Merge remote-tracking branch 'upstream/master'

Gemfile.lock

@@ -1,7 +1,7 @@
 PATH
   remote: .
   specs:
-    metasploit-framework (6.4.5)
+    metasploit-framework (6.4.6)
       actionpack (~> 7.0.0)
       activerecord (~> 7.0.0)
       activesupport (~> 7.0.0)

LICENSE_GEMS

@@ -80,7 +80,7 @@ memory_profiler, 1.0.1, MIT
 metasm, 1.0.5, LGPL-2.1
 metasploit-concern, 5.0.2, "New BSD"
 metasploit-credential, 6.0.7, "New BSD"
-metasploit-framework, 6.4.5, "New BSD"
+metasploit-framework, 6.4.6, "New BSD"
 metasploit-model, 5.0.2, "New BSD"
 metasploit-payloads, 2.0.166, "3-clause (or ""modified"") BSD"
 metasploit_data_models, 6.0.3, "New BSD"

db/modules_metadata_base.json

@@ -25139,6 +25139,70 @@
 
     ]
   },
+  "auxiliary_gather/rancher_authenticated_api_cred_exposure": {
+    "name": "Rancher Authenticated API Credential Exposure",
+    "fullname": "auxiliary/gather/rancher_authenticated_api_cred_exposure",
+    "aliases": [
+
+    ],
+    "rank": 300,
+    "disclosure_date": "2022-08-18",
+    "type": "auxiliary",
+    "author": [
+      "h00die",
+      "Florian Struck",
+      "Marco Stuurman"
+    ],
+    "description": "An issue was discovered in Rancher versions up to and including\n          2.5.15 and 2.6.6 where sensitive fields, like passwords, API keys\n          and Ranchers service account token (used to provision clusters),\n          were stored in plaintext directly on Kubernetes objects like Clusters,\n          for example cluster.management.cattle.io. Anyone with read access to\n          those objects in the Kubernetes API could retrieve the plaintext\n          version of those sensitive data.",
+    "references": [
+      "URL-https://github.com/advisories/GHSA-g7j7-h4q8-8w2f",
+      "URL-https://github.com/fe-ax/tf-cve-2021-36782",
+      "URL-https://fe.ax/cve-2021-36782/",
+      "CVE-2021-36782"
+    ],
+    "platform": "",
+    "arch": "",
+    "rport": 443,
+    "autofilter_ports": [
+      80,
+      8080,
+      443,
+      8000,
+      8888,
+      8880,
+      8008,
+      3000,
+      8443
+    ],
+    "autofilter_services": [
+      "http",
+      "https"
+    ],
+    "targets": null,
+    "mod_time": "2024-04-19 12:55:46 +0000",
+    "path": "/modules/auxiliary/gather/rancher_authenticated_api_cred_exposure.rb",
+    "is_install_path": true,
+    "ref_name": "gather/rancher_authenticated_api_cred_exposure",
+    "check": true,
+    "post_auth": true,
+    "default_credential": false,
+    "notes": {
+      "Stability": [
+
+      ],
+      "Reliability": [
+
+      ],
+      "SideEffects": [
+
+      ]
+    },
+    "session_types": false,
+    "needs_cleanup": false,
+    "actions": [
+
+    ]
+  },
   "auxiliary_gather/redis_extractor": {
     "name": "Redis Extractor",
     "fullname": "auxiliary/gather/redis_extractor",
@@ -47044,7 +47108,7 @@
       "sybase"
     ],
     "targets": null,
-    "mod_time": "2024-02-19 10:57:53 +0000",
+    "mod_time": "2024-04-04 08:34:51 +0000",
     "path": "/modules/auxiliary/scanner/mssql/mssql_hashdump.rb",
     "is_install_path": true,
     "ref_name": "scanner/mssql/mssql_hashdump",
@@ -47095,7 +47159,7 @@
       "sybase"
     ],
     "targets": null,
-    "mod_time": "2024-04-09 15:24:02 +0000",
+    "mod_time": "2024-04-18 15:15:36 +0000",
     "path": "/modules/auxiliary/scanner/mssql/mssql_login.rb",
     "is_install_path": true,
     "ref_name": "scanner/mssql/mssql_login",
@@ -47193,7 +47257,7 @@
       "sybase"
     ],
     "targets": null,
-    "mod_time": "2024-02-19 10:57:53 +0000",
+    "mod_time": "2024-04-04 08:34:51 +0000",
     "path": "/modules/auxiliary/scanner/mssql/mssql_schemadump.rb",
     "is_install_path": true,
     "ref_name": "scanner/mssql/mssql_schemadump",
@@ -49523,7 +49587,7 @@
       "postgres"
     ],
     "targets": null,
-    "mod_time": "2024-04-09 15:24:02 +0000",
+    "mod_time": "2024-04-12 11:43:30 +0000",
     "path": "/modules/auxiliary/scanner/postgres/postgres_login.rb",
     "is_install_path": true,
     "ref_name": "scanner/postgres/postgres_login",
@@ -77677,6 +77741,69 @@
     "session_types": false,
     "needs_cleanup": true
   },
