Update to mod_rootme
Last weekend, I took part in the Cyber Dawn exercise as a member of the red cell. In other words, I got to sit in a room with a bunch of people for two days, hacking networks that were being actively defended. All in all, it was fun, awesome, and a learning experience. While gaining access to systems wasn't my forte, I was able to maintain access on quite a few systems with a nifty little Apache module called mod_rootme. However, the current version only supports Apache 1.3 and 2.0, and it seems to have been last updated about five years ago. So I took a stab at updating it to Apache 2.2, succeeded, and am posting the result here, dubbed version 0.4:
For those of you who have never heard of it before, here's a brief description of what mod_rootme is and how it works. Essentially, it's an Apache module that you drop onto a box and load into Apache (by putting the shared object in the right place, adding it to the config, and restarting the process). Once that's done, you can send the trigger request, via the provided client or netcat (essentially "GET root"), and it will drop you into a root shell on the box. Pretty nifty, right?
Apache normally runs one root process, which spawns several non-root child processes to handle requests. When mod_rootme loads, it takes advantage of the fact that it's running as root for a moment and spawns a second root Apache process (easy enough to detect for a wary sysadmin). This second Apache process just waits for the trigger request and spawns the shell. There's also a hook in place that watches all incoming requests, waiting for the right moment to activate the shell. All in all pretty cool, but as noted, reasonably detectable.
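Since that extra root-owned process is the most visible artifact, here is the kind of check a wary sysadmin can run for it. This is an added example written for this post, not code from mod_rootme; the process listings it runs over are constructed sample data, and the function names (suspicious_root_children, count_suspicious) are my own. The idea is simple: every normal child of the Apache master runs as the unprivileged user, so a child of an httpd process that is itself running as root is worth a closer look.

```shell
#!/bin/sh
# Constructed sample of `ps -eo user,pid,ppid,comm` output (not a real capture).
# PID 1240 is a root-owned child of the root master, which is what mod_rootme leaves behind.
SAMPLE_PS='USER PID PPID COMMAND
root 1 0 init
root 1234 1 httpd
www-data 1235 1234 httpd
www-data 1236 1234 httpd
root 1240 1234 httpd
www-data 1237 1234 httpd'

# Constructed sample of a clean box: one root master, unprivileged workers only.
CLEAN_PS='USER PID PPID COMMAND
root 1 0 init
root 1234 1 httpd
www-data 1235 1234 httpd
www-data 1236 1234 httpd'

# Read ps output (user pid ppid comm) on stdin and print the PIDs of
# root-owned httpd/apache2 processes whose parent is also an httpd/apache2
# process. The master itself is a child of init (or a supervisor), so it is
# not flagged; a root process forked by the master is.
suspicious_root_children() {
    awk '
    $4 ~ /^(httpd|apache2)$/ { is_httpd[$2] = 1; user[$2] = $1; ppid[$2] = $3 }
    END {
        for (p in is_httpd)
            if (user[p] == "root" && (ppid[p] in is_httpd))
                print p
    }'
}

# Number of suspicious processes, handy as a one-line health check.
count_suspicious() {
    suspicious_root_children | wc -l | tr -d ' '
}

# Live usage on a real host:
#   ps -eo user,pid,ppid,comm | suspicious_root_children
```

Pair this with a comparison of `httpd -M` (the loaded-module list) against what you expect to be installed, since the module still has to be pulled in through a LoadModule line. Neither check is proof of anything on its own: a root child of the master is exactly what you see in the window between fork and privilege drop, so run it more than once before escalating.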
My modifications of substance came from noticing that the uri field in the request_rec structure no longer seems to hold the information we're looking for; it now seems to be in the args field. I'm not sure I would have noticed what was wrong so quickly had it not been segfaulting, but that's what happens when you strcmp() a potentially NULL char pointer! In any case, simply adding NULL checks and checking both fields seems to work. I also had to change a few #defines so that it loads into Apache 2.2. Overall, pretty simple changes.
And if you’re curious, you can also access the previous version for reference here.
Enjoy!

That's awesome, I had no idea five years ago this project would live on, congrats ^^ Btw, do you mind submitting your version to packetstormsecurity? This way it will be included with the previous versions.
Yeah, I'll do that. It's a very nifty tool! Actually, the version I managed to post here, my friend recently pointed out, was not the version I meant to post… it's a bit off, but I'll fix that soon too. Laziness is a bitch!