Added Poison Ivy Command and Control Scanner\n Auxiliary module to scan for Poison Ivy C&C on ports 80,8080,443 and 3460

ColonelMoran · ColonelMoran · commit 226cd241bf42 · 2013-12-15T14:34:50.000Z
diff --git a/modules/auxiliary/scanner/misc/poisonivy_control_scanner.rb b/modules/auxiliary/scanner/misc/poisonivy_control_scanner.rb
@@ -0,0 +1,95 @@
+##
+# This module requires Metasploit: http//metasploit.com/download
+# Current source: https://github.com/rapid7/metasploit-framework
+##
+
+
+require 'msf/core'
+
+class Metasploit3 < Msf::Auxiliary
+
+  include Msf::Exploit::Remote::Tcp
+
+  include Msf::Auxiliary::Report
+  include Msf::Auxiliary::Scanner
+
+
+  def initialize
+    super(
+      'Name'        => 'Poison Ivy C&C Scanner',
+      'Description' => 'Enumerate Poison Ivy C&C on ports 3460,80,8080 and 443. Adaptation of iTrust Python script.
+www.malware.lu/Pro/RAP002_APT1_Technical_backstage.1.0.pdf',
+      'Author'      => [ 'SeawolfRN'],
+      'License'     => MSF_LICENSE
+    )
+
+    register_options(
+    [
+      OptInt.new('TIMEOUT', [true, "The socket connect timeout in milliseconds", 1000]),
+      OptInt.new('CONCURRENCY', [true, "The number of concurrent ports to check per host", 10]),
+    ], self.class)
+
+    deregister_options('RPORT')
+
+  end
+
+
+  def run_host(ip)
+
+    timeout = datastore['TIMEOUT'].to_i
+
+    ports = Rex::Socket.portspec_crack("3460,80,443,8080")
+
+    while(ports.length > 0)
+      t = []
+      r = []
+      begin
+      1.upto(datastore['CONCURRENCY']) do
+        this_port = ports.shift
+        break if not this_port
+        t << framework.threads.spawn("Module(#{self.refname})-#{ip}:#{this_port}", false, this_port) do |port|
+          begin
+            s = connect(false,
+              {
+                'RPORT' => port,
+                'RHOST' => ip,
+                'ConnectTimeout' => (timeout / 1000.0)
+              }
+            )
+            r << [ip,port,"open"]
+            s.send("\x00"*0x100,0) #Send 0x100 zeros, wait for answer
+            data=s.recv(0x100)
+            if data.length==0x100
+              data=s.recv(0x4)
+              if data=="\xD0\x15\x00\x00" #Signature for PIVY C&C
+                print_status("#{ip}:#{port} - C&C Server Found")
+              end
+            end
+          rescue ::Rex::ConnectionRefused
+            vprint_status("#{ip}:#{port} - TCP closed")
+            r << [ip,port,"closed"]
+          rescue ::Rex::ConnectionError, ::IOError, ::Timeout::Error
+          rescue ::Rex::Post::Meterpreter::RequestError
+          rescue ::Interrupt
+            raise $!
+          rescue ::Exception => e
+            print_error("#{ip}:#{port} exception #{e.class} #{e} #{e.backtrace}")
+          ensure
+            disconnect(s) rescue nil
+          end
+        end
+      end
+      t.each {|x| x.join }
+
+      rescue ::Timeout::Error
+      ensure
+        t.each {|x| x.kill rescue nil }
+      end
+
+      r.each do |res|
+        report_service(:host => res[0], :port => res[1], :state => res[2])
+      end
+    end
+  end
+
+end
