

Added imap_open bug on definitions
marcocesarato committed Jun 13, 2019
1 parent ad98e89 commit 848eb49
Showing 3 changed files with 36 additions and 51 deletions.
2 changes: 1 addition & 1 deletion README.md
Expand Up @@ -2,7 +2,7 @@

# AMWSCAN - PHP Antimalware Scanner

**Version:** 0.5.0.66 beta
**Version:** 0.5.0.67 beta

**Github:** https://github.com/marcocesarato/PHP-Antimalware-Scanner

30 changes: 15 additions & 15 deletions dist/scanner

Large diffs are not rendered by default.

55 changes: 20 additions & 35 deletions src/Definitions.php
Expand Up @@ -23,29 +23,20 @@ class Definitions {
"eval_comment" => '/(eval|preg_replace|system|assert|passthru|(pcntl_)?exec|shell_exec|call_user_func(_array)?)\/\*[^\*]*\*\/\((?<=\().*?(?=\))\)/',
"eval_execution" => '/(eval\(\$[a-z0-9_]+\((?<=\()@?\$_(GET|POST|SERVER|COOKIE|REQUEST).*?(?=\))\)/si',
"align" => '/(\$\w+=[^;]*)*;\$\w+=@?\$\w+\((?<=\().*?(?=\))\)/si',
"b374k" => '/(\\\'|\")ev(\\\'|\")\.(\\\'|\")al(\\\'|\")\.(\\\'|\")\(\"\?>/i',
// b374k shell
"weevely3" => '/\$\w=\$[a-zA-Z]\(\'\',\$\w\);\$\w\(\);/i',
// weevely3 launcher
"c99_launcher" => '/;\$\w+\(\$\w+(,\s?\$\w+)+\);/i',
// http://bartblaze.blogspot.fr/2015/03/c99shell-not-dead.html
"too_many_chr" => '/(chr\([\d]+\)\.){8}/i',
// concatenation of more than eight `chr()`
"concat" => '/(\$[\w\[\]\\\'\"]+\\.[\n\r]*){10}/i',
// concatenation of vars array
"concat_vars_with_spaces" => '/(\$([a-zA-Z0-9]+)[\s\r\n]*\.[\s\r\n]*){6}/',
// concatenation of more than 6 words, with spaces
"concat_vars_array" => '/(\$([a-zA-Z0-9]+)(\{|\[)([0-9]+)(\}|\])[\s\r\n]*\.[\s\r\n]*){6}.*?(?=\})\}/i',
// concatenation of more than 6 words, with spaces
"b374k" => '/(\\\'|\")ev(\\\'|\")\.(\\\'|\")al(\\\'|\")\.(\\\'|\")\(\"\?>/i', // b374k shell
"weevely3" => '/\$\w=\$[a-zA-Z]\(\'\',\$\w\);\$\w\(\);/i', // weevely3 launcher
"c99_launcher" => '/;\$\w+\(\$\w+(,\s?\$\w+)+\);/i', // http://bartblaze.blogspot.fr/2015/03/c99shell-not-dead.html
"too_many_chr" => '/(chr\([\d]+\)\.){8}/i', // concatenation of more than eight `chr()`
"concat" => '/(\$[\w\[\]\\\'\"]+\\.[\n\r]*){10}/i', // concatenation of vars array
"concat_vars_with_spaces" => '/(\$([a-zA-Z0-9]+)[\s\r\n]*\.[\s\r\n]*){6}/', // concatenation of more than 6 words, with spaces
"concat_vars_array" => '/(\$([a-zA-Z0-9]+)(\{|\[)([0-9]+)(\}|\])[\s\r\n]*\.[\s\r\n]*){6}.*?(?=\})\}/i', // concatenation of more than 6 words, with spaces
"var_as_func" => '/\$_(GET|POST|COOKIE|REQUEST|SERVER)[\s\r\n]*\[[^\]]+\][\s\r\n]*\((?<=\().*?(?=\))\)/i',
"global_var_string" => '/\$\{[\s\r\n]*(\\\'|\")_(GET|POST|COOKIE|REQUEST|SERVER)(\\\'|\")[\s\r\n]*\}/i',
"extract_global" => '/extract\([\s\r\n]*\$_(GET|POST|COOKIE|REQUEST|SERVER).*?(?=\))\)/i',
"escaped_path" => '/(\\\\x[0-9abcdef]{2}[a-z0-9.-\/]{1,4}){4,}/i',
"include_icon" => '/@?include[\s\r\n]*(\([\s\r\n]*)?("|\\\')([^"\\\']*)(\.|\\\\056\\\\046\\\\2E)(\i|\\\\151|\\\\x69|\\\\105)(c|\\\\143\\\\099\\\\x63)(o|\\\\157\\\\111|\\\\x6f)(\"|\\\')((?=\))\))?/mi',
// Icon inclusion
"include_icon" => '/@?include[\s\r\n]*(\([\s\r\n]*)?("|\\\')([^"\\\']*)(\.|\\\\056\\\\046\\\\2E)(\i|\\\\151|\\\\x69|\\\\105)(c|\\\\143\\\\099\\\\x63)(o|\\\\157\\\\111|\\\\x6f)(\"|\\\')((?=\))\))?/mi', // Icon inclusion
"backdoor_code" => '/eva1fYlbakBcVSir/i',
"infected_comment" => '/\/\*[a-z0-9]{5}\*\//i',
// usually used to detect if a file is infected yet
"infected_comment" => '/\/\*[a-z0-9]{5}\*\//i', // usually used to detect if a file is infected yet
"hex_char" => '/\\\\[Xx](5[Ff])/i',
"hacked_by" => '/hacked[\s\r\n]*by/i',
"killall" => '/killall[\s\r\n]*\-9/i',
Expand All @@ -55,33 +46,25 @@ class Definitions {
"base64_inclusion" => '/@?include[\s\r\n]*(\([\s\r\n]*)?("|\\\')data\:text/plain;base64[\s\r\n]*\,[\s\r\n]*\$_GET\[[^\]]+\](\\\'|")[\s\r\n]*((?=\))\))?/si',
"clever_include" => '/@?include[\s\r\n]*(\([\s\r\n]*)?("|\\\')[\s\r\n]*[^\.]+\.(png|jpe?g|gif|bmp|ico).*?("|\\\')[\s\r\n]*((?=\))\))?/i',
"basedir_bypass" => '/curl_init[\s\r\n]*\([\s\r\n]*[\"\\\']file:\/\/.*?(?=\))\)/i',
"basedir_bypass2" => '/file\:file\:\/\//i',
// https://www.intelligentexploit.com/view-details.html?id=8719
"basedir_bypass2" => '/file\:file\:\/\//i', // https://www.intelligentexploit.com/view-details.html?id=8719
"non_printable" => '/(function|return|base64_decode).{,256}[^\\x00-\\x1F\\x7F-\\xFF]{3}/i',
"double_var" => '/\${[\s\r\n]*\${.*?}(.*)?}/i',
"double_var2" => '/\${\$[0-9a-zA-z]+}/i',
"global_save" => '/\[\s\r\n]*=[\s\r\n]*\$GLOBALS[\s\r\n]*\;[\s\r\n]*\$[\s\r\n]*\{/i',
"hex_var" => '/\$\{[\s\r\n]*(\\\'|\")\\\\x.*?(?=\})\}/i',
// check for ${"\xFF"}, IonCube use this method ${"\x
"register_function" => '/register_[a-z]+_function[\s\r\n]*\([\s\r\n]*[\\\'\"][\s\r\n]*(eval|assert|passthru|exec|include|system|shell_exec|`).*?(?=\))\)/i',
// https://github.com/nbs-system/php-malware-finder/issues/41
"hex_var" => '/\$\{[\s\r\n]*(\\\'|\")\\\\x.*?(?=\})\}/i', // check for ${"\xFF"}, IonCube use this method ${"\x
"register_function" => '/register_[a-z]+_function[\s\r\n]*\([\s\r\n]*[\\\'\"][\s\r\n]*(eval|assert|passthru|exec|include|system|shell_exec|`).*?(?=\))\)/i', // https://github.com/nbs-system/php-malware-finder/issues/41
"safemode_bypass" => '/\x00\/\.\.\/|LD_PRELOAD/i',
"ioncube_loader" => '/IonCube\_loader/i',
"nano" => '/\$[a-z0-9-_]+\[[^]]+\]\((?<=\().*?(?=\))\)/',
//https://github.com/UltimateHackers/nano
"nano" => '/\$[a-z0-9-_]+\[[^]]+\]\((?<=\().*?(?=\))\)/', //https://github.com/UltimateHackers/nano
"ninja" => '/base64_decode[^;]+getallheaders/',
"execution" => '/\b(eval|assert|passthru|exec|include|system|pcntl_exec|shell_exec|base64_decode|`|array_map|ob_start|call_user_func(_array)?)[\s\r\n]*\([\s\r\n]*(base64_decode|php:\/\/input|str_rot13|gz(inflate|uncompress)|getenv|pack|\\\\?@?\$_(GET|REQUEST|POST|COOKIE|SERVER)).*?(?=\))\)/',
// function that takes a callback as 1st parameter
"execution2" => '/\b(array_filter|array_reduce|array_walk(_recursive)?|array_walk|assert_options|uasort|uksort|usort|preg_replace_callback|iterator_apply)[\s\r\n]*\([\s\r\n]*[^,]+,[\s\r\n]*(base64_decode|php:\/\/input|str_rot13|gz(inflate|uncompress)|getenv|pack|\\\\?@?\$_(GET|REQUEST|POST|COOKIE|SERVER)).*?(?=\))\)/',
// functions that takes a callback as 2nd parameter
"execution3" => '/\b(array_(diff|intersect)_u(key|assoc)|array_udiff)[\s\r\n]*\([\s\r\n]*([^,]+[\s\r\n]*,?)+[\s\r\n]*(base64_decode|php:\/\/input|str_rot13|gz(inflate|uncompress)|getenv|pack|\\\\?@?\$_(GET|REQUEST|POST|COOKIE|SERVER))[\s\r\n]*\[[^]]+\][\s\r\n]*\)+[\s\r\n]*;/',
// functions that takes a callback as 2nd parameter
"execution" => '/\b(eval|assert|passthru|exec|include|system|pcntl_exec|shell_exec|base64_decode|`|array_map|ob_start|call_user_func(_array)?)[\s\r\n]*\([\s\r\n]*(base64_decode|php:\/\/input|str_rot13|gz(inflate|uncompress)|getenv|pack|\\\\?@?\$_(GET|REQUEST|POST|COOKIE|SERVER)).*?(?=\))\)/', // function that takes a callback as 1st parameter
"execution2" => '/\b(array_filter|array_reduce|array_walk(_recursive)?|array_walk|assert_options|uasort|uksort|usort|preg_replace_callback|iterator_apply)[\s\r\n]*\([\s\r\n]*[^,]+,[\s\r\n]*(base64_decode|php:\/\/input|str_rot13|gz(inflate|uncompress)|getenv|pack|\\\\?@?\$_(GET|REQUEST|POST|COOKIE|SERVER)).*?(?=\))\)/', // functions that takes a callback as 2nd parameter
"execution3" => '/\b(array_(diff|intersect)_u(key|assoc)|array_udiff)[\s\r\n]*\([\s\r\n]*([^,]+[\s\r\n]*,?)+[\s\r\n]*(base64_decode|php:\/\/input|str_rot13|gz(inflate|uncompress)|getenv|pack|\\\\?@?\$_(GET|REQUEST|POST|COOKIE|SERVER))[\s\r\n]*\[[^]]+\][\s\r\n]*\)+[\s\r\n]*;/',// functions that takes a callback as 2nd parameter
"shellshock" => '/\(\)[\s\r\n]*{[\s\r\n]*[a-z:][\s\r\n]*;[\s\r\n]*}[\s\r\n]*;/',
"silenced_eval" => '/@eval[\s\r\n]*\((?<=\().*?(?=\))\)/',
"silence_inclusion" => '/@(include|include_once|require|require_once)[\s\r\n]+([\s\r\n]*\()?("|\\\')([^"\\\']*)(\\\\x[0-9a-f]{2,}.*?){2,}([^"\\\']*)("|\\\')[\s\r\n]*((?=\))\))?/si',
"silence_inclusion2" => '/@(include|include_once|require|require_once)[\s\r\n]+([\s\r\n]*\()?("|\\\')([^"\\\']*)(\\[0-9]{3,}.*?){2,}([^"\\\']*)("|\\\')[\s\r\n]*((?=\))\))?/si',
"ssi_exec" => '/\<\!\-\-\#exec[\s\r\n]*cmd\=/i',
//http://www.w3.org/Jigsaw/Doc/User/SSI.html#exec
"ssi_exec" => '/\<\!\-\-\#exec[\s\r\n]*cmd\=/i', //http://www.w3.org/Jigsaw/Doc/User/SSI.html#exec
"htaccess_handler" => '/SetHandler[\s\r\n]*application\/x\-httpd\-php/i',
"htaccess_type" => '/AddType\s+application\/x-httpd-(php|cgi)/i',
"file_prepend" => '/php_value[\s\r\n]*auto_prepend_file/i',
Expand All @@ -104,6 +87,8 @@ class Definitions {
"etc_passwd" => '/(\/)*etc\/+passwd\/*/si',
"etc_shadow" => '/(\/)*etc\/+shadow\/*/si',
"explode_chr" => '/explode[\s\r\n]*\(chr[\s\r\n]*\([\s\r\n]*\(?\d{3}([\s\r\n]*-[\s\r\n]*\d{3})?[\s\r\n]*\).*?(?=\))\)/si',
"imap_open" => '/imap_open\((\\\'|\"){(\\\'|\")[\s\r\n]*\.[\s\r\n]*\$_(GET|POST|SERVER|COOKIE|REQUEST).*?(?=\))\)/si', // check https://bugs.php.net/bug.php?id=76428
"imap_open_proxy" => '/x[\s\r\n]*\-oProxyCommand[\s\r\n]*\=(.*?\|base64(\\\\t\-d)?(\|sh)?)?/si'
);

// Default functions definitions
Expand Down Expand Up @@ -3308,7 +3293,7 @@ public static function optimizeSig(&$sigs) {
usort($sigs, 'strcasecmp');
$txt = implode("\n", $sigs);

for($i = 24; $i >= 1; ($i > 4) ? $i -= 4 : -- $i) {
for($i = 24; $i >= 1; ($i > 4) ? $i -= 4 : --$i) {
$txt = preg_replace_callback('#^((?>(?:\\\\.|\\[.+?\\]|[^(\n]|\((?:\\\\.|[^)(\n])++\))(?:[*?+]\+?|\{\d+(?:,\d*)?\}[+?]?|)){' . $i . ',})[^\n]*+(?:\\n\\1(?![{?*+]).+)+#im', array(__CLASS__, 'optimizeMergePrefixes'), $txt);
}

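Review bot: The new `imap_open` signature is stricter about whitespace than the neighbouring definitions: `imap_open\(` allows nothing between the function name and the parenthesis, whereas `curl_init`, `register_function` and `explode_chr` in this same file use `[\s\r\n]*`, so a call written as `imap_open ('{' . $_GET[...` slips past it; `"imap_open" => '/imap_open[\s\r\n]*\([\s\r\n]*(\\\'|\"){(\\\'|\")[\s\r\n]*\.[\s\r\n]*\$_(GET|POST|SERVER|COOKIE|REQUEST).*?(?=\))\)/si',` brings it in line with the rest of the table. In `imap_open_proxy` the trailing group `(.*?\|base64(\\\\t\-d)?(\|sh)?)?` is optional and opens with a lazy `.*?` under the `s` modifier, so whether the pattern hits is already decided by `x[\s\r\n]*\-oProxyCommand[\s\r\n]*\=`, and the tail only changes how much text the match covers while potentially scanning to the end of the file for `|base64` before backing off; dropping it, or bounding it to one line with `[^\n]*?`, gives the same detections at lower cost. The last added line also leaves the array without a trailing comma, so the next definition added here will have to touch two lines. The array being extended begins outside the hunk.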
