New OSX payloads:ARMed and Dangerous

In addition to an RCE leveraging CVE-2024-5084 to gain RCE through a WordPress Hash form, this release features the addition of several new binary OSX stageless payloads with aarch64 support: Execute Command, Shell Bind TCP, and Shell Reverse TCP.

The new osx/aarch64/shell_bind_tcp payload opens a listening port on the target machine, which allows the attacker to connect to this open port to spawn a command shell using the user provided command using the execve system call on Apple silicon laptops.

The new osx/aarch64/shell_reverse_tcp payload that can connect back to the configured attacker’s RHOST and RPORT to spawn a command shell using the execve system call on Apple silicon laptops.
The new osx/aarch64/exec payload can execute arbitrary user provided commands using the execve system call on Apple silicon laptops, for example:

msf6 payload(osx/aarch64/exec) > generate -f macho cmd="/bin/bash -c 'echo 123 && echo abc && whoami && echo 🔥'" -o shell
[*] Writing 50072 bytes to shell…

And executing:

$ chmod +x ./shell
$ ./shell
123
abc
user
🔥

New module content (4)

WordPress Hash Form Plugin RCE

Authors: Francesco Carlucci and Valentin Lobstein
Type: Exploit
Pull request: #19208 contributed by Chocapikk
Path: multi/http/wp_hash_form_rce
AttackerKB reference: CVE-2024-5084

Description: This adds an exploit module that leverages a vulnerability in the WordPress Hash Form – Drag & Drop Form Builder plugin (CVE-2024-5084) to achieve remote code execution. Versions up to and including 1.1.0 are vulnerable. This allows unauthenticated attackers to upload arbitrary files, including PHP scripts, due to missing file type validation in the file_upload_action function.

OSX aarch64 Execute Command

Author: alanfoster
Type: Payload (Single)
Pull request: #18646 contributed by AlanFoster
Path: osx/aarch64/exec

Description: Add osx aarch64 exec payload.

OS X x64 Shell Bind TCP

Author: alanfoster
Type: Payload (Single)
Pull request: #18776 contributed by AlanFoster
Path: osx/aarch64/shell_bind_tcp

Description: Add osx aarch64 bind tcp payload.

OSX aarch64 Shell Reverse TCP

Author: alanfoster
Type: Payload (Single)
Pull request: #18652 contributed by AlanFoster
Path: osx/aarch64/shell_reverse_tcp

Description: Add osx aarch64 shell reverse tcp payload.

Enhancements and features (0)

None

Bugs fixed (3)

• #19209 from zgoldman-r7 - Updates multiple file format exploits to show the default settings to users when running show options.
• #19211 from sjanusz-r7 - Fixes an issue were the database management logic would default a model's updated_at value to incorrectly be set to the created_at value.
• #19217 from zgoldman-r7 - Fixes path tab completion for modules when using Ruby 3.2+.
• #19227 from bcoles - Fixed an issue in Moodle::Login.moodle_login that reported a false negative when logging in with user's credentials.

Documentation

You can find the latest Metasploit documentation on our docsite at docs.metasploit.com.

Get it

As always, you can update to the latest Metasploit Framework with msfupdate
and you can get more details on the changes since the last blog post from
GitHub:

• Pull Requests 6.4.11...6.4.12
• Full diff 6.4.11...6.4.12

If you are a git user, you can clone the Metasploit Framework repo (master branch) for the latest.
To install fresh without using git, you can use the open-source-only Nightly Installers or the
commercial edition Metasploit Pro

Quis dīrumpet ipsos dīrumpēs

In this release, we feature a double-double: two exploits each targeting two pieces of software. The first pair is from h00die targeting the Jasmine Ransomeware Web Server. The first uses CVE-2024-30851 to retrieve the login for the ransomware server, and the second is a directory traversal vulnerability allowing arbitrary file read. The second pair from Dave Yesland of Rhino Security targets Progress Flowmon with CVE-2024-2389 and it pairs well like wine with the additional and accompanying Privilege Escalation module.

New module content (4)

Jasmin Ransomware Web Server Unauthenticated Directory Traversal

Authors: chebuya and h00die
Type: Auxiliary
Pull request: #19103 contributed by h00die
Path: gather/jasmin_ransomware_dir_traversal
AttackerKB reference: CVE-2024-30851

Description: This adds an unauthenticated directory traversal and a SQLi exploit against the Jasmin ransomware web panel.

Jasmin Ransomware Web Server Unauthenticated SQL Injection

Authors: chebuya and h00die
Type: Auxiliary
Pull request: #19103 contributed by h00die
Path: gather/jasmin_ransomware_sqli

Description: This adds an unauthenticated directory traversal and a SQLi exploit against the Jasmin ransomware web panel.

Flowmon Unauthenticated Command Injection

Author: Dave Yesland with Rhino Security Labs
Type: Exploit
Pull request: #19150 contributed by DaveYesland
Path: linux/http/progress_flowmon_unauth_cmd_injection
AttackerKB reference: CVE-2024-2389

Description: Unauthenticated Command Injection Module for Progress Flowmon CVE-2024-2389.

Progress Flowmon Local sudo privilege escalation

Author: Dave Yesland with Rhino Security Labs
Type: Exploit
Pull request: #19151 contributed by DaveYesland
Path: linux/local/progress_flowmon_sudo_privesc_2024

Description: Privilege escalation module for Progress Flowmon unpatched feature.

