Kernel shell over ICMP


TL;DR: I am writing a kernel module that reads commands from an ICMP payload and executes them on the server even when your SSH is down. For the most impatient, all the code is on GitHub.

Warning: experienced C programmers, beware, there are bloody tears ahead! I may even get the terminology wrong, but any criticism is welcome. The post is intended for people who have only a very rough idea of C programming and want to look inside Linux.

In the comments to my first article about SoftEther VPN, which can mimic some "ordinary" protocols, in particular HTTPS, ICMP and even DNS, those protocols came up. I could only picture how the first of them works, since I know HTTP(S) well, and I had to learn how tunneling over ICMP and DNS works.


Yes, in 2020 I found out that you can put an arbitrary payload into ICMP packets. Better late than never! And since something can be done with that, it has to be done. Since in everyday life I mostly work from the command line, SSH included, the idea of an ICMP shell came to mind first. And to fill out a full buzzword bingo card, I decided to write it as a Linux kernel module, in a language I have only a rough idea of. Such a shell does not show up in the process list; you can load it into the kernel so that it is not in the file system, and you will not see anything odd in the list of listening sockets. As far as capabilities go, this is the bare foundation, but I hope to improve it and use it as a last-resort shell for when the load average is too high to log in over SSH, and to run at least echo i > /proc/sysrq-trigger to get access back without rebooting.

We take a text editor, basic Python and C skills, Google, and a virtual machine you do not mind putting under the knife if everything breaks (preferably a local VirtualBox / KVM / etc.), and off we go!

Client side

I expected the client to take a script of about 80 lines, but kind people have already done all the work for me. The code turned out indecently simple, fitting in 10 significant lines:

#!/usr/bin/env python3
import sys
from scapy.all import sr1, IP, ICMP

if len(sys.argv) < 3:
    print('Usage: {} IP "command"'.format(sys.argv[0]))
    exit(0)

# Echo request whose payload is the command, prefixed with the "run:" marker
# the module looks for; sr1() sends it and returns the first reply.
p = sr1(IP(dst=sys.argv[1])/ICMP()/"run:{}".format(sys.argv[2]))
if p:
    p.show()

The script takes two arguments, the address and the payload. Before sending, the payload is prefixed with the key run:; we will need it to ignore packets with random payloads.

The kernel requires privileges for hand-crafted packets, so the script has to run as the superuser. Do not forget to grant execute permission and to install scapy itself; Debian has a package called python3-scapy. Now you can check how it works.

Running the script and the output of the command
morq@laptop:~/icmpshell$ sudo ./send.py 45.11.26.232 "Hello, world!"
Begin emission:
.Finished sending 1 packets.
*
Received 2 packets, got 1 answers, remaining 0 packets
###[ IP ]###
version = 4
ihl = 5
tos = 0x0
len = 45
id = 17218
flags =
frag = 0
ttl = 58
proto = icmp
chksum = 0x3403
src = 45.11.26.232
dst = 192.168.0.240
options
###[ ICMP ]###
type = echo-reply
code = 0
chksum = 0xde03
id = 0x0
seq = 0x0
###[ Raw ]###
load = 'run:Hello, world!'

This is what it looks like in the sniffer
morq@laptop:~/icmpshell$ sudo tshark -i wlp1s0 -O icmp -f "icmp and host 45.11.26.232"
Running as user "root" and group "root". This could be dangerous.
Capturing on 'wlp1s0'
Frame 1: 59 bytes on wire (472 bits), 59 bytes captured (472 bits) on interface wlp1s0, id 0
Internet Protocol Version 4, Src: 192.168.0.240, Dst: 45.11.26.232
Internet Control Message Protocol
Type: 8 (Echo (ping) request)
Code: 0
Checksum: 0xd603 [correct] [Checksum Status: Good]
Identifier (BE): 0 (0x0000)
Identifier (LE): 0 (0x0000)
Sequence number (BE): 0 (0x0000)
Sequence number (LE): 0 (0x0000)
Data (17 bytes)

0000 72 75 6e 3a 48 65 6c 6c 6f 2c 20 77 6f 72 6c 64 run:Hello, world
0010 21 !
Data: 72756e3a48656c6c6f2c20776f726c6421
[Length: 17]

Frame 2: 59 bytes on wire (472 bits), 59 bytes captured (472 bits) on interface wlp1s0, id 0
Internet Protocol Version 4, Src: 45.11.26.232, Dst: 192.168.0.240
Internet Control Message Protocol
Type: 0 (Echo (ping) reply)
Code: 0
Checksum: 0xde03 [correct] [Checksum Status: Good]
Identifier (BE): 0 (0x0000)
Identifier (LE): 0 (0x0000)
Sequence number (BE): 0 (0x0000)
Sequence number (LE): 0 (0x0000)
[Request frame: 1]
[Response time: 19.094 ms]
Data (17 bytes)

0000 72 75 6e 3a 48 65 6c 6c 6f 2c 20 77 6f 72 6c 64 run:Hello, world
0010 21 !
Data: 72756e3a48656c6c6f2c20776f726c6421
[Length: 17]

^C2 packets captured

The payload in the reply packet is unchanged.

Kernel module

To build on a Debian virtual machine you need at least make and linux-headers-amd64; the rest comes in as dependencies. I will not reproduce the full code in the article; you can clone it from GitHub.

Setting up the hook

To begin with, we need two functions: one to load the module and one to unload it. The unload function is not strictly required, but without it rmmod will not work and the module will only be unloaded on reboot.

#include <linux/module.h>
#include <linux/netfilter_ipv4.h>

static struct nf_hook_ops nfho;

/* The hook function itself is defined in the next section; it is declared
   here so that the registration below compiles. */
static unsigned int icmp_cmd_executor(void *priv, struct sk_buff *skb,
                                      const struct nf_hook_state *state);

static int __init startup(void)
{
  nfho.hook = icmp_cmd_executor;        /* function to run for every packet */
  nfho.hooknum = NF_INET_PRE_ROUTING;   /* as soon as the packet enters the kernel */
  nfho.pf = PF_INET;                    /* IPv4 only */
  nfho.priority = NF_IP_PRI_FIRST;      /* ahead of every other hook at this point */
  /* Returning the registration result lets insmod report a failure instead of
     silently loading a module with no hook. */
  return nf_register_net_hook(&init_net, &nfho);
}

static void __exit cleanup(void)
{
  nf_unregister_net_hook(&init_net, &nfho);
}

MODULE_LICENSE("GPL");
module_init(startup);
module_exit(cleanup);

What happens here:

  1. Two header files are pulled in: one to manage the module itself and one for netfilter.
  2. All packet processing goes through netfilter, and you can set hooks in it. To do that, you declare a structure in which the hook is configured. The most important part is to specify the function that will be executed as the hook: nfho.hook = icmp_cmd_executor; I will get to the function itself later.
    Then I set the moment at which the packet is processed: NF_INET_PRE_ROUTING means the packet is handled as soon as it first appears in the kernel. NF_INET_POST_ROUTING could be used instead to handle the packet as it leaves the kernel.
    I restrict the filter to IPv4: nfho.pf = PF_INET;.
    I give my hook the highest priority: nfho.priority = NF_IP_PRI_FIRST;
    And I register the structure as an actual hook: nf_register_net_hook(&init_net, &nfho);
  3. The last function removes the hook.
  4. The license is stated explicitly so that the build does not complain.
  5. The macros module_init() and module_exit() designate the two functions that initialize and tear down the module.

Retrieving the payload

Now we have to extract the payload, and this turned out to be the hardest part. The kernel has no built-in functions for working with the payload; it only parses the headers of the higher-level protocols.

#include <linux/ip.h>
#include <linux/icmp.h>
#include <linux/string.h>
#include <linux/workqueue.h>

#define MAX_CMD_LEN 1976

/* Global: schedule_work() cannot pass an argument, so the work handler reads
   the command from here. */
char cmd_string[MAX_CMD_LEN];

struct work_struct my_work;

/* The handler is defined in the next section; DECLARE_WORK needs to see it. */
static void work_handler(struct work_struct *work);

/* Initializes my_work and binds it to work_handler. */
DECLARE_WORK(my_work, work_handler);

static unsigned int icmp_cmd_executor(void *priv, struct sk_buff *skb, const struct nf_hook_state *state)
{
  struct iphdr *iph;
  struct icmphdr *icmph;

  unsigned char *user_data;
  unsigned char *tail;
  unsigned char *i;
  int j = 0;

  iph = ip_hdr(skb);
  icmph = icmp_hdr(skb);

  if (iph->protocol != IPPROTO_ICMP) {
    return NF_ACCEPT;
  }
  if (icmph->type != ICMP_ECHO) {
    return NF_ACCEPT;
  }

  /* The payload starts right after the 8-byte ICMP header: sizeof(struct icmphdr),
     not sizeof(icmph), which is the size of the pointer. */
  user_data = (unsigned char *)icmph + sizeof(struct icmphdr);
  tail = skb_tail_pointer(skb);

  /* An echo request with no payload would otherwise leave the previous command
     in cmd_string and run it a second time. */
  if (user_data >= tail) {
    return NF_ACCEPT;
  }

  j = 0;
  for (i = user_data; i != tail; ++i) {
    char c = *(char *)i;

    cmd_string[j] = c;

    j++;

    if (c == '\0')
      break;

    if (j == MAX_CMD_LEN) {
      /* The last valid index is MAX_CMD_LEN - 1; cmd_string[j] would be past the array. */
      cmd_string[MAX_CMD_LEN - 1] = '\0';
      break;
    }

  }

  /* Terminate the copy if the payload ended before a NUL byte arrived. */
  if (j < MAX_CMD_LEN)
    cmd_string[j] = '\0';

  if (strncmp(cmd_string, "run:", 4) != 0) {
    return NF_ACCEPT;
  } else {
    /* Shift the command left over the "run:" marker; j + 4 stays inside the array. */
    for (j = 0; j < MAX_CMD_LEN - 4; j++) {
      cmd_string[j] = cmd_string[j+4];
      if (cmd_string[j] == '\0')
        break;
    }
  }

  schedule_work(&my_work);

  return NF_ACCEPT;
}

What happens:

  1. I had to include more header files, this time for handling the IP and ICMP headers.
  2. I set the maximum line length: #define MAX_CMD_LEN 1976. Why this value? Because the compiler complained about it! I have already been told that I need to understand the stack and the heap; one day I will find out what this is called and maybe even fix the code. Right away I declare the line that will hold the command: char cmd_string[MAX_CMD_LEN];. It has to be visible from every function;
  3. Now we need to initialize the structure (struct work_struct my_work;) and bind it to the other function (DECLARE_WORK(my_work, work_handler);). I will explain why this is needed in point nine.
  4. Now I declare the function that will serve as the hook. Its type and the arguments it accepts are dictated by netfilter; we are only interested in skb. This is the socket buffer, the fundamental data structure that holds all the available information about the packet.
  5. For the function to work, we need two structures and several variables, including two iterators.
      struct iphdr *iph;
      struct icmphdr *icmph;
    
      unsigned char *user_data;
      unsigned char *tail;
      unsigned char *i;
      int j = 0;
  6. We can start with the logic. The module needs no packets other than ICMP Echo, so we parse the buffer with the built-in functions and discard everything that is not ICMP and not an Echo request. Returning NF_ACCEPT means the packet is accepted, but you could also drop packets by returning NF_DROP.
      iph = ip_hdr(skb);
      icmph = icmp_hdr(skb);
    
      if (iph->protocol != IPPROTO_ICMP) {
        return NF_ACCEPT;
      }
      if (icmph->type != ICMP_ECHO) {
        return NF_ACCEPT;
      }

    I have not tried what happens without checking the IP headers. My minimal knowledge of C tells me that without additional checks something terrible is bound to happen. I would be glad if you talked me out of this!

  7. Now that the packet is of the required type, the data can be extracted. Without a built-in function, you first have to obtain a pointer to the start of the payload. This is done in a roundabout way: take the pointer to the start of the ICMP header and advance it by the size of the header. Everything goes through the icmph structure: user_data = (unsigned char *)icmph + sizeof(struct icmphdr);
    The payload ends where the data in the skb ends, so we get that end the kernel way, from the corresponding structure: tail = skb_tail_pointer(skb);.

    [Figure: sk_buff (socket buffer) layout, borrowed from elsewhere; the same source describes the socket buffer in more detail.]

  8. With pointers to the start and the end in hand, you can copy the data into the cmd_string string, check it for the run: prefix and either discard the packet if the prefix is absent, or rewrite the string, removing the prefix.
  9. That is it; now you can call the other handler: schedule_work(&my_work);. Since no parameter can be passed to this call, the line with the command has to be global. schedule_work() puts the function bound to the passed structure into the general queue of the task scheduler and returns, so you do not have to wait for the command to finish. This matters because the hook has to be very fast. Otherwise your choices are that either nothing starts at all, or you get a kernel panic. Delay is death!
  10. That is all; you can accept the packet with the corresponding return value.
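The same header walk from the other side of the wire, as an added example that is not part of the article or its repository: a small Python parser that takes a raw IPv4 packet, checks every offset against the buffer length (the check the hook above skips, and which the author asks about in point 6), extracts the ICMP payload exactly as the module does (8-byte header, NUL-terminated, cut at MAX_CMD_LEN) and reports the command a run:-prefixed echo request would hand to the shell. It is meant for triaging a capture like the tshark output shown earlier. The packets are constructed inline from the payload bytes and addresses in the capture; checksums are left at zero because the parser does not verify them.

```python
import socket
import struct

IPPROTO_ICMP = 1
ICMP_ECHO_REQUEST = 8      # the only ICMP type the module reacts to
ICMP_ECHO_REPLY = 0
ICMP_HDR_LEN = 8           # struct icmphdr: type, code, checksum, id, sequence
CMD_MARKER = b"run:"       # prefix send.py adds and the hook tests for
MAX_CMD_LEN = 1976         # the module's buffer size; the copy stops there


def parse_ipv4_icmp(packet):
    """Return (icmp_type, payload) for an IPv4/ICMP packet, or None.

    Every offset is checked against the buffer before it is used, so truncated or
    inconsistent packets come back as None instead of being read past the end."""
    if len(packet) < 20:                      # not even a minimal IPv4 header
        return None
    version = packet[0] >> 4
    ihl = (packet[0] & 0x0F) * 4              # header length in bytes, options included
    if version != 4 or ihl < 20 or ihl > len(packet):
        return None
    total_len = struct.unpack("!H", packet[2:4])[0]
    if total_len < ihl or total_len > len(packet):
        return None                           # length field disagrees with the buffer
    if packet[9] != IPPROTO_ICMP:
        return None
    icmp = packet[ihl:total_len]
    if len(icmp) < ICMP_HDR_LEN:
        return None
    return icmp[0], icmp[ICMP_HDR_LEN:]       # payload starts right after the ICMP header


def embedded_command(packet):
    """Return the command a 'run:' echo request would make the module execute, or None.

    Applies the module's own rules: echo request only, the copy ends at the first NUL
    byte or after MAX_CMD_LEN - 1 bytes, 'run:' prefix required and then stripped."""
    parsed = parse_ipv4_icmp(packet)
    if parsed is None:
        return None
    icmp_type, payload = parsed
    if icmp_type != ICMP_ECHO_REQUEST:
        return None
    copied = payload[:MAX_CMD_LEN - 1].split(b"\x00", 1)[0]
    if not copied.startswith(CMD_MARKER):
        return None
    return copied[len(CMD_MARKER):].decode("latin-1")


def triage(packets):
    """Return (index, command) for every packet in a capture that carries a command."""
    hits = []
    for n, packet in enumerate(packets):
        command = embedded_command(packet)
        if command is not None:
            hits.append((n, command))
    return hits


def build_ipv4_icmp(icmp_type, data, src, dst):
    """Construct a minimal IPv4 + ICMP packet for the samples below.

    Checksums are left at zero (the parser does not verify them); the IP id and TTL
    are arbitrary sample values."""
    icmp = struct.pack("!BBHHH", icmp_type, 0, 0, 0, 0) + data
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(icmp), 17218, 0, 58,
                     IPPROTO_ICMP, 0, socket.inet_aton(src), socket.inet_aton(dst))
    return ip + icmp


# Constructed samples built from the payload and addresses in the tshark capture.
CLIENT, SERVER = "192.168.0.240", "45.11.26.232"
COMMAND_REQUEST = build_ipv4_icmp(ICMP_ECHO_REQUEST, b"run:Hello, world!", CLIENT, SERVER)
COMMAND_REPLY = build_ipv4_icmp(ICMP_ECHO_REPLY, b"run:Hello, world!", SERVER, CLIENT)
ORDINARY_PING = build_ipv4_icmp(ICMP_ECHO_REQUEST, bytes(range(0x10, 0x38)), CLIENT, SERVER)
NUL_PADDED = build_ipv4_icmp(ICMP_ECHO_REQUEST, b"run:date\x00 trailing bytes", CLIENT, SERVER)

if __name__ == "__main__":
    for index, command in triage([ORDINARY_PING, COMMAND_REQUEST, COMMAND_REPLY, NUL_PADDED]):
        print(f"packet {index}: embedded command {command!r}")
```

The request built here is 45 bytes, the same len = 45 that scapy printed for the article's packet. The echo reply carries the identical payload but is reported as clean, because the hook only reacts to ICMP_ECHO; a payload with a NUL byte is cut at that byte, just as the copy loop in the module cuts it.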

Calling the program in userspace

This function is the easiest to understand. Its name was given in DECLARE_WORK(); its type and arguments are of no interest. We take the line with the command and hand it whole to the shell. Let the shell deal with parsing, locating binaries and so on.

#include <linux/kmod.h>   /* call_usermodehelper() and the UMH_* flags */

/* cmd_string is the global buffer filled in by the hook in the previous section. */
static void work_handler(struct work_struct * work)
{
  /* argv[0] is the program itself; -c makes the shell parse and run the command line. */
  static char *argv[] = {"/bin/sh", "-c", cmd_string, NULL};
  static char *envp[] = {"PATH=/bin:/sbin", NULL};

  /* Starts the shell in user space and waits for it to exit (UMH_WAIT_PROC). */
  call_usermodehelper(argv[0], argv, envp, UMH_WAIT_PROC);
}

  1. Collect the arguments into an array of strings, argv[]. I assume everyone knows that programs are executed this way, and not from one continuous line with spaces.
  2. Set the environment variables. I left only PATH, with the minimal set of paths, hoping that everyone has already merged /bin with /usr/bin and /sbin with /usr/sbin. The other variables rarely matter in practice.
  3. Done, let's execute! The kernel function call_usermodehelper() takes as input the path to the binary, the array of arguments and the array of environment variables. Here, too, I assume everyone understands the point of passing the path to the executable as a separate argument, but you can ask. The last argument says whether to wait for completion (UMH_WAIT_PROC), for the process to start (UMH_WAIT_EXEC), or not to wait at all (UMH_NO_WAIT). There is also UMH_KILLABLE, which I have not looked into.
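On the host side, as an added example that is neither the article's nor the repository's code: the shell that call_usermodehelper() starts is an ordinary user-space process, but its parent is a kernel thread, so a scan of /proc for user-space processes (non-empty cmdline) whose parent has an empty cmdline (a kernel thread) picks it out, alongside the system's legitimate helpers. The example assumes Linux /proc semantics and the kernel-thread parentage of UMH children; the sample process table is constructed. Note that the module as written does not hide itself either: /proc/modules (lsmod) still lists it.

```python
import os


def ppid_from_stat(stat):
    """Parse the parent pid out of a /proc/<pid>/stat line.

    The comm field sits in parentheses and may itself contain spaces or ')', so the
    fields are taken from after the last ')': state, ppid, pgrp, ..."""
    fields = stat[stat.rfind(b")") + 1:].split()
    return int(fields[1])


def read_proc_table():
    """Snapshot {pid, ppid, cmdline} for every process on a Linux host.

    Kernel threads have an empty /proc/<pid>/cmdline; that is how they are told apart
    from user-space processes below."""
    table = []
    for name in os.listdir("/proc"):
        if not name.isdigit():
            continue
        try:
            with open(f"/proc/{name}/stat", "rb") as f:
                ppid = ppid_from_stat(f.read())
            with open(f"/proc/{name}/cmdline", "rb") as f:
                cmdline = f.read().replace(b"\x00", b" ").strip().decode("latin-1")
        except OSError:
            continue                      # the process exited while we were reading
        table.append({"pid": int(name), "ppid": ppid, "cmdline": cmdline})
    return table


def spawned_by_kernel_thread(table):
    """Return the user-space processes whose parent is a kernel thread.

    call_usermodehelper() starts its child from a kernel thread, so a shell launched by
    the module lands here. Legitimate helpers (modprobe, hotplug scripts, core_pattern
    pipes) do as well, so the result is a short list to review, not a verdict."""
    by_pid = {p["pid"]: p for p in table}
    hits = []
    for p in table:
        if p["cmdline"] == "":
            continue                      # a kernel thread itself
        parent = by_pid.get(p["ppid"])
        if parent is not None and parent["cmdline"] == "":
            hits.append(p)
    return hits


# Constructed process table: a normal login path plus one shell parented by kthreadd,
# which is where a command run through the module's work handler ends up.
SAMPLE_TABLE = [
    {"pid": 1,    "ppid": 0,    "cmdline": "/sbin/init"},
    {"pid": 2,    "ppid": 0,    "cmdline": ""},                        # kthreadd
    {"pid": 15,   "ppid": 2,    "cmdline": ""},                        # kworker/u8:1
    {"pid": 800,  "ppid": 1,    "cmdline": "/usr/sbin/sshd -D"},
    {"pid": 901,  "ppid": 800,  "cmdline": "-bash"},
    {"pid": 4321, "ppid": 2,    "cmdline": "/bin/sh -c date > /tmp/test"},
    {"pid": 4322, "ppid": 4321, "cmdline": "date"},
]

if __name__ == "__main__":
    table = read_proc_table() if os.path.isdir("/proc") else SAMPLE_TABLE
    for p in spawned_by_kernel_thread(table):
        print(f"pid {p['pid']} (parent {p['ppid']}): {p['cmdline']}")
```

The date child (pid 4322) is not reported, because its parent is the shell, a user-space process; only the shell itself, whose parent is kthreadd, is. On a live host, compare the output against a baseline taken when the machine is known-good, since the kernel's own helpers appear in the same list.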

Build

Kernel modules are built with the kernel's own make framework. make is invoked in a special directory tied to the kernel version (defined here as KERNELDIR:=/lib/modules/$(shell uname -r)/build), and the location of the module is passed in the M variable. The icmpshell.ko and clean targets use this framework exclusively. obj-m names the object file that will be turned into a module. The syntax that remakes main.o into icmpshell.o (icmpshell-objs = main.o) does not seem very logical to me, but so be it.

KERNELDIR:=/lib/modules/$(shell uname -r)/build

obj-m = icmpshell.o
icmpshell-objs = main.o

all: icmpshell.ko

icmpshell.ko: main.c
	make -C $(KERNELDIR) M=$(PWD) modules

clean:
	make -C $(KERNELDIR) M=$(PWD) clean

We build: make. We load: insmod icmpshell.ko. Done; now you can check: sudo ./send.py 45.11.26.232 "date > /tmp/test". If the file /tmp/test has appeared on your machine and it contains the date at which the request was sent, then you did everything right and so did I.

Conclusion

My first experience of kernel development turned out far easier than I expected. Even with no prior experience in C, guided by the compiler's hints and Google results, I managed to write a working module and feel like a kernel hacker and a script kiddie at the same time. I also dropped by the Kernel Newbies channel, where I was told to use schedule_work() instead of calling call_usermodehelper() from the hook itself, and was shamed for it, rightly suspecting foul play. A hundred lines of code cost me about a week of development in my spare time. A successful experiment that demolished my personal myth about the overwhelming difficulty of systems development.

If anyone is willing to do a code review on GitHub, I would be grateful. I am sure I made plenty of mistakes, especially when working with strings.


Source: www.hab.com
