From d1739f32c272515b089ade938525d65aa25933e5 Mon Sep 17 00:00:00 2001
From: h00die
Date: Mon, 13 May 2024 16:55:43 -0400
Subject: [PATCH] review of chaos rat
---
 .../exploit/linux/http/chaos_rat_xss_to_rce.md | 6 +++---
 .../exploits/linux/http/chaos_rat_xss_to_rce.rb | 16 +++++-----------
 2 files changed, 8 insertions(+), 14 deletions(-)
diff --git a/documentation/modules/exploit/linux/http/chaos_rat_xss_to_rce.md b/documentation/modules/exploit/linux/http/chaos_rat_xss_to_rce.md
index 988d2dbbbeab..fc81fbf5b033 100644
--- a/documentation/modules/exploit/linux/http/chaos_rat_xss_to_rce.md
+++ b/documentation/modules/exploit/linux/http/chaos_rat_xss_to_rce.md
@@ -1,7 +1,7 @@
 ## Vulnerable Application
 CHAOS v5.0.8 is a free and open-source Remote Administration Tool that
-allow generate binaries to control remote operating systems. The
+allows generated binaries to control remote operating systems. The
 webapp contains a remote command execution vulnerability which can be triggered by an authenticated user when generating a new executable. The webapp also contains an XSS vulnerability within
@@ -43,11 +43,11 @@ to expand the menu, select `Manage`, `Generate Client`. Click `Build`.
 ### USERNAME
-User to login with, defaults for CHAOS is `admin`.
+User to login with, default for CHAOS is `admin`.
 ### PASSWORD
-Password to login with, defaults for CHAOS is `admin`.
+Password to login with, default for CHAOS is `admin`.
 ### JWT
diff --git a/modules/exploits/linux/http/chaos_rat_xss_to_rce.rb b/modules/exploits/linux/http/chaos_rat_xss_to_rce.rb
index 43362450412e..bc696c880e64 100644
--- a/modules/exploits/linux/http/chaos_rat_xss_to_rce.rb
+++ b/modules/exploits/linux/http/chaos_rat_xss_to_rce.rb
@@ -18,7 +18,7 @@ def initialize(info = {})
 'Name' => 'Chaos RAT XSS to RCE',
 'Description' => %q{
 CHAOS v5.0.8 is a free and open-source Remote Administration Tool that
- allow generate binaries to control remote operating systems. The
+ allows generated binaries to control remote operating systems. The
 webapp contains a remote command execution vulnerability which can be triggered by an authenticated user when generating a new executable. The webapp also contains an XSS vulnerability within
@@ -72,8 +72,8 @@ def initialize(info = {})
 register_options(
 [
 Opt::RPORT(8080),
- OptString.new('USERNAME', [ false, 'User to login with']),
- OptString.new('PASSWORD', [ false, 'Password to login with']),
+ OptString.new('USERNAME', [ false, 'User to login with']), # admin
+ OptString.new('PASSWORD', [ false, 'Password to login with']), # admin
 OptString.new('TARGETURI', [ true, 'The URI of the Chaos Application', '/']),
 OptString.new('JWT', [ false, 'Agent JWT Token of the malware']),
 OptPath.new('AGENT', [ false, 'A Chaos Agent Binary'])
@@ -362,7 +362,7 @@ def exploit
 datastore['AGENT']
 fail_with(Failure::BadConfig, 'Username and password, or JWT, or AGENT path required')
 end
- fail_with(Failure::BadConfig, 'SRVHOST can not be 0.0.0.0, must be a valid IP address') if datastore['SRVHOST'] == '0.0.0.0'
+ fail_with(Failure::BadConfig, 'SRVHOST can not be 0.0.0.0, must be a valid IP address') if Rex::Socket.addr_atoi(datastore['SRVHOST']) == 0
 @xss_response_received = false
@@ -412,13 +412,7 @@ def cleanup
 print_error("Failed to stop http server due to #{e}")
 end
 end
- @threads.each(&:kill) # no need for these anymore
+ @threads.each(&:kill) unless @threads.nil? # no need for these anymore
 super
 end
-
- def on_new_session(session)
- super
- cleanup
- end
-
 end
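Review bot: In the `register_options` hunk (@@ -72,8), the trailing `# admin` comments on the USERNAME and PASSWORD options do not say what `admin` refers to. If they record the CHAOS default credential, which the module documentation in this patch gives as `admin`, say so in the comment, for example `# CHAOS ships with admin as the default username`. Alternatively put it in the option text, `'User to login with (CHAOS default: admin)'`, so it is visible wherever the option description is displayed. `initialize` starts and ends outside the hunk.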
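Review bot: In the `exploit` hunk (@@ -362,7), the new guard `Rex::Socket.addr_atoi(datastore['SRVHOST']) == 0` converts SRVHOST before anything visible checks that it is set and parseable. `addr_atoi` is not shown here; if it resolves its argument, a blank or unresolvable value would raise from inside the condition instead of ending in the `Failure::BadConfig` message. The comparison with 0 presumably also matches other spellings of the unspecified address, while the message still names only `0.0.0.0`. I would do the conversion in a small `begin`/`rescue` that calls `fail_with(Failure::BadConfig, ...)` on a conversion error, and reword the message to something like `'SRVHOST must be a specific IP address, not the unspecified address'`. `exploit` continues outside the hunk.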
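Review bot: In the `cleanup` hunk (@@ -412,13), `@threads.each(&:kill) unless @threads.nil?` is correct, but the safe-navigation form `@threads&.each(&:kill)` is the more usual Ruby idiom for a nil guard. The comment `# no need for these anymore` does not say what the threads are or why `@threads` can be nil here; a comment such as `# @threads is unset when cleanup runs before exploit has started any` would record the reason for the guard, if that is the case being handled. With `on_new_session` removed, it would also help to note that teardown now happens only when `cleanup` is called. `cleanup` starts outside the hunk.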