Archive for the “php” Category

Before you read any further, note that I will not be including the original hack file, simply due to people's stupidity in putting this on a production environment to play with. If you use the code you do so at your own risk, and by reading this blog entry / using the code provided you agree to accept all liability upon yourself for your own actions. Don't be an idiot.

Around 10 days ago I came across this seemingly innocuous little file.

What I am going to cover in this entry is dissecting the 'payload', and not so much the web app in question or the methods used to compromise it.

While I will not at this time provide the original file, I will provide the md5 and sha1 hashes of the file so you can check it's not lurking on your systems:

md5: 9ee3e6523d154114460d320477a8665a
sha1: 9c64fecea5620d70a716bbd74f6e89612a4a79c7

The bit we are interested in is the last line of the file:

Were you to run this line you would get:

Confused yet? Now, I can appreciate the thinking behind packing a payload to avoid detection, but in this case the payload is packed 12 times, and no, before you ask, I did not manually run each returned statement to find this out.

Enter Python-Fu:

#!/usr/bin/env python
# saiweb.co.uk payload unpack script 26/05/2010
# copy the eval(gzinflate()) line to payload.raw, place in same directory as this file.

"""
Copyright (C) 2010 Buzz saiweb.co.uk

    This program is free software: you can redistribute it and/or modify
    it under the terms of the GNU General Public License as published by
    the Free Software Foundation, either version 3 of the License, or
    (at your option) any later version.

    This program is distributed in the hope that it will be useful,
    but WITHOUT ANY WARRANTY; without even the implied warranty of
    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
    GNU General Public License for more details.

    You should have received a copy of the GNU General Public License
    along with this program.  If not, see <http://www.gnu.org/licenses/>.

    Additional Terms as Per section 7

    Attribution:

    Redistribution/Reuse of this code is permitted under the GNU v3 license, as an additional term ALL code must carry the original Author(s) credit in comment form.
"""


import base64
import re
import zlib

# Matches one eval(gzinflate(base64_decode('...'))); wrapper and captures the base64 body.
WRAPPER = re.compile(r"eval\(gzinflate\(base64_decode\('([^']+)'\)\)\);")


def main():
    print('Running ...')
    with open('payload.raw') as f:
        php = f.read()
    iteration = 0
    while True:
        match = WRAPPER.search(php)
        if not match:
            break
        iteration += 1
        print('Iteration: %d' % iteration)
        gstring = base64.b64decode(match.group(1).strip())
        # gzinflate() emits raw DEFLATE with no zlib header; wbits=-15 tells zlib
        # to expect exactly that, so no fake 'x\x9c' header needs to be prepended.
        php = zlib.decompress(gstring, -15).decode('latin-1')
    print(php)


if __name__ == '__main__':
    main()

Copy the first payload line into a file named payload.raw, and copy the above code into a file named dissect.py.

When dissect.py is run you will get the following output:

python ./dissect.py
Running ...
Iteration: 1
Iteration: 2
Iteration: 3
Iteration: 4
Iteration: 5
Iteration: 6
Iteration: 7
Iteration: 8
Iteration: 9
Iteration: 10
Iteration: 11
Iteration: 12
<?php
...

As such you may want to run it using the following command:

python ./dissect.py > r57.php

What you will find, after unpacking 12 times in total, is that the "payload" is the r57shell. This script is an information gathering tool and pseudo shell, meaning it will run any command on the host server that PHP can, providing in most cases SSH-esque access to the exploited host and allowing whoever planted it to do pretty much anything they want at that point. Some of the features also include /etc/passwd and /etc/shadow dumping, as well as searching for a tirade of common files (*.sql*, admin*, etc.); it's a one-stop script for information gathering on a LAMP/WAMP based host.
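As an added example, not the dissect.py above and not anything taken from the r57shell, here is a generalisation of the same unwrapping loop in Python 3. It parses whatever chain of PHP decoding functions sits inside eval(), applies them innermost-first, only unwraps when the eval statement is the whole script body (so an eval() buried inside a larger file is surfaced for inspection rather than blindly decoded), and hashes a file body against the md5/sha1 given earlier in the post. The packed sample it runs on is constructed inline from a harmless echo; the function names pack(), unpack(), unwrap_once() and check_indicators() are this example's own.

```python
#!/usr/bin/env python3
"""Generalised unpacker and indicator check for layered eval() wrappers.

Example code added to this write-up, not the original dissect.py. The packed
sample at the bottom is constructed here from a harmless echo so it runs offline.
"""
import base64
import codecs
import hashlib
import re
import zlib

# File hashes quoted in the write-up above for the packed r57shell dropper.
KNOWN_BAD = {
    "md5": "9ee3e6523d154114460d320477a8665a",
    "sha1": "9c64fecea5620d70a716bbd74f6e89612a4a79c7",
}

# eval( f1( f2( ... 'literal' ) ) );  -- captures the function chain and the literal.
WRAPPER = re.compile(r"eval\(((?:\w+\()+)'([^']*)'\)+;?")
# Leading <?php / <? and trailing ?> tags, so a tag-wrapped layer still counts as "only eval".
TAGS = re.compile(r"^\s*<\?(?:php)?\s*|\s*\?>\s*$", re.I)

# PHP decoding primitives commonly chained inside eval(), re-implemented on bytes.
DECODERS = {
    "base64_decode": base64.b64decode,
    "gzinflate": lambda b: zlib.decompress(b, -15),   # raw DEFLATE, no zlib header
    "gzuncompress": zlib.decompress,                   # zlib-wrapped DEFLATE
    "str_rot13": lambda b: codecs.encode(b.decode("latin-1"), "rot13").encode("latin-1"),
    "strrev": lambda b: b[::-1],
}


def unwrap_once(php):
    """Strip one eval(...) layer. Returns (inner_code, chain) or (None, None).

    Only fires when the whole script body is the eval statement; an unknown
    decoder in the chain raises ValueError so the analyst sees it.
    """
    body = TAGS.sub("", php).strip()
    m = WRAPPER.fullmatch(body)
    if not m:
        return None, None
    chain = m.group(1).rstrip("(").split("(")      # outermost function first
    data = m.group(2).encode("latin-1")
    for name in reversed(chain):                    # PHP evaluates innermost first
        if name not in DECODERS:
            raise ValueError("unsupported wrapper function: " + name)
        data = DECODERS[name](data)
    return data.decode("latin-1"), chain


def unpack(php, max_layers=64):
    """Peel layers until no whole-body eval() wrapper remains. Returns (code, layers)."""
    layers = 0
    while layers < max_layers:
        inner, _ = unwrap_once(php)
        if inner is None:
            break
        php = inner
        layers += 1
    return php, layers


def check_indicators(data):
    """Hash a file body and report a known-hash match and/or an eval wrapper anywhere in it."""
    md5 = hashlib.md5(data).hexdigest()
    sha1 = hashlib.sha1(data).hexdigest()
    return {
        "md5": md5,
        "sha1": sha1,
        "known_bad_hash": md5 == KNOWN_BAD["md5"] or sha1 == KNOWN_BAD["sha1"],
        "has_eval_wrapper": WRAPPER.search(data.decode("latin-1")) is not None,
    }


# --- constructed sample: a harmless script packed the same way the dropper was ---
def pack(php, layers):
    """Wrap code in eval(gzinflate(base64_decode('...'))); `layers` times (fixture only)."""
    for _ in range(layers):
        c = zlib.compressobj(9, zlib.DEFLATED, -15)         # raw DEFLATE like gzdeflate()
        raw = c.compress(php.encode("latin-1")) + c.flush()
        php = "eval(gzinflate(base64_decode('%s')));" % base64.b64encode(raw).decode("ascii")
    return php


ORIGINAL = '<?php echo "unpacked ok"; ?>'
SAMPLE = pack(ORIGINAL, 12)


def demo():
    code, layers = unpack(SAMPLE)
    return code, layers, check_indicators(SAMPLE.encode("latin-1"))


if __name__ == "__main__":
    code, layers, ind = demo()
    print("layers:", layers)
    print("indicators:", ind)
    print(code)
```

Run it directly to watch the 12 constructed layers peel off. When hunting across a document root, pass each file's bytes to check_indicators(): a known_bad_hash hit is the dropper from this post, while has_eval_wrapper is a lead to review with unpack() rather than a verdict on its own.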


Defense: modify php.ini to disable eval(), exec, shell_exec and all non-essential functions.

And of course, ensure your web apps are patched and up to date as well as the host they are running on.
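A php.ini fragment for the hardening step above, added here as an example and not taken from the post; the file path is assumed, and php --ini prints the one actually loaded. One caveat a practitioner will hit straight away: eval() is a language construct, not a function, so it cannot be listed in disable_functions. The list below therefore targets the command-execution functions a shell like r57 relies on. disable_functions is PHP_INI_SYSTEM, so it only takes effect from php.ini (or the per-pool/vhost configuration), not from .htaccess or ini_set().

```ini
; /etc/php.ini (assumed path for this example; check `php --ini` for yours)

; Command-execution functions an uploaded shell calls to run host commands.
; eval() cannot appear here: it is a language construct, not a function.
disable_functions = exec,shell_exec,system,passthru,popen,proc_open,pcntl_exec

; Stop include/require from pulling code over HTTP/FTP.
allow_url_include = Off

; Do not advertise the PHP version in the X-Powered-By header.
expose_php = Off
```

After editing, restart the web server or PHP-FPM and confirm with a phpinfo() page (or php -i) that the disable_functions line shows the full list.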


Comments No Comments »

In some situations using a double-quoted string is required, i.e. "this\nstring\nappears\nover\nmany\nlines" …

However, in 99% of cases it is used without even thinking about the implications of doing so … PHP will in fact evaluate any string wrapped in double quotes. This adds a processing overhead, but it seems people do not realise how much in comparison to using single quotes for the same string.

Take for example this code:

<?PHP
/**
 * double-quotes-are-bad.php ~ D.Busby (Saiweb.co.uk)
 **/

$start = microtime(true);
$var = "This is a stiring it may not actually have anything to be parse within"
        .       " However the issue remains that infact php will attempt to evaluate every char"
        .       " In this string, which in this example may not be so bad, as it's just one string"
        .       " In one file, buit imagine what happens when every string in your webapp uses double quotes";
$end = microtime(true);
$len = strlen($var);
$res = round($end-$start,10);
echo $len.' Chars evaluated in '.$res.' seconds'."\n";

$start = microtime(true);
$var = 'This is a stiring it may not actually have anything to be parse within'
        .       ' However the issue remains that infact php will attempt to evaluate every char'
        .       ' In this string, which in this example may not be so bad, as it\'s just one string'
        .       ' In one file, buit imagine what happens when every string in your webapp uses double quotes';
$end = microtime(true);
$len = strlen($var);
$res2 = round($end-$start,10);

echo $len.' Chars evaluated in '.$res2.' seconds'."\n";

$speed = round((1 - $res2/$res) * 100,2);

echo 'Single quotes are '.$speed.'% faster'."\n";

?>

Now, I am running this on a live server that is serving in excess of 100 pages a second; take a look at the output:

320 Chars evaluated in 1.40667E-5 seconds
320 Chars evaluated in 3.0994E-6 seconds
Single quotes are 77.97% faster

320 Chars evaluated in 1.28746E-5 seconds
320 Chars evaluated in 3.0994E-6 seconds
Single quotes are 75.93% faster

320 Chars evaluated in 1.3113E-5 seconds
320 Chars evaluated in 2.1458E-6 seconds
Single quotes are 83.64% faster

320 Chars evaluated in 1.19209E-5 seconds
320 Chars evaluated in 2.861E-6 seconds
Single quotes are 76% faster

320 Chars evaluated in 1.3113E-5 seconds
320 Chars evaluated in 2.861E-6 seconds
Single quotes are 78.18% faster

320 Chars evaluated in 1.3113E-5 seconds
320 Chars evaluated in 2.861E-6 seconds
Single quotes are 78.18% faster

The improvement is consistently in excess of 75%, so the moral of the story? Don't use "" if you do not need to!

Thanks to everyone who has discussed and proven development methods along the way with me, and sorry it's taken so long to get them written up.

Comments 4 Comments »

Call to undefined function imagettfbbox()

Either you do not have PHP GD installed (check your phpinfo(); and see if GD has loaded with TTF support),

or, if you are compiling from source, add: --with-gd --with-freetype-dir=/lib64 --with-ttf=/lib64 --enable-gd-native-ttf

to your configure line.

Note: you'll need the gd-devel and freetype-devel libs installed, and I'm using /lib64 as I'm running a 64-bit OS.

Comments No Comments »

Finally it is ready and in a state I am happy to release it.

Features

  • Complete code re-write, much more efficient and easier to update
  • Flowplayer 3.1.1
  • License detection, will only use the commercial version if you enter a license!
  • Playlists
  • Better WordPress API integration, all settings now stored in WordPress, no more config files!
  • Same admin interface

(Videos from Apple.com)


Comments 2 Comments »

PHP mail() not working?

Getting "sh: -t: command not found" when testing using the CLI?
What you have is a missing devel package!

In my case sendmail-devel was missing. You'd think the configure script would alert on this, but alas no; devel package installed and one recompile later, the issue is solved.

Comments 3 Comments »

Because a picture is worth over 9000 internets … apparently

UPDATE: AKA the "hayabusayuri" link … seriously, who plays EverQuest? … maybe all that time playing EverQuest finally made the guy snap … and PHP & Windows … never a good combination … in fact Windows and the internet is a bad combination


LINKY

Screencap in case it is removed:

PHP BUG 48319

(Thanks to the guys who forwarded me this)


Comments No Comments »

Tonight I will be pushing to the development SVN a beta preview of the 2.1 release.

Here are some of the changes:

Poor tags, we barely knew them…

GOODBYE! in-post tags (sort of): configuration will no longer be handled using the in-post tags. The old tag structure will be retired in favor of an anchor to place the player in your content, [FLOWPLAYER], and configuration of the player will now be handled by an admin menu box.

That’s quite a list you’ve got there…

(Basic) playlist support has been added; this is configurable from the admin menu for the post.

Dude, where’s your config file?

The saiweb_wpfp.conf file has now been removed *gasp*; the plugin now relies on internal WordPress *magic* for storing its config.

Your media is a great big canvas, and you should throw all the paint you can on it

Fixed a bug with the canvas colour settings

Is that a logo in your pocket, or are you just pleased to see me?

The commercial version of Flowplayer will now only be used if a license key is specified; the free version, which has reduced logo branding, will be used if no key is specified.

I Once Was Blind, But Now I See

The player embed was causing issues with some navigation menus; this should be resolved with the wmode setting.

Details of how to get the preview version and install it along with screen casts of the new menus (time allowing) will be added to this post once everything is committed to subversion.

UPDATE: 15/04/2009 Got my hands on Flowplayer 3.1; code is around 60% finished, went for a complete re-write.


Comments 4 Comments »

An example of getting the current page / post ID, identifying whether the current item is a page or a post, and then appending the results to the content.

All from within a plugin.

<?PHP
/*
Plugin Name: Get Page / Post ID using a plugin by D.Busby Saiweb.co.uk
Plugin URI: http://saiweb.co.uk
Description: Identifies the current page/post and appends text to the content
Version: 0.1
Author: David Busby
Author URI: http://saiweb.co.uk
*/


//WP hooks start
add_filter('the_content', 'post_page');
//WP hooks end

function post_page($content){
    global $post; //wordpress post global object
    if($post->post_type == 'page'){
        $content .= '<br /> This item is a page and the ID is: '.$post->ID;
    } elseif($post->post_type == 'post') {
        $content .= '<br /> This item is a post and the ID is: '.$post->ID;
    }
    return $content;
}
?>

Install the above as a plugin, i.e. in wp-content/plugins/test/test.php

Head over to your admin menu and enable the plugin; now each page and post will identify itself as a page or post, and provide its ID.

There is a lot available in the $post object; for a list, add:

ob_start();
var_dump($post);
$content .= ob_get_contents();
ob_end_clean();

Comments 2 Comments »

The 2.1.0.0 release is due for the end of this month; you can follow its progress from the TRAC page here: http://trac.saiweb.co.uk/saiweb/milestone/wordpress-flowplayer%202.1.0.0

At the time of writing this release intends to close 9 issues / feature requests.

If you have anything you want to see in the next release please leave a comment, or raise a ticket in the trac system.

Cheers

Buzz


Comments No Comments »

Just as a warning, and as a poke to say: WHY are you not running PHP 5.x yet?

Passing "" and, it seems, some multibyte chars to html_entity_decode() in PHP 4.3.10 will cause it to crash, returning random memory contents.

In my case some contents in memory from other sites running on the box were returned.


Comments No Comments »

Creative Commons License