Enhancements and features (3)

• #19195 from adfoster-r7 - Updates msfconsole to support risc-v platforms.
• #19198 from adfoster-r7 - Add support for Ruby 3.3.x.
• #19200 from adfoster-r7 - Updates Metasploit's gemspec file to work with additional static analysis tools.

Bugs fixed (0)

None

Documentation

You can find the latest Metasploit documentation on our docsite at docs.metasploit.com.

Get it

As always, you can update to the latest Metasploit Framework with msfupdate
and you can get more details on the changes since the last blog post from
GitHub:

• Pull Requests 6.4.10...6.4.11
• Full diff 6.4.10...6.4.11

If you are a git user, you can clone the Metasploit Framework repo (master branch) for the latest.
To install fresh without using git, you can use the open-source-only Nightly Installers or the
commercial edition Metasploit Pro

PHP code execution and Overshare[point]

Here in the Northern Hemisphere, Spring is in the air: flowers, bees, pollen… a new Metasploit 6.4 release, and now, fresh on the heels of this new release is a bountiful crop of exploits, features, and bug-fixes. Leading the pack is a pair of 2024 PHP code execution vulnerabilities in Artica Proxy and the Bricks Builder WordPress theme, and not to be outshone is a pair of Sharepoint vulnerabilities chained to give unauthenticated code execution as administrator.

New module content (3)

Artica Proxy Unauthenticated PHP Deserialization Vulnerability

Authors: Jaggar Henry of KoreLogic Inc. and h00die-gr3y h00die.gr3y@gmail.com
Type: Exploit
Pull request: #18967 contributed by h00die-gr3y
Path: linux/http/artica_proxy_unauth_rce_cve_2024_2054
AttackerKB reference: CVE-2024-2054

Description: The PR adds a module targeting CVE-2024-2054, a command injection vulnerability in Artica Proxy appliance version 4.50 and 4.40. The exploit allows remote unauthenticated attackers to run arbitrary commands as the www-data user.

Unauthenticated RCE in Bricks Builder Theme

Authors: Calvin Alkan and Valentin Lobstein
Type: Exploit
Pull request: #18891 contributed by Chocapikk
Path: multi/http/wp_bricks_builder_rce
AttackerKB reference: CVE-2024-25600

Description: This PR adds an exploit module that targets a known vulnerability, CVE-2024-25600, in the WordPress Bricks Builder Theme, versions prior to 1.9.6.

Sharepoint Dynamic Proxy Generator Unauth RCE

Authors: Jang and jheysel-r7
Type: Exploit
Pull request: #18721 contributed by jheysel-r7
Path: windows/http/sharepoint_dynamic_proxy_generator_auth_bypass_rce
AttackerKB reference: CVE-2023-24955

Description: This PR adds a module that allows unauthenticated remote code execution as Administrator on Sharepoint 2019 hosts. It performs this by exploiting two vulnerabilities in Sharepoint 2019. First, it uses CVE-2023-29357, an auth bypass patched in June of 2023 to impersonate the Administrator user, then it uses CVE-2023-24955, an RCE patched in May of 2023 to execute commands as Administrator.

Enhancements and features (4)

• #18925 from sjanusz-r7 - Updates RPC API to include Auxiliary and Exploit modules in session.compatible_modules response.
• #18982 from ekalinichev-r7 - Adds RPC methods session.interactive_read and session.interactive_write that support interaction with SQL, SMB, and Meterpreter sessions via RPC API.
• #19016 from zgoldman-r7 - Updates the MSSQL modules to support the GUID column type. This also improves error logging.
• #19017 from zgoldman-r7 - Improves the auxiliary/admin/mssql/mssql_exec and auxiliary/admin/mssql/mssql_sql modules to have improved error logging.

Bugs fixed (6)

• #18985 from cgranleese-r7 - Fixes store_valid_credential conditional logic for unix/webapp/wp_admin_shell_upload module.
• #18992 from adfoster-r7 - Fixes a crash within the postgres version module.
• #19006 from cgranleese-r7 - This fixes an issue where WMAP plugin module loading was causing failures.
• #19009 from sjanusz-r7 - Updates modules/exploits/osx/local/persistence to no longer be marked as a compatible module for Windows targets.
• #19012 from zeroSteiner - This fixes an issue that was reported where msfconsole will fail to start if the user's /etc/hosts file contained a host name ending in a . or containing _ characters.
• #19015 from zeroSteiner - Previously, we fixed an issue where Metasploit would crash while parsing the hosts file if it ended in unexpected values like . or _. This fixes the same kind of issue in DNS names that enter the hostnames data through a different path by removing any trailing . so they can be used for DNS resolution.

Documentation added (1)

• #18961 from zgoldman-r7 - This adds documentation for the new SQL and SMB session types.

You can always find more documentation on our docsite at docs.metasploit.com.

Get it

As always, you can update to the latest Metasploit Framework with msfupdate
and you can get more details on the changes since the last blog post from
GitHub:

• Pull Requests 6.4.0...6.4.1
• Full diff 6.4.0...6.4.1

If you are a git user, you can clone the Metasploit Framework repo (master branch) for the latest.
To install fresh without using git, you can use the open-source-only Nightly Installers or the
commercial edition Metasploit Pro