From 422acd3145a295a8f3a839495385ffda84668048 Mon Sep 17 00:00:00 2001
From: Metasploit <metasploit@rapid7.com>
Date: Tue, 21 May 2024 14:15:48 -0500
Subject: [PATCH] automatic module_metadata_base.json update

---
 db/modules_metadata_base.json | 63 +++++++++++++++++++++++++++++++++++
 1 file changed, 63 insertions(+)

diff --git a/db/modules_metadata_base.json b/db/modules_metadata_base.json
index 7fe2b0d174..e490cc9242 100644
--- a/db/modules_metadata_base.json
+++ b/db/modules_metadata_base.json
@@ -165454,6 +165454,69 @@
     "session_types": false,
     "needs_cleanup": null
   },
+  "exploit_windows/http/northstar_c2_xss_to_agent_rce": {
+    "name": "NorthStar C2 XSS to Agent RCE",
+    "fullname": "exploit/windows/http/northstar_c2_xss_to_agent_rce",
+    "aliases": [
+
+    ],
+    "rank": 600,
+    "disclosure_date": "2024-03-12",
+    "type": "exploit",
+    "author": [
+      "h00die",
+      "chebuya"
+    ],
+    "description": "NorthStar C2, prior to commit 7674a44 on March 11 2024, contains a vulnerability where the logs page is\n          vulnerable to a stored xss.\n          An unauthenticated user can simulate an agent registration to cause the XSS and take over a users session.\n          With this access, it is then possible to run a new payload on all of the NorthStar C2 compromised hosts\n          (agents), and kill the original agent.\n\n          Successfully tested against NorthStar C2 commit e7fdce148b6a81516e8aa5e5e037acd082611f73 running on\n          Ubuntu 22.04. The agent was running on Windows 10 19045.",
+    "references": [
+      "URL-https://blog.chebuya.com/posts/discovering-cve-2024-28741-remote-code-execution-on-northstar-c2-agents-via-pre-auth-stored-xss/",
+      "URL-https://github.com/chebuya/CVE-2024-28741-northstar-agent-rce-poc",
+      "URL-https://github.com/EnginDemirbilek/NorthStarC2/commit/7674a4457fca83058a157c03aa7bccd02f4a213c",
+      "CVE-2024-28741"
+    ],
+    "platform": "Windows",
+    "arch": "cmd",
+    "rport": 80,
+    "autofilter_ports": [
+      80,
+      8080,
+      443,
+      8000,
+      8888,
+      8880,
+      8008,
+      3000,
+      8443
+    ],
+    "autofilter_services": [
+      "http",
+      "https"
+    ],
+    "targets": [
+      "Automatic Target"
+    ],
+    "mod_time": "2024-04-24 16:54:58 +0000",
+    "path": "/modules/exploits/windows/http/northstar_c2_xss_to_agent_rce.rb",
+    "is_install_path": true,
+    "ref_name": "windows/http/northstar_c2_xss_to_agent_rce",
+    "check": true,
+    "post_auth": false,
+    "default_credential": false,
+    "notes": {
+      "Stability": [
+        "crash-safe"
+      ],
+      "Reliability": [
+        "event-dependent"
+      ],
+      "SideEffects": [
+        "ioc-in-logs",
+        "artifacts-on-disk"
+      ]
+    },
+    "session_types": false,
+    "needs_cleanup": null
+  },
   "exploit_windows/http/novell_imanager_upload": {
     "name": "Novell iManager getMultiPartParameters Arbitrary File Upload",
     "fullname": "exploit/windows/http/novell_imanager_upload",