Phase Bot – Exploiting C&C Panel

I’ve been withholding this article for a while, due to the fact that the minute I post it all the vulnerabilities will be patched, thus becoming useless to us; however, it turns out hacking all of the phase C&C panels has generated a bit of noise, resulting in the vulnerabilities being found and patched anyway.

Captcha Reuse

This is quite an easy mistake to make for someone not familiar with coding php: when the captcha image is loaded the session variable $_SESSION[‘captcha’] is set to the captcha code, each time the captcha image is loaded the $_SESSION[‘captcha’] variable is updated with the new captcha.
On page load, the browser will perform a GET request to captcha.php, resulting in a new image being returned and the session being updated with the new code.
The code checks the submitted captcha code with the one stored in the session, unfortunately if the login fails it doesn’t destroy the session variable; meaning that as long as you don’t perform a GET request to captcha.php, you can reuse the same captcha code indefinitely, allowing login bruteforcing.

Plaintext Passwords

Obviously, no command and control panel would be complete without storing passwords in plaintext; this isn’t a huge issue because there’s no way for an outsider to read from the SQL database, right?

SQL Inject

Another must have for your budding bot developer, the trusty old SQL injection vulnerability. 
The bot implements are really lame method of supporting reverse HTTP proxies: The proxy will set $_GET[“i”] to the urlencoded IP of the bot, which is then input to the database without any sanitization. Sadly, there is no error checking (also popular with bot developers), meaning we can’t just output the password (the injection is totally blind).
What we can do, is use boolean logic, that is, we ask the database a question and tell it to do something if the answer is true, and nothing if the answer is false. For example: “If the first character of the password is ‘A’, hang for 5 seconds, else do nothing”. If the request takes 5+ seconds to complete, we know the first letter of the password is A. Boolean logic allows us to bruteforce each character of the password separately, which means it will only take about 5 minutes for a 30 character password using mixed case, numbers, and symbols.
An example SQL query would be: 

IF(SUBSTRING((SELECT value FROM settings WHERE id=’2′), 1, 1) = BINARY CHAR(‘A’), SLEEP(5), 0)

The coolest thing about this kind of attack is that if we output each attempt, we get a program that looks like it came out of a lame 90s hacker movie, except it actually works!
Both Xylitol and I individually exploited this vulnerability, so I’ve posted both of our exploits. 
And of course, nobody uses the same password for their hacking forum account as they do for their botnet panel. 
Uncategorized
9
Why Open Source Ransomware is Such a Problem

A while back 2sec4u posted a poll asking if people considered open source ransomware helpful to detection and prevention, with 46% voting yes. Although the poll wasn’t limited to people working in the antimalware industry, 46% is scarily high. Trying to prove a point, help me out Twitter. Is open source ransomware helping …

Uncategorized
1
Mapping Mirai: A Botnet Case Study

Mirai is a piece of malware designed to hijack busybox systems (commonly used on IoT devices) in order to perform DDoS attacks, it’s also the bot used in the 620 Gbps DDoS attack on Brian Kreb’s blog and the 1.1 Tbps attack on OVH a few days later. Although Mirai isn’t even close to …

Uncategorized
1
Dridex Returns to the UK With Updated TTPs

With the exception of a few unconfirmed reports of Dridex targeting Baltic countries (which doesn’t make much sense economically), infection campaigns have ceased since mid August when Dridex briefly resumed spreading to propagate multiple new botnets aimed at Switzerland. This morning a friend of mine, Liam, reported receiving a malicious email which unusually didn’t …