Metasploit Weekly Wrap-Up 06/07/2024

New OSX payloads:ARMed and Dangerous

In addition to an RCE leveraging CVE-2024-5084 to gain RCE through a WordPress Hash form, this release features the addition of several new binary OSX stageless payloads with aarch64 support: Execute Command, Shell Bind TCP, and Shell Reverse TCP.

The new osx/aarch64/shell_bind_tcp payload opens a listening port on the target machine, which allows the attacker to connect to this open port to spawn a command shell using the user provided command using the execve system call on Apple silicon laptops.

The new osx/aarch64/shell_reverse_tcp payload that can connect back to the configured attacker’s RHOST and RPORT to spawn a command shell using the execve system call on Apple silicon laptops.
The new osx/aarch64/exec payload can execute arbitrary user provided commands using the execve system call on Apple silicon laptops, for example:

msf6 payload(osx/aarch64/exec) > generate -f macho cmd="/bin/bash -c 'echo 123 && echo abc && whoami && echo 🔥'" -o shell
[*] Writing 50072 bytes to shell…

And executing:

$ chmod +x ./shell
$ ./shell
123
abc
user
🔥

New module content (4)

WordPress Hash Form Plugin RCE

Authors: Francesco Carlucci and Valentin Lobstein
Type: Exploit
Pull request: #19208 contributed by Chocapikk
Path: multi/http/wp_hash_form_rce
AttackerKB reference: CVE-2024-5084

Description: This adds an exploit module that leverages a vulnerability in the WordPress Hash Form – Drag & Drop Form Builder plugin (CVE-2024-5084) to achieve remote code execution. Versions up to and including 1.1.0 are vulnerable. This allows unauthenticated attackers to upload arbitrary files, including PHP scripts, due to missing file type validation in the file_upload_action function.

OSX aarch64 Execute Command

Author: alanfoster
Type: Payload (Single)
Pull request: #18646 contributed by AlanFoster
Path: osx/aarch64/exec

Description: Add osx aarch64 exec payload.

OS X x64 Shell Bind TCP

Author: alanfoster
Type: Payload (Single)
Pull request: #18776 contributed by AlanFoster
Path: osx/aarch64/shell_bind_tcp

Description: Add osx aarch64 bind tcp payload.

OSX aarch64 Shell Reverse TCP

Author: alanfoster
Type: Payload (Single)
Pull request: #18652 contributed by AlanFoster
Path: osx/aarch64/shell_reverse_tcp

Description: Add osx aarch64 shell reverse tcp payload.

Enhancements and features (0)

None

Bugs fixed (3)

• #19209 from zgoldman-r7 - Updates multiple file format exploits to show the default settings to users when running show options.
• #19211 from sjanusz-r7 - Fixes an issue were the database management logic would default a model’s updated_at value to incorrectly be set to the created_at value.
• #19217 from zgoldman-r7 - Fixes path tab completion for modules when using Ruby 3.2+.
• #19227 from bcoles - Fixed an issue in Moodle::Login.moodle_login that reported a false negative when logging in with user’s credentials.

Documentation

You can find the latest Metasploit documentation on our docsite at docs.metasploit.com.

Get it

As always, you can update to the latest Metasploit Framework with msfupdate
and you can get more details on the changes since the last blog post from
GitHub:

• Pull Requests 6.4.11…6.4.12
• Full diff 6.4.11…6.4.12

If you are a git user, you can clone the Metasploit Framework repo (master branch) for the latest.
To install fresh without using git, you can use the open-source-only Nightly Installers or the
commercial edition Metasploit Pro

NEVER MISS AN EMERGING THREAT

Be the first to learn about the latest vulnerabilities and cybersecurity news.

Subscribe Now