Class: Metasploit::Framework::LoginScanner::Caidao

Inherits:
HTTP
  • Object
show all
Defined in:
lib/metasploit/framework/login_scanner/caidao.rb

Overview

Chinese Caidao login scanner

Constant Summary collapse

DEFAULT_PORT =

Inherit LIKELY_PORTS, LIKELY_SERVICE_NAMES, and REALM_KEY from HTTP

80
PRIVATE_TYPES =
[ :password ]
LOGIN_STATUS =

Shorter name

Metasploit::Model::Login::Status

Constants inherited from HTTP

HTTP::DEFAULT_REALM, HTTP::DEFAULT_SSL_PORT, HTTP::LIKELY_PORTS, HTTP::LIKELY_SERVICE_NAMES, HTTP::REALM_KEY

Instance Attribute Summary

Attributes inherited from HTTP

#digest_auth_iis, #evade_header_folding, #evade_method_random_case, #evade_method_random_invalid, #evade_method_random_valid, #evade_pad_fake_headers, #evade_pad_fake_headers_count, #evade_pad_get_params, #evade_pad_get_params_count, #evade_pad_method_uri_count, #evade_pad_method_uri_type, #evade_pad_post_params, #evade_pad_post_params_count, #evade_pad_uri_version_count, #evade_pad_uri_version_type, #evade_uri_dir_fake_relative, #evade_uri_dir_self_reference, #evade_uri_encode_mode, #evade_uri_fake_end, #evade_uri_fake_params_start, #evade_uri_full_url, #evade_uri_use_backslashes, #evade_version_random_invalid, #evade_version_random_valid, #http_password, #http_username, #method, #ntlm_domain, #ntlm_send_lm, #ntlm_send_ntlm, #ntlm_send_spn, #ntlm_use_lm_key, #ntlm_use_ntlmv2, #ntlm_use_ntlmv2_session, #uri, #user_agent, #vhost

Instance Method Summary collapse

Methods inherited from HTTP

#send_request

Instance Method Details

#attempt_login(credential) ⇒ Result

Attempts to login to Caidao Backdoor. This is called first.

Parameters:

Returns:

  • (Result)

    A Result object indicating success or failure


78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
# File 'lib/metasploit/framework/login_scanner/caidao.rb', line 78

def (credential)
  result_opts = {
    credential:  credential,
    status: Metasploit::Model::Login::Status::INCORRECT,
    proof: nil,
    host: host,
    port: port,
    protocol: 'tcp'
  }

  if ssl
    result_opts[:service_name] = 'https'
  else
    result_opts[:service_name] = 'http'
  end

  begin
    result_opts.merge!((credential.public, credential.private))
  rescue ::Rex::ConnectionError => e
    result_opts.merge!(status: LOGIN_STATUS::UNABLE_TO_CONNECT, proof: e.message)
  end
  Result.new(result_opts)
end

#check_setupBoolean

Checks if the target is Caidao Backdoor. The login module should call this.

Returns:

  • (Boolean)

    TrueClass if target is Caidao, otherwise FalseClass


17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
# File 'lib/metasploit/framework/login_scanner/caidao.rb', line 17

def check_setup
  @flag ||= Rex::Text.rand_text_alphanumeric(4)
  @lmark ||= Rex::Text.rand_text_alphanumeric(4)
  @rmark ||= Rex::Text.rand_text_alphanumeric(4)

  case uri
  when /php$/mi
    @payload = "$_=\"#{@flag}\";echo \"#{@lmark}\".$_.\"#{@rmark}\";"
    return true
  when /asp$/mi
    @payload = 'execute("response.write(""'
    @payload << "#{@lmark}"
    @payload << '""):response.write(""'
    @payload << "#{@flag}"
    @payload << '""):response.write(""'
    @payload << "#{@rmark}"
    @payload << '""):response.end")'
    return true
  when /aspx$/mi
    @payload = "Response.Write(\"#{@lmark}\");"
    @payload << "Response.Write(\"#{@flag}\");"
    @payload << "Response.Write(\"#{@rmark}\")"
    return true
  end
  false
end

#set_sane_defaultsObject


44
45
46
47
# File 'lib/metasploit/framework/login_scanner/caidao.rb', line 44

def set_sane_defaults
  self.method = "POST" if self.method.nil?
  super
end

#try_login(username, password) ⇒ Hash

Actually doing the login. Called by #attempt_login

Parameters:

  • username (String)

    The username to try

  • password (String)

    The password to try

Returns:

  • (Hash)
    • :status [Metasploit::Model::Login::Status]

    • :proof [String] the HTTP response body


56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
# File 'lib/metasploit/framework/login_scanner/caidao.rb', line 56

def (username, password)
  res = send_request(
    'method'  => method,
    'uri'     => uri,
    'data'    => "#{password}=#{@payload}"
  )

  unless res
    return { :status => LOGIN_STATUS::UNABLE_TO_CONNECT, :proof => res.to_s }
  end

  if res && res.code == 200 && res.body.to_s.include?("#{@lmark}#{@flag}#{@rmark}")
    return { :status => Metasploit::Model::Login::Status::SUCCESSFUL, :proof => res.to_s }
  end

  { :status => Metasploit::Model::Login::Status::INCORRECT, :proof => res.to_s }
end