Metasploit Weekly Wrap-Up 06/14/2024

New module content (5)

Telerik Report Server Auth Bypass

Authors: SinSinology and Spencer McIntyre
Type: Auxiliary
Pull request: #19242 contributed by zeroSteiner
Path: scanner/http/telerik_report_server_auth_bypass
AttackerKB reference: CVE-2024-4358

Description: This adds an exploit for CVE-2024-4358 which is an authentication bypass in Telerik Report Server versions up to and including 10.0.24.305.

Cacti Import Packages RCE

Authors: Christophe De La Fuente and Egidio Romano
Type: Exploit
Pull request: #19196 contributed by cdelafuente-r7
Path: multi/http/cacti_package_import_rce
AttackerKB reference: CVE-2024-25641

Description: This exploit module leverages an arbitrary file write vulnerability (CVE-2024-25641) in Cacti versions prior to 1.2.27 to achieve RCE. It abuses the Import Packages feature to upload a specially crafted package that embeds a PHP file.

VSCode ipynb Remote Development RCE

Authors: Zemnmez and h00die
Type: Exploit
Pull request: #18998 contributed by h00die
Path: multi/misc/vscode_ipynb_remote_dev_exec
AttackerKB reference: CVE-2022-41034

Description: VSCode allows users to open a Jypiter notebook (.ipynb) file. Versions v1.4.0 - v1.71.1 allow the Jypiter notebook to embed HTML and javascript, which can then open new terminal windows within VSCode. Each of these new windows can then execute arbitrary code at startup. This vulnerability is tracked as CVE-2022-41034.

Rejetto HTTP File Server (HFS) Unauthenticated Remote Code Execution

Authors: Arseniy Sharoglazov and sfewer-r7
Type: Exploit
Pull request: #19240 contributed by sfewer-r7
Path: windows/http/rejetto_hfs_rce_cve_2024_23692
AttackerKB reference: CVE-2024-23692

Description: Adds an exploit module for CVE-2024-23692, an unauthorized SSTI in the Rejetto HTTP File Server (HFS).

Telerik Report Server Auth Bypass and Deserialization RCE

Authors: SinSinology, Soroush Dalili, Spencer McIntyre, and Unknown
Type: Exploit
Pull request: #19243 contributed by zeroSteiner
Path: windows/http/telerik_report_server_deserialization
AttackerKB reference: CVE-2024-4358

Description: This adds an exploit for CVE-2024-1800 which is an authenticated RCE in Telerik Report Server. To function without authentication it chains CVE-2024-4358 to create a new administrator account before launching the authenticated RCE.

Enhancements and features (4)

• #19191 from adfoster-r7 - Adds support for Ruby 3.4.0-preview1.
• #19197 from sjanusz-r7 - Updates the new PostgreSQL, MSSQL, and MySQL session types to track the history of commands that the user has entered.
• #19199 from cgranleese-r7 - Updates brute force modules to output a summary of the credential discovered. This functionality is currently opt-in with the feature set show_successful_logins true msfconsole command.
• #19225 from h00die - This adds a link to android payload issues to increase visibility.

Bugs fixed (3)

• #19235 from cgranleese-r7 - Fixes an issue where Java payloads zip paths were not being created properly.
• #19239 from e2002e - Updates the modules/auxiliary/gather/zoomeye_search module to work again.
• #19248 from zgoldman-r7 - This removes an extra rescue clause added in error and allows the actual rescue clause to rescue exceptions properly in the event a staged http[s] payload calls back to a stageless http[s] listener.

Documentation

You can find the latest Metasploit documentation on our docsite at docs.metasploit.com.

Get it

As always, you can update to the latest Metasploit Framework with msfupdate
and you can get more details on the changes since the last blog post from
GitHub:

• Pull Requests 6.4.12…6.4.13
• Full diff 6.4.12…6.4.13

If you are a git user, you can clone the Metasploit Framework repo (master branch) for the latest.
To install fresh without using git, you can use the open-source-only Nightly Installers or the commercial edition Metasploit Pro