Projects STRLCPY 3sjay-sploits Commits 5e482153
    plague_botnet_rce_writeup.md
    skipped 2 lines
    3 3  Why build when you can borrow ;P? On a serious note, I like to have a look at the vulnerabilities of offensive tools. I did look at botnet panels a few years ago and thought that it was time again to do so.
    4 4   
    5 5   
    6  -In this post we'll have a look at the Plague Botnet. You can find it with your favorite search engine or you can take my package where you can easily run it with docker-compose.
     6 +In this post we'll have a look at the Plague Botnet. You can find it with your favorite search engine.
    7 7  While doing static analysis I find it crucial to have a setup where I can test/debug stuff so nowadays I do that first, so take your time to set it up properly if you want to follow along.
    8 8   
    9 9   
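Review bot: the added line drops the pointer to the docker-compose package without replacing it, yet the unchanged line right after it still tells readers to "take your time to set it up properly if you want to follow along". Either state where a test instance of the panel can be obtained and run, or reword that follow-on sentence so it no longer assumes a setup the post no longer describes.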
    skipped 39 lines
    49 49   
    50 50   
    51 51   
    52  -Ok, vuln number two, oh man this shit is so full of vulns that at some point I just stopped looking. Anyway, persistent XSS is in my opinion another good way to at least make a botnet takeover (creating new admin user, leaking all the data, deleting all the malware on the clients, (push new stuff *evill grin*)) ... there are so many options and I will demonstrate this a bit further when we look at another panel in a later post)
     52 +Ok, vuln number two, oh man this shit is so full of vulns that at some point I just stopped looking. Anyway, persistent XSS is in my opinion another good way to at least make a botnet takeover (creating new admin user, leaking all the data, deleting all the malware on the clients, (push new stuff \*evil grin\*)) ... there are so many options and I will demonstrate this a bit further when we look at another panel in a later post)
    53 53   
    54 54  As already mentioned, the operator most often does have a panel to see how many clients are there, what OS do they have what AV and so on and so on. This data is of course taken from the client and if not properly sanitized might lead to all kind of injection scenarios.
    55 55   
    56  -The first persistend XSS was in commands.php, the script the client sends it's data back/interacts with the botnet panel.
     56 +The first persistent XSS was in commands.php, the script the client sends it's data back/interacts with the botnet panel.
    57 57   
    58 58  ```php
    59 59  # commands.php : 4
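Review bot: the added "persistent XSS" line still has "the script the client sends it's data back", which should be "its data" (possessive, no apostrophe), and the clause reads more clearly as "the script through which the client sends its data back to, and interacts with, the botnet panel". The escaping of the asterisks and the "evill" fix in the other added line look correct.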
    skipped 23 lines
    83 83  }
    84 84  ```
    85 85   
    86  -in commands.php QueueCommand() function is called with the fully controllable $GUID. Then the LogStr() function is called which eventually writes the still unsanitized, totally controllable input into the file. ... but they wouldn't also just display the data, would they? *Insert Anakin meme*
     86 +in commands.php QueueCommand() function is called with the fully controllable $GUID. Then the LogStr() function is called which eventually writes the still unsanitized, totally controllable input into the file. ... but they wouldn't also just display the data, would they? \*Insert Anakin meme\*
    87 87   
    88 88  so you can just use curl or the below python script to trigger a XSS PoC, writing a good payload is left as an exercise to the reader.
    89 89   
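Review bot: the added line still starts lowercase ("in commands.php ..."); capitalise it. Since this line carries the core of the finding (QueueCommand() called with the fully controllable $GUID, LogStr() writing it unsanitized to a file that the panel later displays), it would help to name the missing control explicitly: output encoding (htmlspecialchars() or equivalent) when the log is rendered, plus validation of $GUID on input.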
    skipped 10 lines
    100 100  print(r.text)
    101 101  ```
    102 102   
    103  -SCREENSHOT panel
    104  - 
    105  - 
    106 103   
    107 104  And this isn't the only place where this method will work, also the client data displayed in the panel is just the same, but as they fucked up the database config / insert into process, this does not work on my version per default and I was to lazy to fix it.
    108 105   
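Review bot: the three removed lines take out the "SCREENSHOT panel" placeholder without adding the screenshot, so the PoC section now ends at the script output with no evidence of the rendered result; either attach the image or add one sentence describing what the panel shows. The unchanged line below also has "I was to lazy", which should be "too lazy".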
    skipped 54 lines
    163 160  * How can we increase the likelyhood?
    164 161   
    165 162   
    166  -While the first two factors are debatable, we can of course increase the likelyhood of a hit when uploading more files. Therefore the strategy is simple: 1. Prepare our evil php code, upload ~200 files (you can increase that of course if you want to), and then try to find one of our shells. Easy. Here's the full exploit script, I recommend using it ethically *laught*
     163 +While the first two factors are debatable, we can of course increase the likelyhood of a hit when uploading more files. Therefore the strategy is simple: 1. Prepare our evil php code, upload ~200 files (you can increase that of course if you want to), and then try to find one of our shells. Easy. Here's the full exploit script, I recommend using it ethically \*laught\*
    167 164   
    168 165   
    169  -And some example run:
     166 +And an example run:
    170 167  ```bash
    171 168  esjay@g Plague-Release % python3 sploit.py http://localhost:8200
    172 169  [*] Uploading files ...
    skipped 107 lines