DarkComet Server Remote File Download Exploit - Metasploit
This page contains detailed information about how to use the auxiliary/gather/darkcomet_filedownloader metasploit module. For list of all metasploit modules, visit the Metasploit Module Library.
Module Overview
Name: DarkComet Server Remote File Download Exploit
Module: auxiliary/gather/darkcomet_filedownloader
Source code: modules/auxiliary/gather/darkcomet_filedownloader.rb
Disclosure date: 2012-10-08
Last modification time: 2020-10-02 17:38:06 +0000
Supported architecture(s): -
Supported platform(s): Windows
Target service / protocol: -
Target network port(s): 1604
List of CVEs: -
This module exploits an arbitrary file download vulnerability in the DarkComet C&C server versions 3.2 and up. The exploit does not need to know the password chosen for the bot/server communication.
Module Ranking and Traits
Module Ranking:
- normal: The exploit is otherwise reliable, but depends on a specific version and can't (or doesn't) reliably autodetect. More information about ranking can be found here.
Basic Usage
msf > use auxiliary/gather/darkcomet_filedownloader
msf auxiliary(darkcomet_filedownloader) > show targets
... a list of targets ...
msf auxiliary(darkcomet_filedownloader) > set TARGET target-id
msf auxiliary(darkcomet_filedownloader) > show options
... show and set options ...
msf auxiliary(darkcomet_filedownloader) > exploit
Go back to menu.
Msfconsole Usage
Here is how the gather/darkcomet_filedownloader auxiliary module looks in the msfconsole:
msf6 > use auxiliary/gather/darkcomet_filedownloader
msf6 auxiliary(gather/darkcomet_filedownloader) > show info
Name: DarkComet Server Remote File Download Exploit
Module: auxiliary/gather/darkcomet_filedownloader
License: Metasploit Framework License (BSD)
Rank: Normal
Disclosed: 2012-10-08
Provided by:
Shawn Denbow & Jesse Hertz
Jos Wetzels
Check supported:
No
Basic options:
Name Current Setting Required Description
---- --------------- -------- -----------
BRUTETIMEOUT 1 no Timeout (in seconds) for bruteforce attempts
KEY no DarkComet RC4 key (include DC prefix with key eg. #KCMDDC51#-890password)
LHOST 0.0.0.0 yes This is our IP (as it appears to the DarkComet C2 server)
NEWVERSION true no Set to true if DarkComet version >= 5.1, set to false if version < 5.1
RHOSTS 0.0.0.0 yes The target host(s), range CIDR identifier, or hosts file with syntax 'file:<path>'
RPORT 1604 yes The target port (TCP)
STORE_LOOT true no Store file in loot (will simply output file to console if set to false).
TARGETFILE no Target file to download (assumes password is set)
Description:
This module exploits an arbitrary file download vulnerability in the
DarkComet C&C server versions 3.2 and up. The exploit does not need
to know the password chosen for the bot/server communication.
References:
https://www.nccgroup.trust/globalassets/our-research/us/whitepapers/PEST-CONTROL.pdf
http://samvartaka.github.io/exploitation/2016/06/03/dead-rats-exploiting-malware
Module Options
This is a complete list of options available in the gather/darkcomet_filedownloader auxiliary module:
msf6 auxiliary(gather/darkcomet_filedownloader) > show options
Module options (auxiliary/gather/darkcomet_filedownloader):
Name Current Setting Required Description
---- --------------- -------- -----------
BRUTETIMEOUT 1 no Timeout (in seconds) for bruteforce attempts
KEY no DarkComet RC4 key (include DC prefix with key eg. #KCMDDC51#-890password)
LHOST 0.0.0.0 yes This is our IP (as it appears to the DarkComet C2 server)
NEWVERSION true no Set to true if DarkComet version >= 5.1, set to false if version < 5.1
RHOSTS 0.0.0.0 yes The target host(s), range CIDR identifier, or hosts file with syntax 'file:<path>'
RPORT 1604 yes The target port (TCP)
STORE_LOOT true no Store file in loot (will simply output file to console if set to false).
