Going through my reader feeds in the morning, I saw one post that stood out today. On average there are about 500 RSS feeds a day, and over time you learn to tell at a glance which things matter and which are just noise. The “interesting” post today was about a “cPanel 11.x Privilege Escalation Exploit” at Inj3ct0r ( http://1337day.com/exploits/16512 ) .
Strange, I thought. First of all, Inj3ct0r is not the first place where something like that would appear: a cPanel privilege escalation exploit, if it existed, would most probably have appeared first on exploit-db.com and/or the Full-Disclosure mailing list. Most of the time Inj3ct0r works like an aggregator, collecting exploits and papers from other security-related websites.
Let’s have a look then,
The “exploit” starts by deleting the file “fantasticodata/kanoodle_settings.php” and then creates a hidden directory named fantasticodata with a dot ‘.’ placed in front of it, i.e. “.fantasticodata”.
As you can see at line 47, there is an interesting piece of code stored in the trsm variable. The code is base64 encoded and can easily be decoded using an online decoder tool. My choice these days is http://base64decode.org/ .
Placing the code in base64decode.org, we can see the decoded version of it:
Again another base64 encoding, this time gzip compressed as well. There are many ways to uncompress and decode the data; the easiest and fastest is simply to run the PHP code in a safe environment and pipe the output to a file.
user@vm1$ php phpdecode.php > test
user@vm1$ file test
test: ASCII text, with very long lines, with CRLF, LF line terminators
So, as expected, the file is text, specifically HTML code. The results are the following:
The output is the familiar page of r57shell/c99shell.
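A static way to peel the base64/gzip layers described above without executing the dropper's PHP, as an added example that is not part of the original post; the sample blob is constructed here to mimic the layering, and the marker list is an assumption:

```python
import base64
import gzip
import re
import zlib

# Constructed sample reproducing the layering described in the post: an outer
# base64 string hides PHP that base64-decodes and gunzips a second blob. The
# innermost layer is a harmless stand-in for the recovered shell page.
INNER_HTML = b"<html><title>c99shell placeholder</title></html>"
_LAYER2 = base64.b64encode(gzip.compress(INNER_HTML)).decode()
_LAYER1_PHP = '<?php eval(gzdecode(base64_decode("%s"))); ?>' % _LAYER2
SAMPLE_TRSM = base64.b64encode(_LAYER1_PHP.encode()).decode()

# Long runs of base64-alphabet characters, optionally padded.
B64_RUN = re.compile(r"[A-Za-z0-9+/]{40,}={0,2}")
# Assumed indicator list: shell names from the post plus the usual PHP
# primitives such droppers rely on.
SHELL_MARKERS = (b"r57shell", b"c99shell", b"eval(", b"passthru", b"safe_mode")


def _try_decompress(data):
    """Try gzip, zlib and raw deflate (PHP gzdecode/gzuncompress/gzinflate)."""
    for fn in (gzip.decompress, zlib.decompress, lambda d: zlib.decompress(d, -15)):
        try:
            return fn(data)
        except (OSError, zlib.error, EOFError):
            continue
    return None


def peel_layers(blob, max_depth=10):
    """Statically unwrap nested base64(+compression) layers without running PHP.
    Returns every layer, outermost first; the last one has no decodable run left."""
    layers = [blob]
    for _ in range(max_depth):
        runs = B64_RUN.findall(layers[-1].decode("latin-1"))
        if not runs:
            break
        try:
            decoded = base64.b64decode(max(runs, key=len), validate=True)
        except ValueError:  # not actually base64 (e.g. a long hex string)
            break
        inflated = _try_decompress(decoded)
        layers.append(inflated if inflated is not None else decoded)
    return layers


def find_markers(layers):
    """Report which webshell indicators occur in any recovered layer."""
    return sorted({m.decode() for layer in layers for m in SHELL_MARKERS if m in layer.lower()})
```

Call peel_layers(SAMPLE_TRSM.encode()) to get the three layers and find_markers on the result to see which indicators were hit; the same functions take the real trsm value read from the file.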
In summary, what the exploit does is try to create a backdoor page on the server, named kanoodle_settings.php, inside a hidden directory named .fantasticodata; as for the attackers, a Google search a couple of days later will give them the required access to the system.