Metasploit Weekly Wrap-Up 08/30/2024
A New Way to Encode PHP Payloads
A new PHP encoder has been released by a community contributor, jvoisin, allowing a PHP payload to be encoded as an ASCII-Hex string. This can then be decoded on the receiver to prevent issues with unescaped or bad characters.
Ray Vulnerabilities
This release of Metasploit Framework also features 3 new modules to target ray.io, which is a framework for distributing AI-related workloads across multiple machines, which makes it an excellent exploitation target. These modules can perform arbitrary file reads, perform remote code execution and command injection, making them a great all-round addition to a penetration testing workflow.
The vulnerabilities for which modules are provided are:
New module content (9)
Control iD iDSecure Authentication Bypass (CVE-2023-6329)
Authors: Michael Heinzl and Tenable
Type: Auxiliary
Pull request: #19380 contributed by h4x-x0r
Path: admin/http/idsecure_auth_bypass
AttackerKB reference: CVE-2023-6329
Description: Adds an auxiliary module targeting CVE-2023-6329, an improper access control vulnerability, which allows an unauthenticated user to compute valid credentials and to add a new administrative user to the web interface of Control iD iDSecure <= v4.7.43.0.
Ivanti Virtual Traffic Manager Authentication Bypass (CVE-2024-7593)
Authors: Michael Heinzl, mxalias, and ohnoisploited
Type: Auxiliary
Pull request: #19386 contributed by h4x-x0r
Path: admin/http/ivanti_vtm_admin
AttackerKB reference: CVE-2024-7593
Description: Adds an exploit targeting CVE-2024-7593 which is an improper access control vulnerability in Ivanti Virtual Traffic Manager (vTM) . It allows an unauthenticated remote attacker to add a new administrative user to the web interface of the product before 22.7R2.
Ray static arbitrary file read
Authors: Takahiro Yokoyama, byt3bl33d3r [email protected], and danmcinerney [email protected]
Type: Auxiliary
Pull request: #19363 contributed by Takahiro-Yoko
Path: gather/ray_lfi_cve_2023_6020
AttackerKB reference: CVE-2023-6020
Description: The auxiliary module allows reading files on the remote system through a local file inclusion vulnerability.
PHP Hex Encoder
Author: Julien Voisin
Type: Encoder
Pull request: #19420 contributed by jvoisin
Path: php/hex
Description: This adds an ascii-hex encoder for PHP with optional compression.
Ray Agent Job RCE
Authors: Takahiro Yokoyama, byt3bl33d3r [email protected], and sierrabearchell
Type: Exploit
Pull request: #19363 contributed by Takahiro-Yoko
Path: linux/http/ray_agent_job_rce
AttackerKB reference: CVE-2023-48022
Description: This exploit module allows for arbitrary code execution on the target.
Ray cpu_profile command injection
Authors: Takahiro Yokoyama, byt3bl33d3r [email protected], and sierrabearchell
Type: Exploit
Pull request: #19363 contributed by Takahiro-Yoko
Path: linux/http/ray_cpu_profile_cmd_injection_cve_2023_6019
AttackerKB reference: CVE-2023-6019
Description: This exploit module allows for command injection to be performed on the target.
GiveWP Unauthenticated Donation Process Exploit
Authors: EQSTSeminar, Julien Ahrens, Valentin Lobstein, and Villu Orav
Type: Exploit
Pull request: #19424 contributed by Chocapikk
Path: multi/http/wp_givewp_rce
AttackerKB reference: CVE-2024-5932
Description: Adds a new module exploits/multi/http/wp_givewp_rce which targets CVE-2024-5932 - a critical RCE vulnerability in the WordPress GiveWP plugin (up to version 3.14.1).
pgAdmin Binary Path API RCE
Authors: Ayoub Mokhtar, M.Selim Karahan, and Mustafa Mutlu
Type: Exploit
Pull request: #19422 contributed by igomeow
Path: windows/http/pgadmin_binary_path_api
AttackerKB reference: CVE-2024-3116
Description: Adds a new module targeting all versions of PgAdmin up to 8.4 which leverages a Remote Code Execution (RCE) CVE-2024-3116 flaw through the validate binary path API.
Gather electerm Passwords
Author: Kali-Team [email protected]
Type: Post
Pull request: #19395 contributed by cn-kali-team
Path: multi/gather/electerm
Description: Adds a post module to gather passwords and saved session information stored in the Electerm program.
Enhanced Modules (2)
Modules which have either been enhanced, or renamed:
- #19393 from jheysel-r7 - Adds a patch bypass for CVE-2024-32113 (the original vulnerability this exploited). The patch released in 18.12.14 disallows the Path Traversal vulnerability to be exploited however it was later disclosed that the vulnerable endpoint was accessible all along, without the need for the Path Traversal. And so CVE-2024-38856 was issued as an Incorrect Authorization which was patched in version 18.12.15.
- #19417 from Chocapikk - The new PHP filter chain evaluates a POST parameter, which simplifies the process and reduces the payload size enabling the module to send the entire payload in one POST request instead of writing the payload to a file character by character over many POST requests. Support for both Windows and Linux Meterpreter payloads, not just PHP Meterpreter, has also been added.
Enhancements and features (3)
- #19377 from jvoisin - Not written.
- #19409 from jvoisin - This adds additional fingerprinting checks to the existing
post/linux/gather/checkvmmodule to more accurately identify VMs. - #19415 from zeroSteiner - Changes the output of the
ldap_esc_vulnerable_cert_finderto be more useful, including display changes favoring useful templates and including an explanation of why a template may be vulnerable.
Bugs fixed (4)
- #19241 from zgoldman-r7 - Replaced the usage a deprecated Ruby method to fix crashing modules.
- #19376 from jvoisin - This fixes the php/base64 encoder which was previously generating php payloads that were failing when being being run due to the way single quotes were being inserted into the payload.
- #19411 from dledda-r7 - Fixes a crash in Metasploit's RPC layer when calling
module.resultswhen a nil module result was present. - #19421 from zeroSteiner - This updates the windows/fileformat/adobe_pdf_embedded_exe exploit to define that its compatible with both ARCH_X86 and ARCH_X64 payloads due to it just generating an EXE.
Documentation
You can find the latest Metasploit documentation on our docsite at docs.metasploit.com.
Get it
As always, you can update to the latest Metasploit Framework with msfupdate
and you can get more details on the changes since the last blog post from
GitHub:
If you are a git user, you can clone the Metasploit Framework repo (master branch) for the latest.
To install fresh without using git, you can use the open-source-only Nightly Installers or the
commercial edition Metasploit Pro
