Skip to main content

Posts

Showing posts from August, 2018

Analyzing and detecting web shells

Of the various pieces of malware i’ve analyzed, I still find web shells to be the most fascinating. While this not a new topic, i've been asked by others to do a write up on web shells, so here it is ;). 
For those new to web shells, think of this type of malware as code designed to be executed by the web server - instead of writing a backdoor in C, for example, an attacker can write malicious PHP and upload the code directly to a vulnerable web server. Web shells span across many different languages and server types. Let's take a looks at some common servers and some web extensions:
Operating System Service Binary Name Extensions Windows IIS (Internet Information Services) w3wp.exe .asp/.aspx Windows/Linux apache/apache2/nginx httpd/httpd.exe/nginx .php Windows/Linux Apache Tom

Decoding the Pentester: Rev1

Recently, a friend of mine on a red team sent me a payload he uses on some red team exercises. Intrigued by this obfuscated payload, I decided to tear it apart to get the raw payload. Like all things we analyze, we could just tweak the code or extension so it would execute in a sandbox, but I like to understand how these payloads operate at each layer. So let’s dive in….

The payload sent over looks like a normal HTML page with a javascript tag, outlined below:










We have two methods to deal with this type of payload for manual analysis:
Manual reassembly of the payloadBrowser based debugging
Manual reassembly of the payload For any raw text payloads, I usually start with Sublime text (because mass cursor is awesome). To begin, we can see that the variable _0xbbba contains an array of hex blobs, each separated by a comma. To remove this layer, I first extract all the items within the array and remove all the commas and quotes  to see what the decoded payload may look like. To speed up the r…