CVE-2020-7384


A vulnerability was found in Rapid7 Metasploit (the affected version is unknown). It has been declared as critical. This vulnerability affects some unknown processing of the component APK File Handler. The manipulation with an unknown input leads to a command injection vulnerability. The CWE definition for the vulnerability is CWE-77. The software constructs all or part of a command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended command when it is sent to a downstream component. As an impact it is known to affect confidentiality, integrity, and availability.
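The CWE-77 pattern described above, shown as an added example in Ruby (Metasploit's language); it is not code from Metasploit or from the original page. The `field` value is a hypothetical stand-in for data read from an untrusted file, the samples are constructed, and `printf` stands in for the downstream tool.

```ruby
require 'open3'

# Constructed samples. The embedded command is a harmless echo marker.
BENIGN  = 'CN=Example, O=Demo'
CRAFTED = 'CN=Example$(echo INJECTED)'

# Weak form (CWE-77): the value is interpolated into a single command
# string, so /bin/sh parses it and expands $(...) before the tool runs.
def run_via_shell_string(field)
  out, _status = Open3.capture2("printf '%s' \"#{field}\"")
  out
end

# Hardened form: every argument is its own argv element, no shell is
# involved, and the value reaches the tool byte for byte.
def run_via_argv(field)
  out, _status = Open3.capture2('printf', '%s', field)
  out
end

# Defence in depth: allowlist the characters a legitimate value may
# contain and reject everything else before it gets near a command.
SAFE_FIELD = /\A[A-Za-z0-9 =,.\-]+\z/

def safe_field?(field)
  field.match?(SAFE_FIELD)
end

if __FILE__ == $PROGRAM_NAME
  [BENIGN, CRAFTED].each do |value|
    puts "input        : #{value}"
    puts "shell string : #{run_via_shell_string(value)}"
    puts "argv array   : #{run_via_argv(value)}"
    puts "allowlisted  : #{safe_field?(value)}"
    puts
  end
end
```

With the crafted value, the shell-string form returns text the input never contained, while the argv form returns the input unchanged and the allowlist rejects it.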

Exploit


┌──(kali㉿kali)-[~/archive/htb/labs/scriptkiddie]
└─$ searchsploit Metasploit Framework template APK
----------------------------------------------------------------------- ---------------------------------
 Exploit Title                                                         |  Path
----------------------------------------------------------------------- ---------------------------------
Metasploit Framework 6.0.11 - msfvenom APK template command injection  | multiple/local/49491.py
----------------------------------------------------------------------- ---------------------------------
Shellcodes: No Results
Papers: No Results

While there is a Python script for exploiting this vulnerability, I will go the manual way, as the way the web server handles the requests is rather custom.

Thankfully, the article that I found earlier has a step-by-step guide. I will ScriptKiddie my way through that.