Tsunami is a general purpose network security scanner with an extensible plugin system for detecting high severity vulnerabilities with high confidence.
Apache License 2.0
Additional RCE payloads for Tsunami scanner payload generator #110
This PR adds 4 additional RCE payloads to the Tsunami scanner payload generator:
- linux_root_crontab - Triggers RCE via crontab. It's for Arbitrary File Write with root privilege vulnerabilities. The generated payload must be written to the /etc/cron.d directory, e.g. /etc/cron.d/tsunami_rce_cron.
- linux_curl_trace_read - A curl --trace payload for blind RCE detection, for cases when an attacker is able to read files (Arbitrary File Read) after a blind RCE. See the Selenium Grid RCE detector for an example of such a vulnerability. This payload saves an RCE detection string in the /tmp/tsunami-rce file, which can then be read via the additional Arbitrary File Read vuln in order to confirm that the curl command executed successfully, via payload.checkIfExecuted(traceFileContents).
- windows_callback - Confirms RCE by opening the callback URL with powershell and the Invoke-WebRequest command on Windows systems. It's the equivalent of the linux_callback payload for Linux.
- windows_echo - Confirms reflected RCE by printing an RCE detection string with a random value with powershell and echo on Windows systems. It's the equivalent of the linux_printf payload for Linux.
Testbeds
I created the following docker testbeds for testing purposes:
- Arbitrary File Write, for testing linux_root_crontab
- RCE + Arbitrary File Read, for testing linux_curl_trace_read
Example use of the payloads in detectors
linux_root_crontab
```java
// Example detector logic for the linux_root_crontab payload (Arbitrary File
// Write with root privilege). The enclosing method signature and the
// writeContentsToFile helper are assumed here; the original is a fragment.
private static final String RCE_CRON_PATH = "/etc/cron.d/tsunami_rce_cron";

private boolean confirmRceViaCrontab(NetworkService networkService) {
  PayloadGeneratorConfig config =
      PayloadGeneratorConfig.newBuilder()
          .setVulnerabilityType(PayloadGeneratorConfig.VulnerabilityType.ARBITRARY_FILE_WRITE)
          .setInterpretationEnvironment(
              PayloadGeneratorConfig.InterpretationEnvironment.LINUX_ROOT_CRONTAB)
          .setExecutionEnvironment(
              PayloadGeneratorConfig.ExecutionEnvironment.EXEC_INTERPRETATION_ENVIRONMENT)
          .build();
  Payload payload = this.payloadGenerator.generate(config);
  String crontabEntry = payload.getPayload();
  if (payload.getPayloadAttributes().getUsesCallbackServer()) {
    // Save the cron payload in /etc/cron.d/ and wait for the RCE callback.
    var unused = writeContentsToFile(networkService, RCE_CRON_PATH, crontabEntry);
    // cron evaluates /etc/cron.d entries at minute granularity, so the job
    // should run within about 1 min; wait slightly longer before checking.
    logger.atInfo().log("Waiting for RCE callback from the cronjob.");
    try {
      Thread.sleep(65000);
    } catch (InterruptedException e) {
      logger.atWarning().withCause(e).log("Failed to wait for RCE result");
    }
    return payload.checkIfExecuted();
  }
  // Only the callback-server case is handled in this snippet.
  return false;
}
```
linux_curl_trace_read
```java
// Example detector logic for the linux_curl_trace_read payload (blind RCE
// plus Arbitrary File Read). The enclosing method signature and the
// executeCommand / readFileContents helpers are assumed here.
private static final String CURL_TRACE_PATH = "/tmp/tsunami-rce";

private boolean confirmBlindRceViaCurlTrace(NetworkService networkService) {
  PayloadGeneratorConfig config =
      PayloadGeneratorConfig.newBuilder()
          .setVulnerabilityType(PayloadGeneratorConfig.VulnerabilityType.BLIND_RCE_FILE_READ)
          .setInterpretationEnvironment(
              PayloadGeneratorConfig.InterpretationEnvironment.LINUX_SHELL)
          .setExecutionEnvironment(
              PayloadGeneratorConfig.ExecutionEnvironment.EXEC_INTERPRETATION_ENVIRONMENT)
          .build();
  Payload payload = this.payloadGenerator.generate(config);
  String curlPayload = payload.getPayload();
  // Confirm RCE with a curl trace file write + read when the callback server is disabled.
  if (!payload.getPayloadAttributes().getUsesCallbackServer()) {
    // Execute the curl --trace command to inject the RCE detection string into the trace log.
    var unused = executeCommand(networkService, curlPayload);
    // The curl trace log should now contain the RCE detection string.
    String fileContents = readFileContents(networkService, CURL_TRACE_PATH);
    return payload.checkIfExecuted(fileContents);
  }
  // Only the file-read confirmation path is shown in this snippet.
  return false;
}
```
Both of the payloads can be tested on the provided testbeds.
Best Regards, Dawid Golunski
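An added Python example (not part of this PR or of Tsunami) of the read-back side of linux_curl_trace_read: it decodes the hex-dump rows of a curl --trace file and searches the reassembled bytes for the detection string. It assumes the detection string lands inside a dumped request block; the marker value, the regexes and the sample trace are constructed here, and Tsunami's own checkIfExecuted(traceFileContents) matching is not shown on this page.

```python
import re

# Constructed marker for this example; Tsunami's per-scan detection strings
# come from its payload generator and are not shown on the page.
MARKER = "tsunami-rce-TEST-0123456789abcdef"

# One hex-dump row in `curl --trace` output: "0010: " + 16 x "xx " + ASCII.
HEX_ROW = re.compile(r"^[0-9a-f]{4}: ((?:[0-9a-f]{2} |   ){16})(.*)$")
BLOCK_HDR = re.compile(r"^(?:=>|<=) (Send|Recv) (\w+), (\d+) bytes")

def curl_style_hexdump(data: bytes) -> str:
    """Render bytes as curl's trace hex dump (used to build the sample)."""
    rows = []
    for off in range(0, len(data), 16):
        chunk = data[off:off + 16]
        hexpart = "".join(f"{b:02x} " for b in chunk).ljust(48)
        text = "".join(chr(b) if 32 <= b < 127 else "." for b in chunk)
        rows.append(f"{off:04x}: {hexpart}{text}")
    return "\n".join(rows)

def decode_trace_blocks(trace: str) -> list[tuple[str, bytes]]:
    """Reassemble each Send/Recv block from the hex columns. The ASCII
    column is for humans: a value that straddles a 16-byte row boundary
    is contiguous only after the hex is decoded."""
    blocks: list[tuple[str, bytearray]] = []
    for line in trace.splitlines():
        hdr = BLOCK_HDR.match(line)
        if hdr:
            blocks.append((f"{hdr.group(1)} {hdr.group(2)}", bytearray()))
            continue
        row = HEX_ROW.match(line)
        if row and blocks:
            blocks[-1][1].extend(bytes.fromhex(row.group(1).replace(" ", "")))
    return [(name, bytes(buf)) for name, buf in blocks]

def marker_in_trace(trace: str, marker: str) -> bool:
    """Search the decoded bytes of every block rather than the raw text."""
    needle = marker.encode()
    return any(needle in data for _, data in decode_trace_blocks(trace))

def build_sample_trace(marker: str) -> str:
    """Constructed trace of one request whose path carries the marker."""
    request = (f"GET /{marker} HTTP/1.1\r\nHost: 127.0.0.1\r\n"
               "User-Agent: curl/8.4.0\r\nAccept: */*\r\n\r\n").encode()
    return ("== Info: Connected to 127.0.0.1 (127.0.0.1) port 8080\n"
            f"=> Send header, {len(request)} bytes (0x{len(request):x})\n"
            f"{curl_style_hexdump(request)}\n== Info: Closing connection\n")
```

A plain substring search over the trace text misses the marker when curl wraps it across 16-byte rows, which is what the sample trace demonstrates; a reader that checks the file contents should decode the hex columns first.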