One-Click RCE in OpenClaw via gatewayUrl WebSocket Token Exfiltration

This repository is a working JavaScript/HTML proof-of-concept exploit for CVE-2026-25253 affecting OpenClaw/clawbot versions earlier than v2026.1.29. The exploit chain is multi-stage: a victim is lured to an attacker-hosted page (meeting.html) disguised as a meeting/install page; that page causes the victim browser to open the local OpenClaw Control UI with a malicious gatewayUrl parameter so the UI connects to the attacker-controlled WebSocket server; attacker-server.js captures the authentication token by intentionally rejecting the first connect attempt to force fallback from a device-bound token to a replayable settings token; the browser exploit then opens its own WebSocket connection to the real local gateway at 127.0.0.1:18789 using the stolen token; finally it invokes OpenClaw RPC methods to disable approval prompts, patch configuration to turn off sandboxing and run exec on the host, and sends an agent message that causes a shell command to run. Repository structure is simple: README.md documents the vulnerability, attack flow, setup, and usage; attacker-server.js implements both the HTTP server on port 3000 and the attacker WebSocket capture server on port 8080; meeting.html contains the browser-side exploit logic and social-engineering UI; package.json/package-lock.json declare the ws dependency; node_modules/ws is vendored third-party library code and not part of the exploit logic itself. The exploit is not a scanner or detector—it is intended to achieve token theft and host command execution on a vulnerable, locally running OpenClaw instance through browser-based interaction and cross-site WebSocket abuse.

Repository contains a small Flask-based exploit server plus two HTML/JS templates implementing a browser-driven localhost pivot leading to command execution against a local OpenClaw service (claimed CVE-2026-25253). Structure and roles: - exploit.py: Runs a Flask app on port 13337 and a WebSocket endpoint at "/" (via Flask-Sock). It serves two pages (/eqst1 and /eqst2), exposes /token for one-time retrieval of a captured gateway token, and /report_result to receive and print command output. The WebSocket handler inspects incoming JSON messages for auth fields (gatewayToken/token). If a token is not present and it sees a "connect" method, it forces an AUTH_FAILED response once to trigger a “device token fallback” behavior, increasing chances the client will resend/emit a gateway token. - templates/eqst1.html: “1-click” entry page. On click, it opens /eqst2 and then redirects the browser to a local endpoint http://127.0.0.1:18789/chat with a crafted query parameter gatewayUrl=ws://<attacker_host>:13337/. This is intended to coerce the local OpenClaw UI/service to connect back to the attacker WebSocket (token interception). - templates/eqst2.html: Exploit runner. It polls /token until the attacker server has captured a gateway token. Then it connects to the local WebSocket ws://127.0.0.1:18789/, performs a connect handshake using a freshly generated Ed25519 identity (WebCrypto), requests elevated operator scopes, and upon successful hello/handshake sends a chat.send request that instructs the agent to execute an arbitrary command (default: `id`). When chat output arrives, it exfiltrates the output to /report_result. Exploit capabilities: - Token capture/interception: Captures a gateway token from a coerced connection to attacker-controlled WebSocket. - Authentication/connection establishment: Uses the captured token plus a signed device identity to complete a connect challenge with privileged scopes. - Command execution via chat/agent instruction: Sends a prompt-like instruction to execute a supplied command and return output. - Output exfiltration: Posts command output back to attacker server and prints it. Notable operational details: - Default command is configurable via --command in exploit.py and is templated into eqst2.html. - The exploit is designed for a victim environment where a service is bound to localhost:18789 and is reachable from the browser (classic browser-to-localhost attack surface).

