National Cyber Warfare Foundation (NCWF) Forums


Metasploit Weekly Wrap-Up 03 29 2024


2024-03-29 18:18:15
milo
Red Team (CNA)

Metasploit adds three new exploit modules including an RCE for SharePoint.

PHP code execution and Overshare[point]


Metasploit Weekly Wrap-Up 03/29/2024

Here in the Northern Hemisphere, Spring is in the air: flowers, bees, pollen… a new Metasploit 6.4 release, and now, fresh on the heels of this new release, is a bountiful crop of exploits, features, and bug fixes. Leading the pack is a pair of 2024 PHP code execution vulnerabilities in Artica Proxy and the Bricks Builder WordPress theme, and not to be outshone is a pair of SharePoint vulnerabilities chained to give unauthenticated code execution as Administrator.


New module content (3)


Artica Proxy Unauthenticated PHP Deserialization Vulnerability


Authors: Jaggar Henry of KoreLogic Inc. and h00die-gr3y

Type: Exploit

Pull request: #18967 contributed by h00die-gr3y

Path: linux/http/artica_proxy_unauth_rce_cve_2024_2054

AttackerKB reference: CVE-2024-2054


Description: The PR adds a module targeting CVE-2024-2054, a command injection vulnerability in Artica Proxy appliance versions 4.50 and 4.40. The exploit allows remote unauthenticated attackers to run arbitrary commands as the www-data user.


Unauthenticated RCE in Bricks Builder Theme


Authors: Calvin Alkan and Valentin Lobstein

Type: Exploit

Pull request: #18891 contributed by Chocapikk

Path: multi/http/wp_bricks_builder_rce

AttackerKB reference: CVE-2024-25600


Description: This PR adds an exploit module that targets a known vulnerability, CVE-2024-25600, in the WordPress Bricks Builder Theme, versions prior to 1.9.6.


SharePoint Dynamic Proxy Generator Unauth RCE


Authors: Jang and jheysel-r7

Type: Exploit

Pull request: #18721 contributed by jheysel-r7

Path: windows/http/sharepoint_dynamic_proxy_generator_auth_bypass_rce

AttackerKB reference: CVE-2023-24955


Description: This PR adds a module that allows unauthenticated remote code execution as Administrator on SharePoint 2019 hosts. It does this by exploiting two vulnerabilities in SharePoint 2019: first, it uses CVE-2023-29357, an auth bypass patched in June 2023, to impersonate the Administrator user; then it uses CVE-2023-24955, an RCE patched in May 2023, to execute commands as Administrator.


Enhancements and features (4)



  • #18925 from sjanusz-r7 - Updates RPC API to include Auxiliary and Exploit modules in session.compatible_modules response.

  • #18982 from ekalinichev-r7 - Adds RPC methods session.interactive_read and session.interactive_write that support interaction with SQL, SMB, and Meterpreter sessions via RPC API.

  • #19016 from zgoldman-r7 - Updates the MSSQL modules to support the GUID column type. This also improves error logging.

  • #19017 from zgoldman-r7 - Improves error logging in the auxiliary/admin/mssql/mssql_exec and auxiliary/admin/mssql/mssql_sql modules.
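On the GUID column support in #19016: SQL Server's uniqueidentifier type is a 16-byte value whose first three fields are transmitted little-endian and whose last two are transmitted in byte order, so a client that simply hex-dumps the column shows the first eight bytes in the wrong order. The following is an added example, not Metasploit's own MSSQL client code, showing the decode and its inverse in Ruby; it assumes the raw column bytes are available as a binary String, and the sample value is constructed for the illustration.

```ruby
# Added example (not Metasploit's code): converting an MSSQL UNIQUEIDENTIFIER
# (GUID) column between its 16-byte wire form and canonical text.
# Layout of the 16 bytes as SQL Server sends them:
#   bytes 0-3   Data1  (32-bit, little-endian)
#   bytes 4-5   Data2  (16-bit, little-endian)
#   bytes 6-7   Data3  (16-bit, little-endian)
#   bytes 8-15  Data4  (in byte order, printed as 4 + 12 hex digits)

# Decodes 16 raw bytes into "XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX".
# Raises ArgumentError on a value of the wrong length (e.g. a truncated row),
# so a malformed column is reported instead of silently mis-rendered.
def mssql_guid_to_s(raw)
  unless raw.bytesize == 16
    raise ArgumentError, "GUID must be 16 bytes, got #{raw.bytesize}"
  end
  # V = 32-bit little-endian, v = 16-bit little-endian, H* = remaining hex
  d1, d2, d3, rest = raw.unpack('VvvH*')
  format('%08X-%04X-%04X-%s-%s', d1, d2, d3, rest[0, 4].upcase, rest[4, 12].upcase)
end

# Inverse: canonical text (optionally in braces) back to the 16 wire bytes,
# e.g. for building a parameter value to send to the server.
def mssql_guid_from_s(text)
  m = text.match(/\A\{?([0-9a-f]{8})-([0-9a-f]{4})-([0-9a-f]{4})-([0-9a-f]{4})-([0-9a-f]{12})\}?\z/i)
  raise ArgumentError, "not a GUID: #{text.inspect}" unless m
  [m[1].hex, m[2].hex, m[3].hex, m[4] + m[5]].pack('VvvH*')
end

# Constructed sample: the bytes 00 11 22 33 44 55 66 77 88 99 AA BB CC DD EE FF
# as they would arrive on the wire for a uniqueidentifier column.
SAMPLE_GUID_BYTES = ['00112233445566778899AABBCCDDEEFF'].pack('H*')

if __FILE__ == $PROGRAM_NAME
  text = mssql_guid_to_s(SAMPLE_GUID_BYTES)
  puts "naive hex dump: #{SAMPLE_GUID_BYTES.unpack1('H*')}"
  puts "decoded GUID:   #{text}"
  puts "round trip ok:  #{mssql_guid_from_s(text) == SAMPLE_GUID_BYTES}"
end
```

The round trip matters for error logging as much as for display: a module that logs a GUID it failed to act on should print the same text the server-side tooling would show, which the naive hex dump does not.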


Bugs fixed (6)



  • #18985 from cgranleese-r7 - Fixes store_valid_credential conditional logic for unix/webapp/wp_admin_shell_upload module.

  • #18992 from adfoster-r7 - Fixes a crash within the postgres version module.

  • #19006 from cgranleese-r7 - This fixes an issue where WMAP plugin module loading was causing failures.

  • #19009 from sjanusz-r7 - Updates modules/exploits/osx/local/persistence to no longer be marked as a compatible module for Windows targets.

  • #19012 from zeroSteiner - This fixes an issue that was reported where msfconsole will fail to start if the user's /etc/hosts file contained a host name ending in a . or containing _ characters.

  • #19015 from zeroSteiner - Previously, we fixed an issue where Metasploit would crash while parsing the hosts file if it ended in unexpected values like . or _. This fixes the same kind of issue in DNS names that enter the hostnames data through a different path by removing any trailing . so they can be used for DNS resolution.
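The two hosts-file fixes above (#19012 and #19015) concern the same parsing edge case: an entry whose name ends in a trailing dot (the DNS fully-qualified form) or contains underscores must not abort loading, and the trailing dot has to be removed before the name is used for resolution. The following is an added illustration, not Metasploit's own hosts-file code, of a tolerant /etc/hosts reader in Ruby that accepts such entries, strips the trailing dot, and skips malformed tokens or lines instead of failing the whole file; the hosts content it parses is constructed for the example.

```ruby
require 'ipaddr'

# Constructed sample /etc/hosts content (not from any real system). It
# contains the two cases named in the wrap-up, a name with a trailing "."
# and a name containing "_", plus a comment, a malformed name and a bad IP.
SAMPLE_HOSTS = <<~HOSTS
  # static table lookup for hostnames
  127.0.0.1   localhost
  ::1         localhost ip6-localhost
  10.0.0.5    build-server.example.internal.
  10.0.0.6    my_service   # underscore in a label
  10.0.0.7    bad host! valid-name
  not-an-ip   ignored-entry
HOSTS

# Host name labels: letters, digits, "_" and "-", with no leading or trailing
# "-". "_" is accepted deliberately: it turns up in real hosts files even
# though it is not valid in DNS host names.
HOSTNAME_RE = /\A[a-z0-9_](?:[a-z0-9_-]*[a-z0-9_])?(?:\.[a-z0-9_](?:[a-z0-9_-]*[a-z0-9_])?)*\z/i

# Normalises one name token: strips trailing dots (FQDN notation) so the
# result can be handed to a resolver, lower-cases it, and returns nil for
# anything that still is not a plausible host name.
def normalize_hostname(name)
  stripped = name.sub(/\.+\z/, '')
  return nil if stripped.empty?
  return nil unless stripped.match?(HOSTNAME_RE)
  stripped.downcase
end

def valid_ip?(text)
  IPAddr.new(text)
  true
rescue ArgumentError # IPAddr::InvalidAddressError is a subclass of ArgumentError
  false
end

# Parses hosts-file content into { hostname => [ip, ...] }. Comments are
# removed, blank lines skipped, lines with an unparseable address dropped,
# and individual bad name tokens skipped without aborting the whole file.
def parse_hosts(content)
  entries = {}
  content.each_line do |line|
    line = line.sub(/#.*/, '').strip
    next if line.empty?
    ip, *names = line.split(/\s+/)
    next unless valid_ip?(ip)
    names.each do |token|
      host = normalize_hostname(token)
      next if host.nil?
      list = (entries[host] ||= [])
      list << ip unless list.include?(ip)
    end
  end
  entries
end

if __FILE__ == $PROGRAM_NAME
  parse_hosts(SAMPLE_HOSTS).each { |host, ips| puts "#{host} -> #{ips.join(', ')}" }
end
```

The design choice worth noting is that validation happens per token, not per file: one odd entry in a user's hosts file costs that entry, not the console start-up, which is the failure mode the two fixes address.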


Documentation added (1)



  • #18961 from zgoldman-r7 - This adds documentation for the new SQL and SMB session types.


You can always find more documentation on our docsite at docs.metasploit.com.


Get it


As always, you can update to the latest Metasploit Framework with msfupdate, and you can get more details on the changes since the last blog post from GitHub:

If you are a git user, you can clone the Metasploit Framework repo (master branch) for the latest. To install fresh without using git, you can use the open-source-only Nightly Installers or the commercial edition, Metasploit Pro.




Source: Rapid7
Source Link: https://blog.rapid7.com/2024/03/29/metasploit-weekly-wrap-up-03-29-2024/




