Posted: July 1st, 2010 | Author: Matt | Filed under: InfoSec, Research | 1 Comment »
In a galaxy far, far away….
I probably should have written this before the previous post but hey, if George Lucas can do it with Star Wars then I think I can wangle it on a blog post or two. Not that I’m comparing myself to old Mr. Lucas or anything….
So…PHP shells.
I have to thank Barry Irwin (@barryirwin) for most of the samples I now have in my collection. I had come across various shells in my ramblings around the Internet but it’s only while working on various phishing cases (I used to work for a large financial) that I came into a much wider variety.
The basic premise behind a PHP shell is to give a remote attacker a certain degree of control over a victim web server. There seem to be two common ways to “get shell” on a web server.
- Compromised FTP credentials
- A really crappy version of Joomla/WordPress/Pick your favourite CMS
- Remote file include vulnerabilities (see #2)
So if you see things like this in your web server log files, start worrying:
But we’re getting a little ahead of ourselves. We know a PHP shell is for remotely “controlling” a web server but what is it in detail ?
Most of the shells I have come across are a single PHP file, usually under 200Kb in size. The file is then interpreted by the web server as a PHP file giving the attacker functions such as (but by no means limited to):
- Uploading file
- Changing permissions on exiting files
- A simple “command line” to run commands on
- A simple but effective file browser
The interface will look something like this:
As you can see the interface is pretty intuitive and gives loads of useful information about the target machine.
By simply clicking on a few buttons or typing the odd command, you can execute commands and create directories and files to your hearts content. But there’s a catch !! (It’s not a very big catch at the end of the day). You can only execute commands etc. with the privileges of the user that the web server is running as (usually apache/www-data/vpsserveruseraccount).
However, that’s not going to stop the attacker running netcat (which is on just about ever version of *nix out there) on a high port (above 1024) and making a shell available on the local server. From there it’s trivial to escalate privileges from nobody to root. But that’s a story for another day.
Some of the more malicious shells include things like backdoors coded in C or Perl which drop a little backdoor onto the system. This will either allow the attacker to connect directly to a port running a basic shell or sorts, or failing that, a reverse shell out to a server that is under the attackers control.
More malicious “plugins” include things like:
- FTP/SSH brute forcers
- MySQL / Database frontends
You’re only really limited by what you can code in PHP…
Obfuscation
Another trend that I’ve seen in a few of the more “31337″ shells is the use of obfuscation within the code. What happens is that instead of a plain old PHP file, they will use the built in functions within PHP to obfuscate the code contained within. All this is at the end of the day are simple gzip or base64 encodings of the code (or a fun combination of the two). I’m not entirely sure why this happens. It can’t be for IDS evasion as the code is still interpreted and sent in the clear. It may be for server side anti-virus evasion, but this seems unlikely as well. If anyone knows the reasoning behind this, please get in touch…
Here’s an example of some of the obfuscation I’ve seen…
Decoding these samples is fairly straight forward so I won’t bore you with the details here again 
So, to wrap it all up, we have a simple PHP file that somehow lands up on a web server, giving the attacker a very easy to use interface to “manage” a web server. In my experience, I’ve only really seen these shells in use with phishing sites. One has to ask if it’s all part of the fraud ecosystem and if so, how it all fits together…but that’s a story for the sequel…or prequel perhaps…I don’t know…I don’t have a decent Jar-Jar character to ruin it all with…
Posted: June 12th, 2010 | Author: Matt | Filed under: InfoSec, Research | Tags: google, pdf, Research, security | 2 Comments »
How it all began.
Today I was trawling through my Gmail spam folder like a good little mail monkey when I came across a rather strange bit of spam. Usually you just get rubbish about making your manhood the size of a small country or the latest twitter/gmail support/facebook AV malware. Most of the time I just ignore the messages due to them being very boring and not really worth a coffee and a few hours in Terminal…
Today’s message was a little different. It was a very simple email with the subject line “New Resume” and one line in the body of the email saying “Please review my CV, Thank You!“. So, seeing as I have NO idea who the sender was and that there are no issues with the PDF format that I know of, I saved the PDF document to my desktop as I had a virtual machine I just knew the PDF would love immediately.
