Web Shell | b374k 3.2.3 | shell packer 0.4.2

Several versions of b374 web shells can be found on internet. The full version of b374k web shell is around 219 KB. It contains the original source codes which clearly show the modules that will be loaded in this shell and also the algorithm that is used to validate the password.

The source codes indicate the password is hashed with MD5 algorithm and then hashed again with SHA1 algorithm.

The hashed result (checksum) is stored in the $GLOBAL[‘pass’] variable. As a consequence, in order to crack the password, the checksum needs to be cracked twice which is time-consuming.

To prevent codes from easily being understood by security analysts, the b374k author released a packer which can encode the majority of source codes. An example is shown as below.

The encoded codes only clearly show the checksum of the password. The rest of codes are encoded.

The packer allows attackers to use base64 algorithm to encode the source codes and then choose a compression algorithm, including gzdeflate, gzencode and gzcompress, and level to compress the encoded result. The compression will not only make the shell much smaller but also makes it harder to be detected.

The following is an example. This command will tell the packer to use base64 algorithm to encode the source codes and then use gzcompress algorithm (level 9) to compress the encoded codes. The result will be saved in the output.php file. The login password is “password” (without quotes). The output.php is around 109 KB which is approximately half size of the full version.

php -f index.php — -o output.php -p password -s -b -z gzcompress -c 9

The packer will also create a output.php.zip to store output.php. The zip file is around 83 KB.

The packer also allows attackers to choose a theme for the shell. Currently, the available themes are bluebook, bright, bterm, darkblue, default and garuda.

By default, when the packer encodes the codes, it includes all of the modules, which are “convert”, “database”, “info”, “mail”, “network” and “processes”. If attackers want to make the shell even smaller, they can choose which modules to be included in the shell.

Nevertheless, if we check the encoded codes closely, they still provide us enough information to decode them. For instance, the following codes show us which compression algorithm was used to decompress the shell.

$b374k=$func(‘$x’,’ ev’.’al’.’(“?>”. gz’.’un’.’com’.’pre’.’ss( ba’.’se’.’64'.’_de’.’co’.’de($x)));’)

The decompression function name is separated to avoid the detection. If we read it manually, we can see the codes can be decoded by base64_decode function and then decompressed by the gzuncompress function. Following this path, the majority of codes can be decoded to reveal the actual functions of the shell.

Originally published at https://www.tumblr.com on November 14, 2015.

Spear and Shield