Welcome Ryan and the new CrushFTP module

It's not every week we add an awesome new exploit module to the Framework while adding the original discoverer of the vulnerability to the Rapid7 team as well. We're very excited to welcome Ryan Emmons to the Emergent Threat Response team, which works alongside Metasploit here at Rapid7. Ryan discovered an Improperly Controlled Modification of Dynamically-Determined Object Attributes vulnerability in CrushFTP (CVE-2023-43177) versions prior to 10.5.1 which results in unauthenticated remote code execution. Metasploit's very own Christophe De La Fuente did a fantastic job of turning this complex exploit into a smooth running Metasploit module. This release includes another unauthenticated remote code execution vulnerability in the oh so popular PostgreSQL management tool, pgAdmin. Written by Spencer McIntyre, the module exploits CVE-2024-2044 which is a path-traversal vulnerability in the session management that allows a Python pickle object to be loaded and deserialized.

New module content (3)

MongoDB Ops Manager Diagnostic Archive Sensitive Information Retriever

Author: h00die
Type: Auxiliary
Pull request: #18936 contributed by h00die
Path: gather/mongodb_ops_manager_diagnostic_archive_info
AttackerKB reference: CVE-2023-0342

Description: This adds an auxiliary module that leverages an information disclosure vulnerability (CVE-2023-0342) in MongoDB Ops Manager v5.0 prior to 5.0.21 and v6.0 prior to 6.0.12 to retrieve the SAML SSL Pem Key File Password, which is stored in plaintext in the application's Diagnostics Archive.

CrushFTP Unauthenticated RCE

Authors: Christophe De La Fuente and Ryan Emmons
Type: Exploit
Pull request: #18918 contributed by cdelafuente-r7
Path: multi/http/crushftp_rce_cve_2023_43177
AttackerKB reference: CVE-2023-43177

Description: This exploit module leverages an Improperly Controlled Modification of Dynamically-Determined Object Attributes vulnerability (CVE-2023-43177) to achieve unauthenticated remote code execution. This affects CrushFTP versions prior to 10.5.1.

pgAdmin Session Deserialization RCE

Authors: Abdel Adim Oisfi, Davide Silvetti, and Spencer McIntyre
Type: Exploit
Pull request: #19026 contributed by zeroSteiner
Path: multi/http/pgadmin_session_deserialization
AttackerKB reference: CVE-2024-2044

Description: This adds an exploit for pgAdmin <= 8.3 which is a path traversal vulnerability in the session management that allows a Python pickle object to be loaded and deserialized. This also adds a new Python deserialization gadget chain to execute the code in a new thread so the target application doesn't block the HTTP request.

Enhancements and features (0)

None

Bugs fixed (0)

None

Documentation

You can find the latest Metasploit documentation on our docsite at docs.metasploit.com.

Get it

As always, you can update to the latest Metasploit Framework with msfupdate
and you can get more details on the changes since the last blog post from
GitHub:

• Pull Requests 6.4.3...6.4.4
• Full diff 6.4.3...6.4.4

If you are a git user, you can clone the Metasploit Framework repo (master branch) for the latest.
To install fresh without using git, you can use the open-source-only Nightly Installers or the
commercial edition Metasploit Pro

Go go gadget Fortra GoAnywhere MFT Module

This Metasploit release contains a module for one of 2024's hottest vulnerabilities to date: CVE-2024-0204. The path traversal vulnerability in Fortra GoAnywhere MFT allows for unauthenticated attackers to access the InitialAccountSetup.xhtml endpoint which is used during the products initial setup to create the first administrator user. After setup has completed, this endpoint is supposed to be no longer available. Attackers can use this vulnerability to create a user with Administrator privileges. Once Administrative privileges have been obtained for the GoAnywhere MFT application, uploading a .jsp payload in order to achieve RCE is trivial.

New module content (3)

runc (docker) File Descriptor Leak Privilege Escalation

Authors: Rory McNamara and h00die
Type: Exploit
Pull request: #18780 contributed by h00die
Path: linux/local/runc_cwd_priv_esc

Description: This adds a local privilege escalation exploit that leverages an internal file descriptor leak in runc versions prior to 1.1.12. An attacker with docker privileges is able write an arbitrary file on the host file system with the permissions of runc (typically root). With this, the module uploads a payload, sets the execute and the SUID permissions to escalate privileges.

Cacti RCE via SQLi in pollers.php

Authors: Aleksey Solovev and Christophe De La Fuente
Type: Exploit
Pull request: #18769 contributed by cdelafuente-r7
Path: multi/http/cacti_pollers_sqli_rce

Description: This PR adds an exploit module which leverages a SQLi (CVE-2023-49085) and a LFI (CVE-2023-49084) vulnerability in Cacti versions prior to 1.2.26 to achieve RCE.

Fortra GoAnywhere MFT Unauthenticated Remote Code Execution

Authors: James Horseman, Zach Hanley, and sfewer-r7
Type: Exploit
Pull request: #18762 contributed by sfewer-r7
Path: multi/http/fortra_goanywhere_mft_rce_cve_2024_0204

Description: This pull request adds an exploit module for CVE-2024-0204 which is a path traversal vulnerability which results in unauthenticated RCE in Fortra GoAnywhere MFT. GoAnywhere MFT versions 6.x from 6.0.1, and 7.x before 7.4.1 are vulnerable.

Enhancements and features (3)

• #18696 from zgoldman-r7 - Introduces a standalone MSSQL client class that can be used in new contexts not tied to a specific module.
• #18718 from cgranleese-r7 - Updates the auxiliary/scanner/mysql/mysql_login.rb module to include a new CreateSession option that opens an interactive session. This functionality is currently behind a feature flag which can be enabled with features set mysql_session_type true.
• #18761 from dwelch-r7 - Adds a user notification that new modules support a CreateSession option. This functionality is currently behind a feature flag which can be enabled with the features command.

Bugs fixed (3)

• #18704 from dwelch-r7 - Fixes a bug with framework having 0 registered nop modules when the defer-module-loads feature was enabled.
• #18773 from sjanusz-r7 - Fixes an issue where Ctrl+Z and Ctrl+C when in the context of an interactive PostgreSQL shell prompt inside the PostgreSQL session type did work correctly.
• #18803 from dwelch-r7 - Fixes a crash when using exploit/multi/handler with an invalid payload name.

Documentation added (1)

• #18782 from ekalinichev-r7 - Updates our existing Windows installation documentation to mention that Administrator privileges are required when installing via our .msi package.

You can always find more documentation on our docsite at docs.metasploit.com.

Get it

As always, you can update to the latest Metasploit Framework with msfupdate
and you can get more details on the changes since the last blog post from
GitHub:

• Pull Requests 6.3.54...6.3.55
• Full diff 6.3.54...6.3.55

If you are a git user, you can clone the Metasploit Framework repo (master branch) for the latest.
To install fresh without using git, you can use the open-source-only Nightly Installers or the
commercial edition Metasploit Pro