Today I release a simple exploit as a PoC for the 5 advisories. These were discovered by Larry W Cashdollar. The exploit runs through the following phases:
- It checks that the plugin exists.
- If it does, it generates a webshell and uploads it to the server.
- The plugin renames shells to an md5 hash; the PoC confirms this by filtering for it in the response body.
- It runs a command against the victim/target to confirm that the exploit actually succeeded.
- It then provides you with the URL to run further custom commands.
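Because the plugin renames whatever is uploaded to an md5 hash, that naming pattern is something a site owner can hunt for on disk. The check below is an added example, not part of the PoC or the plugins' code; the 32-hex-character file stem, the extension list, the `uploads/` directory and the sample files are assumptions constructed for the illustration.

```python
import os
import re
import tempfile

# Assumption: the page only says uploads are renamed "to an md5 hash";
# the 32-hex stem and the extension list are this example's choices.
MD5_STEM = re.compile(r"^[0-9a-f]{32}$", re.IGNORECASE)
SCRIPT_EXTS = {".php", ".phtml", ".php5", ".phar"}
CODE_MARKERS = (b"<?php", b"<?=")


def find_suspect_uploads(root):
    """Return sorted (path, reason) pairs for md5-named files that look executable."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            stem, ext = os.path.splitext(name)
            if not MD5_STEM.match(stem):
                continue
            path = os.path.join(dirpath, name)
            try:
                with open(path, "rb") as fh:
                    head = fh.read(4096)
            except OSError:
                continue  # unreadable file: skip rather than abort the sweep
            if ext.lower() in SCRIPT_EXTS:
                hits.append((path, "script extension"))
            elif any(marker in head for marker in CODE_MARKERS):
                hits.append((path, "PHP open tag in non-script file"))
    return sorted(hits)


def build_sample_tree(root):
    """Constructed sample data: harmless placeholder files, not real payloads."""
    samples = {
        "uploads/0123456789abcdef0123456789abcdef.php": b"<?php /* placeholder */ ?>",
        "uploads/fedcba9876543210fedcba9876543210.jpg": b"\xff\xd8\xff\xe0JFIF",
        "uploads/00112233445566778899aabbccddeeff.jpg": b"GIF89a<?php /* placeholder */ ?>",
        "uploads/holiday-photo.php.txt": b"notes",
    }
    for rel, data in samples.items():
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as fh:
            fh.write(data)


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        for path, reason in find_suspect_uploads(tmp):
            print(f"{reason}: {os.path.relpath(path, tmp)}")
```

On a real site, point `find_suspect_uploads` at the web root's upload directories and review each hit against the plugin's legitimate media files.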
To understand the thought process behind turning this CVE into a working exploit, read online here. The exploit can be found on GitHub.
You may also read "the path to automation of web attacks", which uses the attack above as an example; it can be found on SlideShare.
It was also identified that this attack now covers 5 plugins which use unlicensed software from Invedion, and the exploit was updated to exploit all of them. The CVEs are as below:
The WordPress Vulnerability Database entries for the same:
- https://wpvulndb.com/vulnerabilities/8743
- https://wpvulndb.com/vulnerabilities/8774
- https://wpvulndb.com/vulnerabilities/8773
- https://wpvulndb.com/vulnerabilities/8772
- https://wpvulndb.com/vulnerabilities/8771
The exploit is listed in the following places:
- https://www.exploit-db.com/exploits/41540/
- https://cxsecurity.com/issue/WLB-2017030065