National Cyber Warfare Foundation (NCWF) Forums


Metasploit Weekly Wrap-Up 04 19 24


0 user ratings
2024-04-19 18:49:08
milo
Red Team (CNA)

 - archive -- 

Welcome Ryan and the new CrushFTP module


It's not every week we add an awesome new exploit module to the Framework while adding the original discoverer of the vulnerability to the Rapid7 team as well. We're very excited to welcome Ryan Emmons to the Emergent Threat Response team, which works



Welcome Ryan and the new CrushFTP module


Metasploit Weekly Wrap-Up 04/19/24

It's not every week we add an awesome new exploit module to the Framework while adding the original discoverer of the vulnerability to the Rapid7 team as well. We're very excited to welcome Ryan Emmons to the Emergent Threat Response team, which works alongside Metasploit here at Rapid7. Ryan discovered an Improperly Controlled Modification of Dynamically-Determined Object Attributes vulnerability in CrushFTP (CVE-2023-43177) versions prior to 10.5.1 which results in unauthenticated remote code execution. Metasploit's very own Christophe De La Fuente did a fantastic job of turning this complex exploit into a smooth running Metasploit module. This release includes another unauthenticated remote code execution vulnerability in the oh so popular PostgreSQL management tool, pgAdmin. Written by Spencer McIntyre, the module exploits CVE-2024-2044 which is a path-traversal vulnerability in the session management that allows a Python pickle object to be loaded and deserialized.


New module content (3)


MongoDB Ops Manager Diagnostic Archive Sensitive Information Retriever


Author: h00die

Type: Auxiliary

Pull request: #18936 contributed by h00die

Path: gather/mongodb_ops_manager_diagnostic_archive_info

AttackerKB reference: CVE-2023-0342


Description: This adds an auxiliary module that leverages an information disclosure vulnerability (CVE-2023-0342) in MongoDB Ops Manager v5.0 prior to 5.0.21 and v6.0 prior to 6.0.12 to retrieve the SAML SSL Pem Key File Password, which is stored in plaintext in the application's Diagnostics Archive.


CrushFTP Unauthenticated RCE


Authors: Christophe De La Fuente and Ryan Emmons

Type: Exploit

Pull request: #18918 contributed by cdelafuente-r7

Path: multi/http/crushftp_rce_cve_2023_43177

AttackerKB reference: CVE-2023-43177


Description: This exploit module leverages an Improperly Controlled Modification of Dynamically-Determined Object Attributes vulnerability (CVE-2023-43177) to achieve unauthenticated remote code execution. This affects CrushFTP versions prior to 10.5.1.


pgAdmin Session Deserialization RCE


Authors: Abdel Adim Oisfi, Davide Silvetti, and Spencer McIntyre

Type: Exploit

Pull request: #19026 contributed by zeroSteiner

Path: multi/http/pgadmin_session_deserialization

AttackerKB reference: CVE-2024-2044


Description: This adds an exploit for pgAdmin <= 8.3 which is a path traversal vulnerability in the session management that allows a Python pickle object to be loaded and deserialized. This also adds a new Python deserialization gadget chain to execute the code in a new thread so the target application doesn't block the HTTP request.


Enhancements and features (0)


None


Bugs fixed (0)


None


Documentation


You can find the latest Metasploit documentation on our docsite at docs.metasploit.com.


Get it


As always, you can update to the latest Metasploit Framework with msfupdate

and you can get more details on the changes since the last blog post from

GitHub:



If you are a git user, you can clone the Metasploit Framework repo (master branch) for the latest.

To install fresh without using git, you can use the open-source-only Nightly Installers or the

commercial edition Metasploit Pro




Source: Rapid7
Source Link: https://blog.rapid7.com/2024/04/19/metasploit-weekly-wrap-up-04-19-24/


Comments
new comment
Nobody has commented yet. Will you be the first?
 
Forum
Red Team (CNA)



Copyright 2012 through 2024 - National Cyber Warfare Foundation - All rights reserved worldwide.