Thursday 23 May 2013

Pony 1.9 (Win32/Fareit)

Came across a Pony panel recently, the original one, not the 'TF' version.
Alright, let's talk about Pony; the guys have some cool stats.
The panel is on 95.170.83.145, and the SQL server used by Pony is located elsewhere, on 178.63.77.68.

I've tried to add my own user inside the panel, but I ran into some difficulty, forcing me to dump the f*cker and review the source code.
I've read just a small part of the code, but that was fun. Here is the authentication function:

They call mixed_sha1():
random_salt_value_start and random_salt_value_end are strings that don't change, but the coder named them 'random' for an unknown reason; I'm still not sure if it's a joke or human stupidity.
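To show why constant 'salts' defeat the purpose of salting, here is an added example (not the panel's code; the real strings are not reproduced and the exact concatenation order is assumed): a fixed-salt scheme in the shape of mixed_sha1() beside a per-user random salt, and a check that finds users sharing a password from the fixed-salt digests alone.

```python
import hashlib
import os
from collections import defaultdict

# Constructed stand-ins for the panel's two constant strings (assumption).
RANDOM_SALT_VALUE_START = "constructed-start-salt"
RANDOM_SALT_VALUE_END = "constructed-end-salt"


def mixed_sha1(password):
    """Assumed shape of the panel's mixed_sha1(): SHA-1 over the password
    wrapped in two fixed strings. Since the 'salts' never change, equal
    passwords always produce equal digests, exactly like an unsalted hash."""
    data = RANDOM_SALT_VALUE_START + password + RANDOM_SALT_VALUE_END
    return hashlib.sha1(data.encode("utf-8")).hexdigest()


def salted_sha1(password, salt=None):
    """Contrast: a fresh 16-byte random salt per user, stored beside the digest.
    The same password hashed twice gives two different digests."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.sha1(salt + password.encode("utf-8")).hexdigest()
    return salt, digest


def verify_salted(password, salt, digest):
    """Recompute with the stored salt and compare."""
    return salted_sha1(password, salt)[1] == digest


def shared_password_groups(user_table):
    """Given {username: mixed_sha1 digest}, return groups of users whose
    digests collide. With a fixed salt this reveals shared passwords without
    knowing any password; with per-user salts the grouping is impossible."""
    by_digest = defaultdict(list)
    for user, digest in user_table.items():
        by_digest[digest].append(user)
    return [sorted(users) for users in by_digest.values() if len(users) > 1]


# Constructed sample user table for the demonstration.
SAMPLE_USERS = {
    "admin": mixed_sha1("hunter2"),
    "operator": mixed_sha1("hunter2"),
    "reseller": mixed_sha1("letmein"),
}
```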

OK cool, I know how to hash my password; where do they record IPs now?
Panel in Russian but code comments in English... OK, I start to believe a retard edited the code.

get_login_log():

Alright, let's get the bad guys' IPs:
SELECT * FROM pony_system_log WHERE log_source LIKE 'login'
And that's all I need to know to remove my traces on the panel afterwards and stay stealthy.

Now let's have a quick look at the Pony builder:
Loader:
Settings:
Themes:

Changelog (available here http://pastebin.com/ufiueRSH):

Files:
The builder is coded in Delphi and the payload in assembler.

Pony 1.9 got leaked in December 2012 and was translated to English by Unic0de.
Personally, at the end of 2012 I paid a courtesy visit to a PPI affiliate (Hacking Moneycloud).

Someone trying to sell Pony the same day it got leaked (lol?):

Now for the panel of our bad guys, login:

Dashboard:
Всего E-mail паролей в списке -> Total E-mail passwords in the list: 10467
Всего сертификатов в списке -> Total certificates in the list: 1
Всего RDP в списке -> Total RDP in the list: 114
Всего уникальных отчетов -> Total unique reports: 10588
Получено дубликатов -> Duplicates received: 11211
Не обработано отчетов -> Unprocessed reports: 1
Событий в системных логах -> Events in the system logs: 219865
Полный размер отчетов в БД -> Total size of reports in the database: 16.84 MB
Полный размер БД -> Total database size: 78.52 MB
Добавлено FTP (HTTP) за последние 24 часа -> FTP (HTTP) added in the last 24 hours: 54 (6771)
Добавлено FTP (HTTP) за последний час -> FTP (HTTP) added in the last hour: 3 (132)
Добавлено FTP (HTTP) за последние 10 минут -> FTP (HTTP) added in the last 10 minutes: 0 (17)
Добавлено отчетов за последние 24 часа -> Reports added in the last 24 hours: 821
Добавлено отчетов за последний час -> Reports added in the last hour: 22
Добавлено отчетов за последние 10 минут -> Reports added in the last 10 minutes: 2

FTP list:
Скачать список FTP -> Download the FTP list
Скачать список SSH -> Download the SSH list
Очистить список FTP -> Delete the FTP list
Очистить список SSH -> Delete the SSH list
Показать фильтр -> Show Filter

Filters:
Countries:
Date:

HTTP list:

Others:
Скачать список E-mail -> Download the E-mail list
Скачать сертификаты -> Download Certificates
Скачать список RDP -> Download the RDP list
Очистить список E-mail -> Remove E-mail list
Удалить сертификаты -> Remove certificates
Очистить список RDP -> Remove RDP list

Stats:

Stolen passwords in the last 24 hours:

Stolen passwords in the last month:

OS popularity:

FTP Clients popularity:

Browser popularity:

E-mail client popularity:

Domains:

Error logs:
Скачать логи -> Download logs
Очистить логи -> Remove logs

Error report:
Скачать отчет -> Download the report
Повторно обработать отчет -> Reprocess the report
Удалить отчет -> Delete the report

Reports:
Скачать все отчеты -> Download all reports
Скачать необработанные отчеты -> Download the unprocessed reports
Удалить все отчеты -> Delete all reports
Показать фильтр -> Show Filter

View report:
Скачать отчет -> Download the report
Повторно обработать отчет -> Reprocess the report
Удалить отчет -> Delete the report

Management:

Server Settings:
Пароль для дешифровки отчетов -> Password for decrypting reports

Add New User:
Оптимизировать (сжать) таблицы MySQL -> Optimize (compress) the MySQL tables
Пересоздать таблицы MySQL -> Recreate the MySQL tables

Change password:

Help:

Panel (Russian) can be downloaded here: http://www.kernelmode.info/forum/viewtopic.php?f=16&t=1558&p=19374#p19374


12 comments:

  1. http://pastebin.com/sDR7BMHn

  2. You hid the guy's email well, but "last modified by ..." is where we can see his nickname; better if you hide that too, I think! lol

    Replies
    1. Hello, no, that was just to hide his jabber address; as for his nickname, I left it on purpose.

  3. LR is shut down.

  4. You seem to be able to bruteforce every panel you come across, what are you using?

    I'm stuck on such things after decompiling the executable, I'd also sure like to see his face when the bots are all removed.

  5. I've not bruteforced, I've made my own account from the SQL db.

    ReplyDelete
  6. How about the Source Code?

    Replies
    1. What do you want to know about the source code?

  7. Hello, is it possible to hack into the Pony Panel?
    If so, how? Can you please tell us?

    Thank You

    Replies
    1. Yes, it's possible, just look at the code and search where the problem is ;) hint: auth bypass, good luck.

  8. lol.. if I had read this post it would have saved me lots and lots of time. I was trying to breach a panel and had to search through the code for the authentication process; after that I created my own password and authenticated using the login screen. The next thing I did was to replace their original sha1, but since I was already authenticated and the panel didn't check for password changes, I had a beautiful time deleting all reports.. they were confused, they deleted the panel but I already had shell access and simply reuploaded it... lol