CHAOS rat xss to rce #19104
Conversation
@chebuya wanted to bring this to your attention since you discovered it
documentation/modules/exploit/linux/http/chaos_rat_xss_to_rce.md
data.add_part("http://localhost\'$(#{payload.encoded})\'", nil, nil, 'form-data; name="address"')
data.add_part('8080', nil, nil, 'form-data; name="port"')
data.add_part('1', nil, nil, 'form-data; name="os_target"') # 1 windows, 2 linux
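Review bot: the trailing comment on the os_target part ("1 windows, 2 linux") reads as if the module can choose a Windows target, while the module lives under modules/exploit/linux and the reply below states the value makes no difference to the injection; expand the comment to say that 1 is simply the builder's default and does not affect exploitation, so a later maintainer does not add a Windows target on the strength of that comment.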
This module is in the modules/exploit/linux folder - can this be exploited on Windows as well?
In theory you likely could run this software on Windows, it's written in Golang. The install instructions only mention Linux, and the docker image is Linux (not surprising), so I think Windows installs are minimal if existent at all.
However, this specific option is for when the admin is building a new payload to run on a victim. The option here actually makes no difference, I just opted for 1 since it's the default.
# Handle the HTTP request and return a response. Code borrowed from:
# msf/core/exploit/http/server.rb
#
def start_http_service(opts = {})
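Review bot: the header comment says where this code is borrowed from but not why the HTTPServer mixin is bypassed; record the reason given further down in the thread (the credential route needs no listener, so the server is only started for the routes that need it) in the comment itself, otherwise the duplicated server code invites being folded back into the mixin without that context.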
This could probably be handled by the HTTPServer mixin. Also, the HTML mixin can return a webpage if needed.
Normally that's how I would handle it, however the direct login method doesn't need an HTTP server, so I wanted to avoid launching it if it wasn't needed. I thought this would be the more efficient route to avoid some kind of potential HTTP server error when it launches (bad IP, port used, etc.) when it wasn't required anyways.
Tested and seems to be working as intended 👍 Happy to land once the rest of the feedback is resolved.
Credential method
Agent method
JWT method
Release Notes
Adds an exploit for CHAOS v5.0.8, which contains a remote command execution vulnerability which
CHAOS v5.0.8 is a free and open-source Remote Administration Tool that
allows generating binaries to control remote operating systems. The
webapp contains a remote command execution vulnerability which
can be triggered by an authenticated user when generating a new
executable. The webapp also contains an XSS vulnerability within
the view of a returned command being executed on an agent.
Execution can happen through one of three routes:
- A JWT token from an agent can be provided to emulate a compromised host. If a logged-in user attempts to execute a command on the host, the returned value contains an XSS payload.
- A JWT token can be extracted.
Verified against CHAOS
7d5b20ad7e58e5b525abdcb3a12514b88e87cef2
running in a docker container.
Verification
use exploit/linux/http/chaos_rat_xss_to_rce
set rhost [ip]
set username [username]
set password [password]
set jwt [jwt token]
set agent [path to agent]
run
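The command injection described above lives in the builder form's address field, which the module fills with a quoted `$(...)` substitution. As an added example (not CHAOS's code and not part of this PR), here is how a Go builder endpoint could validate the three form fields and hand the build to exec.Command as an argv slice, so a substitution never reaches a shell; the BuildRequest type, the safeHost pattern and the go build flags are assumptions.

```go
package main

import (
	"errors"
	"fmt"
	"net/url"
	"regexp"
	"strconv"
)

// BuildRequest mirrors the three multipart fields the module posts to the
// agent builder (address, port, os_target). Hypothetical type, not CHAOS's own.
type BuildRequest struct{ Address, Port, OSTarget string }

// Only DNS-label characters or an IPv4 literal. url.Parse alone is not enough:
// Go accepts RFC 3986 sub-delims such as ' $ ( ) ; inside the host component.
var safeHost = regexp.MustCompile(`^[A-Za-z0-9][A-Za-z0-9.-]{0,252}$`)

// ValidateBuildRequest accepts only a bare http(s) URL with a clean host, a
// numeric port and a known os_target, so nothing shell-significant survives.
func ValidateBuildRequest(r BuildRequest) error {
	u, err := url.Parse(r.Address)
	if err != nil || (u.Scheme != "http" && u.Scheme != "https") || u.User != nil {
		return errors.New("address must be a plain http(s) URL")
	}
	if u.Port() != "" || u.RawQuery != "" || u.Fragment != "" || (u.Path != "" && u.Path != "/") {
		return errors.New("address must contain only scheme and host")
	}
	if !safeHost.MatchString(u.Hostname()) {
		return fmt.Errorf("invalid host %q", u.Hostname())
	}
	if p, err := strconv.Atoi(r.Port); err != nil || p < 1 || p > 65535 {
		return errors.New("port must be an integer in 1-65535")
	}
	if r.OSTarget != "1" && r.OSTarget != "2" {
		return errors.New("os_target must be 1 (windows) or 2 (linux)")
	}
	return nil
}

// BuildArgv returns an argv slice for exec.Command, which never goes through
// /bin/sh, so "$(...)" stays literal bytes. The flag names are illustrative only.
func BuildArgv(r BuildRequest) []string {
	return []string{"go", "build", "-ldflags", "-X main.server=" + r.Address + ":" + r.Port, "-o", "agent-" + r.OSTarget}
}
func main() {
	for _, a := range []string{"http://10.0.0.5", "http://localhost'$(true)'"} { // constructed inputs
		fmt.Println(a, "->", ValidateBuildRequest(BuildRequest{a, "8080", "1"}))
	}
}
```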