WeBaCoo

WeBaCoo (Web Backdoor Cookie) is a web backdoor script-kit that aims to provide a stealthy terminal-like connection over HTTP between a client and a web server. It is a post-exploitation tool for maintaining access to a compromised web server.

WeBaCoo was designed to operate under the radar of modern, up-to-date AV, NIDS, IPS, network firewalls and application firewalls, providing a stealthy mechanism for executing commands on the compromised server. The obfuscated communication is carried in the Cookie field of the HTTP headers of valid client requests and the corresponding web server responses.

The script-kit has two main operation modes: generation and "terminal". In generation mode, the user creates the backdoor code containing the PHP payloads. In the remote "terminal" mode, the client connects to the compromised server into which the backdoor PHP code has been injected. To establish the remote "pseudo"-shell, the user must provide the URL path on the server that contains the injected code.
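From a defender's side, the covert channel described above (commands carried in Cookie header values, base64-obfuscated, with dummy spaces inserted as the 0.1.4 changelog entry notes) suggests a log-review heuristic. The following Python is an added example, not code from WeBaCoo or from this page: it assumes nothing about WeBaCoo's exact wire format and scans constructed log lines of the hypothetical form "<client> Cookie: <header>" for cookie values that are base64-alphabet tokens split by whitespace or that decode cleanly to printable text.

```python
import base64
import binascii
import re

# RFC 6265 cookie values never contain whitespace, so a base64-alphabet
# token broken up by spaces is itself a signal worth flagging.
B64_TOKEN = re.compile(r"^[A-Za-z0-9+/]+={0,2}$")


def parse_cookie_header(header: str) -> dict:
    """Split 'a=1; b=2' into a dict, keeping raw values (whitespace included)."""
    parts = [p.strip().partition("=") for p in header.split(";")]
    return {name: value for name, sep, value in parts if sep}


def suspicious_reasons(value: str, min_len: int = 12) -> list:
    """Heuristic checks for a cookie value that looks like an encoded channel."""
    reasons = []
    collapsed = re.sub(r"\s+", "", value)
    if len(collapsed) < min_len or not B64_TOKEN.match(collapsed):
        return reasons
    if collapsed != value:
        reasons.append("whitespace inside base64-alphabet token")
    try:
        decoded = base64.b64decode(collapsed, validate=True)
    except (binascii.Error, ValueError):
        return reasons  # not valid base64 once whitespace is removed
    printable = sum(32 <= b < 127 for b in decoded)
    if decoded and printable / len(decoded) > 0.95:
        reasons.append("decodes to printable text")
    return reasons


def scan_log(lines: list) -> list:
    """Scan lines of the hypothetical form '<client> Cookie: <header>'."""
    hits = []
    for line in lines:
        client, _, header = line.partition(" Cookie: ")
        for name, value in parse_cookie_header(header).items():
            reasons = suspicious_reasons(value)
            if reasons:
                hits.append({"client": client, "cookie": name, "reasons": reasons})
    return hits


# Constructed sample traffic; the encoded value is a placeholder, not a real payload.
_ENCODED = base64.b64encode(b"constructed-sample-payload").decode()
SAMPLE_LOG = [
    "10.0.0.5 Cookie: PHPSESSID=9f86d081884c7d659a2feaa0c55ad015; lang=en",
    "10.0.0.7 Cookie: cm=" + _ENCODED[:10] + " " + _ENCODED[10:] + "; lang=en",
    "10.0.0.9 Cookie: tracking=" + _ENCODED,
]
```

The printable-text check alone will also match legitimate base64-encoded cookies, so treat the whitespace signal as the stronger of the two and use the hits as triage input rather than a verdict.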

WeBaCoo is written in Perl, released under the GPLv3 license and hosted on GitHub. You can download WeBaCoo by cloning the repository:

git clone git://github.com/anestisb/WeBaCoo.git

Or download it directly from:

https://github.com/anestisb/WeBaCoo/zipball/master
http://bechtsoudis.com/data/tools/webacoo-latest.tar.gz
Related material:

  • Since January 3, 2012 WeBaCoo has been available in the BackTrack 5 repositories.
  • Detailed WeBaCoo documentation can be found on the project's wiki page.
  • An overall feature demonstration video is available at SecurityTube.
  • A more comprehensive analysis of the tool and some case studies can be found in this blog post.
  • Detailed instructions for running WeBaCoo over HTTPS using an HTTP proxy can be found here.
  • A demo/tutorial video on porting WeBaCoo to the Metasploit Framework is available at SecurityTube.

CHANGELOG

Version 0.2.3 [11 March 2012]
 
+ Single command execution mode (-e flag)
+ Multiple HTTP methods support (-m flag)
+ Execute external CMDs inside main console
+ Download extension module
+ Stealth extension module
+ Fix color print bug under Windows OS
 
 
Version 0.2.2 [29 January 2012]
 
+ Executed command logging to external file
+ Postgres CLI extension module
+ Upload extension module
 
 
Version 0.2.1 [23 January 2012]
 
+ MySQL CLI support
+ Support for extension modules
 
 
Version 0.2 [19 December 2011]
 
+ Built-in Tor proxy support.
+ New random delimiter string for each request.
+ Newer version check & update.
+ Enhanced error handling.
 
 
Version 0.1.4 [17 December 2011]
 
+ Insert dummy spaces in the base64 obfuscated code to bypass
  statistical detection methods.
+ Added initial user ID print info.
+ Added check for disabled PHP system functions.
 
 
Version 0.1.3 [13 December 2011]
 
+ Protect base64 decoder function in backdoor code.
+ Fix URI escaped character bug.
+ Fix server's response empty HTTP data bug.
 
 
Version 0.1.2 [6 December 2011]
 
+ Add verbose support with 3 levels to print out requests/responses
  HTTP headers or/and data.
+ Add support for HTTP proxies with basic authentication.
+ Fix minor bug at output buffer.
 
 
Version 0.1.1 [30 November 2011]
 
+ Add 4xx HTTP status error code handling.
 
 
Version 0.1 [29 November 2011]
 
+ Initial release

 

Your feedback from various tests under different setups and protection mechanisms is appreciated, as it helps WeBaCoo evolve.
A. Bechtsoudis