TL;DR: I am writing a kernel module that reads commands from an ICMP payload and executes them on a server even when your SSH has died. For the truly impatient, the full code is on GitHub.
Warning! Experienced C programmers risk shedding tears of blood. I may get the terminology wrong, but any criticism is welcome. The post is for those who have only a rough idea of C programming and want to look inside Linux.
In the comments on my first article, SoftEther VPN came up; it can imitate several "ordinary" protocols, notably HTTPS, ICMP and DNS. I could picture how the first of these works, since I know HTTP(S) well, so I went off to figure out ICMP and DNS.
Yes, in 2020 I learned that you can put an arbitrary payload into ICMP packets. Better late than never! And since something can be done, it must be done. Since in daily life I spend a lot of time on the command line, including over SSH, the idea of an ICMP shell came to mind first. And to complete the buzzword bingo, I decided to write it as a Linux kernel module, in a language I know only in passing. Such a shell does not show up in the process list, it can be loaded into the kernel and need not remain on the file system, and you will see nothing suspicious in the list of listening ports (it is still visible in lsmod unless hidden, and the shell it spawns for each command is an ordinary process while it runs). In terms of capabilities this is a full-fledged rootkit, but I hope to adapt it and use it as a shell of last resort for when the load average is too high to get in over SSH, so that I can at least run echo i > /proc/sysrq-trigger and recover access without a reboot.
Take a text editor, basic Python and C skills, Google, and something you would not mind losing if it all breaks (a VirtualBox/KVM/etc. virtual machine is a good choice), and let's go!
Client side
It seemed to me that for the client side I would have to write a script of about 80 lines, but kind people had already done all the work for me. The code turned out unexpectedly simple; the essential part fits in 10 lines:
#!/usr/bin/env python3
import sys
from scapy.all import sr1, IP, ICMP

if len(sys.argv) < 3:
    print('Usage: {} IP "command"'.format(sys.argv[0]))
    exit(0)

# Prefix the payload with "run:" so that the module ignores ordinary pings;
# sr1() sends one packet and returns the first reply (needs root).
p = sr1(IP(dst=sys.argv[1])/ICMP()/"run:{}".format(sys.argv[2]))
if p:
    p.show()
The script takes two arguments: the address and the payload. Before sending, the payload is prefixed with the key run:; we will need it so that packets with arbitrary payloads are not executed. Note that what show() prints is the kernel's normal echo reply, payload included: the client learns that the packet arrived, not what the command printed.
Running it, and the command's output:

morq@laptop:~/icmpshell$ sudo ./send.py 45.11.26.232 "Hello, world!"
Begin emission:
.Finished sending 1 packets.
*
Received 2 packets, got 1 answers, remaining 0 packets
###[ IP ]###
  version   = 4
  ihl       = 5
  tos       = 0x0
  len       = 45
  id        = 17218
  flags     =
  frag      = 0
  ttl       = 58
  proto     = icmp
  chksum    = 0x3403
  src       = 45.11.26.232
  dst       = 192.168.0.240
  \options   \
###[ ICMP ]###
     type      = echo-reply
     code      = 0
     chksum    = 0xde03
     id        = 0x0
     seq       = 0x0
###[ Raw ]###
        load      = 'run:Hello, world!'
This is how it looks in a sniffer:

morq@laptop:~/icmpshell$ sudo tshark -i wlp1s0 -O icmp -f "icmp and host 45.11.26.232"
Running as user "root" and group "root". This could be dangerous.
Capturing on 'wlp1s0'
Frame 1: 59 bytes on wire (472 bits), 59 bytes captured (472 bits) on interface wlp1s0, id 0
Internet Protocol Version 4, Src: 192.168.0.240, Dst: 45.11.26.232
Internet Control Message Protocol
    Type: 8 (Echo (ping) request)
    Code: 0
    Checksum: 0xd603 [correct]
    [Checksum Status: Good]
    Identifier (BE): 0 (0x0000)
    Identifier (LE): 0 (0x0000)
    Sequence number (BE): 0 (0x0000)
    Sequence number (LE): 0 (0x0000)
    Data (17 bytes)
To build on a real Debian machine you will need at least make and linux-headers-amd64; everything else comes in as dependencies. I am not reproducing the whole code in the article; you can study it on GitHub.
I had to include additional header files, this time in order to work with the IP and ICMP headers.
I set the line length: #define MAX_CMD_LEN 1976. Why that exactly? Because the author felt like it! I have already been told that I should sort out the stack and the heap; someday I will, and may fix the code then. Right away I declared the string that will hold the command: char cmd_string[MAX_CMD_LEN];. It has to be visible from every function, so it is global; I will say more about this below, where the work queue comes in.
Now we need to declare the work item (struct work_struct my_work;) and bind it to a handler function (DECLARE_WORK(my_work, work_handler);). DECLARE_WORK both defines and initializes the item, so the explicit struct declaration is only a tentative definition of the same variable. Why this is needed at all I will also explain below.
Now I declare the function that will be the hook. Its type and accepted arguments are dictated by netfilter; of them we only need skb. That is the socket buffer, the key data structure holding everything that is known about the packet.
I have not tried what happens without checking the IP header. My limited knowledge of C tells me that without the extra checks something bad is bound to happen. I would be glad to be talked out of that!
Now that the packet is known to be of the right type, the data can be extracted. There is no ready-made function for this, so first you need a pointer to the start of the payload. This is done in one place: take a pointer to the start of the ICMP header and move past the size of that header. Everything works off the icmph structure: user_data = (unsigned char *)((unsigned char *)icmph + (sizeof(icmph)));. One thing to check here: sizeof(icmph) is the size of the pointer, not of the header, and only equals the 8-byte ICMP header by coincidence on a 64-bit kernel; sizeof(struct icmphdr) (or sizeof(*icmph)) is what is meant.
The end of the payload coincides with the end of the data held in the skb (true for a small, unfragmented ping whose data sits in the linear part of the buffer), so we obtain it with the kernel helper for that very structure: tail = skb_tail_pointer(skb);.
The picture was borrowed from here; you can read more about the socket buffer there.
With pointers to the start and the end in hand, you can copy the data into the cmd_string string, check for the run: prefix and either ignore the packet if it is absent, or rewrite the string once more with the prefix stripped.
After that, you can accept the packet by returning the corresponding value (NF_ACCEPT).
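The packet walk from the last few paragraphs, as an added example that is not the module's own code: a userspace C model of the hook that performs the same IP header to ICMP header to payload to tail arithmetic on a raw packet buffer, and adds the checks the hook should make before trusting the payload (IP version and header length, protocol, ICMP type, header bounds, and the MAX_CMD_LEN bound on the copy). The struct layouts, the build_packet() helper and the constructed packets are assumptions made for the example; in the module the pointers come from ip_hdr(skb), icmp_hdr(skb) and skb_tail_pointer(skb).

```c
/* Added example, not the module's own code: a userspace model of the hook's
 * packet walk (IP header -> ICMP header -> payload -> tail) plus the checks
 * the hook needs before trusting the bytes after the headers. In the module
 * ip_hdr(skb), icmp_hdr(skb) and skb_tail_pointer(skb) yield the pointers
 * computed by hand here; the struct layouts are assumed to match the wire
 * format and are not the kernel's definitions. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define MAX_CMD_LEN 1976                   /* same limit as the module */
#define RUN_PREFIX "run:"
#define RUN_PREFIX_LEN (sizeof(RUN_PREFIX) - 1)

struct ipv4_hdr {                          /* 20 bytes, wire order */
    uint8_t  ihl_version, tos;             /* version high nibble, IHL low nibble */
    uint16_t tot_len, id, frag_off;
    uint8_t  ttl, protocol;
    uint16_t check;
    uint32_t saddr, daddr;
} __attribute__((packed));

struct icmp_hdr {                          /* 8 bytes */
    uint8_t  type, code;
    uint16_t checksum, id, sequence;
} __attribute__((packed));

enum { PROTO_ICMP = 1, ICMP_ECHO_REQUEST = 8 };
enum verdict {
    VERDICT_RUN,      /* command copied into cmd; hook would schedule the work */
    VERDICT_IGNORE,   /* not for us; hook returns NF_ACCEPT and does nothing */
    VERDICT_TOO_LONG  /* "run:" packet whose command would overflow cmd */
};

/* Walk len bytes of raw IPv4 packet; cmd must hold MAX_CMD_LEN bytes. */
enum verdict icmpshell_parse(const uint8_t *pkt, size_t len, char *cmd)
{
    const struct ipv4_hdr *iph = (const struct ipv4_hdr *)pkt;
    const struct icmp_hdr *icmph;
    const uint8_t *user_data, *tail;
    size_t ihl, plen;

    cmd[0] = '\0';
    if (len < sizeof(*iph) || (iph->ihl_version >> 4) != 4)
        return VERDICT_IGNORE;
    ihl = (size_t)(iph->ihl_version & 0x0f) * 4;   /* honours IP options */
    if (ihl < sizeof(*iph) || len < ihl + sizeof(*icmph))
        return VERDICT_IGNORE;
    if (iph->protocol != PROTO_ICMP)       /* TCP/UDP: no ICMP header follows */
        return VERDICT_IGNORE;
    icmph = (const struct icmp_hdr *)(pkt + ihl);
    if (icmph->type != ICMP_ECHO_REQUEST)  /* replies, unreachables, ... */
        return VERDICT_IGNORE;

    /* sizeof(*icmph), not sizeof(icmph): the latter is the pointer size and
     * only happens to equal the 8-byte ICMP header on 64-bit targets. */
    user_data = (const uint8_t *)icmph + sizeof(*icmph);
    tail = pkt + len;                      /* skb_tail_pointer(skb) in the module */
    plen = (size_t)(tail - user_data);

    if (plen < RUN_PREFIX_LEN || memcmp(user_data, RUN_PREFIX, RUN_PREFIX_LEN))
        return VERDICT_IGNORE;             /* ordinary ping: leave it alone */
    user_data += RUN_PREFIX_LEN;           /* strip the prefix */
    plen -= RUN_PREFIX_LEN;
    if (plen >= MAX_CMD_LEN)               /* bound the copy, keep room for NUL */
        return VERDICT_TOO_LONG;
    memcpy(cmd, user_data, plen);
    cmd[plen] = '\0';
    return VERDICT_RUN;
}

/* Constructed packet: IPv4 + ICMP header + payload, checksums left zero (the
 * hook never validates them). Returns the length, or 0 if it does not fit. */
size_t build_packet(uint8_t *buf, size_t bufsz, uint8_t proto, uint8_t type,
                    const char *payload)
{
    size_t plen = strlen(payload);
    size_t total = sizeof(struct ipv4_hdr) + sizeof(struct icmp_hdr) + plen;
    struct ipv4_hdr *iph = (struct ipv4_hdr *)buf;
    struct icmp_hdr *icmph = (struct icmp_hdr *)(buf + sizeof(*iph));

    if (total > bufsz)
        return 0;
    memset(buf, 0, total);
    iph->ihl_version = 0x45;               /* IPv4, 20-byte header */
    iph->ttl = 64;
    iph->protocol = proto;
    icmph->type = type;
    memcpy(buf + sizeof(*iph) + sizeof(*icmph), payload, plen);
    return total;
}

int main(void)
{
    uint8_t pkt[64];
    char cmd[MAX_CMD_LEN];
    size_t n = build_packet(pkt, sizeof pkt, PROTO_ICMP, ICMP_ECHO_REQUEST,
                            "run:date > /tmp/test");
    if (icmpshell_parse(pkt, n, cmd) == VERDICT_RUN)
        printf("command for the shell: %s\n", cmd);
    return 0;
}
```

Compile with cc -Wall -o icmpshell_parse icmpshell_parse.c and run it. Two things the model cannot show about the real module: the hook runs for every incoming IPv4 packet, so without the protocol check the "ICMP header" it reads may be TCP or UDP bytes; and cmd_string is a single global buffer filled by the hook and read later by the work handler, so two run: packets arriving close together can overwrite each other before the shell ever runs.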
Calling a program in user space
The function is as trivial as it gets. Its name was given in DECLARE_WORK(); its type and accepted arguments are of no interest. We take the string with the command and hand it whole to the shell. Let the shell deal with splitting it up, looking up binaries and everything else.
Done, let's run it! The kernel function call_usermodehelper() takes as input the path to the binary, an array of arguments and an array of environment variables. I assume everyone understands the point of passing the path to the executable as a separate argument, but you may ask. The last argument says whether to wait for the process to finish (UMH_WAIT_PROC), for it to start (UMH_WAIT_EXEC), or not to wait at all (UMH_NO_WAIT). There is also UMH_KILLABLE, which I have not looked into.
Building
Kernel modules are built through the kernel's own make framework. make is invoked in a special directory tied to the kernel version (defined here as KERNELDIR:=/lib/modules/$(shell uname -r)/build), and the module's location is passed in the M variable on the command line. The icmpshell.ko and clean targets rely entirely on this framework. obj-m names the object file that will be turned into a module. The syntax that turns main.o into icmpshell.o (icmpshell-objs = main.o) did not look logical to me, but so be it; kbuild needs it because the module name differs from the source file name, so it has to be told which objects make up icmpshell.o.
KERNELDIR:=/lib/modules/$(shell uname -r)/build
obj-m = icmpshell.o
icmpshell-objs = main.o

all: icmpshell.ko

icmpshell.ko: main.c
	make -C $(KERNELDIR) M=$(PWD) modules

clean:
	make -C $(KERNELDIR) M=$(PWD) clean
Build: make. Load: insmod icmpshell.ko. That's it, you can test: sudo ./send.py 45.11.26.232 "date > /tmp/test". If the file /tmp/test appears on your machine and contains the date at which the request was sent, you did everything right, and so did I.
Conclusion
My first experience of kernel development turned out easier than I expected. Even without deep knowledge of C, reading the documentation and Google results, I was able to write a working module and feel like a kernel hacker and a script kiddie at the same time. I also dropped into the Kernel Newbies channel, where I was told to use schedule_work() instead of calling call_usermodehelper() inside the hook itself, and was shamed for it, being rightly suspected of writing a backdoor. A hundred lines of code took me about a week of development in my spare time. A successful experiment that destroyed my long-held myth about how hard systems development is.