Zemra DDoS Bot: Backdoors in your Backdoors!

So, today I grabbed a sample of the leaked “Zemra” botnet source code, and quickly did a “10 second analysis” of the webpanel's source code. I often do this to see if I can locate any “GLARING SECURITY FLAWS” in the C&C. I am also working on finding a google-dork to find Zemra installations.

For information about Zemra the following links are useful :)
http://www.symantec.com/connect/blogs/ddos-attacks-zemra-bot
http://threatpost.com/en_us/blogs/new-crimeware-bot-zemra-behind-ddos-attacks-062712
http://thehackernews.com/2012/06/zemra-botnet-leaked-cyber-criminals.html
http://news.softpedia.com/news/Zemra-DDOS-Crimeware-Kit-Used-to-Extort-Organizations-278041.shtml

So. This was on sale in various places online (Russian forums apparently), however I suspect (based on the backdoor and the fact it is written in C#) that it is German in origin. Some of the stuff in there seems to be German also, so I assume it is another product of the German Skid Scene. Basically “Rippers Inc”. LAME!

Anyway, I was looking at the webpanel's source (I will eventually rip the bot's source apart) and noticed that gate.php has some lulzy SQLi (possibly).

Far more interesting was the backdoor. Located at /Zemra/Panel/Zemra/system/command.php, it is your basic “BACKDOOR”. It takes the GET parameter “cmd” and executes it.

Example: localhost/Zemra/Panel/Zemra/system/command.php?cmd=cat /etc/passwd
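If you run a web server and want to know whether anyone has been poking at a Zemra panel's command.php on it, the request pattern above (a GET to `system/command.php` carrying a `cmd` parameter) is trivial to pick out of an access log. The following is an added example, not code from the original post or from the Zemra panel; the log lines are constructed in Apache/nginx "combined" format, and the path is matched as a suffix because the panel can sit under any document root.

```python
"""Scan web server access logs for hits on the Zemra panel's command.php
backdoor (GET parameter "cmd" executed server-side).

Added example; not part of the original post or the Zemra code. The
log lines below are constructed for illustration, not real traffic.
"""
import re
from urllib.parse import urlsplit, parse_qs

# Apache/nginx "combined" format:
# ip - - [time] "METHOD target HTTP/x" status bytes "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+'
)

# Path the post names for the backdoor, matched as a suffix so the check
# works whatever directory the panel was deployed under.
BACKDOOR_SUFFIX = "/system/command.php"


def parse_line(line):
    """Return a dict of log fields, or None if the line is not combined format."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def cmd_parameter(target):
    """Return the (percent-decoded) cmd value if target is a command.php
    request carrying a cmd parameter, else None."""
    parts = urlsplit(target)
    if not parts.path.lower().endswith(BACKDOOR_SUFFIX):
        return None
    # parse_qs percent-decodes values; keep_blank_values so "?cmd=" still counts
    qs = parse_qs(parts.query, keep_blank_values=True)
    return qs["cmd"][0] if "cmd" in qs else None


def is_backdoor_hit(target):
    """True if the request target is command.php with a cmd parameter."""
    return cmd_parameter(target) is not None


def find_backdoor_hits(lines):
    """Return (ip, time, decoded cmd value, status) for each suspicious request.
    Unparseable lines are skipped rather than raising."""
    hits = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        cmd = cmd_parameter(rec["target"])
        if cmd is None:
            continue
        hits.append((rec["ip"], rec["time"], cmd, int(rec["status"])))
    return hits


# Constructed sample log lines (not real traffic; RFC 5737 documentation addresses).
SAMPLE_LOG = [
    '203.0.113.5 - - [10/Jul/2012:13:55:36 +0000] "GET /Zemra/Panel/Zemra/system/command.php?cmd=cat%20/etc/passwd HTTP/1.1" 200 1832 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [10/Jul/2012:13:56:01 +0000] "GET /Zemra/Panel/Zemra/index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '203.0.113.5 - - [10/Jul/2012:13:57:12 +0000] "GET /Zemra/Panel/Zemra/system/command.php?cmd=id HTTP/1.1" 200 64 "-" "curl/7.26.0"',
    '192.0.2.9 - - [10/Jul/2012:13:58:40 +0000] "POST /Zemra/Panel/Zemra/gate.php HTTP/1.1" 200 12 "-" "-"',
    "garbage line that does not parse",
]

if __name__ == "__main__":
    for ip, when, cmd, status in find_backdoor_hits(SAMPLE_LOG):
        print(f"{when} {ip} status={status} cmd={cmd!r}")
```

A hit from an IP that is not your own administrator is worth treating as a compromised host, since the panel only exists on a machine that is already running the C&C, and the `cmd` value in the log tells you exactly what was run there.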

I will be researching this in greater depth… Sometime in the near-ish future. But as always, there be backdoors in your backdoors!

Finally: Zemra.rar file is here: Zemra

Short Post – Smart 0day Hunting

Ok, so I had to notice the “Sammy FORGIT” guy dropping exploits all over Packetstorm and Exploit-DB lately. Most of them in WordPress plugins. You can check out the shit he is dropping here – http://packetstormsecurity.org/files/author/9818/

So, I had to take a look to see if I could notice any “trick” he was using to find ALL THOSE VULNZ! I want the 0day too!

Let's look at two of the exploits as an example – if you look at more of them there IS a discernible pattern, I promise you.

http://packetstormsecurity.org/files/113844/WordPress-LB-Mixed-Slideshow-1.0-Shell-Upload.html

http://packetstormsecurity.org/files/113898/e107-Hupsi-Fancybox-1.0.4-Shell-Upload.html

Now, what part of both of those is the vuln in?
/uploader/uploadify.php
/uploadify/upload.php
Now, is this just me, or are both using the Uploadify library?
Could be a coincidence, but I must look deeper! I must find MORE examples of this!

This file explains it:

http://packetstormsecurity.org/files/113576/WordPress-plugin-Foxypress-uploadify.php-Arbitrary-Code-Execution.html

So it is the “uploadify.php” file that is buggy as hell. Let's find more examples of this!

http://packetstormsecurity.org/files/113568/WordPress-Auctions-2.0.1.3-Shell-Upload.html

-> It has “vuln path” of uploadify/upload.php

http://packetstormsecurity.org/files/113283/WordPress-Foxypress-Shell-Upload.html

-> Has “vuln path” uploadify/uploadify.php

http://packetstormsecurity.org/files/113277/WordPress-HTML5-AV-Manager-0.2.7-Shell-Upload.html

-> Has “vuln path” uploadify/custom.php

http://packetstormsecurity.org/files/113274/WordPress-WP-Property-1.35.0-Shell-Upload.html

-> Has “vuln path” uploadify/uploadify.php

So, as you can see, all these use the “Uploadify” PHP library to handle file uploads. This library is the vulnerability that makes ALL these plugins buggy.
ANY software using a vulnerable library like that is vulnerable to this bug.
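The flip side of that for anyone running a WordPress site is that the thing to hunt for in your own install is not a plugin name but the bundled library: every copy of the Uploadify server-side handler is a copy of the bug, whatever plugin it came in with. The following is an added example, not code from the original post or any of the plugins it names; it inventories a plugins directory for the handler files listed above (uploadify.php, upload.php, custom.php under an uploadify/ or uploader/ directory). The plugin tree it walks is constructed in a temp dir for the demo, with made-up plugin slugs.

```python
"""Inventory a WordPress plugins directory for bundled copies of the
Uploadify server-side handler, so each instance can be patched or removed.

Added example; not code from the original post or from any plugin named
there. The handler file names and library directory names are the ones
the post's list of "vuln paths" shows; the plugin tree below is constructed.
"""
import os
import tempfile

# Server-side handler file names seen in the post's list of vuln paths.
HANDLER_NAMES = {"uploadify.php", "upload.php", "custom.php"}
# Directory names the handlers were found under in that list.
LIB_DIRS = {"uploadify", "uploader"}


def find_uploadify_handlers(plugins_root):
    """Return sorted (plugin, relative_path) pairs for each bundled handler.

    plugin is the top-level directory under plugins_root; relative_path is
    the handler's path relative to plugins_root, with forward slashes.
    """
    found = []
    for dirpath, _dirnames, filenames in os.walk(plugins_root):
        # Only look inside directories that are the library's own folder,
        # so an unrelated upload.php elsewhere in a plugin is not reported.
        if os.path.basename(dirpath).lower() not in LIB_DIRS:
            continue
        for name in filenames:
            if name.lower() in HANDLER_NAMES:
                full = os.path.join(dirpath, name)
                rel = os.path.relpath(full, plugins_root)
                plugin = rel.split(os.sep, 1)[0]
                found.append((plugin, rel.replace(os.sep, "/")))
    return sorted(found)


def build_demo_tree(root):
    """Create a constructed plugin layout mirroring the paths from the post.
    Plugin slugs are made up; file contents are placeholders."""
    layout = [
        "lb-mixed-slideshow/uploader/uploadify.php",
        "wp-auctions/uploadify/upload.php",
        "foxypress/uploadify/uploadify.php",
        "html5-av-manager/uploadify/custom.php",
        "wp-property/uploadify/uploadify.php",
        "clean-plugin/clean-plugin.php",       # no Uploadify at all
        "other-plugin/assets/upload.php",      # upload.php, but not an Uploadify dir
    ]
    for rel in layout:
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w") as fh:
            fh.write("<?php // constructed placeholder, no real code\n")
    return layout


def demo():
    """Build the constructed tree and return the inventory it produces."""
    with tempfile.TemporaryDirectory() as root:
        build_demo_tree(root)
        return find_uploadify_handlers(root)


if __name__ == "__main__":
    for plugin, path in demo():
        print(f"{plugin:20s} {path}")
```

Point `find_uploadify_handlers` at a real `wp-content/plugins` directory to get the list for a live site; the same walk works for any other PHP application that vendors the library, which is the whole point of the pattern above.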

So what does this all mean? Well, if you want the 0day to flood in, you should do as Sammy does. Look for libraries a lot of things use, and find vulns in THEM. The product may be secure, but its libraries are likely not. This way, you canhaz ALL the 0day you ever needed.

Now, excuse me while I SVN checkout the entire repo of WordPress plugins :P

Web Malware Collection – Massive Change

Insecurety Research has maintained a repository of web malware over at Google Code for a considerable amount of time, so independent researchers could get samples for analysis.

We always offered it as a SVN repo, where anyone could anonymously check out the whole collection, or selected samples, at will.

Those days, sadly, have come to an end.

Due to a researcher from nerv.fi creating an issue about it – see here – we ended up deciding to come to a compromise, lest we get suspended or something.

We now offer the entire repository as an archive downloadable here instead of a SVN repository, and every time we get 50 new samples in the bag, we will update the tar file.

Simply wget http://web-malware-collection.googlecode.com/files/web-malware-collection-13-06-2012.tar.gz to get the current one. We will post every time we release a new one.

This project has been one of our proudest achievements, and we are very sorry to see it crippled in this way; however, as we all know, we must adapt in order to survive. While Henri has a legitimate complaint, we believe that these samples STILL belong to the public.

Human knowledge belongs to the world, after all, and information ALWAYS wants to be free.

Symantec Web Gateway 5.0.2 Remote Root Exploit

So I was browsing the net and happened across Muts’ latest PoC – an LFI bug in Symantec Web Gateway, which he claims gives remote root. You can see it here: Exploit DB

I read the exploit code and noticed, while beautifully elegant, it is a little bit of a pain in the ass to use, as you must edit it every single time.

I also was in the mood to knock up a quick bit of python, so here is what I made: Pastebin – Exploit Code

It is not the best, but was just my attempt to make the exploit code Muts provided a little better in the usability stakes :)

I have no Symantec WebGateway to test it in, but it should do the trick ;)

Anyway, that's it. All credit to Muts for finding the bug and writing the original exploit code; all I am doing is improving it. Will likely do this a lot for fun and to keep my programming skills sharpened :D

~infodox

Migration to WordPress: not as easy as it looked…

So, when I thought “Let's move to stage two, migrate the site to a WordPress CMS”, I figured it would be fairly simple.

LOL, NO! Nothing is ever that simple. The host would not update PHP/MySQL because the ability to run WordPress was a “paid extra”. OK, fine.

Challenge Accepted Motherfuckers!

I mean seriously. Bitch, please. You tell me, a fucking hacker, that I cannot run WordPress on my own account because you want me to PAY for updates?

“So, how long did it take to make WordPress run?”

2 minutes. I basically patched wp-content/version.php to accept MY versions of PHP/MySQL instead of the hard coded minimums. It then worked.

Then came the challenge of lrn2wordpress. Themes, etc. Or rather, remembering why the fuck I installed it in the first place…

Anyways, gotta migrate content…