Now that we have the key, we can use it to encrypt the file we want to upload and so impersonate a bot uploading a report. However, the C&C tries to make sure that only valid report files are ever uploaded, and what we want to upload is not a valid report file. We want to execute something on the server, so we need to upload an executable file that the server knows how to run. We know that the C&C uses .php files, so we will try to upload a PHP file too, which the PHP interpreter will execute on the server side. The server won't let us upload .php files, but there is a vulnerability in the C&C's code and a well-known technique to bypass the checks it performs on uploaded files. Below is the code that checks which file extensions are allowed.
As you can see, it doesn't allow us to upload any PHP file or .htaccess file, in addition to a lot of other possibly executable files. The problem is that this sort of very simple check can be easily bypassed. One of the most widely used bypass methods is a trailing dot after the file extension: instead of just filename.php we can use filename.php. (note the additional dot after the php). The PHP interpreter is quite liberal and will interpret it as a valid PHP file. With PHP we could execute a number of commands on the server, but in our case we would like to get access to the control panel, so we will use a PHP web-shell (we have talked about web-shells in a previous blog), which will allow us to browse the filesystem, interact with the backend database, and (possibly, depending on the server configuration) execute system commands.
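The check the post describes is an extension blacklist, and the trailing-dot trick works precisely because the blacklist compares a raw extension string while the filesystem and web server see a different name. The following is an added example, not the C&C's code nor the original post's: a generic blacklist check of that kind next to an allowlist validator that canonicalises the name before deciding. The blocked list, the allowed report extensions (`bin`, `txt`, `log`) and the function names are assumptions chosen for the example.

```php
<?php
// Added example; not the C&C's actual upload filter (that code is not on the page).

// A generic extension blacklist of the kind the post describes (assumption:
// reconstructed for illustration, not the real C&C source).
function naiveBlacklistAllows(string $name): bool
{
    $blocked = ['php', 'phtml', 'php3', 'htaccess'];
    // pathinfo() takes the text after the LAST dot, so "shell.php." yields ""
    // and the comparison below never sees "php".
    $ext = strtolower(pathinfo($name, PATHINFO_EXTENSION));
    return !in_array($ext, $blocked, true);
}

// Allowlist validator: reject anything that is not a canonical "<stem>.<ext>"
// with an explicitly permitted extension.
function isSafeReportName(string $name): bool
{
    $allowed = ['bin', 'txt', 'log'];           // assumption: report formats we accept

    // Control characters (including NUL) never belong in an uploaded name.
    if ($name === '' || preg_match('/[\x00-\x1f\x7f]/', $name)) {
        return false;
    }
    // Strip any directory component the client sent, on either separator.
    $base = basename(str_replace('\\', '/', $name));
    // Dotfiles (.htaccess, .user.ini) are configuration, not reports.
    if ($base === '' || $base[0] === '.') {
        return false;
    }
    // Windows/NTFS drops trailing dots and spaces, so "shell.php." lands on disk
    // as "shell.php". If normalisation changes the name, it was not canonical: reject.
    $norm = strtolower(rtrim($base, ". "));
    if ($norm !== strtolower($base)) {
        return false;
    }
    // Exactly one extension, so double extensions like "a.php.txt" are rejected too.
    $parts = explode('.', $norm);
    if (count($parts) !== 2) {
        return false;
    }
    if (!preg_match('/^[a-z0-9_-]{1,64}$/', $parts[0])) {
        return false;
    }
    return in_array($parts[1], $allowed, true);
}

// Even with a valid name, store under a server-chosen name so the client never
// controls the path; keep the directory outside the web root.
function storedNameFor(string $name): string
{
    $ext = explode('.', strtolower($name))[1];
    return bin2hex(random_bytes(16)) . '.' . $ext;
}

// Self-check with constructed names.
$cases = [
    'report.bin' => true,
    'Report.BIN' => true,
    'shell.php'  => false,
    'shell.php.' => false,   // trailing-dot bypass from the post
    '.htaccess'  => false,
    'a.php.txt'  => false,
    '../x.bin'   => true,    // directory part is discarded, stem "x" is fine
];
foreach ($cases as $n => $expected) {
    assert(isSafeReportName($n) === $expected, "unexpected result for $n");
}
assert(naiveBlacklistAllows('shell.php.') === true);   // the blacklist lets it through
assert(isSafeReportName('shell.php.') === false);      // the allowlist does not
echo "all checks passed\n";
```

The two decisions that matter are the allowlist (only names that are known-good pass, rather than names that are not known-bad) and canonicalising before comparing, so that the validator judges the name the filesystem will actually use. Generating the stored name server-side removes the attacker's control over where the file ends up, which is the other half of the chain described later in the post.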
Now we have everything we need to compromise the C&C server: the RC4 key, the file we want to upload (the web-shell), and a way to bypass the checks. By default, Zeus C&Cs use gate.php to receive the reports, and they store these reports in the C&C's IP/_reports/files/BOTNET_ID/BOTID/ directory.
Since we are impersonating a bot, we control both the BOTNET_ID and BOTID values, so we can predict where our uploaded file will end up. All we have to do after uploading our file is to browse to this location and our code will be executed.
After we browse to the uploaded file, we are presented with a web-shell.