CVE-2024-45256

CRITICAL

BYOB Unauthenticated RCE via Arbitrary File Write and Command Injection (CVE-2024-45256, CVE-2024-45257)

Title source: metasploit

Description

An arbitrary file write issue in the exfiltration endpoint in BYOB (Build Your Own Botnet) 2.0 allows attackers to overwrite SQLite databases and bypass authentication via an unauthenticated HTTP request with a crafted parameter. This occurs in file_add in api/files/routes.py.

Exploits (1)

metasploit WORKING POC EXCELLENT

by chebuya, Valentin Lobstein · rubypoc

https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/unix/webapp/byob_unauth_rce.rb

View Code ZIP pw:eip

References (3)

[Various Sources] https://blog.chebuya.com/posts/unauthenticated-remote-command-execution-on-byob/

[Various Sources] https://github.com/chebuya/exploits/tree/main/BYOB-RCE

[Various Sources] https://github.com/malwaredllc/byob

Scores

CVSS v3 9.8

EPSS 0.5087

EPSS Percentile 97.9%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Details

CWE

CWE-22

Status published

Published Aug 26, 2024

Tracked Since Feb 18, 2026