Here in the Northern Hemisphere, spring is in the air: flowers, bees, pollen, a new Metasploit 6.4 release, and now, fresh on the heels of that release, a bountiful crop of exploits, features, and bug fixes. Leading the pack is a pair of 2024 remote code execution vulnerabilities in the PHP applications Artica Proxy and the Bricks Builder WordPress theme, and not to be outshone is a pair of SharePoint vulnerabilities chained to give unauthenticated code execution as Administrator.
Authors: Jaggar Henry of KoreLogic Inc. and h00die-gr3y
Type: Exploit
Pull request: #18967 contributed by h00die-gr3y
Path: linux/http/artica_proxy_unauth_rce_cve_2024_2054
AttackerKB reference: CVE-2024-2054
Description: The PR adds a module targeting CVE-2024-2054, a command injection vulnerability in Artica Proxy appliance versions 4.40 and 4.50. The exploit allows remote unauthenticated attackers to run arbitrary commands as the www-data user.
Authors: Calvin Alkan and Valentin Lobstein
Type: Exploit
Pull request: #18891 contributed by Chocapikk
Path: multi/http/wp_bricks_builder_rce
AttackerKB reference: CVE-2024-25600
Description: This PR adds an exploit module that targets CVE-2024-25600, an unauthenticated remote code execution vulnerability in the WordPress Bricks Builder theme, versions 1.9.6 and earlier (fixed in 1.9.6.1).
Authors: Jang and jheysel-r7
Type: Exploit
Pull request: #18721 contributed by jheysel-r7
Path: windows/http/sharepoint_dynamic_proxy_generator_auth_bypass_rce
AttackerKB reference: CVE-2023-24955
Description: This PR adds a module that allows unauthenticated remote code execution as Administrator on SharePoint 2019 hosts by chaining two vulnerabilities. First, it uses CVE-2023-29357, an authentication bypass patched in June 2023, to impersonate the Administrator user; then it uses CVE-2023-24955, an RCE patched in May 2023, to execute commands as Administrator.
Enhancements and features:
- session.compatible_modules, session.interactive_read and session.interactive_write: RPC API methods that support interaction with SQL, SMB, and Meterpreter sessions via the RPC API.
- Updates the auxiliary/admin/mssql/mssql_exec and auxiliary/admin/mssql/mssql_sql modules to have improved error logging.
- Updates to the unix/webapp/wp_admin_shell_upload module.

Bugs fixed:
- Fixes modules/exploits/osx/local/persistence to no longer be marked as a compatible module for Windows targets.
- Fixes handling of an /etc/hosts file that contained a host name ending in a `.` or containing `_` characters.
- Also handles the hosts file if a name in it ended in unexpected values like `.` or `_`. This fixes the same kind of issue in DNS names that enter the hostnames data through a different path, by removing any trailing `.` so they can be used for DNS resolution.

You can always find more documentation on our docsite at docs.metasploit.com.
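The hosts-file handling behind the two hostname bug fixes above, as an added example written for this page; it is not Metasploit's own code. It parses a constructed hosts-file snippet, strips a trailing `.` so absolute (FQDN) forms normalise to the same name as their relative forms, and flags names containing `_` (which RFC 952/1123 hostnames do not permit) instead of silently accepting them. The sample data and the function names are assumptions for illustration.

```ruby
require 'ipaddr'

# Constructed sample hosts-file content (not taken from any real system). It
# includes the two problem cases described in the bug fixes: a name with a
# trailing "." and a name containing "_", plus a comment and a malformed line.
SAMPLE_HOSTS = <<~HOSTS
  127.0.0.1   localhost
  # comment line
  10.0.0.5    fileserver.corp.example.   fs
  10.0.0.6    _ldap._tcp.corp.example
  fe80::1     router.lan.
  not-an-ip   broken.example
HOSTS

# One DNS label per RFC 952/1123: letters, digits and hyphens, no leading or
# trailing hyphen, 1-63 characters. Underscore is not allowed in a hostname.
LABEL_RE = /\A[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\z/i

# Remove a single trailing dot so "host." and "host" compare and resolve alike.
def normalize_hostname(name)
  name.to_s.strip.sub(/\.\z/, '')
end

# True when every label of the (already normalised) name is a valid DNS label.
def valid_hostname?(name)
  return false if name.empty? || name.length > 253

  name.split('.', -1).all? { |label| LABEL_RE.match?(label) }
end

# Parse hosts-file text into [{ip:, name:, valid:}] entries, one per name token.
# Lines whose first field is not an IP address are skipped rather than raising.
def parse_hosts(text)
  entries = []
  text.each_line do |line|
    line = line.sub(/#.*/, '').strip
    next if line.empty?

    ip, *names = line.split(/\s+/)
    begin
      IPAddr.new(ip)
    rescue IPAddr::InvalidAddressError
      next
    end

    names.each do |raw|
      name = normalize_hostname(raw)
      entries << { ip: ip, name: name, valid: valid_hostname?(name) }
    end
  end
  entries
end

# Names that are safe to hand to a DNS resolver after normalisation.
def resolvable_names(text)
  parse_hosts(text).select { |e| e[:valid] }.map { |e| e[:name] }
end

if __FILE__ == $PROGRAM_NAME
  parse_hosts(SAMPLE_HOSTS).each do |e|
    puts format('%-18s %-28s %s', e[:ip], e[:name], e[:valid] ? 'ok' : 'invalid hostname')
  end
end
```

The underscore case is reported rather than dropped: a name such as `_ldap._tcp.corp.example` is a legitimate SRV owner name, so a caller may still want it for matching even though it should not be passed to an A/AAAA lookup as a hostname.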
As always, you can update to the latest Metasploit Framework with msfupdate
and you can get more details on the changes since the last blog post from
GitHub:
If you are a git
user, you can clone the Metasploit Framework repo (master branch) for the latest.
To install fresh without using git, you can use the open-source-only Nightly Installers or the
commercial edition Metasploit Pro