Phase Bot – Exploiting C&C Panel

I’ve been withholding this article for a while, due to the fact that the minute I post it all the vulnerabilities will be patched, thus becoming useless to us; however, it turns out hacking all of the phase C&C panels has generated a bit of noise, resulting in the vulnerabilities being found and patched anyway.

Captcha Reuse

This is quite an easy mistake to make for someone not familiar with coding php: when the captcha image is loaded the session variable $_SESSION[‘captcha’] is set to the captcha code, each time the captcha image is loaded the $_SESSION[‘captcha’] variable is updated with the new captcha.
On page load, the browser will perform a GET request to captcha.php, resulting in a new image being returned and the session being updated with the new code.
The code checks the submitted captcha code with the one stored in the session, unfortunately if the login fails it doesn’t destroy the session variable; meaning that as long as you don’t perform a GET request to captcha.php, you can reuse the same captcha code indefinitely, allowing login bruteforcing.

Plaintext Passwords

Obviously, no command and control panel would be complete without storing passwords in plaintext; this isn’t a huge issue because there’s no way for an outsider to read from the SQL database, right?

SQL Inject

Another must have for your budding bot developer, the trusty old SQL injection vulnerability. 
The bot implements are really lame method of supporting reverse HTTP proxies: The proxy will set $_GET[“i”] to the urlencoded IP of the bot, which is then input to the database without any sanitization. Sadly, there is no error checking (also popular with bot developers), meaning we can’t just output the password (the injection is totally blind).
What we can do, is use boolean logic, that is, we ask the database a question and tell it to do something if the answer is true, and nothing if the answer is false. For example: “If the first character of the password is ‘A’, hang for 5 seconds, else do nothing”. If the request takes 5+ seconds to complete, we know the first letter of the password is A. Boolean logic allows us to bruteforce each character of the password separately, which means it will only take about 5 minutes for a 30 character password using mixed case, numbers, and symbols.
An example SQL query would be: 

IF(SUBSTRING((SELECT value FROM settings WHERE id=’2′), 1, 1) = BINARY CHAR(‘A’), SLEEP(5), 0)

The coolest thing about this kind of attack is that if we output each attempt, we get a program that looks like it came out of a lame 90s hacker movie, except it actually works!
Both Xylitol and I individually exploited this vulnerability, so I’ve posted both of our exploits. 
And of course, nobody uses the same password for their hacking forum account as they do for their botnet panel. 
MalwareTech SBK – A Bootkit Capable of Surviving Reformat

Since i got into firmware hacking, I’ve been working on a little project behind the scenes: A hard disk firmware based rootkit which allows malware to survive an operating system re-install or full disk format. Unfortunately I can’t post a proof of concept for many reasons (people have even contacted …

Hard Disk Firmware Hacking (Final)

Core 2, I choose you. Less than 5 minutes after posting the last article, i discovered the final piece of my puzzle: a second CPU core. I was looking through my OpenOCD configuration when I realized it had a single tap definition hardcoded, so i decided to comment it out …

Hard Disk Firmware Hacking (Part 5)

“Discovery requires experimentation” This weekend I made a pretty big breakthrough which lead to me making a few smaller breakthroughs and ultimately negating most of my previous research. I’ve also learned that “not reinventing the wheel” isn’t always the best option, especially when it comes to trusting other people’s research. …