For what it’s worth, the email originated out of Korea / 121.50.250.98
Red Flag Number One
(As if a PDF document from an unknown person on your spam folder isn’t enough)
Before that though I fired up pdfid.py from @DidierStevens which told me there were two “OpenAction” items in the document (these turned out to be the Launch action type). So we know there are at least two possible malicious elements to this document. Next I fired up Vim (because I’m a die hard vim fan and would use it as a vehicle to get to the moon if I could). A quick scan of the document came up with a number of things I’d like to look into later:
- /URI(mailto:a@foo.be)
- /URI(http://www.foo.be/)
Note: I thought these first two items were just random noise that the attacker had placed into the document to make it look more legitimate, but as it turns out the document is actually a valid resume of Alexandre Dulaunoy (adulau). There were a couple of other references to Alexandre, I picked up on this one after parsing the document with pdf-parser.py
As it turns out, spammers had picked up his CV through a Google search and simply added the nasty payload to it. Kudos to Alexandre for putting up a message on his home page about the problem shortly after the problem started.
HUGE Red Flag Number Two
Object 81 (pdf-parser.py -f -o 81)
The Launch action type which runs “cmd.exe” with a bunch of VBS scripts should be more than enough evidence that this PDF is out to hurt someone…
Launch Action type
So clearly we have a malicious PDF document that’s using the Launch action to get the payload onto the machine and executed. Didier Stvens wrote Escape From PDF back in March and it’s already been used in the latest iterations of the Zeus bot. It seems someone has picked up on this and is using it in this PDF. What this does is it relies on the user to allow the execution of the Launch (cmd.exe) through a prompt that comes up when you open the PDF document. The attacker has “obfuscated” the output a little as can be seen here:
When the user clicks Open, the Launch action fires off cmd.exe which will then interpret the embedded VBScript files and drop the malicious payloads onto the machine. More on that later..
The funny thing to note here is that if you simply click “Do not open” the malicious code doesn’t execute. That is of course if the user hasn’t checked the box that says “Do not show this message again”…
You can even scroll up on this message window and see all the good stuff going on yourself:
Still, we can’t expect the user to be so savvy as to scroll the scroll button and do a little reading now can we ?
Virtual Machine Abuse.
So we have a PDF document that has malicious content. What do we do now ?
We fire up Vmware with a fairly unpatched version of Windows XP. I ran this PDF through Adobe Reader 8.2 and Foxit Reader 3.2. Foxit didn’t do anything as they have patched against the Launch action type.
Adobe was a slightly different story. While Adobe did prompt me as can be seen in the screenshots above, let’s pretend for a second that I am a normal user and I don’t read dialogs at all. I clicked Open or that I had seen this dialog previously and had checked the little box that says “Do not show this message again”…
Clicking “Open” triggered the Launch action type and dropped vbs1.vbs onto my desktop (I believe this is because the PDF was originally on my desktop). You’ll remember that the vbs1.vbs script was included in the PDF document. Here’s what vbs1.vbs looks like:
I haven’t had much chance to skill up on VBScript yet, but I believe the vbs1.vbs script creates a new file vbs2.vbs from the contents of the PDF document. I will confirm this once I’ve has some time to dig through both scripts a little more. It’s interesting to note that the second VBS file does look like it’s been obfuscated slightly. Either that or it’s just the way the file type is represented. If you have any input on this, please let me know…here’s a portion of vbs2.vbs:
Once the two VBScript files had run, an EXE was dropped onto the desktop which was then executed. I believe this EXE to be included in the PDF document as the output from tcpdump doesn’t show any traffic going out to the Internet to fetch anything. This was the malicious payload. A quick scan with Virus Total shows the executable to be Alureon or something similar. Quite a nasty trojan / DNS changer…I’ve chatted to Alexandre after the incident and he believes the dropper may be pulling different malware down each time it runs. I will probably test this over the weekend if I can find the time and bandwidth to do so.
After the bomb dropped.
So we now have a compromised machine with a trojan executable being run on the machine. I didn’t leave it to run for all that long as it’s probably not a wise thing to do. All of this through a PDF document that was opened on a Windows machine running a fairly old copy of Adobe Reader.
It’s interesting to note that the PDF document only had a detection rate of 31% on Virus Total and a fairly common trojan was used as the payload (80% detection rate on VT). Why not use something a little simpler/quieter/APTier (sorry, I used APT) ? I could be very wrong on this one. Perhaps the dropper does pull down different malware depending on what type of machine it’s run from.