Repository is an operational PoC for CVE-2026-25253: one-click RCE against OpenClaw by combining token exfiltration and Cross-Site WebSocket Hijacking (CSWSH) against a localhost WebSocket gateway. Structure/purpose: - attacker-server.js: Node.js attack infrastructure. Runs (1) an HTTP server on port 3000 serving exploit.html and (2) a WebSocket server on port 8080 to capture tokens and relay them to waiting exploit pages. It parses incoming JSON messages and specifically looks for {type:'req', method:'connect'} to extract msg.params.auth.token. It intentionally rejects the first connect attempt (assumed “device token”) by returning an AUTH_FAILED error to trigger the victim UI’s fallback behavior, then captures the subsequent “settings token”. - exploit.html: Browser exploit. Stage 1 opens the victim’s local Control UI in a popup at http://127.0.0.1:18789 with a gatewayUrl query parameter pointing to the attacker’s WS server, causing the Control UI to connect outward and send its stored token. The page also connects to the attacker WS endpoint to receive the stolen token. Stage 2+ uses the stolen token to open its own WebSocket to the victim’s local gateway ws://127.0.0.1:18789 (relying on missing/weak Origin validation). It then performs API calls (as described in README and partially visible in code) to authenticate/handshake, disable execution approvals (exec.approvals.set ask:'off'), patch configuration to disable sandbox/container protections (config.patch with sandbox.mode:'off' and host:'gateway'), and finally sends an 'agent' request to execute an arbitrary command (default: touch /tmp/success) on agentId 'main' with sessionKey 'agent:main:main'. - package.json / package-lock.json: minimal dependency management; only external dependency is ws for the attacker server. - node_modules/ws/*: vendored ws library code. Key exploit capabilities: - Token theft/exfiltration by abusing a gatewayUrl parameter to redirect the Control UI’s WebSocket connection to an attacker-controlled WS endpoint. - CSWSH to a localhost WebSocket service (OpenClaw gateway) from an attacker origin. - Post-auth actions to reduce/disable security controls (approval prompts and sandboxing) and achieve command execution via the product’s agent command channel. Overall, this is not a scanner/detector; it is a working exploit chain with attacker infrastructure and a browser-delivered payload.

Repository contains a two-stage browser-driven exploit PoC targeting a Clawdbot webchat/control UI design flaw where a user-controlled `gatewayUrl` parameter (or persisted setting) determines the WebSocket backend. Structure/purpose: - `exploit.py`: Flask server (port 13337) serving Stage 1 (`/lolada1`) and Stage 2 (`/lolada2`) pages plus a WebSocket endpoint (`/`) to receive and parse the victim’s initial WebSocket `connect` frame. It extracts `params.auth.token` (or `params.auth.password`) and exposes the stolen token via `/token` for Stage 2 to poll. - `templates/lolada1.html`: Stage 1 lure. On click, opens Stage 2 and redirects the browser to the target chat page (`http://127.0.0.1:18789/chat`) with `gatewayUrl` set to the attacker WebSocket (`ws://<HOSTNAME>:13337/`). This coerces the target UI to connect to the attacker, leaking auth material. - `templates/lolada2.html`: Stage 2. Polls `/token` until the token is captured, then connects to the local gateway (`ws://127.0.0.1:18789/`), performs a challenge/response connect flow (generates Ed25519 identity, signs payload), and sends a `chat.send` request with a prompt instructing the agent to execute an arbitrary command (`--command`, default `id`) and display output. - `exploit_hackian.py`: A Playwright-based harness to reproduce/validate the issue safely by stubbing `WebSocket` in-page, capturing the first outbound frame, and testing multiple scenarios (plain/encoded gatewayUrl, token/password/session in URL params, device publicKey presence). It blocks third-party network requests and prints a JSON report. - `exfiltrated.json`: Example output from the harness showing that `gatewayUrl` can be set to an attacker endpoint and that the first `connect` frame may include `auth.token` (e.g., `TEST_TOKEN_LEAK_123`) and device identity fields. Main exploit capabilities: 1) WebSocket endpoint injection via `gatewayUrl` to redirect the victim UI’s WebSocket connection to an attacker-controlled server. 2) Exfiltration of sensitive auth material (token/password) from the victim’s initial WebSocket `connect` message. 3) Post-exfiltration authenticated WebSocket API abuse to send `chat.send` messages that induce agent-side command execution (RCE-by-instruction), returning output via chat events. Notable implementation issue: in `exploit.py`, the password branch assigns `PASSWORD = token` (likely a bug; should be `PASSWORD = password`).