+  "exploit_linux/http/panos_telemetry_cmd_exec": {
+    "name": "Palo Alto Networks PAN-OS Unauthenticated Remote Code Execution",
+    "fullname": "exploit/linux/http/panos_telemetry_cmd_exec",
+    "aliases": [
+
+    ],
+    "rank": 600,
+    "disclosure_date": "2024-04-12",
+    "type": "exploit",
+    "author": [
+      "remmons-r7",
+      "sfewer-r7"
+    ],
+    "description": "This module exploits two vulnerabilities in Palo Alto Networks PAN-OS that\n          allow an unauthenticated attacker to create arbitrarily named files and execute\n          shell commands. Configuration requirements are PAN-OS with GlobalProtect Gateway or\n          GlobalProtect Portal enabled and telemetry collection on (default). Affected versions\n          include < 11.1.0-h3, < 11.1.1-h1, < 11.1.2-h3, < 11.0.2-h4, < 11.0.3-h10, < 11.0.4-h1,\n          < 10.2.5-h6, < 10.2.6-h3, < 10.2.8-h3, and < 10.2.9-h1. Payloads may take up to\n          one hour to execute, depending on how often the telemetry service is set to run.",
+    "references": [
+      "CVE-2024-3400",
+      "URL-https://security.paloaltonetworks.com/CVE-2024-3400",
+      "URL-https://www.volexity.com/blog/2024/04/12/zero-day-exploitation-of-unauthenticated-remote-code-execution-vulnerability-in-globalprotect-cve-2024-3400/",
+      "URL-https://attackerkb.com/topics/SSTk336Tmf/cve-2024-3400/rapid7-analysis"
+    ],
+    "platform": "Linux,Unix",
+    "arch": "cmd",
+    "rport": 443,
+    "autofilter_ports": [
+      80,
+      8080,
+      443,
+      8000,
+      8888,
+      8880,
+      8008,
+      3000,
+      8443
+    ],
+    "autofilter_services": [
+      "http",
+      "https"
+    ],
+    "targets": [
+      "Default"
+    ],
+    "mod_time": "2024-04-18 18:34:18 +0000",
+    "path": "/modules/exploits/linux/http/panos_telemetry_cmd_exec.rb",
+    "is_install_path": true,
+    "ref_name": "linux/http/panos_telemetry_cmd_exec",
+    "check": true,
+    "post_auth": false,
+    "default_credential": false,
+    "notes": {
+      "Stability": [
+        "crash-safe"
+      ],
+      "Reliability": [
+        "repeatable-session"
+      ],
+      "SideEffects": [
+        "ioc-in-logs",
+        "artifacts-on-disk"
+      ]
+    },
+    "session_types": false,
+    "needs_cleanup": true
+  },
   "exploit_linux/http/peercast_url": {
     "name": "PeerCast URL Handling Buffer Overflow",
     "fullname": "exploit/linux/http/peercast_url",
@@ -99634,6 +99761,70 @@
     "session_types": false,
     "needs_cleanup": null
   },
+  "exploit_multi/http/gambio_unauth_rce_cve_2024_23759": {
+    "name": "Gambio Online Webshop unauthenticated PHP Deserialization Vulnerability",
+    "fullname": "exploit/multi/http/gambio_unauth_rce_cve_2024_23759",
+    "aliases": [
+
+    ],
+    "rank": 600,
+    "disclosure_date": "2024-01-19",
+    "type": "exploit",
+    "author": [
+      "h00die-gr3y <[email protected]>",
+      "usd Herolab"
+    ],
+    "description": "A Remote Code Execution vulnerability in Gambio online webshop version 4.9.2.0 and lower\n          allows remote attackers to run arbitrary commands via unauthenticated HTTP POST request.\n          The identified vulnerability within Gambio pertains to an insecure deserialization flaw,\n          which ultimately allows an attacker to execute remote code on affected systems.\n          The insecure deserialization vulnerability in Gambio poses a significant risk to affected systems.\n          As it allows remote code execution, adversaries could exploit this flaw to execute arbitrary commands,\n          potentially resulting in complete system compromise, data exfiltration, or unauthorized access\n          to sensitive information.",
+    "references": [
+      "CVE-2024-23759",
+      "URL-https://attackerkb.com/topics/cxCsICfcDY/cve-2024-23759",
+      "URL-https://herolab.usd.de/en/security-advisories/usd-2023-0046/"
+    ],
+    "platform": "Linux,PHP,Unix",
+    "arch": "php, cmd, x64, x86",
+    "rport": 443,
+    "autofilter_ports": [
+      80,
+      8080,
+      443,
+      8000,
+      8888,
+      8880,
+      8008,
+      3000,
+      8443
+    ],
