View Issue Details
| ID | Project | Category | View Status | Date Submitted | Last Update | 
|---|---|---|---|---|---|
| 0003899 | Kali Linux | Queued Tool Addition | public | 2017-03-01 19:15 | 2023-10-25 14:21 | 
| Reporter | kum0nga | Assigned To | daniruiz | ||
| Priority | normal | Severity | minor | Reproducibility | always | 
| Status | closed | Resolution | won't fix | ||
| Summary | 0003899: Chankro - tool to bypass disable_functions & open_basedir in post-exploitation stage | ||||
| Description | Chankro is a tool written in Python that generates a PHP file capable of running a custom binary (like a meterpreter) or a bash script (e.g. reverse shell), bypassing disable_functions & open_basedir. The bypass is made by the exploitation of this bug (https://bugs.php.net/bug.php?id=46741). If a Unix-based server has mail() and putenv() enabled, it is possible to set LD_PRELOAD to an evil .so that will hook the binary called when PHP executes mail(). This way we can hijack a function of that binary and execute our code without restrictions. Chankro is a powerful tool focused on the post-exploitation stage during a pentest. It can be downloaded from here: https://github.com/TarlogicSecurity/Chankro The usage is pretty simple (select: arch, input file, output file, and the path where the .so will be dropped): python chankro.py --arch 64 --input rev.sh --output chan.php --path /var/www/html I hope this tool helps you with your next pentest. Best regards. | ||||
| Attached Files | |||||
| To help speed up the process of evaluating the tool, please make sure to include the following information (the more information you include, the more beneficial it will be for us): 
 | |
| Name: Chankro Version: v0.2 Download: https://github.com/TarlogicSecurity/Chankro Author: Juan Manuel Fernandez (@TheXC3LL) License: GNU General Public License v3.0 Description: Dependencies: python modules argparse and base64 Similar tools: There is no tool that automates the exploitation of this bug. How to install: download the repo from GitHub & execute it How to use: python chankro.py --arch 64 --input rev.sh --output chan.php --path /var/www/html -> Arch: 64 or 32 bits | |
| There isn't a git tag release on https://github.com/TarlogicSecurity/Chankro/releases | |
| Done! https://github.com/TarlogicSecurity/Chankro/releases/tag/v0.2 | |
| Updated to version v0.3. Now there is no need to hook a function; it just uses `__attribute__((constructor))` to execute the payload when it is pre-loaded. Download: https://github.com/TarlogicSecurity/Chankro/releases/tag/v0.3 | |
| @kali-team, please could this be packaged up. | |
| I'm closing this as the tool is based on python2, which is now deprecated and unsupported in Kali | |
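
The description above states the precondition for the bypass: mail() and putenv() must both be callable. As an added example (not part of this ticket or of Chankro), the Python check below reads php.ini text and reports whether that precondition holds. The sample php.ini contents are constructed, and treating the last uncommented disable_functions line as the effective one is an assumption.

```python
import re

# The two functions the ticket names as the precondition for the bypass.
PRECONDITION = ("putenv", "mail")

def parse_disable_functions(ini_text):
    """Return the set of functions listed in disable_functions.

    Assumption: the last uncommented directive in the file is the effective one.
    """
    disabled = set()
    for raw in ini_text.splitlines():
        line = raw.split(";", 1)[0].strip()  # ';' starts a php.ini comment
        m = re.match(r"disable_functions\s*=\s*(.*)$", line)
        if m:
            value = m.group(1).strip().strip("\"'")
            disabled = {f.strip() for f in value.split(",") if f.strip()}
    return disabled

def audit(ini_text):
    """Report which precondition functions remain callable."""
    disabled = parse_disable_functions(ini_text)
    callable_now = [f for f in PRECONDITION if f not in disabled]
    return {
        "callable": callable_now,
        # Both must be callable for the technique described in the ticket.
        "exposed": len(callable_now) == len(PRECONDITION),
    }

# Constructed sample: command-execution functions blocked, mail()/putenv() left on.
SAMPLE_EXPOSED = """
; hardening
;disable_functions = putenv
disable_functions = exec,system,passthru,shell_exec,popen,proc_open
"""

# Constructed sample: same list with putenv added.
SAMPLE_HARDENED = """
disable_functions = "exec, system, passthru, shell_exec, popen, proc_open, putenv"
"""

if __name__ == "__main__":
    for name, text in (("exposed", SAMPLE_EXPOSED), ("hardened", SAMPLE_HARDENED)):
        print(name, audit(text))
```
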
| Date Modified | Username | Field | Change | 
|---|---|---|---|
| 2017-03-01 19:15 | kum0nga | New Issue | |
| 2017-03-01 19:15 | kum0nga | File Added: Chankro-master.zip | |
| 2018-01-29 14:45 | g0tmi1k | Note Added: 0008365 | |
| 2018-01-31 08:33 | TheXC3LL | Note Added: 0008588 | |
| 2018-01-31 09:21 | g0tmi1k | Note Added: 0008589 | |
| 2018-01-31 16:04 | TheXC3LL | Note Added: 0008592 | |
| 2018-05-02 08:04 | TheXC3LL | Note Added: 0009085 | |
| 2019-12-09 13:30 | g0tmi1k | Severity | minor => feature | 
| 2020-03-25 13:35 | g0tmi1k | Note Added: 0012542 | |
| 2020-03-25 13:35 | g0tmi1k | Status | new => acknowledged | 
| 2020-03-25 13:35 | g0tmi1k | Category | New Tool Requests => Queued Tool Addition | 
| 2020-06-17 14:58 | g0tmi1k | Severity | feature => minor | 
| 2020-12-01 11:05 | g0tmi1k | Summary | Chankro: tool to bypass disable_functions & open_basedir in post-exploitation stage => Chankro - tool to bypass disable_functions & open_basedir in post-exploitation stage | 
| 2023-10-25 14:21 | daniruiz | Note Added: 0018557 | |
| 2023-10-25 14:21 | daniruiz | Assigned To | => daniruiz | 
| 2023-10-25 14:21 | daniruiz | Status | acknowledged => closed | 
| 2023-10-25 14:21 | daniruiz | Resolution | open => won't fix | 
