Calling functions without their names in PHP

Strings. Ah juicy and precious strings! It is common for malware scanners and IDPS to look for suspicious strings in network traffic and files… but what if there are no strings to look for? (whaaa?)

Today I was wondering about some features found in many interpreted languages of listing its internal functions in some sort of list/array. This way we can enumerate the [index] => function_name relationship, replace all function_names on the code to their index and voilá!

You might ask: “But you can just put those indexes on the rulesets.” I answer: “Yes, that’s true”. But different server/PHP configurations might generate the different indexes. Besides, numbers are much more fun to obfuscate than strings.

PHP, because it’s widely used on the wild

I wasn’t remembering if PHP had this or not but I was pretty confident due to its nature. Turns out that get_defined_functions is there as expected. With the aid of call_user_func_array it enabled the calling of functions without writing down their names in any encoded form (but it is required that you enumerate them beforehand).

The Code

This snippet has fewer than 10 lines (and it’s optimized for readability) and is our indirect caller function.

Then you can call your functions like this:

The output

Just for illustration:

We can even make it a little more compact

But Jan, there are still tree other internal function names exposed in your code. (func_get_args, call_user_func_array and array_shift)

Heck, you’re right. Let’s make this better.

or even…

MOAR compact!

A simple silly backdoor

How the numbers could be obfuscated to bypass simple rules?

Well, with the very simple math stuff:

  • XOR/AND/OR all entries: $index^$key, $index&$key, $index|$key
  • SUM/SUB/DIV/MUL all entries: $index+$key,$index-$key, $index/$key, $index*$key

And so on.

So, what to do to prevent/catch those things?

Keep an eye for get_defined_functions.

Cya!

GoldenEye 2.1 released with even more randomness

Recently I’ve discovered that GoldenEye got his first signature from a big vendor.

That’s funny since the main GoldenEye objective is to be signature-proof due its randomness. I’ve done a quick search on the internet and found the signature update link for their products, downloaded, located that one mentioned above.

It was a very crude signature, as expected:

Mostly are the only static texts GoldenEye had (since this update ;)). These are mostly leftovers from Barry’s HULK, which GoldenEye was spawned from.

Changelog

No worries, this new patch include the following changes:

  • Referer strings from search engines now only domain part hardcoded (rest is generated)
  • Referer generation function now generates even more random referers.
  • NO MORE HARDCODED USER AGENTS. I admit, hardcoded user agents were lame. There’s now a User-Agent Generator function that will generate RFC-2616 compliant user-agent strings.
  • External User-Agent List Support: As the generator function may generate UAs for inexistent browser version + plugin version combinations, you can now supply your own list of User-Agents (one per line – text file) via the -u flag.
  • Besides no-cache I’ve added the directive max-age=0 that does basically the same thing. GoldenEye will chose one of them during the strike request.
  • More random keepalive values: They’re 110-120 (legacy), now they’re random 1-1000
  • User-Agent lists: I’ve added a res directory for external resources. Multiple text files were placed there with user agents from different platforms.
  • Utilities! Now the getuas.py scrapes (requires BeautifulSoup) http://www.useragentstring.com/ URLs.

About the User-Agent generation algorithm

The user-agent string follows the following format: Mozilla/[version] ([system and browser information]) [platform] ([platform details]) [extensions]

I have a python dictionary with OS-specific values and Platform-specific (Webkit, Gecko, Internet Explorer) values. There are many options for each one. Mostly generated on the fly thanks to python’s dynamic lists generation.

Here’s an example of the property generation

Upon program start, it will generate N random values and populate the python list. As lists can be easily joined with the + operator, this makes dynamic list generation a charm. The same goes to OS-specific values

Any effort now to block our user-agents will block legitimate traffic also :)

About referer generation

In the previous GoldenEye versions, referers were crude and simple, like search engine search urls with some random parameter. Now referers are generated like request urls:

  • Random PATH (/Hiad727ja)
  • Random QueryString key and value names
  • Random QueryString key and value quantity
  • Random QueryString presence

As it was before, referer presence is also random.

I think that covers all the changes for this version.

Download, test (please, not on other people’s servers) and report!

Whitespace Esolang Covert Channel / Steganography

I’ve been always a fan of esoteric programming languages (esolangs). These programming languages are generally made just for fun, mostly in universities or for challenges. Wikipedia describes as the following:

An esoteric programming language (esolang, in short) is a programming language designed to test the boundaries of computer programming language design, as a proof of concept, or as a joke. The use of esoteric distinguishes these languages from programming languages that working developers use to write software.

You’ve probably seen some of the famous ones like brainfuck and shakespeare language. Some months ago I stumbled upon this funny one called “Whitespace“.

