Beyond r57 – Eygyp7
There are a thousand PHP shells on the web, either by design or simple stupidity.
- PHP Background
- PHP Payloads
- Meterpreter Background
PHP is retarded. Objects are an afterthought (15 years later!)
Sometimes they return 1, sometimes they return true –> WTF!
r57 (PHP Shell)… is a clusterfuck of forms. Ugly as hell.
It’s intended to be used on a webserver only for access to the local site. There’s not much in r57 or other shells to go beyond the local and move on to connected systems.
A whole bunch of r57 shells on the web currently are backdoored –> base64 encoded section at the end sends a shell back to an IP in Russia.
c99 (PHP Shell)… pretty much the same as r57.
No methods to go beyond the local server.
Uploading a shell to a remote server leaves logs and files. If you’re not getting detected, then they’re not even trying!
Some of them even call home to the authors.
The essence of payloads is to create some form of communication
Simple PHP shells in Metasploit:
These do simple execution and nothing more
Something more useful would be a remote shell and in/out to and from the box.
Most commands (except cd) don’t hold state between commands. It’s easier to deal with commands one at a time!
So it gets better
More flexible, extensible and capable.
This doesn’t have to be on disk. Bypassing issues of traditional PHP shells uploading files and executing them.
Uses the same protocol as the traditional meterpreter. This means the same client-side connector can be used
Does as much as possible through PHP without calling a shell. Not everything is possible however (ps for example). Works in a chroot and doesn’t need /bin/sh
Anywhere PHP runs, PHP/meterpreter runs…. Windows, Linux, ….
In restrictive environments you can still use the meterpreter PHP shell… not limited to installed commands.
Programmatically automatable –> Scriptable and extensions to make things easier on the fly –> Use of existing scripts
Flexible extension system… loading external PHP (through eval)
Designed for modular extension.
Modular scripting capabilities, including TCP, UDP, process and file channels.
e.g. client.sys.config.sysinfo (not 100% the same format as std. Meterpreter)
Challenges of writing this in PHP
- Magic Quotes
  - Base64 encode and decode! No need for quotes
  - Increases size by 1/3
- Size restrictions
  - Limits (Apache 4000 bytes). Solution was to use a stager
  - Stub to load further data
  - Entire PHP meterpreter is around 8k
- Safe mode
  - Restricts opening of files unless your UID owns that file
  - No restrictions on sockets!
  - Not a big issue
- disable_functions setting in php.ini
  - Can disable functions that we need
  - Can try a bunch of possible workaround functions
  - There are 14 functions that can run a command!
    - shell_exec, passthru, system, popen, …
  - Esser’s memory corruption
- PHP is stupid
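The disable_functions point cuts both ways for a defender: if the attacker has 14 ways to run a command, the php.ini setting has to name all of them. As an added example (not from the talk or from Metasploit), this audit script reports which command-execution functions are still callable under the running configuration. The function list is an assumption: the names the notes give plus the other standard PHP entry points for running a command.

```php
<?php
// Added hardening audit, not part of the original notes.
// Candidate functions (assumption): the four named in the notes plus the
// other standard command-execution entry points. The backtick operator
// is covered by shell_exec, so it needs no separate entry.
$execFunctions = [
    'exec', 'shell_exec', 'system', 'passthru', 'popen', 'proc_open',
    'pcntl_exec',
];

// disable_functions is a comma-separated list; normalise whitespace and case
function disabledFunctions(): array {
    $raw   = (string) ini_get('disable_functions');
    $names = array_map('trim', explode(',', $raw));
    return array_values(array_filter(array_map('strtolower', $names)));
}

// Sort each candidate into callable / disabled / absent (extension not loaded)
function auditExecFunctions(array $candidates): array {
    $disabled = disabledFunctions();
    $report   = ['callable' => [], 'disabled' => [], 'absent' => []];
    foreach ($candidates as $fn) {
        if (in_array($fn, $disabled, true)) {
            $report['disabled'][] = $fn;
        } elseif (!function_exists($fn)) {
            $report['absent'][] = $fn;   // e.g. pcntl_exec without the pcntl extension
        } else {
            $report['callable'][] = $fn;
        }
    }
    return $report;
}

$report = auditExecFunctions($execFunctions);
printf("PHP %s, disable_functions=\"%s\"\n", PHP_VERSION, ini_get('disable_functions'));
foreach ($report as $state => $fns) {
    printf("%-9s %s\n", $state . ':', $fns ? implode(', ', $fns) : '(none)');
}
if ($report['callable']) {
    echo "Hardening: add the callable names above to disable_functions in php.ini.\n";
}
```

Run it with `php -d disable_functions=exec,system audit.php` to preview a proposed setting before changing php.ini; anything listed as callable is still reachable by a shell like the ones this talk describes.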
PHP is stupid
- Stream and socket resources
  - They don’t play well together…
- Difference in output for system commands
  - Each of the 14 ways to exec code returns different output!
- Operator precedence
- Can’t assume anything newer than 4.3
What’s good in PHP
Don’t need /bin/sh –> chroot env still works
Running system commands through extensions –> perl for example
Win32std gives you direct access to Windows system calls
PHP Meterpreter – What Works
- Editing files
- Read files
- Process interaction (execute -i)
- Pivoting, tcp/udp, portfwd
PHP Meterpreter – Not working
- UI Fiddling
- Incognito / token manipulation
PHP Meterpreter – Might work later
- Registry editing
- Log modification (Windows)
Java Meterpreter and JSPterpreter
- Already have working code… should be integrated soon
- An unknown… need an SAP guru to take up the challenge
- Most code present, not yet usable
Implement Esser memory corruption exploits for use with a getsystem command in PHP meterpreter
New features going into the regular meterpreter will also be implemented in the PHP version if they make sense (not everything does)
What should it be called?
- PHP Meterpreter / PHP-terpreter