The first step was to look at the source code provided in the zip file. Of particular interest are the scan.php and elfparsing.php.
In elfparsing.php looking at the code below, one can see that the file requirement is a 32bit elf file. (If confused look up ELF fileheaders).
if($magic_0==0x7f && $magic_1==0x45 && $magic_2==0x4C && $magic_3==0x46) {
//echo 'magic found\n';
} else {
sec_warning();
return -1;
}
if($magic_4==0x01) {
//print '32bit not supported <br>';
return 32;
}
if($magic_4==0x02) {
//return 64;
die('64bit not supported');
//sec_warning();
}
sec_warning();
In scan.php the following code shows that for the uploaded file to get past the opcode md5 check it must have b0 01 90 90 90 90 90 90 90 90 cd 80as the starting 12 bytes of the main program.
$opcodes=getOpcodes($rest);
print "Entry Opcodes are: ".$opcodes;
print "\n";
print "Signature is: " . md5($opcodes);
print "\n";
/*
* hint: zombie virus signature is
* 8048340: b0 01 mov $0x1,%al
* 8048342: 90 nop
* 8048343: 90 nop
* 8048344: 90 nop
* 8048345: 90 nop
* 8048346: 90 nop
* 8048347: 90 nop
* 8048348: 90 nop
* 8048349: 90 nop
* 804834a: cd 80 int $0x80
*/
/*
* secret zombie total signature engine is based on md5
*/
if (md5($opcodes) === 'cd53b957ec552afb39cba6daed7a9abc') {
print "found zombie virus, trying to execute it\n";
The next step is creating an elf file to upload to the service, and the file you upload must be able to execute normally. This step must be done on a 32bit linux distribution. I made a c file that has a main function with system(“ cat config.php” ) as its only command. Once compiled I opened it up in Ida Pro Free edition. 
Changing the size of a program will cause it to break because all of the relative references will be thrown off; however, conveniently there are a number of nop statements after call __libc_start_main. I opened the elf file up in a hex editor and copied 12 nop op codes and placed them at the start of the program (before the 31 ED). I then changed those 12 bytes to reflect the zombie virus signature. One more thing must be done to the program before it can be uploaded. The call __libc_start_main no longer refers to the same point in memory because it is a relative reference. Therefore its value must be decreased by the same amount of bytes that were moved. To accomplish this I changed E8 CB FF FF FF to E8 BF FF FF FF to reflect the change in address. Save the file and upload to the server.
analysing file 94b0f040323a591c3e3680246b7ce3ec 8048330: b0 01 mov $0x1,%al 8048332: 90 nop 8048333: 90 nop 8048334: 90 nop 8048335: 90 nop 8048336: 90 nop 8048337: 90 nop 8048338: 90 nop 8048339: 90 nop 804833a: cd 80 int $0x80 804833c: 31 ed xor %ebp,%ebp 804833e: 5e pop %esi 804833f: 89 e1 mov %esp,%ecx 8048341: 83 e4 f0 and $0xfffffff0,%esp 8048344: 50 push %eax 8048345: 54 push %esp 8048346: 52 push %edx 8048347: 68 00 84 04 08 push $0x8048400 804834c: 68 10 84 04 08 push $ Entry Opcodes are: b0 01 90 90 90 90 90 90 90 90 cd 80 Signature is: cd53b957ec552afb39cba6daed7a9abc found zombie virus, trying to execute it <?php $readelfpath='/usr/bin/readelf'; $objdumppath='/usr/bin/objdump'; $uploadpath='upload/'; $scriptpath='/var/www/'; $secret='55c4080daefb5f794c3527101882b50b'; ?> done we are safeFlag =55c4080daefb5f794c3527101882b50b.
-- zlouity
No comments:
Post a Comment