Payloads

gdncc edited this page Apr 16, 2019 · 4 revisions

The payloads contain the actual exploit code to attack a specific vulnerable service.

Singularity supports the following attack payloads:

  • Basic fetch request (simple-fetch-get.js): This sample payload makes a GET request to the root directory ('/') and shows the server response using the fetch API. Its purpose is to serve as an example request so that contributing additional payloads is as easy as possible.
  • automatic: This payload automatically attempts to detect known services and exploit them using other payloads listed in this section or that were developed and added to Singularity by users.
  • Chrome DevTools RCE (exposed-chrome-devtools.js): This payload demonstrates a remote code execution (RCE) vulnerability in Microsoft VS Code fixed in version 1.19.3. This payload can be adapted to exploit any software that exposes Chrome Dev Tools on localhost.
  • Etcd k/v dump (etcd.js): This payload retrieves the keys and values from the etcd key-value store.
  • pyethapp (pyethapp.js): Exploits the Python implementation of the Ethereum client Pyethapp to get the list of owned eth addresses and retrieve the balance of the first eth address.
  • Rails Console RCE (rails-console-rce.js): Performs a remote code execution (RCE) attack on the Rails Web Console.
  • AWS Metadata Exfil (aws-metadata-exfil.js): Forces a headless browser to exfiltrate AWS metadata, including private keys, to a given host. Check the payload contents for additional details on how to set up the attack.
  • Duplicati RCE (duplicati-rce.js): This payload exploits the Duplicati backup client and performs a remote code execution (RCE) attack. For this attack to work, parameter targetURL in file payload-duplicati-rce.html must be updated to point to a valid Duplicati backup containing the actual RCE payload, a shell script.
  • WebPDB (webpdb.js): A generic RCE payload to exploit pdb, the Python debugger, when it is exposed via WebSockets.
  • Hook and Control (hook-and-control.js): Hijack target browsers and use them to access inaccessible resources from your own browser or other HTTP clients. You can retrieve the list of hooked browsers on the "soohooked" sub-domain of the Singularity manager host on port 3129 by default e.g. http://soohooked.rebinder.your.domain:3129/. To authenticate, submit the secret value dumped to the console by the Singularity server at startup.
  • Jenkins Script Console (jenkins-script-console.js): This payload exploits the Jenkins Script Console and displays the stored credentials.
  • Docker API (docker-api.js): This payload exploits the Docker API and displays the /etc/shadow file of the Docker host.

Creating Your Own Payloads

Creating your own payloads is as simple as copying the sample payload JS file (simple-fetch-get.js) and modifying it to suit your needs. The sample payload makes a single GET request and displays the response. Start by copying the contents of this file to a new .js file and adding its name to the attackPayloads list in the manager-config.json file. Then modify the new JS file, for example to change the request URL.