From 97564364b082aace0adcf306446bdff97f539ed2 Mon Sep 17 00:00:00 2001
From: Julien (jvoisin) Voisin
Date: Wed, 24 Feb 2016 10:26:05 +0100
Subject: Even more tests for the testsuite!

---
 php-malware-finder/malwares.yara                | 21 +++++++++++----------
 php-malware-finder/samples/artificial/dodgy.php | 18 ++++++++++++++++++
 php-malware-finder/tests.sh                     | 25 ++++++++++++++++++++-----
 3 files changed, 49 insertions(+), 15 deletions(-)
 create mode 100644 php-malware-finder/samples/artificial/dodgy.php

diff --git a/php-malware-finder/malwares.yara b/php-malware-finder/malwares.yara
index 8fe7b15..bfc4d7a 100644
--- a/php-malware-finder/malwares.yara
+++ b/php-malware-finder/malwares.yara
@@ -108,14 +108,12 @@ rule DodgyPhp
         $execution = /(eval|assert|passthru|exec|system|win_shell_execute|base64_decode)\s*\(\s*(base64_decode|php:\/\/input|str_rot13|gz(inflate|uncompress)|getenv|pack|\\?\$_(GET|REQUEST|POST|COOKIE))/
         $htaccess = "SetHandler application/x-httpd-php"
         $iis_com = /IIS:\/\/localhost\/w3svc/
-        $include = /include\([^\.]+\.(png|jpg|gif|bmp)/  // Clever includes
-        $ini_get = /ini_get\(['"](safe_mode|open_basedir|disable_function|safe_mode_exec_dir|safe_mode_include_dir|register_globals)['"]\)/
-        $iniset_urlinclude = /ini_set\('allow_url_include,\ * 1'\)/
-        $pr = /(preg_replace(_callback)?|mb_ereg_replace|preg_filter)\s*\(['"]\/[^\/]*\/e['"]/  // http://php.net/manual/en/function.preg-replace.php
-        $restore_bypass = /ini_restore\(['"](safe_mode|open_basedir|disable_function|safe_mode_exec_dir|safe_mode_include_dir|register_globals)['"]\)/
+        $include = /include\s*\(\s*[^\.]+\.(png|jpg|gif|bmp)/  // Clever includes
+        $ini_get = /ini_(get|set|restore)\s*\(\s*['"](safe_mode|open_basedir|disable_function|safe_mode_exec_dir|safe_mode_include_dir|register_globals|allow_url_include)/
+        $pr = /(preg_replace(_callback)?|mb_ereg_replace|preg_filter)\s*\(\s*['"]\/[^\/]*\/e/  // http://php.net/manual/en/function.preg-replace.php
         $safemode_bypass = /\x00\/\.\.\/|LD_PRELOAD/
-        $shellshock = /putenv\(["']PHP_[^=]=\(\) { [^}] };/
-        $udp_dos = /sockopen\s*\(['"]udp:\/\//
+        $shellshock = /\(\)\s*{\s*:\s*;\s*}\s*;/
+        $udp_dos = /fsockopen\s*\(\s*['"]udp:\/\//
         $user_function = /(call_user_func|create_function)/
         $various = "<!--#exec cmd="  //http://www.w3.org/Jigsaw/Doc/User/SSI.html#exec
 
