Comments (7)
Hi all,
I'm re-pasting my message here again. :)
(from: #72)
The problem is in the file: vendor/marcocesarato/amwscan/src/Deobfuscator.php
The following "calc" function is defined in mentioned file:
private function calc($expr)
{
if (is_array($expr)) {
$expr = $expr[0];
}
preg_match('~(min|max)?\(([^\)]+)\)~mi', $expr, $exprArr);
if (!empty($exprArr[1]) && ($exprArr[1] === 'min' || $exprArr[1] === 'max')) {
return $exprArr[1](explode(',', $exprArr[2]));
}
preg_match_all('~([\d\.]+)([\*\/\-\+])?~', $expr, $exprArr);
if (!empty($exprArr[1]) && !empty($exprArr[2])) {
if (in_array('*', $exprArr[2], true)) {
$pos = array_search('*', $exprArr[2], true);
$res = @$exprArr[1][$pos] * @$exprArr[1][$pos + 1];
$expr = str_replace(@$exprArr[1][$pos] . '*' . @$exprArr[1][$pos + 1], $res, $expr);
$expr = $this->calc($expr);
} elseif (in_array('/', $exprArr[2], true)) {
$pos = array_search('/', $exprArr[2], true);
$res = $exprArr[1][$pos] / $exprArr[1][$pos + 1];
$expr = str_replace($exprArr[1][$pos] . '/' . $exprArr[1][$pos + 1], $res, $expr);
$expr = $this->calc($expr);
} elseif (in_array('-', $exprArr[2], true)) {
$pos = array_search('-', $exprArr[2], true);
$res = $exprArr[1][$pos] - $exprArr[1][$pos + 1];
$expr = str_replace($exprArr[1][$pos] . '-' . $exprArr[1][$pos + 1], $res, $expr);
$expr = $this->calc($expr);
} elseif (in_array('+', $exprArr[2], true)) {
$pos = array_search('+', $exprArr[2], true);
$res = $exprArr[1][$pos] + $exprArr[1][$pos + 1];
$expr = str_replace($exprArr[1][$pos] . '+' . $exprArr[1][$pos + 1], $res, $expr);
$expr = $this->calc($expr);
} else {
return $expr;
}
}
return $expr;
As you can see, this is a recursive function that - for some reason - has an erroneous stop condition for the file you indicated and goes into very, very deep levels of recursion (in my case, about ~281000 - until the memory on the stack is exhausted).
I haven't had time to disarm this function and analyze the stop condition, but it seems that a simple and sufficient workaround is to add an additional guard in the form:
if($level>100000) return "";
This will interrupt further nesting if it goes too far :)
So, all the correct function code will therefore look as follows:
private function calc($expr, $level = 0)
{
if($level>100000) return "";
if (is_array($expr)) {
$expr = $expr[0];
}
preg_match('~(min|max)?\(([^\)]+)\)~mi', $expr, $exprArr);
if (!empty($exprArr[1]) && ($exprArr[1] === 'min' || $exprArr[1] === 'max')) {
return $exprArr[1](explode(',', $exprArr[2]));
}
preg_match_all('~([\d\.]+)([\*\/\-\+])?~', $expr, $exprArr);
if (!empty($exprArr[1]) && !empty($exprArr[2])) {
if (in_array('*', $exprArr[2], true)) {
$pos = array_search('*', $exprArr[2], true);
$res = @$exprArr[1][$pos] * @$exprArr[1][$pos + 1];
$expr = str_replace(@$exprArr[1][$pos] . '*' . @$exprArr[1][$pos + 1], $res, $expr);
$expr = $this->calc($expr, $level+1);
} elseif (in_array('/', $exprArr[2], true)) {
$pos = array_search('/', $exprArr[2], true);
$res = $exprArr[1][$pos] / $exprArr[1][$pos + 1];
$expr = str_replace($exprArr[1][$pos] . '/' . $exprArr[1][$pos + 1], $res, $expr);
$expr = $this->calc($expr, $level+1);
} elseif (in_array('-', $exprArr[2], true)) {
$pos = array_search('-', $exprArr[2], true);
$res = $exprArr[1][$pos] - $exprArr[1][$pos + 1];
$expr = str_replace($exprArr[1][$pos] . '-' . $exprArr[1][$pos + 1], $res, $expr);
$expr = $this->calc($expr,$level+1);
} elseif (in_array('+', $exprArr[2], true)) {
$pos = array_search('+', $exprArr[2], true);
$res = $exprArr[1][$pos] + $exprArr[1][$pos + 1];
$expr = str_replace($exprArr[1][$pos] . '+' . $exprArr[1][$pos + 1], $res, $expr);
$expr = $this->calc($expr,$level+1);
} else {
return $expr;
}
}
return $expr;
}
This is completely sufficient (at least for my needs).
