Stars: 306
Language: Python
License: MIT License
Created over 8 years ago, updated over 1 year ago


Repository Details

Security-related PHP7 OPcache abuse tools and demo

PHP OPcache Override

This project contains the demo website and the tools presented in the following blog posts:

010 Editor Template

These templates parse OPcache files generated on 32-bit and 64-bit platforms.

  • Download 010 Editor
  • Templates -> Open Template... and select OPCACHE_x86.bt (32-bit) or OPCACHE_x86_64.bt (64-bit)
  • Open your OPcache file
  • Press F5 to run the template

Python System ID Scraper

This tool computes the system_id from a phpinfo() page; pass either a saved file or a URL. The system_id is the name of the per-build directory under the OPcache file cache folder, so it tells you where a given installation stores, and reads back, its cache files.

$ ./system_id_scraper.py info.html
PHP version : 7.0.4-7ubuntu2
Zend Extension ID : API320151012,NTS
Zend Bin ID : BIN_SIZEOF_CHAR48888
Assuming x86_64 architecture
------------
System ID : 81d80d78c6ef96b89afaadc7ffc5d7ea
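As an added example (not the repository's own system_id_scraper.py), the script below shows where the three values printed above come from and how they combine into the system_id. It follows accel_gen_system_id() as found in PHP 7.0's ext/opcache/ZendAccelerator.c, which is an assumption taken from that source rather than something this README states: md5 over PHP_VERSION, ZEND_EXTENSION_BUILD_ID and ZEND_BIN_ID concatenated ("-dev" builds also mix in __DATE__/__TIME__, and PHP 7.4 and later hash more inputs). The Bin ID is not printed by phpinfo(), so it is rebuilt from the architecture; the x86 value is assumed from the macro layout. The phpinfo() fragment is constructed, with the values of the sample run above, and only the HTML form of phpinfo() is parsed.

```python
#!/usr/bin/env python3
"""Recompute a PHP 7.0 OPcache system_id from saved phpinfo() HTML.

Added example, not the repository's system_id_scraper.py. Assumed algorithm
(accel_gen_system_id() in PHP 7.0's ext/opcache/ZendAccelerator.c):

    system_id = md5(PHP_VERSION . ZEND_EXTENSION_BUILD_ID . ZEND_BIN_ID)

ZEND_BIN_ID is "BIN_" SIZEOF_CHAR SIZEOF_INT SIZEOF_LONG SIZEOF_SIZE_T
SIZEOF_ZEND_LONG ZEND_MM_ALIGNMENT; SIZEOF_CHAR is not a defined macro, so it is
stringified literally, which is why the ID reads BIN_SIZEOF_CHAR48888 on x86_64.
"""
import hashlib
import re
import sys

BIN_IDS = {
    "x86_64": "BIN_SIZEOF_CHAR48888",
    "x86": "BIN_SIZEOF_CHAR44448",  # assumed: 4-byte int/long/size_t/zend_long, 8-byte alignment
}

# Constructed phpinfo() fragment; the values are those of the README's sample run.
SAMPLE_PHPINFO = """
<h1 class="p">PHP Version 7.0.4-7ubuntu2</h1>
<table>
<tr><td class="e">System </td><td class="v">Linux web 4.4.0-21-generic #37-Ubuntu SMP x86_64 </td></tr>
<tr><td class="e">Zend Extension Build </td><td class="v">API320151012,NTS </td></tr>
<tr><td class="e">PHP Extension Build </td><td class="v">API20151012,NTS </td></tr>
</table>
"""


def phpinfo_row(html, label):
    """Value cell of the phpinfo() table row whose label cell is `label`, or None."""
    pattern = (r'<td class="e">\s*' + re.escape(label) +
               r'\s*</td>\s*<td class="v">\s*(.*?)\s*</td>')
    m = re.search(pattern, html, re.S)
    return m.group(1).strip() if m else None


def detect_arch(html, default="x86_64"):
    """Use the "Architecture" row if present, else the uname text of the "System" row."""
    hint = " ".join(filter(None, (phpinfo_row(html, "Architecture"), phpinfo_row(html, "System"))))
    if "x86_64" in hint:
        return "x86_64"
    if re.search(r"\bi[3-6]86\b", hint):
        return "x86"
    return default


def parse_phpinfo(html):
    """Return (PHP version, Zend extension build ID, architecture)."""
    m = re.search(r"PHP Version\s*([\w.+~-]+)", html)
    version = m.group(1) if m else None
    build_id = phpinfo_row(html, "Zend Extension Build")
    return version, build_id, detect_arch(html)


def system_id(version, build_id, bin_id):
    """md5 over the three concatenated build identifiers, as lowercase hex."""
    return hashlib.md5((version + build_id + bin_id).encode("ascii")).hexdigest()


def system_id_from_phpinfo(html):
    version, build_id, arch = parse_phpinfo(html)
    if version is None or build_id is None:
        raise ValueError("phpinfo() output lacks the PHP version or the Zend Extension Build row")
    bin_id = BIN_IDS[arch]
    return version, build_id, bin_id, system_id(version, build_id, bin_id)


if __name__ == "__main__":
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8", errors="replace") as fh:
            html = fh.read()
    else:
        html = SAMPLE_PHPINFO
    version, build_id, bin_id, sid = system_id_from_phpinfo(html)
    print("PHP version       :", version)
    print("Zend Extension ID :", build_id)
    print("Zend Bin ID       :", bin_id)
    print("System ID         :", sid)
```

Run it with a saved phpinfo() page as the only argument, or with no argument to use the embedded fragment. The practical point is that everything hashed is build metadata an attacker can read from an exposed phpinfo() page, so the cache directory name is predictable, not secret.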

OPcache Disassembler

This tool disassembles an OPcache file.

The output can be a syntax tree (-t) or pseudocode (-c), for cache files from both 32-bit and 64-bit platforms. Pass a display option, the architecture of the system that produced the file, and the OPcache file.

$ ./opcache_disassembler.py -c -a64 malware.php.bin

#0 $280 = FETCH_IS('_GET', None);
#1 ~0 = ISSET_ISEMPTY_DIM_OBJ($280, 'test');
#2 JMPZ(~408, ->5);
#3 ECHO('success', None);
...

OPcache Malware Hunter

This tool detects tampered OPcache files. It compiles its own copy of the cached scripts from their PHP source, compares each freshly compiled file with the one currently in the cache folder, and reports any difference. It must be run on the same system that originally compiled the cache files (same PHP build, same architecture, same php.ini), because the compiled bytecode depends on the PHP build and its opcache settings, and the system_id depends on the PHP build.

OPcache Malware Hunter requires four parameters:

  • The location of the cache folder
  • The architecture of the system (32 or 64 bit)
  • The system_id
  • The php.ini file used

When a potentially infected cache file is found, OPcache Malware Hunter writes an HTML report to the filesystem showing the differences between the source code and the infected cache file.

$ ./opcache_malware_hunt.py /tmp/cache -a64 2d3b19863f4c71f9a3adda4c957752e2 /etc/php/7.0/cli/php.ini
Parsing /tmp/cache/2d3b19863f4c71f9a3adda4c957752e2/home/vagrant/wordpress/payload.php.bin
Parsing hunt_opcache/2d3b19863f4c71f9a3adda4c957752e2/home/vagrant/wordpress/payload.php.bin
Parsing /tmp/cache/2d3b19863f4c71f9a3adda4c957752e2/home/vagrant/wordpress/wp-config.php.bin
Parsing hunt_opcache/2d3b19863f4c71f9a3adda4c957752e2/home/vagrant/wordpress/wp-config.php.bin
Parsing /tmp/cache/2d3b19863f4c71f9a3adda4c957752e2/home/vagrant/wordpress/wp-load.php.bin
...
Parsing /tmp/cache/2d3b19863f4c71f9a3adda4c957752e2/home/vagrant/wordpress/index.php.bin
Parsing hunt_opcache/2d3b19863f4c71f9a3adda4c957752e2/home/vagrant/wordpress/index.php.bin
Parsing /tmp/cache/2d3b19863f4c71f9a3adda4c957752e2/home/vagrant/wordpress/wp-includes/pomo/translations.php.bin
Parsing hunt_opcache/2d3b19863f4c71f9a3adda4c957752e2/home/vagrant/wordpress/wp-includes/pomo/translations.php.bin
Potentially infected files :
 - /tmp/cache/2d3b19863f4c71f9a3adda4c957752e2/home/vagrant/wordpress/index.php.bin

[Screenshot: main page of the generated report]

[Screenshot: a typical report page showing the diff]
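The hunter works by recompiling and diffing. As an added example (not part of this repository), the script below does the cheaper complementary check a responder can run first: it verifies the header fields that PHP itself tests when loading a file-cache .bin, which any forged or patched file must also satisfy. The header layout (magic, system_id, mem_size, str_size, script_offset, timestamp, checksum) is zend_file_cache_metainfo from PHP 7's ext/opcache/zend_file_cache.c; the on-disk header sizes (60 bytes on 32-bit, 76 bytes padded to 80 on 64-bit), the checksum being Adler-32 over the mem_size + str_size bytes after the header (enforced when opcache.file_cache_consistency_checks is on), and the timestamp equalling the source file's mtime (when opcache.validate_timestamps is on) are taken from that source and are assumptions here, not facts this README states. The directory layout it walks, <cache folder>/<system_id>/<original absolute path>.bin, is the one visible in the hunter's output above. The sample .bin files are constructed in code.

```python
#!/usr/bin/env python3
"""Check OPcache file-cache .bin files against the tests PHP applies on load.

Added example, not the repository's opcache_malware_hunt.py. Header layout is
zend_file_cache_metainfo (PHP 7, ext/opcache/zend_file_cache.c); the sizes,
the Adler-32 coverage and the mtime rule are assumptions taken from that source.
"""
import os
import struct
import zlib

MAGIC = b"OPCACHE\x00"
HEADER_FORMATS = {
    32: ("<8s32sIIIiI", 60),  # 4-byte size_t/time_t, no tail padding
    64: ("<8s32sQQQqI", 80),  # 76 bytes of fields, padded to 8-byte alignment
}


def parse_header(blob, arch):
    fmt, size = HEADER_FORMATS[arch]
    if len(blob) < size:
        raise ValueError("shorter than a %d-bit OPcache header" % arch)
    magic, sid, mem, strs, off, ts, crc = struct.unpack_from(fmt, blob, 0)
    return {"magic": magic, "system_id": sid.decode("ascii", "replace"),
            "mem_size": mem, "str_size": strs, "script_offset": off,
            "timestamp": ts, "checksum": crc, "header_size": size}


def check_cache_file(blob, arch, expected_system_id, source_mtime=None):
    """Return the list of load-time checks the file fails (empty list = passes)."""
    hdr = parse_header(blob, arch)
    problems = []
    if hdr["magic"] != MAGIC:
        problems.append("bad magic %r" % hdr["magic"])
    if hdr["system_id"] != expected_system_id:
        problems.append("system_id %s != %s" % (hdr["system_id"], expected_system_id))
    start, length = hdr["header_size"], hdr["mem_size"] + hdr["str_size"]
    payload = blob[start:start + length]
    if len(payload) != length:
        problems.append("payload truncated: need %d bytes" % length)
    else:
        actual = zlib.adler32(payload) & 0xFFFFFFFF  # ADLER32_INIT is 1, zlib's default
        if actual != hdr["checksum"]:
            problems.append("checksum mismatch: stored %08x, computed %08x" % (hdr["checksum"], actual))
    if source_mtime is not None and hdr["timestamp"] != int(source_mtime):
        problems.append("timestamp %d != source mtime %d" % (hdr["timestamp"], int(source_mtime)))
    return problems


def build_cache_file(system_id, payload, timestamp, arch=64, checksum=None):
    """Constructed fixture: a well-formed header around an opaque payload."""
    fmt, size = HEADER_FORMATS[arch]
    if checksum is None:
        checksum = zlib.adler32(payload) & 0xFFFFFFFF
    header = struct.pack(fmt, MAGIC, system_id.encode("ascii"), len(payload), 0, 0, timestamp, checksum)
    return header.ljust(size, b"\x00") + payload


def scan_cache_dir(root, arch=64):
    """Walk <root>/<system_id>/<original absolute path>.bin and check every file."""
    findings = {}
    for sid in sorted(os.listdir(root)):
        sid_dir = os.path.join(root, sid)
        if not os.path.isdir(sid_dir):
            continue
        for dirpath, _, files in os.walk(sid_dir):
            for name in files:
                if not name.endswith(".bin"):
                    continue
                cache_path = os.path.join(dirpath, name)
                # Everything after <system_id>, minus ".bin", is the compiled script's path.
                source = "/" + os.path.relpath(cache_path, sid_dir)[:-4]
                mtime = int(os.stat(source).st_mtime) if os.path.isfile(source) else None
                with open(cache_path, "rb") as fh:
                    problems = check_cache_file(fh.read(), arch, sid, mtime)
                if problems:
                    findings[cache_path] = problems
    return findings


if __name__ == "__main__":
    import sys
    root = sys.argv[1] if len(sys.argv) > 1 else "/tmp/cache"
    arch = int(sys.argv[2]) if len(sys.argv) > 2 else 64
    for path, problems in scan_cache_dir(root, arch).items():
        print(path)
        for p in problems:
            print("  -", p)
```

Usage: `./opcache_header_check.py /tmp/cache 64`. A clean result only means the file would be accepted by PHP; a competent implant fixes the checksum and copies the timestamp, so this pass narrows the set of files to feed to the hunter rather than replacing it.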

Demo

To set up the demo, run the following two commands:

sudo ./setup.sh
php -S 127.0.0.1:8080 -c php.ini

Note that on some Linux distributions the opcache extension is built as a shared object rather than into the PHP binary and must be loaded explicitly. Add the following line under the [PHP] section of the php.ini passed to the server:

zend_extension=opcache.so

Dockerized setup

The analysis tools were written against the construct 2.8 Python API, which construct 2.9 broke, so I created a Docker container that runs this project with construct 2.8. To use it:

docker build -t opcache_analysis .
docker run -it --rm opcache_analysis sh

Then, inside the container's BusyBox shell, run the tools as usual, for example:

python ./analysis_tools/opcache_disassembler.py -c -a64 index.php.bin

More Repositories

Other repositories from the same owner (GoSecure):

  • pyrdp (Python): RDP monster-in-the-middle (MITM) and library for Python, with the ability to watch connections live or after the fact
  • malboxes (Python): Builds malware analysis Windows VMs so that you don't have to.
  • dtd-finder (Kotlin): List DTDs and generate XXE payloads using those local DTDs.
  • WSuspicious (C#): A tool to abuse insecure WSUS connections for privilege escalation
  • pywsus (Python): Standalone implementation of a part of the WSUS spec. Built for offensive security purposes.
  • csp-auditor (Java): Burp and ZAP plugin to analyse Content-Security-Policy headers or generate a template CSP configuration from crawling a website
  • DLLPasswordFilterImplant (C): DLL password filter implant with exfiltration capabilities
  • template-injection-workshop (CSS): Workshop on template injection (6 exercises) covering the Twig, Jinja2, Tornado, Velocity and FreeMarker engines.
  • xxe-workshop (JavaScript): Workshop given at Hack in Paris 2019
  • ldap-scanner (Python): Checks for signing requirements over LDAP
  • frida-xamarin-unpin (C#): A Frida script to bypass Xamarin certificate pinning implementations
  • advanced-binary-analysis (HTML): Materials for the Binary Analysis Workshop presented at NorthSec 2020
  • break-fast-serial (Python): A proof of concept that demonstrates asynchronous scanning for Java deserialization bugs
  • security-cheat-sheet (HTML): Minimalist cheat sheet for developers to write secure code
  • xfsc (C): eXtensions for Financial Services (XFS) proof-of-concept client to explore and issue commands directly to the devices that support the protocol. Force ATMs to dispense cash if you have code execution on them.
  • gophish-cli (Python): Gophish Python CLI to run large phishing campaigns
  • linkedin-osint (Python): A simple proof of concept that demonstrates how e-mail addresses can easily be tied to LinkedIn profiles
  • presentations (HTML): Material from presentations given by GoSecure researchers
  • burp-ntlm-challenge-decoder (Kotlin): Burp extension to decode NTLM SSP headers and extract domain/host information
  • request-smuggling-workshop (Python)
  • Cisco2Checkpoint (Python): Tool that assists in migrating firewall rules from Cisco to Check Point. Optimizes rules for you (rationalization, reuse merging, etc.).
  • unicode-pentester-cheatsheet (HTML): An easy-to-navigate list of Unicode characters that have risky transformations
  • zap-autodecode-view (Kotlin): ZAP plugin demonstrating a custom view for WebSocket messages.
  • goinsecure-deserialization (Java): Accompanying material needed for the workshop
  • LansweeperPasswordRecovery (C#): Lansweeper password recovery tool
  • malware-ioc (YARA): Indicators of Compromise (IOCs) for malware we have researched
  • 44con-code-review-workshop: References, tools and sample payloads
  • hackfest-deserialization-workshop
  • jenkins-fsb (Shell): Jenkins instance with preconfigured jobs to analyze Java binaries using Find Security Bugs.
  • orange-code-widget (Python): Widget for Orange to visualize code samples
  • request-smuggling-nsec-demo (PHP)
  • burp-fuzzy-encoding-generator (Kotlin): Quickly test various encodings for a given value in Burp Intruder
  • malware_investigation_template (Shell): Because .idb files should be version controlled.
  • fq-pyrdp (Go): fq format for parsing PyRDP replays
  • owasp-workshop-zap (HTML): Hands-on workshop on ZAP extension development
  • caplets (JavaScript): Fork of caplets with an RDP proxy caplet
  • confoo-xss-bypass-demos: Demonstration for the presentation "Modern XSS"
  • java-hostname-verification-poc (Java)
  • missing-security-controls (HTML)
  • notebooks (Jupyter Notebook): Cybersecurity research Jupyter notebooks for the community
  • gosecure.github.io (HTML)