added default options and updated documentation

h00die-gr3y · bwatters-r7 · commit 215957465cf3 · 2025-02-20T13:19:41.000-06:00
diff --git a/documentation/modules/exploit/linux/http/raspberrymatic_unauth_rce_cve_2024_24578.md b/documentation/modules/exploit/linux/http/raspberrymatic_unauth_rce_cve_2024_24578.md
@@ -108,3 +108,5 @@ meterpreter >
 ## Limitations
 You have to wait maximum five minutes for a session to allow `cron` to run the malicious watchdog script
 containing the payload. Just be patient and wait for the magic to happen ;-)
+Another limitation is that the root filesystem on RaspberyMatic image is mounted read-only, so you need to set the
+option `FETCH_WRITABLE_DIR` to `/tmp` (this is mounted RW) otherwise the exploit will fail.
diff --git a/modules/exploits/linux/http/raspberrymatic_unauth_rce_cve_2024_24578.rb b/modules/exploits/linux/http/raspberrymatic_unauth_rce_cve_2024_24578.rb
@@ -49,7 +49,11 @@ def initialize(info = {})
             {
               'Platform' => ['unix', 'linux'],
               'Arch' => [ARCH_CMD],
-              'Type' => :unix_cmd
+              'Type' => :unix_cmd,
+              'DefaultOptions' => {
+                'PAYLOAD' => 'cmd/linux/http/aarch64/meterpreter_reverse_tcp',
+                'FETCH_WRITABLE_DIR' => '/tmp'
+              }
             }
           ]
         ],

Original file line number	Diff line number	Diff line change
`@@ -49,7 +49,11 @@ def initialize(info = {})`
`49`	`49`	`{`
`50`	`50`	`'Platform' => ['unix', 'linux'],`
`51`	`51`	`'Arch' => [ARCH_CMD],`
`52`		`- 'Type' => :unix_cmd`
	`52`	`+ 'Type' => :unix_cmd,`
	`53`	`+ 'DefaultOptions' => {`
	`54`	`+ 'PAYLOAD' => 'cmd/linux/http/aarch64/meterpreter_reverse_tcp',`
	`55`	`+ 'FETCH_WRITABLE_DIR' => '/tmp'`
	`56`	`+ }`
`53`	`57`	`}`
`54`	`58`	`]`
`55`	`59`	`],`