“Pwning SpyEye” – I wrote this paper after the release of 1.2.X on underground forums, but I have seen it under other names. That's why the scene is so weak - because there is plagiarism and it goes unpunished.
1. What do we need?
- Computer preferably running Linux, net connectivity, a browser
- One SpyEye 1.2.X C&C center (works on 1.3.X too)
- Sqlmap (requires Python)
- A brain
II. The compromise
1. Locating your target
The best way to do this is to reverse engineer the SpyEye builder/bins or simply look at your network traffic after infecting yourself (Wireshark etc.). You can also social engineer the botnet master into revealing his IP/domain name, but that will be a different article on social engineering.
After we know the SpyEye C&C (e.g. the-new-social-network.com/h0s7/), if you start looking through SpyEye 1.2.X (works on 1.3.X too) you will notice many vulnerabilities including XSS, CSRF, SQL etc., but the most interesting of all is the SQLi (SQL injection) one. For this example I will be using frm_findrep_sub2.php, which is vulnerable. An example path would be the-new-social-network.com/h0s7/p4n3l/frm_findrep_sub2.php. So we navigate to:
and we receive an error… interesting! But if we try
“Not found” is displayed back. There is no need to do it manually (except if the server has strict firewall rules/IDS/IPS), which is why we will be using a tool called SQLmap, which is as lame as Havij.
After it has finished we launch a second attack, but this time guessing the path (it can be guessed by identifying the server OS). You can do a "nc IP 80" and then type "HTTP 1.1/200 OK" and see the OS name, or "nc IP 22" for SSH. Of course ports might be changed, so it's best to run an nmap scan.
Now check the directory that sqlmap.py is in… pwn3d. Now you have the botnet MySQL credentials, but in order to compromise the box we must upload a shell or get a reverse/bind connection.
3. Gaining access – uploading a shell
To upload a shell we can either check for phpMyAdmin (the default directories are phpMyAdmin or phpmyadmin) or try logging in by connecting to the port given in config.php (3306 by default for MySQL). If you have the time and nerve and are not lazy with SQL injections, you can manually expose the current directory. After connecting by the preferred method we run this query:
Note: PHP SHELL SOURCE HERE has to be replaced with your PHP shell source (c99, r57 or a custom PHP upload script).
Now go to http://the-new-social-network.com/h0s7/p4n3l/kns.php and see your PHP shell uploaded. A basic rooting tutorial will be created and a link will be posted as a continuation of this.
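As an added detection-side example (not part of the original paper), here is a small Python log analyser that flags the kind of probing described above in a panel's web access logs: scanner user-agents, SQL metacharacters in query strings, and a previously unseen .php path fetched afterwards by the same client, which is what a dropped webshell looks like from the server side. The log lines are constructed sample data; the paths reuse the paper's example paths.

```python
import re
from urllib.parse import unquote_plus

# Constructed Apache combined-format sample lines (not real traffic).
SAMPLE_LOG = """\
10.0.0.5 - - [01/Jun/2011:12:00:01 +0000] "GET /h0s7/p4n3l/frm_findrep_sub2.php?id=1 HTTP/1.1" 200 512 "-" "Mozilla/5.0"
10.0.0.9 - - [01/Jun/2011:12:00:02 +0000] "GET /h0s7/p4n3l/frm_findrep_sub2.php?id=1' HTTP/1.1" 500 210 "-" "Mozilla/5.0"
10.0.0.9 - - [01/Jun/2011:12:00:03 +0000] "GET /h0s7/p4n3l/frm_findrep_sub2.php?id=1%27%20AND%201=1--%20 HTTP/1.1" 200 512 "-" "sqlmap/0.9 (http://sqlmap.sourceforge.net)"
10.0.0.9 - - [01/Jun/2011:12:00:09 +0000] "GET /h0s7/p4n3l/kns.php HTTP/1.1" 200 3200 "-" "Mozilla/5.0"
"""

# Combined log format: ip ident user [ts] "method path proto" status size "referer" "ua"
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"'
)
# Crude but useful: quotes, UNION/SELECT, comment markers, sleep(), INTO OUTFILE.
SQLI_RE = re.compile(r"('|\bunion\b|\bselect\b|\bsleep\(|--|/\*|\binto\s+outfile\b)", re.I)
TOOL_UA_RE = re.compile(r"sqlmap|havij", re.I)


def analyze(log_text):
    """Return a list of (ip, reason, script_path) findings in log order."""
    findings = []
    suspicious_ips = set()   # clients already seen injecting
    seen_paths = set()       # scripts requested before (baseline of the panel)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ip, ua = m["ip"], m["ua"]
        script, _, query = m["path"].partition("?")
        decoded = unquote_plus(query)  # catch %27, %20 etc.
        if TOOL_UA_RE.search(ua):
            findings.append((ip, "scanner user-agent", script))
            suspicious_ips.add(ip)
        if SQLI_RE.search(decoded):
            findings.append((ip, "sql metacharacters in query", script))
            suspicious_ips.add(ip)
        elif (ip in suspicious_ips and script.endswith(".php")
              and script not in seen_paths and m["status"] == "200"):
            # A new PHP file appearing right after injection attempts: likely a written webshell.
            findings.append((ip, "possible dropped webshell: new php path after injection", script))
        seen_paths.add(script)
    return findings


if __name__ == "__main__":
    for ip, reason, path in analyze(SAMPLE_LOG):
        print(f"{ip}\t{reason}\t{path}")
```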
SQLmap - http://sqlmap.sourceforge.net/