h4x-x0r
Path: admin/http/idsecure_auth_bypass
AttackerKB reference: CVE-2023-6329

Description: Adds an auxiliary module targeting CVE-2023-6329, an improper access control vulnerability, which allows an unauthenticated user to compute valid credentials and to add a new administrative user to the web interface of Control iD iDSecure <= v4.7.43.0.

Ivanti Virtual Traffic Manager Authentication Bypass (CVE-2024-7593)

Authors: Michael Heinzl, mxalias, and ohnoisploited
Type: Auxiliary
Pull request: #19386 contributed by h4x-x0r
Path: admin/http/ivanti_vtm_admin
AttackerKB reference: CVE-2024-7593

Description: Adds an exploit targeting CVE-2024-7593 which is an improper access control vulnerability in Ivanti Virtual Traffic Manager (vTM) . It allows an unauthenticated remote attacker to add a new administrative user to the web interface of the product before 22.7R2.

Ray static arbitrary file read

Authors: Takahiro Yokoyama, byt3bl33d3r marcello@protectai.com, and danmcinerney dan@protectai.com
Type: Auxiliary
Pull request: #19363 contributed by Takahiro-Yoko
Path: gather/ray_lfi_cve_2023_6020
AttackerKB reference: CVE-2023-6020

Description: The auxiliary module allows reading files on the remote system through a local file inclusion vulnerability.

PHP Hex Encoder

Author: Julien Voisin
Type: Encoder
Pull request: #19420 contributed by jvoisin
Path: php/hex

Description: This adds an ascii-hex encoder for PHP with optional compression.

Ray Agent Job RCE

Authors: Takahiro Yokoyama, byt3bl33d3r marcello@protectai.com, and sierrabearchell
Type: Exploit
Pull request: #19363 contributed by Takahiro-Yoko
Path: linux/http/ray_agent_job_rce
AttackerKB reference: CVE-2023-48022

Description: This exploit module allows for arbitrary code execution on the target.

Ray cpu_profile command injection

Authors: Takahiro Yokoyama, byt3bl33d3r marcello@protectai.com, and sierrabearchell
Type: Exploit
Pull request: #19363 contributed by Takahiro-Yoko
Path: linux/http/ray_cpu_profile_cmd_injection_cve_2023_6019
AttackerKB reference: CVE-2023-6019

Description: This exploit module allows for command injection to be performed on the target.

GiveWP Unauthenticated Donation Process Exploit

Authors: EQSTSeminar, Julien Ahrens, Valentin Lobstein, and Villu Orav
Type: Exploit
Pull request: #19424 contributed by Chocapikk
Path: multi/http/wp_givewp_rce
AttackerKB reference: CVE-2024-5932

Description: Adds a new module exploits/multi/http/wp_givewp_rce which targets CVE-2024-5932 - a critical RCE vulnerability in the WordPress GiveWP plugin (up to version 3.14.1).

pgAdmin Binary Path API RCE

Authors: Ayoub Mokhtar, M.Selim Karahan, and Mustafa Mutlu
Type: Exploit
Pull request: #19422 contributed by igomeow
Path: windows/http/pgadmin_binary_path_api
AttackerKB reference: CVE-2024-3116

Description: Adds a new module targeting all versions of PgAdmin up to 8.4 which leverages a Remote Code Execution (RCE) CVE-2024-3116 flaw through the validate binary path API.

Gather electerm Passwords

Author: Kali-Team kali-team@qq.com
Type: Post
Pull request: #19395 contributed by cn-kali-team
Path: multi/gather/electerm

Description: Adds a post module to gather passwords and saved session information stored in the Electerm program.