About Whitespace esolang

Whitespace is an esolang created by Edwin Brady and Chris Morris from the University of Durham in released in 2003. Their opcodes consists only of spaces, tabs and line-feeds. Interesting, huh?

Here’s a sample Hello, World! program in Whitespace (red = spaces, blue = tabs, black = VIM cursor):

Whitespace

This “feature” came into my mind as a very difficult pattern to detect through computational means since the language natively discards every other character permitting this language to be merged arbitrarily with any other text…. and even some code ;)

I’ve then remembered that HTML has cool workarounds with repeated spaces and tabs when it comes to parsing and rendering, so I could be able to inject Whitespace opcodes into HTML without breaking it and with minor rendering quirks.

So the weather was crappy, beer was over and I decided to make a covert shell with that.

Creating the covert shell

PHP is one of the most used languages in websites and power popular platforms like WordPress and MediaWiki. PHP has an output buffering system (ob_start, ob_get_contents etc) and a widely abused feature called auto_prepend_file. These would be enough to setup my covert shell.

I quickly spawned two files, one .htaccess to handle my shell injection via auto_prepend_file (very known and old trick) and one wcc.php to do the magic.

This would ensure my shell works on almost any php page on the target acessible through the browser.

First thing I had to do was ensure that the I’ve got the output buffer after all other possible output buffer handlers had processed it. There’s quite a time since I left web developing but I did remembered about register_shutdown_function that is used to, you know, register functions that will run before the script exits.

I could’ve stopped there, but I’ve wanted to prevent other register_shutdown_functions to win the race and alter the output after I did, so I did some research and saw that if you call register_shutdown_function from a register_shutdown_function, it will have high chances of being the last shutdown function (unless other register_shutdown_function did the same trick).

And further down…

That took care of ensuring that my wcc_merge_output function will run at the very end of any script.

Now it’s time to play with the output buffer and do the whitespace magic. I’ve placed ob_start on my wcc_init function that is prepended by .htaccess so as soon as script starts, output buffering is enabled.

If the magic cookie key is set, it will run the command with exec (for testing purposes, you can change to whichever method you want), gzdeflate-it and convert to whitespace language.

I won’t comment on the actual code responsible to converting from ASCII to Whitespace but FYI, it basically converts each char to binary, pushes each character to Whitespace Stack, then adds “print char from stack” N times, where N = len(string) and finally adds the “end program” sentence.

You can read more about the internals of Whitespace Language on the official page’s tutorial. If you’re interested, you can check the wcc_whitespace_print_string function source-code.

The wcc_init function ended up looking like this:

When the original script finishes its job and execution is passed to my shutdown function, wcc_merge_output will grab the contents of the output buffer, merge, display and exit.

The caveat

Of course, nothing comes easy. I decided to test the WCC on a real (little old) WordPress install so I pulled up an old VM that I had it installed.

My buffer was being ignored or duplicated, depending on the page. Turns out I did not account the race condition that other codes might introduce when handling output buffer and they were flushing the buffer before I could act, so I created a little trap to prevent others from messing with it.

As from the documentation for the callback parameter from ob_start:

The function will be called when the output buffer is flushed (sent) or cleaned (with ob_flush(), ob_clean() or similar function) or when the output buffer is flushed to the browser at the end of the request.

That did the trick.

The sanitization and tokenization process is quite simple.

For content, first I replace all tabs to spaces, place each line in an array with respective line number as index. Then I remove the linefeeds from the each line and break the line into tokens separated by spaces.

For whitespace, I just convert a string to an array of characters. Dead simple.

Merging content

This is quite simple also. For each whitespace token (character/opcode), I add one of the content parts (tokens) followed by the whitespace token.

If whitespace payload is less than content, when I finish adding whitespace tokens, I just add the remaining pieces glued toghether by spaces and keep their line feeds.

If whitespace payload is greater than content, I just add raw whitespace payload to the end of the HTML content. This brings up some issues on detection but it’s better than no output at all. Just choose a page with more content.

You can check it out the source-code of this routine.

Issuing requests to the shell

In this PoC I’ve used the classic Cookie command input trick.

So through a shell, you can do something like

Then parse with any Whitespace interpreter and inflate the payload again

inflate.php reads input from stdin and passes to gzinflate.

Result?

Visual Differences

For some content you might get some quirks, for others, not.

Here’s a screenshot from both pages sources. First with embedded Whitespace command output and the second is the original.

Whitespace HTML Source Comparison

Here’s a screenshot from both pages rendered HTML. First with embedded Whitespace command output and the second is the original. (Don’t mind the images, this theme has random header images)

Whitespace Rendered HTML Comparison

Size discrepancies

Since we’re mostly changing stuff than adding, our file size ends up very close to the original if you have enought HTML to fit your command output. Below is the comparison of the original HTML with one with the output from some commands.

