Some time ago I hacked me a script kiddie with an awesome t00l lulz
Going through the changed files I stumbled upon a PHP file that had some code prepended to it. The script had a very long line that started like this:
[PHP]
eval(gzinflate(base64_decode('FJ3HcqPsFkUf……..
[/PHP]
OK, let's check what the script does. Assign the long string to a variable, base64-decode it and inflate the compressed result:
[PHP]
$script = 'FJ3HcqPsFkUf……..'; // the long base64 string from the file, truncated here
$script = base64_decode($script);
$script = gzinflate($script);
echo $script;
[/PHP]
The output was not what I expected:
[PHP]
eval(gzinflate(base64_decode('FJ3HjqPcGkUf57……..
[/PHP]
The strings looked similar and I was already looking for a bug in my code. Nope, the code is correct. There is a slight change in the string: it had been compressed and encoded several times. Wow, that means I can have many evals inside evals. Fun!
[PHP]
$string = file_get_contents('infected.php'); // placeholder name for the file with the prepended line
// if the file starts with a <?php tag, strip it so the prefix check below matches
$string = preg_replace('/^\s*<\?php\s*/', '', $string);
$prefix = 'eval(gzinflate(base64_decode';     // the first 28 characters of every layer
$i = 0;
// keep going as long as the current layer starts with eval(gzinflate(base64_decode
while (substr($string, 0, 28) == $prefix) {
    // remove the first 30 chars, the eval(gzinflate(base64_decode(' part
    $string = substr($string, 30);
    // remove the trailing '))); and any newline, leaving only the base64 blob
    $string = rtrim($string, "');\r\n");
    $string = gzinflate(base64_decode($string));
    if ($string === false) {
        die("gzinflate failed at layer " . ($i + 1) . "\n");
    }
    echo "Iteration:" . ++$i . "\n";
}
// the loop stops before touching the innermost layer, so this is the readable code
echo $string;
[/PHP]
After 11 iterations I had the code. It reminded me of a challenge posted to a mailing list where the question was what the output of the program was. That one was harder: base64-encoded Perl that output base64-encoded bytecode, that output a Java source file with a byte array that was the bytecode of the class file holding the solution.
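As an added example that is not part of the original post, here is the same peeling loop written in Python rather than PHP, so the layers can be unpacked without ever handing the sample to a PHP interpreter. PHP's gzinflate() is a raw DEFLATE stream, which zlib reproduces with a negative window size. The wrapper is matched with a regex that tolerates whitespace and quote variations, the prefix is tested before anything is stripped so the innermost code is returned intact, and a layer cap guards against a sample that never bottoms out. The pack() helper, the SAMPLE_PAYLOAD string and the 11-layer sample it builds are constructed here purely so the code runs offline; they are not the malware from the page.

```python
import base64
import re
import zlib

# One eval(gzinflate(base64_decode('...'))) layer, optionally preceded by a
# <?php tag.  Whitespace and quote style differ between samples in the wild,
# so the pattern is deliberately tolerant; only the base64 blob is captured.
WRAPPER = re.compile(
    r"""\s* (?:<\?php\s*)?
        eval \s*\(\s* gzinflate \s*\(\s* base64_decode \s*\(\s*
        ['"] ([A-Za-z0-9+/=\s]+) ['"]
        \s*\) \s*\) \s*\) \s*;?""",
    re.VERBOSE,
)

# Constructed, harmless stand-in for the innermost layer of a sample.
SAMPLE_PAYLOAD = 'echo "innermost layer of the backdoor";'


def gzdeflate(data: bytes) -> bytes:
    """PHP gzdeflate(): raw DEFLATE, no zlib or gzip header."""
    c = zlib.compressobj(level=9, wbits=-zlib.MAX_WBITS)
    return c.compress(data) + c.flush()


def gzinflate(data: bytes) -> bytes:
    """PHP gzinflate(): inverse of the above (negative wbits = raw stream)."""
    return zlib.decompress(data, -zlib.MAX_WBITS)


def pack(source: str, layers: int) -> str:
    """Wrap `source` in `layers` nested wrappers, mimicking the obfuscator
    that produced the sample.  Only used here to build test input."""
    out = source
    for _ in range(layers):
        blob = base64.b64encode(gzdeflate(out.encode())).decode()
        out = f"eval(gzinflate(base64_decode('{blob}')));"
    return out


def is_packed(source: str) -> bool:
    """Quick triage check: does the text start with the wrapper?"""
    return WRAPPER.match(source) is not None


def unpack(source: str, max_layers: int = 64) -> tuple[str, int]:
    """Peel wrappers statically.  Returns (innermost source, layers removed).
    The prefix is tested before anything is stripped, so the final code is
    never fed to base64/inflate by mistake; max_layers bounds the loop."""
    layers = 0
    while layers < max_layers:
        m = WRAPPER.match(source)
        if m is None:
            break
        blob = re.sub(r"\s+", "", m.group(1))
        source = gzinflate(base64.b64decode(blob)).decode("utf-8", "replace")
        layers += 1
    return source, layers


if __name__ == "__main__":
    # Constructed 11-layer sample, the same depth the post reports.
    sample_file = "<?php " + pack(SAMPLE_PAYLOAD, 11) + "\n"
    code, n = unpack(sample_file)
    print(f"peeled {n} layers:")
    print(code)
```

Because the check happens before the strip, a file whose prepended eval line sits in front of legitimate code yields the backdoor's next layer on every pass and stops cleanly at the first layer that is plain PHP; the layer cap exists only so a deliberately self-referential sample cannot keep the loop busy.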
Let's see the functionality it has to offer:
- Full-blown file manager
- Quick menu for
  - finding all SUID files
  - finding all SGID files
  - finding all .htaccess files
  - finding all writable folders
  - …
- Interface for the UNIX find tool
- Input field for executing commands as the web server user
- Tools for installing a backdoor
  - Perl/C flavoured programs downloaded from a server in Singapore
  - compiled or interpreted, depending on what is available
- Process viewer
- FTP brute-force cracker using the user names from /etc/passwd
- System info (CPU, memory, installed binaries, passwd file, configuration files)
- SQL dump utility
- Interface for executing PHP code
- Self removal
- Adding a password to the script
- Fancy design!
I'm just amazed. This is way too easy. So this is how it works:
- Scan the internet for WordPress installations (automated)
- Look for vulnerable versions (automated)
- Exploit (in this case the themes were filled with hidden links; semi-automated)
- PROFIT! (automated)
Only ClamAV knows this malware script, so beware.
We are legion. We do not forget. We do not forgive. Expect us. Expect me.