Enhanced Modules (2)

Modules which have either been enhanced, or renamed:

• #19393 from jheysel-r7 - Adds a patch bypass for CVE-2024-32113 (the original vulnerability this exploited). The patch released in 18.12.14 disallows the Path Traversal vulnerability to be exploited however it was later disclosed that the vulnerable endpoint was accessible all along, without the need for the Path Traversal. And so CVE-2024-38856 was issued as an Incorrect Authorization which was patched in version 18.12.15.
• #19417 from Chocapikk - The new PHP filter chain evaluates a POST parameter, which simplifies the process and reduces the payload size enabling the module to send the entire payload in one POST request instead of writing the payload to a file character by character over many POST requests. Support for both Windows and Linux Meterpreter payloads, not just PHP Meterpreter, has also been added.

Enhancements and features (3)

• #19377 from jvoisin - Not written.
• #19409 from jvoisin - This adds additional fingerprinting checks to the existing post/linux/gather/checkvm module to more accurately identify VMs.
• #19415 from zeroSteiner - Changes the output of the ldap_esc_vulnerable_cert_finder to be more useful, including display changes favoring useful templates and including an explanation of why a template may be vulnerable.

Bugs fixed (4)

• #19241 from zgoldman-r7 - Replaced the usage a deprecated Ruby method to fix crashing modules.
• #19376 from jvoisin - This fixes the php/base64 encoder which was previously generating php payloads that were failing when being being run due to the way single quotes were being inserted into the payload.
• #19411 from dledda-r7 - Fixes a crash in Metasploit's RPC layer when calling module.results when a nil module result was present.
• #19421 from zeroSteiner - This updates the windows/fileformat/adobe_pdf_embedded_exe exploit to define that its compatible with both ARCH_X86 and ARCH_X64 payloads due to it just generating an EXE.

Documentation

You can find the latest Metasploit documentation on our docsite at docs.metasploit.com.

Get it

As always, you can update to the latest Metasploit Framework with msfupdate
and you can get more details on the changes since the last blog post from
GitHub:

• Pull Requests 6.4.23...6.4.24
• Full diff 6.4.23...6.4.24

If you are a git user, you can clone the Metasploit Framework repo (master branch) for the latest.
To install fresh without using git, you can use the open-source-only Nightly Installers or the
commercial edition Metasploit Pro

New module content (3)

Fortra FileCatalyst Workflow SQL Injection (CVE-2024-5276)

Authors: Michael Heinzl and Tenable
Type: Auxiliary
Pull request: #19373 contributed by h4x-x0r
Path: admin/http/fortra_filecatalyst_workflow_sqli
AttackerKB reference: CVE-2024-5276

Description: This adds an auxiliary module to exploit the CVE-2024-5276, a SQL injection vulnerability that allows for adding an arbitrary administration user in the application.

SPIP Unauthenticated RCE via porte_plume Plugin

Authors: Julien Voisin, Laluka, and Valentin Lobstein
Type: Exploit
Pull request: #19394 contributed by Chocapikk
Path: multi/http/spip_porte_plume_previsu_rce

Description: Adds a new exploit/multi/http/spip_porte_plume_previsu_rce SPIP unauthenticated remote code execution (RCE) module targeting SPIP versions up to and including 4.2.12.

DIAEnergie SQL Injection (CVE-2024-4548)

Authors: Michael Heinzl and Tenable
Type: Exploit
Pull request: #19351 contributed by h4x-x0r
Path: windows/scada/diaenergie_sqli
AttackerKB reference: CVE-2024-4548

Description: This adds an exploit module for CVE-2024-4548, an unauthenticated SQL injection vulnerability that allows remote code execution as NT AUTHORITY\SYSTEM.

Bugs fixed (1)

• #19366 from adeherdt-r7 - Updates the Jenkins login scanner to correctly determine whether authentication is required.

Documentation

You can find the latest Metasploit documentation on our docsite at docs.metasploit.com.