I sincerely greet you and warm hugs for the file that helped me to solve this problem,
~WB
from php-antimalware-scanner.
@killmasta93 thank you for your report! could you please provide more details? does it crash due to the max memory limit?
from php-antimalware-scanner.
hi @esurov thanks for the reply, nope i just run it but after a while it crashes when you say memory limit do you mean of the VM?
from php-antimalware-scanner.
Hi @killmasta93 Does it produce any output upon the crash? With the memory limit I mean the PHP setting in your php.ini. You might want to change it to something like this:
memory_limit = 2G
from php-antimalware-scanner.
HI @esurov Thank you for the reply im attaching picture, it starts running then after checksum it start
i was checking logs didnt find anything with issue on memory limit as for the php.ini do you mean on the host or the docker container?
Thank you
im attaching the logs that shows
2023-10-02 21:55:31] [INFO] Scan date: 2023-10-02 21:55:31
[2023-10-02 21:55:31] [INFO] Scanning /root/PHP-Antimalware-Scanner/dist
[2023-10-02 21:55:31] [INFO] Mapping and retrieving checksums, please wait
[2023-10-02 21:55:31] [INFO] Verifying files checksum
[2023-10-02 21:55:31] [INFO] Found 0 files to check
[2023-10-02 21:55:31] [INFO] Checking files
[2023-10-02 21:55:31] [SUCCESS] Scan finished!
[2023-10-02 21:55:31] [INFO] Files scanned: 0
[2023-10-02 21:55:31] [INFO] Files edited: 0
[2023-10-02 21:55:31] [INFO] Files quarantined: 0
[2023-10-02 21:55:31] [INFO] Files whitelisted: 0
[2023-10-02 21:55:31] [INFO] Files ignored: 0
[2023-10-02 21:55:31] [INFO] Malware detected: 0
[2023-10-02 21:55:31] [INFO] Malware removed: 0
[2023-10-02 21:55:55] [INFO] Scan date: 2023-10-02 21:55:55
[2023-10-02 21:55:55] [INFO] Scanning /scsi1/xxxxx
[2023-10-02 21:55:55] [INFO] Mapping and retrieving checksums, please wait
[2023-10-02 21:55:58] [SUCCESS] Found WordPress 6.2.2 (en_US) at "/scsi1/xxx"
[2023-10-02 21:55:58] [SUCCESS] Found WordPress Plugin Akeeba Backup CORE for WordPress 7.8.0.1
[2023-10-02 21:55:58] [SUCCESS] Found WordPress Plugin Elementor Pro 3.11.3
[2023-10-02 21:55:58] [SUCCESS] Found WordPress Plugin Elementor Pro 3.7.7
[2023-10-02 21:55:58] [SUCCESS] Found WordPress Plugin Elementor 3.11.3
[2023-10-02 21:55:58] [SUCCESS] Found WordPress Plugin ElementsKit Lite 2.8.5
[2023-10-02 21:55:58] [SUCCESS] Found WordPress Plugin Envato Elements 2.0.11
[2023-10-02 21:55:58] [SUCCESS] Found WordPress Plugin Essential Addons for Elementor 5.6.0
[2023-10-02 21:55:58] [SUCCESS] Found WordPress Plugin Essential Blocks 4.0.2
[2023-10-02 21:55:58] [SUCCESS] Found WordPress Plugin Site Kit by Google 1.95.0
[2023-10-02 21:55:58] [SUCCESS] Found WordPress Plugin Elementor Header & Footer Builder 1.6.13
[2023-10-02 21:55:58] [SUCCESS] Found WordPress Plugin MetForm 3.2.3
[2023-10-02 21:55:58] [SUCCESS] Found WordPress Plugin Really Simple SSL 6.2.1
[2023-10-02 21:55:58] [SUCCESS] Found WordPress Plugin Simple Chat Button 1.5.0
[2023-10-02 21:55:58] [SUCCESS] Found WordPress Plugin Themesflat Addons For Elementor 1.9.6
[2023-10-02 21:55:58] [SUCCESS] Found WordPress Plugin WP Sticky Button - Click to Chat 1.4.1
[2023-10-02 21:55:58] [SUCCESS] Found WordPress Plugin Yoast SEO 20.2.1
[2023-10-02 21:55:58] [SUCCESS] Found WordPress Plugin WP Mail SMTP 3.7.0
[2023-10-02 21:55:58] [INFO] Retrieving checksums of Wordpress 6.2.2
[2023-10-02 21:55:59] [INFO] Verifying files checksum
[2023-10-02 21:56:11] [INFO] Found 1883 files to check
[2023-10-02 21:56:11] [INFO] Checking files
[2023-10-02 21:56:12] [DANGER] PROBABLE MALWARE FOUND!
