Saturday, May 2, 2015

The curious case of crc32 gzinflate php backdoor.

I was working on a side project, an IRH for a certain site. If you got compromised that badly, the first thing to do is ls -lt to list the recently modified (tampered) files.

I found one glaring backdoor which is unlike most PHP backdoors I've ever encountered.



Let's rename the variables to get a nicer view..

Summary of how this backdoor works:
  • Malicious data is stored in base64.
  • Upon execution of the script:
  • $data is decoded from base64.
  • The attacker/controller needs to submit the correct $key_value via POST or COOKIE.
  • Each byte of the decoded data in $data_decode is XORed against ([$key_value + 72670] % 256).
  • The $data_decode string is reversed and inflated via gzinflate, and the result assigned to $data_deflate.
  • The crc32 of $data_deflate is compared against $data_crc32 to ensure the integrity of the code.
  • The full payload function is created and executed.

Based on experience you can predict that the final output will contain a function call to exec(), eval(), proc_open() or the like.

There are 3 major challenges in decoding $data properly:

  • Finding the correct key.
  • Any error in gzinflate() will trigger an exception and stop the script from executing.
  • Getting the correct crc32 checksum.
Although the correct key is generated from ( $key_value + 76270 ) mod 256, it's possible to just brute-force the key from 0x00 to 0xFF, since the payload is XORed one byte at a time.

I've tried to decode it back in Python. To my disappointment there is no gzinflate function in Python, but a famous snippet to compensate for that is as below:

import zlib
# prepend a zlib header (0x78 0x9c) so decompressobj accepts the raw deflate stream
ungziped_str = zlib.decompressobj().decompress('x\x9c' + gziped_str)

So, with my so-so scripting skills: if I can find the correct key I should be able to print out the payload.


But will the script work as expected?



TOPKEK, damn you zlib

I'm still figuring out how to inflate the string without triggering an exception.

Conclusion

The backdoor is, duh, obviously a backdoor; it can be detected easily. However, keying the gzinflate input stops the payload from being executed by both a normal user and a reverser..


P/S: If anyone can solve this problem it would be nice.

Links are attached below:

1. Original Code: http://pastebin.com/aLS0NtdZ
2. Labelled Code: http://pastebin.com/Gg56vLni
3. Half-Baked Decoder in Python: http://pastebin.com/HzgFmgr1

Btw, it's May. Stay tuned for WARGAMES 2015.

Updated :

Thanks to Syed Mohd Fadhil, who introduced two ways to handle the zlib error.
Instead of prepending 'x\x9c', follow the php2python guide: the Python equivalent of PHP's gzinflate is

zlib.decompress(compressed_data, -15)

He also introduced a nice try/except block to deal with any exception.

And voilà, we have a nice shell..
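The full decoder, as an added Python 3 example (not the pastebin script from the post): it packs a harmless constructed payload the way the summary above describes, then recovers it by trying every single-byte key with zlib.decompress(..., -15) inside a try/except and confirming with the crc32 check. OFFSET is the 72670 from the summary; SAMPLE_PAYLOAD and the key_value 1234 used at the bottom are assumptions.

```python
import base64
import zlib

# Constructed, harmless sample standing in for the backdoor's real payload.
SAMPLE_PAYLOAD = b"<?php echo 'decoded sample'; ?>"
OFFSET = 72670  # the constant the summary adds to $key_value before mod 256


def xor_bytes(data, key):
    """XOR every byte with one single-byte key, exactly as the backdoor does."""
    return bytes(b ^ key for b in data)


def pack_like_backdoor(payload, key_value):
    """Build a sample ($data, $data_crc32) pair in the form the backdoor expects
    to unpack: raw deflate (PHP gzdeflate), reverse, XOR, base64."""
    comp = zlib.compressobj(level=9, wbits=-15)   # wbits=-15: raw deflate, no zlib header
    deflated = comp.compress(payload) + comp.flush()
    key = (key_value + OFFSET) % 256
    data = base64.b64encode(xor_bytes(deflated[::-1], key)).decode()
    return data, zlib.crc32(payload) & 0xFFFFFFFF


def try_key(data_decode, key, data_crc32):
    """One decode attempt: XOR, reverse, raw inflate (the gzinflate equivalent
    from the update), then the crc32 check. A wrong key normally makes zlib
    raise, so the exception is caught and None returned instead of stopping."""
    try:
        inflated = zlib.decompress(xor_bytes(data_decode, key)[::-1], -15)
    except zlib.error:
        return None
    if (zlib.crc32(inflated) & 0xFFFFFFFF) != data_crc32:
        return None                               # inflated, but not the real payload
    return inflated


def bruteforce(data_b64, data_crc32):
    """Try all 256 single-byte keys; return (key, payload) or (None, None).
    Only the derived key byte is recoverable, never the original $key_value."""
    data_decode = base64.b64decode(data_b64)
    for key in range(256):
        payload = try_key(data_decode, key, data_crc32)
        if payload is not None:
            return key, payload
    return None, None


if __name__ == "__main__":
    data, crc = pack_like_backdoor(SAMPLE_PAYLOAD, 1234)
    print(bruteforce(data, crc))                  # recovered key byte and the sample payload
```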


Thanks all for the help

Full links attached below:

Bruteforce script: http://pastebin.com/AFDJcUpK

Full Web Shell Code : http://pastebin.com/nmgQwTTf



Sunday, March 15, 2015

Bypassing AV in 2015

Haven't blogged for quite some time. These are the basic classical techniques that can be used to bypass AV via Python. Take note that the current code might not be able to bypass all of them, BUT be aware that there are tons of APIs that can be used :)





Get the PDF file here:

https://drive.google.com/file/d/0B9B87VpPnaYiZHZsUjZORXd2Qzg/view?usp=sharing




Tuesday, July 22, 2014

Gadget Review : Xperia M2 (value for money)

I usually don't blog much about gadgets. But my phone had become too antique and hot (anybody still using iPhone 4?). Times change, iOS is getting boring, and exploitation knowledge needs to gear up a little bit.

So after a quick review with my master, the Xperia M2 seems to be the right choice. Let's not bother about spec quality since it's not really dat important whether it's JB or ICS, Dalvik or ART, 21 megapixel versus 5 megapixel, latest kernel or not... for me it doesn't matter.

What matters for me:


1. Rootable and Bootloader Unlocked. Checked!



Rooting and an unlockable bootloader are a must if we want to access most of the internal hardware capability provided by this phone.

2. Supports Android Hacker Keyboard.

Swipe/TouchWiz crap? Hacker Keyboard is mandatory for me.



3. NXP-based NFC.

This is the NFC chip best suited to the Malaysian environment, cough cough.


4. Brick Resistance.

In the Xperia M2, there's a hidden switch beside the SIM card and MMC slots that can restore the phone to its original factory state. Use it with caution.


5. The Lord of the Internet.

Can we combine LTE + WiMAX + Wifi all together and create a happy NAT balancing setup? U bet!!




Sunday, June 8, 2014

Why is a raven like a writing desk? IE8 plain/text MIME Type or Media Type Issues

P/S: This might not be a new issue at all (but I documented it so I won't forget, or at least know where to look).


from Alice in Wonderland

My life has its ups and downs. But last week was quite interesting: I was fortunate enough to be given a chance to teach some lightning/bizarre penetration testing techniques at a prestigious organization that can block PornHub.

During my class on pwning a Win7 box I noticed that IE8 has some bizarre MIME type interpretation behaviour.

With a plain/text MIME type, IE8 will interpret CSS/JavaScript input under Compatibility View mode (the default mode).

Well, dat just sucks, right?

POC.


Dat was expected: the plain/text MIME type was interpreted correctly.

Now on IE8


I trip and spray :(
Can we steal cookies?


Solution?
1. Disable Compatibility View if you are not a developer.
2. Upgrade to the latest IE.
3. Don't use IE at all.
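On the server side the fix is the X-Content-Type-Options: nosniff response header, which IE8 honours. As an added example (not from the post), here is a small Python check that flags a text/plain response (the registered spelling of what the post calls plain/text) whose body carries markup but no nosniff header; the three raw responses are constructed samples, not captures from the lab.

```python
import re

# Constructed raw HTTP responses (not captures from the post's lab).
SNIFFABLE = (b"HTTP/1.1 200 OK\r\nContent-Type: text/plain\r\n\r\n"
             b"<script>alert(1)</script>")
HARDENED = (b"HTTP/1.1 200 OK\r\nContent-Type: text/plain\r\n"
            b"X-Content-Type-Options: nosniff\r\n\r\n<script>alert(1)</script>")
PLAIN = b"HTTP/1.1 200 OK\r\nContent-Type: text/plain\r\n\r\njust text, no markup"

HTML_MARKERS = re.compile(rb"<\s*(script|style|html|body|iframe|img|a)\b", re.I)


def parse_response(raw):
    """Split a raw HTTP/1.x response into (status line, lower-cased header dict, body)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return lines[0], headers, body


def sniff_risk(raw):
    """'ok'        : not a text/plain body, or no markup in it
       'nosniff'   : markup in a text/plain body, but the header forbids sniffing
       'sniffable' : markup in a text/plain body and no X-Content-Type-Options,
                     the case where IE8 in Compatibility View may render it."""
    _, headers, body = parse_response(raw)
    ctype = headers.get("content-type", "").split(";")[0].strip().lower()
    nosniff = headers.get("x-content-type-options", "").lower() == "nosniff"
    if ctype != "text/plain" or not HTML_MARKERS.search(body):
        return "ok"
    return "nosniff" if nosniff else "sniffable"


if __name__ == "__main__":
    for name, raw in (("SNIFFABLE", SNIFFABLE), ("HARDENED", HARDENED), ("PLAIN", PLAIN)):
        print(name, sniff_risk(raw))
```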



Sunday, April 13, 2014

Immutable Data and Memory Sensitivity..

Consider this Python code snippet:

import hashlib
while True:
    print("Enter your password")
    s = raw_input('--> ')            # Python 2: reads the password as an immutable str
    print(s)
    print("Now the md5sum")
    s = hashlib.md5(s).hexdigest()   # rebinds s; the old str object is not overwritten
    print(s)

By any means it's a relatively simple piece of code to understand: we use s as a placeholder for our incoming data string, compute its md5sum and replace the value of s with the hexdigest. In short, s now contains the md5sum in hex, right? So any plaintext we entered should vanish and be flushed out by the garbage collector in the Python VM, right?

Let's give it a test.


So most people would think any previous plaintext value would be washed out of memory. The string DogFood won't exist, right? Let's attach the running script to a debugger (I'm using edb debugger, the best thing besides windbg; sorry Stallman, gdb just sux!!!!).


I like using edb debugger; it helps, for example, with binary string searches. Since we have replaced the value of s from DogFood with a hex string, we shouldn't see any DogFood string in memory, right? Unfortunately that is entirely not true :(




DogFood in Hex
High-level languages often have data types that are immutable. The program can only write to an immutable object once, at creation time. In other words, s is just a label, and the string may be stored at the same address or anywhere else in memory. (Note to self: heap/stack/bss/dss are really just labels the computer generated to give us an approximate understanding of a specific region in memory.)

Let's search for the md5sum string: 36f65df05afee9fb079943b7ba5d9617



The string was stored in a different address!!


So in a high-level language, there is no guarantee that your initial plaintext data at an address will be overwritten with the encrypted blob/binary. The only way to ensure the overwrite is 100% is to use a mutable data structure that is capable of replacing its elements in place.

So why did you see chunks of unencrypted/encrypted data in the Heartbleed heap leak? Not a surprise anymore, right?
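The two patterns side by side, as an added Python 3 example (not code from the post): the rebinding pattern above leaves the original str object intact, while a bytearray can be hashed through the buffer protocol and then zeroed in the same allocation, which is the mutable-structure fix the conclusion calls for. DogFood is the post's sample value; hash_immutable and hash_and_wipe are names assumed here.

```python
import hashlib


def hash_immutable(secret):
    """The post's pattern on an immutable str: rebinding the name `secret` to the
    hexdigest leaves the original string object untouched (and in memory for as
    long as anything references it, or until the allocator happens to reuse it)."""
    original = secret                    # a second reference, to prove nothing overwrote it
    secret = hashlib.md5(secret.encode()).hexdigest()
    return secret, original


def hash_and_wipe(secret):
    """Hash a bytearray (hashlib reads it via the buffer protocol, no str copy),
    then overwrite that same allocation in place. Caveat: this wipes only THIS
    buffer, so the secret must be read straight into it (for example with
    sys.stdin.buffer.readinto) and never pass through an immutable str/bytes."""
    digest = hashlib.md5(secret).hexdigest()
    secret[:] = bytes(len(secret))       # same-length slice assignment keeps the buffer
    return digest


if __name__ == "__main__":
    d1, kept = hash_immutable("DogFood")
    buf = bytearray(b"DogFood")
    d2 = hash_and_wipe(buf)
    print(d1 == d2, kept, bytes(buf))    # True DogFood b'\x00\x00\x00\x00\x00\x00\x00'
```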




Thursday, April 10, 2014

Epilogue Pentest: Forget about Heartbleed and Enter the Reality of Volatile Memory

From XKCD..



Yeah, there's a lot of buzz about Heartbleed as the worst bug ever. My opinion? It is a serious bug due to the fallacy of the way C works. Despite the hype, memory leakage is not exactly something new, and skillful botnets/attackers/pentesters have exploited it for years.

What can we learn from this bug? At the beginning and at the end of an encrypted connection lies the encrypted data. Not trusting user input is one thing, but trusting your server's memory and the hands behind it, well, also sucks.

If you are one of the CISO fans, well, PCI often says "End-to-End Encryption".. which means data + communication channel are supposed to be well encrypted.. Which is good.

But there's one catch...

Suppose an attacker/sysadmin managed to get hold of a server with privileged access (or decided to abuse it anyway). Hypothetically something like this:



So we have root privileges. Yes, in most tutorials people will no doubt start dumping /etc/shadow, yada yada, deploy a fake website and so on.

Suppose that all data is encrypted and there's no way to see it in plaintext form.. If you understand the bug in Heartbleed, it tells us that the unencrypted related data lies in the process memory, close by on the heap/free store..

Pick one process, 5356 in this example, and examine its maps.


Which memory Heartbleed leaks depends on how the heap was aligned/rebased/mapped and so on.


We can use gcore, or the folks from Rohitab have created one nice tool similar to procdump on Windows :)
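As an added example (not the post's screenshots, gcore, or the Rohitab tool), here is Python that parses /proc/<pid>/maps the way the post examines it, selects the writable anonymous mappings (heap, stack, malloc arenas) and reads them out of /proc/<pid>/mem; SAMPLE_MAPS is a constructed maps listing, and the self-test at the bottom inspects only the current process on Linux.

```python
import os
import re

# Constructed sample of /proc/<pid>/maps output (not from the post's screenshot).
SAMPLE_MAPS = """\
00400000-004b8000 r-xp 00000000 08:01 1311066  /usr/bin/example
006b8000-006bd000 rw-p 000b8000 08:01 1311066  /usr/bin/example
01a2c000-01a4d000 rw-p 00000000 00:00 0        [heap]
7f1c4c000000-7f1c4c021000 rw-p 00000000 00:00 0
7ffd2b6e1000-7ffd2b702000 rw-p 00000000 00:00 0  [stack]
"""

MAPS_RE = re.compile(r"^([0-9a-f]+)-([0-9a-f]+) (\S{4}) \S+ \S+ \S+\s*(.*)$")


def parse_maps(text):
    """Parse /proc/<pid>/maps lines into (start, end, perms, path) tuples."""
    regions = []
    for line in text.splitlines():
        m = MAPS_RE.match(line)
        if m:
            regions.append((int(m.group(1), 16), int(m.group(2), 16),
                            m.group(3), m.group(4).strip()))
    return regions


def writable_anonymous(regions):
    """Heap and other rw anonymous mappings: where a process keeps live data
    such as decrypted buffers (the same class of memory Heartbleed leaked)."""
    return [r for r in regions
            if r[2].startswith("rw") and (r[3] == "" or r[3].startswith("["))]


def dump_region(pid, start, end):
    """Read one mapping from /proc/<pid>/mem (Linux; needs ptrace rights on pid)."""
    with open(f"/proc/{pid}/mem", "rb", 0) as mem:
        mem.seek(start)
        return mem.read(end - start)


def find_in_own_memory(marker):
    """Self-test: look for marker bytes inside this process's own rw mappings."""
    pid = os.getpid()
    with open(f"/proc/{pid}/maps") as f:
        regions = parse_maps(f.read())
    for start, end, _, _ in writable_anonymous(regions):
        try:
            if marker in dump_region(pid, start, end):
                return True
        except OSError:        # some mappings (e.g. [vvar]) cannot be read
            continue
    return False
```

Run find_in_own_memory(b"plaintext-marker-XYZ") on Linux to see the literal turn up in the process's own heap, the same way a decrypted buffer would.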




And it's a gold mine..





Do you trust your sysadmin? I know I don't. And a dark tip: don't trust your router memory either...

What about dumping on Windows? It's as easy as this.




Volatile memory is dangerous...


Sunday, April 6, 2014

Transform your Dir-615 TM into a Wifi Dumper/Cracking Machine

My health is not that good lately; for some reason, I was diagnosed with asthma a few days ago.

During wireless penetration testing, I often found that people love to talk about some China-brand wireless card such as SignalKing/Alpha etc. While those cards might work, they're not portable enough, since you need a PC/notebook nearby to power those devices up. Which is not good for a professional lazy pentester.

 

So the solution? Turn your antique DIR-615 into a portable wireless monster machine!!!

Disclaimer: if you screw up somewhere along the way, well, too bad.

Step 1. Flash the DIR-615 with this firmware: http://downloads.openwrt.org/attitude_adjustment/12.09/ramips/rt305x/openwrt-ramips-rt305x-dir-615-d-squashfs-factory.bin

To flash, turn off your DIR-615, hold the reset button for a few seconds while powering it on, set your IP to 192.168.0.x (x > 1), browse to 192.168.0.1 and you will be redirected to the firmware upgrade page.


Upload the firmware.

Step 2.
  • Download the sysupgrade firmware: http://downloads.openwrt.org/attitude_adjustment/12.09/ramips/rt305x/openwrt-ramips-rt305x-dir-620-a1-squashfs-sysupgrade.bin
  • Set up OpenWrt initially.
  • Push the sysupgrade image into OpenWrt via scp to /tmp.
  • ssh into your OpenWrt and run sysupgrade -v openwrt-ramips-rt305x-dir-620-a1-squashfs-sysupgrade.bin

Step 3.
  • If you have LuCI you can set the wifi into monitor mode via the LuCI web interface.
  • Or modify /etc/config/wireless to be something like this:

  • Tip: if your OpenWrt has no Internet connection, note that opkg relies on wget, which respects the http_proxy env variable. I use a polipo proxy, so to make opkg work I usually run ssh root@192.168.1.1 -R8123:localhost:8123

After that, install the tools: opkg install aircrack-ng kmod-usb-storage kmod-fs-vfat wireless-tools screen. Try not to install too much stuff since space is very limited.

And that's it. Use screen to daemonize your stuff.


Knowledge about dumping to your USB drive and aircrack usage is left as an exercise for the reader..

By the way, it is illegal to steal Wifi in Malaysia.. This is just a simple tutorial on how to build your own powerful portable wifi-pentesting machine.