Dexter (CasinoLoader) SQL Injection
This module exploits a vulnerability found in the command and control panel used to control Dexter (Point of Sale malware). This is done by accessing the PHP page used by bots to report in (gateway.php) which does not sanitize input. Input is encrypted and encoded, but the key is supplied by the bot connecting. The 'page' parameter is used in this case. The command and control panel designates a location to upload files, and can be used as a reliable location to write a PHP shell. Authentication is not needed to exploit this vulnerability.
- bwall (Brian Wallace) <bwallace [at] cylance.com>
- CasinoLoader gateway.php
To display the available options, load the module within the Metasploit console and run the commands 'show options' or 'show advanced':
msf > use exploit/multi/http/dexter_casinoloader_exec msf exploit(dexter_casinoloader_exec) > show targets ...targets... msf exploit(dexter_casinoloader_exec) > set TARGET <target-id> msf exploit(dexter_casinoloader_exec) > show options ...show and set options... msf exploit(dexter_casinoloader_exec) > exploit