add. exploit module for agent tesla panel rce #12277
This module exploits the command injection vulnerability in the control center of Agent Tesla.
Resources for testing are available here:
I used a WAMP server 3.1.9 x64 configured with PHP version 5.6.40 (for ionCube compatibility).
I used a Debian 9 on which I installed PHP version 5.6.40 (for ionCube compatibility).
A proxy chain of format type:host:port[,type:host:port][...]. It's optional.
The target IP address on which the control center responds.
The target TCP port on which the control center responds. Default: 80
Negotiate SSL/TLS for outgoing connections. Default: false
The base URI path of the control center. Default: '/WebPanel'
The target HTTP server virtual host.
I used https://cybercrime-tracker.net/ to search for Tesla C2s.
And I found sources of the WebPanels on the following:
I selected 3 WebPanels of different versions, which you can find HERE.
The initial exploit found is subtle, using PHP Object Injection mixed with an SQL injection in this panel page: "/WebPanel/server_side/scripts/server_processing.php".
This is present in WebPanel1.7z.
But in every other panel I found, I read this fix:
It seems the Agent Tesla developer added a check (at the top) that we must be authenticated to read the page.
But he did not sanitize the variables $_GET['where'] and $_GET['clmns']. So the patch is not a patch, because the exploit still works fine once you are authenticated.
I deduced this because the file timestamps between the three panel's provided above are consistent.
I added support for this possibility in this module.
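To make the point above concrete from the defender's side, here is an added example (not code from the Agent Tesla panel or from this module) of what the missing fix looks like: an authentication check alone does nothing about `clmns` and `where` reaching the query, so the column list must be allowlisted and the filter value bound as a parameter. The table name, the column names and the filter parameter names are assumptions; the code is written to stay PHP 5.6 compatible.

```php
<?php
// Added example, not the panel's or the module's code. It shows the pattern the
// PR describes (clmns/where flowing into SQL) fixed by allowlisting and binding,
// independent of whether the caller is authenticated.

// Columns the page is allowed to select or filter on (assumed names).
$ALLOWED_COLUMNS = array('id', 'hwid', 'username', 'computer', 'ip', 'date');

// Validate a comma-separated column list: every entry must be on the allowlist,
// so no identifier or SQL fragment from the request is ever interpolated.
function safe_columns($clmns, array $allowed)
{
    $cols = array_map('trim', explode(',', $clmns));
    foreach ($cols as $c) {
        if (!in_array($c, $allowed, true)) {
            throw new InvalidArgumentException("unknown column: $c");
        }
    }
    return $cols;
}

// Replace a free-form WHERE clause by a fixed "column = value" filter. The
// column comes from the allowlist, the value is passed as a bound parameter.
function build_query(array $cols, $filter_col, $filter_val, array $allowed)
{
    if (!in_array($filter_col, $allowed, true)) {
        throw new InvalidArgumentException("unknown filter column: $filter_col");
    }
    $quoted = array_map(function ($c) { return "`$c`"; }, $cols);
    $sql = 'SELECT ' . implode(', ', $quoted)
         . ' FROM `clients` WHERE `' . $filter_col . '` = :val';
    return array($sql, array(':val' => $filter_val));
}

// Usage after the existing auth check ($pdo is an assumed PDO connection):
$clmns      = isset($_GET['clmns']) ? $_GET['clmns'] : 'id';
$filter_col = isset($_GET['filter_col']) ? $_GET['filter_col'] : 'id';
$filter_val = isset($_GET['filter_val']) ? $_GET['filter_val'] : '';
try {
    list($sql, $params) = build_query(
        safe_columns($clmns, $ALLOWED_COLUMNS), $filter_col, $filter_val, $ALLOWED_COLUMNS
    );
    // $stmt = $pdo->prepare($sql);
    // $stmt->execute($params);
} catch (InvalidArgumentException $e) {
    http_response_code(400);
    echo 'bad request';
}
```

A request that passes a raw SQL fragment in `clmns` or a filter column outside the list now fails with a 400 before any query is built, which is the behaviour the timestamp-only "fix" described above never provided.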