## Argument Injection for PHP on Windows ![Metasploit Weekly Wrap-Up 06/21/2024](https://blog.rapid7.com/content/images/2024/06/metasploit-sky.png) This week includes modules that target file traversal and arbitrary file read vulnerabilities for software such as Apache, SolarWinds and Check Point, with the highlight being a module for the recent PHP vulnerability submitted by [sfewer-r7](). This module exploits an argument injection vulnerability, resulting in remote code execution and a Meterpreter shell running in the context of the Administrator user. Note, that this attack requires the target to be running a Japanese or Chinese locale, as the attack targets Windows’s character replacement behavior for certain code pages when calling Win32 API functions. A default configuration of XAMPP is vulnerable. This attack is unauthenticated and the server must expose PHP in CGI mode, not FastCGI. More information on this exploit can be found on [AttackerKB](). ## New module content (4) ### Check Point Security Gateway Arbitrary File Read Author: remmons-r7 Type: Auxiliary Pull request: [#19221]() contributed by [remmons-r7]() Path: `gather/checkpoint_gateway_fileread_cve_2024_24919` AttackerKB reference: [CVE-2024-24919]() Description: This module leverages an unauthenticated arbitrary root file read vulnerability for Check Point Security Gateway appliances. When the IPSec VPN or Mobile Access blades are enabled on affected devices, traversal payloads can be used to read any files on the local file system. This vulnerability is tracked as CVE-2024-24919. ### SolarWinds Serv-U Unauthenticated Arbitrary File Read Authors: Hussein Daher and sfewer-r7 Type: Auxiliary Pull request: [#19255]() contributed by [sfewer-r7]() Path: `gather/solarwinds_servu_fileread_cve_2024_28995` AttackerKB reference: [CVE-2024-28995]() Description: This module exploits an unauthenticated file read vulnerability, due to directory traversal, affecting SolarWinds Serv-U FTP Server 15.4, Serv-U Gateway 15.4, and Serv-U MFT Server 15.4. All versions prior to the vendor supplied hotfix "15.4.2 Hotfix 2" (version 15.4.2.157) are affected. ### Apache OFBiz Forgot Password Directory Traversal Authors: Mr-xn and jheysel-r7 Type: Exploit Pull request: [#19249]() contributed by [jheysel-r7]() Path: `multi/http/apache_ofbiz_forgot_password_directory_traversal` AttackerKB reference: [CVE-2024-32113]() Description: This adds an exploit for CVE-2024-32113, which is an unauthenticated RCE in Apache OFBiz. ### PHP CGI Argument Injection Remote Code Execution Authors: Orange Tsai, sfewer-r7, and watchTowr Type: Exploit Pull request: [#19247]() contributed by [sfewer-r7]() Path: `windows/http/php_cgi_arg_injection_rce_cve_2024_4577` AttackerKB reference: [CVE-2024-4577]() Description: Windows systems running Japanese or Chinese (simplified or traditional) locales are vulnerable to a PHP CGI argument injection vulnerability. This exploit module returns a session running in the context of the Administrator user. ## Enhancements and features (2) * [#18829]() from [cdelafuente-r7]() \- Adding multiple HttpServer services in a module is sometimes complex since they share the same methods. This usually causes situations where #on_request_uri needs to be overridden to handle requests coming from each service. This updates the cmdstager and the Java HTTP ClassLoader mixins, since these are commonly used in the same module. This also updates the manageengine_servicedesk_plus_saml_rce_cve_2022_47966 module to make use of these new changes. * [#19229]() from [softScheck]() \- The junos_phprc_auto_prepend_file module used to depend on having a user authenticated to the J-Web application to steal the necessary session tokens in order to exploit. With this enhancement the module will now create a session if one doesn't exist. Also it adds datastore options to change the hash format to be compatible with older versions as well an option to attempt to set ssh root login to true before attempting to establish a root ssh session. ## Bugs fixed (4) * [#19176]() from [Fufu-btw]() \- This adds the x86 and x64 architectures to the `exploit/windows/http/dnn_cookie_deserialization_rce` module's target metadata. * [#19253]() from [aaronjfeingold]() \- This fixes an incorrect CVE reference in the `exploit/unix/http/zivif_ipcheck_exec` module. * [#19256]() from [adfoster-r7]() \- Fix warnings in acceptance tests. * [#19261]() from [zeroSteiner]() \- Fixed powershell_base64 encoder to execute encoded strings correctly. ## Documentation You can find the latest Metasploit documentation on our docsite at [docs.metasploit.com](). ## Get it As always, you can update to the latest Metasploit Framework with `msfupdate` and you can get more details on the changes since the last blog post from GitHub: * [Pull Requests 6.4.13...6.4.14]() * [Full diff 6.4.13...6.4.14]() If you are a `git` user, you can clone the [Metasploit Framework repo]() (master branch) for the latest. To install fresh without using git, you can use the open-source-only [Nightly Installers]() or the commercial edition [Metasploit Pro]() [![Metasploit Weekly Wrap-Up 06/21/2024](https://blog.rapid7.com/content/images/2024/06/cta2.png)]( "Insight IDR" )

Query Builder