I’ve ran id, ip a show, ps aux and ls -al. id was the only one that fit entirely in the HTML I’ve got (pretty short page). The others resulted in raw whitespace appended to the end of the original HTML.

LOL. In some cases it even “minifies” a little…

Final notes

  • I did not put any effort on encoding/encrypting the cookie or commands or whatever. This is only to test the covert response channel.
  • I also know that cookie based command passing is easily detectable. And are many other better ways to do that.
  • Of course there are better methods than exec to run code. This is also not the point of this research.

Source code & files

All files are available on my github repo. Feel free to download, play, fork, whatever.

Enumerating Android installed applications without special permissions

Sometimes I took some random Android app I’ve recently installed on my phone and start performing some tests on it. It’s not uncommon to see unauthenticated API requests, plaintext HTTP communication and some obfuscation logic or hardcoded credentials rammed down at client code. As I use to say in my SCADA talks,

“everything that is ‘new’ is prone to ‘newbie’ mistakes”

This is not different for mobile development. The urge for delivery and the hype of start-ups and its fast-paced deployment philosophy usually results on developments with little to no attention to security.

Well, today I was reversing one of those applications. I won’t disclose the name of it for obvious reasons so don’t ask. I started simply by jacking up ProxyDroid to Burp and started to use the app normally.

Then I saw something on Burp that made me REALLY concerned.

That prick was spying on me! So I got a little mad and decided to rip the apk open and take a look at the code to see how that was being done.

As I rolled my eyes through the code seeking the “competitor mining” code, I was getting some usual juice like finding that all of the requests were unauthenticated that could lead to almost complete data extraction from partners, customers and transactions, scary!

And then I found it! Consider the following snippet from the app:

So it seems that any app can call getInstalledPackages from the PackageManager class on Android SDK and enumerate all you installed apps? Yes, this is true.

And there’s more! According to the documentation:

A List of PackageInfo objects, one for each package that is installed on the device. In the unlikely case of there being no installed packages, an empty list is returned. If flag GET_UNINSTALLED_PACKAGES is set, a list of all applications including those deleted with DONT_DELETE_DATA (partially installed apps with data directory) will be returned.

So any app can also return apps you uninstalled!

But Jan, how bad is this?

Well, basically I don’t like anything tracking me and that’s why I make extensive use of privacy tools when I’m online, so I don’t like either any app phoning-home with the list of apps I have.

In the case above, this company was using this in order to collect market data from competitors and payments gateway. As many may think this is “part of the business” I think this is not also wrong and offending as this capability of the Android System really should have its own permission.

For me, as there is no system-defined permission for reading installed apps, this is clearly a case of “it’s not a bug, it’s a feature” that is really creepy.

UPDATE: Comments from Zigurd on Hacker News

I’ve submitted this post to Hacker News and an user raised some interesting questions that I’ll post below and comment on them:

Package names weren’t made to be private

There are a few rationales one could cite for this:
One could probably obtain the package names of all the apps out there, so, as long as package names can be used to access components in Android, this is information that could be extracted by trial and error anyway.

I totally agree on “package names weren’t designed to be private”. As I cited this is a feature not a bug but I think it should. Not that the package name should be a secret but you shouldn’t be able to retrieve the installed ones from the user system.

The impact doesn’t pose a threat

On the other hand, everything you can do with this knowledge is controlled by sandboxing and permissions, so having this knowledge doesn’t give you anything beyond what you could have with a good guess.
Lastly, one would have to reinvent package naming around names that cannot be guessed. To sum it up, package names weren’t designed to be private, and retrofitting privacy to package names is hard.

I disagree with “everything you can do with this knowledge is controlled by sandboxing and permissions, so having this knowledge doesn’t give you anything beyond what you could have with a good guess.” because this information can be used to later push application-specific ads or even try to present the user with data in order to make him click on an ad or link and get exposed.

There are several ways on enumerating (guessing) installed packages

I agree there is a privacy concern, however, if you took away that method in the package manager, you could still try invoking, say, standard methods in components in packages and guess their names.
The developers’ domain names are public, so there is no way to prevent guessing parts of package names in Android and probably no way to prevent guessing complete package names.
Let’s take a use case: I want to secretly check if you have banking apps installed. I can install them and discover their package names. Then I can make a malicious app that checks if some component of those apps exists, by checking for an intent filter match, for example. Then I present you with a targeted phishing attack that looks like those apps’ screens. You didn’t need to enumerate all installed packages to do that.

I get this point and I do agree that are diferrent ways on enumerating apps but you need to do some guessing. The evil part I think is that you can enumerate ALL apps without need to guessing.

There are legitimate uses for enumerating all the packages

There are legitimate uses for enumerating all the packages. I’ve used it for a plug-in architecture for an app that enables 3rd party plug-ins.