Get it

As always, you can update to the latest Metasploit Framework with msfupdate and you can get more details on the changes since the last blog post from GitHub:

• Pull Requests 6.4.22...6.4.23
• Full diff 6.4.22...6.4.23

If you are a git user, you can clone the Metasploit Framework repo (master branch) for the latest.
To install fresh without using git, you can use the open-source-only Nightly Installers or the
commercial edition Metasploit Pro

New module content (3)

Apache HugeGraph Gremlin RCE

Authors: 6right and jheysel-r7
Type: Exploit
Pull request: #19348 contributed by jheysel-r7
Path: linux/http/apache_hugegraph_gremlin_rce
AttackerKB reference: CVE-2024-27348

Description: Adds an Apache HugeGraph Server exploit for GHSA-29rc-vq7f-x335, which is a Remote Code Execution (RCE) vulnerability that exists in Apache HugeGraph Server in versions before 1.3.0. An attacker can bypass the sandbox restrictions and achieve RCE through Gremlin, resulting in complete control over the server.

OpenMetadata authentication bypass and SpEL injection exploit chain

Authors: Alvaro Muñoz alias pwntester (https://github.com/pwntester) and h00die-gr3y h00die.gr3y@gmail.com
Type: Exploit
Pull request: #19347 contributed by h00die-gr3y
Path: linux/http/openmetadata_auth_bypass_rce
AttackerKB reference: CVE-2024-28254

Description: This module chains two vulnerabilities that exist in the OpenMetadata application. The first vulnerability, CVE-2024-28255, bypasses the API authentication using JWT tokens. It misuses the JwtFilter that checks the path of the URL endpoint against a list of excluded endpoints that does not require authentication. By chaining this vulnerability with CVE-2024-28254, that allows for arbitrary SpEL injection at the endpoint.

LG Simple Editor Command Injection (CVE-2023-40504)

Authors: Michael Heinzl and rgod
Type: Exploit
Pull request: #19370 contributed by h4x-x0r
Path: windows/http/lg_simple_editor_rce_uploadvideo
CVE reference: ZDI-23-1208

Description: This adds an exploit module for CVE-2023-40504, a command injection vulnerability in LG Simple Editor application allowing the execution of arbitrary commands as NT AUTHORITY\SYSTEM.

Documentation

You can find the latest Metasploit documentation on our docsite at docs.metasploit.com.

Get it

As always, you can update to the latest Metasploit Framework with msfupdate
and you can get more details on the changes since the last blog post from
GitHub:

• Pull Requests 6.4.21...6.4.22
• Full diff 6.4.21...6.4.22

If you are a git user, you can clone the Metasploit Framework repo (master branch) for the latest.
To install fresh without using git, you can use the open-source-only Nightly Installers or the
commercial edition Metasploit Pro

Black Hat & DEF CON

Hopefully folks were able to catch our Rapid7 researchers @zeroSteiner & Jack Heysel show off the Metasploit 6.4's features, focusing on combinations that allow for new, streamlined attack workflows at Black Hat. If not they will also be demoing at DEF CON tomorrow in room W304!

New module content (1)

Calibre Python Code Injection (CVE-2024-6782)

Authors: Amos Ng and Michael Heinzl
Type: Exploit
Pull request: #19357 contributed by h4x-x0r
Path: multi/misc/calibre_exec
AttackerKB reference: CVE-2024-6782

Description: Adds a module targeting CVE-2024-6782, an unauthenticated Python code injection vulnerability in the Content Server component of Calibre v6.9.0 - v7.14.0. Once enabled (disabled by default), it will listen in its default configuration on all network interfaces on TCP port 8080 for incoming traffic. The injected payload will get executed in the same context under which Calibre is being executed.

Bugs fixed (1)

• #19355 from dledda-r7 - Fixes an issue where Meterpreter sessions would fail to migrate when MeterpreterDebugBuild is enabled.

Documentation

You can find the latest Metasploit documentation on our docsite at docs.metasploit.com.

