Beyond r57

Presented at BSides Las Vegas, 2011

1. Beyond r57
   egypt@metasploit.com

2. Outline

3. PHP Background
   • It's terrible
   • It's always been terrible
   • Objects are an afterthought
   • Function names aren't consistent

4. Why bother?
   • They have to be uploaded and configured
     – Leaves logs, files on disk
   • Some call home to the authors
   • They all focus on the server
     – Maybe the database, too
   • Nothing looks beyond, to the network

5. Rome Wasn't Sacked in a Day
   • Build payloads from simple -> complex

6. Essence of Payloads
   • Create a form of communication
   • Do your bidding

7. Simplest: Exec
   • Just run a system command
   • Don't care about input/output
   • php/exec

8. Slightly Less Simple: download-exec
   • Go grab an executable from a listening webserver
   • Save it to disk and run it
   • Still don't care about input/output
   • php/download_exec

9. More Complex: shell
   • Need to have a comm channel
   • Listen for input and send back output
   • php/reverse_tcp
   • php/bind_tcp

10. Meterpreter
   • Flexible, extensible, capable
   • php/meterpreter/reverse_tcp
   • php/meterpreter/bind_tcp

11. Meterpreter for Pwned Home Pages
   • Doesn't have to be on disk
   • Uses the same protocol and extension system
     – The existing client works just fine
   • Does as much as possible w/o using a shell
     – Works in a chroot, doesn't require /bin/sh
   • Platform independent; works anywhere PHP works

12. Meterpreter Required Reading
   • "Beyond EIP", 2006
     – skape and spoonm, Blackhat Federal
   • "Hacking Macs for Fun and Profit", 2009
     – Dino Dai Zovi and Charlie Miller, CanSecWest

13. Why is Meterpreter cool?
   • Works even in restrictive environments
   • Not limited to installed commands
   • If it has more access, it can do cooler stuff
   • Programmatically automatable

14. Meterpreter screenie

15. Meterpreter
   • Flexible extension system
   • Uses a (mostly) binary protocol
     – TLV (Type, Length, Value)
     – Designed for extensibility
16. Meterpreter Protocol

      4 bytes      4 bytes      ($length - 8) bytes
    +------------+------------+---------------------+------------+------+-----------+
    | Length     | Type       | Value .....         | Length     | Type | Value ... |
    +------------+------------+---------------------+------------+------+-----------+

17. Meterpreter Protocol
   • Packets are themselves TLVs
   • TLVs make parsing simple and flexible
     – No formatting knowledge is required outside of the TLV structure
     – Allows a core packet parsing engine without any knowledge of extensions or their protocols
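As an added example (not the slides' code and not Metasploit's own TLV implementation), this Ruby sketch packs and walks the framing of slides 16 and 17: a 4-byte length that counts its own header, a 4-byte type, then (length - 8) bytes of value, with a packet being a TLV whose value is more TLVs. Big-endian integers and the TYPE_GROUP marker bit are assumptions made for the example; the parser checks every length against the bytes actually present, which is the check a receiver needs before trusting a length field.

```ruby
# Added example, not the slides' or Metasploit's code: nested TLV framing as
# slides 16-17 describe it. Integers are big-endian here (an assumption).
HEADER_LEN = 8
TYPE_GROUP = 0x00400000  # assumed marker bit: "value is a list of TLVs"

# One TLV: 4-byte length (counting these 8 header bytes), 4-byte type, value.
def tlv_pack(type, value)
  [value.bytesize + HEADER_LEN, type].pack("NN") + value.b
end

# A packet is itself a TLV whose value is the concatenation of its TLVs.
def packet_pack(type, tlvs)
  tlv_pack(type | TYPE_GROUP, tlvs.join)
end

# Walk a buffer into [type, value] pairs without knowing any type's meaning;
# group values are parsed recursively. Every length is checked against the
# bytes actually present before it is trusted.
def tlv_parse(buf)
  out = []
  off = 0
  while off < buf.bytesize
    raise "truncated header at offset #{off}" if buf.bytesize - off < HEADER_LEN
    len, type = buf.byteslice(off, HEADER_LEN).unpack("NN")
    if len < HEADER_LEN || off + len > buf.bytesize
      raise "bad length #{len} at offset #{off}"
    end
    value = buf.byteslice(off + HEADER_LEN, len - HEADER_LEN)
    # Parenthesised on purpose: the precedence trap of slide 25 is real in PHP
    value = tlv_parse(value) if (type & TYPE_GROUP) != 0
    out << [type & ~TYPE_GROUP, value]
    off += len
  end
  out
end

# Constructed sample packet: a "method" TLV plus one "argument" TLV.
SAMPLE = packet_pack(1, [tlv_pack(0x10, "sysinfo"), tlv_pack(0x20, "verbose")])

# Returns [[1, [[0x10, "sysinfo"], [0x20, "verbose"]]]] for the sample above.
def sample_roundtrip
  tlv_parse(SAMPLE)
end

puts sample_roundtrip.inspect if __FILE__ == $0
```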
18. Meterpreter Ruby API
   • Powerful and flexible scripting capabilities
   • Extensions create an attribute under the main client object
   • Various bits of info in each extension
     – client.sys.config.sysinfo
     – client.net.socket.create_tcp_client_channel

19. Challenges of doing all this in PHP

20. Liabilities
   • Magic Quotes
   • Size restrictions
   • Safe mode
   • disable_functions setting in php.ini
   • PHP Quirks

21. We Don't Need No Stinking Quotes

22. Size Restrictions
   • URL length is limited to 4000 bytes on Apache
   • Total length of an HTTP header value is 8190
   • Solution is the same as for other kinds of shellcode: stagers
     – Set up some kind of communication with the attacker, read in more code, eval

23. Safe Mode
   • Kind of a bummer for some things
   • Restricts files and command exec
   • Doesn't limit sockets in any way

24. disable_functions setting
   • Sucks
   • Can try a bunch of different functions with similar purposes until one works
     – shell_exec -> passthru -> system -> popen ...
   • Esser's memory corruption fu

25. PHP Quirks
   • Stream vs Socket Resources
     – stream_select() vs socket_select()
   • Operator precedence
     – $var & CONST == CONST
     – $var & (CONST == CONST)
     – $var & 1
   • Can't assume to have > version 4.3

26. Assets
   • Many ways of doing the same thing
     – System Commands, Sockets
   • Your brains, his strength, my steel.

27. Running System Commands
   • system, exec, popen, pctl_open, shell_exec, passthru, proc_open
   • A few non-default extensions: perl, win32std, win32services, almost certainly others

28. Communications
   • Use the webserver
     – Simple, effective. Most existing payloads do this
     – Leaves logs =(
   • Programs on the system: nc, bash, ftp, ...
     – No guarantee they'll be there or work
   • Sockets

29. Sockets
   • fsockopen, pfsockopen, socket_create, stream_socket, fopen
   • Extensions: curl, perl (wtf?)

30. Files
   • fopen is usually enough
     – Nobody disables it because it would break everything

31. Future
   • Javaterpreter, JSPterpreter
     – Already in the works, written by mihi
   • ASPterpreter?
   • Macterpreter/POSIX Meterpreter
     – Most of the code is there but is not really usable

32. What should I call it?
   • PHP Meterpreter, php-terpreter
   • meterphpreter (pronounced "meterfpreter")
   • phpterpreter (pronounced "fapterpreter")
   • phpsucksmyballsterpreter

33. Demos

34. Questions
   8=====D