+    "autofilter_services": [
+      "http",
+      "https"
+    ],
+    "targets": [
+      "PHP",
+      "Unix Command",
+      "Linux Dropper"
+    ],
+    "mod_time": "2024-04-19 13:44:18 +0000",
+    "path": "/modules/exploits/multi/http/gambio_unauth_rce_cve_2024_23759.rb",
+    "is_install_path": true,
+    "ref_name": "multi/http/gambio_unauth_rce_cve_2024_23759",
+    "check": true,
+    "post_auth": false,
+    "default_credential": false,
+    "notes": {
+      "Stability": [
+        "crash-safe"
+      ],
+      "Reliability": [
+        "repeatable-session"
+      ],
+      "SideEffects": [
+        "ioc-in-logs",
+        "artifacts-on-disk"
+      ]
+    },
+    "session_types": false,
+    "needs_cleanup": true
+  },
   "exploit_multi/http/gestioip_exec": {
     "name": "GestioIP Remote Command Execution",
     "fullname": "exploit/multi/http/gestioip_exec",
@@ -160073,6 +160264,69 @@
     "session_types": false,
     "needs_cleanup": null
   },
+  "exploit_windows/http/forticlient_ems_fctid_sqli": {
+    "name": "FortiNet FortiClient Endpoint Management Server FCTID SQLi to RCE",
+    "fullname": "exploit/windows/http/forticlient_ems_fctid_sqli",
+    "aliases": [
+
+    ],
+    "rank": 600,
+    "disclosure_date": "2024-04-21",
+    "type": "exploit",
+    "author": [
+      "Zach Hanley",
+      "James Horseman",
+      "jheysel-r7",
+      "Spencer McIntyre"
+    ],
+    "description": "An SQLi injection vulnerability exists in FortiNet FortiClient EMS (Endpoint Management Server).\n          FortiClient EMS serves as an endpoint management solution tailored for enterprises, offering a centralized\n          platform for overseeing enrolled endpoints. The SQLi is vulnerability is due to user controller strings which\n          can be sent directly into database queries.\n\n          FcmDaemon.exe is the main service responsible for communicating with enrolled clients. By default it listens on port 8013\n          and communicates with FCTDas.exe which is responsible for translating requests and sending them to the database.\n          In the message header of a specific request sent between the two services, the FCTUID parameter is vulnerable\n          SQLi. The SQLi can used to enable the xp_cmdshell which can then be used to obtain unauthenticated remote code\n          execution in the context of NT AUTHORITY\\SYSTEM\n\n          Affected versions of FortiClient EMS include:\n          7.2.0 through 7.2.2\n          7.0.1 through 7.0.10\n\n          Upgrading to either 7.2.3, 7.0.11 or above is recommended by FortiNet.\n\n          It should be noted that in order to be vulnerable, at least one endpoint needs to be enrolled / managed by FortiClient\n          EMS for the necessary vulnerable services to be available.",
+    "references": [
+      "URL-https://www.horizon3.ai/attack-research/attack-blogs/cve-2023-48788-fortinet-forticlientems-sql-injection-deep-dive/",
+      "URL-https://github.com/horizon3ai/CVE-2023-48788/blob/main/CVE-2023-48788.py",
+      "CVE-2023-48788"
+    ],
+    "platform": "Windows",
+    "arch": "cmd",
+    "rport": 8013,
+    "autofilter_ports": [
+      80,
+      8080,
+      443,
+      8000,
+      8888,
+      8880,
+      8008,
+      3000,
+      8443
+    ],
+    "autofilter_services": [
+      "http",
+      "https"
+    ],
+    "targets": [
+      "Automatic Target"
+    ],
+    "mod_time": "2024-04-12 10:00:07 +0000",
+    "path": "/modules/exploits/windows/http/forticlient_ems_fctid_sqli.rb",
+    "is_install_path": true,
+    "ref_name": "windows/http/forticlient_ems_fctid_sqli",
+    "check": true,
+    "post_auth": false,
+    "default_credential": false,
+    "notes": {
+      "Stability": [
+        "crash-safe"
+      ],
+      "SideEffects": [
+        "ioc-in-logs"
+      ],
+      "Reliability": [
+        "repeatable-session"
+      ]
+    },
+    "session_types": false,
+    "needs_cleanup": null
+  },
   "exploit_windows/http/fortilogger_arbitrary_fileupload": {
     "name": "FortiLogger Arbitrary File Upload Exploit",
     "fullname": "exploit/windows/http/fortilogger_arbitrary_fileupload",