
Saturday, 11 January 2014

Decoding Zeus 2.9.6.1 dynamic config

I got a look at the Zeus builder that was released by the MMBB guy on exploit.in, and finally decided to write something about it, so let's talk about the change in the config encryption.
MD5: 0a05783316e7f765e731aadf5098564f

This version uses AES instead of RC4 and can interact with the latest version of Firefox.
Apart from that it's nothing more than a basic Zeus v2.

iBank parser on the panel, process monitoring:
About the panel, the released version requires the ionCube loader (nvm, the gate code can be recovered easily).

Now let's look at an example report from the modules, keylog + screenshot:


Part of the static config (in plain text in the generated bot):

Installation process/dynamic config decoding (beware, dubstep):

And a small piece of code, because it's easier to understand:
<?php
    // AES-128 in ECB mode; the key is the raw MD5 digest of the builder's hard-coded string.
    // ECB does not use an IV, but mcrypt_generic_init() still wants one of the right size.
    function decode($data, $key) {
        $td = mcrypt_module_open(MCRYPT_RIJNDAEL_128, '', MCRYPT_MODE_ECB, '');
        $iv = mcrypt_create_iv(mcrypt_enc_get_iv_size($td), MCRYPT_RAND);

        mcrypt_generic_init($td, $key, $iv);
        // mcrypt strips no padding, so the decrypted buffer comes back as-is
        $data = mdecrypt_generic($td, $data);

        mcrypt_generic_deinit($td);
        mcrypt_module_close($td);

        return $data;
    }

    // Zeus "visual" layer: each byte was XORed with the previous (already encoded) byte,
    // so it has to be undone from the end of the buffer backwards.
    function visualDecrypt(&$data) {
        $len = strlen($data);

        if ($len > 0)
            for ($i = $len - 1; $i > 0; $i--)
                $data[$i] = chr(ord($data[$i]) ^ ord($data[$i - 1]));
    }

    $data    = file_get_contents('config.bin');
    $key     = md5('hasd7h12g1', true);   // raw 16-byte digest, not the 32-char hex string
    $decoded = decode($data, $key);

    visualDecrypt($decoded);

    // Hand the result to the browser as a file download.
    $size = strlen($decoded);

    header('Content-Type: application/octet-stream;');
    header('Content-Transfer-Encoding: binary');
    header('Content-Length: ' . $size);
    header('Content-Disposition: attachment; filename=config_decrypted.dll');
    header('Expires: 0');
    header('Cache-Control: no-cache, must-revalidate');
    header('Pragma: no-cache');

    echo($decoded);

    exit;
?>
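The same decoding, as an added example that is not the post's script: ext/mcrypt was removed in PHP 7.2, so the AES step is done with ext/openssl instead. The key derivation (raw MD5 of the builder string) and the XOR chain are taken from the post; the `encodeConfig()` helper exists only to build a self-test fixture, and the sample plaintext and the `.decrypted` output name are constructed for this example.

```php
<?php
// Added example: Zeus 2.9.6.1 dynamic config decoding on ext/openssl (no mcrypt).
// Usage: php decode_config.php config.bin   -> writes config.bin.decrypted

function zeusKey(string $secret = 'hasd7h12g1'): string {
    return md5($secret, true);            // 16 raw bytes, used directly as the AES-128 key
}

function visualDecrypt(string $data): string {
    // Walk backwards so each byte is XORed with the still-encoded previous byte.
    for ($i = strlen($data) - 1; $i > 0; $i--) {
        $data[$i] = chr(ord($data[$i]) ^ ord($data[$i - 1]));
    }
    return $data;
}

function visualEncrypt(string $data): string {
    // Inverse of visualDecrypt (self-test only): walk forward, XOR with the already-encoded byte.
    for ($i = 1, $n = strlen($data); $i < $n; $i++) {
        $data[$i] = chr(ord($data[$i]) ^ ord($data[$i - 1]));
    }
    return $data;
}

function decodeConfig(string $blob, string $key): string {
    if (strlen($blob) % 16 !== 0) {
        throw new InvalidArgumentException('ciphertext length is not a multiple of the AES block size');
    }
    // ECB, no IV. OPENSSL_ZERO_PADDING disables PKCS#7 handling, matching what mcrypt did.
    $aes = openssl_decrypt($blob, 'aes-128-ecb', $key, OPENSSL_RAW_DATA | OPENSSL_ZERO_PADDING);
    if ($aes === false) {
        throw new RuntimeException('AES decryption failed: ' . openssl_error_string());
    }
    return visualDecrypt($aes);
}

function encodeConfig(string $plain, string $key): string {
    // Self-test fixture: zero-pad to a block boundary, apply the XOR chain, then AES-128-ECB.
    $padded = str_pad($plain, (int) ceil(strlen($plain) / 16) * 16, "\0");
    return openssl_encrypt(visualEncrypt($padded), 'aes-128-ecb', $key,
                           OPENSSL_RAW_DATA | OPENSSL_ZERO_PADDING);
}

$key = zeusKey();

// Constructed sample: prove the decoder inverts the scheme before touching a real file.
$sample    = "url_config http://example.invalid/config.bin\n";
$roundTrip = decodeConfig(encodeConfig($sample, $key), $key);
if (rtrim($roundTrip, "\0") !== $sample) {
    fwrite(STDERR, "self-test failed\n");
    exit(1);
}

if ($argc > 1) {
    $decoded = decodeConfig(file_get_contents($argv[1]), $key);
    file_put_contents($argv[1] . '.decrypted', $decoded);
    printf("wrote %d bytes to %s.decrypted\n", strlen($decoded), $argv[1]);
}
```

Writing the output to a file rather than serving it with `header()` keeps the decoder a command-line analysis tool; the length check up front turns a truncated or mis-identified blob into a clear error instead of a silent openssl failure.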

You can find the decoded modules here:
JAVA: 7d7ae6ffbd9f3c7673b339f9b94493e5
BSS: cc98dabebe047c6115a6cd9d13ed3122
KEYLOG: 8ac1c7c019d16ff3b8a9543d46ae5e0e

And if you want to test the WebInject yourself, I usually use this config:
set_url http://requesttests.appspot.com* GP
data_before
</body>
data_end

data_inject
<center><img src="http://temari.fr/webinject.png" alt="Injected!"></center>
data_end

data_after
data_end

/facepalm

Sunday, 10 April 2011

Creating an online ransomware unlocker

Simple code to make your own online unlocker service against ransomware.
Inspired by Kaspersky's.



So... I'll just leave this here.

config.php:
<?php
    // Xyl2k! :þ
    // Admin ids
    $LOGIN = "root";  //login
    $PASSWD = "toor";   //password
    // MySQL ids
    $MySQL['HOST'] = 'localhost';
    $MySQL['USER'] = 'root';
    $MySQL['PASS'] = '';
    $MySQL['DB']   = 'ransom';
   
    $db_connection = mysql_connect($MySQL['HOST'], $MySQL['USER'], $MySQL['PASS']);
    if (!$db_connection)
            die('Error - Could Not Connect to the Server.');
    $db_selected = mysql_select_db($MySQL['DB'], $db_connection);
    if (!$db_selected)
            die('Error - Could Not Connect to the Database.');

ransom.php:
<?php
    require('config.php');
?>

<html>
    <head>
        <meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
            <title>Ransom Unlocker</title>
        <link rel="stylesheet" media="screen" type="text/css" title="Design" href="style.css" />
    </head>
    <body>
        <center>
            <font size="6"><b>&#9763; Unlocker &#9763;</b></font>
        </center>
        <form id="form1" name="form1" method="GET" action="<?php echo basename($_SERVER['PHP_SELF']);?>">
        <label for="call">Code to call: </label>
        <input type="text" name="call" id="call" />
        <input style="text-shadow: none;" value="Search" type="submit" />
        <?php
        if (isset($_GET['call']))
        {
            // Escaping plus quoting is the only injection defence here; the output is HTML-escaped separately.
            $call = mysql_real_escape_string($_GET['call']);
            $req = mysql_query('SELECT serial FROM winlock WHERE codetocall=\''.$call.'\'');
            if (!mysql_num_rows($req))
                echo '<p> Unlock code not found</p>';
            else
                while ($datas = mysql_fetch_array($req))
                    echo '<p> Unlock code: <b>'.htmlspecialchars($datas['serial']).'</b></p>';
        }
        ?>
        </form>
    </body>
</html>

ransomadmin.php:
<?php
    session_start();
    require('config.php');

    // Open the session when the posted credentials match config.php
    if (isset($_POST['login'], $_POST['password'])
        && $_POST['login'] == $LOGIN && $_POST['password'] == $PASSWD)
        $_SESSION['access'] = true;

    $loggedIn = isset($_SESSION['access']) && $_SESSION['access'] == true;
?>

<html>
    <head>
        <meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
            <title>Admin - Ransom Unlocker</title>
        <link rel="stylesheet" media="screen" type="text/css" title="Design" href="style.css" />
    </head>
    <body>
        <center>
        <font size="6"><b>&#9763; Unlocker Admin &#9763;</b></font>
        </center>
        <?php if ($loggedIn) { ?>
            <form id="form1" name="form1" method="POST" action="ransomadmin.php">
            <table border="0">
              <tr>
                <td align="right"><label for="call">Code to call:</label></td>
                <td><input name="call" type="text" id="call" size="48" maxlength="255" /></td>
                </tr>
              <tr>
                <td align="right"><label for="serial">Unlock code:</label></td>
                <td><textarea name="serial" id="serial" cols="45" rows="5"></textarea></td>
                </tr>
              <tr>
                <td>&nbsp;</td>
                <td><input style="text-shadow: none;" value="Add" type="submit" /></td>
                </tr>
            </table>
            </form>
            <?php
            // Store a new (code to call, unlock code) pair
            if (isset($_POST['call']) && isset($_POST['serial']))
            {
                $call = mysql_real_escape_string($_POST['call']);
                $serial = mysql_real_escape_string($_POST['serial']);

                $req = mysql_query("INSERT INTO winlock VALUES('".$call."','".$serial."')") or die(mysql_error());

                echo "<p>Le code ".htmlspecialchars($_POST['call'])." a été inséré !</p>";
            }
        } else { ?>
            <form name="tapz" action="<?php echo basename($_SERVER['PHP_SELF']);?>" method="POST">
                <table border="0">
                    <tr>
                        <td align="right">Login :</td>
                        <td><input name="login" type="text" size="30" maxlength="30" /></td>
                    </tr>
                    <tr>
                        <td align="right">Password :</td>
                        <td><input name="password" type="password" size="30" maxlength="30" /></td>
                    </tr>
                    <tr>
                        <td>&nbsp;</td>
                        <td><input type="submit" value="-= Connect =-" /></td>
                    </tr>
                </table>
            </form>
        <?php } ?>
    </body>
</html>

sql database:
-- phpMyAdmin SQL Dump
-- version 3.3.9
-- http://www.phpmyadmin.net
--
-- Server: localhost
-- Generation time: Sun 10 April 2011 at 19:00
-- Server version: 5.1.36
-- PHP version: 5.3.0

SET SQL_MODE="NO_AUTO_VALUE_ON_ZERO";

/*!40101 SET @OLD_CHARACTER_SET_CLIENT=@@CHARACTER_SET_CLIENT */;
/*!40101 SET @OLD_CHARACTER_SET_RESULTS=@@CHARACTER_SET_RESULTS */;
/*!40101 SET @OLD_COLLATION_CONNECTION=@@COLLATION_CONNECTION */;
/*!40101 SET NAMES utf8 */;

--
-- Database: `ransom`
--

-- --------------------------------------------------------

--
-- Table structure for table `winlock`
--

CREATE TABLE IF NOT EXISTS `winlock` (
  `codetocall` varchar(255) NOT NULL,
  `serial` text NOT NULL
) ENGINE=MyISAM DEFAULT CHARSET=latin1;

--
-- Dumping data for table `winlock`
--

INSERT INTO `winlock` (`codetocall`, `serial`) VALUES
('123456', 'XXX-XXX-XXX-XXX');
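The lookup from ransom.php, the insert from ransomadmin.php and the admin login, as an added example that is not the post's code: the queries use PDO prepared statements instead of `mysql_real_escape_string()` plus string concatenation, and the password check uses `password_verify()` and `hash_equals()` instead of a plaintext `==`. The table layout and the sample row come from the SQL dump above; the in-memory SQLite DSN, the `openDb()`/`addSerial()`/`lookupSerials()`/`checkAdminLogin()` names and the quote-containing test input are assumptions made so the script runs offline.

```php
<?php
// Added example: the unlocker's data access on PDO prepared statements.
// Swap the DSN for 'mysql:host=localhost;dbname=ransom' to run it against the dump itself.

function openDb(): PDO {
    $db = new PDO('sqlite::memory:');                      // assumption: SQLite so this runs offline
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    // Same columns as the `winlock` table in the dump.
    $db->exec('CREATE TABLE winlock (codetocall VARCHAR(255) NOT NULL, serial TEXT NOT NULL)');
    return $db;
}

function addSerial(PDO $db, string $call, string $serial): void {
    // Values are bound, never concatenated: quotes in $call or $serial are data, not SQL.
    $stmt = $db->prepare('INSERT INTO winlock (codetocall, serial) VALUES (?, ?)');
    $stmt->execute([$call, $serial]);
}

function lookupSerials(PDO $db, string $call): array {
    $stmt = $db->prepare('SELECT serial FROM winlock WHERE codetocall = ?');
    $stmt->execute([$call]);
    return $stmt->fetchAll(PDO::FETCH_COLUMN);
}

function checkAdminLogin(string $login, string $password, string $expectedLogin, string $passwordHash): bool {
    // Constant-time login compare; the password is checked against a salted hash, not a plaintext $PASSWD.
    return hash_equals($expectedLogin, $login) && password_verify($password, $passwordHash);
}

$db = openDb();
addSerial($db, '123456', 'XXX-XXX-XXX-XXX');               // the sample row from the dump

$found = lookupSerials($db, '123456');
if ($found !== ['XXX-XXX-XXX-XXX']) {
    fwrite(STDERR, "lookup of the sample row failed\n");
    exit(1);
}

// Constructed input containing a quote: with binding it neither errors nor matches anything.
$odd = lookupSerials($db, "1234'56");
if ($odd !== []) {
    fwrite(STDERR, "unexpected match for quoted input\n");
    exit(1);
}

// Hash computed here for the demo; in deployment the hash, not the password, lives in config.php.
$adminHash = password_hash('toor', PASSWORD_DEFAULT);
if (!checkAdminLogin('root', 'toor', 'root', $adminHash) || checkAdminLogin('root', 'wrong', 'root', $adminHash)) {
    fwrite(STDERR, "login check failed\n");
    exit(1);
}

foreach ($found as $serial) {
    echo '<p> Unlock code: <b>' . htmlspecialchars($serial) . '</b></p>' . "\n";
}
```

Output escaping stays exactly where the post had it (`htmlspecialchars()` at render time); what changes is that the query text is fixed before any user value reaches the database driver, so the escaping function and the quoting around it can no longer drift apart.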