Get it

As always, you can update to the latest Metasploit Framework with msfupdate
and you can get more details on the changes since the last blog post from
GitHub:

• Pull Requests 6.4.20...6.4.21
• Full diff 6.4.20...6.4.21

If you are a git user, you can clone the Metasploit Framework repo (master branch) for the latest.
To install fresh without using git, you can use the open-source-only Nightly Installers or the
commercial edition Metasploit Pro

Metasploit goes to Hacker Summer Camp

Next week, Metasploit will have demos at both Black Hat and DEF CON where the latest functionality from this year will be presented. The Black Hat demo will be on Thursday the 8th from 10:10 to 11:25 and the DEF CON demo will be on Saturday the 10th from 12:00 to 13:45.

The highlights will include demonstrations of:

• Exploiting unconstrained delegation entirely in Metasploit with the new post/windows/manage/kerberos_tickets module and Pass-the-Ticket support for auxiliary/gather/windows_secrets_dump. Next with secrets in hand, we’ll demonstrate forging tickets using the new diamond and sapphire techniques.
• Using the new LDAP, SMB and MSSQL session types for both interactive exploration and post modules.
• Configuring the latest DNS options for advanced pivoting scenarios.

New module content (2)

OpenMediaVault rpc.php Authenticated Cron Remote Code Execution

Authors: Brandon Perry bperry.volatile@gmail.com and h00die-gr3y h00die.gr3y@gmail.com
Type: Exploit
Pull request: #19298 contributed by h00die-gr3y
Path: unix/webapp/openmediavault_auth_cron_rce
AttackerKB reference: CVE-2013-3632

Description: This adds a new module that leverages a vulnerability in OpenMediaVault versions starting from 1.0 until the recent release 7.4.2-2. This vulnerability (CVE-2013-3632) allows an authenticated user to create cron jobs as root on the system and achieve remote code execution.

mySCADA MyPRO Authenticated Command Injection (CVE-2023-28384)

Author: Michael Heinzl
Type: Exploit
Pull request: #19337 contributed by h4x-x0r
Path: windows/scada/mypro_cmdexe
AttackerKB reference: CVE-2023-28384

Description: This adds an exploit module for CVE-2023-28384, a command injection vulnerability in MySCADA MyPRO versions before and including 2.28 allowing the execution of arbitrary commands as NT AUTHORITY\SYSTEM.

Enhanced Modules (2)

Modules which have either been enhanced, or renamed:

• #19331 from Takahiro-Yoko - This update the linux/http/empire_skywalker exploit module to add a new technique that leverages a path traversal vulnerability in BC Security Empire versions before 5.9.3 (CVE-2024-6127). An attacker can achieve unauthenticated remote code execution over HTTP by acting as a normal agent. It is still possible to use this module with older versions from ProjectEmpire/Empire by setting a specific datastore option.
• #19344 from jheysel-r7 - This updates the windows/http/forticlient_ems_fctid_sqli exploit module to gain code execution on FortiClient EMS FCTID for the affected version within the range 7.2.x.

Documentation

You can find the latest Metasploit documentation on our docsite at docs.metasploit.com.

Get it

As always, you can update to the latest Metasploit Framework with msfupdate
and you can get more details on the changes since the last blog post from
GitHub:

• Pull Requests 6.4.19...6.4.20
• Full diff 6.4.19...6.4.20

If you are a git user, you can clone the Metasploit Framework repo (master branch) for the latest.
To install fresh without using git, you can use the open-source-only Nightly Installers or the
commercial edition Metasploit Pro

New module content (3)

Magento XXE Unserialize Arbitrary File Read

Authors: Heyder and Sergey Temnikov
Type: Auxiliary
Pull request: #19304 contributed by heyder
Path: gather/magento_xxe_cve_2024_34102
AttackerKB reference: CVE-2024-34102

Description: This adds an auxiliary module for an XXE which results in an arbitrary file in Magento which is being tracked as CVE-2024-34102.

Ghostscript Command Execution via Format String

Authors: Christophe De La fuente and Thomas Rinsma
Type: Exploit
Pull request: #19313 contributed by cdelafuente-r7
Path: multi/fileformat/ghostscript_format_string_cve_2024_29510
AttackerKB reference: CVE-2024-29510

Description: This adds an exploit module targeting CVE-2024-29510, a format string vulnerability in Ghostscript versions before 10.03.1 to achieve a SAFER sandbox bypass and execute arbitrary commands.