TARGETFILE no Target file to download (assumes password is set)
Advanced Options
Here is a complete list of advanced options supported by the gather/darkcomet_filedownloader auxiliary module:
msf6 auxiliary(gather/darkcomet_filedownloader) > show advanced
Module advanced options (auxiliary/gather/darkcomet_filedownloader):
Name Current Setting Required Description
---- --------------- -------- -----------
CHOST no The local client address
CPORT no The local client port
ConnectTimeout 10 yes Maximum number of seconds to establish a TCP connection
Proxies no A proxy chain of format type:host:port[,type:host:port][...]
SSL false no Negotiate SSL/TLS for outgoing connections
SSLCipher no String for SSL cipher - "DHE-RSA-AES256-SHA" or "ADH"
SSLVerifyMode PEER no SSL verification method (Accepted: CLIENT_ONCE, FAIL_IF_NO_PEER_CERT, NONE, PEER)
SSLVersion Auto yes Specify the version of SSL/TLS to be used (Auto, TLS and SSL23 are auto-negotiate) (Accepted: Auto, TLS, SSL23, SSL3, TLS1, TLS1.1, TLS1.2)
VERBOSE false no Enable detailed status messages
WORKSPACE no Specify the workspace for this module
Auxiliary Actions
This is a list of all auxiliary actions that the gather/darkcomet_filedownloader module can do:
msf6 auxiliary(gather/darkcomet_filedownloader) > show actions
Auxiliary actions:
Name Description
---- -----------
Evasion Options
Here is the full list of possible evasion options supported by the gather/darkcomet_filedownloader auxiliary module in order to evade defenses (e.g. Antivirus, EDR, Firewall, NIDS etc.):
msf6 auxiliary(gather/darkcomet_filedownloader) > show evasion
Module evasion options:
Name Current Setting Required Description
---- --------------- -------- -----------
TCP::max_send_size 0 no Maxiumum tcp segment size. (0 = disable)
TCP::send_delay 0 no Delays inserted before every send. (0 = disable)
Go back to menu.
Error Messages
This module may fail with the following error messages:
Check for the possible causes from the code snippets below found in the module source code. This can often times help in identifying the root cause of the problem.
Could not find password in config.ini ...
Here is a relevant code snippet related to the "Could not find password in config.ini ..." error message:
394: if !filedata.nil?
395: # Automatically try to extract password from config.ini if we haven't set a key yet
396: if datastore['KEY'] == ''
397: password = parse_password(filedata)
398: if password.nil?
399: print_status("Could not find password in config.ini ...")
400: elsif password == ''
401: print_status("C2 server uses empty password!")
402: else
403: print_status("C2 server uses password [#{password}]")
404: end
Attack failed or empty config file encountered ...
Here is a relevant code snippet related to the "Attack failed or empty config file encountered ..." error message:
412: else
413: store_loot("darkcomet.file", "text/plain", datastore['RHOST'], filedata, datastore['TARGETFILE'], "File retrieved from DarkComet C2 server")
414: end
415: else
416: print_status(filedata.to_s)
417: end
418: else
419: print_error("Attack failed or empty config file encountered ...")
420: end
421: end
422: end
Go back to menu.
Related Pull Requests
- #14213 Merged Pull Request: Add disclosure date rubocop linting rule - enforce iso8601 disclosure dates
- #8716 Merged Pull Request: Print_Status -> Print_Good (And OCD bits 'n bobs)
- #8336 Merged Pull Request: Specify lhost by interface name
- #8338 Merged Pull Request: Fix msf/core and self.class msftidy warnings
- #6955 Merged Pull Request: Arbitrary File Download Exploit for DarkComet C2 server versions >= 3.2
- #6940 Merged Pull Request: Exploit for previously unknown stack buffer overflow in Poison Ivy versions 2.1.x (possibly present in older versions too)
References
- CVE: Not available
- https://www.nccgroup.trust/globalassets/our-research/us/whitepapers/PEST-CONTROL.pdf
- http://samvartaka.github.io/exploitation/2016/06/03/dead-rats-exploiting-malware
See Also
Check also the following modules related to this module:
- exploit/windows/scada/factorylink_csservice
- exploit/windows/scada/factorylink_vrn_09
- exploit/windows/scada/rockwell_factorytalk_rce
Authors
- Shawn Denbow & Jesse Hertz
- Jos Wetzels
Version
This page has been produced using Metasploit Framework version 6.1.27-dev. For more modules, visit the Metasploit Module Library.
Go back to menu.
