Kernel shell over ICMP


TL;DR: I am writing a kernel module that reads commands from an ICMP payload and executes them on the server even when your SSH is broken. For the impatient, all the code is on GitHub.

Warning! Experienced C programmers risk crying tears of blood! I may be wrong in my terminology, but corrections are welcome. The post is intended for those who are very curious about C and want to look inside Linux.

In the comments to my first article, SoftEther VPN was mentioned; it can masquerade as some "ordinary" protocols, in particular HTTPS, ICMP and DNS. I could only imagine how the first of them works, since I know HTTP(S) well, and I had to learn about tunneling over ICMP and DNS.


Yes, only in 2020 did I learn that you can embed an arbitrary payload in ICMP packets. Better late than never! And since it can be done, it must be done. Because in everyday life I use the command line, including over SSH, the idea of an ICMP shell was the first to come to mind. And to collect the full bullshit bingo, I decided to write it as a Linux module, in a language I have only a vague idea of. Such a shell does not show up in the process list, you can load it into the kernel and it will not be on the filesystem, and you will not see anything suspicious in the list of listening ports. By its capabilities this is a rootkit, but I hope to polish it and use it as a shell of last resort when the Load Average is too high to log in over SSH and do at least echo i > /proc/sysrq-trigger to restore access without a reboot.

We take a text editor, basic programming skills in Python and C, Google and a virtual machine you do not mind putting under the knife if everything breaks (optional: VirtualBox / KVM / etc.) and off we go!

Client side

It seemed to me that for the client side I would have to write a script of about 80 lines, but kind people had already done all the work for me. The code turned out to be surprisingly simple and fits in 10 meaningful lines:

#!/usr/bin/env python3
import sys
from scapy.all import sr1, IP, ICMP

if len(sys.argv) < 3:
    print('Usage: {} IP "command"'.format(sys.argv[0]))
    sys.exit(1)   # usage error, so exit with a non-zero status

# One ICMP echo request whose payload is the command prefixed with the "run:" key;
# sr1() sends it and returns the first reply (building raw packets requires root).
p = sr1(IP(dst=sys.argv[1])/ICMP()/"run:{}".format(sys.argv[2]))
if p:
    p.show()

The script takes two arguments, an address and a payload. Before sending, the payload is prefixed with the key run:; we will need it to discard packets with random payloads.

The kernel requires privileges to build raw packets, so the script must be run as the superuser. Don't forget to make it executable and to install scapy itself. Debian has a package called python3-scapy. Now you can check how it all works.

Running the script and its output
morq@laptop:~/icmpshell$ sudo ./send.py 45.11.26.232 "Hello, world!"
Begin emission:
.Finished sending 1 packets.
*
Received 2 packets, got 1 answers, remaining 0 packets
###[ IP ]###
version = 4
ihl = 5
tos = 0x0
len = 45
id = 17218
flags =
frag = 0
ttl = 58
proto = icmp
chksum = 0x3403
src = 45.11.26.232
dst = 192.168.0.240
options
###[ ICMP ]###
type = echo-reply
code = 0
chksum = 0xde03
id = 0x0
seq = 0x0
###[ Raw ]###
load = 'run:Hello, world!

Here is how it looks in the sniffer
morq@laptop:~/icmpshell$ sudo tshark -i wlp1s0 -O icmp -f "icmp and host 45.11.26.232"
Running as user "root" and group "root". This could be dangerous.
Capturing on 'wlp1s0'
Frame 1: 59 bytes on wire (472 bits), 59 bytes captured (472 bits) on interface wlp1s0, id 0
Internet Protocol Version 4, Src: 192.168.0.240, Dst: 45.11.26.232
Internet Control Message Protocol
Type: 8 (Echo (ping) request)
Code: 0
Checksum: 0xd603 [correct] [Checksum Status: Good]
Identifier (BE): 0 (0x0000)
Identifier (LE): 0 (0x0000)
Sequence number (BE): 0 (0x0000)
Sequence number (LE): 0 (0x0000)
Data (17 bytes)

0000 72 75 6e 3a 48 65 6c 6c 6f 2c 20 77 6f 72 6c 64 run:Hello, world
0010 21 !
Data: 72756e3a48656c6c6f2c20776f726c6421
[Length: 17]

Frame 2: 59 bytes on wire (472 bits), 59 bytes captured (472 bits) on interface wlp1s0, id 0
Internet Protocol Version 4, Src: 45.11.26.232, Dst: 192.168.0.240
Internet Control Message Protocol
Type: 0 (Echo (ping) reply)
Code: 0
Checksum: 0xde03 [correct] [Checksum Status: Good]
Identifier (BE): 0 (0x0000)
Identifier (LE): 0 (0x0000)
Sequence number (BE): 0 (0x0000)
Sequence number (LE): 0 (0x0000)
[Request frame: 1] [Response time: 19.094 ms]
Data (17 bytes)

0000 72 75 6e 3a 48 65 6c 6c 6f 2c 20 77 6f 72 6c 64 run:Hello, world
0010 21 !
Data: 72756e3a48656c6c6f2c20776f726c6421
[Length: 17]

^C2 packets captured

The payload in the reply packet is unchanged.

Kernel module

To build on a Debian virtual machine you will need at least make and linux-headers-amd64; the rest comes in as dependencies. I will not give the full code in the article; you can clone it on GitHub.

Setting up the hook

To begin with, two functions are needed: to load the module and to unload it. The unload function is not required, but then rmmod will not work and the module will only be unloaded at shutdown.

#include <linux/module.h>
#include <linux/netfilter.h>
#include <linux/netfilter_ipv4.h>

/* Defined further down: the function netfilter calls for every incoming IPv4 packet. */
static unsigned int icmp_cmd_executor(void *priv, struct sk_buff *skb,
                                      const struct nf_hook_state *state);

static struct nf_hook_ops nfho;

static int __init startup(void)
{
  nfho.hook = icmp_cmd_executor;       /* function that runs as the hook */
  nfho.hooknum = NF_INET_PRE_ROUTING;  /* as soon as the packet enters the kernel */
  nfho.pf = PF_INET;                   /* IPv4 only */
  nfho.priority = NF_IP_PRI_FIRST;     /* ahead of all other hooks */
  return nf_register_net_hook(&init_net, &nfho);  /* 0 on success, -errno on failure */
}

static void __exit cleanup(void)
{
  nf_unregister_net_hook(&init_net, &nfho);  /* remove the hook so rmmod leaves nothing behind */
}

MODULE_LICENSE("GPL");
module_init(startup);
module_exit(cleanup);

What is here:

  1. Two header files are included, to manipulate the module itself and netfilter.
  2. All the work goes through netfilter, which lets you set hooks. To do that, you need to declare the structure in which the hook is configured. The most important thing is to specify the function that will be executed as the hook: nfho.hook = icmp_cmd_executor; I will get to the function later.
    Then I set the moment at which the packet is processed: NF_INET_PRE_ROUTING means processing the packet as soon as it has entered the kernel. NF_INET_POST_ROUTING can be used to process the packet on its way out of the kernel.
    I restrict the filter to IPv4: nfho.pf = PF_INET;.
    I give my hook the highest priority: nfho.priority = NF_IP_PRI_FIRST;
    And I register the data structure as an actual hook: nf_register_net_hook(&init_net, &nfho);
  3. The last function removes the hook.
  4. The license is specified explicitly so that the compiler does not complain.
  5. The functions module_init() and module_exit() set the other functions as the module's initializer and finalizer.

Extracting the payload

Now the payload has to be extracted, and this turned out to be the hardest task. There are no functions in the kernel for working with payloads; you can only parse the headers of higher-level protocols.

#include <linux/ip.h>
#include <linux/icmp.h>
#include <linux/skbuff.h>
#include <linux/string.h>
#include <linux/workqueue.h>

#define MAX_CMD_LEN 1976

/* Global: schedule_work() cannot carry an argument, so the command lives here.
 * Note that the hook may overwrite it while work_handler is still reading it. */
char cmd_string[MAX_CMD_LEN];

/* The handler that runs the command; defined below, must be known to DECLARE_WORK. */
static void work_handler(struct work_struct *work);

struct work_struct my_work;
DECLARE_WORK(my_work, work_handler);   /* ties my_work to work_handler */

static unsigned int icmp_cmd_executor(void *priv, struct sk_buff *skb, const struct nf_hook_state *state)
{
  struct iphdr *iph;
  struct icmphdr *icmph;

  unsigned char *user_data;
  unsigned char *tail;
  unsigned char *i;
  int j = 0;

  iph = ip_hdr(skb);
  if (iph->protocol != IPPROTO_ICMP)   /* only ICMP ... */
    return NF_ACCEPT;

  icmph = icmp_hdr(skb);
  if (icmph->type != ICMP_ECHO)        /* ... and only echo requests */
    return NF_ACCEPT;

  /* The payload starts right after the ICMP header. sizeof(struct icmphdr) is the
   * header size; sizeof(icmph) would be the size of a pointer, which only happens
   * to be the same 8 bytes on 64-bit. */
  user_data = (unsigned char *)icmph + sizeof(struct icmphdr);
  tail = skb_tail_pointer(skb);

  /* Copy the payload into cmd_string, stopping at a NUL or when only the byte for
   * the terminator is left, so the buffer can never be overrun. */
  j = 0;
  for (i = user_data; i < tail && j < MAX_CMD_LEN - 1; ++i) {
    char c = *(char *)i;
    cmd_string[j++] = c;
    if (c == '\0')
      break;
  }
  cmd_string[j] = '\0';   /* always terminate, even if the packet did not */

  if (strncmp(cmd_string, "run:", 4) != 0)
    return NF_ACCEPT;

  /* Strip the "run:" key in place; memmove handles the overlap and copies the NUL. */
  memmove(cmd_string, cmd_string + 4, strlen(cmd_string + 4) + 1);

  schedule_work(&my_work);   /* run the command later, off the hook's fast path */

  return NF_ACCEPT;
}

What happens:

  1. I had to include two more header files, this time to manipulate the IP and ICMP headers.
  2. I define the maximum line length: #define MAX_CMD_LEN 1976. Why exactly that? Because the compiler complains! I was told I need to understand the stack and the heap; someday I will certainly do that and maybe even fix the code. Right away I also define the line that will hold the command: char cmd_string[MAX_CMD_LEN];. It must be visible in all functions; I will say more about this in point 9.
  3. Now we need to initialize the structure (struct work_struct my_work;) and link it to another function (DECLARE_WORK(my_work, work_handler);). I will also explain why this is needed in point nine.
  4. Now I declare the function that will be the hook. Its type and the arguments it accepts are dictated by netfilter; we only need skb. This is the socket buffer, a fundamental data structure containing all the information available about a packet.
  5. For the function to work, two structures and several variables are needed, including two iterators.
      struct iphdr *iph;
      struct icmphdr *icmph;
    
      unsigned char *user_data;
      unsigned char *tail;
      unsigned char *i;
      int j = 0;
  6. We can start with the logic. For the module to work, no packets other than ICMP Echo are needed, so we unpack the buffer with built-in functions and throw out all non-ICMP and non-Echo packets. Returning NF_ACCEPT means accepting the packet, but you can also drop packets by returning NF_DROP.
      iph = ip_hdr(skb);
      icmph = icmp_hdr(skb);
    
      if (iph->protocol != IPPROTO_ICMP) {
        return NF_ACCEPT;
      }
      if (icmph->type != ICMP_ECHO) {
        return NF_ACCEPT;
      }

    I did not test what happens if the IP headers are not checked. My minimal knowledge of C tells me that without extra checks something terrible will happen. I would be glad if you talked me out of it!

  7. Now that the packet is of the required type, you can extract the data. Without a built-in function, you first have to get a pointer to the beginning of the payload. This is done in one place: you take the pointer to the beginning of the ICMP header and move it by the size of that header. Everything uses the icmph structure: user_data = (unsigned char *)((unsigned char *)icmph + (sizeof(icmph)));
    The end of the payload should coincide with the end of the data in skb, so we get it by "kernel" means from the corresponding structure: tail = skb_tail_pointer(skb);.

    [Image: socket buffer (sk_buff) layout]

    The picture was stolen from here, where you can read more about the socket buffer.

  8. Having pointers to the beginning and the end, you can copy the data into the string cmd_string, check for the presence of the run: prefix and either discard the packet if it is missing, or rewrite the string in place, removing this prefix.
  9. That's it, now you can call another handler: schedule_work(&my_work);. Since no parameter can be passed to that call, the line with the command has to be global. schedule_work() puts the function associated with the passed structure into the general queue of the task scheduler and returns, so you do not have to wait for the command to finish. This is needed because the hook must be very fast. Otherwise, in the best case nothing starts, and in the worst case you get a kernel panic. Delay is like death!
  10. That's it, you can accept the packet and return.
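As an added example (my code, not the page's or the GitHub project's), here are the two facts the client section and points 7 and 8 rely on, seen from the network-monitoring side: the payload begins right after the 8-byte ICMP header, and a command packet is an echo request whose payload starts with run:. The parser also verifies the checksum so the two values tshark reported above (0xd603 and 0xde03) can be checked; the sample bytes are rebuilt from the capture, while NORMAL_PING and all function names are constructed/assumed.

```python
import struct

# Constructed sample data: the echo request / reply pair from the tshark capture on
# this page (type 8 / type 0, id 0, seq 0, checksums 0xd603 / 0xde03), rebuilt from
# its hex dump, plus an ordinary Linux ping payload (checksum field left 0) for contrast.
ICMP_ECHO_REPLY, ICMP_ECHO_REQUEST = 0, 8
CMD_PREFIX = b"run:"   # the key the client script prepends to every command
PAYLOAD = bytes.fromhex("72756e3a48656c6c6f2c20776f726c6421")   # "run:Hello, world!"
REQUEST = bytes.fromhex("0800d60300000000") + PAYLOAD
REPLY = bytes.fromhex("0000de0300000000") + PAYLOAD
NORMAL_PING = bytes.fromhex("0800000000010001") + b"\x00" * 8 + bytes(range(0x10, 0x38))


def icmp_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement sum over 16-bit words, as ICMP uses."""
    if len(data) % 2:
        data += b"\x00"   # odd-length messages are padded with a zero byte
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)   # fold carries back in
    return (~total) & 0xFFFF


def parse_icmp(message: bytes) -> dict:
    """Split an ICMP message into its 8-byte header and payload: the same
    'icmph + sizeof(struct icmphdr)' arithmetic the hook does in the kernel."""
    if len(message) < 8:
        raise ValueError("truncated ICMP header")
    typ, code, chksum, ident, seq = struct.unpack("!BBHHH", message[:8])
    expected = icmp_checksum(message[:2] + b"\x00\x00" + message[4:])
    return {"type": typ, "code": code, "id": ident, "seq": seq,
            "checksum": chksum, "checksum_ok": chksum == expected,
            "payload": message[8:]}


def is_icmp_shell_cmd(message: bytes) -> bool:
    """True for an echo request whose payload starts with the run: key, i.e. a
    packet the module would hand to /bin/sh; a reply or a plain ping is False."""
    msg = parse_icmp(message)
    return (msg["type"] == ICMP_ECHO_REQUEST and msg["code"] == 0
            and msg["payload"].startswith(CMD_PREFIX))


def describe(message: bytes) -> str:
    """One log line per message, suitable as the basis for an alert on this channel."""
    msg = parse_icmp(message)
    flag = "COMMAND" if is_icmp_shell_cmd(message) else "ok"
    return "type=%d id=%d seq=%d checksum_ok=%s payload=%r %s" % (
        msg["type"], msg["id"], msg["seq"], msg["checksum_ok"], msg["payload"][:24], flag)
```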

Calling a program in user space

This function is the most straightforward. Its name was given in DECLARE_WORK(); the type and the arguments it accepts are not interesting. We take the line with the command and hand it entirely to the shell. Let it deal with parsing, looking up binaries and everything else.

#include <linux/kmod.h>   /* call_usermodehelper() */

static void work_handler(struct work_struct *work)
{
  /* argv as an array of strings, not one line with spaces; /bin/sh does the parsing */
  static char *argv[] = {"/bin/sh", "-c", cmd_string, NULL};
  static char *envp[] = {"PATH=/bin:/sbin", NULL};

  /* UMH_WAIT_PROC: this work item blocks until the command has finished */
  call_usermodehelper(argv[0], argv, envp, UMH_WAIT_PROC);
}

  1. Define the arguments as an array of strings argv[]. I assume everyone knows that programs are actually run this way, not as a single line with spaces.
  2. Define the environment variables. I included PATH with a minimal set of paths, hoping that everyone has already merged /bin with /usr/bin and /sbin with /usr/sbin. Other paths are harder to handle.
  3. Done, execute! The kernel function call_usermodehelper() takes the path to the binary, the array of arguments and the array of environment variables. Here I will again assume everyone understands why the path to the executable is passed as a separate argument, but you can ask. The last argument determines whether to wait for the process to finish (UMH_WAIT_PROC), for it to start (UMH_WAIT_EXEC) or not to wait at all (UMH_NO_WAIT). There is also UMH_KILLABLE, which I did not look into.

Build

Kernel modules are built through the kernel's build framework. make is called in a special directory tied to the kernel version (defined here: KERNELDIR:=/lib/modules/$(shell uname -r)/build), and the location of the module is passed in the variable M among the arguments. The icmpshell.ko and clean targets simply use this framework. obj-m specifies the object file that will be turned into a module. The syntax that builds main.o into icmpshell.o (icmpshell-objs = main.o) does not seem very logical to me, but so be it.

KERNELDIR:=/lib/modules/$(shell uname -r)/build

obj-m = icmpshell.o
icmpshell-objs = main.o

all: icmpshell.ko

icmpshell.ko: main.c
	make -C $(KERNELDIR) M=$(PWD) modules

clean:
	make -C $(KERNELDIR) M=$(PWD) clean

Build: make. Load: insmod icmpshell.ko. Done, you can test it: sudo ./send.py 45.11.26.232 "date > /tmp/test". If the file /tmp/test appears on your machine and contains the date when the request was sent, then you did everything right and so did I.

Conclusion

My first experience of kernel development turned out to be much easier than I expected. Even without any experience of developing in C, guided by compiler hints and Google results, I managed to write a working module and feel like a kernel hacker, and at the same time a script kiddie. Beyond that, I went to the Kernel Newbies channel, where I was told to use schedule_work() instead of calling call_usermodehelper() from the hook itself, and was shamed, rightly suspecting something fishy. A hundred lines of code cost me a week of development in my spare time. A successful experience that destroyed my personal myth about the extreme complexity of systems development.

If anyone agrees to do a code review on GitHub, I would be grateful. I am sure I made many silly mistakes, especially when working with strings.