And I also agree with you that there are legitimate uses for that, as you have for sending/receiving SMS, but my point is: Users should be warned that this app is attempting to do that so they can judge where to install it or no, as you have for all other sensitive information.

I’m really happy on having this article bringing up this discussion because it’s an example of how even to minor issues, the security concerns should be evaluated.

New version of GoldenEye WebServer DoS tool released

After the hackers 2 hackers conference talk last year, some people contacted me about known Python performance issues regarding the use of threads related to the GIL.

Indeed the threading wasn’t performing well due the nature of GIL so I’ve rewritten the code to support Python’s multiprocessing module. It’s a tad faster but I haven’t tested it exhaustively so if you feel the inner-beta-tester in you, let me know!

The download is available as always at the github project page at https://github.com/jseidl/GoldenEye and you can read more about the tool at the project page at this blog.

Please test it (ON YOUR OWN RESOURCES!!) and let me know your thoughts!

Fixing ‘guake can not init’ and buggy tab titles on Backtrack 5 R3

Hi Folks, I’m a heavy Guake Terminal user and I just installed the latest Backtrack 5 revision (R3) and installed Guake on it. I was surprised when I tried to start by getting the message:

“Guake can not init!\n\nGconf Error.\nHave you installed guake.schemas properly?”

Long story short, it seems that the package bundled with this version of Backtrack (and maybe others) have a bug into the debian package file/script that installs the guake.schemas file into an erroneous location (/usr/etc/gconf/schemas/).

The location should be /etc/gconf/schemas/guake.schemas. You’ll have to mkdir this schemas directory under /etc/gconf and mv or ln -s this file there. Problem solved.

This solution was found here.

Buggy tab titles

Other thing that annoys me a LOT is that some versions (0.4.1 and maybe older ones) of Guake have a bug in the tab titles setting mechanism. It simply goes blank and you’re left with a blank title when you try to change it.

You’ll have to hack up a Guake file to fix that:

  1. Edit guake.py (on BT5R3 is at /usr/lib/guake/guake.py
  2. Comment out the following code on line 983: dialog.destroy()
  3. Copy that same code (uncommented of course) below the if statement (about line 987)
  4. Save and restart Guake
  5. Enjoy!

This solution was found here.

Well, that’s all for now! Hope that this hint helps someone!

Talking about D/DoS (again) at XVII Semana de Informática (Computer Science Week)

I’m speaking at the 17th Computer Science Week at Minas Gerais, Brazil November 24th. I’ll be giving an extended version of my H2HC Talk for Computer Science students at UFV (Universidade Federal de Viçosa / Viçosa Federal University) at Minas Gerais, Brazil.

More at my talk’s summary page on the event website

@UPDATE
It was a great talk! Thanks for everyone that attended! Slides are on my slideshare!

Quick and dirty ngrep credential (username/password) sniffer

Some time ago I’ve posted a quick (and dirty too!) command-liner using tcpdump to sniff plaintext credentials over the wire.

Now I’ve acomplished the same thing with a shorter regex and ngrep tool.

Where -i is for case-insensitive and -q for more precise output. See man ngrep for additional information.

And the output is as follows:

Hope that helps!

About Hackers 2 Hackers Conference 9th Edition

Hi Folks,

This last weekend was my talk on Hackers 2 Hackers Conference 9th Edition @ São Paulo, Brazil. The talk was in portuguese and the slides are available here (download pdf) and here (slideshare).

The subject of the talk was about layer 7 denial of service techniques and tools, using haproxy and socat to create a distributed denial of service from a single node, some XSS payload for DDoS and demonstration of the GoldenEye Mobile tool released today.

I am very happy with the results, with the public’s acceptance and reaction to the material presented and for the cheers from all the good friends and IT professionals from Brazil.

Also, thanks to Utah Networks, the talk was live streamed and recorded and the video can be found on this link or below.

TI Safe, the company that I currently work at, has also published some photos at their Flickr page.

As I promised to the attendees, the code for GoldenEye and GoldenEye Mobile are available at my github page.

Below a demo video of the GoldenEye Mobile tool in a test:

Talk apart, the whole event was AWESOME as usual. Spectacular specially crafted beer, excellent coffee-break, excellent service, excellent infrastructure! Hackers 2 Hackers Conference once again proved why is one of the most incredible confs at Brazil.

Thanks for people at H2HC for accepting the paper and doing such a great event.

I’m speaking at Hackers 2 Hackers Conference 9th edition – 2012 @ São Paulo, Brazil!

Hi folks! I’m glad to inform that my paper “Advanced DDoS techniques: Layer 7, load-balancing and mobile tools” was accepted by the 9th Hackers 2 Hackers Conference (H2HC).

The event will take place on October 20-21 and it seems to be another success just like previous editions.

Don’t forget to check the event’s website for full line-up. If you can, enroll and enjoy!