Share
## https://sploitus.com/exploit?id=9FC49DAC-96BF-5E1D-9523-94023777BF26
# CVE-2024-4577 - PHP CGI Argument Injection Detection Lab

A complete detection engineering lab for **CVE-2024-4577** (PHP CGI Argument Injection). Includes pre-built Vagrant boxes, Wazuh SIEM rules, and exploit tools for Blue Team training.

## What's Included

- **Windows Server 2022 VM** - Vulnerable XAMPP + PHP-CGI, Sysmon, Wazuh Agent
- **Kali Linux VM** - Pre-installed exploit scripts
- **Wazuh SIEM** - Docker-based with 54 production detection rules
- **Detection Rules** - Wazuh XML, Sigma YAML, IOCs

## Quick Start

### Prerequisites
- [Vagrant](https://www.vagrantup.com/downloads) 2.3+
- [VirtualBox](https://www.virtualbox.org/wiki/Downloads) 7.0+
- [Docker](https://docs.docker.com/get-docker/)
- 12GB RAM minimum

### 1. Start Wazuh SIEM
```bash
cd wazuh
docker compose up -d
# Dashboard: https://localhost:443 (admin / SecretPassword)
```

### 2. Start Lab VMs
```bash
vagrant up
# Downloads ~12GB on first run
```

### 3. Get VM IPs
```bash
VBoxManage guestproperty enumerate "DetectionLab-Windows" | grep IP
VBoxManage guestproperty enumerate "DetectionLab-Kali" | grep IP
```

### 4. Launch Attack
```bash
vagrant ssh kali
python3 ~/exploits/CVE-2024-4577.py --url http:/// --cmd "whoami"
```

### 5. See Detection
Wazuh Dashboard -> Discover -> Filter: `rule.id: 100442`

## Vagrant Boxes

Pre-built boxes on HCP Vagrant Registry:
- `CVE-2024-4577/windows` - Windows Server 2022 target
- `CVE-2024-4577/kali` - Kali Linux attacker

## Detection Coverage (54 rules)

| Layer | Detection | MITRE ATT&CK |
|-------|-----------|--------------|
| Web Log | Soft hyphen variants, PHP wrappers | T1190 |
| Process | php-cgi.exe spawning cmd/powershell | T1059 |
| File | Webshell drops in htdocs | T1505.003 |
| Credential | LSASS, SAM dump, Mimikatz | T1003 |
| Lateral | PsExec, WMI, WinRM | T1021 |
| Persistence | Scheduled tasks, services, registry | T1053, T1543 |

## Credentials

| System | Username | Password |
|--------|----------|----------|
| Windows VM | Administrator | DetectionLab123! |
| Kali VM | kali | kali |
| Wazuh | admin | SecretPassword |

## Project Structure

```
CVE-2024-4577/
โ”œโ”€โ”€ Vagrantfile           # Lab VM definitions
โ”œโ”€โ”€ README.md             # This file
โ”œโ”€โ”€ detections/           # Detection rules
โ”‚   โ”œโ”€โ”€ wazuh-rules.xml   # 54 Wazuh detection rules
โ”‚   โ”œโ”€โ”€ sigma-rules.yml   # Sigma format rules
โ”‚   โ”œโ”€โ”€ iocs.json         # Indicators of Compromise
โ”‚   โ””โ”€โ”€ detection-guide.md
โ””โ”€โ”€ wazuh/                # Wazuh SIEM stack
    โ””โ”€โ”€ docker-compose.yml
```

## CVE Details

- **CVE ID**: CVE-2024-4577
- **Type**: Remote Code Execution
- **CVSS**: 9.8 (Critical)
- **Affected**: PHP 8.1 < 8.1.29, 8.2 < 8.2.20, 8.3 < 8.3.8 (Windows + CGI mode)
- **Root Cause**: Soft hyphen (0xAD) bypasses CVE-2012-1823 fix in Windows Best-Fit encoding

## License

MIT