When dealing with PDF documents you HAVE to have two tools by Didier Stevens. pdfid.py to identify the document and it’s contents and pdf-parser.py to do the actual analysis. I also use vim to do a quick scan through the raw PDF.
On the Windows side, I used CaptureBAT to monitor file and registry changes. This just confirmed that cmd.exe was executing and creating the vbs1 and vbs2 files on the local machine.
I also copied the VBScript files and executable off the machine for later analysis. Thankfully AV was triggered during analysis (Microsoft Security Essentials) so we know it works (kind of). But then again, it triggered a little too late if you ask me.
I’m sure there’s a lesson to be learned somewhere in here but I am more concerned with having a cold beer at this point in time.
Thanks to the following people:
Gmail / Alexandre Dulaunoy / Didier Stevens / Mikko hypponen / Barry Irwin
MD5sums:
PDF Document: cff871a36828866de1f42574be016bb8
vbs1.vbs: 7897e6b5f2443d254a5890a28ef88079
vbs2.vbs: 25c926b0ac7285c627a3988f0a8e49d9
exe.exe: 069d17b209ebd4bb0f63365089154dc2
Posted: June 10th, 2010 | Author: Matt | Filed under: InfoSec | Tags: brucon, conference, help me please, security | 1 Comment »
Ok..here’s my little plea for help
I’m hoping to go to Brucon this year due to a fluff with $airline previously. This was all going well, flights booked, travel from London to Brussels kind of planned, only one last thing to sort out…the ticket.
Now I thought it was going to be easy to pay for the Brucon ticket. Simply walk into $bank, say “I’d like to pay money into this bank account please” and it’s done. Alas because of fraud in our beloved country, I need an invoice as proof of said conference. Alas Brucon doesn’t provide invoices for the basic ticket which I have bought (mostly because I’m broke and can’t afford the business ticket). So I have no way to pay for $ticket.
So, this is my plea to anyone going to #Brucon who currently resides somewhere where it’s not a pain in the ass to pay the Brucon organizers:
1. Can I paypal you the fee of 150Euro for the ticket and you purchase the ticket on my behalf ?
2. Can you purchase said ticket for me and I will pay you le cash when I get to Belgium ?
(beers will be purchased as an extra “thanks for being awesome to a lonely .za hacker)
I know it’s a lot to ask but I really want to get across to Brucon this year…
If you’re keen to help out, please get hold of me…
Thanks
@z0nbi
Posted: June 9th, 2010 | Author: Matt | Filed under: InfoSec | Tags: cli, security, windows | No Comments »
So while I’m busy with the PDF article I’ve been writing and researching for the last couple of days I thought I’d chuck this out there.
WMIC or Windows Management Instrumentation Command-line was introduced with Windows XP and the Windows 2003 server family of operating systems.
What this allows a user to do is run various system admin commands from the command line. The kicker here is that not only can they be run on the local machine but with the /node switch, you can run commands on remote machines. While you can argue that you can do similar things with psexec, I am not here to argue. That and you have to download psexec..WMIC comes with Windows…woot !
So what exactly can you do with WMIC ?
The list is only really limited by your imagination and knowledge of WMIC and it’s various switches. The one main problem is that the documentation is fairly thin on the ground. Ed Skoudis has a really great webcast called Essential Windows Command-Line Kung Fu for Info Sec Pros which you can check out HERE…
Other than that and a fairly large amount of Googling, I’ve come up with this not altogether complete list of coolness:
Installed Applications –
wmic product list brief
List installed Patches –
wmic qfe list
List local drives –
wmic logicaldisk get caption,description,providername
Examine Auto Start Processes –
wmic /node: /user: startup list full
Find who is logged on to a computer –
wmic /node: /user: ComputerSystem Get UserName
Local user accounts –
wmic /node: /user: useraccount list full
Local group accounts –
wmic group list
OS summary –
wmic os get name, servicepackmajorversion
List printers –
wmic printer list status
Kill a process –
WMIC PROCESS where name=’evil.exe’ delete
NIC and IP address in use –
wmic nicconfig where IPEnabled=’true’
Change NIC to DHCP –
wmic /node:machinename nicconfig where Index=1 call EnableDHCP
Get shares –
wmic share list brief
Get processes that aren’t running from %WINDOWS% –
wmic PROCESS WHERE “NOT ExecutablePath LIKE ‘%Windows%’” GET ExecutablePath
Some of these can be very useful, especially when you’re running an assessment. I know there are a bunch more out there but I leave it to you
to find them. Mostly because I now wake up screaming Google at night and I need a break. If you find anything particularly neat, please hit me up and I’ll add it to my list.