[2023-10-02 21:56:12] [WARNING] Checksum: 7c30e6993591b043f8f685b35f699868
[2023-10-02 21:56:12] [WARNING] File path: /scsi1/xxxx/wp-content/plugins/elementor-pro/wp-cron.php
[2023-10-02 21:56:12] [DANGER] Evil code found: [!] Exploit (hex_char) [line 46] - Hex char is usually used for the obfuscation of malicious code => \x5f
[2023-10-02 21:56:25] [SUCCESS] File '/scsi1/lxxxxwp-content/plugins/elementor-pro/wp-cron.php' skipped!
[2023-10-02 21:56:25] [DANGER] PROBABLE MALWARE FOUND!
[2023-10-02 21:56:25] [WARNING] Checksum: e808c392175886a9b2ca099e11cdd3de
[2023-10-02 21:56:25] [WARNING] File path: /scsi1/lxxxxxxx/wp-content/plugins/elementor-pro/core/integrations/actions/email/email.php
[2023-10-02 21:56:25] [DANGER] Evil code found: [!] Exploit (double_var2) [line 95] - Double var technique is usually used for the obfuscation of malicious code => ${$field}
[2023-10-02 21:56:28] [SUCCESS] File '/scsi1/xxxxxxwp-content/plugins/elementor-pro/core/integrations/actions/email/email.php' skipped!
from php-antimalware-scanner.
Hi @killmasta93 !
Thanks for providing these details. If you're running the scanner in docker then it could be that memory limit is hit on default PHP settings. Maybe it could be a good idea to make a PR to increase the memory limit.
from php-antimalware-scanner.
@Borcejn thank you so much
from php-antimalware-scanner.
Related Issues (20)
- dist version has been detected as malware HOT 1
- Add new signature
- Failed adding file to whitelist
- Undetected malwares HOT 1
- PHP malwares hiding as CSS files HOT 1
- Could not open input file: awscan HOT 1
- Scanner stops at 96%
- Scanning wordpress site HOT 1
- Should identify compose packages and validate their checksums
- Dependency Dashboard
- Scanner crash when encountering certain kind of malware HOT 11
- too many false positives. HOT 1
- Install via composer
- Lack of unit tests
- Open with VIM open at line HOT 2
- Build fails HOT 2
- Commit fails HOT 2
- FTP Scan :)
- Is this project up to date HOT 2
Recommend Projects
-
React
A declarative, efficient, and flexible JavaScript library for building user interfaces.
-
Vue.js
🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
-
Typescript
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
-
TensorFlow
An Open Source Machine Learning Framework for Everyone
-
Django
The Web framework for perfectionists with deadlines.
-
Laravel
A PHP framework for web artisans
-
D3
Bring data to life with SVG, Canvas and HTML. 📊📈🎉
-
Recommend Topics
-
javascript
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
-
web
Some thing interesting about web. New door for the world.
-
server
A server is a program made to process requests and deliver data to clients.
-
Machine learning
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
-
Visualization
Some thing interesting about visualization, use data art
-
Game
Some thing interesting about game, make everyone happy.
Recommend Org
-
Facebook
We are working to build community through open source technology. NB: members must have two-factor auth.
-
Microsoft
Open source projects and samples from Microsoft.
-
Google
Google ❤️ Open Source for everyone.
-
Alibaba
Alibaba Open Source for everyone
-
D3
Data-Driven Documents codes.
-
Tencent
China tencent open source team.
from php-antimalware-scanner.