Showing posts from August, 2018

Analyzing and detecting web shells

Of the various pieces of malware I've analyzed, I still find web shells to be the most fascinating. While this is not a new topic, I've been asked by others to do a write-up on web shells, so here it is ;). For those new to web shells, think of this type of malware as code designed to be executed by the web server: instead of writing a backdoor in C, for example, an attacker can write malicious PHP and upload the code directly to a vulnerable web server. Web shells span many different languages and server types. Let's take a look at some common servers and their web extensions:

Operating System   Service                              Binary Name              Extensions
Windows            IIS (Internet Information Services)  w3wp.exe                 .asp/.aspx
Windows/Linux      apache/apache2/nginx                 httpd/httpd.exe/nginx    .php
Windows/Linux      Apache Tomcat*                       tomcat*.exe/tomcat*      .jsp/.jspx

Web shells 101

To better understand web shells, let's take a look at a simple eval web shell below: <?php

Decoding the Pentester: Rev1

Recently, a friend of mine on a red team sent me a payload he uses on some red team exercises. Intrigued by this obfuscated payload, I decided to tear it apart to get the raw payload. Like all things we analyze, we could just tweak the code or extension so it would execute in a sandbox, but I like to understand how these payloads operate at each layer. So let's dive in.

The payload sent over looks like a normal HTML page with a JavaScript tag, outlined below:

[Figure: Top part of the HTML file]
[Figure: Bottom part of the HTML file]

We have two methods to deal with this type of payload for manual analysis:

1. Manual reassembly of the payload
2. Browser-based debugging

Manual reassembly of the payload

For any raw text payloads, I usually start with Sublime Text (because multi-cursor editing is awesome). To begin, we can see that the variable _0xbbba contains an array of hex blobs, each separated by a comma. To remove this layer, I first extract all the items within the array and remove al