Someone should really create a Wiki for Info-Sec stuff…just throwing that out there
Peas…
Posted: June 8th, 2010 | Author: Matt | Filed under: InfoSec | Tags: php, rat, security | No Comments »
So I’ve been doing some work on phishing sites of late and what usually accompanies a phishing site are the tools the hackers/crackers have used to “admin” the site. What usually happens (and feel free to correct me if I’m wrong) is a site will get compromised through sql injection/remote file include/local file include/$x and a “shell” will be loaded onto the web root somewhere. Of the samples I’ve found most are of the C99 or R57 variety with the odd “special” sample every now and again.
It’s the custom “special” samples as well as the more modified C99 samples that seem to have a little more “added” to them but that’s a story for another time. Let’s just say that you
wouldn’t want to a. have them running on your site or b. run them on a public facing “testing” server as they tend to be a little more mouthy than most of the vanilla PHP shells I’ve found.
But the whole point of this post is to explore the obfuscation being used in some of the samples. Way back when (not too long ago really), the shells I found were just plain old PHP scripts which allowed remote admin “access” to the server they were running on. Plain and (fairly) simple really. Upload the script and get the web server to run it and you had a fairly rudimentary shell on the server.
Lately though the shells have been obfuscating either pieces of their code or their entire code base, hiding their true nature. Now I thought this may have been to hide from things like WAFs or server side script checks but would that really work if the code is being parsed when the attacker reads the page in question ? I don’t think so…
Most of the samples I’ve found use either gzip compression or base64 encoding or a fun combination of the two to get the job done. Mostly this is because both methods are built into PHP or take very little work to get installed on most modern web servers. The resulting PHP code looks something like this:
As can be seen in this sample (truncated of course) the attackers have used a combination of gzip and base64 to hide their code. It’s fairly clear that someone looking at this code would really know what’s going on. I’d hazard a guess that even a trained “web developer” would look at this and go “wow..they’re compressing their code, it must be good stuff” and be on their merry little way. Or perhaps that’s just me being cynical…
All of the other samples I have are just variations of this theme…
So Jim, would you like to see what’s behind curtain number pwn ?
I’ve always been a fan of running code of malicious intent within virtual machines just to see what it does. This isn’t really possible or fun in this case. But @barryirwin did make a very good point in that it’s only a matter of time before a more malicious attackers leaves a fun little logic bomb in their PHP code that “explodes” unless it’s run under the right circumstances (Apache web server with PHP etc…). Still, how do we get to that obfuscated code ? It’s something I’ve been messing around with and I believe I’ve come right with. If you don’t think so, please let me know…I’d love some input on this one…
So let’s take the example code of:
PHP
eval(base64_decode(“CmVjaG8gIjwhLS0gdGhlIGJ1bm55IGlzIHJ1…
…
/PHP
What I’ve done is this…
PHP
$myFile = “myplaintext.txt”;
$fh = fopen($myFile, ‘w’) or die(“can’t open file”); # open that file for writing
$data = base64_decode(“CmVjaG8gIjwhLS0gdGhlIGJ1bm55IGlzIHJ1… # note the slight change from eval to $data
fwrite($fh, $data); # write decoded data out to my file handler variable
fclose($fh); # close file / clean up
/PHP
I then run this modified file through the PHP command line parser like so:
/usr/bin/php leetshell.php
What this does is leave me with a plain text file “myplaintext.txt” in the same working directory which should then be the decoded PHP script file. I can then look through this script file for other goodies like backdoors etc…
Fairly simple yes ? If there is a better/safer way of doing this, please let me know…
Hopefully this post has shed a little light on a fairly simple topic. PHP shells are still pretty prolific, certainly in the research I’ve been doing. With the prevalence of LAMP/WAMP stacks out there, as well as dodgy copies of Joomla/WordPress/$CMS I don’t seem them going away any time soon.
A big thanks to Barry Irwin/@barryirwin for pointers/you’re an idiot/sample files …
