Cатсн²² (in)sесuяitу / ChrisJohnRiley

Because we're damned if we do, and we're damned if we don't!

[BSidesLV] Beyond r57

Leave a comment Posted by on July 29, 2010

Beyond r57 – Eygyp7

There are a thousand PHP shells on the web, either by design or simple stupidity.

  • PHP Background
  • PHP Payloads
  • Meterpreter Background
  • Difficulties

PHP Background

PHP is retarded. Objects are an afterthought (15 years later!)

Sometimes they return 1, sometimes they return true –> WTF!

PHP Payloads

r57 (PHP Shell)… is a clusterfuck of forms. Ugly as hell.

It’s intended to be used on a webserver only for access to the local site. There’s not much in r57 or other shells to go beyond the local and move on to connected systems.

A whole bunch of r57 shells on the web currently are backdoored –> base64 encoded section at the end sends a shell back to an IP in Russia.

c99 (PHP Shell)… pretty much the same as r57.

No methods to go beyond the local server.

Uploading a shell to a remote server leaves logs and files. If you’re not getting detected, then they’re not even trying!

Some of them even call home to the authors.

The essence of payloads is to create some form of communication

Simple PHP shells in Metasploit .:

  • PHP/Exec
  • PHP/DownloadExec

These do simple execution and nothing more

Something more useful would be a remote shell and in/out to and from the box.

  • PHP/reverse_tcp
  • PHP/bind_tcp

Most commands (except cd) don’t hold state between commands. It’s easier to deal with commands one at a time!

So it gets better

  • PHP/meterpreter/reverse_tcp
  • PHP/meterpreter/bind_tcp

More flexible, extensible and capable.

This doesn’t have to be on disk. Bypassing issues of traditional PHP shells uploading files and executing them.

Uses the same protocol as the traditional meterpreter. This means the same client-side connector can be used

Does as much as possible through PHP without calling a shell. Not everything is possible however (ps for example). Works in a chroot and doesn’t need /bin/sh

Anywhere PHP runs, PHP/meterpreter runs…. Windows, Linux, ….

In restrictive environments you can still use the meterpreter PHP shell… not limited to installed commands.

Programmatically automatable –> Scriptable and extensions to make things easier on the fly –> Use of existing scripts

Flexible extension system… loading external PHP (through eval)

Designed for modular extension.

The modular scripting capabilities including tcp, udp, process and file channels.

e.g. client.sys.config.sysinfo (not 100% the same format as std. Meterpreter)

Challenges of writing this in PHP

  1. Magic Quotes
  2. Size restrictions
  3. Safe mode
  4. Disable_functions setting in PHP.ini
  5. PHP is stupid

Magic Quotes

  • Base64 encode and decode! No need for quotes
  • increases size 1/3

Size restrictions

  • Limits (Apache 4000 bytes). Solution was to use a stager
  • Stub to load further data
  • Entire PHP meterpreter is around 8k

Safe Mode

  • Restricts opening of files unless your UID owns that file
  • No restrictions on sockets!
  • Not a big issue

Disable_functions

  • Can disable functions that we need
  • Can try a bunch of possible workaround functions
    • There are 14 functions that can run a command!
    • shell_exec, passthru, system, popen, …
  • Esser’s memory corruption

PHP is stupid

  • Stream and socket resources
    • They don’t play well together….
  • Difference in output for system commands
    • Each of the 14 ways to exec code return different output!
  • Operator precedence
  • Can’t assume anything newer than 4.3

What’s good in PHP

Don’t need /bin/sh –> chroot env still works

Running system commands through extensions –> perl for example

Win32std gives you direct access to Windows system calls

PHP Meterpreter – What Works

  • Upload/Download
  • Editing files
  • Read files
  • Process interaction (execute -i)
  • Pivoting, tcp/udp, portfwd

PHP Meterpreter – Not working

  • Screenshots
  • UI Fiddling
  • Incognito / token manipulation

PHP Meterpreter – Might work later

  • Registry editing
  • Log modification (Windows)

The Future

Java Meterpreter and JSPterpreter

  • Already have working code…… should be integrated soon

ASPterpreter

  • An unknown… need an SAP guru to take up the challenge

MACterpreter/POSIX Meterpreter

  • Most code present, not yet usable
  • Compiles!

Implement Esser memory corruption exploits for use with a getsystem command in PHP meterpreter

New features going into the regular meterpreter will also be implemented in the PHP version if they make sense (not everything does)

What should it be called?

  • PHP Meterpreter / PHP-terpreter
  • Meterphpter
  • phpterpreter
  • phpsucksmyballsterpreter

Links:

Conference, Security , , , , , , ,

Comments are closed.

%d bloggers like this: