Share
## https://sploitus.com/exploit?id=9FC49DAC-96BF-5E1D-9523-94023777BF26
# CVE-2024-4577 - PHP CGI Argument Injection Detection Lab
A complete detection engineering lab for **CVE-2024-4577** (PHP CGI Argument Injection). Includes pre-built Vagrant boxes, Wazuh SIEM rules, and exploit tools for Blue Team training.
## What's Included
- **Windows Server 2022 VM** - Vulnerable XAMPP + PHP-CGI, Sysmon, Wazuh Agent
- **Kali Linux VM** - Pre-installed exploit scripts
- **Wazuh SIEM** - Docker-based with 54 production detection rules
- **Detection Rules** - Wazuh XML, Sigma YAML, IOCs
## Quick Start
### Prerequisites
- [Vagrant](https://www.vagrantup.com/downloads) 2.3+
- [VirtualBox](https://www.virtualbox.org/wiki/Downloads) 7.0+
- [Docker](https://docs.docker.com/get-docker/)
- 12GB RAM minimum
### 1. Start Wazuh SIEM
```bash
cd wazuh
docker compose up -d
# Dashboard: https://localhost:443 (admin / SecretPassword)
```
### 2. Start Lab VMs
```bash
vagrant up
# Downloads ~12GB on first run
```
### 3. Get VM IPs
```bash
VBoxManage guestproperty enumerate "DetectionLab-Windows" | grep IP
VBoxManage guestproperty enumerate "DetectionLab-Kali" | grep IP
```
### 4. Launch Attack
```bash
vagrant ssh kali
python3 ~/exploits/CVE-2024-4577.py --url http:/// --cmd "whoami"
```
### 5. See Detection
Wazuh Dashboard -> Discover -> Filter: `rule.id: 100442`
## Vagrant Boxes
Pre-built boxes on HCP Vagrant Registry:
- `CVE-2024-4577/windows` - Windows Server 2022 target
- `CVE-2024-4577/kali` - Kali Linux attacker
## Detection Coverage (54 rules)
| Layer | Detection | MITRE ATT&CK |
|-------|-----------|--------------|
| Web Log | Soft hyphen variants, PHP wrappers | T1190 |
| Process | php-cgi.exe spawning cmd/powershell | T1059 |
| File | Webshell drops in htdocs | T1505.003 |
| Credential | LSASS, SAM dump, Mimikatz | T1003 |
| Lateral | PsExec, WMI, WinRM | T1021 |
| Persistence | Scheduled tasks, services, registry | T1053, T1543 |
## Credentials
| System | Username | Password |
|--------|----------|----------|
| Windows VM | Administrator | DetectionLab123! |
| Kali VM | kali | kali |
| Wazuh | admin | SecretPassword |
## Project Structure
```
CVE-2024-4577/
โโโ Vagrantfile # Lab VM definitions
โโโ README.md # This file
โโโ detections/ # Detection rules
โ โโโ wazuh-rules.xml # 54 Wazuh detection rules
โ โโโ sigma-rules.yml # Sigma format rules
โ โโโ iocs.json # Indicators of Compromise
โ โโโ detection-guide.md
โโโ wazuh/ # Wazuh SIEM stack
โโโ docker-compose.yml
```
## CVE Details
- **CVE ID**: CVE-2024-4577
- **Type**: Remote Code Execution
- **CVSS**: 9.8 (Critical)
- **Affected**: PHP 8.1 < 8.1.29, 8.2 < 8.2.20, 8.3 < 8.3.8 (Windows + CGI mode)
- **Root Cause**: Soft hyphen (0xAD) bypasses CVE-2012-1823 fix in Windows Best-Fit encoding
## License
MIT