Glastopf's new vulnerability emulator
22 Jul 2009 Lukas Rist glastopf parser webhoneypot
The number of attacks against the Webhoneypot depends strongly on his PHP parser. So keeping the pattern matching mechanism up to date was one of the major future works. One of my goals for the Google Summer of Code time is to improve the parser and to reduce upcoming changes in attack patterns. The old parser was very simple: collect all lines containing echo calls, look for known patterns and generate the appropriate response.
Here a simple example:
The injected file:
$un = @php_uname(); echo "uname -a: $un "; ?>
The parser:
for line in file: pattern = "uname" if re.search(pattern, line): uname = "Linux debian 2.6.8... " response = "uname -a: " + uname + " " return response
Looks very simple? But what about Uname, Kernel, UNAME or even zname (Noticed the typo? Remember, they are just kids ;) )? So another goal is to leave pattern matching behind and invest some time and sweat into a cleverer parser.
Things are getting even more complicated when echo calls occurring in functions. A simple example:
function echothis($e, $c) { echo "$e: "; echo $c; echo " "; } echothis("uname -a: ", @php_uname()); ?>
The new parser I’m using with Glastopf is able to recognize functions with echo calls and parses all calls of this function. Here is a pseudo example how this works:
if "function fu(bar)" in line: store function into functionlist for function in functionlist: if "echo" in function: echofunction = function for line in injected_file: if name_of_echofunction in line: sent the line to the echo_parser
So as you see, I’m going to rewrite the PHP parser :) Just kidding, but I will use the next days to replace the variable replacement through pattern matching with a much more generic and powerful approach. I have committed a preliminary version of the new parser into SVN, actually you can choose between the old and clumsy and the new anbrainy parser.
Last but not least I invite you all to play around, comment and rewrite my Honeypot. Most parts are already finished and functional.