From 607fb09391b976c79573dee21888548db7b751b6 Mon Sep 17 00:00:00 2001
From: Metasploit
Date: Wed, 17 Apr 2024 09:16:24 -0500
Subject: [PATCH] automatic module_metadata_base.json update
---
db/modules_metadata_base.json | 8 ++++----
1 file changed, 4 insertions(+), 4 deletions(-)
diff --git a/db/modules_metadata_base.json b/db/modules_metadata_base.json
index 7b5e60b5a2dd..22af1cdbf45c 100644
--- a/db/modules_metadata_base.json
+++ b/db/modules_metadata_base.json
@@ -65531,7 +65531,7 @@ "Ron Bowes", "jheysel-r7" ], - "description": "This module exploits a PHP environment variable manipulation vulnerability affecting Juniper SRX firewalls\n and EX switches. The affected Juniper devices run FreeBSD and every FreeBSD process can access their stdin\n by opening /dev/fd/0. The exploit also makes use of two useful PHP features. The first being\n 'auto_prepend_file' which causes the provided file to be added using the 'require' function. The second PHP\n function is 'allow_url_include' which allows the use of URL-aware fopen wrappers. By enabling\n allow_url_include, the exploit can use any protocol wrapper with auto_prepend_file. The module then uses\n data:// to provide a file inline which includes the base64 encoded PHP payload.\n\n By default this exploit returns a session confined to a FreeBSD jail with limited functionality. There is a\n datastore option 'JAIL_BREAK', that when set to true, will steal the necessary tokens from a user authenticated\n to the J-Web application, in order to overwrite the the root password hash. If there is no user\n authenticated to the J-Web application this method will not work. The module then authenticates\n with the new root password over SSH and then rewrites the original root password hash to /etc/master.passwd.", + "description": "This module exploits a PHP environment variable manipulation vulnerability affecting Juniper SRX firewalls\n and EX switches. The affected Juniper devices run FreeBSD and every FreeBSD process can access their stdin\n by opening /dev/fd/0. The exploit also makes use of two useful PHP features. The first being\n 'auto_prepend_file' which causes the provided file to be added using the 'require' function. The second PHP\n function is 'allow_url_include' which allows the use of URL-aware fopen wrappers. By enabling\n allow_url_include, the exploit can use any protocol wrapper with auto_prepend_file. 
The module then uses\n data:// to provide a file inline which includes the base64 encoded PHP payload.\n\n By default this exploit returns a session confined to a FreeBSD jail with limited functionality. There is a\n datastore option 'JAIL_BREAK', that when set to true, will steal the necessary tokens from a user authenticated\n to the J-Web application, in order to overwrite the root password hash. If there is no user\n authenticated to the J-Web application this method will not work. The module then authenticates\n with the new root password over SSH and then rewrites the original root password hash to /etc/master.passwd.", "references": [ "URL-https://labs.watchtowr.com/cve-2023-36844-and-friends-rce-in-juniper-firewalls/", "URL-https://vulncheck.com/blog/juniper-cve-2023-36845", @@ -65560,7 +65560,7 @@ "PHP In-Memory", "Interactive SSH with jail break" ], - "mod_time": "2023-09-29 11:40:03 +0000", + "mod_time": "2024-04-15 11:06:50 +0000", "path": "/modules/exploits/freebsd/http/junos_phprc_auto_prepend_file.rb", "is_install_path": true, "ref_name": "freebsd/http/junos_phprc_auto_prepend_file", @@ -88658,7 +88658,7 @@ "Linux Command", "Unix Command" ], - "mod_time": "2023-11-07 09:21:04 +0000", + "mod_time": "2024-04-15 11:06:50 +0000", "path": "/modules/exploits/linux/misc/cisco_ios_xe_rce.rb", "is_install_path": true, "ref_name": "linux/misc/cisco_ios_xe_rce", @@ -163208,7 +163208,7 @@ "targets": [ "Windows Command" ], - "mod_time": "2023-05-08 12:11:01 +0000", + "mod_time": "2024-04-15 11:06:50 +0000", "path": "/modules/exploits/windows/http/manageengine_adaudit_plus_authenticated_rce.rb", "is_install_path": true, "ref_name": "windows/http/manageengine_adaudit_plus_authenticated_rce",