From 47d86bf92eb15fe65dd4efbc04d0004856e88ddd Mon Sep 17 00:00:00 2001
From: Julien (jvoisin) Voisin
Date: Fri, 26 Feb 2016 12:13:16 +0100
Subject: Fix a really cool bypass

---
 php-malware-finder/malwares.yara                   | 4 ++--
 php-malware-finder/samples/artificial/bypasses.php | 5 +++++
 php-malware-finder/tests.sh                        | 2 ++
 3 files changed, 9 insertions(+), 2 deletions(-)
 create mode 100644 php-malware-finder/samples/artificial/bypasses.php

diff --git a/php-malware-finder/malwares.yara b/php-malware-finder/malwares.yara
index 5c3cc1e..4e7edea 100644
--- a/php-malware-finder/malwares.yara
+++ b/php-malware-finder/malwares.yara
@@ -57,7 +57,7 @@ private rule CloudFlareBypass
 rule ObfuscatedPhp
 {
     strings:
-        $eval = /(<\?php|[;{}])\s*@?(eval|preg_replace|system|exec|assert|passthru|win_shell_execute)\s*\(/ nocase  // ;eval( <- this is dodgy
+        $eval = /(<\?php|[;{}])\s*@?(eval|preg_replace|system|exec|assert|passthru|win_shell_execute|call_user_func(_array)?)\s*\(/ nocase  // ;eval( <- this is dodgy
         $b374k = "'ev'.'al'"
         $align = /(\$\w+=[^;]*)*;\$\w+=@?\$\w+\(/  //b374k
         $weevely3 = /\$\w=\$[a-zA-Z]\('',\$\w\);\$\w\(\);/  // weevely3 launcher
@@ -109,7 +109,7 @@ rule DodgyPhp
         $basedir_bypass = /curl_init\s*\(\s*["']file:\/\//
         $basedir_bypass2 = "file:file:///" // https://www.intelligentexploit.com/view-details.html?id=8719
         $disable_magic_quotes = /set_magic_quotes_runtime\s*\(\s*0/
-        $execution = /(eval|assert|passthru|exec|include|system|win_shell_execute|base64_decode)\s*\(\s*(base64_decode|php:\/\/input|str_rot13|gz(inflate|uncompress)|getenv|pack|\\?\$_(GET|REQUEST|POST|COOKIE))/ nocase
+        $execution = /(eval|assert|passthru|exec|include|system|win_shell_execute|base64_decode|call_user_func(_array)?)\s*\(\s*(base64_decode|php:\/\/input|str_rot13|gz(inflate|uncompress)|getenv|pack|\\?\$_(GET|REQUEST|POST|COOKIE))/ nocase
         $htaccess = "SetHandler application/x-httpd-php"
         $iis_com = /IIS:\/\/localhost\/w3svc/
         $include = /include\s*\(\s*[^\.]+\.(png|jpg|gif|bmp)/  // Clever includes
diff --git a/php-malware-finder/samples/artificial/bypasses.php b/php-malware-finder/samples/artificial/bypasses.php
new file mode 100644
index 0000000..fc1c447
--- /dev/null
+++ b/php-malware-finder/samples/artificial/bypasses.php
@@ -0,0 +1,5 @@
+<?php 
+
+// https://rstforums.com/forum/topic/98500-php-malware-finder/?do=findComment&comment=615687
+print_r(call_user_func_array($_POST['functie'], array($_POST['argv'])));
+
diff --git a/php-malware-finder/tests.sh b/php-malware-finder/tests.sh
index a0885fd..93319a0 100755
--- a/php-malware-finder/tests.sh
+++ b/php-malware-finder/tests.sh
@@ -74,5 +74,7 @@ run_test artificial/dodgy.php '0x169:$pr: preg_replace ("/\*/e'
 run_test artificial/dodgy.php '0x1e0:$user_function: call_user_func'
 run_test artificial/dodgy.php '0x1fd:$various: <!--#exec cmd='
 
+run_test artificial/bypasses.php 'DodgyPhp'
+run_test artificial/bypasses.php '0x6d:$execution: call_user_func_array($_POST'
 
 echo "[+] Congratz, the $CPT tests succeeded!"
-- 
cgit v1.3