Presented at BSides Las Vegas, 2011

  • 1. Beyond
  • 2. Outline
  • 3. PHP Background
    • It’s terrible
    • It’s always been terrible
    • Objects are an afterthought
    • Function names aren’t consistent
  • 4. Why bother?
    • They have to be uploaded and configured
      – Leaves logs, files on disk
    • Some call home to the authors
    • They all focus on the server
      – Maybe the database, too
    • Nothing looks beyond, to the network
  • 5. Rome Wasn’t Sacked in a Day
    • Build payloads from simple -> complex
  • 6. Essence of Payloads
    • Create form of communication
    • Do your bidding
  • 7. Simplest: Exec
    • Just run a system command
    • Don’t care about input/output
    • php/exec
  • 8. Slightly Less Simple: download-exec
    • Go grab an executable from a listening webserver
    • Save it to disk and run it
    • Still don’t care about input/output
    • php/download_exec
  • 9. More Complex: shell
    • Need to have a comm channel
    • Listen for input and send back output
    • php/reverse_tcp
    • php/bind_tcp
  • 10. Meterpreter
    • Flexible, extensible, capable
    • php/meterpreter/reverse_tcp
    • php/meterpreter/bind_tcp
  • 11. Meterpreter for Pwned Home Pages
    • Doesn’t have to be on disk
    • Uses the same protocol and extension system
      – The existing client works just fine
    • Does as much as possible w/o using a shell
      – Works in a chroot, doesn’t require /bin/sh
    • Platform independent; works anywhere PHP works
  • 12. Meterpreter Required Reading
    • “Beyond EIP” 2006
      – skape and spoonm, Blackhat Federal
    • “Hacking Macs for Fun and Profit” 2009
      – Dino dai Zovi and Charlie Miller, CanSecWest
  • 13. Why is Meterpreter cool?
    • Works even in restrictive environments
    • Not limited to installed commands
    • If it has more access, it can do cooler stuff
    • Programmatically automatable
  • 14. Meterpreter screenie
  • 15. Meterpreter
    • Flexible extension system
    • Uses a (mostly) binary protocol
      – TLV (Type, Length, Value)
      – Designed for extensibility
  • 16. Meterpreter Protocol
    • Layout of one TLV: Length (4 bytes) | Type (4 bytes) | Value ($length - 8 bytes)
    • TLVs follow one another back to back: Length Type Value ….. Length Type Value …..
  • 17. Meterpreter Protocol
    • Packets are themselves TLVs
    • TLVs make parsing simple and flexible
      – No formatting knowledge is required outside of the TLV structure
      – Allows a core packet parsing engine without any knowledge of extensions or their protocols
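The TLV layout of slides 16 and 17, as an added PHP example; this is not code from the talk or from Metasploit's PHP Meterpreter. Big-endian (network byte order) integers and the two `EX_TLV_TYPE_*` constants are assumptions of the example, not values taken from the slides.

```php
<?php
// Added example: encode and parse TLVs laid out as on slide 16
// (4-byte length, 4-byte type, then $length - 8 bytes of value), with a
// packet being a TLV whose value is a list of TLVs (slide 17).
// Big-endian integers and the two type constants are assumptions of this
// example, not values taken from the slides or from Metasploit.

const EX_TLV_TYPE_STRING = 0x00010000;
const EX_TLV_TYPE_GROUP  = 0x00040000;

function tlv_encode(int $type, string $value): string
{
    // The length field counts the 8-byte header as well as the value.
    return pack('NN', strlen($value) + 8, $type) . $value;
}

function tlv_decode(string $buf): array
{
    $tlvs  = [];
    $off   = 0;
    $total = strlen($buf);
    while ($off < $total) {
        if ($total - $off < 8) {
            throw new RuntimeException("truncated TLV header at offset $off");
        }
        $hdr = unpack('Nlength/Ntype', substr($buf, $off, 8));
        $len = $hdr['length'];
        // Reject lengths shorter than the header (would loop forever) or
        // longer than what remains (would read past the end of the buffer).
        if ($len < 8 || $off + $len > $total) {
            throw new RuntimeException("bad TLV length $len at offset $off");
        }
        $tlvs[] = ['type' => $hdr['type'], 'value' => substr($buf, $off + 8, $len - 8)];
        $off   += $len;
    }
    return $tlvs;
}

// A packet is itself a TLV: its value is the concatenation of inner TLVs.
$packet = tlv_encode(EX_TLV_TYPE_GROUP,
    tlv_encode(EX_TLV_TYPE_STRING, 'sysinfo') .
    tlv_encode(EX_TLV_TYPE_STRING, 'ok'));

foreach (tlv_decode($packet) as $outer) {
    printf("packet type=0x%08x, %d bytes of value\n", $outer['type'], strlen($outer['value']));
    foreach (tlv_decode($outer['value']) as $tlv) {
        printf("  tlv type=0x%08x value=%s\n", $tlv['type'], $tlv['value']);
    }
}
```

The parser never needs to know what a type means, which is the point slide 17 makes: one core engine can walk traffic from extensions it has never heard of. The two length checks are what keep that engine safe when the peer sends a malformed or truncated length, which is the first thing to fuzz on any TLV parser.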
  • 18. Meterpreter Ruby API
    • Powerful and flexible scripting capabilities
    • Extensions create an attribute under the main client object
    • Various bits of info in each extension
      – client.sys.config.sysinfo
  • 19. Challenges of doing all this in PHP
  • 20. Liabilities
    • Magic Quotes
    • Size restrictions
    • Safe mode
    • disable_functions setting in php.ini
    • PHP Quirks
  • 21. We Don’t Need No Stinking Quotes
  • 22. Size Restrictions
    • URL length is limited to 4000 bytes on Apache
    • Total length of an HTTP header value is 8190
    • Solution is the same as for other kinds of shellcode: stagers
      – Set up some kind of communication with the attacker, read in more code, eval
  • 23. Safe Mode
    • Kind of a bummer for some things
    • Restricts files and command exec
    • Doesn’t limit sockets in any way
  • 24. disable_functions setting
    • Sucks
    • Can try a bunch of different functions with similar purposes until one works
      – shell_exec -> passthru -> system -> popen …
    • Esser’s memory corruption fu
  • 25. PHP Quirks
    • Stream vs Socket Resources
      – stream_select() vs socket_select()
    • Operator precedence
      – $var & CONST == CONST
      – $var & (CONST == CONST)
      – $var & 1
    • Can’t assume anything newer than version 4.3
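The two quirks on slide 25, as an added PHP example that is not code from the talk: the precedence trap, where `==` binds tighter than `&`, and a dispatcher that picks `stream_select()` or `socket_select()` from the kind of handle it is given. `EX_FLAG`, `flag_test_wrong()`, `flag_test_right()` and `wait_readable()` are names invented for the example.

```php
<?php
// Added example of two quirks from slide 25; not code from the talk.
// EX_FLAG and the three functions are names invented for this example.

const EX_FLAG = 0x2;

function flag_test_wrong(int $var): int
{
    // == binds tighter than &, so this parses as
    //   $var & (EX_FLAG == EX_FLAG)  ==>  $var & true  ==>  $var & 1
    // and tests bit 0 instead of EX_FLAG.
    return $var & EX_FLAG == EX_FLAG;
}

function flag_test_right(int $var): bool
{
    // Parenthesise the bitwise operation so the comparison sees its result.
    return ($var & EX_FLAG) == EX_FLAG;
}

// Stream resources (fopen, fsockopen, stream_socket_*) must be polled with
// stream_select(); handles from the sockets extension must use
// socket_select(). Passing one to the other fails, so dispatch on the kind.
function wait_readable($handle, int $seconds)
{
    $read   = [$handle];
    $write  = null;
    $except = null;
    $is_socket = (is_object($handle) && get_class($handle) === 'Socket')      // PHP 8: Socket object
        || (is_resource($handle) && get_resource_type($handle) === 'Socket'); // PHP 7: resource
    return $is_socket
        ? socket_select($read, $write, $except, $seconds)
        : stream_select($read, $write, $except, $seconds);
}

// 6 is binary 110: EX_FLAG (bit 1) is set, bit 0 is clear, so the
// unparenthesised test and the correct one disagree about it.
printf("wrong: %d  right: %s\n", flag_test_wrong(6), var_export(flag_test_right(6), true));

// Each handle kind polled through the same function (Unix-only helpers,
// guarded so the script still runs where they are missing).
if (function_exists('stream_socket_pair')) {
    [$a, $b] = stream_socket_pair(STREAM_PF_UNIX, STREAM_SOCK_STREAM, STREAM_IPPROTO_IP);
    fwrite($a, "ping");
    printf("stream readable: %d\n", wait_readable($b, 1));
}
if (function_exists('socket_create_pair')) {
    socket_create_pair(AF_UNIX, SOCK_STREAM, 0, $pair);
    socket_write($pair[0], "ping");
    printf("socket readable: %d\n", wait_readable($pair[1], 1));
}
```

The precedence bug is worth remembering when reading PHP that checks permission or capability bits: a test written as `$perms & FLAG == FLAG` silently checks the wrong bit, so review such expressions for missing parentheses.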
  • 26. Assets
    • Many ways of doing the same thing
      – System Commands, Sockets
    • Your brains, his strength, my steel.
  • 27. Running System Commands
    • system, exec, popen, pctl_open, shell_exec, passthru, proc_open
    • A few non-default extensions: perl, win32std, win32services, almost certainly others
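Slides 24 and 27 together make the defender's point: a payload falls through the list of command-execution functions until one works, so a `disable_functions` policy that blocks one of them blocks nothing. As an added PHP example that is not code from the talk, this is an administrator's audit of the functions slide 27 names under the current php.ini; it only inspects and never runs a command. `pcntl_exec` is a real PHP function the slide does not list, added because it reaches the OS the same way; `EX_EXEC_FUNCTIONS` and the two function names are invented for the example.

```php
<?php
// Added example, not from the talk: audit which of the command-execution
// functions slide 27 lists are still callable under the current php.ini.
// It inspects, it never executes anything. pcntl_exec is a real function
// the slide does not name, included because it reaches the OS the same way.

const EX_EXEC_FUNCTIONS = [
    'system', 'exec', 'popen', 'shell_exec', 'passthru', 'proc_open', 'pcntl_exec',
];

function ex_disabled_functions(): array
{
    // disable_functions is a comma-separated list; tolerate spaces and blanks.
    return array_values(array_filter(array_map('trim',
        explode(',', (string) ini_get('disable_functions')))));
}

function exec_function_audit(): array
{
    $disabled = ex_disabled_functions();
    $report   = [];
    foreach (EX_EXEC_FUNCTIONS as $fn) {
        // function_exists() also returns false for disabled functions, so the
        // disable_functions check comes first to tell "blocked by policy"
        // apart from "extension not compiled in or loaded".
        if (in_array($fn, $disabled, true)) {
            $report[$fn] = 'disabled';
        } elseif (function_exists($fn)) {
            $report[$fn] = 'ENABLED';
        } else {
            $report[$fn] = 'absent';
        }
    }
    return $report;
}

function suggested_disable_functions(): string
{
    // Slide 24's lesson: blocking one function only moves the payload on to
    // the next, so the suggestion always covers the whole family at once.
    $merged = array_unique(array_merge(ex_disabled_functions(), EX_EXEC_FUNCTIONS));
    return 'disable_functions = ' . implode(',', $merged);
}

$report = exec_function_audit();
foreach ($report as $fn => $state) {
    printf("%-11s %s\n", $fn, $state);
}
if (in_array('ENABLED', $report, true)) {
    echo "\nphp.ini suggestion:\n", suggested_disable_functions(), "\n";
}
```

Run it with the same php.ini the web server uses (`php -c /path/to/php.ini audit.php`, or through the web SAPI), since the CLI often loads a different configuration. Slide 24's last bullet is the caveat that goes with it: a function blocklist is hardening against the simple payloads on slides 7 to 9, not a security boundary against memory corruption in the interpreter itself.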
  • 28. Communications
    • Use the webserver
      – Simple, effective. Most existing payloads do this
      – Leaves logs =(
    • Programs on the system: nc, bash, ftp, …
      – No guarantee they’ll be there or work
    • Sockets
  • 29. Sockets
    • fsockopen, pfsockopen, socket_create, stream_socket, fopen
    • Extensions: curl, perl (wtf?)
  • 30. Files
    • fopen is usually enough
      – Nobody disables it because it would break everything
  • 31. Future
    • Javaterpreter, JSPterpreter
      – Already in the works, written by mihi
    • ASPterpreter?
    • Macterpreter/POSIX Meterpreter
      – Most of the code is there but is not really usable
  • 32. What should I call it?
    • PHP Meterpreter, php-terpreter
    • meterphpreter (pronounced “meterfpreter”)
    • phpterpreter (pronounced “fapterpreter”)
    • phpsucksmyballsterpreter
  • 33. Demos