Softing Secure Integration Server v1.22 Remote Code Execution

Authors: Chris Anastasio (muffin) of Incite Team, Imran E. Dawoodjee imrandawoodjee.infosec@gmail.com, and Steven Seeley (mr_me) of Incite Team
Type: Exploit
Pull request: #19084 contributed by ide0x90
Path: windows/http/softing_sis_rce
CVE reference: ZDI-22-1156

Description: This adds a module targeting CVE-2022-1373 and CVE-2022-2334 as an exploit chain against Softing Secure Integration Server 1.22.

Enhancements and features (2)

• #19338 from adfoster-r7 - Improves error handling and progress tracking in the auxiliary/gather/kerberos_enumusers and gather/asrep modules.
• #19340 from adfoster-r7 - Improve setg SessionLogging support to work with command shells, as well as allowing logging to be turned on/off at any point - not just for newly created sessions.

Documentation

You can find the latest Metasploit documentation on our docsite at docs.metasploit.com.

Get it

As always, you can update to the latest Metasploit Framework with msfupdate
and you can get more details on the changes since the last blog post from
GitHub:

• Pull Requests 6.4.18...6.4.19
• Full diff 6.4.18...6.4.19

If you are a git user, you can clone the Metasploit Framework repo (master branch) for the latest.
To install fresh without using git, you can use the open-source-only Nightly Installers or the
commercial edition Metasploit Pro

The Usual Suspects

This release features two new exploits targeting old friends: Confluence and Ivanti. CVE-2024-21683 is a very easy vulnerability to exploit, but as pointed out in the AttackerKB Review, it requires authentication as a ‘Confluence Administrator.’ On the other hand, CVE-2024-29824 is an unauthenticated SQL Injection in Ivanti Endpoint Manager up to version 2022 SU5 that results in code execution as the NT Service user.

New module content (2)

Atlassian Confluence Administrator Code Macro Remote Code Execution

Authors: Ankita Sawlani, Huong Kieu, W01fh4cker, and remmons-r7
Type: Exploit
Pull request: #19314 contributed by remmons-r7
Path: multi/http/atlassian_confluence_rce_cve_2024_21683
AttackerKB reference: CVE-2024-21683

Description: This adds an exploit for CVE-2024-21683 which is an authenticated RCE in Atlassian Confluence affecting all versions prior to 7.17 and many versions up to 8.9.0.

Ivanti EPM RecordGoodApp SQLi RCE

Authors: Christophe De La Fuente and James Horseman
Type: Exploit
Pull request: #19274 contributed by cdelafuente-r7
Path: windows/http/ivanti_epm_recordgoodapp_sqli_rce
CVE reference: ZDI-24-507

Description: This adds an exploit for CVE-2024-29824, which is unauthenticated SQLi in Ivanti Endpoint Manager 2022 SU5 and prior which can be used to obtain RCE.

Bugs fixed (1)

• #19312 from adfoster-r7 - Fixes a regression issue that caused the Mettle sniffer extension to not correctly load.

Documentation added (2)

• #19301 from adeherdt-r7 - Updates the documentation for setting up developer environments to include running PostgreSQL in a docker container.
• #19315 from h00die - Removes duplicate wording from the setting up a developer environment documentation.

You can always find more documentation on our docsite at docs.metasploit.com.

Get it

As always, you can update to the latest Metasploit Framework with msfupdate
and you can get more details on the changes since the last blog post from
GitHub:

• Pull Requests 6.4.16...6.4.17
• Full diff 6.4.16...6.4.17

If you are a git user, you can clone the Metasploit Framework repo (master branch) for the latest.
To install fresh without using git, you can use the open-source-only Nightly Installers or the
commercial edition Metasploit Pro