It's the second week of December and the weather forecast announced another storm of RCEs in Metasploit-Framework land. This weekly release includes RCEs for the Moodle e-learning platform, Primefaces, WordPress Really Simple SSL and CyberPanel, along with two modules to change passwords through the LDAP and SMB protocols.
Author: smashery
Type: Auxiliary
Pull request: #19671 contributed by smashery
Path: admin/ldap/change_password
Description: This adds a module that is able to change a user's password knowing the current value or reset a user's password given the necessary permissions using LDAP.
Author: smashery
Type: Auxiliary
Pull request: #19666 contributed by smashery
Path: admin/smb/change_password
Description: This adds a module that is able to change a user's password knowing the current value or reset a user's password given the necessary permissions using SMB.
Authors: Aaryan Golatkar and Ron Jost
Type: Auxiliary
Pull request: #19701 contributed by aaryan-11-x
Path: scanner/http/wp_perfect_survey_sqli
AttackerKB reference: CVE-2021-24762
Description: This adds an auxiliary module that exploits CVE-2021-24762, an unauthenticated SQL Injection that allows dumping user credentials from the database.
Authors: Michael Heinzl and RedTeam Pentesting GmbH
Type: Exploit
Pull request: #19430 contributed by h4x-x0r
Path: linux/http/moodle_rce
AttackerKB reference: CVE-2024-43425
Description: This adds an exploit module for the Moodle learning platform. The module exploits a command injection vulnerability in Moodle (CVE-2024-43425) to obtain remote code execution. By default, the application runs in the context of www-data, so only a limited shell can be obtained.
Authors: Bjoern Schuette and h00die
Type: Exploit
Pull request: #19649 contributed by h00die
Path: multi/http/primefaces_weak_encryption_rce
AttackerKB reference: CVE-2017-1000486
Description: This adds a module which exploits a Java Expression Language RCE vulnerability in the Primefaces JSF framework. Primefaces versions prior to 5.2.21, 5.3.8 or 6.0 are vulnerable to a padding oracle attack due to the use of weak crypto and a default encryption password and salt.
Authors: István Márton and Valentin Lobstein
Type: Exploit
Pull request: #19661 contributed by Chocapikk
Path: multi/http/wp_reallysimplessl_2fa_bypass_rce
AttackerKB reference: CVE-2024-10924
Description: This adds an exploit module for CVE-2024-10924, a vulnerability in the WordPress Really Simple Security plugin, versions 9.0.0 to 9.1.1.1, that allows unauthenticated attackers to bypass Two-Factor Authentication (2FA). By exploiting this flaw, an attacker can retrieve the administrator's session cookie directly, gaining full control over the WordPress instance, including the ability to upload and execute arbitrary code.
Authors: DreyAnd, Luka Petrovic (refr4g), and Valentin Lobstein
Type: Exploit
Pull request: #19608 contributed by Chocapikk
Path: unix/webapp/cyberpanel_preauth_rce_multi_cve
AttackerKB reference: CVE-2024-51378
Description: Adds a CyberPanel pre-auth RCE exploit module for the following CVEs: CVE-2024-51378, CVE-2024-51567 and CVE-2024-51568. The module contains three separate actions which let you specify which CVE you would like to exploit.
Modules which have either been enhanced, or renamed:
Generated-Cookie: Uses information about the system (which may be gained, e.g. using a separate arbitrary file-read vulnerability) to calculate an authentication cookie which is then used
Known-Cookie: Uses a user-provided cookie to authenticate
Known-PIN: Uses a user-provided PIN to authenticate
None: If authentication has been disabled, or is unsupported (e.g. in very old versions of Werkzeug)
When generating a cookie (and PIN), there are 3 different algorithms used, depending on the target selected by the user. This is because the algorithm used to generate the cookie/PIN has changed throughout the application's development.
samr_computer: replaced with a more general module that can also be used to add user accounts to Active Directory if the operator has the necessary permissions.
windows/dns_txt_query_exec: updated to help clarify how it works for users.
exploits/linux/http/projectsend_unauth_rce: updated to include the CVE entry CVE-2024-11680 for ProjectSend r1295 - r1605 Unauthenticated Remote Code Execution.
exploits/linux/http/projectsend_unauth_rce: module metadata updated to include CVE-2024-11680.
You can always find more documentation on our docsite at docs.metasploit.com.
As always, you can update to the latest Metasploit Framework with msfupdate, and you can get more details on the changes since the last blog post from GitHub.
If you are a git user, you can clone the Metasploit Framework repo (master branch) for the latest.
To install fresh without using git, you can use the open-source-only Nightly Installers or the commercial edition Metasploit Pro.