Skip to content

CCSIR/PHP-EXIF-Backdoors-generator-using-custom-shellcode

BranchesTags

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

25 Commits

pel

pel

 
 

LICENSE

LICENSE

 
 

README.md

README.md

 
 

shellcode.php

shellcode.php

 
 

Repository files navigation

PHP EXIF Backdoors generator using custom shellcode

PHPEB is a small tool that generates and stores obfuscated shellcode in user specified EXIF handlers. The backdoor is divided into two parts. The first part is a mix of the exif_read_data function to read the image headers and the preg_replace function to execute the content and the second is the real payload obfuscated in EXIF a JPG/TIFF file headers.

Both functions are harmless by themselves. Exif_read_data is commonly used to read images and preg_replace to replace the content of strings. However, preg_replace has a hidden and tricky option where if you pass the “/e” modifier it will execute the content (eval), instead of just searching/replacing.

Another interesting point is that the image that we generate still loads and works properly.

Started from Sucuri Research.

If you have any other cool ideas for obfuscating the shellcode, feel free to commit.

Note: This application has been created as a POC and it has an educational purpose only. We are not responsibles for any damage you may inflict/get using this tool.

##Usage

php phpeb.php [params]

##Params

  • -i path_to_image.jpg
  • -o path_to_backdoored_image.jpg
  • -s shellcode (optional)
  • -h EXIF headers (N/A in v1.0, Default:Make,Model)
  • -v verbose 1 or 0(optional, Default:0)
  • Default: !empty($1=@$_GET[1]) && $1($_GET[2]);

##Help

  • No need. Just download these files and upload in an environment that supports PHP. You can send any feedback or questions to contact [at] ccsir [dot] org

##License

Copyright (C) 2013 Cyber Security Research Center from Romania

This program is free software; you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version.

This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details.

You should have received a copy of the GNU General Public License along with this program; if not, see http://www.gnu.org/licenses/.

About

PHPEB is a small tool that generates and stores obfuscated shellcode in user specified EXIF handlers.

ccsir.org

Resources

Readme

License

GPL-3.0 license
Activity
Custom properties

Stars

79 stars

Watchers

10 watching

Forks

23 forks
Report repository

Releases

No releases published

Packages

No packages published

Contributors 3

  •  
  •  
  •  

Languages