Last updated Friday, 6 September 2024 at 14:47:56 GMT

A new way to encode PHP payloads

A new PHP encoder has been released by a community contributor, jvoisin, allowing a PHP payload to be encoded as an ASCII-Hex string. This can then be decoded on the receiver to prevent issues with unescaped or bad characters.

Ray vulnerabilities

This release of Metasploit Framework also features 3 new modules to target ray.io, which is a framework for distributing AI-related workloads across multiple machines, which makes it an excellent exploitation target. These modules can perform arbitrary file reads, remote code execution and command injection, making them a great all-round addition to a penetration testing workflow.

The vulnerabilities for which modules are provided are:

  • CVE-2023-6020 - arbitrary file read
  • CVE-2023-6019 - command injection via cpu_profile
  • CVE-2023-48022 - remote code execution via the agent job API

New module content (9)

Control iD iDSecure Authentication Bypass (CVE-2023-6329)

Authors: Michael Heinzl and Tenable
Type: Auxiliary
Pull request: #19380 contributed by h4x-x0r
Path: admin/http/idsecure_auth_bypass
AttackerKB reference: CVE-2023-6329

Description: Adds an auxiliary module targeting CVE-2023-6329, an improper access control vulnerability which allows an unauthenticated user to compute valid credentials and to add a new administrative user to the web interface of Control iD iDSecure <= v4.7.43.0.

Ivanti Virtual Traffic Manager Authentication Bypass (CVE-2024-7593)

Authors: Michael Heinzl, mxalias, and ohnoisploited
Type: Auxiliary
Pull request: #19386 contributed by h4x-x0r
Path: admin/http/ivanti_vtm_admin
AttackerKB reference: CVE-2024-7593

Description: Adds an exploit targeting CVE-2024-7593, which is an improper access control vulnerability in Ivanti Virtual Traffic Manager (vTM). It allows an unauthenticated remote attacker to add a new administrative user to the web interface of the product before 22.7R2.

Ray Static Arbitrary File Read

Authors: Takahiro Yokoyama, byt3bl33d3r marcello@protectai.com, and danmcinerney dan@protectai.com
Type: Auxiliary
Pull request: #19363 contributed by Takahiro-Yoko
Path: gather/ray_lfi_cve_2023_6020
AttackerKB reference: CVE-2023-6020

Description: The auxiliary module allows reading files on the remote system through a local file inclusion vulnerability.

PHP Hex Encoder

Authors: Julien Voisin
Type: Encoder
Pull request: #19420 contributed by jvoisin
Path: php/hex

Description: This adds an ASCII-hex encoder for PHP with optional compression.
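The encoding described in this entry and in the release note at the top of the page, as an added example in Python that is not the Metasploit php/hex encoder's own Ruby code: the PHP source becomes a lowercase ASCII-hex string (optionally compressed first), so none of the characters that break string literals or HTTP parameters survive into the transmitted form. The same block carries the analyst-side inverse, which recovers readable PHP from a hex blob found in a request or log line and detects compression from the stream header rather than trusting any flag. Assumptions: zlib is used as the compression layer (what the real encoder uses is not stated on this page), the bad-character set and the 16-hex-digit detection threshold are constructed for illustration, and the sample log line is constructed.

```python
import re
import zlib

# Constructed set of characters that commonly corrupt a payload when they
# land unescaped inside a PHP string literal or an HTTP parameter.
BAD_CHARS = set("'\"\\;<>` \n\r\x00")

HEX_ONLY = re.compile(r"\A[0-9a-f]+\Z")
# Long runs of hex digits not adjacent to other hex digits; 16 is an
# arbitrary minimum chosen so that ordinary hashes and ids are not missed.
HEX_BLOB = re.compile(r"(?<![0-9a-fA-F])([0-9a-fA-F]{16,})(?![0-9a-fA-F])")


def encode_php_hex(payload: str, compress: bool = False) -> str:
    """Encode PHP source as lowercase ASCII-hex, zlib-compressing first if asked.
    zlib is an assumption here; the page does not say which compressor the
    Metasploit encoder uses."""
    data = payload.encode("utf-8")
    if compress:
        data = zlib.compress(data)
    return data.hex()


def has_bad_chars(text: str) -> bool:
    """True if any character from the constructed bad-character set is present."""
    return any(c in BAD_CHARS for c in text)


def is_zlib_stream(data: bytes) -> bool:
    """zlib streams start with CMF 0x78 and a FLG byte such that the 16-bit
    header is a multiple of 31 (RFC 1950)."""
    return len(data) >= 2 and data[0] == 0x78 and ((data[0] << 8) | data[1]) % 31 == 0


def decode_php_hex(hex_text: str) -> str:
    """Analyst-side inverse: turn a hex blob back into PHP source. Compression
    is detected from the bytes themselves, with a fallback to the raw bytes if
    the header merely happened to look like zlib."""
    if not HEX_ONLY.match(hex_text.lower()):
        raise ValueError("not an ASCII-hex string")
    data = bytes.fromhex(hex_text)
    if is_zlib_stream(data):
        try:
            data = zlib.decompress(data)
        except zlib.error:
            pass  # looked like a zlib header but was not one; keep raw bytes
    return data.decode("utf-8")


def unpack_hex_blobs(text: str) -> list:
    """Find long hex runs in a request or log line and return each one decoded,
    skipping runs that are odd-length or do not decode to valid UTF-8."""
    decoded = []
    for match in HEX_BLOB.finditer(text):
        try:
            decoded.append(decode_php_hex(match.group(1)))
        except (ValueError, UnicodeDecodeError):
            continue
    return decoded


if __name__ == "__main__":
    sample = "<?php echo 'hi'; ?>"  # constructed, harmless PHP snippet
    plain = encode_php_hex(sample)
    packed = encode_php_hex(sample, compress=True)
    print("raw has bad chars:", has_bad_chars(sample))
    print("hex has bad chars:", has_bad_chars(plain))
    print("hex (plain):      ", plain)
    print("hex (compressed): ", packed)
    # Constructed access-log line carrying the encoded blob in a parameter.
    log_line = '10.0.0.5 - - [06/Sep/2024:14:47:56 +0000] "POST /index.php?d=' + packed + ' HTTP/1.1" 200'
    print("recovered:        ", unpack_hex_blobs(log_line))
```

The receiver simply reverses the steps, so the encoded form carries no protection of its own: from a detection standpoint the useful signal is an unusually long pure-hex parameter, which `unpack_hex_blobs` turns back into source for inspection. Compression only pays for itself on payloads longer than a few hundred bytes; for the short sample above the zlib output is longer than the input.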

Ray Agent Job RCE

Authors: Takahiro Yokoyama, byt3bl33d3r marcello@protectai.com, and sierrabearchell
Type: Exploit
Pull request: #19363 contributed by Takahiro-Yoko
Path: linux/http/ray_agent_job_rce
AttackerKB reference: CVE-2023-48022

Description: This exploit module allows for arbitrary code execution on the target.

Ray cpu_profile Command Injection

Authors: Takahiro Yokoyama, byt3bl33d3r marcello@protectai.com, and sierrabearchell
Type: Exploit
Pull request: #19363 contributed by Takahiro-Yoko
Path: linux/http/ray_cpu_profile_cmd_injection_cve_2023_6019
AttackerKB reference: CVE-2023-6019

Description: This exploit module allows for command injection to be performed on the target.

GiveWP Unauthenticated Donation Process Exploit

Authors: EQSTSeminar, Julien Ahrens, Valentin Lobstein, and Villu Orav
Type: Exploit
Pull request: #19424 contributed by Chocapikk
Path: multi/http/wp_givewp_rce
AttackerKB reference: CVE-2024-5932

Description: Adds a new module exploit/multi/http/wp_givewp_rce which targets CVE-2024-5932, a critical RCE vulnerability in the WordPress GiveWP plugin (up to version 3.14.1).

pgAdmin Binary Path API RCE

Authors: Ayoub Mokhtar, M.Selim Karahan, and Mustafa Mutlu
Type: Exploit
Pull request: #19422 contributed by igomeow
Path: windows/http/pgadmin_binary_path_api
AttackerKB reference: CVE-2024-3116

Description: Adds a new module targeting all versions of pgAdmin up to 8.4 which leverages a Remote Code Execution (RCE) flaw, CVE-2024-3116, through the validate binary path API.

Gather Electerm Passwords

Authors: Kali-Team kali-team@qq.com
Type: Post
Pull request: #19395 contributed by cn-kali-team
Path: multi/gather/electerm

Description: Adds a post module to gather passwords and saved session information stored in the Electerm program.

Enhanced modules (2)

Modules which have either been enhanced, or renamed:

  • #19393 from jheysel-r7 - Adds a patch bypass for CVE-2024-32113 (the original vulnerability this exploited). The patch released in 18.12.14 prevents the path traversal vulnerability from being exploited; however, it was later disclosed that the vulnerable endpoint had been accessible all along, without any need for path traversal. And so CVE-2024-38856 was issued as an Incorrect Authorization, which was patched in version 18.12.15.
  • #19417 from Chocapikk - The new PHP filter chain evaluates a POST parameter, which simplifies the process and reduces the payload size, enabling the module to send the entire payload in one POST request instead of writing the payload to a file character by character over many POST requests. Support for both Windows and Linux Meterpreter payloads, not just PHP Meterpreter, has also been added.

Enhancements and features (3)

  • #19377 from jvoisin - No description.
  • #19409 from jvoisin - This adds additional fingerprinting checks to the existing post/linux/gather/checkvm module to more accurately identify virtual machines.
  • #19415 from zeroSteiner - Modifies ldap_esc_vulnerable_cert_finder to be more useful, including display changes favoring useful templates and an explanation of why a template may be vulnerable.

Bugs fixed (4)

  • #19241 from zgoldman-r7 - Replaced the usage of a deprecated Ruby method to fix crashing modules.
  • #19376 from jvoisin - This fixes the php/base64 encoder, which was previously generating PHP payloads that failed when run due to the way single quotes were being inserted into the payload.
  • #19411 from dledda-r7 - Fixes a crash in Metasploit's RPC layer when calling module.results and a nil module result is present.
  • #19421 from zeroSteiner - This updates the windows/fileformat/adobe_pdf_embedded_exe exploit to define that it is compatible with both ARCH_X86 and ARCH_X64 payloads, since it just generates an EXE.

Documentation

You can find the latest Metasploit documentation on our docsite at docs.metasploit.com.

Get it

As always, you can update to the latest Metasploit Framework with msfupdate
and you can get more details on the changes since the last blog post from
GitHub:

If you are a git user, you can clone the Metasploit Framework repo (master branch) for the latest.
To install fresh without using git, you can use the open-source-only Nightly Installers or the
commercial edition Metasploit Pro.