@@ -138,6 +136,7 @@ rule DangerousPhp
         $ = "fsockopen" fullword
         $ = "function_exists" fullword
         $ = "getmygid" fullword
+        $ = "shmop_open" fullword
         $ = "mb_ereg_replace_callback" fullword
         $ = "passthru" fullword
         $ = "pcntl_exec" fullword
@@ -183,10 +182,9 @@ rule DangerousPhp
 rule DodgyStrings
 {
     strings:
-        $ = ".ssh/authorized_keys"
         $ = ".bash_history"
         $ = ".mysql_history"
-        $ = /-perm -0[24]000/ // find setuid files
+        $ = ".ssh/authorized_keys"
         $ = "/(.*)/e"  // preg_replace code execution
         $ = "/../../../"
         $ = "/etc/passwd"
@@ -195,8 +193,9 @@ rule DodgyStrings
         $ = "/etc/shadow"
         $ = "/etc/syslog.conf"
         $ = "/proc/cpuinfo" fullword
-        $ = "/windows/system32/"
         $ = "/var/log/lastlog"
+        $ = "/windows/system32/"
+        $ = "LOAD DATA LOCAL INFILE" nocase
         $ = "WScript.Shell"
         $ = "WinExec"
         $ = "b374k" fullword nocase
@@ -210,6 +209,7 @@ rule DodgyStrings
         $ = "hashcrack" nocase
         $ = "id_rsa" fullword
         $ = "ipconfig" fullword nocase
+        $ = "kernel32.dll" fullword nocase
         $ = "kingdefacer" nocase
         $ = "libpcprofile"  // CVE-2010-3856 local root
         $ = "locus7s" nocase
@@ -224,6 +224,7 @@ rule DodgyStrings
         $ = "uname -a" fullword
         $ = "warez" fullword nocase
         $ = /(reverse|web)\s*shell/ nocase
+        $ = /-perm -0[24]000/ // find setuid files
         $ = /\/bin\/(ba)?sh/ fullword
         $ = /hack(ing|er)/ nocase
         $ = /xp_(execresultset|regenumkeys|cmdshell|filelist)/
diff --git a/php-malware-finder/samples/artificial/dodgy.php b/php-malware-finder/samples/artificial/dodgy.php
new file mode 100644
index 0000000..1c85f39
--- /dev/null
+++ b/php-malware-finder/samples/artificial/dodgy.php
@@ -0,0 +1,18 @@
+<?php
+
+curl_init  ( "file:///etc/parla");
+curl_setopt($ch, CURLOPT_URL, "file:file:////etc/passwd");
+set_magic_quotes_runtime ( 0);
+eval(base64_decode($_GET['lol']));
+$a= "SetHandler application/x-httpd-php";
+$b = "IIS://localhost/w3svc";
+include  ( 'lol.png');
+ini_get (  'disable_function');
+ini_set("disable_function", "");
+ini_restore("allow_url_include");
+preg_replace ("/*/e");
+$c = "env x='() { :;}; echo vulnerable' bash -c 'echo this is a test'";
+fsockopen (  'udp://');
+call_user_func('LOL');
+$d = "<!--#exec cmd=";
+
diff --git a/php-malware-finder/tests.sh b/php-malware-finder/tests.sh
index b73184a..a0885fd 100755
--- a/php-malware-finder/tests.sh
+++ b/php-malware-finder/tests.sh
@@ -27,9 +27,9 @@ run_test classic/ajaxshell.php 'DodgyStrings'
 run_test classic/ajaxshell.php 'Websites'
 run_test classic/ajaxshell.php '0x23e2:$: shell_exec'
 run_test classic/ajaxshell.php '0x2380:$eval: {\\x0A\\x09\\x09\\x09\\x09\\x09system('
-run_test classic/ajaxshell.php "0x16e0:\$ini_get: ini_get('safe_mode')"
-run_test classic/ajaxshell.php "0x17f1:\$ini_get: ini_get('open_basedir')"
-run_test classic/angel.php '0x1d:\$disable_magic_quotes: set_magic_quotes_runtime(0)'
+run_test classic/ajaxshell.php "0x16e0:\$ini_get: ini_get('safe_mode"
+run_test classic/ajaxshell.php "0x17f1:\$ini_get: ini_get('open_basedir"
+run_test classic/angel.php '0x1d:$disable_magic_quotes:'
 run_test classic/b374k.php 'ObfuscatedPhp'
 run_test classic/b374k.php "0xe9:\$b374k: 'ev'.'al'"
 run_test classic/b374k.php '0xb3:$align: $func="cr"."eat"."e_fun"."cti"."on";$b374k=$func('
@@ -38,7 +38,7 @@ run_test classic/b374k.php '0x43:$: github.com/b374k/b374k'
 run_test classic/sosyete.php '0x1a0a:$execution: exec($_POST'
 run_test classic/simattacker.php '0x16e:$: fpassthru'
 run_test classic/r57.php '0x149da:$: xp_cmdshell'
-run_test classic/cyb3rsh3ll.php '0x164d:$udp_dos: sockopen("udp://'
+run_test classic/cyb3rsh3ll.php '0x23323:$udp_dos: fsockopen("udp://'
 run_test classic/c99.php '0x3d56:$eval: {exec('
 run_test classic/c100.php '0x4f8d:$eval: {eval('
 
@@ -46,7 +46,7 @@ run_test classic/c100.php '0x4f8d:$eval: {eval('
 run_test obfuscators/cipher_design.php '0x124:$execution: eval(base64_decode'
 run_test obfuscators/cipher_design.php '0x123:$eval: ;eval('
 run_test obfuscators/online_php_obfuscator.php '0x51:$eval: ;preg_replace('
-run_test obfuscators/online_php_obfuscator.php "0x52:\$pr: preg_replace('/.*/e'"
+run_test obfuscators/online_php_obfuscator.php "0x52:\$pr: preg_replace('/.*/e"
 run_test obfuscators/online_php_obfuscator.php "SuspiciousEncoding"
 run_test obfuscators/phpencode.php "ObfuscatedPhp"
 run_test obfuscators/phpencode.php "DodgyPhp"
@@ -58,6 +58,21 @@ run_test artificial/obfuscated.php '0xd1:$align: ;$b374k=$func('
 run_test artificial/obfuscated.php '0xf0:$weevely3:'
 run_test artificial/obfuscated.php '0x103:$c99_launcher:'
 run_test artificial/obfuscated.php '0x117:$variable_variable:'
+run_test artificial/dodgy.php '$basedir_bypass:'
+run_test artificial/dodgy.php '$basedir_bypass2:'
+run_test artificial/dodgy.php '$disable_magic_quotes:'
+run_test artificial/dodgy.php '$execution: eval(base64_decode'
+run_test artificial/dodgy.php '$execution: base64_decode($_GET'
+run_test artificial/dodgy.php '$htaccess:'
+run_test artificial/dodgy.php '0xd7:$iis_com: IIS://localhost/w3svc'
+run_test artificial/dodgy.php "0xef:\$include: include  ( 'lol.png"
+run_test artificial/dodgy.php "0x106:\$ini_get: ini_get (  'disable_function"
+run_test artificial/dodgy.php '0x126:$ini_get: ini_set("disable_function'
+run_test artificial/dodgy.php '0x147:$ini_get: ini_restore("allow_url_include'
+run_test artificial/dodgy.php '0x18d:$shellshock: () { :;};'
+run_test artificial/dodgy.php '0x169:$pr: preg_replace ("/\*/e'
+run_test artificial/dodgy.php '0x1e0:$user_function: call_user_func'
+run_test artificial/dodgy.php '0x1fd:$various: <!--#exec cmd='
 
 
 echo "[+] Congratz, the $CPT tests succeeded!"
-- 
cgit v1.3