Last updated at Fri, 05 Apr 2024 20:44:49 GMT

PHP code execution and Overshare[point]

Here in the Northern Hemisphere, Spring is in the air: flowers, bees, pollen… a new Metasploit 6.4 release, and now, fresh on the heels of this new release is a bountiful crop of exploits, features, and bug-fixes. Leading the pack is a pair of 2024 PHP code execution vulnerabilities in Artica Proxy and the Bricks Builder WordPress theme, and not to be outshone is a pair of Sharepoint vulnerabilities chained to give unauthenticated code execution as administrator.

New module content (3)

Artica Proxy Unauthenticated PHP Deserialization Vulnerability

Authors: Jaggar Henry of KoreLogic Inc. and h00die-gr3y <h00die.gr3y@gmail.com>
Type: Exploit
Pull request: #18967 contributed by h00die-gr3y
Path: linux/http/artica_proxy_unauth_rce_cve_2024_2054
AttackerKB reference: CVE-2024-2054

Description: The PR adds a module targeting CVE-2024-2054, a command injection vulnerability in Artica Proxy appliance versions 4.50 and 4.40. The exploit allows remote unauthenticated attackers to run arbitrary commands as the www-data user.

Unauthenticated RCE in Bricks Builder Theme

Authors: Calvin Alkan and Valentin Lobstein
Type: Exploit
Pull request: #18891 contributed by Chocapikk
Path: multi/http/wp_bricks_builder_rce
AttackerKB reference: CVE-2024-25600

Description: This PR adds an exploit module that targets a known vulnerability, CVE-2024-25600, in the WordPress Bricks Builder Theme, versions prior to 1.9.6.

Sharepoint Dynamic Proxy Generator Unauth RCE

Authors: Jang and jheysel-r7
Type: Exploit
Pull request: #18721 contributed by jheysel-r7
Path: windows/http/sharepoint_dynamic_proxy_generator_auth_bypass_rce
AttackerKB reference: CVE-2023-24955

Description: This PR adds a module that allows unauthenticated remote code execution as Administrator on Sharepoint 2019 hosts. It does this by chaining two vulnerabilities in Sharepoint 2019. First, it uses CVE-2023-29357, an auth bypass patched in June of 2023, to impersonate the Administrator user; then it uses CVE-2023-24955, an RCE patched in May of 2023, to execute commands as Administrator.

Enhancements and features (4)

  • #18925 from sjanusz-r7 - Updates RPC API to include Auxiliary and Exploit modules in session.compatible_modules response.
  • #18982 from ekalinichev-r7 - Adds RPC methods session.interactive_read and session.interactive_write that support interaction with SQL, SMB, and Meterpreter sessions via RPC API.
  • #19016 from zgoldman-r7 - Updates the MSSQL modules to support the GUID column type. This also improves error logging.
  • #19017 from zgoldman-r7 - Improves error logging in the auxiliary/admin/mssql/mssql_exec and auxiliary/admin/mssql/mssql_sql modules.

Bugs fixed (6)

  • #18985 from cgranleese-r7 - Fixes store_valid_credential conditional logic for unix/webapp/wp_admin_shell_upload module.
  • #18992 from adfoster-r7 - Fixes a crash within the postgres version module.
  • #19006 from cgranleese-r7 - Fixes an issue where loading the WMAP plugin's modules caused failures.
  • #19009 from sjanusz-r7 - Updates modules/exploits/osx/local/persistence to no longer be marked as a compatible module for Windows targets.
  • #19012 from zeroSteiner - Fixes a reported issue where msfconsole would fail to start if the user's /etc/hosts file contained a host name ending in a . or containing _ characters.
  • #19015 from zeroSteiner - Previously, we fixed an issue where Metasploit would crash while parsing the hosts file if it ended in unexpected values like . or _. This fixes the same kind of issue in DNS names that enter the hostnames data through a different path by removing any trailing . so they can be used for DNS resolution.
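The two hosts-file fixes above share one failure mode: a hostname shaped like `build_box.corp.example.` is legal in practice but breaks a strict parser, and the trailing dot has to go before the name can be resolved. The following is an added example, not Metasploit's own code, of a tolerant hosts-file parser in the same spirit; the sample file, the `LABEL` and `HOSTNAME_RE` patterns and the function names are all constructed here.

```ruby
require 'ipaddr'

# Constructed sample of an /etc/hosts file containing the two shapes that
# tripped the original parser: a trailing '.' and an '_' inside a name.
SAMPLE_HOSTS = <<~HOSTS
  127.0.0.1   localhost
  # comment line
  10.0.0.5    build_box.corp.example.   build_box   # FQDN form, trailing dot
  ::1         ip6-localhost
  bogus       not-an-address
HOSTS

# Hostname labels: letters, digits, '-' and (tolerated, as seen in real hosts
# files) '_'; a single trailing '.' marks a fully-qualified name.
LABEL = /[A-Za-z0-9_](?:[A-Za-z0-9_-]{0,61}[A-Za-z0-9_])?/
HOSTNAME_RE = /\A#{LABEL}(?:\.#{LABEL})*\.?\z/

# Lowercase the name and drop the trailing dot so it can be handed to a
# resolver; return nil for anything that is not a usable hostname.
def normalize_hostname(name)
  n = name.to_s.strip.downcase
  return nil unless n.match?(HOSTNAME_RE)
  n.chomp('.') # 'host.example.' -> 'host.example'
end

# Parse hosts-file text into { 'name' => 'ip' }. Malformed lines are collected
# in `rejected` instead of raising, so one odd entry cannot abort the parse.
def parse_hosts(text)
  mapping = {}
  rejected = []
  text.each_line do |raw|
    line = raw.sub(/#.*/, '').strip # strip comments and surrounding space
    next if line.empty?
    ip, *names = line.split(/\s+/)
    begin
      IPAddr.new(ip) # validate the address column (IPv4 or IPv6)
    rescue IPAddr::InvalidAddressError
      rejected << raw.strip
      next
    end
    names.each do |name|
      host = normalize_hostname(name)
      if host
        mapping[host] ||= ip # first mapping for a name wins, as in resolvers
      else
        rejected << raw.strip
      end
    end
  end
  [mapping, rejected]
end
```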

Documentation added (1)

  • #18961 from zgoldman-r7 - This adds documentation for the new SQL and SMB session types.

You can always find more documentation on our docsite at docs.metasploit.com.

Get it

As always, you can update to the latest Metasploit Framework with msfupdate, and you can get more details on the changes since the last blog post from GitHub:

If you are a git user, you can clone the Metasploit Framework repo (master branch) for the latest.
To install fresh without using git, you can use the open-source-only Nightly Installers or the commercial edition Metasploit Pro.