Here is one of the first items that I would like to touch on:
The POST request to the honeypot was not found and returned a 404 error. However, I wanted to understand what was hex encoded, so I dug back into my archive and found my hex decoder at the following link.
Notice also that when I copy the hex-encoded pattern the letters are in upper-case, while my decoder works with lower-case. So I found a quick sed command to convert the letters to lower-case, as shown below.
After I decoded the hex I found the following text:
OK, I noticed that the -d looks to be an option, so I did a search for PHP options.
From the above command switch it appears that they are trying to change php.ini entries. After a little more searching, the following exploit published to exploit-db came up, addressing CVE-2012-1823. The exploit is located here.
Evaluating the pststr() variable that the exploit builds, it matches the same patterns I have seen in the honeypot.
Also, reading about the exploit, you find that the payload is actually in the POST data sent with the web request. The description of the vulnerability as posted on the CVE page is: "sapi/cgi/cgi_main.c in PHP before 5.3.12 and 5.4.x before 5.4.2, when configured as a CGI script (aka php-cgi), does not properly handle query strings that lack an = (equals sign) character, which allows remote attackers to execute arbitrary code by placing command-line options in the query string, related to lack of skipping a certain php_getopt for the 'd' case".
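To tie the two steps above together (decoding the upper-case hex from the honeypot log, then recognising the CVE-2012-1823 pattern of php-cgi switches in a query string), here is an added Python example. It is my own code, not the decoder linked above nor the exploit-db script. The hex string is a constructed sample that decodes to a request target carrying a `-d` switch; the function names and the php.ini directive in the sample are mine and not taken from the honeypot data.

```python
import binascii
import re
from urllib.parse import unquote

# Constructed sample (not from the honeypot): an upper-case hex string of the
# kind a log might record. It decodes to "/?-d+display_errors%3DOn".
SAMPLE_HEX = "2F3F2D642B646973706C61795F6572726F72732533444F6E"


def decode_hex(text):
    """Decode a hex string regardless of letter case.

    Normalising with .lower() and dropping whitespace/line breaks makes the
    separate sed lower-casing step unnecessary.
    """
    cleaned = re.sub(r"[^0-9a-fA-F]", "", text).lower()
    if len(cleaned) % 2:
        raise ValueError("odd number of hex digits")
    return binascii.unhexlify(cleaned).decode("latin-1")


def php_cgi_argv(query):
    """Return the argument list php-cgi would see for this query string.

    The vulnerable CGI code only treats the query string as argv when it has no
    literal '=' (hence the %3D in the sample), and it splits arguments on '+'.
    A normal key=value query therefore yields an empty list.
    """
    if "=" in query:
        return []
    return [unquote(t) for t in query.split("+") if t]


def php_cgi_switches(query):
    """Command-line style switches (tokens starting with '-') in the query."""
    return [t for t in php_cgi_argv(query) if t.startswith("-")]


def ini_directives(query):
    """Pair each -d switch with the php.ini directive it sets.

    Handles both '-d name=value' and the attached form '-dname=value' that
    php_getopt accepts.
    """
    argv = php_cgi_argv(query)
    found = {}
    i = 0
    while i < len(argv):
        tok = argv[i]
        if tok == "-d" and i + 1 < len(argv):
            name, _, value = argv[i + 1].partition("=")
            found[name] = value
            i += 2
            continue
        if tok.startswith("-d") and len(tok) > 2:
            name, _, value = tok[2:].partition("=")
            found[name] = value
        i += 1
    return found


def is_php_cgi_option_injection(request_target):
    """Detection check: does the request target smuggle php-cgi switches?"""
    _, _, query = request_target.partition("?")
    return bool(php_cgi_switches(query))


if __name__ == "__main__":
    target = decode_hex(SAMPLE_HEX)
    print("decoded:", target)
    print("suspicious:", is_php_cgi_option_injection(target))
    print("php.ini changes:", ini_directives(target.partition("?")[2]))
```

Run over a honeypot log, `is_php_cgi_option_injection` flags only requests whose query string lacks a literal `=` and contains a leading-dash token, which is exactly the condition the CVE text describes; `ini_directives` then tells you which php.ini entries the request was trying to override.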