review of chaos rat

h00die · May 13, 2024 · d1739f3 · d1739f3
1 parent 7f02902
commit d1739f3
Show file tree

Hide file tree

Showing 2 changed files with 8 additions and 14 deletions.
diff --git a/documentation/modules/exploit/linux/http/chaos_rat_xss_to_rce.md b/documentation/modules/exploit/linux/http/chaos_rat_xss_to_rce.md
@@ -1,7 +1,7 @@
 ## Vulnerable Application
 
 CHAOS v5.0.8 is a free and open-source Remote Administration Tool that
-allow generate binaries to control remote operating systems. The
+allows generated binaries to control remote operating systems. The
 webapp contains a remote command execution vulnerability which
 can be triggered by an authenticated user when generating a new
 executable. The webapp also contains an XSS vulnerability within
@@ -43,11 +43,11 @@ to expand the menu, select `Manage`, `Generate Client`. Click `Build`.
 
 ### USERNAME
 
-User to login with, defaults for CHAOS is `admin`.
+User to login with, default for CHAOS is `admin`.
 
 ### PASSWORD
 
-Password to login with, defaults for CHAOS is `admin`.
+Password to login with, default for CHAOS is `admin`.
 
 ### JWT
 

diff --git a/modules/exploits/linux/http/chaos_rat_xss_to_rce.rb b/modules/exploits/linux/http/chaos_rat_xss_to_rce.rb
@@ -18,7 +18,7 @@ def initialize(info = {})
         'Name' => 'Chaos RAT XSS to RCE',
         'Description' => %q{
           CHAOS v5.0.8 is a free and open-source Remote Administration Tool that
-          allow generate binaries to control remote operating systems. The
+          allows generated binaries to control remote operating systems. The
           webapp contains a remote command execution vulnerability which
           can be triggered by an authenticated user when generating a new
           executable. The webapp also contains an XSS vulnerability within
@@ -72,8 +72,8 @@ def initialize(info = {})
     register_options(
       [
         Opt::RPORT(8080),
-        OptString.new('USERNAME', [ false, 'User to login with']),
-        OptString.new('PASSWORD', [ false, 'Password to login with']),
+        OptString.new('USERNAME', [ false, 'User to login with']), # admin
+        OptString.new('PASSWORD', [ false, 'Password to login with']), # admin
         OptString.new('TARGETURI', [ true, 'The URI of the Chaos Application', '/']),
         OptString.new('JWT', [ false, 'Agent JWT Token of the malware']),
         OptPath.new('AGENT', [ false, 'A Chaos Agent Binary'])
@@ -362,7 +362,7 @@ def exploit
            datastore['AGENT']
       fail_with(Failure::BadConfig, 'Username and password, or JWT, or AGENT path required')
     end
-    fail_with(Failure::BadConfig, 'SRVHOST can not be 0.0.0.0, must be a valid IP address') if datastore['SRVHOST'] == '0.0.0.0'
+    fail_with(Failure::BadConfig, 'SRVHOST can not be 0.0.0.0, must be a valid IP address') if Rex::Socket.addr_atoi(datastore['SRVHOST']) == 0
 
     @xss_response_received = false
 
@@ -412,13 +412,7 @@ def cleanup
         print_error("Failed to stop http server due to #{e}")
       end
     end
-    @threads.each(&:kill) # no need for these anymore
+    @threads.each(&:kill) unless @threads.nil? # no need for these anymore
     super
   end
-
-  def on_new_session(session)
-    super
-    cleanup
-  end
-
 end