Last updated at Fri, 05 Apr 2024 20:44:49 GMT
PHP code execution and Overshare[point]
Here in the Northern Hemisphere, Spring is in the air: flowers, bees, pollen… a new Metasploit 6.4 release, and now, fresh on the heels of this new release is a bountiful crop of exploits, features, and bug-fixes. Leading the pack is a pair of 2024 PHP code execution vulnerabilities in Artica Proxy and the Bricks Builder WordPress theme, and not to be outshone is a pair of Sharepoint vulnerabilities chained to give unauthenticated code execution as administrator.
New module content (3)
Artica Proxy Unauthenticated PHP Deserialization Vulnerability
Authors: Jaggar Henry of KoreLogic Inc. and h00die-gr3y h00die.gr3y@gmail.com
Type: Exploit
Pull request: #18967 contributed by h00die-gr3y
Path: linux/http/artica_proxy_unauth_rce_cve_2024_2054
AttackerKB reference: CVE-2024-2054
Description: The PR adds a module targeting CVE-2024-2054, a command injection vulnerability in Artica Proxy appliance version 4.50 and 4.40. The exploit allows remote unauthenticated attackers to run arbitrary commands as the www-data
user.
Unauthenticated RCE in Bricks Builder Theme
Authors: Calvin Alkan and Valentin Lobstein
Type: Exploit
Pull request: #18891 contributed by Chocapikk
Path: multi/http/wp_bricks_builder_rce
AttackerKB reference: CVE-2024-25600
Description: This PR adds an exploit module that targets a known vulnerability, CVE-2024-25600, in the WordPress Bricks Builder Theme, versions prior to 1.9.6.
Sharepoint Dynamic Proxy Generator Unauth RCE
Authors: Jang and jheysel-r7
Type: Exploit
Pull request: #18721 contributed by jheysel-r7
Path: windows/http/sharepoint_dynamic_proxy_generator_auth_bypass_rce
AttackerKB reference: CVE-2023-24955
Description: This PR adds a module that allows unauthenticated remote code execution as Administrator
on Sharepoint 2019 hosts. It performs this by exploiting two vulnerabilities in Sharepoint 2019. First, it uses CVE-2023-29357, an auth bypass patched in June of 2023 to impersonate the Administrator
user, then it uses CVE-2023-24955, an RCE patched in May of 2023 to execute commands as Administrator
.
Enhancements and features (4)
- #18925 from sjanusz-r7 - Updates RPC API to include Auxiliary and Exploit modules in
session.compatible_modules
response. - #18982 from ekalinichev-r7 - Adds RPC methods
session.interactive_read
andsession.interactive_write
that support interaction with SQL, SMB, and Meterpreter sessions via RPC API. - #19016 from zgoldman-r7 - Updates the MSSQL modules to support the GUID column type. This also improves error logging.
- #19017 from zgoldman-r7 - Improves the
auxiliary/admin/mssql/mssql_exec
andauxiliary/admin/mssql/mssql_sql
modules to have improved error logging.
Bugs fixed (6)
- #18985 from cgranleese-r7 - Fixes store_valid_credential conditional logic for
unix/webapp/wp_admin_shell_upload
module. - #18992 from adfoster-r7 - Fixes a crash within the postgres version module.
- #19006 from cgranleese-r7 - This fixes an issue where WMAP plugin module loading was causing failures.
- #19009 from sjanusz-r7 - Updates
modules/exploits/osx/local/persistence
to no longer be marked as a compatible module for Windows targets. - #19012 from zeroSteiner - This fixes an issue that was reported where msfconsole will fail to start if the user's
/etc/hosts
file contained a host name ending in a.
or containing_
characters. - #19015 from zeroSteiner - Previously, we fixed an issue where Metasploit would crash while parsing the
hosts
file if it ended in unexpected values like.
or_
. This fixes the same kind of issue in DNS names that enter the hostnames data through a different path by removing any trailing.
so they can be used for DNS resolution.
Documentation added (1)
- #18961 from zgoldman-r7 - This adds documentation for the new SQL and SMB session types.
You can always find more documentation on our docsite at docs.metasploit.com.
Get it
As always, you can update to the latest Metasploit Framework with msfupdate
and you can get more details on the changes since the last blog post from
GitHub:
If you are a git
user, you can clone the Metasploit Framework repo (master branch) for the latest.
To install fresh without using git, you can use the open-source-only Nightly Installers or the
commercial edition Metasploit Pro