-
Notifications
You must be signed in to change notification settings - Fork 143
Payloads
gdncc edited this page Apr 16, 2019
·
4 revisions
The payloads contain the actual exploit code to attack a specific vulnerable service.
Singularity supports the following attack payloads:
-
Basic fetch request (
simple-fetch-get.js
): This sample payload makes a GET request to the root directory ('/') and shows the server response using thefetch
API. The goal of this payload is to function as example request to make additional contributions as easy as possible. - automatic: This payload automatically attempts to detect known services and exploit them using other payloads listed in this section or that were developed and added to Singularity by users.
-
Chrome DevTools RCE (
exposed-chrome-devtools.js
): This payload demonstrates a remote code execution (RCE) vulnerability in Microsoft VS Code fixed in version 1.19.3. This payload can be adapted to exploit any software that exposes Chrome Dev Tools onlocalhost
. -
Etcd k/v dump (
etcd.js
): This payload retrieves the keys and values from the etcd key-value store. -
pyethapp (
pyethapp.js
): Exploits the Python implementation of the Ethereum client Pyethapp to get the list of owned eth addresses and retrieve the balance of the first eth address. -
Rails Console RCE (
rails-console-rce.js
): Performs a remote code execution (RCE) attack on the Rails Web Console. -
AWS Metadata Exfil (
aws-metadata-exfil.js
): Forces a headless browser to exfiltrate AWS metadata including private keys to a given host. Check the payload contents for additional details on how to setup the attack. -
Duplicati RCE (
duplicati-rce.js
): This payload exploits the Duplicati backup client and performs a remote code execution (RCE) attack. For this attack to work, parametertargetURL
in filepayload-duplicati-rce.html
must be updated to point to a valid Duplicati backup containing the actual RCE payload, a shell script. -
WebPDB (
webpdb.js
): A generic RCE payload to exploitPDB
, a python debugger exposed via websockets. -
Hook and Control (
hook-and-control.js
): Hijack target browsers and use them to access inaccessible resources from your own browser or other HTTP clients. You can retrieve the list of hooked browsers on the "soohooked" sub-domain of the Singularity manager host on port 3129 by default e.g. http://soohooked.rebinder.your.domain:3129/. To authenticate, submit the secret value dumped to the console by the Singularity server at startup. -
Jenkins Script Console (
jenkins-script-console.js
): This payload exploits the Jenkins Script Console and displays the stored credentials. -
Docker API (
docker-api.js
): This payload exploits the Docker API and displays the/etc/shadow
file of the Docker host.
Creating your own payloads is as simple as copying the sample payload JS file
(simple-fetch-get.js
) and modify it according to your needs.
The sample payload makes a single GET request and displays the response.
Start with copying the content of this file to a new .js
file and add its name
to the attackPayloads
list in the manager-config.json
file.
Then modify the new JS file to change the request URL for example.